by Wendy R. Leibowitz
Just back from a Federalist Society conference on cybercrime. I'm not a federalist, but some of my best friends are and all that. Federalist conferences do tend to start and end on time, which is an achievement when you're hosting a panel of lawyers fielding questions at a law school--George Mason University Law School National Center for Technology & Law, to be precise. It was a fine conference, and my musings are simply things I can't write about in more serious publications, for reasons that will become obvious.
One question frequently asked was, "What IS cybercrime?" It must be on an exam somewhere, but the answer to that really is, "Who cares?" I'm worried about preventing crimes, online and off, and catching the crooks before they strike again, whether or not they use a computer. Hacker Kevin Mitnick committed some crimes, including stealing passwords, with only a telephone. The prosecutor-heavy panel (hey, they're federalists) responded by detailing the crimes with which they were now equipped to prosecute offenders. Feel better now? There are STATUTES protecting us. Lots of statutes. And they can always write more. Don't worry your little head.
Look, I'm glad that someone will not go free because they technically did not break a law. I'm glad there is more international cooperation in rounding up and extraditing sickos who prey on children or who steal Social Security numbers and credit card numbers from people who have no choice but to store their personal identifying information with organizations using insecure technologies. And God knows we need to catch terrorists before they strike, and if e-mail can lead us to them, or help nail down a conviction, then get a warrant and get the e-mail! Amazingly, there is increasing cooperation among local, state and federal authorities within the United States in fighting high-tech crimes--we need to share expertise, and the borders and turf battles are increasingly meaningless. Rumor has it they are also sharing information among different branches of law enforcement! Go, team!
But there are many aspects of peace and war this October 2002 that make me uneasy, and I don't feel we are asking the right questions or getting any meaningful answers. The low point of the conference for me was when a speaker from the Department of Justice said that the government would never say, "Here's a software flaw or security problem--fix it or we will give you problems." During the Year 2000 problem, the government did indeed say just that to federally funded institutions of higher education, not just requiring them to certify that their software was Y2K-compliant, but requiring them to have tested the software against an extremely problematic government Web site or lose their money. Though it was a hassle and a half for the colleges and universities, they did it. It bothered me that the guy from the government was confidently lying (OK, he was probably ignorant) about what the government does and doesn't do.
But with all due respect to the Federalists, a lot of us out here want the government to start demanding more of the software developers. There have been few, if any, civil suits over software failures--presumably the computer environment is too complex to trace the problems to a particular software flaw. And the software industry always says, "Hey, there are bugs in software. The product comes that way. Read the fine print, and do let us know if you find any problems--we value our users!"
The security problems with Microsoft software are legendary and horrific, both in the corporate and in the government world. For example, a flaw in Windows NT disabled a Navy ship, the Yorktown, in 1998. The Yorktown had to be towed into port several times because of the failures of Windows NT. "If we used Unix, we would have a system that has less of a tendency to go down," said a technical director at the time. (The articles from Government Computer News about this are no longer online, but an excerpt from one is at www.langston.com/Fun_People/1998/1998APK.html).
Now, Microsoft products have improved a bit since 1998, so when I asked about how they go about testing software to patch up at least some of the flaws before shipping the product, I was surprised to get a blast of the old Microsoft p.r. non-response. "We take security very seriously, we have a Trustworthy Computing Initiative and we've hired Scott Charney," was the gist of the answer. "Your concerns are laughable." I wonder how many people were laughing at the 53rd security advisory of the year, this time about flaws in FrontPage Web page design software that could jeopardize their servers. An article about the flaw is online at: http://news.com.com/2100-1001-959577.html?tag=fd_top.
Jerry Lawson, a lawyer who runs Netlawtools, at www.netlawtools.com, also helpfully suggests that people turn off the "Preview Pane" in their Inbox if they use Microsoft Outlook. "Scripting features in MS Outlook mean that merely viewing a message in a preview pane can be enough to let some viruses take over your system," he warns, and then adds: "There are patches that purport to close this vulnerability. I have them installed, but keep the preview pane turned off anyway, partly because I don't trust Microsoft on security issues."
Jerry is right. Many people don't trust Microsoft, whose spokespeople confuse launching a p.r. campaign at the beginning of this year with actual action taken to improve their software. I admire Scott Charney, a prosecutor and computer programmer who now handles Microsoft's security, as much as the next person, but he's not Superman. (If he were, I know I'd have received a dozen press releases to that effect from Microsoft's hardworking publicists). One person alone cannot do this. Even Batman needed a sidekick, Robin, and had a great butler as well. I'm worried there's no one out there in Starbucks country who takes security as seriously as they take publicity and marketing.
There is help from other quarters, of course. SANS, the SysAdmin, Audit, Networking and Security people, have published the Top 20 software flaws on their site, with a helpful hint to Microsoft and others that, "The majority of the successful attacks on operating systems come from only a few software vulnerabilities." The list is online at www.sans.org/top20/.
Lawyers have to act on this. Put riders on software contracts requiring software manufacturers to warrant that their software does not contain these 20 flaws. Require specific, higher standards of performance and if the software fails, sue the bastards. We did it with the Ford Pinto and McDonald's coffee--can't we do it with software? Where are the lawyers on this?
Microsoft in some ways reminds me of the United States as we drive the world to war. We are big--people must use our products and listen to what we say. We think we are better than we really are and that others have little to teach us. We are despised by too many, rightly or wrongly. And we might be making some serious mistakes, but will admit them only under pressure. It doesn't help me sleep well, or to trust my computer, especially if today's battleships and airplanes, and other aspects of our national security, are running on Microsoft products.