Random Access - Monday, September 3, 2001

Code Wed

by Chris Gulker


Silicon Valley? Yeah. Well. OK, so we're in a slump. Venture capital is harder to find than, uh, well, venture capital. People have time on their hands: some spammer recently hijacked my mail server - a modest machine on a relatively slow network link. Nobody used to bother with it.

Us nerdly types, freed from now-crashed startups, are sitting around, staring at computer screens or chatting in cafes - cafes with wireless Internet connections, of course.

Lately, the talk has been the Code Red worm, computer code that spreads itself across the Internet by infecting Microsoft's Internet Information Server. It's a big, overblown deal in the U.S., with lots of FBI and computer-security types grimacing on the evening news, predicting chaos.

Interestingly, some of the geek-cafe clucking hasn't been the usual stuff, namely berating Microsoft for its massively leaky security, or berating Microsoft for the closed-source programming model that keeps people from fixing the leaks, or just berating Microsoft on general principles.

Code Red and its recent variants are not the usual 'script kiddy' nuisances: somebody with time and serious skills cooked these puppies up. Code Red works by exploiting a rookie goof, something called a buffer overflow, in an obscure piece of code in Microsoft's Web server software.

Code Red is real: the access lights on my network switches started going ape even before my new-found spam pals began bouncing 300 emails a minute off my server. Even my tiny network was barraged with queries from Code Red-infected machines searching for vulnerable Windows IIS servers. Security outfits estimate that Code Red's most recent attack, which started on Saturday, August 6, compromised some 180,000 machines.

Code Red works by looking around the network for other Microsoft Web servers that have the buffer overflow problem. It automatically exploits the security hole, installs itself on the new machine, and the cycle starts over.

Code Red I defaced its host Web sites with the words 'Hacked by Chinese'. Code Red II was a bit more insidious: it quietly installed a 'back door', programmer lingo for an easy way to completely take over the hacked machine at will. So 180,000 powerful Web servers stood ready to do whatever mischief knowing hackers could conceive.

But, back to the interesting discussion floating around these cyber parts. Hackers are infamous for using million-dollar skills to create 98-cent hacks. One famous example was a hack of the New York Times. The hackers in question filled the Times' home page with long, whining complaints about the Times' coverage of jailed hacker Kevin Mitnick, pornography, claims of hacker prowess and other adolescentia.

Many here in the Land o' Info wondered what would have happened if the hackers had just changed a headline, or a story, or a stock price. Maybe a business headline: 'Microsoft to Declare Bankruptcy: Federal Reserve to Follow'. Timed correctly, even a subtle headline change in the U.S. newspaper of record could have changed history, or made someone a lot of money, take your pick.

And, the thinking goes, someone who had surreptitiously launched Code Red would have had, on the first go-round, something like 250,000 computers at their command. Not only could you read everything on them - credit card records, for example - but you could DO some serious stuff with all that horsepower. Like maybe predict short-term stock prices a little bit ahead of Wall Street brokerages' arbitrage supercomputers.

But the real deal here is the concept: using simple code to marshal vast resources. Query: what kind of legal business could I do if I were able to quickly assemble all the information technology I needed, basically for free?

Code Red exploited a flaw in Microsoft's technology. A much easier, and quite legal, approach is to exploit the resources that a gazillion public servers offer for free to all takers. What if one were to write a legal computer program - the difference between a virus, worm or useful, legal utility program is sometimes pretty fine - that could quickly assemble the information and useful computer processes to do, well, whatever you wanted to do?

The resources are out there and daily growing wildly in variety and power, dot com downturn notwithstanding. Massive peer networks have appeared overnight, driven by Napster's well-funded foes, that allow instant, all-but-untraceable access to anything that can be digitized. Those same networks offer free global delivery, potentially to hundreds of millions of people, for anything you care to drop into them.

A million DNS servers will describe the very structure of the Internet at a molecular level, just for the asking. Search engines will labor by the dozen to find what you need, and archives will tell you what you missed. Every encyclopedia article, university journal and corporate white paper awaits, conveniently indexed, keyworded and published on a vast array of servers.

Sun Microsystems' Bill Joy and some other thinkers conceived of future systems (Joy's is called Jini) where computer resources small and large lurked around the network, ready to be called up at a millisecond's notice. These services would self-assemble into useful entities: a video conference call on-the-fly, an emergency medical procedure guided by leading experts, the creation, printing and delivery of a new magazine. Whatever.

Well, think some, Jini's here. The basic processes are out there: in their millions of instances. All we need is to assemble the right pieces, at the right time.

Code Wed, maybe? Hmmm...



editor@gulker.com This page was last built with Frontier on a Macintosh on Mon, Sep 3, 2001 at 10:04:03 PM.