The Digital Rag
Real World Information in a Virtual World
Thursday, May 23 2013 @ 03:42 PM PDT
Richard's Archives

I've moved virtually all of the Digital Rag archives here to the blog now. Any that are still timely and relevant are in the main topics, the rest you will find here in the archives.


Tonight's Show - 6PM Pacific

 

 Visit the Around the World site

Reprise of Globalism and the Internet

 

Last week's show archive failed, so what you'll see was edited from the low-res flash stream which results in poor video. We're going to do another session this week with our new facilities via Ustream.TV - and tighten up the show as well as add in some things that didn't get talked about last week and that have come up in the intervening week's news.

Tune in at 6PM Pacific tonight, Wednesday January 27th

Background and Other Reading/Watching

Note that the following DO NOT APPLY in CANADA!!! We Don't Have Fair Use!!!

But if everyone falls into line with these practices we may be able to lean the judicial system into recognizing that this is common law and in effect do an end-run around the current copyright law. It has already worked for time-shifting.

 

 

 

 
 


Marketing in the Internet Age... It's Not Just About Using the Internet

Archive

First published in 2003


We're on the rebound. The past 10 years have proven that the Internet is here to stay, but they've also proven that the Internet isn't the panacea that some have made it out to be.

As some of you may know, I've been around the Internet since a bit before it became known to the general public; like almost another 10 years before. I've also been around business for a while too; like about 30 years or so, including quite a spell as owner and manager of both retail and service businesses. This has given me a perspective that is somewhat unique.

On the one hand I see the opportunities inherent in sales via the Internet; those where the product is portable or digital. On the other, I see the problem of the locally oriented retail and service type companies and their struggle to find the right formula for the use of the Internet in their businesses. It's no wonder that many people have pulled back from the use of the Internet for their businesses.

At a friend's birthday party recently I spoke to Laura Krown, the owner of specialty book store Abrahams's Books here in the Vancouver area. Her tale included both the Internet and the Yellow Pages in her quest for customers. She handed me her business cards (one for herself as an artist and one for her store) and I noted that the store had a web site. "...we registered the domain but the site is still under construction..." and still is offline as I write this despite the fact that it was registered in May of 2000.

"Last year we bought an ad in the Vancouver volume of the Yellow Pages for what turned out to be almost $500 per month." she said. I asked if she had seen a rise in sales of $3,000/month (figuring a 20% average gross profit which may be low) and she said they hadn't seen any rise in sales at all. "The money was just wasted!" she said.

She's had estimates ranging up to thousands of dollars for the creation of the store's web site which is why it isn't up. "We actually sell books through the Internet via sites like www.worldbookdealers.com and that has actually been a saving grace but the number of walk-ins has declined despite our advertising." When I said that in my estimation the store's site should cost no more than a few hundred dollars a year if it was to be cost effective Laura was a bit taken aback.

"Your web site needs to be complementary to your other advertising and marketing, not a replacement for them," I said. "It should be aimed at making a potential visitor comfortable with your atmosphere before they walk in the door or call on the phone."

This attitude is in keeping with my whole philosophy about the Internet's use for location-based businesses. The Internet should encourage the face-to-face atmosphere of the physical premises.

For a business such as Laura's, where some of the traffic is from walk-bys and some is people from farther afield who come because of the specialty nature of the goods, the marketing and advertising must be tailored to the nature of the product and the people who buy it. This means knowing your market and your customers, and knowing what else they do, where they frequent, and where they get their information from.

New customers for such retailers are hard to come by. Scatter-gun techniques probably don't work well because they are not cost effective. In many cases, actually using traditional advertising to attract new customers may not be cost effective at all. It may be far better to do some clever marketing instead; things like visiting other stores that cater to similar types of people and swapping marketing materials (cards, brochures, samples, etc.) with them to cooperatively market both stores.

Another method is to put some time into creating things like articles for publication in local papers or periodicals, or in magazines that cater to the same types of people.

Such articles can be reprinted as content for bi-fold brochures that again can be distributed to other establishments as reading materials for potential customers (coffee shops, etc.)

Any and all such materials should have pointers both to the physical store (address, phone number, etc.) and to the Internet web site "for more details". The web site then becomes in effect an extended brochure for the store and some of the products; but especially for the people and the (hopefully) friendly and helpful attitude they have towards new and repeat customers - the image you want to portray to your potential new customer.

Next month we'll deal with what the web site for a location based business should and shouldn't contain, and how often it needs to be updated and added to.

richard



It's all just "Bits in the Air"

Archive

First published in 2003

I was just reading an editorial (Network Magazine, August 2003, "Wide Angle") about whether "bits and volts" can coexist. It was about the use of the power grid as a "universal access" network distribution medium; using the physical medium for the power to your home to also deliver things like Internet.

The piece decried that such a use would be a security nightmare.

Personally, I'm of the opinion that any bits outside my direct control (and even most of those in my direct control) are a security nightmare so what is special about power-line bits?

The same problem applies to wireless; and in fact every medium. All are snoopable in one way or another although some are harder than others.

About 15 years or so ago I read an article on "black fiber" - the unlit fiber being installed all over the world by various companies but not yet in use. The article hinged on what at that time was just coming out of the lab - tunable lasers and laser amplification - to propose that a single, shared physical fiber network could handle all of man's point-to-point bandwidth needs, for whatever might be dreamed up in the future, in a similar fashion to the way CB radio worked: a shared "all call" channel and a "meet me" facility for a particular wavelength the two ends would agree on for further communications.

The laser amplification would allow the fiber to be split many times (infinitely) and fanned out to the home/office/desk and would be bi-directional. Of course, since this would be a shared facility, encryption would have to be used, and at that time (remember, 15 years ago) good encryption was the territory of government (mostly the US) and not exportable.

All of this would mean that there would be many millions of potential listeners in all conversations, the same as would be necessary for a power-line physical plant.

So, we come back to the same point - the physical medium is insecure. Only encryption, end to end, can fix this.

Today, thankfully, there is good encryption available to most people using Internet facilities. There are some exceptions, both due to export restrictions and to local governments, but all in all the problem now is really one of implementation, not availability.

Today I was working with a friend of mine on our customer's site, implementing a Virtual Private Network (VPN) capable edge router on their business LAN gateway with the intention of allowing the customer to access their business LAN from their home office. The VPN router has all the software built-in and it was only a matter of deciding what blocks of IP addresses were going to be where and allowing the remote blocks to have access to the server. The rest was handled by the new hardware, which cost under CDN$200 per end.

Another customer uses a Linux box with an older, text-oriented interface database as a major part of their business. In their case, we simply configured an open source suite called PuTTY to use the Secure Shell (SSH) protocol from their various home offices into the central server in the same manner as we had configured it for normal telnet internally on the LAN (with telnet blocked at the firewall).

I just purchased a laptop that came with an 802.11 wireless card in it, and finally decided to implement a "production" wireless LAN in my home. Our software company has written all manner of software for 802.11 products and I've done testing and such for several years, but have never had a product that I could call "mine" so I could rely on having it for any length of time. Since I was setting this up on my LAN instead of in a test environment, I was careful to ensure that it was "secure", despite the fact that there is a known vulnerability in WLAN access point software in general.

I did this by putting the access point on the outside of my firewall and treating anything that comes in or goes out through it as if it were snoopable by anyone - which meant that I set my laptop's firewall software to block all ports incoming and only use SSH to talk to the rest of my LAN. In fact, I'm setting up a software VPN facility so I can share my disk files directly too - no matter where on the planet I find myself - but all encrypted end-to-end and requiring my passphrase to activate.

And this is exactly the kind of thing that is necessary when using such physical media as the power-line Internet transmission facilities I started with at the top of the article. The point is that today, not only is the technology available to take advantage of power line transmission of digital data, but also the encryption technologies necessary to allow us to make use of them without a care for how "public" they are - in contrast to the article's author's point of view.

There is no such thing as a private physical LAN/WAN facility, so expect to use encryption for anything you want to keep private and then don't sweat where the bits go.
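The policy this article describes (wireless treated like any other public medium, only SSH allowed in to the LAN, telnet blocked at the firewall) can be checked mechanically against a ruleset. The Python below is an added example, not the author's configuration: the zone names, the rule format and both sample rulesets are constructed for illustration, and the model only considers new inbound connection attempts.

```python
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    src: str             # source zone, "*" matches any zone
    dst: str             # destination zone, "*" matches any zone
    proto: str           # "tcp", "udp" or "*"
    port: Optional[int]  # destination port, None matches any port
    action: str          # "accept" or "drop"


def decide(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is dropped."""
    for r in rules:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.proto in ("*", proto) and r.port in (None, port)):
            return r.action
    return "drop"


def exposures(rules, src, dst, allowed=frozenset({("tcp", 22)})):
    """Sweep every TCP and UDP port and return (proto, first, last) ranges
    that `src` can reach in `dst`, other than the explicitly allowed services.
    The default allow-list is the article's policy: SSH only."""
    found = []
    for proto in ("tcp", "udp"):
        start = None
        for port in range(1, 65537):  # 65536 is a sentinel that closes the last run
            is_open = (port <= 65535
                       and (proto, port) not in allowed
                       and decide(rules, src, dst, proto, port) == "accept")
            if is_open and start is None:
                start = port
            elif not is_open and start is not None:
                found.append((proto, start, port - 1))
                start = None
    return found


def audit(rules, untrusted=("wireless", "internet"), protected="lan"):
    """Map each untrusted zone to the unexpected services it can reach."""
    return {zone: exposures(rules, zone, protected) for zone in untrusted}


# Constructed ruleset 1: the access point is treated as part of the LAN and
# telnet is reachable from outside. This is what the article argues against.
WEAK = [
    Rule("wireless", "lan", "*", None, "accept"),
    Rule("internet", "lan", "tcp", 23, "accept"),
    Rule("internet", "lan", "tcp", 22, "accept"),
    Rule("lan", "*", "*", None, "accept"),
]

# Constructed ruleset 2: the wireless side gets exactly the same treatment as
# the Internet. Telnet never crosses the firewall and only SSH is let in.
HARDENED = [
    Rule("*", "lan", "tcp", 23, "drop"),
    Rule("internet", "lan", "tcp", 22, "accept"),
    Rule("wireless", "lan", "tcp", 22, "accept"),
    Rule("lan", "*", "*", None, "accept"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        for zone, ranges in audit(rules).items():
            print(f"{name:9s} {zone:9s} -> lan: {ranges or 'SSH only'}")
```

An empty result for every untrusted zone means the only way in is the encrypted SSH service, which is the condition the article relies on before it stops caring where the bits travel.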

richard



More Linux vs. Microsoft (vs. MAC)

Archive

In the previous article, I noted that the change in the computing and network environment over just the 3 years from when we left iSTAR to when we joined Lineo meant a completely new set of problems despite the fact that we were dealing with multiple offices and had the Internet at our disposal. Some of the problems we faced were not directly related to which operating system we used on our desktops or servers, but they did influence decisions in that regard nonetheless.

The problems included the typical ones of different versions of the various word processing packages and spreadsheets we all used as well as others. They also included the problems presented by trying to extend the LAN concept to remote offices, something that was only attempted in previous years by very large companies; and with limited expectations and success at that. 

In the intervening 3 years (between iSTAR and Lineo) the internet had grown up quite a bit and this actually showed up as one of the major problems fairly early on. At an early organization meeting we were presented with a plan to link the offices via leased lines and frame relay, with a single gateway to the Internet at the head office. In iSTAR's time this would have been a reasonable suggestion, especially since the Lineo offices were spread throughout the world instead of being all in one country. To say that those of us from offices outside of Utah (where Lineo's head office was) were incredulous would be putting it mildly!

The circumstances into which this proposal was made were radically different from those even a year or two earlier:

- The companies brought together were staffed by individuals used to direct access at high speed to the Internet.
- The product that Lineo was based upon (Linux) was the largest distributed software development project in the world, and it was tightly integrated into the Internet environment.
- Things like e-mail attachments had grown from a few thousands of bytes to megabytes, especially between developers and customers of software vendors.
- Each of the companies that Lineo purchased had their own web sites, ftp sites, software repositories, e-mail systems, and expertise in these areas; and was not about to take a step down in capabilities in the integration process.

These were the major points, but they were exacerbated by the proposal to funnel all the Internet access through a measly T1 (1.5 Mbps) connection when many (most) of the software people in the other offices had cable or ADSL connections which ran faster. Admittedly the people in Australia and the Far East were running mostly on 56K ISDN or leased lines to their local ISP, but the majority of people were in places where their offices had their own T1 or DSL connection, and the individuals might have faster connections at home!

Even the lower bandwidth might have been OK if it were not for the much higher propagation delay (the time it takes a packet to get from one computer to another) that routing all the traffic through the one link would have meant. While propagation delay doesn't appear on the surface to affect things much if you are not actually interacting directly character by character with the computer at the other end, it actually slows things like web browsing substantially, even if the total bandwidth is high and the link not saturated.

High propagation delay affects the start-up time for each file transfer. Each such start-up consists of at least a 4-part conversation between your web browser and the server at the other end, and there can be literally hundreds of such start-ups for a single page in some cases; one for each graphic and segment in a complex page such as a portal page. A 1/2 second propagation delay (500 ms), which is what we were likely to end up with from some offices, would mean 2 seconds (4 parts, each taking 1/2 second minimum to even start) before anything even showed up on a screen. With many browsers and servers set to only start a maximum of 4 such conversations in parallel, a complex page might go from taking a few seconds total where the delay was 10-100 ms to taking ten times as long or more - even minutes!
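The arithmetic in the paragraph above can be carried through for a whole page. The Python below is an added example, not something from the original article: it uses the article's figures (4-part start-up, at most 4 conversations in parallel, a 1.5 Mbps link), while the page size, object count and the equal sharing of bandwidth between parallel transfers are assumptions made for the illustration.

```python
import heapq
from dataclasses import dataclass

STARTUP_PARTS = 4   # from the article: a 4-part conversation starts every transfer
MAX_PARALLEL = 4    # from the article: common cap on conversations in parallel


@dataclass(frozen=True)
class Link:
    delay_s: float        # propagation delay paid by each part of the start-up
    bandwidth_bps: float  # total bandwidth of the link, in bits per second


def time_to_first_data(link):
    """Seconds spent on the start-up conversation before any data arrives."""
    return STARTUP_PARTS * link.delay_s


def fetch_time(size_bytes, link, sharing=1):
    """Seconds for one transfer: start-up plus the data itself.

    Assumption: when several transfers run at once, each gets an equal share
    of the link, so the model never uses more bandwidth than the link has.
    """
    share_bps = link.bandwidth_bps / sharing
    return time_to_first_data(link) + size_bytes * 8 / share_bps


def page_load_time(html_bytes, object_sizes, link, parallel=MAX_PARALLEL):
    """Seconds until the last object of a page has arrived.

    The HTML is fetched first because the browser cannot know which graphics
    to request until it has it. The objects are then handed, in order, to
    whichever of the `parallel` conversations becomes free first.
    """
    html_done = fetch_time(html_bytes, link)
    slots = [html_done] * parallel       # time at which each conversation is free
    heapq.heapify(slots)
    finished = html_done
    for size in object_sizes:
        start = heapq.heappop(slots)     # earliest free conversation
        end = start + fetch_time(size, link, sharing=parallel)
        heapq.heappush(slots, end)
        finished = max(finished, end)
    return finished


# Constructed sample page: 20 KB of HTML plus 40 graphics of 5 KB each.
HTML_BYTES = 20_000
OBJECTS = [5_000] * 40
T1_BPS = 1_500_000   # the "measly T1" from the article

if __name__ == "__main__":
    for delay in (0.010, 0.100, 0.500):
        link = Link(delay, T1_BPS)
        print(f"delay {delay * 1000:5.0f} ms: first data after "
              f"{time_to_first_data(link):4.2f} s, page complete after "
              f"{page_load_time(HTML_BYTES, OBJECTS, link):6.2f} s")
```

With the same link and the same page, only the delay changes between runs, which isolates the start-up cost from the bandwidth.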

The only saving grace the design would have had was that it was LAN friendly - it was a known quantity and a private link that could have connected all the offices' LANs together without separate firewalls and routers. In a perfect (and coherent/homogeneous) LAN environment this would have been heaven. With all of us using a mix of versions and operating systems it would have been worse than what eventually happened because the expectation would have been that things would "just work" together. As it was, since we didn't just hook all the LANs together at one time, the expectations were less and we ended up looking for other solutions to the various problems.

Head office had Lotus Notes and used Microsoft Office for documents in most cases. In fact, administration in all the offices used MS Office almost exclusively, so from that point of view things worked fairly well. The problem was that head office had Notes and shared files in that way, and nobody even told the rest of us what files were available, let alone how to get them. It turned out that there were in fact ways to get them - just not obvious or documented.

On the other hand, most of the software people used Linux (for obvious reasons) and so sending out documents to them was problematic. Many either didn't have, or wouldn't be bothered using, access to Office or any other Microsoft product. The fact that they were in the Linux development arena initially was ignored as an aspect of the potential integration of the various offices; nobody thought that there would be active resistance to the use of non-Linux tools! And this in a Linux company!

What should have been the "lowest common denominator", e-mail, turned out to be the biggest problem! Even discounting the format of attached documents, the fact that initially head office, and eventually the 3 West coast offices as well, did all their e-mail using Notes meant that those outside this clique either got a poorly formatted version in a Windows mail program (we eventually got Notes clients) or couldn't read it at all in a text-only mail client under Linux. Yes, there was a web interface of sorts (apologies to IBM, it may simply have been the implementation) but it was missing some critical elements and proved to be next to useless when trying to use from Netscape or Mozilla under Linux. It also meant adding yet another mail box to the list of those to check for incoming messages, and bypassed the recipient's favourite filter and filing programs.

The saving grace for sending documents turned out to be Adobe PDF and the use of Rich Text Format for saving widely disseminated documents. Both of these formats are well served on Linux and Windows.

The saving grace for sharing ideas and such turned out to be a very interesting facility of the Web called a WIKI; essentially a set of web pages that anyone with access could modify and extend with just a simple web browser - from anywhere, at any time, over the Internet! By building a WIKI (and in fact several of them eventually), and putting it within the Lineo Intranet (secure, authenticated, authorized but accessible from anywhere on the web if you had the right ID and password) we increased the interaction of the various R&D, sales, marketing and even administration groups to an incredible degree.

The next article will deal in more detail with the various integration puzzles we solved.

 



Linux vs. Microsoft (vs. MAC)

Archive

I have to say that until early 1996 the only thing I used any Microsoft product for was to prepare a hard disk to receive SCO Xenix or Unix. 

In January 1996 I started work with iSTAR Internet, the purchaser of our former company Wimsey, as the Director of Management Information Services (MIS). The eye-opener was that iSTAR, having recently purchased 9 different Internet Service Providers (ISP), now had offices running Unix, Mac and Windows systems of various flavours and in various combinations. I had to learn to deal with this mix, make sense of it, and integrate the various offices as quickly as possible. This series builds upon my original exposure to Windows after Unix and mainframe systems, and includes my experience with the current crop of Linux and Open Source competitors to Windows; all from the point of view of business. 

Before I really get started, I want the reader to know that I have been dealing with office procedures, problems and systems since the time of multi-part carbon, "carbonless", and even "Ditto" alcohol reproduction forms; far in advance of the current crop of desktop and PC based server computers and their use in accounting, inventory control and word processing (or any other office problem). 

I've also dealt with communications from the days of the old electromechanical phone switches, through to today's fiber-optic based Gigabit Ethernet, Asynchronous Transfer Mode (ATM) and Time Division Multiplex (TDM) voice and data transports.

This gives me a base from which to measure the "progress" of today's attempts at business automation. You'll find that I keep going back to the question "why are we doing this?", and relating procedures (and policies) to their cost-effectiveness and overall efficiency in the operation. 

Strangely enough, this is not the way many people (consultants) look at computers; but I think it's the only way.

When our next company (after iSTAR died - but that is a separate story) was purchased by Lineo Inc., we faced a similar problem, although without the complication of the Macs. I'll deal with each of these eras separately because the problems and solutions were really quite different, despite the fact that "only" 3 years separated them.

Basic Document Problem

The first problem I faced with iSTAR's desktop war was finding a "lowest common denominator" for written information back and forth through the company. 

- The Unix (mostly SCO) faction was happy with straight text for most things and TeX documents for more complex ones. (TeX is one of the most powerful large document preparation "languages" available - but is not "WYSIWYG" so requires a fair amount of learning.)
- Those few of us on Unix systems who used either MS Word 5 (yes, Microsoft actually issued a version of Word for SCO Unix at one time) or WordPerfect 5.1. These programs were file compatible with the Windows versions of the time.
- The MAC and Microsoft Windows people were using Microsoft Office for MAC for most documents but there were version problems since the MAC version tends to be behind the Windows version which caused compatibility problems.

At iSTAR we ended up settling on text-based e-mail as the most basic internal "memo" structure. Most company-wide information and policy releases were done in this fashion, with printed versions sent for permanent "reminders" of policies and procedures - to be put into individual and office-location binders as necessary.

For documents meant to be sent to customers we ended up providing templates in Rich Text Format (RTF) - which was able to be pulled into all of the WYSIWYG word processors. Those who were Unix people turned out to be pretty much all technical staff (me being the most obvious exception), so were not involved in "formal" document preparation other than technical manuals, and TeX was fine for that.

Formal Documents and Proposals

As noted above, in iSTAR templates for formal documents were distributed as RTF. This was fine for most things; letters, policy statements, replies to inquiries, etc. but we got a fair amount of push-back regarding things like proposals and contracts. Fortunately it turned out that all of those involved were in head office, so their use of MAC based MS Word became the baseline, and the format they saved in was the older one, so was compatible with those of us with "real" MS Office on MS Windows (NT and 98). The only problem we had was sending back revisions - having to remember to save in the older Word95 format (which could not be selected as the default).

All documents were distributed internally as e-mail attachments. This presented minor problems in that many people had limited exposure to e-mail as a true business mechanism. 

The reader should recall that the mid '90s were only the beginning of what was to become the Internet e-mail revolution. There were LAN-based e-mail systems that had no easy way to deal with multiple sites, let alone the Internet. Some friends of ours formed The Electric Mail company (starting in our Wimsey offices and eventually expanding to a public company with customers all over the world) just to deal with the gateway of LAN e-mail systems to the Internet.

Beginning with a novel way of using IBM's OS/2 to run multiple instances of MS-Mail gateway, they grew to include support for all manner of gateways.

Along with this was the evolution of more sophisticated e-mail programs to deal with Internet-based e-mail. To this point, most Internet e-mail was text based with rudimentary ability to include files. MIME was in the process of being invented and was fighting with UUENCODE as the facility of choice to make machine-readable files work in the text-only environment of the Internet's Simple Mail Transfer Protocol (SMTP).

During this time I ended up creating policies and procedures for the use (and abuse) of Internet e-mail that were some of the first examples for companies with offices in more than one city. These were adapted and adopted by many of our customers as we helped them cope with the same problems.

 

Spreadsheets

In early 1996, when iSTAR was just getting off the ground, Excel was still up against Lotus 1-2-3 and Multiplan. Multiplan was the best known spreadsheet available on PC based Unix, although the Uniplex package was also excellent. Since Lotus had been the leader for many years, both Excel and the others were compatible with its files. Only a small number of people created or used macros of any type, so we had little to worry about in that department.

The problem of sending around spreadsheets was not one that came up often except as a general problem of doing file inclusions. Most users were doing them for their own local and internal functions, and those who had to interact with others much seemed to be able to do so with no problems. The fact is that most of the sheets were fairly simple and the file compatibility was not much of an issue.

Graphics (Presentations and for Print)

Prior to joining iSTAR I had done a fairly large number of public education and lecture sessions, mostly using overhead projectors with clear plastic transparencies as my visual aids. Computer graphics projectors were only just starting to come out with resolutions greater than that of TV. In fact, most of the first ones were simply adaptations of TV projectors.

Many of my graphics were simply print-outs of web pages. We at Wimsey had been some of the first creators of web pages outside the scientific community, and I had developed quite a flair for creation of block graphic pages and such just using HTML and some simple graphic programs - all printed out onto acetate with a laser printer in black and white. At the same time, PowerPoint and similar offerings from other companies (Lotus, Corel, etc.) were starting to come on the scene.

Within iSTAR, since most people did presentations only for their own use, we had little in the way of compatibility problems. The worst problem was the unrealistic expectations some of the non-technical people had of what it took to put their pet presentations up in front of an audience. I recall being put in the position of paying over $12,000 for a projector that today would go for less than $1000 (contrasted with the $350 we paid for our own overhead projector) just so some of our people could do full-color, high (1024x768) resolution, animated presentations.

It turned out that the common graphic format for most was the GIF file. People would send these around either as "screen shots" of their presentation, or as individual elements so people could share.

All in all, the problems we faced in iSTAR had more to do with the immaturity of the e-mail file include facilities, even though we had the 3 different types of systems, Unix, MAC and Windows.

3 Years Later

The solutions we settled on in 1996/97 for iSTAR were vastly different from those in 2000/01 with Lineo. The rapid evolution of the Web as a document vehicle made the difference.

On the other hand, there were aspects of the exercise that proved to be far more cultural than technical, and far more insurmountable it seems.

During our integration into Lineo, we didn't have the Mac versionitis problem, but we had several others that made things even more complex:

- Several versions of Microsoft Office at various locations and even within a single one.
- Different versions of Adobe's PDF generator as well as the Linux ps2pdf facility
- HTML vs. text only e-mail
- LAN (Notes) based e-mail vs. Internet e-mail (even though all "SMTP" compatible)
- MS Project version differences
- Rampant Internet viruses, worms and spam
- Too many cooks

All six companies that joined to create Lineo had evolved to include both techies with Linux (we were after all Linux software companies) and administration/executives that used Microsoft or other Windows-based products of one sort or another. This dropped the MAC problem but added others.

Next article I continue with a discussion of the ways we coped with these problems.



New Technologies in Home Automation

Archive

In the first article in this series you got a bit of a look at what I've been using for the past decade and more to control lights and alarms around our home. The X-10 system has served well but it's getting a bit long in the tooth so we're looking to change it at some time in the not too distant future, about the same time we move to a new home now that the kids have grown. This article will explore some of the newer technologies and why they are now reasonable, both from a technology point of view and economically.  

Home automation is running pretty much in parallel to the rest of the technology and computer sector. It seems that if you wait just a bit longer you can get something that will do oh so much more. We've been through this with the PC revolution in general, and the modem/Internet connection revolution and now the wireless revolution; all of which have had direct impact on the home automation scene.

The problem with this is that unless you jump in, you miss out on either the enjoyment or the learning that using today's products brings. You also miss the possibility of buying into a dead-end, but if you do your homework (like I'm doing here) that is less likely to happen. 

A home automation system is just that, a system. You might have to put together the various items, power controllers, actuators, remote controls, measurement devices, computer and software if you can't find a package that fits your needs closely. Today it is possible to purchase most or all of these items from a single vendor, either in person or over the Internet. In the past you probably would have had to deal with at least a couple of different vendors. 

The major aspects of home automation are:

- control - the things you use to tell systems what to do, turn on/off, raise/lower the temperature, open/close drapes, open doors, set alarms, etc.
  - push buttons
  - touch screens
  - dials, switches like normal wall light switches
  - telephone/long distance remote controllers
  - voice recognition
  - remote controls of various types
  - timers
  - computer systems, PDAs, web-pads, etc.
- controllers and actuators - the things that do the work
  - light controllers
  - watering valves
  - dispensers (dog food, water, chemicals)
  - garage door openers
  - door locks
  - curtain and blind motors
  - sky-light openers
  - furnace controls
  - motor controllers
  - utility load shedding
- sensors and measuring devices
  - thermometers (temperature)
  - hygrometers (humidity)
  - motion sensors
  - proximity sensors
  - utility usage (electric, gas, water, etc.)
  - alarm sensors for doors, windows, etc.
  - cameras
  - microphones
  - rain gauges
  - sun sensors
  - chemical sensors
  - bar code and text sensors
- status and information displays
  - display boards
  - web pages
  - popup windows
  - remote monitoring - alarm company, etc.
  - TV displays
  - individual status lamps
  - LCD panels
- connections between systems and other necessary infrastructure
  - wire
  - fiber optic
  - wireless
  - power supplies and UPSs
  - coaxial cable (TV and/or network)
  - power line transmission
  - network

This is by no means an exhaustive list, but you should get the picture. 

Cost justification of automation

The thing to recognize with any automation project (the home being just one) is that you can automate almost anything, just bring money!

OK, you've decided to look at home automation and need to get the purchases past your spouse (and he is just a clerk in a convenience store so knows little about such things.) How do you justify spending what will likely amount to thousands of dollars on "gadgets"?

The point is that before you think about putting in any automation system you should think about what it is you are trying to accomplish and what the costs and potential benefits are. 

Fortunately things are getting much better in this arena. 

  •  The cost of energy is rising and threatening to rise even faster in the near future.
  •  The cost of insurance is rising
  •  the amount of deductible you might pay if you do suffer an insured loss has risen
  •  rebates or discounts for monitored alarm systems are rising
  •  peace of mind from knowing that your home is just a phone call or web click away can be incalculable
  •  increase in self-reliance of disabled persons through the adaptation of controls to special formats (sip/puff, exaggerated/special key, etc.) as well as voice recognition which can lower the cost of supporting personnel
  •  The cost of controllers and environmental monitoring modules for home control is falling.
  •  The cost of connecting things together in older homes (i.e. retrofitting) is falling due in part to the use of things like wireless and power line transmission technologies.

In my original installation I was retrofitting an older home, so the use of the power line and wireless technologies that X-10 offered was critical. The problem is X-10 limited what I could do because the modules didn't "report back" when keyed locally (at the light switch as opposed to the remote/computer control.) This meant that status display was often wrong and things like device usage stats could simply not be done.

X-10's original computer interface also didn't have the back-channel capability they put into their later version (which I never purchased) so what little in the way of monitoring equipment they have in their line was not useful to me.

In my next implementation, I expect to install far more remote monitoring items and use their output to adjust things. Everything from the spa chemicals to heating, ventilation, air conditioning (HVAC), lawn watering and sun-shades. I might even put in some hydroponics equipment because my wife and I love fresh veggies, spices and herbs.

While part of my cost justification is "research and development", I still have to justify the core of the system. Based on our current home (2500 sq. ft. with spa, in-ground pool with solar and gas heat and in-line chlorinator, central gas hot water and furnace) our old system paid for itself just monitoring and actuating the solar panels. Based on the gas cost in the first 2 years, the panels paid for themselves in about 3 years. The remote for the gas heater, the jet pump and recirculating pump saved re-plumbing the old pressure-activated switches which were defunct when we bought the house. Their costs, added to the already existing X-10 system, were about 1/5th the cost of getting the old ones fixed. The only added cost over 9 years was the replacement of one remote control which fell into the spa - they are not waterproof ($35.00 CDN.) More than that, the new controllers allowed me to turn on the heat from in the house (the spa was outside).

This doesn't factor in the savings in personal anguish and time saved by having a house which could very easily look and sound lived-in when there was nobody around, so that potential thieves might give it a pass in favour of easier targets. Don't overlook this, especially in today's urban jungle.

 

References

  •  home-automation.org - The best starting place


Home Automation

Archive

Ever since the first commodity personal computers came out over 25 years ago, hobbyists and visionaries have dreamed and schemed over the automation of the home.

In fact, not all dreamers of such automation have been computer people. Some of the science fiction that many of us have read incessantly features some level of automation, from automatic food ordering (and preparation) through to self-aware master computers who do everything from managing the accounts to entertaining and acting as a secretary/butler; not to mention actually running the heating, lights, sybaritic bathing facilities, fish tank and communications.

It has taken a long time and the job is certainly not yet done, but we are now at the point where a reasonable job can be done for a reasonable price, and things are getting better fast. On the other hand, we now also have to contend with quite a few blind alleys from people bent on marketing something, even if it doesn't really make sense.

This article and the ones that follow will take a pragmatic look at home automation; not only the aspect of automated home process control, but also the aspects of integrated communications, entertainment and security. We will explore some of what has gone before, see what is possible, what is practical, and what is coming in the future.

The Pieces of the Puzzle

I'm going to deal first with the physical control items, since they are the things that have taken much of the time to evolve. All of the physical control systems have some sort of computer interface, and with the state of software today, they all can be controlled to the limit of their abilities from almost any computer (and to the limit of today's software, but again, that is another story).

The prize for the first item hobbyists automated is said to be a toss-up between the furnace and the lights, but in my experience, the lights won out. I helped a friend put low-voltage controlled lights in his house in 1972. He still has the house, and the automated control has gone through several generations of computers. 

The actuators were simple electro-mechanical switches. Each was about 2.5" long and sized to fit into a 1/2" hole, the standard size found in most fuse boxes and receptacle housings for standard house wire.

The control circuits were 18 gauge stranded wire running from an 18 volt DC power source. The reason for low voltage control being available was so that several different control points might control the same circuit, or several circuits might be controlled by the same push-button or rotary actuator. Later systems used computer automation as well as the physical switches.

The setup to allow any controller to control any relay was done using old "50" blocks scrounged from our work with the local phone company. These were "quick-connect" blocks designed to allow cross-connection of telephone circuits in business buildings and PBX installations. Diodes allowed for a primitive "truth-table" style multiplexing. I'll see if I can get a photo or two - the ones I took in '72 are probably at the bottom of a box in the garage.

 

The best known of the light/power control systems over the past few years has been the "X-10" system (see history) which has had several companies create compatible modules and controllers which use the power wires in a home as the means of sending and receiving commands. This system has grown from a small number of modules with strictly manual controls, to a fairly complete system with wireless, manual and computer interfaced control systems.

It has motion detectors, alarm fobs, sirens, wired in as well as add-on/plug-in controllers and even has high-power modules for 220 volt (I use one for the jet pump on my hot-tub.)

I've used these modules for over 14 years now (through 2 houses, moving them from the old one to the new), and within their limitations they have proven extremely useful. The main problem I've had is with the address switches (the round dials on the face of many of the units) which seem to require exercising from time to time due to what I assume is oxidation of the contacts. I understand that there is a newer (than the modules I have) series of "professional" units which either don't have this problem, or at least need more time to show it. 

I have to say that I have not needed to purchase any new X-10 power units for several years (I've picked up a couple of wireless control units to add and replace a unit that got dropped in the hot tub), so will have to do my homework to really be able to represent this product as it currently is. I note that the www.x10.com site is very high pressure, with pop-unders and such. I can't say I'm impressed, but then at least the technology has not died.

The system in our current house is based upon Radio transponders mostly. It uses the PS561 "Voice Dialer" security console as the central receiver. While the alarm functions are not specifically used in our home (there is another system for that), the system is set to ding each time one of the doors is opened, or one of the motion detectors set on "immediate" mode is tripped. We use the wireless motion detectors when we leave a door open in the summer - so anyone coming close to the door trips the ding.

The serial console (top picture) is plugged into one of the serial ports on our Linux-based NFS file server in the furnace room (helps to heat the house) and is programmed via a simple scripting language and some "cron" functions to turn various systems on and off throughout the year.

Along with this, we use various flavours of hand-held remotes with up to 24 functions on each to allow us to turn on and off lights (and the pumps and heater on the hot-tub).  While all are battery operated, I estimate that our total battery outlay per year is less than $100.00, including the 9-volt ones for the door monitoring units and the wireless motion detectors.

We're in the midst of deciding what we're going to do with the current house once the kids move out (something they alternate between wanting and not wanting to do on a daily basis it seems). I don't expect to take the current system with us to the next house as many of the modules have already traveled from our previous one. This series of articles will be based upon my research into the current state of the art.

richard 

The next article will deal with more recent control technologies; not that X-10 has in any way died, just that there are now competitors.

Some Resources

An interesting article on potential for viruses in home automation products I found recently. There is also an interesting thread of comments following the article.



Social Engineering - a way past even the best physical security

Archive

(second in this series on FUD and securing the computer)

Social engineering is a polite way of saying "screwing with people's minds" - taking advantage of their preconceptions, biases, soft spots, basic human decency and humanity.

The biggest security hole in today's business and home Internet and computing environment is the "nut behind the wheel" - the person at the keyboard. It doesn't matter how secure the network or the computer is, the operator (that's you, your employees, and your family if they share your computer) is the key weakness.

It can be something as simple as the subject of an e-mail with a malware payload being "Here's the file you asked for" - even though you didn't ask for it. It can be as complex as a MacGyver episode where the hero masquerades as a telephone repairman and asks your receptionist for the key to the computer room "so I can trace the problem your IS manager reported."

The point is that everyone who deals with a computer must take responsibility for the security of it and the rest of the ones connected to it in the local network. They can't rely on any software or hardware to provide absolute protection since this is simply not possible. The problem is that many (most) of the vendors of software and hardware security systems market their wares as if they (and only they) will be absolute protection against all threats; and they certainly are not!

Some of the most embarrassing exploits of otherwise "absolutely" hardened systems have been via the weaknesses of the flesh; sometimes all too literally. Even before the advent of widespread computing, the security of installations, armies and governments was compromised by the likes of "Madeleine" (a British spy) and "Cynthia" (an American), both of whom used their natural assets in the course of their careers as spies against the Nazis.

All it takes is a failure to follow what should be a hard and fast rule in your organization; identify and monitor all people who come anywhere near your systems. This policy should include guidelines such as establishing that a repair person was expected, who called, who was dispatched, and what exactly they are allowed/supposed to be doing.

The military have it right: I watched Danny DeVito in "Renaissance Man" last night. The guard at the gate when Danny's character first enters the facility where he will be teaching continues to answer Danny's questions on how to get to the building he is to report to by stating "First, go to building XXX and get a pass" - no matter how many times Danny asks for simple directions to the eventual destination, the answer is always the same! Get a pass!

Another hard and fast rule is never leave a public area alone when there are valuables in it. I recall an instance where two brand new laptop computers (worth at that time about $7,000 each) disappeared from the area of the front desk of a company. The reception area was not properly manned because the office was in the process of being built. The fact that the office was in a state of flux is not an excuse! Someone came up the elevator, walked around a corner, picked up two boxes sitting beside an otherwise unmanned front desk, and walked out; but that is only a physical loss. The potential for a data loss or system compromise is even greater since the system of computers and the data on them in even a small business can be worth many times the price of a single laptop, or even two! All it takes is someone walking up to a networked computer left carelessly on, and running a program from the web - probably all ready to go from their own or another compromised computer. The result is a local computer compromised with almost any kind of malware, from a worm to a keystroke logger. Once done, this is very hard to undo and can be almost impossible to detect.

While the necessary vigilance is something that all employees (and family) must understand and practice, this doesn't mean you (or they) need to be socially abrasive towards strangers. What it does mean is that strangers who don't have a reasonable reason to be in your private areas, or who don't have excellent and reasonable identification, should not be trusted anywhere near your valuable assets; and you should consider a logged-in computer system as a valuable asset!

This even has application outside of computers. I don't know about other cities, but here in the Vancouver area we have had our share of what are commonly called "home invasions", where a seemingly innocent individual talks their way into a home. They then abuse the owner's trust by either assaulting them or unobtrusively robbing them.

Just as good door locks are no use if the door is left open, or opened to strangers not properly vetted, so too are computer login and password systems of no use when the system is left unattended while logged in. In previous times, using Unix and other host-terminal based systems, the administrator could easily enforce an inactivity policy where the screen was locked if the keyboard was not touched for some period (typically about 5-15 minutes). Today's desktop systems can do the same thing, but the settings are typically under control of the individual user. This puts the onus on the user to set some reasonable timeout period, which directly impacts how secure the user's and subsequently the whole network's systems are. Only through major machinations involving setting and locking user profiles can an administrator or manager impose the policy absolutely.
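
An added example (not part of the original article) of checking the point above: an inactivity timeout only counts as policy if the user cannot override it. It assumes the bash/ksh `TMOUT` idle-logout variable in a system-wide profile as the mechanism, which ends an idle session rather than locking the screen; the function names, sample files and 15-minute ceiling are illustrative.

```shell
#!/bin/sh
# Added example: audit a shell profile for an ENFORCED idle timeout.
# TMOUT is the idle-logout variable honoured by bash and ksh. Only literal
# numeric assignments are recognised; MAX_IDLE is an assumed policy ceiling.

MAX_IDLE=900   # 15 minutes, the upper end of the range mentioned in the text

# audit_idle_policy FILE
# Prints one verdict and returns 0 only when the timeout is set, non-zero,
# within MAX_IDLE, and marked readonly so a user's own profile cannot undo it.
audit_idle_policy() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
        return 2
    fi
    awk -v max="$MAX_IDLE" '
        {
            sub(/#.*/, "")        # ignore comments
            line = " " $0 " "     # pad so every token has a delimiter each side
        }
        line ~ /[ \t;]TMOUT=[0-9]+/ {
            v = line
            sub(/.*[ \t;]TMOUT=/, "", v)   # keep what follows the last assignment
            sub(/[^0-9].*/, "", v)         # keep only the leading digits
            value = v + 0                  # later lines override earlier ones
            seen = 1
        }
        line ~ /[ \t;](readonly|declare[ \t]+-r|typeset[ \t]+-r)[ \t]+TMOUT[= \t;]/ {
            locked = 1
        }
        END {
            if (!seen)       { print "unset";       exit 1 }
            if (value == 0)  { print "disabled";    exit 1 }
            if (value > max) { print "too-long";    exit 1 }
            if (!locked)     { print "overridable"; exit 1 }
            print "enforced"
        }' "$1"
}

# write_samples DIR: constructed profiles (not taken from any real host).
write_samples() {
    printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n' > "$1/locked.sh"
    printf 'export TMOUT=600   # user can still run: unset TMOUT\n' > "$1/user_controlled.sh"
    printf 'readonly TMOUT=3600\n' > "$1/too_long.sh"
    printf '# TMOUT=600\nPATH=/usr/bin:/bin\n' > "$1/commented_out.sh"
}

# report DIR: one "file: verdict" line per sample profile.
report() {
    for f in "$1"/*.sh; do
        printf '%s: %s\n' "${f##*/}" "$(audit_idle_policy "$f")"
    done
}

dir=$(mktemp -d)
write_samples "$dir"
report "$dir"
rm -rf "$dir"
```

The "overridable" verdict is the desktop situation the paragraph describes: the timeout exists, but it is under the user's control rather than the administrator's.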

 

The next article in this FUD series will deal with some of the cultural issues of security - keeping the kids from learning too much too fast, and keeping grandma from being assaulted by today's in-your-face vendors of all things XXX.

richard



FUD (Fear, Uncertainty and Doubt) and the Secure Computer

Archive

This is the first of a series on the security concerns around technology today, with emphasis on the SOHO and home environment, but applicable to virtually any enterprise that doesn't have its own security personnel.

A bit of history

I don't know about you, but I remember the first time I ever saw a virus infected computer. I don't recall the exact date, but it was in late 1989 or early 1990. My friend Ken phoned me up and said "my system says it's stoned - what's going on?" Prior to this I was certainly aware of viruses because I had been hooked up to the UseNet News system since around 1983, and had read all sorts of articles and postings on the evolution of Trojans and viruses in various systems. (For a brief but interesting history, see Robert M. Slade's History of Viruses (1992).) The point is that I had not seen a virus because I didn't run any MS-DOS systems, either on my computers or those of my customers.

At that time the virus was transferred by people using floppy diskettes from an infected computer on an uninfected computer. The virus buried itself in the boot sector of the floppy (or in a program run automatically at boot) and when the floppy was used to boot the clean computer, the virus infected that too. Because this was a physical process - walking to another computer - the virus spread relatively slowly compared to some of those today.

Today's viruses, Trojans, worms, back-doors, and all sorts of permutations and combinations are collectively called malware for malicious software, and there is a whole industry that has grown up around it. This series of articles will look at all aspects of malware from the point of view of the business owner/manager.

Malware - why and how it spreads

In general, malware spreads due to inadequate security. This sounds like I'm putting the blame on those who are infected rather than on the creators of the malware, and in part I am. The point to understand is that I'm not necessarily putting the blame on the owner/operator of a computer - but rather on those who create the systems that run on the computer. They, the creators of the operating systems and programs, have failed to create a secure environment.

Of course it is always possible for the operator of a computer to be the problem even if the computer and its software are as secure as possible, but that is a different problem that we'll deal with in another issue.

Malware exploits the insecure environment to change and infect critical system files, read system settings, and use system resources to propagate itself. The various exploits are being found and taken advantage of at a much higher rate than when viruses were propagated only by physically inserting a floppy disk. The reason for this has to do with the synergies of the Internet and the age of the Information Revolution.

Today, a criminal cracker in one country might find a vulnerability in an obscure piece of a computer software package; e-mail the details to someone in another country; test it, publish a "root-kit" or "script" that can be used by a "script-kiddy" to create other similar attacks, and compromise several thousand or even millions of computers in a single day.

The information on how a particular system works and ideas on what things to look at might be discussed on an Internet Relay Chat (IRC) system with several "black-hats" listening in and commenting, all in real time yet from anywhere in the world.

Prior to the Internet, this type of gathering would have been done by using the phone system (phone phreaking, breaking the long distance system to get free calls) but most of the topics were in fact on how to deal with the phone company's computers because there were hardly any general purpose computers "out there". 

The creators of the floppy-propagated viruses used the UseNet News system in its early days, when it was sent from system to system by dial-up modem, so it might take all day for a message to get from Vancouver to New York, for example.

It is only the advent of large-scale purchase by business and the public of similar computers, coupled with the speed of discussion via the "always on" Internet and the speed with which the Internet can be used to spread malware, that has caused today's problem.

It might sound like it really takes quite a bit of work to make a virus or worm that can take over many computers automatically and get them to do the cracker's bidding. In fact, for many (most) of the systems that individuals and small businesses use, there really isn't much that has to be done to cause you grief; the computer you are sitting in front of actually has been programmed to make it easy, purposely!

All I can say is "It seemed like a good idea at the time" 

The most common desktop environment of the past 15+ years has been Microsoft's Windows of various flavours. One of the design goals appears to have been the recognition by the system of items received by the operator via e-mail (and later via a web browser) that could be "active", doing things like playing a sound (voice-mail), showing a picture or video (video-mail) or running a "cute" program that did various things on the desktop. All this was done with the objective of making the computing system "easier" and "more fun" - but it was also all done with only a benign or friendly local network in mind.

At the time that MS-DOS and its graphical user interface (GUI) Windows were originally created, the concept of hooking any PC up to a network that might have unknown or malicious people also hooked to it was simply not considered. The only network it would be hooked to was a Local Area Network (LAN) where all the other computing devices were known and under control of a small number of trusted people.

This all changed in early 1993 with the release of a piece of software that allowed the PC to hook up via telephone modem to the fledgling Internet. Even this would not necessarily have been all that problematic except that the Internet itself was also undergoing a change; from the captive, controlled, US Government funded network to a wide-open wild-wild West type of commercial, unregulated, ubiquitous connection facility for the world. It became possible for someone on another continent to directly talk to a PC on your desk. It also became possible for someone who was neither known by others to be honorable or friendly, nor bound by any acceptable usage contracts, to get access to the Internet in general to do pretty much as they pleased.

Much of even this problem might have been eliminated or at least mitigated if Microsoft had taken the move of abandoning the older DOS-based operating systems and programs completely and going with a completely different design that was not trying to be backwards compatible. The problem seems to be that they didn't want to lose the ongoing market - it would have been a tremendous change in the way things worked and would have caused a large hiccup in revenues. Windows NT and 2000 in fact have the makings of a much more secure computing environment, but the backwards compatibility and continued insistence on auto-magic program execution under insecure conditions simply didn't help.

Don't get me wrong, Microsoft was certainly not the only company with problems, they were simply the one that had the largest installed base and presented such an easy target that for a long time, nobody really bothered to go after anyone else. This is changing.

Today there is less "low hanging fruit"; easy pickings in the wired world.

The problem is that the pickers have now had the time to invent the equivalent of ladders and automated fruit pickers and they're now going after even the tough ones.

Today (mid July 2002) I saw an article that showed that the number of different attacks on Linux this year to date was already over 50% higher than the whole of last year; some 7900+ attacks to July compared to around 5000 for all of 2001. In the same article it noted that the attacks on Windows were down about 20% over last year - but didn't give a real number to compare. I expect the same thing to happen to the new Mac OS X since it is based on Unix as well. The point is that there are still a lot fewer Linux and other Unix systems than there are Windows systems, and it is still a lot easier to go after Windows; but it is getting harder.

Of course the other thing to note is that it is much harder to find a problem with Linux than it is with Windows. This is not obvious, since Linux is "open source" and Windows is proprietary. It would be logical to think that being able to read the source code for the whole system would make it much easier to find a problem than having to reverse engineer or simply play with an already running system.

It may look logically easier but it isn't. There are a couple of reasons for this: 

  1. Linux has a multi-layered security model at its base. The typical user is not able to run a program that can damage anything the user's account doesn't "own" on the system. This coupled with the convention of either not allowing or not encouraging the owner of a system to run normal programs as the "root" or super user makes the system quite a bit harder to subvert.
  2. The fact that the source code is available has meant that far more people than any single company could possibly employ have been looking at the code with the intention of eliminating security holes and bugs. This multitude of eyes has caught and fixed many bugs rapidly and efficiently. Because the source is available, many of those who find problems also propose and implement fixes.

On the other hand, a proprietary operating system (and there are far more than just Microsoft in this boat) has only the eyes of the few (or few hundred) or so directly involved with a particular part of it who are even allowed to see the source code, let alone fix a problem. In Microsoft's case the even worse concerns have turned out to be:

  1. Even in the newer (NT/2000/XP) multi-layered security Windows systems, the typical single user system is run as "administrator" and there are few, if any warnings that this is not a good idea. In fact, there are many programs put out by third parties that simply won't run except as administrator. Worse, some run as the "normal user" but manipulate the system to give that user administrator privileges without telling them or others what has been done! This shows that the conventions of the developers, encouraged or at least not discouraged by Microsoft, do not take into consideration security concerns.
  2. The source code for the various Windows systems is not available to any but a very tightly controlled small number of developers. The number of eyes looking for problems is small, and it is not possible for many who find them (by experiencing them on running systems) to fix them. In fact, until only recently Microsoft was very reticent about even admitting that security problems existed.
  3. The overall system design, whereby files of commands from unknown and untrusted remote systems are automatically and in some cases silently executed with effectively unlimited permission to do anything to the system.

So we know we have systems that are prone to malware attacks. What if we had systems that were flawless, ran only programs that came in a box from a recognized vendor, on CD-Rom, and ran all incoming attachments in a protected environment that could not be automatically subverted?

Well, now we get into the problem of the user, and protecting the system from things the user does that might be harmful in themselves, or that might compromise the security of the system in some fashion.

The next article deals with the security of the user.

richard
