Virus attacks--dumb and dumber

COMMENTARY--On August 19, 2003, FBI and Secret Service agents knocked on the door of 603 Eighth Avenue South, Hopkins, Minnesota. Computers all over the world had been shuddering to a halt, rendered useless by alien code that infected their innermost workings, multiplying and spewing forth in a rabid search for further victims.

If this were Hollywood, their quarry would be a desperado, a secretive superhacker bent on bringing Microsoft to its knees, a criminal genius hunted by crack forensics to his laboratory lair stacked full of mind-mangling equipment. There'd probably be piranhas in the pool.

But it wasn't Hollywood. It was Minnesota. Our evil genius turned out to be Jeff Parson, nerdish teenager unextraordinaire. The laboratory was a bedroom, and the mastermind's weaponry of MS destruction turned out to be a handful of home computers hooked up to DSL. No piranhas are thought to have been involved.

The mighty machinery of government detection wasn't unduly exercised either--our antihero had thoughtfully included links to his Web site in the virus code, together with a wide selection of nicknames and other clues. Actually, calling them clues is akin to calling the words spoken in "The Matrix" a script: short of putting in his home phone number and a time when he'd be at home to visitors, there's not much more he could have done to help the detectives.

All these details are snappily related in the court deposition sworn in by FBI agent David Farquhar, and helpfully available online. Teenagers aren't known for fully comprehending the consequences of their actions, but Parson has raised the bar for those who come after. He barely qualifies as a virus writer at all--he just snarfed up a set of pre-rolled tools and stuck them together. The deposition covers those, too: a code replicator was the Blaster worm--renamed to reflect Parson's online persona, t33kid--glued to a remote-control package called Lithium

At this point, it gets interesting. Blaster had also been used in various other guises since first coming to light on August 11, but it ultimately derived from a package created by a Chinese group called Xfocus. There's no sign that they deployed a worm, but they did make the tools to do so available on the Web. That happened shortly after 16 July, the date on which Microsoft published a patch for the vulnerability that Blaster--and Parson--subsequently attacked.

In their way, patches are as simple-mindedly counterproductive as Parson's code. He included his Web site address; the patches contain explicit information about problems that would otherwise be very hard to detect. There's nothing to be done about that. No encryption or obfuscation can change the fact that patches change code, and those changes are obvious to people who know what to look for. In this case, the vulnerability was exploited within days of the patch going public--much faster than a world full of Windows machines could obtain and install the cure.

There will be many more patches to come. Studies of programmers are remarkably consistent: you'll get between one and three errors per hundred lines of code. With intensive testing, you can get that down by a factor of about ten--say, one error per five hundred lines. Windows XP has of the order of 45 million lines, which means we can expect somewhere in the order of a hundred thousand bugs. Many won't affect security, and most will remain undiscovered until the day the last Windows installation is finally turned off--I do hope someone's around to note the fact--but that leaves plenty to be getting on with.

Microsoft--and, to be fair, any other company finding itself with the responsibility for most of the world's PC software and $50 billion in resources--now has a difficult choice. By issuing more and more patches, it risks a proliferation of Parsons; by keeping quiet, it risks leaving millions of computers open to someone who's smart enough to find out the vulnerabilities on their own. The company is considering automatic patch deployment, presumably impressed by the idea that if Blaster or Sobig had contained inoculation code instead of a nefarious exploit, the problem would fix itself. Tempting, but patches themselves will have the 1 in 500 line bug rate. The image of Microsoft itself disabling its customers' computers without anyone else to blame at all is probably too rich even for Bill's battle-hardened fleet of warp-capable spin captains.

There is no right answer: there is only the least bad option. It has to happen soon and it has to look good. Whatever Microsoft does, it must carry the rest of the industry with it: many problems are reported by independent groups who are happy to act responsibly and keep quiet--provided they consider Microsoft will use the information properly.

Each vulnerability must be properly assessed for risk before being publicly patched. If keeping quiet for a while is less risky than issuing a patch, then so be it. And every so often, Microsoft should mail out CDs with all current security fixes to all registered Windows users with a "run this software, or else!" message a mile high. Broadband ain't enough: the company can afford the postage, and besides it's a good opportunity to bundle all manner of nice things to sugar the pill. It might even sell some more software for the company. And that's a happy ending good enough for Hollywood.