Security Alliance Chock-Full of Holes

I pity companies that make real products that solve real problems.

I pity companies that make real products that solve real problems. Theyll never be able to compete with the fantasies and myths of todays computer industry. After all, what else could explain the tremendous hype over Ginger, something that no one knows anything about, by an inventor whose best work was in the medical field? Yet the hype is here, and Ginger

(by all indications a motorized scooter) will apparently save the world and be "more important than the Internet."

Can you see the wince on my face? Can you see how hard it is to discuss a similarly hyped tech alliance to battle hackers? Onward Ill go, though. The new alliance is huge, by all indications. It brings together the industrys toughest competitors, including Oracle, AT&T, Cisco, Hewlett-Packard and even Microsoft, a company not known to leap quickly into any technology alliance.

The deal is theyll work together to swap vulnerability stories. Former President Clinton urged the creation of such a committee, and Commerce—and future Transportation—Secretary Norman Mineta (hmm: transportation and commerce? Perhaps Mineta has something do with Ginger) is an advocate of this nonprofit, to be known as the IT-ISAC (IT-Information Sharing and Analysis Center for Information Technology).

On the surface, IT-ISAC sounds wonderful, but theres something wrong with this picture. Each of these companies might provide a general idea as to the kinds of attacks that it is receiving. But no company in its right mind will contribute the important stuff, such as specific exploits or a specific vulnerability in its product.

Theres little chance that these vendors can disclose hack attempts against customers or inherent vulnerabilities in their applications. This leaves IT-ISAC with such thankless tasks as trying to data-mine hackers IP addresses to figure out which hackers are attacking more than one company. In other words, the data they gather wont be valuable.

There is a better, less organized way of dealing with security vulnerabilities. Dozens of high-level organizations track vulnerabilities, including CERT, Security Focus and SecurityWatch. They are collecting real information and are publicizing real vulnerabilities. IT-ISAC is simply being created for the protection of the vendors. The rest of us are on our own.