Tina Turner once said that we don’t need another hero, but I don’t know if I agree. I know that I’ve been looking for a hero in my ongoing trials and tribulations with Internet security.
What form would this hero take? Would he or she be a hero who takes on the trends and attitudes that lead to software vendors releasing sloppy and poorly secured code that the bad guys take advantage of?
In addition to making sure that vendors didn’t release code full of bugs, this kind of hero would make sure that software makers would act quickly to address any problems that did arise and not hide the problem from users.
In recent months, a person has been positioning himself as this kind of hero: security researcher HD Moore. Moore, famous for creating the open-source penetration testing tool Metasploit (and for creating controversy in the vulnerability testing community), has recently launched a few high-profile projects to expose serious vulnerabilities on the Internet.
One of these was his Month of Browser Bugs project, in which he released information on one active security flaw in a popular Web browser every day for the month of July. Also in July, Moore created a search engine on top of Google that made it possible to look for Trojans and other malware publicly available on Web sites.
While Moore’s projects have angered some vendors, security researchers and (according to Moore) black-hat hackers, I think they are a good thing, for the most part.
To me, a flaw that has been publicly outed is much better than one that a vendor has kept hidden—you know that the bad guys are already using these flaws, and, by knowing about them, you can protect yourself. And Moore’s search engine application will make it easier for many sites to find Trojans and other bad code that they may not even know is on their site.
All that said, I don’t think Moore qualifies as a full-fledged hero.
A person worthy of the cape, though, would be someone who could get people to actually take basic precautions when it comes to Web browsing and e-mail use. People’s steadfast and totally ridiculous refusal to do so is one of the things that makes it so easy for viruses and Trojans to spread across the Internet.
For years now, I’ve been trying every method I can think of to get through to these Gomer Pyles—from shaming them to laughing at their idiocy to appealing to their common sense. But, still, viruses and Trojans spread through attachments and phishing techniques that shouldn’t fool a monkey. But then I saw a headline on the news site Ars Technica that made me think that, finally, the right kind of hero would come through to make people use the Internet safely: “Jack Bauer promotes common sense Internet safety.” Yes!
When it comes to getting people to be smart about using the Internet, who better than Jack Bauer of “24”? I mean, if the guy can intimidate presidents, he can handle Joe in marketing.
Think about it: There you are, sitting at your desk, irresponsibly opening any e-mail attachment that comes your way, surfing questionable Web sites, loading software sent to you from a Syrian e-mail address—just having a grand old irresponsible time. But then Jack Bauer walks over, grabs you by the collar and says, “You can start using the Internet safely now, or you can start using the Internet safely later. But later is going to hurt a lot more.”
Yikes! You’d be virus scanning and ignoring attachments in no time.
But it turns out that the headline above was referring to the fact that actor Kiefer Sutherland, who plays Jack Bauer on “24,” is promoting safe Internet usage for teens at the site commonsense.com—a worthy cause, but it won’t help too much at stopping strange-attachment lovers.
So, I guess I won’t have Jack Bauer around to break the fingers of irresponsible Internet users. And while I applaud Moore’s projects, he alone won’t change the culture of many software vendors that don’t rank security as a top priority. We’ll just have to keep doing our best to educate those around us and to secure our systems. To quote David Bowie, “We can be heroes.”
Labs Director Jim Rapoza can be reached at [email protected]