2010-03-01
Abstract
‘We're wasting more time than ever dealing with malware that is more hostile than ever.’ John Levine, Taughannock Networks.
Copyright © 2010 Virus Bulletin
For the past few weeks I’ve been trying to track down a bot that has been sending spam from my home DSL line. I know it’s there, because it has got me onto several blacklists such as the CBL (http://cbl.abuseat.org/). Like most home users, I send and receive my mail via a server somewhere else, so the blacklist entry doesn’t affect me directly, but I want to be a good citizen, and besides, it’s embarrassing for ‘Mr. Spam Expert’ to be on a blacklist.
On the LAN behind the DSL router are VoIP phones, a printer, a Mac, and a laptop running FreeBSD, but the prime suspects are two Windows 7 laptops: mine and my daughter’s. Multiple anti-malware programs on both Windows boxes all swear that both machines are clean.
The phone company gave me a combination DSL modem-router-access point, managed through web pages, telnet, and even FTP. I’ve turned off one computer or another to see if the spam would stop, and although I can’t sniff the switched wired LAN, I sniffed the wi-fi where both Windows boxes are, and saw no port 25 mail traffic, even when people were getting spam. Poking around in the router, I found its internal logs, with mysterious UPNP port forwarding entries from my daughter’s machine. Aha! So I dug out the Windows 7 install disk, wiped the laptop clean, reinstalled from scratch, and the spam still didn’t stop. Now I’m trying netstat, and it looks like the other one’s infected, too.
My main thought during this process has been: ‘what a phenomenal waste of time’.
Since the first computer virus hopped onto a floppy disk about two decades ago, how much progress have we made against malware on our computers? To put it baldly, less than none. We’re wasting more time than ever dealing with malware that is more hostile than ever. In the good old days, a virus might have drawn odd squiggles in the corner of your screen. Now it sends floods of porn spam while siphoning money from your bank account. What are we doing wrong? Our fundamental attitude toward software is screwed up.
In the past decade, the world has learned the hard way about the perils of financial innovation. Banks broke free from traditional regulation and innovated like crazy, with consequences that we now all know. It might have seemed like a good idea at the time to invent multiple tranches of derivative securities based on no-doc mortgages on shoddily built houses hours away from any jobs, but now we know that ‘innovation’ mostly meant very large levels of unknown risk, with the consequences falling on someone other than the innovator when they screw up. Does this remind you of anything?
Contrary to popular belief, there’s no secret to writing very reliable software. Computer-controlled space probes operate reliably for years, billions of miles from the nearest repair depot. Large airline and bank systems are equally reliable; one system running IBM’s TPF has run continuously for ten years, through multiple hardware and software upgrades. Reliability like that comes from having a very different attitude toward software: nothing changes unless there’s a very good reason to change it, nothing goes into the system without being thoroughly reviewed, and nothing goes in just because it’s cute and blinky.
The time we spend dealing with malware and its consequences is a dead weight on computer users, which is notably not charged back to the people who made the vulnerable software. When I look at my word processor or my web browser, I see about 100,000 bells and whistles, 99,900 of which I have never used and never will. If you ask a user ‘would you like feature X?’, the answer is always ‘yes’. But ask the question: ‘do you want feature X if it’s likely to mean that you waste days deworming your computer, or arguing with your bank to get stolen money back, or desperately hoping that you backed up the data you lost in crashes it caused?’, the answer is of course ‘no’.
Banks generally work just fine doing what they’ve done all along, and for most computer users, their computers work just fine doing what they’ve done all along, too. If we pushed back and said ‘no’ to glitz, and ‘yes’ to conservative design, imagine how much better off we’d all be.
