Presidential Advisor Encourages Computer Hackers to Break Software

Richard Clarke, President Bush's computer security advisor, told hackers at the Black Hat conference that most security holes in software are not found by the software maker.

"Some of us, here in this room, have an obligation to find the vulnerabilities," Clarke says.

Clarke says the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he says, then go to the government if the software maker doesn't respond soon.

Hackers commonly share their findings with others in their community through e-mail lists or Web sites. But how much they should disclose is an ongoing debate among computer security professionals. Some argue that full disclosure is best, while others say a hacker should only warn that a problem exists without showing how to take advantage of it.

Clarke says hackers shouldn't help criminals by showing how to exploit a programming bug before the software maker has a chance to fix the problem by issuing a patch, or fix.

"It's irresponsible and sometimes extremely damaging to release information before the patch is out," Clarke says.

Companies differ in their response to independent researchers. While some encourage or even reward bug-hunters, others are more concerned about the possibility of extortion or embarassment to the company. In some instances, they seek civil or criminal charges against the hacker.

Clarke says that situation is "very disappointing," as long as the hacker acts in good faith.

"If there are legal protections they don't have that they need, we need to look at that," he says.

Copyright © 2002 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.