Internet Security Conference: No Slack : Introduction

06:00 - Tuesday 2 May 2000 by Elizabeth Connor
Source: Tom's Hardware – Keywords: internet, security, conference

Table of contents:

Introduction


Those were the days when the company mainframe was locked up in the basement. To steal sensitive information the bad guy literally had to break into the building, find the room with the mainframe and copy the data. But then the network was created: the LAN and, of course, the network of all networks, the Internet, connecting every computer on the planet.

This has changed everything, especially the data security landscape. The recent denial-of-service attacks on sites like CNN.com showed how vulnerable Web sites are to malicious attacks from the Internet. And every new Web site represents yet another potential target.

At the Internet Security Conference in San Jose, California, security experts got together to discuss the situation. Marcus Ranum, CEO of Network Flight Recorder and former Usenet news guru, was one of the keynote speakers and delivered a somewhat controversial point of view, talking about cultural issues in Internet security. Hackers are not cute whiz kids, he said, but amateur terrorists who do not even have an ideology. In the past the press in particular glorified the teenage hacker as a computer genius, implying that all the software engineers working on Internet security are idiots. In reality the "hacker genius" often just downloads his tool from one of the hacker sites and gets lucky. He gets all the glory; the software engineer gets fired.

Of course there are the 'friendly' hackers who just want to help make the Internet a safer place by finding bugs. But then they go ahead and disclose every detail, handing out instructions on how to break into a site on a plate and compromising the company that operates the Web site even further. These guys, said Ranum, are either on an ego trip, flaunting their 'brilliance', or they are trying to sell their own security tools as counter-measures.

The right way to disclose a security bug on a Web site, in Ranum's view, is to notify the vendor and provide him, and only him, with the details needed to reproduce the bug. Then ask the vendor when he will issue a fix. If the vendor does not come up with a fix within a reasonable amount of time, it is acceptable to publish the existence of the bug, but still without disclosing the details.

Ranum also appealed to companies not to hire ex-hackers as security consultants: it is like using reformed wolves as shepherds. Why should we reward them for their criminal past? Ranum sees a wave of civil lawsuits rolling towards the authors and distributors of attack tools. The big companies are really sick of getting hacked and will seek retribution. Unfortunately, teenage hackers usually do not have a lot of financial assets ...
