SAN FRANCISCO – A famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes is now going after the software industry, whose standard practices all but guarantee that most products are vulnerable to cyberattacks.
Peiter Zatko, known in the hacker world as “Mudge,” was the best-known member of a pioneering Boston hacking group, the L0pht. More recently, he headed a Defense Department grant program for computer security projects.
Now Zatko and his wife, former National Security Agency mathematician Sarah Zatko, are developing what amounts to a Consumer Reports-style rating system for software.
The initiative, if it catches on, could lead to major changes in the business practices of some of the largest software companies. It could also, he says, help deliver something that decades of the free market, the open-source movement, government commissions and lawyers have not: software that is consistently secure, or at least very expensive to compromise.
On Wednesday at the annual Black Hat security conference in Las Vegas, the duo explained how their system works and pointed out some of the early winners and losers in their analysis.
Among the preliminary findings: on Apple’s Macintosh computers, Google’s Chrome web browser is significantly harder to attack than Apple’s Safari, which in turn is much more secure than Firefox. Many Microsoft products have scored quite well so far, but its Office suite for Mac did terribly.
The Zatkos’ system, which they have licensed in perpetuity to a new nonprofit, is a radical attempt to solve a problem that has vexed software customers for decades: There is no unbiased, consistent method for rating the security of programs.
“We need a nutritional label,” Peiter Zatko said in an interview. “You might care more about sugar or carbohydrates or protein, but if we tell you about all of it, a nutritionist can help you come up with the appropriate diet.”
Such a ratings system could prove very valuable because no other approaches to assuring secure software are working. Courts have held that software is licensed, not sold, so no product liability lawsuits can be brought for defective goods.
Big buyers can insist on third-party code audits, but that is an arduous process that few want to repeat with every new purchase.
Government and private certification programs often give an incentive to develop software that meets minimum requirements and penalizes those who spend more to make it safer.
The Zatkos’ approach begins with looking not at the computer code itself, but rather the digital outputs of compiling the code, known as binaries, which tell the machines what to do.
“Source code is the theory, while binary is the practice. It makes a huge difference in how secure the actual product is,” Sarah Zatko said.
The new approach shows the critical role played by compilers, which turn source code to binary. Major strides have been made in preventing compiler flaws, but many vulnerabilities remain.
Among the people most interested in the fine-grained results of the software ratings are insurance companies, which have been hard-pressed to estimate reasonable premiums for insurance against hackers.
But even without specific financial pressures, the Zatkos hope software buyers will want to look harder at where the risks are and then do something about it, forcing software creators to do better jobs.
“We’ve just been paralyzed so far, but hopefully this is something that can get us over the hurdle,” Peiter Zatko said.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.