May 11, 2004
Can You Prove Otherwise...
Let's take five with Moira Gunn. This is "Five Minutes."
It all started with Microsoft Security Bulletin MS04-011, which was released to the public on April 13th. Or, you might argue, it started earlier. Perhaps when the programmers were busily coding the Windows operating system, or when the software architects were simply envisioning it. Still, it was the public release of this very specific problem with Windows which gave the creators of the malicious worm du jour - Sasser - their big opportunity.
In retrospect, the bulletin makes for fairly ominous reading: "Who should read this document: Customers who use Microsoft® Windows®. Impact of vulnerability: Remote Code Execution. Maximum Severity Rating: Critical. Recommendation: Customers should apply the update immediately."
The most important part of this bulletin reads "Remote Code Execution." These three little words signal that a computer can remotely set up and run a program on another without anyone suspecting.
You don't have to be a computer geek to know that's a very bad thing.
--
I don't want to take the wind out of anyone's sails, but no, you can't write a perfect complex software program. In fact, you may not even be able to write a perfect simple software program. Technology - especially large and appreciably long-lived, multiply-patched and multiply-versioned technology - is not going to be perfect.
So, let's appreciate the position that Microsoft was in. Here they literally have millions of Windows users all around the world, whose computers are vulnerable. By telling these users that their machines are at risk, hackers with nefarious intentions will know about it, too. Should Microsoft simply not tell anyone? Should it try to protect its users by keeping its head low?
Well, you know better than that. How many times in your life have you been caught unawares, and someone said, "I didn't tell you because I wanted to protect you." It doesn't work with technology, either.
At some point in a situation like this a company has got to bite the bullet and tell everyone to download the fix.
--
While there have been conflicting dates about when the vulnerability was found, everyone is in agreement that it only took a few days post-announcement before Sasser was out there invading machines. And to be sure, the conflict between telling and not telling will continue to haunt us.
Mikko Hyppoenen, the Director of Anti-Virus Research at F-Secure, has been a guest on Tech Nation a number of times, and his site provides both detailed instructions on how to recover from Sasser, as well as a detailed analysis of the Sasser programming code. Is this analysis an essential educational tool for systems designers and security advocates? Or is it a roadmap for malicious hackers? The answer, unfortunately, is yes ... to both questions.
Computer technology is a purely human invention. If we can find a way to fix our operating systems - safely and on the fly - I can tell you right now, the solution will seem simple and obvious. On the other hand, there might be no solution to this at all. That's right - it could be an unsolvable problem, and if we're lucky, we can develop a math proof to tell us just that.
So, let's get to work. Either build the technology to avoid having to live with this kind of crisis management, or prove it can't be built. At least, we'd know what we were looking at.
I'm Moira Gunn. This is Five Minutes.