I can look at the logs on my firewall and web servers and see hundreds of break-in attempts every day. Mainly, these are mass-produced attacks - they have no effect on my systems, not because I have been particularly clever in securing them, but because they are exploits for completely different operating systems and software. The attackers are simply sweeping the whole range of IP addresses for the ones that are vulnerable. They use published vulnerabilities, for which patches and exploit tools already exist. We can imagine individuals or teams of not very skilled hackers downloading the exploit tools, using them to break into some machines and using those to break into others, building up large collections of compromised machines. As such, these attacks are background noise on the Internet - they pose no threat to well-managed sites, and there is no clear pay-off for tracing the source and reporting the offenders. Even if the source's company or ISP takes action, ten new sources appear elsewhere. This is like playing a hundred whack-a-mole games simultaneously, with a single mallet, while on crutches.
However, many sites are not well managed - many companies have very little idea of information security, and home users are possibly the largest group of victims. Should we care about it? Yes, for many reasons. The continual attacks are a waste of our bandwidth. The large numbers of dumb attacks make it more difficult to spot the more intelligent attacks that might work. We do not know the motives of the attackers; perhaps they are amassing these compromised machines to make DDoS attacks on us later. If you run an e-Commerce site, then those people are your customers, and if they suffer a loss because their machine is insecure, they have less to spend with you. Finally, it slows the growth of the Information Society if people disconnect because they have problems. The more difficult question is what we can do about it. Some suggest making ISPs responsible for their users' security - but experience with their helpdesks shows that some ISPs are clueless about security. On our roads, vehicles must meet safety standards. Perhaps we could pass laws to force people to secure their machines before connecting to the Internet. However, this is futile unless there is a workable way to make desktop operating systems securable by ordinary users, which brings us to Microsoft.
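The practical problem in the two paragraphs above is separating the mass-produced noise from the few requests aimed at software you actually run. The following is an added example, not code from the original column or the author's servers: a small log triage routine over constructed Apache-style access-log lines. The hosted paths, the noise signatures (probes for IIS, FrontPage and FormMail that a Unix web server does not have) and the attack indicators are all assumptions for the sake of illustration; on a real server you would populate them from your own configuration and tune them over time.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common log format) showing the
# mix the text describes: mass probes for other platforms plus two requests
# aimed at a CGI script this host really serves. Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2002:03:14:07 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [12/Jan/2002:03:14:09 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.77 - - [12/Jan/2002:03:20:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 276
192.0.2.9 - - [12/Jan/2002:04:02:55 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [12/Jan/2002:04:10:31 +0000] "GET /cgi-bin/search.cgi?q=../../../../etc/passwd HTTP/1.1" 200 812
192.0.2.44 - - [12/Jan/2002:04:10:40 +0000] "GET /cgi-bin/search.cgi?q=;cat%20/etc/passwd HTTP/1.1" 200 790
"""

# Common log format: client, ident, user, [timestamp], "method target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the paths this hypothetical Unix/Apache host actually serves.
HOSTED_PATHS = {"/index.html", "/cgi-bin/search.cgi"}

# Assumption: signatures of mass-produced exploits for software we do not run
# (IIS Unicode/Code Red style probes, FrontPage extensions, FormMail abuse).
NOISE_RE = re.compile(
    r"default\.ida|cmd\.exe|root\.exe|^/scripts/|/msadc/|_vti_bin|formmail", re.I
)

# Generic attack indicators: directory traversal, a sensitive file,
# shell metacharacters, or an embedded NUL byte.
ATTACK_RE = re.compile(r"\.\./|/etc/passwd|[;|`]|\x00")


def classify(line):
    """Return (category, ip, path, status) for one log line, or None if unparseable.

    'targeted' = attack indicator against a path we host (worth a look);
    'noise'    = known probe for software we do not run (background noise);
    'other'    = everything else.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-encoded sequences such as %255c (-> %5c -> \) are visible.
    target = unquote(unquote(m["target"]))
    path = target.split("?", 1)[0]
    if path in HOSTED_PATHS and ATTACK_RE.search(target):
        category = "targeted"
    elif NOISE_RE.search(target):
        category = "noise"
    else:
        category = "other"
    return category, m["ip"], path, int(m["status"])


def triage(log_text):
    """Count each category and collect the targeted requests for review."""
    counts = Counter()
    targeted = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        category, ip, path, status = result
        counts[category] += 1
        if category == "targeted":
            targeted.append((ip, path, status))
    return {"counts": dict(counts), "targeted": targeted}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("summary:", report["counts"])
    for ip, path, status in report["targeted"]:
        print(f"review: {ip} hit {path} (HTTP {status})")
```

The ordering matters: a request is checked against what you host before it is written off as noise, so a known signature turning up in the query string of a script you really run is still escalated. Run against the sample, the three probes for other platforms are counted as noise and only the two traversal and command-injection attempts against the hosted CGI are surfaced for review; the same two lines would be invisible in the raw count of hundreds of daily attempts the text describes.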
Microsoft's New Direction?
It is difficult to write responsibly about security without sounding like a Microsoft-hater. The fact is that most of the world's computers run Microsoft products, so any serious vulnerability will affect a lot of people. And there are lots of serious vulnerabilities. Even organisations that keep their critical systems and data on minis or mainframes have users or customers with Windows, so they must consider the risks when the systems interact.
The good news is that Microsoft is taking security seriously - Bill Gates sent round a memo in January emphasising that security is the new priority: "when we face a choice between adding features and resolving security issues, we need to choose security." This is the approach that is needed - complexity is the enemy of good security, and no one can deny that Microsoft products are rich in complex features.
The bad news is that even with total commitment within Microsoft, it will take a long time for the benefits to emerge - the existing vulnerabilities (known and unknown) will be with us until everyone changes to use the new, safe software. Also, this may be mere lip service, designed to combat recent bad publicity. Certainly, Steve Ballmer (Microsoft's CEO) is not showing a new commitment to security; he is still repeating the "all software contains vulnerabilities" spin. This is true, but some software contains more vulnerabilities than other software. Also, Scott Culp (manager of Microsoft's security response centre) is showing a remarkably selective memory in the face of the UPnP exploit for Windows XP, saying, "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems." Perhaps Back Orifice, the Internet Explorer cross-frame scripting vulnerabilities and numerous other examples do not count. We will have to wait to see if Bill's memo is a real change of direction, or just hot air.
So, assuming that Microsoft is committed to doing the right thing on security, what do we need for end users? Perhaps it is a new definition of "User Friendly". When I invite a friend to my home, I do not expect him or her to bring a load of stuff and install a cat flap, "because I might need it one day". I would expect a friend to mention if I had left a window open, and to be honest if they have an accident in my home. So the default install should be minimal functionality - no installing a web server with the OS, macro capability should be optional in word processors and spreadsheets, and so on. There should be warnings about unsafe configurations, and when fixes are needed, the user's informed consent should be sought before the automatic fix is applied. This will make computers more difficult to use, but a lot easier to use well.
.Net Virus
January also saw the first virus for the .Net platform. Called Donut, it is a simple, direct-action infector. Jimmy Kuo once suggested that it takes virus writers about two years to release the first virus for a new, virus-supporting platform. Donut is probably the first virus to be released before the (official) release of the platform it targets. Other than that, it is unremarkable - there is certainly no surprise that a virus can be written for .Net, since all general-purpose operating systems are vulnerable to viruses.