Computer Crime Research Center

library/worms.jpg

Fighting the worms of mass destruction

Date: November 28, 2003
Source: Computer Crime Research Center


Page 1 2
... success in creating a virtual monopoly. Some 94% of PCs run on Windows. So nearly all the computers on the periphery of the internet, where the users are lay people rather than professional network-administrators, rely on the same software, which happens to be of Byzantine complexity. This practically invites hackers to attack these machines. A single good hit at Windows could take down the whole system.


Not surprisingly, Microsoft bristles at this line of thought. The only reason the firm has been bundling the operating system with applications is that customers want it to, says Mike Nash, a Microsoft executive in charge of security issues. He finds it “personally insulting that people think our motivation is anything else.”


Mr Nash also denies that Windows' code is less secure than other operating systems', such as Linux or Apple's Mac OSX. Scott Charney, another Microsoft executive, goes further and defends the monoculture. If one operating system is dominant, he says, companies can save costs by training IT staff only once, and security updates are easier since there is only one source of the patches that mend flaws.


But the patches often create more security problems than they fix, and there is a fear that Microsoft might use such regular access to desktops to keep rival software-makers away, thus reinforcing the source of the original problem, its monoculture. “If you don't trust us to download our patch, then you shouldn't be running our software,” counters Mr Charney, as if consumers had a real choice.


Nonetheless, even if Microsoft, with its disproportionate share of the market, constitutes a disproportionate share of the problem, it is not clear what to do about it. Many of the arguments sound tediously reminiscent of the American government's prolonged antitrust case against the firm in the late 1990s. Even Mr Geer, for instance, is not advising that Microsoft be broken up. Instead, he wants Microsoft to make its applications run on any rival platform, and to publish the interface protocols that will allow rival applications to spring up and survive. This might lead to some biodiversity of code.


Mr Schneier, one of the authors of the report submitted by Mr Geer, proposes a more fundamental solution. Cybercrime, he argues, is “not a technological problem; it's an economic problem: the incentives aren't there for smart people to solve the problem.” The culprit, in other words, is the licences that require buyers of new software to click their assent that the vendor is not liable for any flaws in its software. As long as software vendors–and this is not specific to Microsoft–cannot be held liable for security issues, Mr Schneier says, the economic incentives are stacked toward adding bells and whistles and shipping upgrades fast, rather than toward writing simpler, safer software.


Changing the law so that liability does rest at least in part with vendors, he argues, would align the incentives properly and lead to other good things as well. Software companies, just like firms in other industries, would buy product-liability insurance. Insurance companies would respond by pricing the risk, in effect voting on the security of each product. Just as companies that install sprinklers in their warehouses pay lower premiums and have a competitive edge over rivals that do not, software companies that write safer code would have an economic advantage.



In what could become a precedent, the first lawsuit against Microsoft on product-liability grounds was filed in a court in Los Angeles in October, accusing the company of violating California's consumer-protection laws by selling shoddy software. Legally, the approach may be controversial. Suing Microsoft over a Windows virus is not quite analogous to suing, say, a carmaker for selling vehicles that tip over while being driven. In the first case, a third party, the hacker, is committing a crime by exploiting a weakness in the product; in the latter case, the product fails without outside criminal intervention. A better analogy may be suing a maker of bullet-proof vests whose products fail to protect their wearers against bullets.


Some argue that the cost of insuring against product liability might stifle software innovation. Not so, says Stanford's Mr Lessig. A small upstart company making a small operating system would not present much of a target to hackers, and would thus pay negligible premiums. In any case, even if caution did lead to a few programs not being written, says Mr Schneier, so what? America's Food and Drug Administration can be said to stifle innovation too in so far as it leads to the marketing of fewer but safer drugs. In software, the risks are now simply too great not to make a similar trade-off, he says.


Microsoft argues that the constant attacks against its software–4,000 so far against Windows, according to Symantec, an anti-virus company–are threatening its brand and business prospects even without litigation. The argument that without product liability companies won't pay attention to security “is just not true,” says Mr Charney. Microsoft has already pulled out all the stops, he argues, and is retraining its programmers, reviewing their code and changing its entire culture. Unfortunately, security has to be built into software from the beginning–patches are just what their name suggests.



Concentrating entirely on the accountability of software vendors is like fighting burglary by leaning on the makers of alarm systems. A parallel approach to the problem of internet insecurity is, therefore, to focus on the internet's users, discouraging bad behaviour and ensuring that criminals can be traced. Legally, however, that could become as controversial as product liability. Mr Lessig suggests using a bounty system to catch hackers, which might involve enlisting those most able to catch them–namely, other hackers. “I'd bet my job that it works,” he says.


The issue boils down to the question of how much anonymity society can tolerate on the internet. Drivers' licences and registration plates dramatically reduce the incidence of hit-and-run accidents. Crack cocaine is never bought by credit card. If everybody on the internet were easily traceable, people would think twice about hacking. “I'm kind of a fan of eliminating anonymity,” says Alan Nugent, the chief technologist at Novell, a software company, “if that is the price for security.”


The internet is heading in this direction already. Enrique Salem, Brightmail's chief executive, says that all e-mail in future will either be authenticated or be sent into a quarantined in-box where few will dare to click. The sender's authentication may well be tied to a driving licence, social-security number or passport. An entire industry has sprung up to work on other forms of identification, such as the biometric scanning of irises or hands.


All this may not be pleasing to libertarians, who envisioned the internet as offering individuals the cover of relative obscurity. What use is the network to dissidents in China if the Communist Party is watching everything they do online? And what use is the internet, whose whole point was to connect people, if it is balkanised into separate, walled subnets?


The reality, however, is that the internet is already balkanised. Companies and governments have intranets, where users' privileges depend on their log-in. Virtual private networks (VPNs) traverse the public internet like guarded convoys. For example, employees at Merrill Lynch, an investment bank, cannot check their Hotmail or Yahoo! e-mail accounts while surfing the internet at work.


The proper analogy for what the internet might evolve into, says Novell's Mr Nugent, is a public library, a place where readers can browse in relative anonymity, but only until they take a book out, at which point they have to identify themselves. The degree of traceability varies with what one does in such a place.


To preserve freedom further, suggests Mr Lessig, anonymity could be replaced by pseudonymity. It might become legal, for instance, to have credit cards for online transactions under different names, as long as these could still be traced to the individual owner. The challenge is to set the legal hurdles for online search warrants high enough so that governments cannot abuse their power. But at the same time to keep them low enough so that criminals can be found and stopped. In this respect, the online world should be no different from the real one.
Page 1 2
Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-08-25 19:43:22 - Your blog is realy very interesting.... mishel
Total 1 comments
Copyright © 2001-2024 Computer Crime Research Center
CCRC logo