Sunday, January 26, 2003


The Sapphire worm that hit servers running Microsoft SQL is a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders. [CNET News.com] The most revealing part of the article is these two paragraphs:
"The problem was that this was a particularly malicious piece of code," said Steve Lipner, director of security assurance for Microsoft. "If it got a hold of one machine, it hammered away at the network. In a big organization, it's really hard to say that every point of access is protected."

In addition, developers using Microsoft's Data Engine 1.0 and Microsoft Desktop Engine 2000 may not have known they were vulnerable to the worm. The software is included in Visual Studio .NET, ASP.NET Web Matrix Tool, Office XP Developer Edition, MSDN Universal and Enterprise subscriptions and Microsoft Access. MSDE is also included in Microsoft Application Center 2000.

How could the users of all the software written by developers with those very popular Microsoft tools know that their systems were vulnerable? The "problem" wasn't that the worm was especially malicious. The worm did what worms have been likely to do since the Morris worm. The real problem is that Microsoft and other system software vendors have only put trivial resources into attack prevention and recovery. As for the cost of doing better, there was a very interesting article a while ago that I can't find online on the huge cash hoards of Microsoft and other large software vendors.
8:34:49 PM


NY Times: Newspapers are engaged in technological one-upmanship over 'AstroTurf' letters to the editor that look like authentic grass-roots responses from readers but are not. [Scripting News] The newspapers need just a bit of cooperation and technical help. Combining a shared database of letters to the editor, automatically generated searches, and a document fingerprinting tool should go a long way toward blocking form letters.
8:17:35 PM
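The shared database plus fingerprinting check sketched in the post above, as an added example (not the post's or any newspaper's code): each letter is fingerprinted as a set of hashed word shingles, an inverted index serves as the shared database, and a new submission is scored by how much of it already appears in letters on file. The three sample letters are constructed for the example.

```python
import re
import zlib
from collections import Counter, defaultdict

def shingle_fingerprint(text, k=4):
    """Set of CRC32 hashes of the letter's k-word shingles (lowercased, punctuation
    stripped). crc32, not hash(): the built-in is randomised per process."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {zlib.crc32(" ".join(words[i:i + k]).encode())
            for i in range(len(words) - k + 1)}

class LetterIndex:
    """Shared database of letters already received: an inverted index from shingle
    hash to letter ids, so a new submission is searched with one lookup per shingle."""
    def __init__(self, k=4):
        self.k = k
        self.postings = defaultdict(set)   # shingle hash -> {letter_id, ...}

    def add(self, letter_id, text):
        for h in shingle_fingerprint(text, self.k):
            self.postings[h].add(letter_id)

    def matches(self, text, threshold=0.5):
        """(letter_id, containment) for stored letters sharing >= threshold of the new
        letter's shingles; containment, not Jaccard, so padding cannot hide a template."""
        fp = shingle_fingerprint(text, self.k)
        shared = Counter(lid for h in fp for lid in self.postings.get(h, ()))
        hits = [(lid, n / len(fp)) for lid, n in shared.items() if n / len(fp) >= threshold]
        return sorted(hits, key=lambda hit: -hit[1])

# Constructed sample letters (not from the article): two readers sent the same
# advocacy template with light edits; the third is an unrelated genuine letter.
TEMPLATE = ("As a longtime resident of this city, I am deeply concerned about the "
            "proposed downtown parking ordinance. The council has not explained how "
            "the new fees will affect small businesses, and I urge every member to "
            "vote no when the measure comes up next month.")
READER_A = TEMPLATE + " Sincerely, a concerned taxpayer."
READER_B = (TEMPLATE.replace("longtime", "lifelong").replace("deeply", "very")
            + " Thank you for listening.")
READER_C = ("The high school robotics team won its regional championship last "
            "weekend, and nobody in town seems to have noticed. These students spent "
            "months building and testing their machine. They deserve a front page "
            "photo, not a paragraph buried in the sports section.")

def screen_new_letter(text):
    """Index the letters on file, then screen a new submission against them."""
    index = LetterIndex()
    index.add("reader_a", READER_A)
    index.add("reader_c", READER_C)
    return index.matches(text)
```

Screening READER_B flags reader_a with about three quarters of its shingles already on file, while the unrelated robotics letter shares nothing with it.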