Kuro5hin.org: technology and culture, from the trenches
Code Red, Media Hype, Paranoia, and Robert Morris

By wiredog in Op-Ed
Tue Jul 31, 2001 at 03:22:28 PM EST
Tags: News

Code Red! Code Red! All sysadmins man your battle stations! This is not, repeat not, a drill!
A worm strikes the internet and massive media hype ensues. So does geek paranoia. Because this media attention to an internet worm is evidence that Big Business and Big Government are using the hype to push new controls upon us. After all, this amount of media hype is new. Isn't it?


The Code Red worm is getting a lot of media coverage, primarily because of the speed with which it spread and the damage it could do. You have Bob Cringely, CNN, and Scientific American analyzing the worm's effects and threat.

I saw this comment attached to this story over on slashdot. The author seems to think, and people there agree (it's rated "Score:4, Insightful"), that the excitement in the press is FUD intended to enable a new, controllable internet. It must be, because this type of attention hasn't been paid to any previous worm by the mainstream press. The trouble with that view is that it's wrong. It lacks historical perspective.

The Morris worm of November 1988 (13 years ago) took down roughly 10% of the hosts on the net and led to the formation of CERT. 13 years ago. It made all the news broadcasts and the front pages of many newspapers, and generated many follow-up articles in the popular press. So why do many people on slashdot, K5, and other net sites think the attention is new? Because it happened 13 years ago! If you are under 30 it is unlikely that you had personal experience with the worm and its effects. If you are under 20, as many readers here are, it is unlikely that you even remember the worm (directly, that is), or the coverage, at all. It is entirely likely that there are people on slashdot and K5 who were born after the worm was released.

The people here, and in the media, are paying attention to the security holes that allow Code Red, and other worms, to spread. What we, and the media, are missing is that the types of security holes are not new. A hole in a popular, widely used (because it's the default) server daemon. IIS on Windows today or Sendmail on Unix 13 years ago? Low security default settings on a popular operating system. Is that Windows today or VMS 13 years ago?

Code Red, Media Hype, Paranoia, and Robert Morris | 30 comments (29 topical, 1 editorial, 0 hidden)
One reason why this isn't just FUD... (4.50 / 8) (#2)
by rpg25 on Tue Jul 31, 2001 at 12:45:57 PM EST

...is the simply astounding proportion of IIS servers that seem to have been had by this worm.

Just because there's FUD doesn't mean there isn't a real threat.

On Slashdot, a +4 moderation (4.00 / 7) (#3)
by pallex on Tue Jul 31, 2001 at 12:46:18 PM EST

just means 2 or 3 people modded it up!! I wouldn't say that's a particularly large number of people!

It's not getting coverage because it's new, it's getting it because it's one of the few virus/worm/trojan things which isn't a lame 'me too' hex edit of an existing one, and because it's effective (just like the 'I love you' VBS one, and Melissa). There really aren't many of these.

I agree that I wouldn't blame MS just because this sort of thing is possible using their OS/tools. That's ridiculous.



Not "just" because (5.00 / 1) (#22)
by sy5tematic on Tue Jul 31, 2001 at 11:15:04 PM EST

What we can thank MS for is their consistent pattern of turning on every service that their operating system supports (with minimal security) by default.

As Cringely points out in his article, it's likely that a substantial percentage of the unpatched IIS 5.0 servers out there belong to people who have no idea that IIS is even running on their computer! These passive servers act like a petri dish, in which this virus (worm) or the next one can remain active more or less forever. Because the worm is relatively unobtrusive, there's a fair chance that some of these servers will never be patched, until the owners eventually upgrade to IIS 6.0 under WinXP (or whatever.)

At that point, we can all look forward to taking another turn on the merry-go-round as another half-dozen buffer-overflow exploits are discovered and the process begins again.

[ Parent ]
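A practical follow-up to the "petri dish" point above, added here as an example and not part of the original post or any comment: the probes those forgotten IIS boxes send out are visible in any web server's access log, because Code Red's request is the publicly documented GET /default.ida? followed by a long filler run (N in the July variant, X in Code Red II) and %u-encoded payload bytes. The scanner below parses Common Log Format lines, flags those requests, and counts them per source address and variant, so an admin of a non-IIS host can list the infected neighbours (they show up as 404s in an Apache log) and an IIS admin can see whether the box is being hit. The log lines are constructed for the example and the filler runs are shortened from the real request; the regular expressions and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format). Not taken from the page.
# The probe lines follow the publicly documented Code Red request shape:
# GET /default.ida? + a long filler run (N: July 2001 variant, X: Code Red II)
# + %u-encoded payload bytes. The filler runs are shortened here; the real
# request carries a few hundred characters.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 0
203.0.113.5 - - [19/Jul/2001:14:03:00 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [19/Jul/2001:14:05:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 0
198.51.100.7 - - [04/Aug/2001:09:15:43 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
this line is deliberately malformed and must be skipped
"""

# One Common Log Format line: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# /default.ida followed by at least eight identical filler characters.
IDA_RE = re.compile(r'^/default\.ida\?(?P<fill>N{8,}|X{8,})')


def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def classify_probe(path):
    """Name the Code Red variant a request path belongs to, or None."""
    m = IDA_RE.match(path)
    if m is None:
        return None
    return 'Code Red I' if m.group('fill')[0] == 'N' else 'Code Red II'


def scan_log(text):
    """Flag Code Red probes in a log and summarise them by source and variant."""
    hits = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue          # malformed line: skip it, never crash on it
        variant = classify_probe(rec['path'])
        if variant is None:
            continue          # ordinary request
        hits.append({'src': rec['src'], 'ts': rec['ts'],
                     'variant': variant, 'status': rec['status']})
    return {
        'hits': hits,
        # each distinct source is one infected host probing you
        'by_source': Counter(h['src'] for h in hits),
        'by_variant': Counter(h['variant'] for h in hits),
        # a non-IIS server answers /default.ida with 404; 200s deserve a look
        'served_200': sum(1 for h in hits if h['status'] == 200),
    }


if __name__ == '__main__':
    result = scan_log(SAMPLE_LOG)
    print(f"{len(result['hits'])} probe(s) from "
          f"{len(result['by_source'])} source(s)")
    for src, n in result['by_source'].most_common():
        print(f"  {src}: {n}")
    for variant, n in result['by_variant'].items():
        print(f"  {variant}: {n}")
    print(f"  answered 200: {result['served_200']}")
```

Feed scan_log the contents of a real access log and the per-source counts are the list of hosts on nearby networks that are still infected weeks later, which is exactly the population the comment above describes; the distinct-source count, not the raw hit count, is the number worth reporting to a neighbouring network's admin.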

Why no one is paying attention (2.80 / 5) (#4)
by ajschu on Tue Jul 31, 2001 at 01:00:52 PM EST

Three chars:

Y2K

As far as most people are concerned, this is old news. "Imminent death of Internet predicted, news at 11" was built up for years leading up to 2000, and what came of it? Nothing.

"The Interweb survived y2k," thinks Joe Average, "so obviously it'll survive this Code Red business."

The media have cried wolf on the destruction of the Internet once already, and it'll take a near cataclysm for most people to pay any attention ever again.

AJS



A near cataclysm won't do it (5.00 / 1) (#21)
by sy5tematic on Tue Jul 31, 2001 at 10:59:37 PM EST

For the Joe Average you speak of, I imagine it would take an actual disaster to make them pay attention.

A near disaster (one widely predicted, but with few or no measurable consequences) would actually support the assumption that the media is crying wolf.

[ Parent ]

Funny you should mention Y2K (4.00 / 1) (#23)
by fluffy grue on Tue Jul 31, 2001 at 11:57:50 PM EST

It's exactly because of all the Y2K hype that there wasn't a problem - it was enough to draw attention to the fact that many critical systems would have broken if they had gone unfixed. Yes, it was tabloidish and out of hand, but it did serve its purpose. Unfortunately, there was a huge backlash against all of the people predicting bad things happening. It probably didn't help that all of the tabloidish mainstream media was saying how bad things WILL happen but were cutting out the "if we don't fix it" part. Yay.

So anyway, I'd imagine that as a result of the Y2K "flop," no managers will pay attention to this trouble and so they won't authorize the 30 minutes of downtime it'll need to patch the servers. Joy.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

I think the point is (4.57 / 7) (#5)
by weirdling on Tue Jul 31, 2001 at 01:08:01 PM EST

13 years ago. M$ has had open exploits in their silly IIS product for years. Many have been known about and published by communities such as the l0pht, and yet M$ has done little to close the holes. Actually, M$ has written legalese into their licenses that actively prohibits others from doing this sort of research legally, which seems an attempt to shut up those reporting these holes.

It's funny, but another version of the vb script virus flew through here a week or so ago and nobody cared. Has M$ fixed the problem? Of course not. It still works exactly as before, only users are more intelligent.

What I'm trying to say is that a bug in sendmail thirteen years ago when Unix was young and testing the waters is not the same as Win2K or NT, both ostensibly mature platforms, running IIS, which is not a newcomer, either. Since that worm, *nix rewrote the areas affected to stop it from happening again. M$ simply does not.

I'm not doing this again; last time no one believed it.
It is the same (3.75 / 4) (#6)
by wiredog on Tue Jul 31, 2001 at 01:29:21 PM EST

thirteen years ago when Unix was young and testing the waters

Unix was not young and testing the waters 13 years ago. It dates from the early 70's (or late 60's, depending on the definition of Unix). It was over 15 years old when the Morris worm hit.

If you read "The Cuckoo's Egg" by Cliff Stoll you will see that the security problems plaguing us today are no different from those of 13 years ago. Unpatched software with security holes. Sysadmins who don't really know their jobs. Bad, low security default settings. Popular software with massive holes.

To that, add worm writers who make stupid mistakes. The difference being that Morris's mistake made the worm more dangerous, the mistakes in Code Red make it less dangerous.

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle
[ Parent ]

microsoft bashing... (4.00 / 5) (#7)
by klamath on Tue Jul 31, 2001 at 01:31:33 PM EST

M$ has had open exploits in their silly IIS product for years. Many have been known about and published by communities such as the l0pht, and yet M$ has done little to close the holes.
Um, NO. There has been a patch out for 6 weeks now. If any admins still haven't updated their servers, it's because they are lazy/clueless, not because MS fucked up. Were people blaming Redhat when the Ramen worm hit? Isn't the only fundamental difference between Ramen and Code Red the success of the product in question?

I'm not suggesting that MS makes good products for production servers (we run Solaris), but to suggest they are responsible for the damage caused by this worm is ridiculous. Every piece of software has bugs; every security-sensitive piece of software has security holes. But ultimately, it's the admin's choice to use product X, and subsequently their responsibility to keep it functioning and secure.

M$
You're smart for a 13-year old...

[ Parent ]
But not as smart as you (3.00 / 3) (#12)
by weirdling on Tue Jul 31, 2001 at 03:45:07 PM EST

For being able to conclude I am a 13 year old for using M$...

I'm not doing this again; last time no one believed it.
[ Parent ]
no (2.00 / 2) (#15)
by klamath on Tue Jul 31, 2001 at 04:25:25 PM EST

For being able to conclude I am a 13 year old for using M$
No; the (obvious?) implication of my statement is that using 'M$' makes you sound like a puerile 13-year old hax0r. It's a feeble attempt to be witty and 'diss' Microsoft, when your actual argument against them comes down to incoherent ravings.

[ Parent ]
Or personal experience (3.00 / 3) (#16)
by weirdling on Tue Jul 31, 2001 at 06:03:37 PM EST

M$ (neener, neener) may have fixed this bug, but hundreds await. I'm pretty certain that any one of the hundreds of bugs reported *per day* by bugtraq when I used to have to support this drakh would suffice in the future. When I had time, cared, or needed a good laugh, I used to read all of the stupid things M$ (neener, neener) used to put into their software on accident and require that us trusting users discover them to our chagrin.

I'm not doing this again; last time no one believed it.
[ Parent ]
so what? (5.00 / 1) (#20)
by klamath on Tue Jul 31, 2001 at 10:38:29 PM EST

M$ (neener, neener) may have fixed this bug, but hundreds await
The point here is that the bug HAS been fixed, and regardless, it hasn't really helped -- there is still (arguably) a significant problem. Assuming that writing perfect software is impossible, there will ALWAYS be security holes, in ANY piece of software. So the real important thing is to educate the clueless admins who don't update their servers.
I'm pretty certain that any one of the hundreds of bugs reported *per day* by bugtraq
Um... last I checked, there are not 'hundreds' of posts per day on BugTraq -- and certainly not hundreds per day on MS (neener, neener) products.
When I had time, cared, or needed a good laugh, I used to read all of the stupid things M$ (neener, neener) used to put into their software on accident
As I said before, I don't think MS make good software. I certainly wouldn't run NT/2k in a production environment if I could avoid it. But the fact is that if there is a serious security bug in any piece of software that is as popular as most MS products are, the repercussions are going to be major. Realistically, we can only partially solve the problem through more secure software: there are still going to be bugs (e.g. the recent root hole in BSD's telnetd). The real problem here is that we need a more effective means for admins to keep their servers up to date, so that when patches are released, the fixes can propagate.

[ Parent ]
13 Years (5.00 / 1) (#26)
by Captain Derivative on Wed Aug 01, 2001 at 04:33:01 PM EST

You seem to be implying that there haven't been any exploits for Unix systems for the past 13 years. If so, you're horribly mistaken. Sendmail, BIND, rpc.statd, and wu-ftpd are all daemons that seem to be a perennial source of root exploits. But even "secure" servers like apache, exim, fetchmail, commercial ssh, etc. have also had security holes recently. I'd wager there's few programs written in C that haven't had a buffer overflow or printf attack at one time or another.

It's necessary to assume that there are security holes in everything you run, and act accordingly. Checking daily for new security patches alone will do a pretty good job of protecting you (although it shouldn't be relied upon exclusively). Virtually every worm out there, regardless of target platform, exploits security holes that have been known about for quite some time. Microsoft had released a patch for IIS six weeks before Code Red started spreading. All those systems affected were being run by admins who were either too lazy or incompetent to install the fix beforehand. Linux worms like lion, ramen, and adore likewise exploited known holes in BIND, rpc.statd, and the like. Heck, even the Morris worm only infected systems running old versions of sendmail or fingerd.

To me, it seems like most of us haven't learned very much over the past 13 years. Sure, it was IIS this time, but there's no reason to believe it won't be a hole in your six-month-old unpatched Apache, or some service you've never heard of running by default on your fresh-out-of-the-box Red Hat/Slackware/Debian/other distro install. (Yes, lots of people are still running unpatched Red Hat 6.2 boxes with all default services still running. *shudder*)

Snickering in the corner at Micro$oft [sic] only ignores what the real problem is.


--
Hey! Why aren't you all dead yet?! Oh, that's right, it's only Tuesday. -- Zorak


[ Parent ]
Worms (3.33 / 6) (#8)
by Orion Blastar on Tue Jul 31, 2001 at 01:35:41 PM EST

Well 13 years ago the Internet was not as popular as it is now. Today almost everyone is on the Internet so it becomes big(er) news.

But we must not forget that Sendmail had a bug that allowed a Worm to exploit it. I think that has been fixed.

The thing is that Microsoft technologies have had, time and time again, different viruses and worms that can abuse the weak security and still affect systems. IIS is up to version 5.0 and it still can be infected with a Worm-like program. Plus the Worm-like program can be spread via non-server machines that use Microsoft Outlook or that have Microsoft Word installed. The 1988 Worm only infected servers running Sendmail. See the difference? The Code Red Worm infects servers and personal computers (Non-Servers) if they use Microsoft technology (Word/Outlook, NT4.0/Win2000 with IIS). Will Code Red knock out more than 10% of the Internet servers tonight, or will it also knock out more than 10% of the non-servers (users' personal computers)? With Windows being a majority of the users' computers, the chances of it knocking out more users' computers is greater. Remember that the IP address changed and the infected machines might have those packets bounced back at them?
*** Anonymized by intolerant editors at K5 and also IWETHEY who are biased against the mentally ill ***

Sendmail versus IIS (4.00 / 1) (#13)
by kostya on Tue Jul 31, 2001 at 03:56:03 PM EST

The thing is that Microsoft technologies have had, time and time again, different viruses and worms that can abuse the weak security and still effect systems.

Not to nitpick, but have you thought about how many exploits sendmail has had since 1988? It's not like sendmail was broken in 1988 and then they patched it, fixing it from that point on. On the contrary, sendmail continues to have major bugs and root exploits to this day. Think about Red Hat distributions--how long is it from the beginning of the new release till there is a sendmail patch? (I tried to back that up with a search, but Red Hat has messed up their site in favor of earning money via the RHN). As a long time Red Hat user, I can tell you that I keep my eye on the security updates for the sendmail updates. I always uninstall it or disable it, but many of my friends run it unaware or against my constant nagging.

I run Linux on upwards of 10 machines with not a single dedicated Windows machine--I love UNIX and Linux in specific. I am no lover of MS. Don't take this as a Linux flame--just a reality adjustment post.

Sure, IIS sucks big rocks. But so does sendmail--and sendmail has a nice long history of doing its job faithfully for 13 years along with providing the #1 way to get access to a machine for 13 years.

And while we are on the subject of bad Red Hat decisions, think on WU-ftpd and how many machines and OSes it is installed on--it's just as bad if not worse than sendmail.



----
Veritas otium parit. --Terence
[ Parent ]
Two Words: (4.00 / 1) (#14)
by MrSmithers on Tue Jul 31, 2001 at 04:20:17 PM EST

Postfix

Ok, so that's one word -- so sue me...



[ Parent ]
Or, if you don't like Postfix for whatever reason (4.00 / 1) (#17)
by nstenz on Tue Jul 31, 2001 at 06:12:13 PM EST

There's also qmail.

[ Parent ]
Code red does not run on Outlook or word (5.00 / 1) (#19)
by plone on Tue Jul 31, 2001 at 06:42:07 PM EST

Plus the Worm-like program can be spread via non-server machines that use Microsoft Outlook or that have Microsoft Word installed

Fortunately Code Red cannot spread through Outlook or Word. Otherwise the Internet would have already died on us on the 19th of July. What I find really disturbing about the current crop of worms and viruses (virii?) is that they could be much more lethal. If I were a virus writer, I would have an infection period of about 2 weeks, and then a sudden outbreak. All machines on a broadband connection would simultaneously flood a single site (doesn't matter which; the traffic generated would help prevent any news and quickfix patches from being distributed). After that period of flooding, all machines would systematically start corrupting as many files on the hard disk as possible.

[ Parent ]

Re: Code red does not run on Outlook or word (none / 0) (#24)
by jacob on Wed Aug 01, 2001 at 11:20:20 AM EST

[On the plural of virus: it's viruses according to Tom Christiansen. "... [W]e certainly don't grab for genitive singulars for the plurals when we've started out with a nominative. Such hanky panky would certainly get you talked about, and probably your hand slapped as well."]

If you're interested in really effective viruses, see this article, a pretty scary article called "What if smart people wrote computer viruses?"



--
"it's not rocket science" right right insofar as rocket science is boring

--Iced_Up

[ Parent ]
Possibly of interest (3.00 / 4) (#9)
by wiredog on Tue Jul 31, 2001 at 01:36:02 PM EST

Christopher Budd, security program manager at the Microsoft Security Response Center, will be online at the Washington Post Tuesday, July 31 at 3 p.m. EDT. This is a moderated discussion, so don't bother flaming.

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle
this IS new (3.25 / 4) (#10)
by boxed on Tue Jul 31, 2001 at 01:49:43 PM EST

There is a HUGE difference between the incident 13 years ago and the Code Red hype: the Morris worm got headlines after it had done actual damage. The Code Red worm however hasn't done any noticable damage and it never will, you can quote me on that.

told you so (4.00 / 1) (#25)
by boxed on Wed Aug 01, 2001 at 02:31:23 PM EST

Nothing happened, don't believe hype, because hype is bullshit. Any catastrophe that happens to the net will come out of the blue and everyone, EVERYONE, will be taken by surprise.

[ Parent ]
Different reasons, different times (5.00 / 8) (#11)
by Pac on Tue Jul 31, 2001 at 02:19:11 PM EST

The problem here is that Robert Morris proved his concept (and tried to prove himself worthy of his father) in an Internet with 60,000 hosts. The Morris worm infection peaked at a little more than 6000 machines. Some 10%. The media coverage was due more to the strangeness and the silliness of the event (worm, Internet, college professor's son wreaking havoc at Dad's workplace).

Fast forward to 2001 and look closely at the threat posed by Code Red. It has the potential to infect 20 to 25% of all Internet hosts (Netcraft numbers for hosts running IIS). The absolute number would be 4,000,000 hosts, give or take a couple of hundred thousand. Avoiding the easy flame and supposing more or less 50% of those are well tended and regularly patched (but not resisting the urge to note that this is a fairy-tale optimistic assumption), we are back to the Morris 10% of the Internet.

But now the damage to people, business and society in general is much more evident. The vanishing bandwidth can cause losses many orders of magnitude larger than the Morris worm could (even if it had infected every server existing in that mythical time when men were real men, women were real women and computers were real fridge-size VAXes). The Code Red worm can close down businesses, deny delivery of important messages and even mess up military communication.

As for culprits to hang, the Scientific American article you link to tells of some theories about the worm's originator. One of them is the government, exactly for the reasons stated in the Slashdot comment (another suspect is the company that gave the first alert about the worm. That is, let us shoot the messenger).

I am not so paranoid, but I have read my Code Law. Even if the government hasn't created the worm, this opportunity can and will be used to stress how fragile the Internet infrastructure is and to push for tighter security measures and more corporate control and government involvement.

Also, when you say "What we, and the media, are missing is that the types of security holes are not new" I take personal offense. My installations, past and present, run Web Servers that now and then have bugs, but these bugs are (a) patched quickly and painlessly by the community (and usually dutifully and timely corrected by its administrators). I can not fail to notice the logical flaw in comparing a very early version of an open mail server with a 6 year old closed source web server whose creators had plenty of time, warnings and money to correct.


Evolution doesn't take prisoners


You made a mistake. (5.00 / 2) (#27)
by stuartf on Wed Aug 01, 2001 at 10:31:22 PM EST

I can not fail to notice the logical flaw in comparing a very early version of an open mail server with a 6 year old closed source web server whose creators had plenty of time, warnings and money to correct.

I think you meant to say:
I can not fail to notice the logical flaw in comparing a very early version of an open mail server that has had many security holes in the last thirteen years with a 6 year old closed source web server whose creators had plenty of time, warnings and money to correct and did so several weeks before the Code Red worm.

[ Parent ]

Sendmail vs. IIS (5.00 / 1) (#28)
by ronin212 on Thu Aug 02, 2001 at 04:29:07 PM EST

Sendmail might have had "many holes in the last 13 years", but IIS has had at least as many in the last 2 years. Recently, sendmail has been relatively secure. IIS keeps at it and will have sendmail's history beat in no time, if it doesn't already.


--
Now is the time... get on the right side! You'll be godlike.
[ Parent ]
You missed the point. (5.00 / 1) (#29)
by stuartf on Thu Aug 02, 2001 at 04:48:46 PM EST

The point was, that the post I responded to implied that the Code Red problem was caused by Microsoft failing to fix the problem, which is plainly false. Regardless of sendmail's patchy security history.

[ Parent ]
Maybe it's hype, maybe it isn't... (3.33 / 3) (#18)
by nstenz on Tue Jul 31, 2001 at 06:15:08 PM EST

...I just hope that the next few days doesn't make the Internet about as responsive as K5 around lunchtime. =)

It wasn't VMS's fault. (none / 0) (#30)
by b1t r0t on Wed Aug 08, 2001 at 11:03:47 AM EST

Low security default settings on a popular operating system. Is that Windows today or VMS 13 years ago?

Don't blame VMS for this. IIRC, the worm only infected BSD running on Sparc and VAX. While a lot of VAX machines were involved (and were really good at spreading the RTM worm), none of them were running VMS.

-- Indymedia: the fanfiction.net of journalism.
