December 26, 2024

Serious Linux Worm

New.com reports on a new worm infecting Linux/Apache servers. (A “worm” is a malicious standalone program that propagates on its own, without requiring any human action.)

A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said Saturday.

It was only a matter of time before this happened. Linux in particular, and open-source software in general, are not immune to malware such as worms and viruses. Linux has gotten a free pass for a while, because malware developers, like all software developers, tend to target their code for the most popular platforms. Now that Linux is so popular on servers, it becomes a more natural target for malware.

Of course, whoever did this is a criminal and deserves to be punished.

If there is a silver lining here, it is that this serves as a wake-up call for those who view the poor state of computer security as a “Microsoft problem” or a “closed-source problem.” All software is riddled with bugs, and all security-critical software is riddled with security-critical bugs. We just don’t know how to build large, complex programs without them. Rather than pointing the finger at others, who might or might not have a few more bugs than we do, we all need to figure out how to do radically better than any of us are doing today.

Rebecca Mercuri on the Florida Voting Fiasco

Rebecca Mercuri writes, in the RISKS Forum:

Well, Florida’s done it again.

Tuesday’s Florida primary election marked its first large-scale roll-out of tens of thousands of brand-new voting machines that were promised to resolve the problems of the 2000 Presidential election. Instead, from the very moment the polls were supposed to open, problems emerged throughout the state, especially in counties that had spent millions of dollars to purchase touchscreen electronic balloting devices.

Mercuri goes on to discuss the problems in detail. She is perhaps the leading independent expert on voting technology, and is well worth reading if you’re interested in that topic.

Voting poses a particularly difficult information security problem, because so much is at stake, and because the requirements are so difficult. (For example, the secret ballot is a particularly troublesome requirement.) My sense is that we are still far from having an all-electronic system that deserves our trust.

[Link credit: Dan Gillmor]

Princeton Accused of "Hacking" Yale

[This is slightly off-topic, but as a Princeton person I have gotten lots of questions about this incident.]

Somebody in Princeton’s admissions office, probably an associate dean of admissions, apparently accessed without authorization a Web site that Yale set up for people who had applied for admission to Yale. Yale says that 11 students’ records were accessed, on 18 occasions. Princeton admits that the accesses occurred, and has suspended the associate dean in question pending an investigation. The FBI is sniffing around.

I don’t have any direct knowledge of the relevant facts, so I’ll just assume for now that the press reports are accurate.

Three comments are in order. First, Yale was pretty irresponsible to put applicants’ private information on the Web with only the applicant’s social security number and birthdate as “passwords.” It’s no secret that it is easy to learn anybody’s SSN and birthdate, so Yale’s scheme left the applicants’ information open to almost any unscrupulous person. According to today’s Washington Post, the Yale site was designed and built by a Yale junior. I wonder how much adult supervision he had. (Of course, none of this can excuse the improper accesses that Princeton people, or anybody else, might have made to the site.)

Second, the Princeton admissions person who apparently made the accesses told the press that he was just trying to verify the insecurity of the Yale system. Whether the facts (e.g. the pattern of accesses) are consistent with this excuse remains to be seen. In any case, it’s an utterly lame excuse, as one could have verified the insecurity of the site without breaching it. This excuse was Slate’s Whopper of the Week.

Finally, this case illustrates one of the differences between computer intrusions and tinkering. An intrusion like this is wrong not because somebody disapproves of it, and not because somebody gains an advantage by doing it, but because it involves an unauthorized access to a system that belongs to somebody else. People often apply the same kind of rhetoric (i.e. “hacking”) to cases of tinkering, where the purported crime is to “break in” to one’s own property.