Software Gadflies Shake Up the Biggies
Paul Greene picked a novel route to a job interview at Microsoft: he broke the company's Explorer Web browser. Or not broke it, exactly. Rather, he found a programming glitch-a bug-in Explorer that would "let me download or upload pretty much anything I wanted from anybody using the browser."At first, Microsoft's reaction was disbelief -- but soon, after realizing the straits he'd spared them, the software giant was offering to fly Greene out to Redmond as a prospective programmer. "I don't know how that's going to go," Greene says of the imminent job interview, "since most of their programmers hate me. I ruined their work, after all."Welcome to the new frontier of extermination: high-tech bug hunters, haphazardly scouring computer software and telecom codes for kinks that, in the wrong hands, might be put to ill use. Software and high-tech companies, of course, have always beta-tested as standard practice. And every company has in-house security experts to screen products before releasing them to the public. But with increasingly complex ware, and the schedule for new versions and updates a constant pressure, it's not unusual for some bugs to escape notice. Which makes bug hunters the new vigilantes: snaring flaws before the hackers do and, just maybe, being rewarded for their efforts.Ever since Greene caught Microsoft's Internet Explorer accessing his hard drive when it wasn't supposed to, would-be bug catchers have been probing the fledgling Web browser for defects. But Greene found his by accident. "The bug had been there for over a year and a half. I couldn't believe I was the only one who had found this."Once Greene and his two roommates at Worcester Polytechnic Institute were certain they had a bug, on February 26, they emailed Microsoft founder Bill Gates. No reply came, so the WPI students, who call themselves Cybersnot Industries, revealed the glitch on the Cybersnot home page, setting up a demo program showing the damage that might be done.In the next 24 hours, the Cybersnot site logged half a million hits. Microsoft noticed, and began fixing the problem -- though not before a hacker in Norway ruined a few hard drives by exploiting the flaw, according to Greene.Bug hunters aren't just scanning the Internet. In late March, Counterpane Systems announced it had cracked a code intended to protect digital cellular telephone calls. As Counterpane's Bruce Schneier describes it, the security breach would allow them to "break into any phone call that uses the supposedly safer digital technology."In contrast to the happenstancial Cybersnot crew, Counterpane is a professional security-consulting firm, making its living by breaking cryptographic codes. But the fundamental goals and results are the same: find a bug, tell the company, and hope you get some recognition for your troubles."Usually the work we do is either for a paying client so we have a nondisclosure agreement, or it's so academic no one cares," Schneier says. But in this case, the security consulting firm took on the digital technology because the industry was instituting what Counterpane believed was an inadequate security standard. And once the consultants came up with the proof, the industry bit back. No sooner had Counterpane announced its discovery than the Cellular Telecommunications Industry Association, a trade group, waved off the report. Digital phones, they promised, could be exploited only using "very sophisticated cryptological knowledge."Such assurances are "naive and foolish," according to Schneier, whose announcement earned front-page coverage in the Times and play in the Wall Street Journal and elsewhere. "If you have a dirty little secret, your security is dependent on keeping it secret. Which means your system can be held hostage by the threat of publication. That's suicide."The necessary but painful medicine Schneier prescribes is full and immediate disclosure. "The proper way to do security is to find the bugs. People who break your systems are helping you. That's not always clear."The same rule should apply in cyberspace, according to Greene. "Once a problem is out there, everybody knows about it. Full disclosure levels the playing field."It's a lesson the industry is beginning to learn. While most software companies welcome help finding bugs, there's generally a lot of chaff to sort through -- "Ninety-nine times out of 100, it's error or confusion," a Sun Microsystems engineer said. But when the bug claims stand up, a company's image is at stake. In the weeks following Cybersnot's announcement, half a dozen more leaks were discovered in Explorer 3.0, including one that could snag users' passwords. The infestation of bugs prompted Microsoft to release a new 3.02 version of the software. Furthermore, the company established a new email hotline, firstname.lastname@example.org, where users can report security problems with Microsoft products.The hotline does more than just let Microsoft know about a problem. It reduces the odds that a flaw will be publicized on the Web, as each of the Explorer slips have been. Having taken 25 to 30 per cent of the browser market from Netscape and elbowing for more, Microsoft has plenty of reason to keep its bugs-and their mention-contained.But from the bug hunters' perspective, attention is all they have. In Counterpane's case, Schneier bets the media coverage "hopefully -- possibly -- will bring in some consulting contracts."Cybersnot's success inspired students at the University of Maryland and MIT to take on Explorer-producing their own Web pages and publicity. And the bugs hunted by a team at Princeton have earned that school frequent mention. "It seems to be a fad going now," observes Greene. "People seem to want to report bugs."As high technology seeps still further into daily life, there's no shortage of fresh material to work with. Which will keep the hunters in business. "The sad truth is I can break most protective systems out there," says Schneier. "I should not be able to do that."