Four observations on Code Red

Code Red. It was hard to miss. From Atlanta to

Boston to
Chicago and
Toronto, the newspapers this week were full of warnings
about a Chinese worm. Ron Dick, director of the National Infrastructure
Protection Center (NIPC) warned that Code Red was a pending disaster, and
that the integrity of the Internet was at risk. He and officials at other
government security organizations called upon Web site administrators running
Windows NT or Win2000 to download a patch before it was too late.

The new virus was yet another in a series of worm viruses that take
advantage of the weaknesses in Microsoft’s server architecture. Code
Red worm enters servers running Microsoft IIS, by targeting the IIS
indexing service DLL. Once in control it distributes itself to other IIS
machines, over a roughly 19-day infection cycle, and then, for an eight-day
period, floods the target site, in this case whitehouse.gov. (For all of
those Linux users for whom this is all academic, an explanation of the IIS
buffer overflow vulnerability is available at CERT’s Web
site ). It also affects Cisco 600-series DSL routers, which may stop
forwarding packets.

In any case, the site’s IP address was changed last week,
effectively eliminating the target of the worm. But early this week, the warnings
issued by Dick were more strident than ever.

When I look at this virus attack, like so many before it, there are
four things I’ve noticed:

Observation #1: Panic for a profit

I can’t tell if there was a problem here. Was this just one more
“hystericane,” an unjustified virus panic about an event that
Vmyths.com
predicted wouldn’t happen?

Some Asian security sites predicted the worm would stay dormant
after its last attack. But eEye and Steve Gibson of Gibson Research warned
of trouble ahead. Gibson performed an analysis of the worm, which
he would begin the cycle of
infection and attack all over again beginning August 1.

Unfortunately, if the worm does launch a follow-up attack, the
collateral damage, involving clogging up the Web with thousands of
misdirected requests, will be real, and it could continue for some months. As
PBS commentator Robert Cringely points
out, there are tens of thousands of servers whose owners don’t
regularly maintain them. Those servers could continue to harbor and
distribute copies of the virus, and continue to affect the performance of the
Web for some time.

We’ll soon know if the threat is real. So far, the Japanese agency
for IT security said found little evidence of any impending flood caused
by Code Red. Neither did the Hong Kong Computer Emergency Response
Team Coordination Centre, which was interesting considering that the virus allegedly originated at School of Engineering at Foshan University in nearby Guangdong, China. This week, Dick, of NIPC, admitted that there was little evidence of
any impact. Still, sites like
Internet Traffic Report and The Internet Weather Report did
identify some degradation in system performance and increased
latency — possibly caused by thousands of people sending out panicky
mass emails about the pending end of the Net.

So was the threat overblown? U.S. officials claim that we still
won’t know for a number of days, but part of the problem with the evidence
is that there is so little of it — and that virtually everyone
associated with the panic has something to gain by stampeding the Internet
community. It’s budget cycle time in Washington. There’s never a better
time than late July for government security types to spread fear that
something is going to wipe out the Web.

In addition, the tech malaise has been particularly hard on the Web
security businesses. Take the case of government security advisor
Predictive Systems (formerly Globalintegrity.com). Despite its government contracts, revenue is down by 22%.
Other security software developers and IT security “advisors” are
having similar trouble. In the best of times, none of these groups are
likely to soft-pedal any potential threat.

In this case in particular,
vendors drove the perception of the threat. Take the case of eEye Digital
Security. The company sells Secure IIS, which is allegedly resistant to Code Red.
eEye was the first to tell the world about the problem, the first to
disassemble the code, and the first to assess its possible affect on
server traffic, long-term. Call that all a coincidence if you wish.

Observation #2: A license for anarchy

“There is a time when the operation of the machine becomes so
odious … that you can’t take part; you can’t even passively take part,
and you’ve got to put your bodies upon the gears and upon the wheels,
upon the levers, upon all the apparatus, and you’ve got to make it stop.
And … unless you’re free, the machine will be prevented from working
at all!” — Mario Savio, 1964

Who would’ve thunk it? That Microsoft, of all corporations, could
give birth to the best e-tool of all times for performing Techno Civil
Disobedience, big time. The developers of the Code Red worm, and
its inevitable copycats, have been provided with the ideal tool for really
messing with an institution that someone decides needs a good
electronic bombing. As any good anarchist would tell you, all institutions, all
power is ultimately subject to the veto of one, incredibly pissed-off
human being. Until now, that veto came at a terrible cost to the perpetrator.

But now, thanks to the idiocy of Microsoft’s IIS design, there’s no
need to resort to physical violence, or go to the next globalization
demonstration prepared to get your head kicked in. A truly disgruntled person
with reasonable technical chops can take down any entity deemed insufficiently correct
politically, or the domain used by his former employer, or
ex-girlfriend, and make tens of thousands of Microsoft servers into
co-conspirators.

Observation #3: Where’s a lawyer when you need one?

“To err is human but to really foul things up requires a
computer.”

With all the paranoia concerning corporate liability issues, I’m
surprised that no one has suggested that Microsoft and its customers
may have a potentially whopping legal exposure on their hands for these
constant security problems. To begin with, Microsoft is a major federal
contractor. Anyone else performing government services knows Microsoft risks
being sued for “failure to perform” or an for any alleged failure to
meet “technical requirements of the contract.” Ask any defense
contractor. Defense contractors like Boeing have been sued for allegedly faulty products.
So has GE, just to name a couple of companies.

The feds may not think they have a direct claim. Most of the
software causing them trouble wasn’t theirs. However, there is plenty of
material for a legal case holding Microsoft legally responsible for creating
a public nuisance. To begin with, vending a product the producer knows
to be inherently dangerous, is a bad place to be legally. And it’s hard to
argue, after all the repeated patches, that Microsoft doesn’t know that
its server design (and development process!) isn’t inherently flawed,
and capable of creating a really big, public mess.

While I’m no lawyer, I’m aware that there is a great body of “public
welfare” law that describes the heightened duty of a vendor of products
“that affect public health, safety or welfare,” to commit no act of
omission (like sloppy design or inadequate quality assurance). While most
of these legal cases have been focused on dangerous chemicals or
explosives, the developer of any product whose design allows it to damage
millions of dollars in public or private property has a big problem on
their hands. No amount of disclaimers in a license will secure
Microsoft from a liability claim filed by a third party.

Observation #4: Why avoid the obvious solution?

I am no Linux zealot. I agree with many of the critiques of the
Linux movement, and I tried but gave up on many of the Linux desktop
applications. I think that Microsoft’s Active Directory is potentially a
“killer app” for the enterprise. But why anyone would use
Microsoft’s IIS server when there are better, cheaper solutions is beyond me. Part of
the problem may be that government advisors are stacked with firms like
Globalintegrity.com who have a long-term relationship with Microsoft as
part of the company’s Microsoft Security Partners Program.
Nevertheless, The National Infrastructure Protection Center is in charge protecting the
Web, and preventing trouble — not just issuing hysterical warnings
after it is too late. Why didn’t the recommendations include Linux? Apache?

You might want to ask that
question yourself.