By D. IAN HOPPER, AP Technology Writer

LAS VEGAS (August 1, 2002 2:40 p.m. EDT) - A presidential adviser encouraged the nation's top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.

Richard Clarke, President Bush's computer security advisor, told hackers at the Black Hat conference that most security holes in software are not found by the software maker.

"Some of us, here in this room, have an obligation to find the vulnerabilities," Clarke said.

Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon.

Hackers commonly share their findings with others in their community through e-mail lists or Web sites. But how much they should disclose is an ongoing debate among computer security professionals. Some argue that full disclosure is best, while others say a hacker should only warn that a problem exists without showing how to take advantage of it.

Clarke said hackers shouldn't help criminals by showing how to exploit a programming bug before the software maker has a chance to fix the problem by issuing a patch, or fix.

"It's irresponsible and sometimes extremely damaging to release information before the patch is out," Clarke said.

Companies differ in their response to independent researchers. While some encourage or even reward bug-hunters, others are more concerned about the possibility of extortion or embarrassment to the company. In some instances, they seek civil or criminal charges against the hacker.

Clarke said that situation is "very disappointing," as long as the hacker acts in good faith.

"If there are legal protections they don't have that they need, we need to look at that," he said.
http://www.nando.net/technology/story/484376p-3867743c.html