September 24, 2004
For a long time, the Mac community has believed that because the Mac population is relatively small, that small size is itself a defense against attack. The logic goes something like this:
Since the overall Mac population is so small compared to the Windows population, Macs are not that interesting to virus writers.
Well, as the Witty worm showed, a small population is no defense against a devastating attack.
On March 8th, 2004, eEye Digital Security discovered a vulnerability in ISS's BlackICE/RealSecure products. On March 9th, ISS released a patch for the vulnerability.
On March 18th, eEye published a high-level description of the vulnerability. 36 hours later, Witty was released into the wild.
Within 45 minutes, every vulnerable machine was infected, about 12,000 machines in total.
Witty is a scary story for a number of reasons.
First, it was destructive. Not only did it create copies of itself by generating 20,000 packets with random IP addresses and sending those packets out to infect more hosts, but it then picked a random point on the hard drive and overwrote whatever data was there with 65K of data from iss-pam1.dll. Once that was done, the process was repeated until a reboot, or until the machine crashed. As a side effect, this limited the number of times the worm could reproduce, although that was small comfort to those who were infected and lost data.
However, there are some other factors here that make Witty a particularly ominous example of viral code. First, instead of starting from a relatively small number of hosts, Witty spread outwards almost simultaneously from 100 to 110 hosts. Considering the packet count, and allowing for at least two rounds per host, that means within seconds of its release, there were over 2,000,000 packets probing other hosts for the vulnerability. This number is exacerbated by Witty's size:
Witty was also bug-free. That means that someone tested it. It also means that the core worm engine was probably finished well in advance of the BlackICE vulnerability announcement, and was just waiting for the right vulnerability to be used.
Witty was not some dork with a virus kit from a h@xx0r site spreading the love of Anna Kournikova. It was written by someone who knew what they were doing, was patient enough to wait for the right opening, and, importantly, didn't care about the vulnerable population size.
Witty only attacked computers running unpatched versions of BlackICE firewalls. It was released ten days after a fix for the vulnerability was issued. It only infected 12,000 hosts, but it did so in 45 minutes, or 4.45 hosts per second. If there were enough vulnerable hosts, and assuming perfect antivirus signature updates were in place and in use 48 hours after release, that's 768,960 computers infected and probably dead within two days.
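The extrapolation above is linear: hosts per second times seconds. Worm-spread analysis usually models a random-scanning worm as logistic growth instead, and that model makes the post's point even more sharply. The block below is an added illustration, not code from the post and not worm code of any kind: it only evaluates the standard susceptible/infected epidemic equation, applied to the numbers the post quotes (12,000 vulnerable hosts, about 100 seed hosts, 45 minutes to saturation). The per-host probe rate is not stated on the page, so the code solves for the rate that fits those figures and then reuses it on larger populations. It goes beyond the post in one respect: it shows that under random scanning a larger vulnerable population saturates faster, not slower, at the same per-host rate.

```python
"""Logistic model of a random-scanning worm, fitted to the Witty numbers quoted in the post.

Added illustration, not code from the post and not worm code: it evaluates the
susceptible/infected (SI) epidemic equation used in worm-spread analysis.
The per-host probe rate is an assumption the post does not state; the model
derives the rate that would reach 12,000 hosts in 45 minutes from 100 seeds.
"""
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner can pick from

# Figures quoted in the post
WITTY_VULNERABLE = 12_000        # vulnerable hosts
WITTY_SEEDS = 100                # initially infected hosts (post says 100 to 110)
WITTY_SECONDS = 45 * 60          # time until every vulnerable host was infected


def _growth_constant(vulnerable, probes_per_sec):
    """k in dI/dt = k * I * (1 - I/N): probes per second per infected host times
    the chance that one random probe lands on one of the N vulnerable addresses."""
    return probes_per_sec * vulnerable / ADDRESS_SPACE


def time_to_fraction(vulnerable, seeds, probes_per_sec, fraction=0.99):
    """Seconds until `fraction` of the vulnerable population is infected.

    Closed form of the SI model: I(t) = N / (1 + C * exp(-k t)), C = (N - I0) / I0.
    """
    k = _growth_constant(vulnerable, probes_per_sec)
    c = (vulnerable - seeds) / seeds
    return math.log(c * fraction / (1.0 - fraction)) / k


def required_probe_rate(vulnerable, seeds, seconds, fraction=0.99):
    """Per-host probe rate at which `fraction` of N hosts is reached within `seconds`."""
    c = (vulnerable - seeds) / seeds
    return math.log(c * fraction / (1.0 - fraction)) * ADDRESS_SPACE / (vulnerable * seconds)


def simulate(vulnerable, seeds, probes_per_sec, step=1.0, max_seconds=86_400):
    """Step the SI model numerically (forward Euler); returns [(t, infected), ...].

    Lets you read off the infected count at any instant and cross-check the closed form.
    """
    k = _growth_constant(vulnerable, probes_per_sec)
    infected, t = float(seeds), 0.0
    history = [(t, infected)]
    while t < max_seconds and infected < vulnerable - 0.5:
        growth = step * k * infected * (1.0 - infected / vulnerable)
        infected = min(vulnerable, infected + growth)
        t += step
        history.append((t, infected))
    return history


def first_time_at(history, count):
    """First simulated time at which the infected count reaches `count`, or None."""
    for t, infected in history:
        if infected >= count:
            return t
    return None


if __name__ == "__main__":
    rate = required_probe_rate(WITTY_VULNERABLE, WITTY_SEEDS, WITTY_SECONDS)
    print(f"per-host probe rate fitting the post's figures: {rate:.0f} probes/s")
    run = simulate(WITTY_VULNERABLE, WITTY_SEEDS, rate)
    print(f"simulation reaches 99% infected at t = {first_time_at(run, 0.99 * WITTY_VULNERABLE):.0f} s")
    # Same per-host rate, larger populations: a random probe finds a target more
    # often, so a bigger vulnerable population falls faster, not slower.
    for n in (WITTY_VULNERABLE, 100_000, 768_960):
        minutes = time_to_fraction(n, WITTY_SEEDS, rate) / 60
        print(f"{n:>8} vulnerable hosts: 99% infected after {minutes:.1f} min")
```

Run it as a script and the third loop line is the one worth noticing: the population figure the post extrapolates to (768,960) would be reached in about a minute at the same per-host rate, which is the epidemiological version of "a small population is no defense" and of the point that no patch cycle measured in hours can keep up.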
It's illogical to assume that Witty was a fluke, no matter how comforting that thought may be.
Witty showed that:
- Not all virus writers are goofy kids doing the modern-day version of vandalizing mailboxes
- Not all internet virii are annoying, or only concerned with denial of service
- There is no patch management system in the world fast enough to prevent this level of attack
- A small population is no defense against attack
Even on a Mac.
September 9, 2004
On a more serious note...
Well, if it follows its current track, Hurricane Ivan is looking to hit the same area that Charley rumbled over not a month ago, only much stronger. (Right now, it's an Andrew-level storm. I was in Miami for that sonofabitch, and words cannot describe what that kind of storm does.)
So I'm asking those of you who read my ranting to do me a favor. Go to the Red Cross home page, and help out however you can. If you can afford to send them some cash, do that. If you can set one up at your company, organize a blood drive, collect funds, whatever. If you work for a public utilities company, find out if they have any plans to send hands down there to help restore power. If you're a cop, a medical worker, a firefighter, whatever, find out if they're going to need extra bodies to assist. In other words, figure out what you can do. You don't have to tell me, or anyone else. Help doesn't require press releases.
In 1992, Andrew caused over 30 billion in damage, destroyed over 25,000 homes, and pretty much wiped Florida City from the map. There were areas without power and water for weeks, widespread looting, etc. It was a nightmare. Hospitals had people working 12+ hour days non-stop. When we saw the help coming in from around the country, the utility trucks, the cops, the medical workers, the water trucks, it meant a lot.
I can't make anyone help out, and I'll never know if you do (and hell, Ivan's track has drifted west a bit, and it may drift even more or just wander in the Caribbean for a few days and only kill marlins. I'd be perfectly happy if it did). But if it hits, and it's at its current strength or greater, there are going to be a lot of folks in a world of hurt. So anything we do to help will mean a lot.
Note: The continuation here was a comment, but it shouldn't be, and so now it's not. Being in charge is handy sometimes. As I get comments in that I think are noteworthy, I'm going to integrate them into the main story, esp. if they are from folks living in the affected area. It's all too easy to see this kind of thing as something that just breaks stuff. But that stuff is a home, someone's irreplaceable memento of a unique time or event in their life, and thanks to a random set of weather conditions, it's gone. It's not about stuff, it's about people. jcw
Thanks for posting this, but you're wrong about this being like Andrew. Andrew hit an area that was still strong, so the damage, while extensive, extended only from the aftermath of Andrew.
What we're dealing with here is something that nobody has ever had to deal with in Florida (or most of the US) before. I know people who lost their homes from Charley. And I know people who had damage from Charley, and then Frances came in and finished off their homes. If you drive through central Florida right now, there are houses standing, but their windows are still boarded up, and there are still plastic tarps where their roofs used to be. They'll probably be boarded up and tarped for a long time to come. Trees are lining the roads like hedges, and it's only getting worse. There is so much debris that there aren't enough people to pick it up, or enough places to put it. There's not enough time to fix the roofs. To turn back on the power. To fix the water. Not before we get hit again. Ever try to stand up when someone keeps punching you in the face? That's what we're dealing with here.
We survive on tourism. Flights are being canceled. Cruises are being re-routed or canceled. Theme parks that NEVER close are shutting down for days at a time. We're talking about billions of dollars in lost revenue. Places that are going to close their doors forever due to bankruptcy from all that lost revenue. Thousands of people are taking unpaid vacations that they can't afford to take, meaning that come rent time, they're going to be broke this month. And the very real possibility that once the theme park or restaurant or whatever they work for closes its doors again, it'll be for good.
The shelters haven't really closed since Charley, three weeks ago. People evacuate for the storm, then go back home afterwards, only to find out that they're going to have to evacuate again in less than a week. Every time they go back, they're not sure how much more of home will be gone.
Andrew happened, and then it went away. Charley is still with us. Frances is still flooding our streets. And it's only a couple of months into Hurricane Season. September and October are the worst months. We've had three hurricanes already (Hurricane Bonnie hit the panhandle, Charley and Frances the peninsula), in less than four weeks. Now we're looking at Ivan, and I'll tell you this... we're all terrified.
An update from West Palm Beach.
Many of us are still without power. You can see that these conditions bring out either the best or the worst in people. It's very sad. People's homes are being broken into and they're losing what's left of their possessions after Frances.
People can't buy electricity, gas or a hot meal in some cases. We're still under curfew. Many businesses are running off of generators just to generate some income and help the public at the same time.
Our paper will lose millions in Labor Day and advertising revenue over the next few weeks or months depending on if Ivan hits. This domino effect from all these businesses will indeed lead to layoffs, bankruptcy, etc.
If you can't send money please write a letter to your congressman and ask why we can send billions to Iraq but we can't even seem to send enough support to our own people that pay taxes here at home? It seems as if we can send the military to erect a mini city in a matter of days in a foreign country but when it comes to getting a US city back on its feet our government just tries to brush it under the rug.
September 4, 2004
The Perfect Scam...er Storm
So I've been diddling with GMail, and I've come to a conclusion:
But not because of any email brilliance. It's a nice little webmail client. It's got a clean interface, although I hate not being able to easily set up extra folders. I've been using IMAP almost exclusively for over 7 years now, and I like my IMAP folders. But it's free, so how much can I really complain? As well, since no one has that address, I get no email. (Well, maybe 3-4 people). It's therefore my favorite account. It's got a lot of storage, which is also cool.
"But John, that's not brilliant." You're right, it's not. It's the phenomenon Google has created that is brilliant. It's club marketing on the Internet.
No, really. GMail is using the same trick that every Kool Kids Klub uses. You can't just join. Oh no. That would let anyone use it. You must be invited to use GMail. You can only be invited by other members of the GMail Klub. There's now two classes on the Internet. The GMail Kool Kids, and everyone else. In fact, they should call it the GMail Qool Qids, then they'd be all GQQ, which is cooler than GQ, because it has two Q's.
Think about it. You get an invite. Of course you join. Yes you did, and you know it. Then you play with it, and just before the reality of "It's just Webmail" sets in, you get six invites. Why six? I don't know, maybe seven is a magical GQQ Posse number. But it's enough to invite a few people, but small enough so that you can't invite EVERYONE.
Jesus, all they need is a logo of an extremely large bald black man in sunglasses when you log in. If they charged an insanely high non-invite joining-up fee, they couldn't be any more manipulative.
Don't get me wrong, I think the idea of a free email service with a lot of storage is good. But folks, behind the GQQ marketing, it's just email.
And no, I'm not giving you an invite, or my GQQ address. You're not GQQ enough.