The Internet War

If you are like most users of the Internet, you probably don't really understand why things like worms and viruses have become such a problem. In fact, many people who use the Internet don't really understand what a change it has made to the flow of information, good and bad, over the past 10 years or so.

Putting Bombs in the Hands of Infants

Prior to the Internet, getting your hands on the recipe for such things as gunpowder or touch powder or other truly dangerous chemical technologies was as easy as going to the public library and reading an encyclopedia. That's certainly where I got the information - and I know it worked, as the local pharmacy carried all the raw ingredients, in many cases in fairly large quantities. Try and get raw sulphur from a drugstore today.

But the information rarely came in a form that could be followed by someone unfamiliar with at least a bit of chemistry (what is the household equivalent to the urine of an alcoholic?), so it was typically only the bright kids who could actually make it work - and writing books about how you did it was neither easy nor condoned.

There was even enough information that a bright teenager might come up with a fairly workable design for a nuclear weapon - or at least something that would certainly make a lasting impression on wherever it went off. Of course getting the parts was another matter.

On the other hand, even if you did put a workable bomb of some sort together - chances are that somebody in the neighborhood knew what you were doing and would call your parents - might even have been the druggist that sold you the materials. Not many kids lost fingers or lives, but some did.

The point is that the information was there - but you had to have some level of incentive to go and get it (visit the library) and probably were known well enough by the people around you (librarian, druggist, neighbors) that if you did use the knowledge you were likely to get caught - many times before the final fuse was lit.

Today, the Internet has the same information - but in a form that has been distilled from all of the experiments of bright teenagers and warped adults around the world. It's there because the cost in time and effort of publishing the notes and recipes worked out by individuals is no longer high, and it can be done anonymously, so there are no barriers to publication.

Today you can search for and download step by step instructions on how to make powerful explosives from household items in your kitchen. You don't need to know anything about chemistry - just how to follow directions - and the directions are sometimes detailed enough that anyone who can read can follow them - in fact with the pictures, you might not even need to be able to read.

Putting Bombs in the Hands of Idiots

This has led to the point where we now have bombs in the hands of not just the bright kids but the idiots as well. The good thing is that most idiots don't have the ability to deliver what they make anonymously to any part of the globe. This is likely the only saving grace of the physical explosive type of bomb.

On the other hand, there is now a different type of bomb that doesn't have that delivery problem; the Internet bomb, worm, virus, trojan, etc.

In a similar fashion to the way that the techniques of chemical bomb making have been documented and distilled to the point where any idiot can make one, the Internet bomb has evolved to the point where today's "Script Kiddies" (people who lack the knowledge to create an Internet bomb but who now can use one pre-made) can wreak havoc on chosen or random targets from across the world - mostly anonymously (at least we let them think so anyway) and typically with little or no consequences to themselves (unlike the possibility of a real bomb blowing up in their faces.)

Lowering the Cost of Delivering Bombs

And the real difference between the chemical bombs and the Internet bombs is that the cost of delivering these Internet bombs is not only incredibly low, but in many cases is borne by the owners of the target systems.

These two aspects of the Internet - easy and anonymous dissemination of information with no distance limitations, and "free" and anonymous delivery of the resulting bombs - have combined with some historic design deficiencies in the basic Internet technologies to make the number of worm and virus incidents climb at an alarming rate. As soon as we discover and fix one problem, somebody creates an exploit for some other one, which spreads at the speed of light.

Increasing the Production of Bombs

Instead of having to wait for the publication of a paper work such as a book or magazine (or encyclopedia), the vandals of the Internet read instant publications - mail lists, newsgroups, web pages and chat rooms - and play with the new tools and techniques almost as fast as the one or two smart people who create them can post the how-tos. The synergies of this interaction of otherwise anonymous people at great distances from each other physically, but sitting next to one another electronically, are incredible.

Thus, we have new Internet worms, viruses, trojans, exploits and such at an ever increasing rate. According to one site, the rate has gone from 1 per day in 1999, to 1 per 3 minutes in 2000, to one every 30 seconds currently in 2001 (just less than 10,000 in 1999 and 1.4 million to date in 2001).

Contributing Factors

The speed that information gets from creator to user is just one of the aspects of this new war. As noted above, there are also some contributing factors in the overall technology of the Internet itself and also in some of the systems that have been hooked to it even though not originally designed to do so.

As far as the basic Internet technology is concerned, the biggest contributing factor is that it was not designed to deal with truly anonymous users. In fact, it is hard (and getting harder) to establish truly anonymous access to the 'Net - but the staggering increase in the number of computers and users on it over the past 10 years has meant that most administrators are strained just keeping up with getting new users onto the system, and have no resources left over for ensuring they know who their users are or for tracking what they are doing, so users can be effectively anonymous with little extra skill.

This, coupled with the sheer volume of traffic and the size of log files, makes figuring out who did what, when, a time-intensive and expensive problem even if the logs are kept long enough for the problem to be recognized. In many cases, new ISPs are administered by neophytes who don't keep logs or know how to read them anyway. No wonder only the "easy" or truly massively damaging vandals are being actively sought by authorities. This ignores the question of who is in fact the responsible "authority" when an attack is done by a national of one country using a system in another, against targets in many other countries and jurisdictions.

In 1991, when I first started administering Wimsey, I used to spend upwards of half an hour talking to a prospective customer before I'd even consider taking an order from them. Before that, it was almost impossible to get an Internet account unless you were a government employee, registered at a university or a member of a product development team at a known business; i.e. well known with financial leverage held over you in case you did something bad.

Today, people can get dial-up accounts from AOL or MSN or other big providers for free for initial periods of time - and the volume of signups is such that there is almost no way that users can be vetted in any way except by their credit worthiness - and with stolen credit card information rampant, this too is lost. The people who staff the call centers are not interested in what the new user is going to do with their access, and in many cases nefarious (and bogus) customers will only use the account for the free period before disappearing into the void again. At best, they use it for sending the seemingly unending variety of spam. At worst they launch a new worm or virus attack.

The other major contributing factor has been the adaptation of MS Windows systems to use the Internet. Leaving aside the problems with actual bugs in various system programs and utilities, the fact is that when initially offered, Microsoft's operating systems were not designed to be on any network, let alone one with unknown and hostile users on it.

Each of the iterations from DOS to Windows 98 and WinME was built upon this original base of technology, to which networking in general and Internet (TCP/IP) networking in particular have been added as an afterthought. The initial major networking protocol (IPX/SPX) was added by Novell and later adopted by Microsoft as a standard. It was originally oriented towards small Local Area Networks (LANs) where sharing resources was the prime idea - due to the expense of disk drives and printers if nothing else.

Even programs running in this initial LAN environment were not suitable to it - requiring people to tell others to "stay out of the General Ledger, I'm using it" by putting up flags or speaking out loud. File and record locking simply didn't exist for PCs.

But more than this, the operating system could not stop any single program from taking over the whole system and doing whatever it wanted to do. This is where the original computer viruses began their rise to fame. Putting an infected diskette into a computer could cause the system to load a virus which could then take over the whole machine - wipe out data, print nasty messages on the screen, send itself to servers and other PCs on the LAN, and in general wreak havoc.

With the advent of Windows NT and now 2000 and XP, the underlying operating system of Microsoft's products has not only become much more reliable, but it has put in place some facilities that, when properly used, can limit or eliminate the scope of damage that these older viruses can do. They do this by limiting the types of things that a "user" program can do compared to a "supervisor" program. If the real user runs their work as a "user" without supervisor (administrator) privileges, many nasty programs can either be caught before doing damage, or will have their damage limited to only local files.

The problem is that although the facility is there to restrict actions, most systems are either not set up to take advantage of this fact, or have had software added which invalidates the designed separation of capabilities either by its mere existence on the system, or through some setup option. The personal nature of the PC means that most have software added by the user at some time or other, and most users simply either don't understand the implications or don't care. I'll note here that this can apply equally to systems running Unix or Linux when used as a personal computer workstation, although for historic reasons it is not (yet) as bad as with Windows.

The historic problem with Windows is that software backwards compatibility has been a design goal. Software which couldn't deal with record and file locking would successfully run in a networked environment, up until it screwed up the data when two people tried to update the same record. Similarly, software designed to run on Windows 95 might be coerced to run on Windows NT, but in doing so might need to be run by the user logged in with administrator privileges - thereby invalidating the design goal of limiting virus damage. Many NT and 2000 users run as "administrator" because they don't understand that this is not a good idea.

The large number of Microsoft-based systems has meant that introducing "fork-lift" updates has been met by the market with derision. The fact that years after the introduction of Windows NT there were still releases of 98 and ME systems based on the old operating system shows the inertia of the market.

NT and XP both have TCP/IP built in from scratch. The fact is that IPX/SPX seems to be disappearing from the field despite what some say are technical advantages in its Wide Area Networking (WAN) abilities over TCP/IP. The Internet protocol has sheer mass behind its continued existence.

So... take systems designed either not to network, or not to network with unknown and hostile systems; put them into the situation where they must interact with hostile networked systems. Make the network protocol one that also was not really intended to deal with anonymous and hostile users and what do you have? The answer is exactly what we have now - a large number of systems with design inadequacies being exploited by all manner of bad-guys for fun, money, or terror.

It's Not All Bad News

The good thing is that the Internet also allows the "good guys" to interact and react with every bit as much speed as the bad guys. It has taken a while for some agents of change (read Microsoft) to start to react in Internet time, but it is happening. The response has grown from the early days of CERT (Computer Emergency Response Team) to today's plethora of anti-virus companies and security organizations monitoring and responding to what is going on on the Internet in almost real time.

There are sites which show what is going on in real time - which viruses are rampant, and how many sites are compromised. Some people are talking about releasing "benevolent" viruses to counteract the bad ones. Others are talking about "nuking" compromised systems to get them off the net until their (ignorant or incompetent) owners fix them. I'm not personally in favor of this kind of vigilante action, but it demonstrates that there are potential solutions to some of the problems.

There are also advances in inexpensive firewall technologies, intrusion detection systems, and general program design and creation technologies. All of these make it harder and harder for the "bad uglies" to ply their trade. As the connected world matures and ages, the problems will change, but so will the solutions. The fact that many of the changes are taking place in the open source community means that the overall speed of change will increase and the cost of change will decrease. Why should the bad guys (who share their code) get all the advantages of synergy?

There is no doubt that the Internet has changed forever the way that information is disseminated in the world. It has sped up our publication process to the point where an application of a new technique, be it medical, technical or human, can be tried by someone on the other side of the world a few seconds after its inventor presses the "send" key. The time it takes to search for information in a virtual library orders of magnitude larger than the Library of Congress is measured in seconds, not days or years. The ability of anyone, anywhere to assemble and collate information on any set of diverse subjects as fast as they can ask the questions makes the possibilities almost endless. This can be used for good or bad, just as traditional paper publications could in the past.

As with the change from walking to the jet airplane, getting there is the same, it just goes faster. What also changes is the pace of the changes possible and probable.

I'm hanging on for dear life, but I wouldn't miss this ride for anything.

richard 

Copyright © 1993-2007 Richard C. Pitt - all rights reserved
Updated June 17, 2005