CIA infosec guru: US govt must buy all zero-days and set them free

Destroy the software industry before it destroys the world, says Dan Geer

Black Hat 2014 Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online.

Geer played a crucial role in the development of the X Window System and the Kerberos authentication protocol, and is now the chief security officer of the CIA’s VC fund In-Q-Tel.

And during the opening keynote of the Black Hat USA hacking conference in Las Vegas on Wednesday, he presented a ten-point plan for solving many of the problems found online. Without serious and drastic action, the technology industry will be destroyed by inaction, he suggested.

"We have to do something," Geer told the audience of 5,000 attendees. "It's as Einstein said about repeating the same action again and again and expecting the same result. We have to do something different."

When code crashes, who gets punished?

One of his more radical suggestions was restructuring the way the software industry handles liability. There are only two industries that have no liability problems, he said – religion and software – and this needs to change for the coding community.

His proposed solution was offering two different business models. Software firms could carry on selling code, but if the programs are faulty then the companies must pay out when things go wrong. Alternatively, they can publish the source code of software, allow the user to shut down functions they don’t want, and enjoy freedom from being sued.

"Software houses will yell bloody murder and pay any lobbyist they can to scream that this will end computing as we know it,” he said. “I would respond ‘Yes please, that was exactly the idea'."

Net neutrality

He suggested a similar solution to the net neutrality debate. ISPs can't expect to enjoy common carrier protections against being sued for harmful content on their networks and at the same time expect to be able to analyze network traffic so that they can apply differential pricing based on what users are watching.

US govt must buy zero-days

Geer also suggested a new way to stamp out the exploitation of software security vulnerabilities for which no patches exist – dreaded zero-day vulns: the US government should make a standing offer to pay a bug bounty equivalent to TEN times the price companies are willing to pay for the security flaws, and then make them public after a patch has been developed.

This could go a long way to end inter-state cyberwar and stop common criminals, we're told. No mention of the NSA, of course.

In order for this to work, Geer said, we would have to test Bruce Schneier's hypothesis that serious software flaws are either far more common than is thought or fairly rare in the majority of code. If they are rare, it makes sense for the US to take a leading role in zeroing out the cyber arsenals of states and criminals.

"If there are many vulnerabilities then we've wasted our money," he said. "But if there are a limited number, by making them not weaponisable have we not contributed to world peace? The US can corner the market in this in a way few other countries can."

With regards to non-critical vulnerabilities, Geer suggested setting up a clearing house through which flaws can be reported and disseminated swiftly to fix problems. Breach laws, requiring customers be told of problems, were a step in this direction, but more needed to be done.

Make Windows XP open source

If a company stops issuing security patches for code, as Microsoft has with Windows XP, then that code should automatically become open source, he said. If you abandon a car, property, or child, then you lose rights to it and this should be true for software, too.

As for embedded systems, manufacturers need to either include a remote management system that allows the software to be updated, or give the devices a limited lifespan. Leaving old devices in operation was a recipe for disaster, Geer warned.

Everyone has the right to be forgotten

As for the European courts' right to be forgotten ruling that has Google and pals in a flap at the moment, Geer said this right was essential and the current system didn’t go far enough. People must have the right to reinvent themselves and this point is getting lost at the moment.

He said that in the intelligence community building plausible false identities is becoming much harder in the digital age and will only get harder. These days it’s a much better solution to steal someone’s identity and use that, Geer opined.

Other suggestions included eliminating electronic and internet voting systems, for the obvious reason that they are so simple to hack. Home routers are also a potential disaster waiting to happen, he said, since most rely on outdated and thus unpatched Linux kernels.

"It is likely that there is a botnet in Brazil that is using this now," he warned, "and with it I could take down the internet and so could you."

Humanity is at a civilizational crux point, Geer said, where meatspace and the digital world are converging with very few controls. He said that unless humans reassert control over the digital sphere and make it work to human rules, humanity will not be able to take back control once code is law. ®
