Aftermath of MyDoom/Novarg

I went into work yesterday expecting to finish off some transition tasks for my departing boss and preparing to be the technology department. I ended up fighting a stupid virus the entire day. And it only infected one of my computers because she had opened up the attachment on Monday night before a fix was posted to my antivirus server.

Novarg or MyDoom, as it has lovingly been called in the mass media, is slowly going away. Yesterday, my server was spammed with about 50 messages/minute and today that has trickled down to about 5 per hour. But the ramifications are all too apparent.

This brings up two topics of particular interest. First, the nature of Internet security and how it exploits gullible users and, secondly, and perhaps more importantly, the reason why the virus was written in the first place.

John Dvorak suggested it before and I balked at the notion. But now, it's starting to seem like a better idea, at least in that funny theoretical Galois theory kind of way. Can't wa license computer users? Or, at the very least, in a work environment like here — can't I force people to take a computer driving test much in the same way one needs to get a drivers license at the DMV before one can operate machinery?

It will never happen in the all-too PC (that doesn't stand for personal computer, btb — think the other abbreviation) world of my work place. After all, wouldn't want to hurt other people's feelings by telling them that they're stupid and incompetent. But think about it. They're using my network. (Okay, they're using work's network — but I run it so it's mine — all mine!) Any stupid thing they do from downloading attachments, visiting porn sites, downloading crappy screen savers and freeware potentially could wreck havoc to my network. So why shouldn't they be forced to take a knowledge exam and be tested on that knowledge periodically? Kids in schools have to take an acceptable use policy and computer skills test before they can use the Internet. Why shouldn't my stupid mouse-trigger happy coworkers have to?

The second issue is SCO. If you haven't heard, SCO is a small Utah based company that basically went from $1 billion dollars in the early 90's to about $100 million now. In a last ditch effort to raise money, they began to analyze their owned code and found that they owned some UNIX code that was written at AT&T in the early 60's. As a result, they linked this code to code in Linux and decided that they wanted a piece of that open source pie. Being rebuffed at this they did the next best thing. They sued IBM for using this source code in Linux distributions and are now on the hunt (much like the RIAA) against Linux users. If the suit against IBM prevails, look for them going against end users.

Of course, the above has not gone above the ire of open source supporters. It's a weird day when IBM and HP are representing the rights of open source. (Although, as this Dvorak article suggests, it may actually behoove IBM to develop a Linux desktop if they want to compete in future years with Big M.)

First of all, from what I've read — the SCO thing seems really frivolous. I'm more inclined to believed Linus Torvalis then some failing company in Utah that is about to go under and has a chip on their shoulder against IBM to begin with. Further discrediting SCO is the fact that they will not reveal what code is proprietary. The Linux community has repeatedly said that they will remove whatever code is in question. SCO wants none of this. And of course they don't. They want the money that a sudden influx of Linux "licenses" would give them. Google itself runs 10,000 Linux machines in a cluster. I think it will easily be proved in court that SCO claims are worthless and, at least in this case, my eyes are glowing at the prospect of IBM's lawyers ripping SCO a new one in court.

But my main concern is the virus. The writer of MyDoom's goal was to take down SCO's web site with a massive denial of service attack that would (and still might) run from February 1 - 12th. This article in Wired describes the virus' intent.

The attack was stupid. Yes, SCO is engaging in chicanery — but why stoop to their level? As a Slashdot writer succinctly puts it:

"This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero. Well, you stupid ignorant bastard, if you're reading this -- and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers -- no one admires you.

Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware."

It looks like the battle ground of this century will be in the imaginary digital world. With the sensitive nature of electronic missives and transmissions, hacking a network will soon become more popular (and let's face it more lucrative) then cracking a safe in a bank. Advocacy groups could easily use virus technology to annoy the heck out of users. Imagine PETA putting a picture of a bovine with a brain disease on your desktop. (And don't think they won't.) It can all be done thanks to the lack of security in modern operating systems (I'm looking at you, Bill). Let's hope that the people running these causes advocate in traditional forums rather than engaging in the stupid actions of this open source nut.