Guardian Unlimited © Guardian Newspapers Limited 2001
The worm that nearly toppled the tower
by Dr Simon Moores
We all fell for Microsoft. Now we risk it falling on top of us. Simon
Moores on the dangers of omnipotence.
Sunday, August 05 2001 - Code Red is a title that
would better suit the plot of a Tom Clancy novel than a computer virus that
failed to bring about global internet meltdown.
Unlike the world of Clancy's Net Force, there was no secret organisation
capable of deterring, let alone finding, the author of Code Red. Instead,
the world's largest economy has once again fallen hostage to yet another simple
computer programme, conceivably an adolescent prank.
Code Red, which infected nearly 300,000 computers and was named after a
caffeine-based drink popular among computer programmers, was, according to
the FBI and the Home Office, a grave threat to the national infrastructure
that the internet now represents in every developed nation.
However, last week's emergency and the many others that have preceded it
have forced some observers to consider the prospect of a broader technology
crisis, expressed by a dependence on internet software solutions from a single
- and frequently compromised - source, Microsoft.
Code Red cleverly exploited a weakness in Microsoft's popular internet information
servers (IIS) and the company worked swiftly to release a software fix. It
is estimated that IIS runs on approximately 6 million servers, and by last
Tuesday evening, there had been 2 million downloads of the fix. Over the past
12 months, internet-based attacks and cyber-vandalism have increased dramatically.
In a global sense, governments and business appear impotent in the face
of a threat that frequently targets Microsoft products.
Reuters reports that Code Red has already cost an estimated $1.2 billion
in damage, and the final bill may well reach $8.7bn. Over the past decade
both public and private sectors have subscribed, almost universally, to one
man's Henry Ford-style view of computing - any colour you like as long as
it runs Windows.
Tomorrow, should they embrace Microsoft's .NET vision of the future, an
apparently seamless integration of software and the internet, they are about
to repeat the experience. This Microsoft 'monopoly' - or 'consistency', depending
on your perspective - may have offered tangible advantages in the past, but
for many, choosing Microsoft software today attracts an element of risk.
An absence of competition and the company's proprietary software architecture
- which sees many of today's new products layered on top of yesterday's code
- continue to reveal dangerous vulnerabilities when some of the most popular
software is exposed to the world through the open window of the internet.
This climate of uncertainty means that only 55 per cent of business internet
users in the UK believe that online transactions are secure.
Microsoft's director of marketing, Oliver Roll, insists that companies are
choosing Windows because it offers lower cost, higher choice and greater skills
in the marketplace. Commenting on Code Red, he said: "You
can't plan for every eventuality. We have the most secure software available
in the industry. Is the benefit that I'm getting from choosing this software
greater than the risk that I'm taking?"
Chris Sterling, chief technology officer at software development house IT
Outpost, which creates business software exclusively around Microsoft technology,
says: "Microsoft's focus lies too
much on developing attractive functionality - at the cost of security. The
backward compatibility demands and very complexity of the Microsoft software
environment are its most profound weaknesses."
DK Matai, an expert on electronic risk and managing director of internet
security specialist mi2g, believes that a solution lies with open-source
software and the Linux operating system now being embraced by IBM.
"Microsoft's proprietary software
is being targeted by attackers because it has an Achilles' heel,"
he says. "Two-thirds of all web defacements
are centred on Microsoft's IIS." There is little doubt, says
Matai, "that the future lies in software
solutions that will be able to dynamically adapt to the rising threat in real
time."
Naturally, such concerns also concentrate the minds of Microsoft executives
as clearly as those of their customers, be these UK or US governments or large
financial institutions. But there is real reluctance among many to speak openly.
The Office of the E-envoy is responsible for both selecting and directing
the technology choice for tomorrow's wired society and has been criticised
for its choice of Microsoft as a principal technology partner.
However, a source stressed the transparent nature of the decision-making
process and the challenges, in a Microsoft-dominated world, of finding acceptable
technology alternatives. Microsoft doesn't like to be thought of as a Fallen
Angel. Speaking frankly, but wishing to remain anonymous, a source close to
the company commented: "What should
we do? Nationalise Microsoft? You can't take the technology away."
"If Microsoft hadn't have done
it, another company would. It's not about Microsoft; it's about humans not
deserving the technology. Personally, I believe in supporting the advancement
of society and civilisation through the benefits that Microsoft can bring
to the world." The source continued: "Of
course there's a cost attached, but I think the benefits are stronger than
those."
Others within the IT industry believe that Microsoft should accept a greater
responsibility, and see little mitigation in Microsoft's argument that security
is down to the quality of the software and the processes that a company or
individual deploys to manage a secure environment.
Ian Meakin, director of product marketing at Sun Microsystems, believes
that in following Microsoft's lead, society has arrived at a technology dead-end.
"Sun Microsystems may be Microsoft's arch rival, but not in a pure technology
sense. We represent the other side of the coin and we very much believe in
an open, free market, based on innovation and competitiveness.
"We certainly don't believe that comes from Microsoft, which drives innovation
out of the overall software equation and introduces mediocrity instead." What
is certain is that in the wake of Code Red, the world is running low on time
and answers. Microsoft may be the McDonald's of computer software, but such
convenience comes at a high price.
As a source close to the company expressed it: "I
can see another Babel looming. It wasn't the tower that brought people to
their knees - it was the overreaching ambition of what the tower did for them."