.comment: A Golden Opportunity
Where Do You Want Your Data to Go Today?
January 3, 2001
I've argued for years now that the time will come when use of Microsoft Windows on machines storing sensitive data will be deemed an act of misfeasance. By that I mean that the lack of security in Windows will be well enough known that if your lawyer or your accountant stores private data on a Windows machine, and that Windows machine is cracked, you'll be able to sue, win, and collect.
The evidence toward that end mounts. Perhaps most damning, both in content and in the prestige of the organization whence it came, is a 73-page study, "Cyber Threats and Information Security: Meeting the 21st Century Challenge," released last month by the authoritative Center for Strategic and International Studies in Washington. The CSIS report concluded that Microsoft software is so full of security holes, and so poorly audited, that it not only poses a risk to the national security but also cannot be fixed. It is, the report said, an insecure system so complicated that it cannot be made secure.
The computers of most of the Fortune 500 companies have been cracked, the report notes, including last autumn's break-in at Microsoft's own network. Frankly, right now one gets the sense that only an idiot would pass a credit card number over the Internet, so many insecure credit card repositories have been cracked. And, the report noted, the chances are that most cracks go undetected--if script kiddies can do it, imagine what the pros could come up with? (If you've read this column for a while, this theme will already be familiar to you.)
There are several kinds of security risks familiar to the clue-enabled. There are the virus and virus-like macro attacks in which code finds its way onto your machine and does damage locally or distributes itself by way of your machine to others and causes trouble through the sheer weight of the traffic. There are the distributed denial of service attacks, which produce two flavors of victim: The site that gets hammered, and the hundreds, even thousands of "zombie" machines that do the attacking unbeknownst to their owners. (In at least one DDoS attack last century, which is in this case to say last year, Linux machines were the chief zombies, an exploit having been found and, well, exploited.) There are cracks of websites, substituting some new content for that which the webmaster intended. These three are largely acts of vandalism, just stupid stuff. When The New York Times website was cracked two years ago, the children who did it eschewed any cleverness in their substitute site. (Imagine some fiendish cracker hitting that site and inserting something subtle--sanity in the editorial column, for instance.)
By far the worst, though, is gaining access to data on machines. This can be anything from a doctoral dissertation to a database of a few hundred thousand credit card numbers, along with the names, addresses, and card use histories of the card holders. The potential for abuse is obvious--order up a bunch of stuff, or, if you manifest equal measures of boldness and stupidity, hold the data hostage pending payment of a ransom--and unobvious: imagine a database of 300,000 cardholders with all their information. That puts you in a dandy little mailing list business, and you'll never get caught. Forget the card numbers--the rest of the stuff is easily saleable, no questions asked.
And when a person has access to a machine, chances are good that the data can be copied, sure, but also manipulated. The fact that macro virii got into and caused to be shut down a computer network in the National Security Agency last year tells us that somebody bent on more than obvious troublemaking could cause a lot more trouble, unobviously.
The threats are broad and frightening, and they extend to every computer that is hooked to a modem or, worse, broadband. And Microsoft software is not part of the solution.
"It is doubtful that the millions (sometimes billions) of lines of code required to power Microsoft's products could readily be sanitized," notes the CSIS report, which goes on to mention that most government computer systems--including very sensitive military systems--are running software from Redmond.
This represents a golden opportunity. Not just for crackers, though surely that's the case, but for Linux.