PGTS PGTS Pty. Ltd.   ACN: 007 008 568               Mobile Version Coming Soon

point Site Navigation







Valid HTML 4.01!






   Brilliant XED lighting!
   Australian XED Lighting

   AXL

   Australia/NZ Distributor of
   Reming XED Lighting Products





My Computer Is On Drugs - Help!

By Gerry Patterson

The phrase Microsoft Security could be considered an oxymoron.

Security? What security?

Much of the problems with Microsoft security stem from the companies obsession with market strategy. Microsoft has concentrated attention on how their product is positioned and how it will inter-relate with other products, but the company often neglected security because the requirements conflicted with user friendliness.


Your Computer is on drugs! Click anything for Rehab.

Beware of programmers carrying screwdrivers!

-- Old Engineers' Proverb.

Now I'm going to divulge a little secret. But please don't broadcast it, ok? A few decades ago, I actually worked in PC support! I hate hardware problems, so when I found myself dealing with an increasing number of hardware problems, I contrived to delegate the hardware problems. This was on the grounds of: "If you don't like a particular job, don't get good at it!". On the other hand a savage downsizing initiative had meant that it was beginning to look as if I would be the only one left to do the work.

And so I found myself contemplating some very green lawns in front of a jungle of pipes and cylinders as I sat at a computer screen. What I could see was the labyrinthine machinery of chemical manufacturing. Sunlight slanted through the half-open venetian blinds in my office in the western suburbs of Melbourne. I left the blinds open because the sunlight helped keep me awake. I was struggling to keep my eyes open as I filled out a mind-numbing report to management on my activities to date.

George, the sole remaining member of the PC support group to whom I could delegate hardware support, entered my office, leaned against the door jam, crossed his arms and announced,

"Well, that's it ... we're all stoned."
I looked at him quizzically, and raised one eyebrow. Had he completely lost his mind?
"Yep, we're all stoned ... on marijuana."

He lounged against the door with a silly smirk on his face. "Not bloody likely!", I replied. Ok, the sixties and seventies were wild times and some punters had inhaled a little deeper than Bill Clinton in those smoke-filled rooms. But those days were long gone. So I set out to investigate the source of this mind-altering disturbance. I decided to leave the screwdriver in the filing-cabinet since George assured me I would not need it.

We took a short cut through the fire exit out past the over-watered lawns. The dense green luxuriance helped high-light some footprints made by an unknown worker from the glyphosate plant. Trace amounts of the well known herbicide on the soles of his boots would ensure that the unknown walker's size ten prints would remain on the lawn as a monument to the power of chemicals to alter our biosphere. We ended up inside the labrynth of pipes that surrounded my office, talking to one of the foremen, our heads bent close to one another as we shouted to be heard above the constant rumble of machinery. After a brief confabulation, we crowded into a room that was so tiny it could hold barely one person, let alone all three of us.

Connected to some monitoring equipment was an IBM XT which had seen better days. The machine was covered with a layer of dust so thick that it almost undergone a colour change. Normally this machine was concerned with the chemicals that came out of the styrene plant. Now however, it was being used to proselytise for an entirely different chemical. The green screen contained only these words:

This computer is stoned. Legalise marijuana!

I had already heard about the infamous marijuana virus. This was the first time that I had encountered one however. I removed the virus from the hard disk and took the floppy disk that was in the drive back to my office. There I reverse assembled the boot portion of the disk. I don't have a copy of that code anymore but it was remarkably simple. Whenever the computer was switched on or rebooted the program would be the first thing that the computer ran after the BIOS checks. It would stay in memory and wait until a disk access was performed. Whenever it was it would place a copy copy of itself on the disk. If the computer had a fixed disk it also inserted a copy of itself in the Master Boot Record. I have forgotten the mechanism that was used to determine whether the message would be displayed. But the result was that the stoned message would be displayed on about twenty-five per cent of reboots At this point I should digress and consider the prehistory of computing. Back in the cretaceous, when computing dinosaurs ruled the world, they used to be built from very expensive components. This meant that computer resources were very expensive. These resources were CPU time which was the amount of time that the computer spent thinking about a process, mass storage, which was often some form of magnetic storage and printing resources. Most computing centres kept a record of how much of these resources each user consumed and billed them accordingly. The bill may not have been invoiced and often served as a record for various departments that the computing centre served. Whether or not they were actually billed, Computer Operating Systems were usually constructed to share these expensive resources amongst many users and to record how much they used.

Then there was the IBM PC, which wasn't actually an IBM product. It was a Microsoft-Intel PC. But the IBM badge gave the machine credibility with the business sector. The machines were built from components that were comparatively cheap, although they would seem ludicrously over-priced by today's standards, they were cheaper then the older mainframes by orders of magnitude. And it soon became appararent that they had computing power that was far in excess of the of the mainframes when measured as bang per buck. The key to this affordability was mass-production. Large numbers of IBM PCs meant a lower per-unit cost. Soon the number of IBM PCs became vast.

And they were almost identical.

This is to say the machines all used similar hardware, architecture and startup firmware. This firmware was known as the Basic Input Output System (BIOS). The software was also largely identical. The Operating system, PC-DOS, had been supplied by Microsoft and each release was shipped as an identical binary. This was only possible because the machines were identical. Prior to this Operating systems would often need to be compiled or tailored for each installation. Now the operating system was pre-compiled, which saved time, space and, of most interest to burgeoning software corporations, kept the source code secure. The distribution model that resulted allowed the same economies of scale to apply to Operating System software. Herein lay the great strength of the PC. This overall cost-effectiveness fueled the PC revolution.

It was also a great weakness. It presented a security hole big enough to drive a bus through.

The PC devoted all those previously expensive resources to a single user. The system owner, the system manager, the application manager, the systems programmer, the database manager, the operations manager, the operations staff and the user community were now all the same person. One bum on one seat in front of one screen. The designers of the original PC realised this and they assumed that there was no need for security. After all it was unlikely that a system owner would cheat on himself or attack himself. And the designers of the original operating system made a similar assumption.

When the system was switched on the first task executed by the CPU was the BIOS program. This went through a series of preliminary checks and, having established which storage devices were connected to the computer, started searching those devices. The first device (called device zero), was the floppy disk. Then device number two (the fixed disk) was searched. If something was found, it loaded it and executed it. And this is the important part. The BIOS program would pass control to anything residing in the boot sector of a floppy disk or the master boot record of the fixed disk. For those of you who still remember floppy disks, the following message will be familiar:

Non system disk or disk error, replace and strike any key ...

This message was probably responsible for the destruction of many keyboards. On reflection it probably would have been preferable to have written something like gently press any key ... rather than strike any key ... Many computer users took this message to heart and hammered the living daylights out of their hapless keyboard whenever it appeared! However, the message had not been put there to encourage the manufacture of new keyboards, it appeared because it had been displayed by a small program embedded in the boot sector of the floppy disk. The format procedure for floppy disks has changed very little and the program is still put there by processes which prepare the disk for writing. As far as programs go, the little program is extremely simple. It merely prints the message and halts. This is because the BIOS program has its' usual checks and passes control to whatever it finds in the boot sector. The stoned virus replaced this program with its' own version. The new version still printed out the message ... but it did not halt. The program remained resident. So when a user stuck out at the keyboard, in search of the any key, there was an uninvited hidden guest in the system ... no matter how forceably the long-suffering keyboard was struck.

The famous "Stoned virus" was the precursor of many other programs that also came to be known by the misnomer of virus. The reason for the name was the mechanism by which these mischevious programs propagated. The offending program would attach a copy of itself to a location that would enable it to run again. This was supposedly similar to the way that a biological virus would propagate. Although in nature the elegance and adaptability of a real virus far surpasses anything that has ever been written for computers.

In the case of the boot partition virus the program would attach copies of itself to the boot sector of a floppy disk. Other programs might attach copy of themselves to executables that had names ending in .EXE or .COM. The weakness that a so-called virus would exploit would be due to the single machine and single owner architecture of the PC. The MS-DOS operating system gave complete ownership of the machine to any program that was executing. This is quite reasonable given that it was intended to run only one program for one user. So a program that was running on a PC could do virtually anything it wished. Other operating systems that were intended for many users would place limits based who owned the program. Each user had rights (or privileges) which enabled them to access certain computing resources. But an MS-DOS program had no restrictions. Except of course the physical limit of crashing (and hence coming to a halt).

The wave of "viruses" which followed in the late eighties spawned a new industry. The so called "innoculation" programs. In keeping with the undeserved misnomer of "virus", these all adopted medical terminology that would have been more appropriate for the arena of public health. Computers that had run one of the malicious programs were said to be "infected" and the anti-virus software would "innoculate" your machine. Since the programs that caused such mischief were exact copies of an original, all the anti-virus software did was look for a "virus-signature", which was a chunk of sufficient length to uniquely identify it as part of the virus.

Microsoft had given the world a new industry. The anti-virus industry for computers. And it was an industry that would keep many software developers employed for years to come.


Connecting ... Your computer is now connected!

This is all very well when the PC sits in a corner with a printer attached to a parallel port and perhaps some serial input devices. Before long the PC was put to many other uses. One of the more common uses was as a so-called dumb terminal. In this role, the PC usually served a dual purpose, pretending to be a terminal connected to an internal network, while offering many of the processing capabilities which made it attractive as a terminal. It soon became possible to link PCs together into networks. At first this growth was almost invisible to the corporate data centres.

And there was the Internet.

After the widespread adoption of the Internet it was possible to disseminate mischevious software much more rapidly than when executables had to be physically transported on floppy disks.

Within the space of a few years, the PC could be connected to huge numbers of other computers and there was a dramatic evolution in networking technology and computer component manufacturing, especially chip manufacturing. The basic structure of the Microsoft operating system and the firmware of the PC did not change all that much. Close examination of the Microsoft-Intel platform reveals many remnants of the past structure. Rather than undergo a dramatic structural change which might jeopardise the Microsoft-Intel market position, the platform has, in effect, put on new clothes. This consists of many layers of cumbersome garments and an extremely thick and shiny lacquer of marketing and hype. Strip these many layers away however, and much remains of the original Microsoft-Wintel product. The approach that Microsoft took to security was to add the user management components as one of these many layers.

This meant that security was an after thought. This may have worked had Microsoft been committed to the idea of security. However the primary focus of the corporation was consolidating and maintaining market share. This meant that the software had to be User Friendly. This term grew into accepted parlance in the late eighties. Many MacIntosh enthusiasists claim the word as their own. Microsoft adopted it, in order to differentiate themselves from IBM. The inference to consumers was that the mainframe and the mid-range machines were User Unfriendly. Much of this unfriendliness was security related. The insistence on logins and passwords, the constant requirement to remember and change passwords. Procedures performed on these large enterprise systems kept running up against security related barriers. Although it is true that the user interface seemed cumbersome and security appeared to be considerable burden, much of it was necessary. Most PC users would gain a little wisdom as they interacted with their machine, and with this came the realisation that there were certain commands like "fdisk" and "format c:" that they would be well advised to leave for more knowledgeable or experienced users. In the case of mainframe however, one could only imagine the pandemonium that would ensue if any user could run the equivalent of "format c:" on a corporate enterprise database used by thousands of users world-wide.

Security and "friendliness" are mutually exclusive. The user-friendly approach which was successfully promoted by Apple and then adopted so enthusiastically by Microsoft assumes that each individual is working on data that is important to his or her own endeavours. Once a group of people start working on data which becomes important to the group or the corporation, the issue of security increases geometrically with the size of the group. The problem for the user-friendly approach is that recent trends in computing have tended towards sharing of data and consolidation of databases. Whereas the low-security user friendly mindset remains appropriate for the stand-alone PC of the eighties.


Strategic Software

Microsoft has always regarded market strategy as one of the most important components of their enterprise. These days they don't refer to their products as strategic. The strategy has become one of the most contentious elements of their corporate behaviour. Although they don't use the word anymore, they have consistently promoted software which aids the corporation in the process of locking users into continued use of all their products whilst locking competitors out. There are many examples of strategic decisions that would have conflicted with security concerns. However for Microsoft there has been no conflict. The Microsoft strategy takes precedence. Some examples of strategic decisions which impact on security are:


The Microsoft Outlook: Smart Software For Dumb Users

Microsoft Outlook has became the single biggest threat to computer security that the world had ever seen. The most remarkable practical demonstration of the extent of this threat was the extraordinary "ILOVEYOU" trojan horse. Ok everyone called it a "virus" so I will keep with the established nomenclature. The most troubling thing about this program was the ease and rapidity of its' dissemination. As the dawn rays of the sun swept around the globe so did the "ILOVEYOU" virus, as office workers around the world clicked on their morning inboxes. Fortunately the program, was nothing more than a harmless little jape written in visual basic with an appealing subject. After all everyone wants to be loved. And what better e-mail could one discover first thing in the morning than a message from a secret admirer? Had the "ILOVEYOU" script been armed with a deadly "payload" or been part of a suite of malicious batches, the PC community could have been bleeding from every Microsoft orifice on that May morning in 2000.

The principal (only?) argument in favour of the Microsoft outlook was to make life easier for users. Why should users have to learn about files, file types and applications? Why should they have to know what a file is? What a program is? After all many users found these concepts difficult to comprehend! Why not let them just click on something? Why not leave the hard stuff about files and file types up to the brains' trust in Redmond? The problem was that those users who found such concepts difficult were precisely the users who should not be clicking on things!

If the same approach were taken with heavy machinery or motor vehicles it would be a recipe for disaster. No sane person would challenge the convention that drivers should have to understand and recognise common controls like the steering wheel and brake pedal. No one would ask why should motorists learn to drive? Why should they learn about road rules? The prospect of handing over complete and unsupervised control of a half tonne of rapidly moving metal and rubber to a novice without any preliminary training would be alarming to say the least. Software just doesn't have the same mass or momentum as motor vehicles ... so we don't need the same stringent safeguards ... right?

With an impressive marketing campaign, firms like Microsoft have convinced many consumers that a smart terminal could and should be used by dumb users. User don't have to know or learn anything about what's happening under the floorboards, because all the intelligence is inside the computer. Not only has the public been persuaded that this is a desirable state of affairs, but that furthermore it is actually achievable. The lamentable state of personal computing security is largely due to the deliberately dumbed-down approach to user interfaces. The dumbing-down of the interface is in effect treating users as if they are too stupid to do simple tasks like decide where to save an attachment that is sent as part of an e-mail, or what type of application might be used to open the attachment. According to this school of thought a general user would be incapable of a preliminary investigation of the attachment to see if it is what it purports to be. Such an approach over-rates the intelligence of Microsoft software as much as it under-rates the intelligence of their customers. Some Microsoft users are reasonably intelligent people. There may even be several genuine rocket scientists amongst them. If they are smart enough to learn how to drive motor vehicles, fly airplanes, perform brain surgery, cook meals etc, they could easily be taught about the concepts of files, data storage and application software.

If Microsoft was attempting to integrate all their applications out of a genuine concern for their customers, it might be possible to forgive the occasional lapses in security. However the primary reason for integration has been too lock customers in. The user friendliness is a sugar coated pill designed to paralyse the unwary user and ensnare them forever in the dumbed-down Microsoft user interface. Rather than occasional lapses, Microsoft seems to have shown a complete disregard for security implications. And most of these problems have arisen because of strategic concerns. Like good boy scouts the Redmond lads offer to help confused users across dangerous intersections. But not all the way across ... The unfortunate partially sighted user winds up stranded on a traffic island in the middle of the highway! A permanent prisoner of the boy scouts from Redmond! Unfortunately the only escape route for them is self-help. They must learn how to see the traffic. And how to safely cross roads by themselves.

The boy scouts from Redmond will be doing their best to prevent their customer base from smartening up. If users get smart, they will stop purchasing Microsoft products.


BIBLIOGRAPHY:

DOE-CIAC An Old DOE bulletin about the infamous Kiwi export, "The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers", is sadly no longer available. The webpage that was displayed on their site had all the flavour of antiquity appropriate for the subject matter.

Richard Forno At the time of writing there was a classic white paper on the dangers posed by Microsoft, available on the Info Warrior website, with the title: Microsoft: A Proven Danger to National Security. It no longer seems to be available at it's former URL. Even though it was written 2002, much of it would still be relevant today.

Richard Forno Forget California, it's time to recall Microsoft Since this was first written, the "Blaster" fiasco has given further entertainment. This article by Richard Forno is still available. It is proof yet again that the word "Microsoft security" is indeed an oxymoron. As it turns out, the "Blaster" worm was yet another warning shot. Yet another silly little prank. We can only wonder, how long it will be before one of these programs is truly armed and dangerous rather than a puerile and innocuous bit of mischief?