Archives for 2003

Why So Many Worms?

Many people have remarked on the recent flurry of worms and viruses going around on the Internet. Is this a trend, or just a random blip? A simple model predicts that worm/virus damage should increase in proportion to the square of the number of people on the Net.

First, it seems likely that the amount of damage done by each worm will be proportional to the number of people on the Net. This is based on three seemingly reasonable assumptions.

(1) Each worm will exploit a security flaw that exists (on average) on a fixed fraction of the machines on the Net.
(2) Each worm will infect a fixed fraction (nearly 100%, probably) of the susceptible machines.
(3) Each infected machine will suffer (or inflict on others) a fixed amount of damage.

Second, it seems likely that the rate of worm creation will also be proportional to the number of people on the Net. This is based on two more seemingly reasonable assumptions.

(4) A fixed (albeit very small) fraction of the people on the Net will have the knowledge and inclination to be active authors of worms.
(5) Would-be worm authors will find an ample supply of security flaws for their worms to exploit.

It follows from these five assumptions that the amount of worm damage per unit time will increase as the square of the number of people on the Net. As the online population continues to increase, worm damage will increase even faster. Per capita worm damage will grow as the Net gets larger.
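The scaling argument above, written out with explicit symbols (an added derivation, not part of the original post; the constant names and the assumption that each author produces worms at a steady rate are mine):

```latex
% N: number of people (machines) on the Net
% Assumption 1: a fraction \phi of machines carry the flaw a given worm exploits
S = \phi N
% Assumption 2: a fraction \kappa of susceptible machines actually get infected
I = \kappa S = \kappa \phi N
% Assumption 3: each infected machine suffers or inflicts a fixed damage c
D_{\mathrm{worm}} = c\, I = c \kappa \phi N
% Assumption 4: a fraction \alpha of people are active worm authors,
% each releasing worms at a fixed rate r (Assumption 5: flaws never run out)
R = r \alpha N \quad \text{worms per unit time}
% Total damage per unit time is worms per unit time times damage per worm
\frac{dD}{dt} = R \cdot D_{\mathrm{worm}} = (r \alpha c \kappa \phi)\, N^{2}
% Per capita damage per unit time grows linearly with N
\frac{1}{N}\frac{dD}{dt} = (r \alpha c \kappa \phi)\, N
```

Doubling the online population therefore quadruples total worm damage per unit time and doubles the damage each person can expect, which is the "per capita worm damage will grow" claim above; falsifying any one assumption removes one factor from the product.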

Assuming that the online population will keep growing, the only way out of this problem is to falsify one of the five assumptions. And each of the five assumptions seems pretty well entrenched.

We can try to address Assumption 1 by applying security patches promptly, but this carries costs of its own, and in any case it only works for flaws that have been discovered by (or reported to) the software vendor.

We can try to address Assumption 2 by building defenses that can quarantine a worm before it spreads too far. But aggressive worms spread very quickly, infecting all of the susceptible machines in the world in as little as ten minutes. We’re far from devising any safe and effective defense that can operate so quickly.

Assumption 3 seems impossible to prevent, since a successful worm is assumed to have seized control of at least one significant part of the victim’s computer.

Assumption 4 seems to be human nature. Perhaps we could deter worm authors more effectively than we do, but deterrence will only go so far, especially given that we’ve had very little success so far at catching (non-rookie) worm authors, and that worms can originate anywhere in the world.

So we’re left with Assumption 5. Can we reduce the number of security flaws in popular software? Given the size and complexity of popular programs, and the current state of the art in secure software development, I doubt we can invalidate Assumption 5.

It sure looks like we’re in for an infestation of worms.

Computers As Graders

One of my least favorite tasks as a professor is grading papers. So there’s good news – of a sort – in J. Greg Phelan’s New York Times article from last week, about the use of computer programs to grade essays.

The computers are surprisingly good at grading – essentially as accurate as human graders, where an “accurate” grade is defined as one that correlates with the grade given by another human. To put it another way, the variance between a human grader and a computer is no greater than between two human graders.

Eric Rescorla offers typically interesting commentary on this. He points out, first, that the lesson here might not be that computers are good at grading, but that human graders are surprisingly bad. I know how hard it is to give the thirtieth essay in the stack the careful reading it deserves. If the grader’s brain is on autopilot, you’ll get the kind of formulaic grading that a computer might be able to handle.

Another possibility, which Eric also discusses, is that there is something simple – I’ll call it the X-factor – about an essay’s language or structure that happens to correlate very well with good writing. If this is true, then a computer program that looks only for the X-factor will give “accurate” grades that correlate well with the grades assigned by a human reader who actually understands the essays. The computer’s grade will be “accurate” even though the computer doesn’t really understand what the student is trying to say.

The article even gives hints about the nature of the X-factor:

For example, a high score almost always contains topically relevant vocabulary, a variety of sentence structures, and the use of cue terms like “in summary,” for example, and “because” to organize an argument. By analyzing 50 of these features in a sampling of essays on a particular topic that were scored by human beings, the system can accurately predict how the same human readers would grade additional essays on the same topic.

This is all very interesting, but the game will be up as soon as students and their counselors figure out what the X-factor is and how to maximize it. Then the SAT-prep companies will teach students how to crank out X-factor-maximizing essays, in some horrendous stilted writing style that only a computerized grader could love. The correlation between good writing and the X-factor will be lost, and we’ll have to switch back to human graders – or move on to the next generation of computerized graders, looking for a new improved X-factor.

RIAA Files 261 Suits

The RIAA launched its long-awaited lawsuit storm today. John Borland at CNet news.com reports that 261 copyright infringement suits were filed against individual defendants.

Several of the suits have already settled, reportedly for around $3,000 each.

P2P Porn

Yesterday’s New York Times reported that recording industry lobbyists are shocked, shocked to find porn on popular peer-to-peer networks. Naturally, they think P2P should be heavily regulated as a result. Somebody should send them a copy of Michael Kinsley’s classic Slate editorial on the most dangerous of all media: paper.

RIAA to Grant Semi-Amnesty

The RIAA is reportedly planning to offer amnesty to file sharers. According to the reports, just after the RIAA launches its upcoming flurry of lawsuits against file sharers, it will offer a deal to everybody else: send a letter to RIAA admitting that you have infringed in the past, and in exchange RIAA will promise not to sue you for your past infringement. If you continue to infringe, though, the RIAA gets the right to sue you for willful infringement.

Mary Hodder at bIPlog points out that this may not be as good a deal as it might seem. The RIAA and its members don’t own all of the copyrights that cover recorded music. If you infringe, the RIAA and its members are not the only people who can sue you. An amnesty from them is worth something, but it doesn’t shield you fully from lawsuits. Given that, a written admission of infringement might not be a wise move.