Code Red, The Love Bug, The Anna Kournikova worm, Back Orifice, SubSeven,
SirCam, etc, etc.
What do all these have in common -- apart from the fact that they're worms,
trojans or viruses?
Yes, they're all Microsoft-specific.
Without Microsoft's lax coding and delinquent security model, none of these
malicious little bits of code would have had a hope of surviving or
replicating in the way they have.
Last week we were very, very lucky that the Code Red worm was written in such
a manner that it was easy to dodge its cyber-bullet -- but what about
next time? Will we be as lucky?
The fact that so many servers were infected so rapidly and that most IP addresses
around the world were, just prior to mid-day Friday, receiving between five and
ten probes per hour must surely be a sobering warning.
And now we see that, despite more than a year of repeated warnings from the
industry and the media, email-borne worms such as SirCam are still proliferating
at an alarming rate.
So what's my point?
I think it's obvious that education isn't a particularly effective tool in
the fight against worms, trojans and viruses.
How many of those responsible for administering Microsoft IIS webservers that
got hit by Code Red weren't already aware of the need to apply all security
patches as soon as they became available?
How many users of Microsoft's Outlook email program who got hit by SirCam
already knew that it's a bad idea to open unsolicited attachments?
How many users of Microsoft Windows aren't aware that they should be running
an effective anti-virus program?
Clearly the message either isn't getting through -- or people can't be relied
on to act sensibly even when they do have all the facts before them.
Now if the only victim of the stupidity we've seen recently was the idiot
who ignored the warnings then I would not be so concerned -- but, in the case
of a growing number of these malicious pieces of code, the effects of
infection reach far beyond an idiot's own machine.
If the Code Red worm had worked as intended, huge segments of the Net would
have ground to a halt -- inconveniencing you and me -- and probably costing
many businesses quite a significant amount of money in lost revenues or
additional expenses (falling back to phones and faxes because email couldn't
get through, etc).
Perhaps it's time that we brought more pressure to bear on Microsoft for their
absolutely appalling attention to detail in the security area?
Now it's fair to say that creating secure software is no trivial matter, so
perhaps we shouldn't be too hard on them -- but on the other hand, Microsoft
is no trivial company, is it?
How would you feel if you paid good money for a brand new car, only to find
out that the door locks kept popping open at regular intervals when you left
it parked in a public place? How would you feel if the dealer's response
was simply "well we do have a fix for that but it might happen again so
you'd better check with us every day just in case" -- because that's
exactly what's happening with Microsoft's software.
What good is a business computer if you can't trust it to keep your data safe
when you're logged on to the Net so as to send and receive email?
What good is a personal computer when you're constantly having to check and
make sure that there isn't another security hole that requires yet another
half-hour download to fix?
There ARE alternatives to Microsoft Windows and the launch of XP might
be an extremely good opportunity to reconsider your future direction in this
area. The only way Microsoft are going to be forced to get serious about
the security of their products is when people start saying "no thanks"
to its products.
Up to now there has been little incentive for Microsoft to do a good job -- after
all, most people just keep buying their offerings whether they're secure or not --
and the design and testing of PROPERLY secure software is an expensive
operation. When you're in a near-monopoly position, such expenses can be
seen as an unnecessary burden on profits.
Remember -- Microsoft's IIS webserver program is now several years old -- yet
it still had such a huge hole in it that around 300,000 computers running it
were compromised within a very short space of time.
Now stop and think ... do you REALLY want to entrust your valuable
personal or business data to a computer running a brand-new (and therefore
far less tested) version of Microsoft's XP software?
Can you afford the risk?
Aardvark also makes a summary of this daily column available via XML using the RSS format.