Open your doors to white hats before black hats blow them off, US deputy AG urges big biz

And don't forget to add in those backdoors, ta

By Shaun Nichols in San Francisco


The second-in-command at the US Department of Justice says every business should have its own program to let third-party researchers find and report bugs.

Speaking at the Cambridge Cyber Summit in Boston today, Deputy Attorney General Rod Rosenstein said bug bounty and white-hat research programs will help companies avoid large-scale network breaches and data thefts.

"Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity," Rosenstein told attendees. "All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system."

Rosenstein recommended that execs and other senior staff in the audience push their companies to look into setting up their own programs, in which both internal and third-party security researchers can test for security flaws and report them back to the company and its tech suppliers, potentially closing holes before they can be exploited by hackers.

He noted the DoJ already has its own guide for organizations on how to set up a bug-reporting platform. The hope, Rosenstein said, was that commercial outfits make themselves, and the hardware and software they use, more secure, and avoid breaches that the Feds would have to investigate.

"Many organizations find that the amount you can learn from 'crowdsourcing' your search for vulnerabilities in a controlled way is well worth it," Rosenstein said.

"The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises."

At the same time, Rosenstein also talked up the need for policies that many developers argue will make software and hardware platforms much less secure: breakable encryption. The Deputy AG doubled down on his earlier calls to give investigators backdoors to decrypt data transmissions and stored info.

"We in law enforcement have no desire to undermine encryption. But the advent of 'warrant-proof' encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries," Rosenstein said.

"Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant. But that is the world that technology companies are creating."

So open your doors to white hats before hackers find a way to break in. And then put in a backdoor anyway for black hats to find. Perfect sense. ®
