Code Red II is on the prowl and proving more virulent than its predecessor, which I wrote about a few weeks back. It's clear that CodeRedII is a much nastier worm that appear to enable the remote Administrator access to compromised machines.
What's genuinely scary about this development is how many servers appear to be affected. One would've thought the mainstream media blitz about the "original" Code Red worm would've been enough of a hint to those operating unpatched IIS servers. Apparently not.
On a related note, I called Pepsico late last week to enquire whether sales of their recently-released Mountain Dew Code Red soft drink--which apparently fueled the analysis of the first worm, hence its name--had gone up noticeably. While the product itself appears to be a good seller, it's too early to tell whether the sales were, in fact, affected by the worm's media coverage.
A pattern emerges
Microsoft makes a relatively easy target on the security front, so I won't belabor the point too much, but I've got to wonder when senior management at Microsoft will reward security over features within the company's software. The number of Microsoft technologies that contain vulnerabilities due to their fundamental architecture is too large for any individual problem to be considered an anomaly.
The numerous IIS vulnerabilities aside, ActiveX and the myriad of scripting languages within Microsoft's productivity apps and email clients are a pretty clear indicator that security has been--at best--an afterthought.
Which is unfortunate, especially given all the really smart engineers and researchers that Microsoft employs. To take the example of scripting languages, it's not even as if this type of vulnerability was first contemplated with the introduction of VBScript, Visual Basic for Applications, and their relatives. I can remember reading research papers about Safe-Tcl back in 1994 or thenabouts.
The idea behind Safe-Tcl was to create a subset of the Tcl language that couldn't be used for nefarious purposes. At the time, Safe-Tcl's developers were contemplating scripts attached to email messages that would get executed when they arrived, for example to check whether the recipient's calendar had a free slot on a given day, and then report back to its sender. Unfortunately, the many email-based viruses have made scorched earth of the idea of executable email, which is a real shame, since useful things could be done with self-propelled email messages.
The engineers at Sun were clearly not asleep at the wheel at the time, either, since they build the notion of sandboxes right into Java. While the language didn't meet the grand expectations that Sun set for it, at least it seems to have gotten the security angle right. And that's a lesson that Microsoft's architects would do well not only to heed, but to act upon.
Eloi and Morlocks
A no-less alarming item appeared on my radar this past week in the form of Progressive's Autograph system, which has been test-launched in the Houston area. The idea is to track the whereabouts of a car, report back to the insurance company at regular intervals, and have the insurance premium for the car be determined by the reported telemetry.
Apparently previous pilot programs with this system have met with consumer favor, since it saves people money. However, these same consumers clearly don't factor in the cost in terms of their loss of privacy. In addition, this type of system created a really evil feedback loop for anyone who spends time in parts of the world that the insurance company doesn't like. The first example that comes to mind would be a social worker who spends most of the working day in housing projects.
Privacy should be the default
Am I the only one that finds the increasing encroachment of privacy-removing technologies disgusting? What's worse is that the average bears seem to be willingly giving up their privacy in the name of Mammon. I recall a study performed in the South about 7 years ago where a handheld coupon system was being tested. Consumers could choose how much to divulge about their buying habits, but if they dialed the device to maximum disclosure, the value of their coupons would also grow. Almost without exception, people chose coupon value over privacy.
I fear that this trend will get worse before it gets better. We are fostering a penny wise, pound foolish outlook on life, creating no-go zones for our vehicles, and ultimately creating a society where privacy will have a price. The inexpensive default will be little-to-no privacy, but if you want to maintain your privacy, you can expect to pay handsomely. After all, you must have something to hide, right?
What a bleak world we're creating for ourselves and our descendents.