Security Alliance Chock-Full of Holes

By John Taschek  |  Posted 2001-01-29

I pity companies that make real products that solve real problems. They'll never be able to compete with the fantasies and myths of today's computer industry. After all, what else could explain the tremendous hype over Ginger, something that no one knows anything about, by an inventor whose best work was in the medical field? Yet the hype is here, and Ginger (by all indications a motorized scooter) will apparently save the world and be "more important than the Internet."

Can you see the wince on my face? Can you see how hard it is to discuss a similarly hyped tech alliance to battle hackers? Onward I'll go, though. The new alliance is huge, by all indications. It brings together the industry's toughest competitors, including Oracle, AT&T, Cisco, Hewlett-Packard and even Microsoft, a company not known to leap quickly into any technology alliance.

The deal is they'll work together to swap vulnerability stories. Former President Clinton urged the creation of such a committee, and Commerce—and future Transportation—Secretary Norman Mineta (hmm: transportation and commerce? Perhaps Mineta has something to do with Ginger) is an advocate of this nonprofit, to be known as the IT-ISAC (Information Technology Information Sharing and Analysis Center).

On the surface, IT-ISAC sounds wonderful, but there's something wrong with this picture. Each of these companies might provide a general idea as to the kinds of attacks that it is receiving. But no company in its right mind will contribute the important stuff, such as specific exploits or a specific vulnerability in its product.

There's little chance that these vendors can disclose hack attempts against customers or inherent vulnerabilities in their applications. This leaves IT-ISAC with such thankless tasks as trying to data-mine hackers' IP addresses to figure out which hackers are attacking more than one company. In other words, the data they gather won't be valuable.

There is a better, less organized way of dealing with security vulnerabilities. Dozens of high-level organizations track vulnerabilities, including CERT, SecurityFocus and SecurityWatch. They are collecting real information and are publicizing real vulnerabilities. IT-ISAC is simply being created for the protection of the vendors. The rest of us are on our own.

As the director of eWEEK Labs, John manages a staff that tests and analyzes a wide range of corporate technology products. He has been instrumental in expanding eWEEK Labs' analyses into actual user environments, and has continually engineered the Labs for accurate portrayal of true enterprise infrastructures. John also writes eWEEK's 'Wide Angle' column, which challenges readers interested in enterprise products and strategies to reconsider old assumptions and think about existing IT problems in new ways. Prior to his tenure at eWEEK, which started in 1994, Taschek headed up the performance testing lab at PC/Computing magazine (now called Smart Business). Taschek got his start in IT in Washington D.C., holding various technical positions at the National Alliance of Business and the Department of Housing and Urban Development. There, he and his colleagues assisted the government office with integrating the Windows desktop operating system with HUD's legacy mainframe and mid-range servers.
