FW: You'll love this

Dawes, Stephen Stephen.Dawes at gov.calgary.ab.ca
Tue Aug 7 17:13:10 EDT 2001


Happy reading you bashers of the other operating system!!!


Steve Dawes
PHONE:  (403) 268-5527. 
E-MAIL ADDRESS:  stephen.dawes at gov.calgary.ab.ca 

-----Original Message-----
From: Steve Mason [mailto:smmason at masoncomputing.yi.org] 
Sent: 2001 August 02 1:56 PM
To: Stephen Dawes
Cc: Steve @ Home
Subject: You'll love this


.comment: The Weakest Link

By: Dennis E. Powell
Wednesday, July 25, 2001 02:26:40 AM EST
URL: http://www.linuxplanet.com/linuxplanet/opinions/3647/1/


Watching the Asteroid Approach

It was amusing, terrifying, interesting, and irritating, all at once.

Last Thursday afternoon I sat here and watched the cable modem go wild, as if thousands of machines were trying to do port scans all at once. That's because thousands of machines were trying to do port scans all at once.

It seemed to come in waves -- first the blinking "incoming" light would flash, then it would flash frequently, then it would be solidly on, semi-flashing like a little orange neon bulb, with only an occasional, sub-second break. Twice, the load was such that the cable modem just shut itself down; once it was nearly an hour before it came back.

I think I keep my machines here buttoned up pretty tightly, safe behind their firewall and running, really, no services. But just as the diver in his cage must as the sharks approach, I had the tiniest bit of doubt. I knew the system was as tight as I could make it, but I didn't entirely believe it.

Last Thursday, in case you didn't follow the industry press closely (there having been unforgivably little coverage in the mainstream media), was when the chief effects of what is known as the Code Red worm were felt.

Code Red is a worm that exploits a known security flaw in Microsoft's web hosting software. The flaws in Microsoft's web hosting software have been so legendary that a couple of months ago a well-known industry web site retracted a report of one, thinking it was repeating a story many months old. An easy mistake to make, but it was the retraction that was wrong: Microsoft had discovered that its earlier fix hadn't secured the product. Now, said Microsoft, here was the patch that would cover the hole. Everyone, said Microsoft, should apply it. Not everyone did; there are nearly a quarter-million known infected servers. (Among those who didn't apply the patch was Microsoft Corp., as many who rushed to windowsupdate.com for the patch last week discovered. A lot of those disappointed visitors made screenshots of what they found.)

What they found was a defaced web page with the URL of a site that had nothing to do with the attack and a claim that the Chinese were responsible, something that has not, best I can tell, been either confirmed or disproved.

If that had been all that Code Red did, it would certainly have been criminal, but there would at least have been the knowledge that the only people affected were those who should have known better. (Here there might be disagreement as to what knowing better would have comprised. Certainly it would at least have involved applying the patch. But there's a good argument to be made that knowing better requires not running any Microsoft Internet-related software on any machine that is connected to any other machine or group thereof, and that is the argument that I shall champion as our story unfolds.)

This worm had more on its squirmy little mind, though, than screwing up a bunch of web pages. It also spun off a hundred threads, each looking for other machines to infect. These, in turn, sent their own hundred feelers. And so on.

The idea, based on dissection of the thing, was to propagate as widely as it could until Friday. At that point it would begin sending 4.1-meg globs of data to the IP address that had been occupied by www.whitehouse.gov, every four hours or so, for a week. Then it would start sending itself all over creation again.

(I oversimplify here a little -- for instance, it defaced the web pages only where it found English language versions of the web server; elsewhere, it would infect but leave the pages intact. There are some additional fine points -- duration and frequency of the attack on the IP address, for instance -- that I have approximated.)

What I was watching Thursday was the frenzied attempt of this monster to propagate, as a hundred discrete threads from each of at least a quarter of a million machines -- 25,000,000 would-be worm infections -- were going just as fast as they could, trying to find a machine to infect. We're talking, in effect, an impressive denial-of-service attack here. If the worm's construction is to be taken as a statement of intent -- something of which we cannot be sure -- then the DoS was merely a side-effect, an overture before the real show began. The White House runs Linux for portions of its web operations, but when you have 25,000,000 attempts by Windows machines to send you 4.1-meg packages, it doesn't much matter what you're running.

We cannot know what the worm's authors had in mind because of a couple of seemingly stupid things that were done. One was to hard-code the IP address of whitehouse.gov. This meant that all that was necessary for the White House to do was to change the IP address of its site, which the White House did. The other was to require a connection before any data were sent. The White House black-holed the hard-coded IP address, so beyond the initial feelers, the worm did nothing. (Imagine 4.1 megabytes times 25,000,000 threads, every four hours, if the coders had done DNS lookup instead of hard-coding the address. That's a pretty decent bandwidth suck, don't you think? And those are just the machines we know about.) But the worm was otherwise fairly sophisticated, I'm told by people who know a lot more than I do about such things. Hard to imagine its programmers would make such simple and obvious mistakes.

It has since been learned that there was apparently a variation of Code Red that appeared on Thursday morning, after which the rate of propagation greatly increased. There is a body of evidence suggesting that the code in Code Red can be changed remotely -- the reason, perhaps, for the variant? Worse, a harbinger of things to come? For, you see, it appears that after it is done not attacking the White House's website, it will start spreading itself around again, perhaps with modifications made on the fly.

Do you suppose everyone who uses Microsoft's web hosting software will have applied the patch by then?

(The thing also was capable of shutting down certain unpatched Cisco routers and -- I don't know why I think this is funny, but I do -- Hewlett-Packard network printers that aren't hidden away behind a serious firewall.)

There is also the possibility that this was some kind of proof of concept. That the whitehouse.gov business was a red herring, coming as it did during the G-8 meeting, and the evil bastards who cooked up this thing have something entirely different in mind. Imagine, a friend mentioned to me this week, if the target had been root nameservers. Add the denial-of-service implications on the Internet in general, and this could be the general mess that people have been predicting for years.

And if that happens, it doesn't really much matter what operating system you are using, if the Internet plays a part in what you do. It would be an order of magnitude increase in what I watched here last Thursday, when my poor little cable modem struggled just to stay alive, let alone actually transfer any data.

We can smugly say that we're not running Microsoftware, but that scarcely means we're immune to the effects of its being used by others who are connected to the Internet.

Just as I was getting set to write this, I checked my mail. In it were two "messages," each of more than 900k, claiming to contain a file that ended in .zip.bat. They were from no one I'd ever heard of, and they had a little message up front suggesting that I would welcome the attached. A little poking around in the usual places produced the news that there was yet another Outlook Express macro virus on the loose. This one performs a variety of tasks, from filling your hard drive to sending your documents to people in your address book. I'd apparently acquired one of the latter, because the macro itself was a little over 300k. It got spread far and wide -- if sysadmins at Microsoft shops can't rub their two brain cells together and download patches for known exploits, how can mere users be expected to know about, let alone do anything about, the obscenely corrupt behavior of the userspace mail program? (Hell, you get an argument on Linux lists when you point out that HTML mail is not secure.)

Point is, nothing here is unfamiliar or unexpected. How long does it take before there's general recognition that Microsoft software has no business on the Internet?



Attitude


There has been a lot written recently, much of it very perceptive and entirely correct, about the bad attitude exhibited by Linux users, usually young and enthusiastic ones but occasionally old and embittered ones. If you are among those, go do something else -- what follows is for the grownups. Write a talkback about how I'm an astroturfer in the employ of Microsoft or something.

Okay.

As Linux users, we've grown accustomed to enduring things that Windows users do not have to endure. We must shop more carefully for hardware, we can pretty much forget off-the-shelf software, and issues like hardware technical support are extra-special ordeals, as my colleague Michael Hall detailed in his memorable column last week.

We put up with it, mostly and with varying degrees of grumbling.

Time has come to draw a line -- a subtle line, but a line nonetheless. It is this: Anyone using Microsoft software in connection with the Internet simply cannot be taken seriously. This doesn't mean we should be impolite in dealing with these persons, any more than we should be impolite to someone who is eager to show you his new computer and it turns out to be a PlayStation. But the fact is that Microsoft has proved to be utterly unconcerned about security. Its own sites have been cracked, over and over. The National Security Agency has joined Linux development after having concluded that Microsoft's code is so corrupt that it cannot even be audited. Outlook macro viruses are commonplace. The web server has been so full of holes that Microsoft has had to keep trying to plug them, to no real effect. And based on this tarnished and pitted record they propose .Net and XP. Do you suppose there will be sudden fastidiousness where security is concerned? This is a real hoot, except that it is the Internet that we all use that their clumsy code will be screwing up. But the appropriate attitude toward Microsoft's willing victims has to be pity. That isn't to say that when someone you know fills your mailbox with Outlook macro virus crap, you don't have a right to be irritated and say so -- but at the same time point out that the person wouldn't look anywhere near as foolish if they were using software not vulnerable to such foolishness. As an example, this, which I just sent:



Subject: the outlook express macro virus you just sent me
Date: Tue, 24 Jul 2001 01:15:37 -0400
From: dep <dep at drippingwithirony.com>
To: [name i'm withholding]

i just received a windows macro virus from you, with the subject "stikbikeboy." it probably has one of your private files attached to it; i do not know and do not plan to dissect it to find out. but you have probably also sent it to others in your windows addressbook as well, or others whose email addresses somehow appear somewhere on your computer.

please either change operating systems to something secure, undertake to secure your windows machine, or disconnect your machine from the internet.

thank you.
--
dep


This isn't to say that bringing Windows users to Linux solves the problem. Microsoft has led them to believe -- incorrectly, as things like Code Red and Outlook macros have demonstrated -- that you need to know and do nothing to use a computer. These are complicated machines, and it takes knowledge to use them properly. That knowledge becomes a responsibility if the computer is attached to any other computer. There are Linux security patches that appear and must be applied, and now we hear of a kernel exploit that can ride in on any corrupted RPM, so we need to be a little more careful in picking the sources of our RPMs. Explaining this to a fed-up Windows user is not easy. A powerful tool is the fact that even if one got rooted by a bad RPM, it's not something that is going to propagate.

Microsoft software spews forth corruption at the slightest invitation. As long as they kept it among themselves, it was their business. But now we're seeing it begin to hinder us all. That is not acceptable. We need to say so, politely but uncompromisingly.

And in the meantime, we can await the next visit from Code Red or a variation thereof. Wonder if Microsoft will have patched its own servers by then.


Copyright © 1999 internet.com Corp. All Rights Reserved.


