November 24, 2004

Malware: It's like a bad dream

Author: Joe Barr

This is a fairy tale, a dream I had last night. Any similarity between real kingdoms, and real kings, and real journalists, is purely coincidental. Obviously the things depicted here could never happen in real life, or in real journalism. We are much too fair and balanced for that.One day long ago, in a large kingdom far away, the king woke up to the fact that the Internet was a happening kind of place. Not only that, the king's own closed and proprietary network -- which he fondly called the Monopoly Spread Network -- was hemorrhaging cash so fast that even the king began to notice. The king ordered his software people to do what they do best, and they rushed out forthwith and purchased a Web browser. Now that the king had a browser he could call his own, he began to explore this place called the Internet.

Soon all the king's subjects were roaring around the Information Highway just like they knew where they were going. Everything was cool. At least it looked that way. The King squeezed very hard with all his monopoly muscle to make his browser the only choice for the masses. He squeezed so hard, in fact, that it attracted the Evil Witch of Dawj, whose name was Janet.

Browser design by MBA

The Evil Witch took the king to court, crying that he was an unfair lout who was clubbing his competition to death with his monopoly stick. The judge listened, and the judge pondered. Finally the judge said, king, you can stay. But that browser has to go.

The king frowned, and his monkey boy jester trembled. He always trembled when the king frowned. The two huddled and schemed and planned and connived and conspired to come up with a plan that would allow the king to keep his browser. Finally, they came up with an answer! And back to court they went.

"We can't remove the browser, your honor, because it has decomposed into teensy tiny little browser bits, and now it's a part of the operating system itself. But this is a good thing, judge, because it will let all of our applications be "Internet-aware!"

To be fair, the judge allowed a compromise. All those browser bits wouldn't have to be removed, just kept out of sight. Surely they couldn't harm anyone if you couldn't even see them.

Now it had also just so happened that, in order to be the coolest browser in town, the king and his software designers had decided to try to lock customers in to both their Web server and their Web browser. To make this unholy alliance work, they decided to let subjects accept and run software from the server without their even knowing what was happening! All the subjects needed to know was that it was cool. The king was very big on cool.

In a perfect kingdom, the collusion between server and client might have remained something cool. But the Internet is not a perfect place, and soon bad people began to learn just how easy it was to do bad things to the king's subjects' computers, without them even knowing. Not only did the design invite such behavior, it made it possible to hurt people through email and instant messaging as easily as they could from a Web browser. When this all dawned on them, they said, "Cool!"

The Age of Malware

And so the Age of Malware was upon us. Viral adware, spy-bots, DoS agents, keyboard sniffers, and cracker havens flourished, not only because of the design of the king's platform, but because there were so many different ways to exploit the fatal flaws. Smaller kingdoms sprang up, getting rich off the epidemic. Everyone running the king's software needed protection and cure. It was heaven for security companies and security gurus. But the king and his monkey boy chafed under the criticism their platform received. Worse yet, a rogue freeware platform appeared to be virtually immune to the malware monsters.

They huddled again, this time for weeks. Finally the two emerged with a great Five Year Plan to combat the twin enemies of reality and free software. First of all, the king would issue a proclamation. "Evil is Evil!" he declared. Then he vowed that from now on, fighting evil would be priority numero uno in his kingdom.

Next, they decided to completely ignore the design decisions that created the viral epidemic in the first place. Better, they thought, to blame their subjects, their software partners, and independents rather than take responsibility. And with an imperial wave of his baton, the king made it illegal to speak of the design flaws in the press. This was known as the Don't Misspeak Computer Argot act, or DMCA.

With the real cause for the problem neatly kept out of sight, spinmeisters were recruited to raise red herrings -- in a fair and balanced way, of course. Thus the argument that the damnable free software project is as vulnerable to viral attack as the monopoly came to the fore. Dozens of sources meekly concurred, because they had to admit, buffer overruns are platform-agnostic -- just as if that were the problem, instead of the platform design.

That being so, the king went back to talking about how good it feels to produce great software, and the monkey boy went back to break-dancing and singing "This is how we do it," while waving both hands back and forth over his head.

Waking up in a cold sweat

I awoke in a cold sweat, terrified at what I saw in front of me. It looked like a gangster Tux. He was wearing a beret and had a cigarette hanging from his lips. "The name's Vinnie," he said, "Tuxedo Vinnie. We want to know what you're going to do about this scam the king is playing in the press about the relative security of his software platform and ours."

"But what can I do? I'm just an old journalist," I whined. "I don't have an army of astroturfers, nor a score of PR firms, not even one single administration I can pick up by the nape of the neck and call my own!"

Vinnie looked down on me with his cold penguin eyes. "Yeah, we don't figure to send you in to take him on in hand-to-hand combat. Might be fun to watch, but we sure would miss you.

"All we want you to do is to remind your readers that one of the platforms being compared has been designed with security in mind from day one, and the other one hasn't -- has, in fact, compromised every serious security design concept known to man at one time or another. In order to 'enhance the user experience,' I suppose. Your readers are smart. Remind them which design invites malware, and which repels it. Leave the rest of it up to them."

Category:

  • Humor
Click Here!