Open your doors to white hats before black hats blow them off, US deputy AG urges big biz

And don't forget to add in those backdoors, ta

By Shaun Nichols in San Francisco

Posted in Security, 4th October 2017 22:46 GMT

The second-in-command at the US Department of Justice says every business should have its own program to let third-party researchers find and report bugs.

Speaking at the Cambridge Cyber Summit in Boston today, Deputy Attorney General Rod Rosenstein said bug bounty and white-hat research programs will help companies avoid large-scale network breaches and data thefts.

"Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity," Rosenstein told attendees. "All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system."

Rosenstein recommended execs and other senior staff in the audience push their companies to look into setting up their own programs where both internal and third-party security researchers can test for and report security flaws back to the company and its tech suppliers, potentially closing holes before they can be exploited by hackers.

He noted the DoJ already has its own guide for organizations on how to set up a bug-reporting platform. The hope, Rosenstein said, was that commercial outfits make themselves and the hardware and software they use more secure, and avoid breaches that the Feds would have to investigate.

"Many organizations find that the amount you can learn from 'crowdsourcing' your search for vulnerabilities in a controlled way is well worth it," Rosenstein said.

"The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises."

At the same time, Rosenstein also talked up the need for policies that many developers argue will make software and hardware platforms much less secure: breakable encryption. The Deputy AG doubled down on his earlier calls to give investigators backdoors to decrypt data transmissions and stored info.

"We in law enforcement have no desire to undermine encryption. But the advent of 'warrant-proof' encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries," Rosenstein said.

"Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant. But that is the world that technology companies are creating."

So open your doors to white hats before hackers find a way to break in. And then put in a backdoor anyway for black hats to find. Perfect sense. ®
