FOREWORD:  Computer viruses and their silly emails were amusing, but the SLAMMER worm worried me because it gained such easy access to databases.  I wrote this warning editorial, but could not get it published.  


COMPLACENCY GUARDS THE INTERNET
J. I. Nelson, Ph.D.  
10 February 2003
SUMMARY:  The biggest cost of an unbroken Microsoft monopoly is national security.  The stakes are about to rise, but as long as costs are off the books, nothing will change.

Continuing attacks on domestic Internet services show the U.S. has neither the technology nor the will to run a secure computer infrastructure.

"Slammer" stopped certain ATM machines, airline reservations, cell phones, and a newspaper trying to get out the Sunday edition.  And yet it did nothing but propagate itself to database "servers".  Slammer's scanning for new victims clogged the networks those databases sit on, cutting off customers trying to get cash or place reservations.  And behold!  Cash was not stolen, airline flights did not change cities, and no one in Korea got free minutes or a permanently dead phone.  Slammer penetrated perhaps 250,000 databases, but neither erased them in a flash of destructive glory nor quietly shipped a copy off to foreign shores.  In security parlance, Slammer was a 376-byte worm with no payload; a test, some say.

My concern is that attacks are about to change, and we aren't.

The Love Bug virus that told everyone in your Outlook address book how much you loved them was written by a Filipino student.  Although some users lost irreplaceable graphics files, most of the estimated $7B in damage was lost productivity from shutting systems down to clean them out. Cyberattacks run by kids for glory have not moved us to change how information technology is developed and deployed in this country.

Changes are coming, but not the ones we want.  The National Security Agency has warned that foreign governments have already developed ways to attack U.S. computer systems.  Our counterattack is Cyber-Warfare National Security Presidential Directive 16, signed secretly by President Bush last July, to make cyberattacks a normalized part of the U.S. arsenal and to build a cadre of cyber-warriors to carry them out.  The home front is not ready for the backlash.   Jim Allchin has said that the Message Queuing technology used in all Win32 systems contains a coding mistake that would threaten the security of corporate systems if disclosed.  He should know.  Allchin is Group Vice President for Platforms (operating systems) at Microsoft.  He was testifying under oath.  Instead of forcing Microsoft to fix the security threat, the government granted Allchin permission to hide the error.

Forget the kids.  An attack run by foreign national assets will recruit machines at traffic levels below the 3 to 5% anomaly rate detectable in laboratory systems not yet deployed.  As each recruited machine acquires fresh subordinates, a hierarchy is built that can be launched to coincide with an event not of our choosing.  Slammer reached 100,000 machines in 4 hours groping blindly; a clandestine hierarchy would activate almost instantly.  While the machines wait, access codes can be sniffed and harvested, data can be quietly corrupted, and instructions can be received for disabling security, escalating access privileges, wiping out activity logs, and opening all drives to sharing.  It's not your car if someone else is driving.  The list of recruited subordinates each machine harbors is encrypted.  It is hard to know anything is happening, and, if you stumble over it in the dark, you can't find, notify or count the affected installations beyond your own.  I do not know the state of any clandestine art.   These are only exploits already done and run, one by one, just for fun.
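To put numbers on the two recruitment styles contrasted above (a worm groping blindly versus a pre-built hierarchy that activates on command), here is a small model.  It is an example added to this page, not code from the editorial or from any real worm.  It assumes the textbook random-scanning worm model (each infected host fires probes at uniformly random IPv4 addresses, so the infected population grows logistically) and a pre-staged k-ary command tree; the vulnerable-population size, scan rate and per-hop latency are assumed illustration parameters, not figures from the page.

```c
/* Added example: blind random-scanning worm growth versus activation of a
 * pre-staged command hierarchy.  All parameters are illustration values. */
#include <stdio.h>

#define IPV4_SPACE 4294967296.0   /* 2^32 addresses a random probe can land on */

/* Euler-stepped logistic model of a random-scanning worm.
 *   vulnerable : reachable hosts running the vulnerable service
 *   scan_rate  : probes per second emitted by each infected host
 *   target     : infected count at which to stop (capped just below vulnerable)
 *   dt         : step size in seconds
 * Returns seconds until `target` hosts are infected, starting from one host. */
double scan_worm_seconds(double vulnerable, double scan_rate, double target, double dt)
{
    double hit = vulnerable / IPV4_SPACE;   /* P(one random probe finds a vulnerable host) */
    double infected = 1.0, t = 0.0;
    if (target >= vulnerable) target = 0.999 * vulnerable;
    while (infected < target && t < 1.0e9) {
        /* probes from every infected host that land on a still-clean vulnerable host */
        infected += infected * scan_rate * hit * (1.0 - infected / vulnerable) * dt;
        t += dt;
    }
    return t;
}

/* Minimal number of forwarding hops for a root to reach `hosts` recruits
 * through a tree in which every node knows `fanout` subordinates.
 * Returns -1 for a fan-out below 2 (no tree can be built). */
int hierarchy_hops(unsigned long hosts, unsigned long fanout)
{
    int hops = 0;
    unsigned long reach = 1;            /* the root alone */
    if (fanout < 2) return -1;
    while (reach < hosts) {
        reach *= fanout;
        hops++;
    }
    return hops;
}

/* Activation delay of the staged hierarchy: hops times per-hop latency. */
double hierarchy_seconds(unsigned long hosts, unsigned long fanout, double hop_latency)
{
    return hierarchy_hops(hosts, fanout) * hop_latency;
}

int main(void)
{
    double n = 75000.0;   /* assumed vulnerable population */
    printf("blind scanning, 4000 probes/s per host: 90%% infected after %.0f s\n",
           scan_worm_seconds(n, 4000.0, 0.9 * n, 1.0));
    printf("staged tree, fan-out 10, 200 ms per hop: 100000 hosts live after %.1f s\n",
           hierarchy_seconds(100000, 10, 0.2));
    return 0;
}
```

The scanning worm spends most of its clock in the early phase, when a handful of hosts are throwing probes at four billion addresses; that is also when its traffic is most visible.  The tree pays that cost up front, quietly, and then needs only a few hops to go live.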

The software industry has become a threat to national security.  It is a hole we seem determined to dig deeper.

The White House response to Slammer was typical: software vendors issue plenty of patches for program defects, and we need to apply them.  But the current "patching regime" is bankrupt.  The question is whether society will orchestrate the upheaval required to achieve acceptable security, or whether we must wait for the upheaval to be thrust upon us.  A look into the trenches of patch warfare is sobering:

The first patch to fix the Slammer vulnerability was issued on 24 July 2002.  Additional Security Bulletins came in August and October, when it was discovered that another package of patches to the same database programs made them worse.  A patch to fix the new problem came on 9 October, but fully installing it would reopen the vulnerability to Slammer: an old, vulnerable module had been included in the fix.  16 October brought a patch that actually patched Slammer, but now the other problem was forgotten.  The sixth shot was the charm: a preliminary pack of patches issued in December 2002 got both problems right, along with 188 other bugs in the 7th version of SQL Server.  System administrators were told, "Microsoft DOES NOT support the use of this build in your production environments. It is being provided for testing purposes, such that you have the opportunity to uncover issues/concerns . . ."  Doubtless some waited until that pack stabilized on 4 January 2003, or until the first easy-to-install patch addressing just these two vulnerabilities was issued.  That was 26 January, just after Slammer struck.

Decide for yourself whether the patch was released 6 months before the attack or the day after.  An independent researcher discovered Microsoft's Slammer vulnerability and contacted the company on 16 May 2002, so throw in the 2+ months it took Microsoft to make any public move when you add up the nation's total response delay.

Attacks exploit vulnerabilities that have already been patched.  If we have always had patches and we keep getting attacked, the current patch regime is not protecting us.

The reason patches don't work is obvious to anyone who has installed one. For the privilege of fixing someone else's mistakes, the user must agree to these terms:

"To the maximum extent permitted by ... law, [we] provide to you the operating system components ... as is and with all faults. [We] ... disclaim ... all warranties ... including lack of viruses, ..., workmanlike effort and lack of negligence.... The entire risk arising out of use or performance of the operating system components and any support services remains with you."  And, "... in no event shall [the supplier] be liable for ... loss of profits, loss of confidential ... information, loss of privacy, negligence, and any other pecuniary ... loss whatsoever ....'' "The entire liability [of the supplier] ... shall be limited to ... the amount actually paid by you for the operating system components or u.s.$5.00."

It doesn't pay to develop better security because the victim bears the cost.

The automotive industry is mature.  We have a National Transportation Safety Board and a recall mechanism.  The supplier does the patch himself, in a place called "dealership" or "garage".  Eventually the software industry will mature, but the country will be humiliated or worse while we wait.  Congress must declare software vendors liable for damages caused by defects they do not repair themselves.

Famous attacks cost over $5B each, so limits on damage awards are needed. A $1 million limit would give Microsoft a competitive advantage against smaller players unable to pay.  Microsoft has cash equivalents on hand able to pay the loss of a million-dollar case every day for the next 145 years. Any symbolic cost will do.  With no cost and no liability, software is shoddy and the country keeps crashing.

The biggest question cuts deepest: products will always be rushed to market and fixed later, but does it have to be this bad?  Not at all.  Many attacks use buffer overflows to seize control, and technology like Sun's Java, which checks the bounds of every array access, takes the classic buffer overflow away from application code (the virtual machine underneath is still native code and must be patched like anything else).  Visitors play in a "sandbox", far from the soul of the machine.  Microsoft was born on the desktop, and made design philosophy choices that rendered the entire product line vulnerable, particularly as desktops are networked.  Sun Microsystems cannot make money on a superior solution as long as the true costs of cyberattacks are off the books.  Microsoft is an able competitor.  It will block Java, start over on its own .NET initiative, and hold the country to ransom until it is finished.
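The kind of mistake the paragraph above refers to is shown below in its smallest form, beside the bounded version.  This is an example added to this page; it is a generic illustration of the class of defect, not the code of SQL Server or any other product, and the handler name, buffer size and sample inputs are assumed for the illustration.

```c
/* Added example: the unchecked copy that lets a datagram overwrite the stack,
 * beside the bounded version.  Generic illustration, not any product's code. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the fixed stack buffer */

/* VULNERABLE: trusts the datagram's own length and copies it into a fixed
 * stack buffer.  Anything longer than NAME_MAX overwrites whatever sits above
 * `name` on the stack, including the saved return address; a few hundred bytes
 * of attacker-chosen data can therefore carry both code and the address to
 * jump to.  Returns the length of the copied name. */
int handle_request_unsafe(const unsigned char *dgram, size_t len)
{
    char name[NAME_MAX];
    memcpy(name, dgram, len);          /* no check that len fits in name[] */
    name[NAME_MAX - 1] = '\0';
    return (int)strlen(name);
}

/* HARDENED: the buffer size, not the sender's length field, bounds the copy.
 * Over-long input is rejected (-1) rather than silently truncated, so the
 * caller can log the probe instead of executing it. */
int handle_request_safe(const unsigned char *dgram, size_t len)
{
    char name[NAME_MAX];
    if (len >= NAME_MAX)               /* leave room for the terminator */
        return -1;
    memcpy(name, dgram, len);
    name[len] = '\0';
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed inputs: a legitimate short name and an over-long "packet". */
    const unsigned char ok[] = "SQLSRV";
    unsigned char big[376];
    memset(big, 'A', sizeof big);
    printf("safe handler, 6-byte name : %d\n", handle_request_safe(ok, 6));
    printf("safe handler, 376-byte blob: %d\n", handle_request_safe(big, sizeof big));
    /* handle_request_unsafe(big, sizeof big) would smash this stack frame;
     * it is deliberately not called. */
    return 0;
}
```

Note that the fix is a single comparison; what makes the class persistent is that nothing forces the comparison to be there, whereas a bounds-checked runtime inserts it for every copy.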

How did we get here?

The United States government has publicly failed to move effectively against a monopoly power in software that it identified.  It is clear to anyone studying us where our systems are weak and the courage to change them is lacking.

Who is in flight school today?  Do you know the current list of vulnerabilities for your systems?  The enduring shock of September 11th is that we did not understand the world we live in.  Airlines had security systems then too, just as computers have security systems now.  But our dedicated attackers succeeded with knowledge of how corporations and government behave, and how our own complex technology works. We failed from complacency and poor imagination.  Next?

--jerry

Jerry Nelson is an equity analyst for high tech in Washington DC.

WORD LIMITS:  752 ideal; 1272 possible;  now 1428
------------------------------ end article -------------------------

From: "Features, Edit" <edit.features@wsj.com>
Sender: "Coyle, Marie" <Marie.Coyle@wsj.com>
To: "'J.I.Nelson, Ph.D.'" <jerry-VA@prodigy.net>
Subject: RE: op ed submission "Complacency Guards the Internet" 2nd try
Date: Thu, 13 Feb 2003 15:59:10 -0500
X-Mailer: Internet Mail Service (5.5.2654.89)

Thank you for your submission to the editorial page.

We will not be able to use it, but we appreciate your interest in The
Journal.

                                Sincerely,
                                Tunku Varadarajan
                                Editorial Features Editor
                                The Wall Street Journal
----------------------------------------------------------------------------

WORSE THAN WE THOUGHT

The impact of the SLAMMER worm was greater than we realized at the time.  
On 20 September 2004, Forbes magazine reported additional disruptions to corporations.

POWER UTILITIES
"A total 270 utilities that generate 80% of the nation's electricity use control systems that are ripe for hacking, according to research by Ted G. Lewis for the Naval Postgraduate School."  [Presumably they used unhardened SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control System) technology.]

"... Slammer infected a private computer network at [the dormant] Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours, says the Nuclear Regulatory Commission.  The dormant plant's process computer failed, and it took six hours to get it up and running again.  At another utility, in an undisclosed city, Slammer downed the computer network controlling vital equipment."

-------------------------------------------------------------------------------

UNTIL WE MEET AGAIN

I'm sure I have failed to make a very complex topic transparent to readers with little background in the area.  If you can "tell me where it hurts" then I can add supporting links and material to tell anyone what they need to know.  Write about "slammer" to  jerry-va at speakeasy dot net.

The gist of my technical  message is that it is easy to set up a covert network of compromised computers and then activate them later. The machines could be activated to clog and perhaps bring down the nation's ability to communicate -- a very effective way to amplify panic following the next terrorist strike on domestic soil.  

The gist of my political message is that computer security may improve, but security problems will not be successfully tackled until the corporations responsible for them become financially responsible for the financial losses they cause others.  Our lack of national courage and political will to take this step is an advertisement of weakness and therefore an invitation to others to attack us.  Perhaps they already have.

--end


Rev 12/06