LAS VEGAS. Hacker is not a bad word. That’s the assertion of Peiter “Mudge” Zatko, Program Manager, Information Innovation Office, Defense Advanced Research Projects Agency (DARPA) in the U.S. Government. Zatko delivered the keynote address at the Black Hat security conference, a stage he’s familiar with, having formerly been a well-known hacker with the L0pht hacker collective, which was famous for its L0phtCrack password cracking tool.
Zatko noted that his goal in speaking at Black Hat was to help build a bridge between the security community and the government. He stressed that the modern approach to building security solutions for both government and commercial use isn’t working as well as it could or should.
Zatko explained that DARPA keeps a watchlist of software deployed in the Government that needs patching or security fixes. As a source of irony and frustration, Zatko said that on a recent list, six out of 17 vulnerabilities that DARPA was tracking for fixes were in security software. So the software that is supposed to be securing the government is in some cases vulnerable and still unpatched.
The other issue that Zatko is worried about is the fact that modern software is built in multiple layers, which end up increasing the attack surface.
“There is no small target and large target anymore,” Zatko said. “Everything is a large target in modern operating systems.”