[Am-info] ATTN: Cyber terrorism/Security Experts

Eric M. Hopper hopper@omnifarious.org
Fri, 9 Nov 2001 13:29:40 -0600


On Fri, Nov 09, 2001 at 12:22:59PM -0600, Fahey, Katie wrote:
> Hello,
> 
> My name is Katie Fahey and I work at KSTP-TV, Channel 5 news. I am
> looking for an expert in the area of CyberTerrorism or computer
> security who could talk about the possibility of an attack and how
> companies/individuals can avoid these attacks on their computers.
> 
> I am looking to do the story over the weekend.  Any help or references
> would be greatly appreciated.

	Also, I'll add my own few cents here.  I suspect Mr. Schneier
will largely concur with me.

	If you want good computer security, running Microsoft software
is very risky.  There are two reasons for this, one of which Microsoft
admits.

	The first reason is Microsoft software's ubiquity.  It's
everywhere.  It makes a very tempting target for virus and worm writers
for this reason.  Your virus or worm will spread far and wide.  If your
goal is media attention, you'll get it.  If your goal is a lot of
systems that have back doors in them (installed by the virus or worm) so
you can get access later, you'll get that too.

	Also, because of the 'product' nature of Microsoft software, you
can be pretty sure that almost all the people you target will be running
a small subset of different versions of that software.  This makes it
even easier to exploit.  It's like releasing a disease into a field of
clones.  If the disease will affect one clone, it will affect them all.

	The second reason is that Microsoft values things that can be
sold to consumers over things that actually help them.  Security is a
hard sell.  It's expensive and hard to get right, and it's not a feature
people tend to look for.  They want software that does new things they
couldn't before, not software that does the things it's supposed to do
securely and well.  Microsoft is highly optimized to selective pressure.

	The end result is that Microsoft software is very insecure.
IMHO, this is partly the media's fault for not making it clear that
various worms and viruses affect only people who run Microsoft software.
They don't do enough to damage Microsoft's image when something bad
happens that's Microsoft's fault.  Since Microsoft is such an incredibly
image driven company, the end result is that Microsoft cares much less
about security than it should.

Here is some hard evidence to support my assertions:

	When the Code Red worm, and the NIMDA worm attacked, the only
web servers affected were Microsoft IIS (Internet Information Server)
servers.  IIS only makes up about 35% of the web servers on the
Internet.  The remaining 65% is about 58% Apache, and 7% other stuff.

	If (as Microsoft claims) market share were the only determining
factor in virus and worm writers targeting a particular platform, we
would actually expect to see more widespread worm infestations for Apache
than IIS.  The reverse is actually true.

	There have been worms that attacked computers running Apache.
Most of these worms have actually gotten into the computer through some
other mechanism than Apache itself.  None of these worms has achieved
anywhere near the widespread infestation of NIMDA and Code Red.

	The conclusion that one must draw is that something besides
ubiquity must be driving worm infestation.  The actual security of the
system must play a major role.  IIS must be a very insecure server, and
Apache must be a very secure server.

	Also, Apache is not sold as a product.  It is a piece of Open
Source software.  This means that (since the source is available, and
Apache is often tweaked and/or recompiled by people using it) there are
actually many slight variants of Apache running in different places.
This makes Apache that much harder to effectively target.

	I hope that was instructive.

Have fun (if at all possible),
-- 
"It does me no injury for my neighbor to say there are twenty gods or no God.
It neither picks my pocket nor breaks my leg."  --- Thomas Jefferson
"Go to Heaven for the climate, Hell for the company."  -- Mark Twain
-- Eric Hopper (hopper@omnifarious.org  http://www.omnifarious.org/~hopper) --