Ranum In The Lion's Den
by Lewis Z. Koch

Watching Marcus Ranum excoriate 1,500 computer security experts, hackers and various overt and covert federal agents at the Black Hat Briefing Conference in Las Vegas in August was like watching Daniel walk into the lion's den and deliberately pull out cats' whiskers every minute or so. Not pretty to watch. Deliberately provocative, perhaps even stupid. Yet even those who violently disagree with Ranum give him spades in smarts, so attention was paid.

"I believe the public at large is getting sick of hacking," Ranum said. "Joe Average is starting to wake up and realize that the hackers and scriptkiddies are not his friend . . . And when Joe Average gets woken up, he lashes out in anger by calling up congressmen." The result, he predicted, will be "Washington helping us with knee-jerk legislation."

It's not real hackers who are doing the majority of break-ins, Ranum said. It's the "thousands of scriptkiddies" - wanna-be hackers who lack the technical skills needed for traditional hacking, and so rely on cracking tools, widely available on the Internet, to probe networks.

"Look at your typical Web site," he said. "It's going to get scanned 20 or 30 times a day." But the person doing the scanning won't be some hacker, he said, but "some guy who just downloaded Back Orifice," a tool for breaking into Windows sites, and is just randomly trying Internet Protocol addresses to find a hole into the system.

The real culprits in this scenario, Ranum insisted, are the computer security experts who tease out the vulnerabilities in flawed software, then publish those vulnerabilities in the form of "exploit scripts" - basically "how-to" instructions for scriptkiddies.
Flaws and vulnerabilities are published without exploit scripts in responsible venues like the Community Emergency Response Team, the Federal Computer Incident Response Capability, the FBI's National Infrastructure Protection Center, Internet Security Systems, Common Vulnerabilities & Exposures and the National Institute of Standards' ICAT list of vulnerabilities and patches. But many are published with exploit scripts on security-focused sites, such as Bugtraq and NT Bugtraq; on hacker-focused sites such as Fyodor's Playhouse, insecure.org, packet storm or Rootshell; or in the hacker magazines Phrack and 2600.

So where is all this flawed software coming from? It seems the well of bad programming is bottomless. For starters, Windows 95 and 98 are security minefields. Windows NT/2000 is far safer, but has its share of vulnerabilities. Microsoft's latest operating system, Windows Millennium Edition, is aimed at the consumer market. It's not clear how vulnerable it is. Linux and proprietary Unix operating systems, such as Sun Microsystems' Solaris or IBM's AIX, are touted as more secure than Windows, but they have their share of holes.

Nor is the problem confined to operating systems. An endless stream of vulnerabilities has plagued the 20-year-old Sendmail program, found on about 80 percent of all e-mail servers. And lately, many of the most dangerous holes have been found in the Internet Explorer and Netscape Web browsers. These are usually by-products of modules or plug-ins coded in ActiveX, Java and Javascript or some other active scripting language. Myriad other security holes are the work of smaller developers that sell Net-based software that fails to provide even minimum security.

All these vulnerabilities - and the readily available information about them - add up to an all-you-can-eat buffet for scriptkiddies.
Don't believe it

Ranum attacked as mere "myths" the key arguments that hackers and security experts offer for releasing exploit scripts:

Myth 1: Scriptkiddies know hacking tricks. No, Ranum said: "The reality is that the scriptkiddies don't know these techniques. Scriptkiddies, in fact, don't know anything."

Myth 2: Full disclosure of bugs and vulnerabilities is a good thing because if "we go to a full-disclosure environment, the vendors are not going to be able to hide their bugs once they've been disclosed." Not so, Ranum said: "Look at the work @Stake/L0pht - a hacker consortium turned Internet security start-up - has done with successively dismantling Windows authentication systems. And it's still not fixed. If full disclosure was going to cause these things to be fixed, you would think that a giant like Microsoft would have already fixed a giant flaw L0phtcrack exposed. No, in fact, L0phtcrack is not exposing any flaws anymore. It is exposing users to having their accounts ripped off. Sorry to the guys at L0pht, but stop distributing that stuff."

Myth 3: "It's necessary to disseminate information on software flaws in order to make better systems in the future. The argument is, if you're trying to build better bank vaults, you have to hire a safecracker to tell you what not to do in the future." "This myth doesn't make sense," Ranum argued. "It certainly doesn't play in the modern software security environment, because 99.9 percent of the vulnerabilities being found are extremely well-known vulnerabilities. We already know about buffer overruns. We already know about making sure your configuration files are protected against overwriting. We already know about jumping across permissions boundaries. We already know those things - and we consistently get them wrong."

Myth 4: This attack is for your own good.
"Those of you being punished by script-kiddies for not updating your software are supposed to feel very thankful to the people who are publicizing these flaws," Ranum said. But in reality, this rationalization is nothing more than "self-promotion, financial gain or ego massaging on the part of the practitioner of full disclosure."

Finally, Ranum offers three predictions about the future directions of security and hacking:

1. Vendors will be held accountable for their negligent actions.
2. Those distributing attack tools will face civil liability lawsuits.
3. Cops will stop chasing hackers. They're too busy with more important crimes. Let the lawyers take over.

"Scriptkiddy (scrihpt-kih^dee), [n]: 1. A computer user who utilizes the work of other more skilled people for personal gain, typically without giving anything back to the computer security community; 2. A computer user who maliciously, and without authorization, modifies the contents of Web sites; 3. A computer user who claims a higher skill level than he or she genuinely possesses."
- Jay Dyson, Senior Security Consultant at OneSecure
Lewis Z. Koch has been an investigative reporter for over 30 years.
He can be reached at lzkoch@attbi.com.
HTML by Out Back Puppy