TBTF Topics
Topic: What if smart people wrote computer viruses?
Chris Adams  4
07-21-2000 03:18 AM ET (US)
Edited by author 07-21-2000 03:19 AM
If something like this ever becomes real, I predict a large boost in the OpenBSD userbase. Pro-active security and defense-in-depth are fast becoming requirements for anyone doing serious work on the Internet.

The problem is that most people on the Internet act as if they are in a quiet Midwestern town; in reality, it's more like living in Harlem. Attacks are a question of when, not if.

Why do so many people act as if it's sufficient to secure a system against casual threats? In many cases, it's simply because securing most systems is a huge amount of work. A single Windows NT box will take at least a solid day to set up in a secure fashion (and that's just shutting down known risks; all bets are off if another security bug is found), more if you're using it for more than just a basic webserver. That's because the basic approach of vendors like Microsoft (and before the Linux kiddies get uppity, Red Hat) is to default to an open system and require work to secure it. Ever see how many ways you could break into the typical developer box? Yes, it's easier to get stuff working when you disable all of the security. Connecting that box to the Internet, however, is equivalent to strapping someone into bondage gear, leaving them in the shower in a maximum security prison and hoping nothing happens after the guards leave.

A much safer, easier and more effective approach with Internet connected boxes (kinda common these days) is to default to a secure state which requires you to explicitly create a security risk. Besides confirming that Microsoft still doesn't even understand basic computer security, the recent email viruses also demonstrate why the old "tons of vulnerable systems behind a [hopefully] secure firewall" approach is, shall we say, somewhat suboptimal.


Preventing uberviruses like the one described is straightforward if you treat security as a mandatory requirement from day one:

If there's no way for the virus to get in the box remotely, it has to be run by a local user, which significantly reduces both the rate of infection and the number of infected systems.

If the box is properly configured, a normal user can't infect the system, which significantly reduces both the rate of infection and the number of infected systems.

If virus-like activities are prevented (e.g. using various programs and system tweaks to defang many buffer overflows), it's harder for a local user to infect even their own account. Even something as simple as disabling the Windows Scripting Host's associations (WSH is very rarely, if ever, used by anything other than a virus) cuts down on the risk by an absurd factor.

If security isn't treated like an afterthought and is instead treated as a fact of life, users are going to avoid at least the riskiest behaviour. It's amazing how many of mine suddenly decided they could stop running attached programs when company policy was changed to bill the user for the cost of cleaning up an infection. Unreasonable? I've yet to see a company that would turn off the burglar alarm when a new employee finds it difficult to remember a password but that's almost exactly how many of them treat computer security.



(The reason I mention OpenBSD is just that it has such a good reputation in this regard. You could probably safely provide a public shell server using a default OpenBSD install. That's because the OpenBSD team members perform security work publicly for peer review, do things like code audits before bugs are found and take security seriously. It's been 3 years since the last remote exploit...)
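
Editor's added example, not part of the thread or of any poster's message: a PowerShell audit for the hardening step mentioned in message 4, reporting which script file types are still associated with Windows Script Host. The extension list, the function names and the choice to inspect only the `Open` verb of each class registration are assumptions made for this example.

```powershell
# Added example: report which script extensions are still opened by
# Windows Script Host (wscript.exe / cscript.exe).
# Assumption: this extension list covers the usual WSH-registered types.
$wshExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

function Get-DefaultValue {
    param([string]$KeyPath)
    # Return the unnamed (default) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Get-WshAssociation {
    param([string[]]$Extension = $wshExtensions)
    foreach ($ext in $Extension) {
        # Step 1: extension -> ProgID (for example .vbs -> VBSFile).
        $progId  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
        $command = $null
        if ($progId) {
            # Step 2: ProgID -> command line run when the file is opened.
            $command = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        }
        [pscustomobject]@{
            Extension   = $ext
            ProgId      = $progId
            OpenCommand = $command
            # True when the handler launches the graphical or console script host.
            RunsInWsh   = [bool]($command -match '(?i)\b[wc]script(\.exe)?\b')
        }
    }
}

# Any row with RunsInWsh = True is a file type that still executes on double-click.
Get-WshAssociation | Format-Table -AutoSize
```

The script only reads the registry. On current Windows versions a per-user default-app choice can override these class registrations, so a clean result here should be confirmed against the logged-in user's settings as well.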
Darby M. Dixon III  3
07-21-2000 03:00 AM ET (US)
I'm sure there could be an equal-and-opposite force out there. But the problem is, once the virus is unloaded, how much can they do then except clean up the mess afterwards? It's like dropping a bomb: sure, you might have your Acme Bomb-Repellant Net, which can catch it and fling it back into space (your equal-and-opposite force if you will), but how likely is it that you'll be able to set it up in time, at the right place, just in time to catch the bomb before it hits land?

If I understand virii correctly, the virus actually has a better chance of hitting ground before the net can be set up. No time between unloading and boom-boom. (Generally speaking.) At least with a bomb, you get to race against the force of gravity as it falls out of the plane.

Fact is, if the Uber Virus becomes real, then, my money's on the Virus. (I really need to get a cd burner, I've been running for four years without backing up anything. Zeus help me.)
dlwho  2
07-21-2000 12:09 AM ET (US)
two thoughts:
is it not likely that there is an equal and opposite counter force out there somewhere? this hypothesis could be tested by, say, carrying on an imaginary email conversation of a group actually starting development of such a virus and then waiting to see how long it took for the guys in rayban sunglasses to show up at the door,

if it can be done it will be done, but by whom? what about the ministry of truth? it is one thing for a group of bored and disaffected hackers to carry out such a project, but it is considerably more feasible for a group hired and modestly funded by say the fbi or csis
Keith Dawson  1
07-20-2000 01:46 PM ET (US)
Use this forum to comment on the article "What if smart people wrote computer viruses?" in TBTF for 2000-07-20: Many fathers (http://tbtf.com/archive/2000-07-20.html#s07).
Individual articles are Copyright © by their authors.
The rest is Copyright © 1995-2000 by Keith Dawson.