There’s a new worm in town called “Welchia” or “Nachi,” but unlike Blaster, “it purports to patch the hole Blaster exploited to enter into computers in the first place and tries to clean up after Blaster if the computer is infected with it.”
A good worm. A good virus. A vaccine. Interesting. Are there any good applications for such a thing? Is the “good virus” model worth considering for software patch distribution or transparent bug fixes?
A virus, or a person, doing something to your computer without permission is never a good thing. Anyway, it may patch one hole and give you a false sense of security as it plants another backdoor to be used later. (I don't know if it does that - pure conjecture on my part.)
I think a good model would be to insist that MS some day produce a secure OS that doesn't require weekly patches.
This is the Curious Blue part of the Curious Yellow story. (If you haven't read about Curious Yellow, you should.)
Automatic updates that you request are fine, but going out and looking for machines to update will cause a LOT of unneeded traffic and bog down networks.
The Nachi worm took out our hospital network today, at a cost of who knows what in lost care and tens of thousands of lost hours - not to mention the fact that several thousand PCs and servers will now have to be disinfected. So a nice worm it is not.
The idea of a 'vaccinating virus' sounds cool, but as someone with sysadmin responsibilities I pray to God it doesn't happen. As in nature, mutation will inevitably occur. The idea of setting vaccine worms loose should be treated with as much caution (in computer terms) as setting an AIDS vaccine loose.
I'm with Darrel - a mainstream OS that doesn't require constant patching would be a more profitable area to concentrate on.
My 15 minutes of fame...
Although I go by my nickname 'Sunny', my real name is Nachiketa. And now there is a virus that uses part of my name.
Not exactly 'Kournikova' but it will suffice...
I believe Microsoft looked into something like this a while ago and all the sys admins who use their products (the poor, lost souls) about killed them for considering it. Intensive testing goes on prior to deploying software on a network to ensure compatibility, reliability, and stability. This would be like throwing a monkey wrench into a high-precision, well-oiled machine.
To put it simply: bad idea.
As in nature, mutation will inevitably occur.
Hahah.. I hope you aren't serious.
I got lots of virus-infested emails today. Others in Boston did too. I, unsurprisingly, went unaffected, other than deleting 30-some virus-laden emails. Normally, I enjoy being in the minority, but days like these make me wish the other 95% would hop on the cluetrain.
"Hahah.. I hope you aren't serious."
Well it's not a strict parallel of course. :) But Nachi is basically a 'mutation' of Blaster...
I would agree with the general sentiments above--a helpful virus is a fascinating idea (and a great principle--find a good use for a technology that mostly wreaks havoc), but the implications are no good. If I understand correctly, security programs would need to be able not only to identify self-spreading/replicating software that altered programs and data, but ALSO to determine the specific effects or authenticity of source of each one and determine if it is good or bad. It would no longer be a matter of quarantining every worm or virus--every one would also have to be evaluated against a (probably very unreliable) helpful/harmful protocol. Either no value would be had from the "good worms," or security measures would become much more expensive or difficult to maintain (which, yes, happens anyhow, but do we want to speed it up to introduce what may be a dodgy new way to patch bugs?).
It's still an interesting idea, though, and I think despite the obvious drawbacks there may be some value in theoretical exploration of the concept.
[I should note I'm not a techie, so if I've missed--or said--something really obvious here, please forgive me.]
Just to keep you updated on the effects of this 'good' worm...
The hospital is now ending its second day without network access; clinical staff will force the closure of services if things aren't better by tomorrow AM; and the highest available IT official has spoken openly about the possibility that Windows will be ditched in favour of UNIX based or thin-client solutions. Notwithstanding, of course, that NHS management - in its endless quest to transfer tax revenues to private companies - signed a reported 50m deal last year with Microshaft to supply its desktop for the next five years...
I can honestly say that the only IT problem that has exceeded this in terms of magnitude in my experience was the Year 2000 'bug'. And even that didn't actually bring down any services!
I guess I don't understand: Couldn't the hospital have avoided this disaster by simply installing anti-virus software and using Windows Update on its computers in the first place? To me, it just goes without saying that if you use Windows you need anti-virus software on every machine and you need to install Windows updates as soon as they're released. In a better world with better software, you wouldn't need to take those precautions, but the reality of Windows today is that it's vulnerable.
Antivirus software and Windows updates work: my Windows computer has never been infected by a virus or worm, despite the hundreds of them I receive each year. On the other hand, I don't even bother with anti-virus software on my Mac, although I probably should just in case.
You're right Hurley - but only up to a point.
It seems that several key security holes remained open well after the initial warnings about MSBlast were heard. The anti-virus software checking incoming traffic was *not* updated in time. At least two IIS servers were not patched. No-one seems to know if port 135 on our firewall has always been closed or not. Most importantly, 99% of networked client PCs had not been patched.
From a security perspective, this is a bit like a security guard leaving the keys to his car in the ignition in a bad neighbourhood and then dozing off in front of the CCTV. And heads will roll because of it.
However, was this completely avoidable? You've got to bear in mind that using Windows Update on a home PC running XP is an entirely different proposition from ensuring that 6000 PCs running everything from DOS to Windows 2003 Server are up-to-date.
Microsoft released the patch for this particular vulnerability about a month ago. Patch testing for implementation on that many computers can (and probably should) take several weeks itself.
Remember, that's before you even begin to install the patch - which is quite simply not always as easy as letting Windows Update do its stuff.
Today, for example, we first had to identify which parts of the network had most likely been infected. We then had to pinpoint the most 'virulent' machines so that we were patching where it was most effective. Not easy when your network is up to its neck in an IP flood.
Even if that had not been necessary, the second biggest obstacle was user fear. Have you ever tried explaining to a consultant cardiac surgeon that what you're about to do is not necessarily guaranteed not to completely fuck up their PC? Especially when they've not backed up their research files for two weeks? Especially when they've just seen you disable System Restore, as you should always do when removing a virus?
Have you ever then had to explain to said consultant that what they've just done while your back was turned (plug in their home laptop into an internal network socket) could well be the reason why the bloody virus got through in the first place?
To cut this already long story short, what I'm trying to say is that protecting an entire network of systems is just not comparable to protecting one PC. At least, not where resources aren't in place to standardise the platforms and software in use, and where the people simply aren't available. In a world where Microsoft releases patches every Wednesday night, the game of catch-up is already difficult enough without well-intentioned but disastrous 'friendly worms' to contend with.
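The triage step described above (pinpointing the most 'virulent' machines so that patching goes where it is most effective) can be done from firewall logs. This is an added example, not code from the original thread or from the hospital in question; the log format, addresses and the port 135 threshold are constructed assumptions.

```python
"""Rank internal hosts by how many distinct peers they hit on TCP/135.

Added example, not part of the original discussion. The log lines below are
constructed (not real hospital data) and follow an assumed 'src= dst= proto=
dport=' export format; real firewall formats differ and need their own regex.
"""
import re

# Constructed sample firewall log: one host sweeping a subnet on port 135,
# one host touching two peers, and one line of ordinary web traffic.
SAMPLE_LOG = """\
2003-08-18T09:00:01 src=10.1.4.22 dst=10.1.9.3 proto=tcp dport=135 action=deny
2003-08-18T09:00:01 src=10.1.4.22 dst=10.1.9.4 proto=tcp dport=135 action=deny
2003-08-18T09:00:02 src=10.1.4.22 dst=10.1.9.5 proto=tcp dport=135 action=deny
2003-08-18T09:00:02 src=10.1.7.8 dst=10.1.9.3 proto=tcp dport=135 action=deny
2003-08-18T09:00:03 src=10.1.4.22 dst=10.1.9.6 proto=tcp dport=135 action=deny
2003-08-18T09:00:03 src=10.1.2.50 dst=10.1.9.10 proto=tcp dport=80 action=allow
2003-08-18T09:00:04 src=10.1.7.8 dst=10.1.9.4 proto=tcp dport=135 action=deny
2003-08-18T09:00:04 src=10.1.7.8 dst=10.1.9.4 proto=tcp dport=135 action=deny
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (src, dst, proto, dport) per line; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def rank_scanners(log_text, port=135, min_targets=2):
    """Return [(src, distinct_targets), ...], most-virulent-first.

    Distinct destinations are counted rather than raw packets, so a host
    retrying one legitimate RPC peer does not rank beside a host sweeping
    the subnet. Hosts below `min_targets` are dropped from the list.
    """
    targets = {}
    for src, dst, proto, dport in parse(log_text):
        if proto == "tcp" and dport == port:
            targets.setdefault(src, set()).add(dst)
    ranked = [(src, len(d)) for src, d in targets.items() if len(d) >= min_targets]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in rank_scanners(SAMPLE_LOG):
        print(f"{src}: {n} distinct hosts on tcp/135")
```

Patch (or isolate) from the top of the list down; a home laptop plugged into an internal socket shows up the same way as any other sweeping host.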
You've got to bear in mind that using Windows Update on a home PC running XP is an entirely different proposition from ensuring that 6000 PCs running everything from DOS to Windows 2003 Server are up-to-date.
Point taken. Sorry you're in the thick of this horrible mess. The company I work for has about 1,500 PCs, but almost all the ones on the network are running Windows 2000 Professional so it's less of an issue for them, I guess.
I get a bit immature in my old age sometimes ... but I swear if I found the person that wrote these beasts I'd kick their ass. They deserve it.
Oh yeah ... slowing down servers is real funny ... yeah ... REAL frickin' funny when a hospital has to shut down its systems ... yeah ... very funny.
Jerks. I hope they lose all their money buying CDs *wink*.