Schneier lambasts Microsoft 'friendly worms'

The security expert has branded as 'stupid' the concept behind Microsoft research into the use of worms to spread software updates
Written by Tom Espiner, Contributor

Security expert Bruce Schneier has criticised the concept of using "friendly worms" to distribute software patches.

Following the publication on Friday of Microsoft's paper "Sampling Strategies for Epidemic-Style Information Dissemination", Schneier took issue with the idea of using worm-like propagation to distribute software patches.

The security expert said that, while it may seem like poetic justice to turn a weapon against itself and would seem to solve problems of home users not patching, the idea was "stupid".

"Patching other people's machines without annoying them is good; patching other people's machines without their consent is not," wrote Schneier in a blog post.

"A worm is not 'bad' or 'good' depending on its payload. Viral propagation mechanisms are inherently bad and giving them beneficial payloads doesn't make things better. A worm is no tool for any rational network administrator, regardless of intent," added Schneier.

Schneier wrote that a good software-distribution mechanism lets people choose which options they want, makes it easy to halt an installation and to uninstall, and lets them know what has been patched.

While agreeing that people should be able to decide which security patch is right for their computing environment, Microsoft said that "spreading information in epidemic style may have benefits in terms of the speed of propagation and resilience".

Microsoft researcher Milan Vojnovic, one of the authors of the Microsoft paper, said that the main thrust of his research was not to develop worm-like security patching techniques.

"My focus is fundamental research on improving the efficiency of data distribution of all types across networks, and isn't limited to certain scenarios or types of data but investigating underlying networking techniques," wrote Vojnovic in an email response to ZDNet.co.uk. "Using understanding from the field of epidemiology is one of the methods that we're investigating in this area, and we hope that our research will help inform future computer science research and networking technology."

A Microsoft spokesperson said that the research was into how data could best be disseminated over a large-scale network by sampling computers in a subnet or IP address block — a similar technique to that used by worms — to identify computers which needed data to be pushed to them.

"The paper quantifies how efficient an epidemic-style information dissemination can be made by optimised sampling of host addresses," said the spokesperson.

While data distribution could include software patching, in the paper the researchers said that "epidemic-style information dissemination" could be used in web-service membership management, database maintenance and streaming broadcasting.

Some worms randomly sample potential hosts to see whether they can be, or already have been, infected, while others use subnet-preference scanning and sampling strategies to optimise infection rates. The spokesperson said that Vojnovic and his fellow researchers had looked at optimising sampling for distributing data by studying sampling heuristics that use sequential learning of which subnets to sample, for the case where the initial distribution of hosts is unknown. Hosts' IP addresses may not be known in advance if they are assigned dynamically.
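To make the sampling question concrete, the following simulation is an added illustration and is not code from the paper, from Microsoft or from Schneier. It builds a constructed, synthetic address space (64 subnets of 256 offsets, not real IP addresses) in which a few subnets hold many hosts that still need an update and the rest hold only a handful. It then compares two ways of choosing which address to probe next: blind uniform sampling of the whole space, as a naive scanning worm does, and a simple sequential-learning heuristic (an epsilon-greedy rule over a per-subnet moving average of the hit rate, which is my own stand-in for the paper's heuristics, not a description of them). The measure is how many probes each strategy needs before a given fraction of the needy hosts has been reached.

```python
import random

# Constructed synthetic address space: SUBNETS subnets of HOSTS_PER_SUBNET
# offsets each. These are not real IP addresses and nothing is probed on a
# network; every "probe" is a dictionary lookup.
SUBNETS = 64
HOSTS_PER_SUBNET = 256
DENSE_SUBNETS = 8        # subnets where roughly half the hosts need the update
DENSE_DENSITY = 0.5
SPARSE_DENSITY = 0.02    # the remaining subnets hold only a few needy hosts


def build_population(seed=1):
    """Return needy[s]: the set of host offsets in subnet s that still need
    the update. The layout is constructed data chosen for illustration; the
    scanner is never told which subnets are dense."""
    rng = random.Random(seed)
    dense = set(rng.sample(range(SUBNETS), DENSE_SUBNETS))
    needy = []
    for s in range(SUBNETS):
        density = DENSE_DENSITY if s in dense else SPARSE_DENSITY
        needy.append({h for h in range(HOSTS_PER_SUBNET) if rng.random() < density})
    return needy


class UniformScanner:
    """Blind scanning: every subnet (and so every address) is equally likely."""

    def choose(self, rng):
        return rng.randrange(SUBNETS)

    def update(self, subnet, hit):
        pass  # learns nothing from the outcome


class LearningScanner:
    """Sequential learning of subnet yield (assumed heuristic, not the paper's):
    keep an exponential moving average of the hit rate per subnet, start it
    optimistically so every subnet gets tried, and mostly probe the subnet
    with the best current estimate, with an epsilon share of random probes
    so that exhausted subnets are abandoned and overlooked ones revisited."""

    def __init__(self, alpha=0.2, epsilon=0.1):
        self.alpha = alpha
        self.epsilon = epsilon
        self.estimate = [1.0] * SUBNETS

    def choose(self, rng):
        if rng.random() < self.epsilon:
            return rng.randrange(SUBNETS)
        best = max(self.estimate)
        candidates = [s for s in range(SUBNETS) if self.estimate[s] == best]
        return rng.choice(candidates)  # random tie-break among equals

    def update(self, subnet, hit):
        outcome = 1.0 if hit else 0.0
        self.estimate[subnet] += self.alpha * (outcome - self.estimate[subnet])


def probes_to_cover(scanner, needy, target_fraction, seed=2, max_probes=500_000):
    """Probe addresses with replacement until target_fraction of the needy
    hosts has been reached. Returns (probes_used, hosts_reached, goal)."""
    rng = random.Random(seed)
    remaining = [set(hosts) for hosts in needy]
    total = sum(len(hosts) for hosts in remaining)
    goal = int(total * target_fraction)
    reached = probes = 0
    while reached < goal and probes < max_probes:
        subnet = scanner.choose(rng)
        host = rng.randrange(HOSTS_PER_SUBNET)
        hit = host in remaining[subnet]
        if hit:
            remaining[subnet].discard(host)  # each host is "patched" once
            reached += 1
        scanner.update(subnet, hit)
        probes += 1
    return probes, reached, goal


def compare(target_fraction=0.75, seed=1):
    """Probes needed by uniform vs. learning scanning on the same population."""
    needy = build_population(seed)
    uniform = probes_to_cover(UniformScanner(), needy, target_fraction, seed)
    learned = probes_to_cover(LearningScanner(), needy, target_fraction, seed)
    return uniform, learned


if __name__ == "__main__":
    (u_probes, u_reached, goal), (l_probes, l_reached, _) = compare()
    print(f"goal: {goal} hosts")
    print(f"uniform sampling : {u_probes} probes to reach {u_reached} hosts")
    print(f"learned sampling : {l_probes} probes to reach {l_reached} hosts")
```

The gap between the two numbers is the "speed of propagation" benefit the spokesperson refers to: once the learner has seen a few hits in a subnet it keeps probing there until the hits dry up, whereas uniform sampling spends most of its probes on addresses that host nothing. Note that the same property is exactly what makes subnet-preferential worms spread faster, which is Schneier's point: the efficiency of the propagation mechanism says nothing about whether it is acceptable to use it on machines whose owners did not opt in.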

Vojnovic wrote that Microsoft had "no current plans to incorporate" his research findings into any of its products. The Microsoft spokesperson said that the company did not expect its customers to ask Microsoft to do "something radically different" when it came to pushing out customer patches.

"In the context of epidemic-style patch dissemination, Microsoft will always let customers decide whether a particular security update is appropriate for them and their computing environment," said the spokesperson. "We give customers choices in deployment technologies and allow them to decide if, when and how they'd like to apply security updates."
