Subject: IP: Another take on Microsoft-specific worms
>From: "Kevin G. Barkes" <kgb@kgb.com>
>To: <farber@cis.upenn.edu>
>
>Hi Dave,
>
>With the release of yet another Microsoft worm, I thought you might find the
>following from my May 22 newsletter of interest:
>.
>.
>.
>Ok, say we get lucky. No hurricanes, tsunamis or heat waves, and the power
>grid holds together. The world's economy can still be brought to its knees
>in a few hours by disturbingly simple code delivered via email to computers
>running Microsoft applications and operating systems.
>
>The prospect is especially frightening because last year's Melissa virus and
>the recent "Love Bug" worm and its variants were, frankly, badly-written
>programs created by rank amateurs.
>
>Imagine the chaos that would result if a truly skilled programmer with
>particularly malicious intent actually crafted a well-written,
>self-propagating email worm targeted at Microsoft Outlook and Outlook
>Express users.
>
>What would happen to the international business community if some dot snot
>wunderkind gets peeved because he misses out on an IPO and unleashes a bug
>that wipes out hard drives and bios settings on PCs around the world? The
>wonder is not that such an event is possible, but rather that it hasn't
>happened already.
>
>Another wonder is why the world allows itself to be victimized by
>Microsoft's cavalier attitude about the gaping security holes in its systems
>and applications.
>
>Technically speaking, the recent "Love Bug" wasn't a software bug at all. It
>was a feature. Boot up a new, out-of-the-box Windows98 machine and the odds
>are pretty good there's a chunk of code called Windows Scripting Host that
>activates automatically and eagerly awaits the chance to transparently
>execute surreptitiously invoked virus code.
>
>Anti-virus software? Fahgeddaboutit. Consider a real-world implementation of
>the virus checking concept. There's a knock at the door. The virus checker
>looks through the peephole and sees someone standing there. He scans a book
>that contains the pictures and descriptions of a couple thousand known
>miscreants. If none match, the unknown person is allowed in.
>
>Try implementing that security model in a Manhattan office building and see
>how far you get.
>
>Or consider Microsoft's typical defensive argument, that the problem is
>actually stupid users and system administrators.
>
>Another real-world analogy: you're tooling down the Interstate in your Chevy
>and hit a bump in the road. The doors fall off and the engine explodes. You
>have the ambulance driver stop at the dealership on the way to the trauma
>center so you can chew out the service manager. He sneers at you
>condescendingly and points to a paragraph of six-point type buried in a
>totally unrelated portion of the owners' manual:
>
>"The doors of your car will fall off and the engine will explode when you
>hit a bump while traveling on an Interstate highway. One of our engineers
>thought this feature would be neat and we have added it at no extra charge
>to you. If you disagree (you weenie), you can disable this feature by
>performing the following procedure. First, obtain three chickens, two brown
>recluse spiders, a length of nylon rope and a virgin..."
>.
>.
>.
>
>Regards,
>
>KGB
>
>-----
>Kevin G. Barkes
>Email: kgb@kgb.com | Web: www.kgb.com
>1512 Annette Avenue | Library, Pennsylvania | 15129-9735
>Voice: 412-854-2550 | Fax: 412-854-4707
>DCL Dialogue on line: http://www.kgb.com/dcl.html
>KGB Report http://www.kgb.com/kgbrep.shtml
>Random Quotations Generator: http://www.kgb.com/cgi/kgbquote.cgi