A famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes is now going after the computer software industry, whose standard practices all but guarantee that most products will be vulnerable to cyber attacks.
Peiter Zatko, known in the hacker world as Mudge, was the best-known member of pioneering Boston hacking group the L0pht. More recently, he headed a Defence Department grant program for computer security projects.
Now Zatko and his wife, former National Security Agency mathematician Sarah Zatko, are developing what amounts to a Consumer Reports-style rating system for software.
The initiative, if it catches on, could lead to major changes in the business practices of some of the world's largest software companies. It could also, he says, help deliver something that decades of the free market, the open-source movement, government commissions and well-paid lawyers have not: software that is consistently secure, or at least very expensive to compromise.
On Wednesday at the annual Black Hat security conference in Las Vegas, the duo will explain how their system works and point out some of the early winners and losers in their analysis. Among the preliminary findings: on Apple's Macintosh computers, Google's Chrome web browser is significantly harder to attack than Apple's Safari, which in turn is much more secure than Firefox. Many Microsoft products have scored quite well so far, but its Office suite for Mac did terribly.
The Zatkos' system, which they have licensed in perpetuity to a new non-profit, is a radical attempt to solve a problem that has vexed software customers for decades: There is no unbiased, consistent method for rating the security of programs.
"We need a nutritional label," Peiter Zatko told Reuters in an interview. "You might care more about sugar, or carbohydrates, or protein, but if we tell you about all of it, a nutritionist can help you come up with the appropriate diet."
Such a ratings system could prove very valuable because no other approaches to assuring secure software are working. Courts have held that software is licensed, not sold, so no product liability lawsuits can be brought for defective goods.