Originally Published: Sunday, 7 May 2000
Author: Raju Mathur
Published to: featured_articles/Featured Articles

Standardize and be Damned


We live in a world of standards. Imagine what life would be like if each manufacturer had her own standard for plugging her appliance into the wall socket. Imagine life without Phillips screws. Standards are an Active Visual Good Thing++ (tm) (C) (pat pending) (maybe I need to stop browsing Microsoft's site?) in general. But not necessarily in computers. Heretical? Maybe. Crazy? Definitely. Read on.

Take the latest fiasco: the ILOVEYOU virus. A friend sent himself the virus on e-mail and read the same using two clients: a Linux computer with Netscape Messenger and an NT box with Outlook something-or-the-other. Guess which one started behaving funny afterwards? And this one is just the latest in a long history of viruses/trojans which need well-defined and tight environments to run and propagate.

Not that our friends from Redmond here are the only ones involved. For example, the teardrop, boink and other ping of death attacks were so successful precisely because they exploited a standard: the Internet Protocol (IP, commonly mis-referred to as TCP/IP) stack. Nearly every architecture and operating system (including Linux) running IP was vulnerable. On the other hand, people running old versions of Novell, SNA and DECnet were laughing their guts out, wondering what the whole brouhaha was about. (I presume there are still some of these people alive and kicking.)

Viruses and trojans aren't the only problems at hand, however. The real issue is that standards in computers put powerful and potentially dangerous tools in the hands of clueless people, while giving them the impression that just because they can select items from a menu and click a mouse they understand the technology and all issues associated with it. In this, Redmond is definitely to blame; for instance, how many people know that their easy-to-use mail client is actually a high-power programming environment with its own language? How many people realise that that easy-to-setup Internet Information Server Web server is more ridden with holes than a Swiss cheese? Close to none.

But what the heck, these are standards today, and more and more people continue jumping onto this standards wagon. As a cracker I find this making my task so easy! Now that "{}" and "Hardbeat" have given a nice demonstration of how easy it is to get into a misconfigured Apache server, 58% of all Web servers on the Internet are potentially vulnerable to being defaced or worse. In any case I'm working on a version of ILOVEYOU which sends me important information from your Windows PC without revealing itself. And as for all those clueless Red Hat 6.2 users and their wonderful imwheel programs waiting for someone to come and relieve them from their misery... slurp (excuse the drool on the monitor).

Ergo, standards in computers are a Bad Thing.

Hey, wait! Don't start throwing those CDs out of the window and working on your own distribution just yet! How about the other side of the coin: what about standards in other technologies? Let's have a look at those.

Cars. Cars are pretty standard (except for this tendency for most of the world to drive on the "wrong" side of the road... I'm from India, figure it out). So why don't the arguments which apply to computers apply to cars too? Seems to be obvious... when you get into a car, you know the power and the potential of the technology, you have control over it and you exercise that control so that things don't get out of hand.

Guns. Potentially very dangerous, but hardly ever cause damage through lack of understanding.

Electricity. Instances of people unknowingly causing serious damage using electricity supplied to homes are quite rare.

A pattern seems to be emerging here, doesn't it? We deal with fairly high technology every day without understanding how that technology works. So what makes computers and networks different? The obvious answer is:

People who use computers do not understand their potential.

To elaborate, you do not have to know how a technology works in order to use it. However, you must know what can go wrong, and have basic guidelines on how to prevent common problems.

Standards in computers and apathetic users help create precisely the reverse of this scenario. Just because a piece of software is easy to install doesn't mean that it's safe. Just because it's easy to use for two common tasks doesn't mean that you can afford to ignore the dozens of other things that it is capable of. This leads to the equivalent of putting a car in the hands of a 3-year-old, or selling arms to irresponsible governments.

Is there a solution? The simplest would be to ensure that every person who uses a computer or network is adequately educated in its use and potential. Simple and clear guidelines (e.g. change your password regularly, subscribe to your software vendors' announcement lists) should be prominently displayed above every terminal and workstation.

Ha! Can't you just see yourself going to your employer/school authority/friendly neighbourhood cybercafe and proposing this? Wild laughter is probably the least dangerous of the reactions you'll have to contend with. An excellent scheme, but too utopian and impractical.

The alternative brings us back to where we started from: if it is not possible or practicable to educate the users of computers, let's just make the things so hard to use that the potential user will need a PhD to get near one. And that's just to switch one on. No one will be allowed to actually use a computer until she's crossed 40 and has personally handcrafted 5 distributions of Linux from scratch, at least 3 of which should have been multi-lingual. Abolish all standards so that you will have to re-learn everything when you move from one computing environment to another, a side-effect of which is that you will gain valuable knowledge about its potential and protection. Implement this and watch the number of exploits and cracks on the Internet (which will cease to exist, of course) drop to zero.

This may seem rather Draconian, but it is the only solution to today's mess that I can see. Let me know if you have a better one.

Raju "OldMonk" Mathur is an aging Linux/Unix hacker who gains immense pleasure from the company of his family, new PIII/550 and open-minded (read "gullible") friends and acquaintances. While the solutions proposed in the article are not to be taken seriously, the problems discussed are real and will cause major disruptions and disasters unless corrective action is taken immediately.

Raju spends most of his time worrying that someday someone will destroy his computer by means of a cleverly crafted Emacs-lisp virus embedded in an e-mail.

Copyright and License
--

Copyright (C) 2000, Raju Mathur. Released under the GNU General Public License.




