CIA infosec guru: US govt must buy all zero-days and set them free
Destroy the software industry before it destroys the world, says Dan Geer
Black Hat 2014 Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online.
Geer played a crucial role in the development of the X Window System and the Kerberos authentication protocol, and is now the chief security officer of the CIA’s VC fund In-Q-Tel.
And during the opening keynote of the Black Hat USA hacking conference in Las Vegas on Wednesday, he presented a ten-point plan for solving many of the problems found online. Without serious and drastic action, the technology industry will be destroyed by inaction, he suggested.
"We have to do something," Geer told the audience of 5,000 attendees. "It's as Einstein said about repeating the same action again and again and expecting the same result. We have to do something different."
When code crashes, who gets punished?
One of his more radical suggestions was restructuring the way the software industry handles liability. There are only two industries that have no liability problems, he said – religion and software – and this needs to change for the coding community.
His proposed solution was offering two different business models. Software firms could carry on selling code, but if the programs are faulty then the companies must pay out when things go wrong. Alternatively, they can publish the source code of software, allow the user to shut down functions they don’t want, and enjoy freedom from being sued.
"Software houses will yell bloody murder and pay any lobbyist they can to scream that this will end computing as we know it,” he said. “I would respond ‘Yes please, that was exactly the idea'."
He suggested a similar solution to the net neutrality debate. ISPs can’t expect to enjoy common carrier protections against being sued for harmful content on their networks and also expect to be able to analyze network traffic so that they can apply differential pricing based on what users are watching.
US govt must buy zero-days
Geer also suggested a new way to stamp out the exploitation of software security vulnerabilities for which no patches exist – dreaded zero-day vulns: the US government should make a standing offer to pay a bug bounty equivalent to TEN times the price companies are willing to pay for the security flaws, and then make them public after a patch has been developed.
This could go a long way to end inter-state cyberwar and stop common criminals, we're told. No mention of the NSA, of course.
In order for this to work, Geer said, we would have to test Bruce Schneier’s hypothesis that serious software flaws are either far more common than is thought or fairly rare in the majority of code. If they are rare, it makes sense for the US to take a leading role in zeroing out the cyber arsenals of states and criminals.
"If there are many vulnerabilities then we've wasted our money," he said. "But if there are a limited number, by making them not weaponisable have we not contributed to world peace? The US can corner the market in this in a way few other countries can."
With regards to non-critical vulnerabilities, Geer suggested setting up a clearing house through which flaws can be reported and disseminated swiftly to fix problems. Breach laws, requiring customers be told of problems, were a step in this direction, but more needed to be done.
Make Windows XP open source
If a company stops issuing security patches for code, as Microsoft has with Windows XP, then that code should automatically become open source, he said. If you abandon a car, property, or child, then you lose rights to it and this should be true for software, too.
As for embedded systems, manufacturers need to either include a remote management system that allows the software to be updated, or they need to have a limited lifespan. Leaving old devices in operation was a recipe for disaster, Geer warned.
Everyone has the right to be forgotten
As for the European courts' right to be forgotten ruling that has Google and pals in a flap at the moment, Geer said this right was essential and the current system didn’t go far enough. People must have the right to reinvent themselves and this point is getting lost at the moment.
He said that in the intelligence community building plausible false identities is becoming much harder in the digital age and will only get harder. These days it’s a much better solution to steal someone’s identity and use that, Geer opined.
Other suggestions included eliminating electronic and internet voting systems, for the obvious reason that they are so simple to hack. Home routers are also a potential disaster waiting to happen, he said – since most relied on outdated and thus unpatched Linux kernels.
“It is likely that there is a botnet in Brazil that is using this now,” he warned, “and with it I could take down the internet and so could you.”
Humanity is at a civilizational crux point, Geer said, where meatspace and the digital world are converging with very few controls. He said that unless humans reassert control over the digital sphere and make it work to human rules, humanity will not be able to take back control once code is law. ®