19. Jul 2006

Harvard Law Review: Hacker attacks do more good than harm

The latest issue of the legal journal Harvard Law Review contains an article pointing out that hacker attacks function as the Internet's own "immune system", in that they make software and hardware vendors aware of weaknesses and holes, which the vendors then fix to the benefit of all users' security.

The threat is otherwise serious enough, the article points out:
In a 1997 exercise, National Security Agency teams hacked into computer systems at four regional military commands and the National Military Command Center and showed that hackers could cause large-scale power outages and 911 emergency telephone network overloads. The following year, members of the hacker group L0pht Heavy Industries testified before the Senate Committee on Governmental Affairs that it would take them only thirty minutes to render the Internet unusable for the entire nation. Maintaining computer network security presents the unique problem of automated attack methods that can compromise millions of systems, all of which share the same vulnerabilities. Cybercrime is becoming easier to carry out, and as society becomes more dependent on the Internet, the risk of a catastrophic attack looms larger. This Note argues that computer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack — one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.
The article's author proposes that this should be taken into account at sentencing in this type of case (hacker attacks/viruses/worms/etc.), since the subsequent closing of the hole benefits society rather than harming it: Although the law should encourage movement toward the white hat model, some activity that is currently illegal may be necessary if society is to maximize the benefit from cybercrime.

Sun's James Gosling (the man behind the Java programming language) could not agree more:
I'm a very strong believer in this, and have been for a long time. When we first released Java in 1995, we made all of the sources available on the net. Most people just downloaded the binaries and used them, but a lot of folks downloaded the sources, and many of them spent many hours trying to figure out how to break the security of the system. And several people did: they would publish their attacks, and we'd fix them. The end result is an extraordinarily strong system. Many people in the software industry are nervous about such policies because they fear that it will give nasty folks an unfair advantage. They somehow believe that "security by obscurity" is a valid technique. I have always believed, and experience has shown, that the reverse is true: there are many more good smart people than evil smart people, and good smart people let us know about any flaws they discover, so we get things fixed quickly.
That is also one of the reasons why Linux is so much less vulnerable to viruses and hacker attacks, purely in terms of security: everyone has access to all the information about the system's security architecture and can therefore point out flaws and propose fixes - whereas Microsoft's secrecy about the underlying design means that only Microsoft itself is there to find and close the holes. AND all the world's hackers or crackers, of course.

Link to the article in Harvard Law Review.