<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.4419.22">
<TITLE>FW: You'll love this</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Happy reading you bashers of the other operating system!!!</FONT>
</P>
<BR>
<P><FONT SIZE=2>Steve Dawes</FONT>
<BR><FONT SIZE=2>PHONE: (403) 268-5527. </FONT>
<BR><FONT SIZE=2>E-MAIL ADDRESS: stephen.dawes@gov.calgary.ab.ca </FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Steve Mason [<A HREF="mailto:smmason@masoncomputing.yi.org">mailto:smmason@masoncomputing.yi.org</A>] </FONT>
<BR><FONT SIZE=2>Sent: 2001 August 02 1:56 PM</FONT>
<BR><FONT SIZE=2>To: Stephen Dawes</FONT>
<BR><FONT SIZE=2>Cc: Steve @ Home</FONT>
<BR><FONT SIZE=2>Subject: You'll love this</FONT>
</P>
<BR>
<P><FONT SIZE=2> .comment: The Weakest Link</FONT>
</P>
<P><FONT SIZE=2> By: Dennis E. Powell</FONT>
<BR><FONT SIZE=2> Wednesday, July 25, 2001 02:26:40 AM EST</FONT>
<BR><FONT SIZE=2> URL: <A HREF="http://www.linuxplanet.com/linuxplanet/opinions/3647/1/">http://www.linuxplanet.com/linuxplanet/opinions/3647/1/</A></FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2> Watching the Asteroid Approach</FONT>
</P>
<P><FONT SIZE=2> It was amusing, terrifying, interesting, and irritating, all at once.</FONT>
</P>
<P><FONT SIZE=2> Last Thursday afternoon I sat here and watched the cable modem go</FONT>
<BR><FONT SIZE=2>wild, as if thousands of machines were trying to do port scans all at once.</FONT>
<BR><FONT SIZE=2>That's because thousands of machines were trying to do port scans all at</FONT>
<BR><FONT SIZE=2>once.</FONT>
</P>
<P><FONT SIZE=2> It seemed to come in waves -- first the blinking "incoming" light</FONT>
<BR><FONT SIZE=2>would flash, then it would flash frequently, then it would be solidly on,</FONT>
<BR><FONT SIZE=2>semi-flashing like a little orange neon bulb, with only an occasional,</FONT>
<BR><FONT SIZE=2>sub-second break. Twice, the load was such that the cable modem just shut</FONT>
<BR><FONT SIZE=2>itself down; once it was nearly an hour before it came back.</FONT>
</P>
<P><FONT SIZE=2> I think I keep my machines here buttoned up pretty tightly, safe</FONT>
<BR><FONT SIZE=2>behind their firewall and running, really, no services. But just as the</FONT>
<BR><FONT SIZE=2>diver in his cage must as the sharks approach, I had the tiniest bit of</FONT>
<BR><FONT SIZE=2>doubt. I knew the system was as tight as I could make it, but I didn't</FONT>
<BR><FONT SIZE=2>entirely believe it.</FONT>
</P>
<P><FONT SIZE=2> Last Thursday, in case you didn't follow the industry press closely</FONT>
<BR><FONT SIZE=2>(there having been unforgivably little coverage in the mainstream media),</FONT>
<BR><FONT SIZE=2>was when the chief effects of what is known as the Code Red worm were felt.</FONT>
</P>
<P><FONT SIZE=2> Code Red is a worm that exploits a known security flaw in Microsoft's</FONT>
<BR><FONT SIZE=2>web hosting software. The flaws in Microsoft's web hosting software have</FONT>
<BR><FONT SIZE=2>been so legendary that a couple months ago a well-known industry web site</FONT>
<BR><FONT SIZE=2>retracted a report of one, thinking it was repeating a story many months</FONT>
<BR><FONT SIZE=2>old. An easy mistake to make, but it was the retraction that was wrong:</FONT>
<BR><FONT SIZE=2>Microsoft had discovered that its earlier fix hadn't secured the product.</FONT>
<BR><FONT SIZE=2>Now, said Microsoft, here was the patch that would cover the hole. Everyone,</FONT>
<BR><FONT SIZE=2>said Microsoft, should apply it. Not everyone did; there are nearly a</FONT>
<BR><FONT SIZE=2>quarter-million known infected servers. (Among those who didn't apply the</FONT>
<BR><FONT SIZE=2>patch was Microsoft Corp., as many who rushed to windowsupdate.com for the</FONT>
<BR><FONT SIZE=2>patch last week discovered. A lot of those disappointed visitors made</FONT>
<BR><FONT SIZE=2>screenshots of what they found.)</FONT>
</P>
<P><FONT SIZE=2> What they found was a defaced web page with the URL of a site that had</FONT>
<BR><FONT SIZE=2>nothing to do with the attack and a claim that the Chinese were responsible,</FONT>
<BR><FONT SIZE=2>something that has not, best I can tell, been either confirmed or disproved.</FONT>
</P>
<P><FONT SIZE=2> If that had been all that Code Red did, it would certainly have been</FONT>
<BR><FONT SIZE=2>criminal but there would at least have been the knowledge that the only</FONT>
<BR><FONT SIZE=2>people affected were those who should have known better. (Here there might</FONT>
<BR><FONT SIZE=2>be disagreement as to what knowing better would have comprised. Certainly it</FONT>
<BR><FONT SIZE=2>would at least have involved applying the patch. But there's a good argument</FONT>
<BR><FONT SIZE=2>to be made that knowing better requires not running any Microsoft</FONT>
<BR><FONT SIZE=2>Internet-related software on any machine that is connected to any other</FONT>
<BR><FONT SIZE=2>machine or group thereof, and that is the argument that I shall champion as</FONT>
<BR><FONT SIZE=2>our story unfolds.)</FONT>
</P>
<P><FONT SIZE=2> This worm had more on its squirmy little mind, though, than screwing</FONT>
<BR><FONT SIZE=2>up a bunch of web pages. It also spun off a hundred threads, each looking</FONT>
<BR><FONT SIZE=2>for other machines to infect. These, in turn, sent their own hundred</FONT>
<BR><FONT SIZE=2>feelers. And so on.</FONT>
</P>
<P><FONT SIZE=2> The idea, based on dissection of the thing, was to propagate as widely</FONT>
<BR><FONT SIZE=2>as it could until Friday. At that point it would begin sending 4.1-meg globs</FONT>
<BR><FONT SIZE=2>of data to the IP address that had been occupied by www.whitehouse.gov,</FONT>
<BR><FONT SIZE=2>every four hours or so, for a week. Then it would start sending itself all</FONT>
<BR><FONT SIZE=2>over creation again.</FONT>
</P>
<P><FONT SIZE=2> (I oversimplify here a little -- for instance, it defaced the web</FONT>
<BR><FONT SIZE=2>pages only where it found English language versions of the web server;</FONT>
<BR><FONT SIZE=2>elsewhere, it would infect but leave the pages intact. There are some</FONT>
<BR><FONT SIZE=2>additional fine points -- duration and frequency of the attack on the IP</FONT>
<BR><FONT SIZE=2>address, for instance -- that I have approximated.)</FONT>
</P>
<P><FONT SIZE=2> What I was watching Thursday was the frenzied attempt of this monster</FONT>
<BR><FONT SIZE=2>to propagate, as a hundred discrete threads from each of at least a quarter</FONT>
<BR><FONT SIZE=2>of a million machines -- 25,000,000 would-be worm infections -- were going</FONT>
<BR><FONT SIZE=2>just as fast as they could, trying to find a machine to infect. We're</FONT>
<BR><FONT SIZE=2>talking, in effect, an impressive denial-of-service attack here. If the</FONT>
<BR><FONT SIZE=2>worm's construction is to be taken as a statement of intent -- something of</FONT>
<BR><FONT SIZE=2>which we cannot be sure -- then the DOS was merely a side-effect, an</FONT>
<BR><FONT SIZE=2>overture before the real show began. The White House runs Linux for portions</FONT>
<BR><FONT SIZE=2>of its web operations, but when you have 25,000,000 attempts by Windows</FONT>
<BR><FONT SIZE=2>machines to send you 4.1-meg packages, it doesn't much matter what you're</FONT>
<BR><FONT SIZE=2>running.</FONT>
</P>
<P><FONT SIZE=2> We cannot know what the worm's authors had in mind because of a couple</FONT>
<BR><FONT SIZE=2>of seemingly stupid things that were done. One was to hard code the IP</FONT>
<BR><FONT SIZE=2>address of whitehouse.gov. This meant that all that was necessary for the</FONT>
<BR><FONT SIZE=2>White House to do was to change the IP address of its site, which the White</FONT>
<BR><FONT SIZE=2>House did. The other was to require a connection before any data were sent.</FONT>
<BR><FONT SIZE=2>The White House black holed the hard-coded IP address, so beyond the initial</FONT>
<BR><FONT SIZE=2>feelers, the worm did nothing. (Imagine 4.1 megabytes times 25,000,000</FONT>
<BR><FONT SIZE=2>threads, every four hours, if the coders had done DNS lookup instead of hard</FONT>
<BR><FONT SIZE=2>coding the address. That's a pretty decent bandwidth suck, don't you think?</FONT>
<BR><FONT SIZE=2>And those are just the machines we know about.) But the worm was otherwise</FONT>
<BR><FONT SIZE=2>fairly sophisticated, I'm told by people who know a lot more than I do about</FONT>
<BR><FONT SIZE=2>such things. Hard to imagine its programmers would make such simple and</FONT>
<BR><FONT SIZE=2>obvious mistakes.</FONT>
</P>
<P><FONT SIZE=2> It has since been learned that there was apparently a variation of</FONT>
<BR><FONT SIZE=2>Code Red that appeared on Thursday morning, after which the rate of</FONT>
<BR><FONT SIZE=2>propagation greatly increased. There is a body of evidence suggesting that</FONT>
<BR><FONT SIZE=2>the code in Code Red can be changed remotely -- the reason, perhaps, for the</FONT>
<BR><FONT SIZE=2>variant? Worse, a harbinger of things to come? For, you see, it appears that</FONT>
<BR><FONT SIZE=2>after it is done not attacking the White House's website, it will start</FONT>
<BR><FONT SIZE=2>spreading itself around again, perhaps with modifications made on the fly.</FONT>
</P>
<P><FONT SIZE=2> Do you suppose everyone who uses Microsoft's web hosting software will</FONT>
<BR><FONT SIZE=2>have applied the patch by then?</FONT>
</P>
<P><FONT SIZE=2> (The thing also was capable of shutting down certain unpatched Cisco</FONT>
<BR><FONT SIZE=2>routers and -- I don't know why I think this is funny, but I do --</FONT>
<BR><FONT SIZE=2>Hewlett-Packard network printers that aren't hidden away behind a serious</FONT>
<BR><FONT SIZE=2>firewall.)</FONT>
</P>
<P><FONT SIZE=2> There is also the possibility that this was some kind of proof of</FONT>
<BR><FONT SIZE=2>concept. That the whitehouse.gov business was a red herring, coming as it</FONT>
<BR><FONT SIZE=2>did during the G-8 meeting, and the evil bastards who cooked up this thing</FONT>
<BR><FONT SIZE=2>have something entirely different in mind. Imagine, a friend mentioned to me</FONT>
<BR><FONT SIZE=2>this week, if the target had been root nameservers. Add the</FONT>
<BR><FONT SIZE=2>denial-of-service implications on the Internet in general, and this could be</FONT>
<BR><FONT SIZE=2>the general mess that people have been predicting for years.</FONT>
</P>
<P><FONT SIZE=2> And if that happens, it doesn't really much matter what operating</FONT>
<BR><FONT SIZE=2>system you are using, if the Internet plays a part in what you do. It would</FONT>
<BR><FONT SIZE=2>be an order of magnitude increase in what I watched here last Thursday, when</FONT>
<BR><FONT SIZE=2>my poor little cable modem struggled just to stay alive, let alone actually</FONT>
<BR><FONT SIZE=2>transfer any data.</FONT>
</P>
<P><FONT SIZE=2> We can smugly say that we're not running Microsoftware, but that</FONT>
<BR><FONT SIZE=2>scarcely means we're immune to the effects of its being used by others who</FONT>
<BR><FONT SIZE=2>are connected to the Internet.</FONT>
</P>
<P><FONT SIZE=2> Just as I was getting set to write this, I checked my mail. In it were</FONT>
<BR><FONT SIZE=2>two "messages," each of more than 900k, claiming to contain a file that</FONT>
<BR><FONT SIZE=2>ended in .zip.bat. They were from no one I'd ever heard of, and they had a</FONT>
<BR><FONT SIZE=2>little message up front suggesting that I would welcome the attached. A</FONT>
<BR><FONT SIZE=2>little poking around in the usual places produced the news that there was</FONT>
<BR><FONT SIZE=2>yet another Outlook Express macro virus on the loose. This one performs a</FONT>
<BR><FONT SIZE=2>variety of tasks, from filling your hard drive to sending your documents to</FONT>
<BR><FONT SIZE=2>people in your addressbook. I'd apparently acquired one of the latter,</FONT>
<BR><FONT SIZE=2>because the macro itself was a little over 300k. It got spread far and</FONT>
<BR><FONT SIZE=2>wide -- if sysadmins at Microsoft shops can't rub their two brain cells</FONT>
<BR><FONT SIZE=2>together and download patches for known exploits, how can mere users be</FONT>
<BR><FONT SIZE=2>expected to know about, let alone do anything about, the obscenely corrupt</FONT>
<BR><FONT SIZE=2>behavior of the userspace mail program? (Hell, you get an argument on Linux</FONT>
<BR><FONT SIZE=2>lists when you point out that HTML mail is not secure.)</FONT>
</P>
<P><FONT SIZE=2> Point is, nothing here is unfamiliar or unexpected. How long does it</FONT>
<BR><FONT SIZE=2>take before there's general recognition that Microsoft software has no</FONT>
<BR><FONT SIZE=2>business on the Internet?</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2> Attitude</FONT>
</P>
<BR>
<P><FONT SIZE=2> There has been a lot written recently, much of it very perceptive and</FONT>
<BR><FONT SIZE=2>entirely correct, about the bad attitude exhibited by Linux users, usually</FONT>
<BR><FONT SIZE=2>young and enthusiastic ones but occasionally old and embittered ones. If you</FONT>
<BR><FONT SIZE=2>are among those, go do something else -- what follows is for the grownups.</FONT>
<BR><FONT SIZE=2>Write a talkback about how I'm an astroturfer in the employ of Microsoft or</FONT>
<BR><FONT SIZE=2>something.</FONT>
</P>
<P><FONT SIZE=2> Okay.</FONT>
</P>
<P><FONT SIZE=2> As Linux users, we've grown accustomed to enduring things that Windows</FONT>
<BR><FONT SIZE=2>users do not have to endure. We must shop more carefully for hardware, we</FONT>
<BR><FONT SIZE=2>can pretty much forget off-the-shelf software, and issues like hardware</FONT>
<BR><FONT SIZE=2>technical support are extra-special ordeals, as my colleague Michael Hall</FONT>
<BR><FONT SIZE=2>detailed in his memorable column last week.</FONT>
</P>
<P><FONT SIZE=2> We put up with it, mostly and with varying degrees of grumbling.</FONT>
</P>
<P><FONT SIZE=2> Time has come to draw a line -- a subtle line, but a line nonetheless.</FONT>
<BR><FONT SIZE=2>It is this: Anyone using Microsoft software in connection with the Internet</FONT>
<BR><FONT SIZE=2>simply cannot be taken seriously. This doesn't mean we should be impolite in</FONT>
<BR><FONT SIZE=2>dealing with these persons, anymore than we should be impolite to someone</FONT>
<BR><FONT SIZE=2>who is eager to show you his new computer and it turns out to be a Play</FONT>
<BR><FONT SIZE=2>Station. But the fact is that Microsoft has proved to be utterly unconcerned</FONT>
<BR><FONT SIZE=2>about security. Its own sites have been cracked, over and over. The National</FONT>
<BR><FONT SIZE=2>Security Agency has joined Linux development after having concluded that</FONT>
<BR><FONT SIZE=2>Microsoft's code is so corrupt that it cannot even be audited. Outlook macro</FONT>
<BR><FONT SIZE=2>viruses are commonplace. The web server has been so full of holes that</FONT>
<BR><FONT SIZE=2>Microsoft had had to keep trying to plug them, to no real effect. And based</FONT>
<BR><FONT SIZE=2>on this tarnished and pitted record they propose .Net and XP. Do you suppose</FONT>
<BR><FONT SIZE=2>there will be sudden fastidiousness where security is concerned? This is a</FONT>
<BR><FONT SIZE=2>real hoot, except that it is the Internet that we all use that their clumsy</FONT>
<BR><FONT SIZE=2>code will be screwing up. But the appropriate attitude toward Microsoft's</FONT>
<BR><FONT SIZE=2>willing victims has to be pity. That isn't to say that when someone you know</FONT>
<BR><FONT SIZE=2>fills your mailbox with Outlook macro virus crap, you don't have a right to</FONT>
<BR><FONT SIZE=2>be irritated and say so -- but at the same time point out that the person</FONT>
<BR><FONT SIZE=2>wouldn't look anywhere near as foolish if they were using software not</FONT>
<BR><FONT SIZE=2>vulnerable to such foolishness. As an example, this, which I just sent:</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>Subject: the outlook express macro virus you just sent me</FONT>
<BR><FONT SIZE=2>Date: Tue, 24 Jul 2001 01:15:37 -0400</FONT>
<BR><FONT SIZE=2>From: dep <dep@drippingwithirony.com></FONT>
<BR><FONT SIZE=2>To: [name i'm withholding]</FONT>
</P>
<P><FONT SIZE=2>i just received a windows macro virus from you, with the subject</FONT>
<BR><FONT SIZE=2>"stikbikeboy."</FONT>
<BR><FONT SIZE=2>it probably has one of your private files attached to it; i do not know and</FONT>
<BR><FONT SIZE=2>do not plan to</FONT>
<BR><FONT SIZE=2>dissect it to find out. but you have probably also sent it to others in your</FONT>
<BR><FONT SIZE=2>windows</FONT>
<BR><FONT SIZE=2>addressbook as well, or others whose email addresses somehow appear</FONT>
<BR><FONT SIZE=2>somewhere on your</FONT>
<BR><FONT SIZE=2>computer.</FONT>
</P>
<P><FONT SIZE=2>please either change operating systems to something secure, undertake to</FONT>
<BR><FONT SIZE=2>secure your</FONT>
<BR><FONT SIZE=2>windows machine, or disconnect your machine from the internet.</FONT>
</P>
<P><FONT SIZE=2>thank you.</FONT>
<BR><FONT SIZE=2>--</FONT>
<BR><FONT SIZE=2>dep</FONT>
</P>
<BR>
<P><FONT SIZE=2> This isn't to say that bringing Windows users to Linux solves the</FONT>
<BR><FONT SIZE=2>problem. Microsoft has led them to believe -- incorrectly, as things like</FONT>
<BR><FONT SIZE=2>Code Red and Outlook macros have demonstrated -- that you need to know and</FONT>
<BR><FONT SIZE=2>do nothing to use a computer. These are complicated machines, and it takes</FONT>
<BR><FONT SIZE=2>knowledge to use them properly. That knowledge becomes a responsibility if</FONT>
<BR><FONT SIZE=2>the computer is attached to any other computer. There are Linux security</FONT>
<BR><FONT SIZE=2>patches that appear and must be applied, and now we hear of a kernel exploit</FONT>
<BR><FONT SIZE=2>that can ride in on any corrupted RPM, so we need to be a little more</FONT>
<BR><FONT SIZE=2>careful in picking the sources of our RPMs. Explaining this to a fed-up</FONT>
<BR><FONT SIZE=2>Windows user is not easy. A powerful tool is the fact that even if one got</FONT>
<BR><FONT SIZE=2>rooted by a bad RPM, it's not something that is going to propagate.</FONT>
</P>
<P><FONT SIZE=2> Microsoft software spews forth corruption at the slightest invitation.</FONT>
<BR><FONT SIZE=2>As long as they kept it among themselves, it was their business. But now</FONT>
<BR><FONT SIZE=2>we're seeing it begin to hinder us all. That is not acceptable. We need to</FONT>
<BR><FONT SIZE=2>say so, politely but uncompromisingly.</FONT>
</P>
<P><FONT SIZE=2> And in the meantime, we can await the next visit from Code Red or a</FONT>
<BR><FONT SIZE=2>variation thereof. Wonder if Microsoft will have patched its own servers by</FONT>
<BR><FONT SIZE=2>then.</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2> Copyright © 1999 internet.com Corp. All Rights Reserved.</FONT>
</P>
<BR>
<BR>
</BODY>
</HTML>