Fog Creek Software
Discussion Board




Nuclear Power Plant Slammed by Worm

"The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall" -- http://www.securityfocus.com/news/6767

This doesn't bode well. So when the next worm causes a meltdown that radiates a six-state area, would you folks support the death penalty for the worm writer? I would. Pretty clear that if you maliciously and intentionally engage in activities that result in a nuclear meltdown, you are a terrorist.

Is it time to implement some sort of UN or NSA administered global network activity monitoring network to track down worm terrorists?

I used to be against requiring unique identifiers on all computers, but now I think it's necessary. It should be made illegal to anonymously use a computer -- all computer use and compiling activity absolutely must be monitored.

Tony Chang
Thursday, August 21, 2003

>Is it time to implement some sort of UN or NSA
>administered global network activity monitoring
>network to track down worm terrorists?

Yes Mr. World Police sir, have NSA ship worm writers to Guantanamo, and keep them there without proper trial.

This is what is so wonderful with this war on terrorists; you get to pick whoever you don't like, and call them terrorists. They don't have to be terrorists even, alleged terrorism is good enough and then you can go fight them. Not my idea of a state with a working justice system.

Please.

Anonymous
Thursday, August 21, 2003

I wonder what would happen to the manufacturers of a security system that could be so easily picked, exploited and used by terrorists.

Bill Gates "a certain amount of collateral damage is unavoidable"

(no not a real quote)

Simon Lucy
Thursday, August 21, 2003

It seems like you might attribute culpability to a number of people and organizations here. Microsoft, sys-admins, worm-writers, legislative bodies etc. Choosing an easy, anonymous, obvious target to blame doesn't help anyone to prevent this happening again. Fining Microsoft might help. Sacking sys-admins might help. Criticizing Congress might help. But hang the writer? There'll be another one along to replace him.
Anyway, I've heard it argued that this worm did the world a service in that it was so benign - it was more of an inoculation than a weapon.

Knowledge maker
Thursday, August 21, 2003

"I wonder what would happen to the manufacturers of a security system that could be so easily picked, exploited and used by terrorists."

Yeah, yeah - blame the victim! That's how it is on these things.

"Al Qaeda is not to blame for 911. It is Bush's fault because he did not have enough airport security. When they saw the opportunity, Al Qaeda simply could not help themselves and should not be held responsible."

"The arsonists are not to blame for pouring gasoline over the house and setting it on fire. The homeowner should have had a security guard and should not have built his house out of flammable materials. Building an unguarded wooden house in an area with pyromaniacs represented too great a temptation and the pyromaniacs can not be held responsible for their actions. "

"The 11 year old girl was just asking to get raped because she was wearing revealing clothing and the pedophile just couldn't help himself."

"The worm writers who caused the meltdown can not be held to blame. The worm they wrote practically wrote itself and they had no control over themselves."

Delightful.

Tony Chang
Thursday, August 21, 2003

"Fining Microsoft might help"

Yes, and let's put the 11 year old girl who was raped and beaten in jail as well!

I'm sorry, but are you saying that Bill Gates wrote the worm? Cause if you're not, you have some weird (read: dumbass) ideas about culpability.

Tony Chang
Thursday, August 21, 2003

"Anyway, I've heard it argued that this worm did the world a service in that it was so benign - it was more of an inoculation than a weapon."

You are talking about the pedophile now? "An inoculation" for the poor little girl? Don't tell me, you belong to NAMBLA or the LOLITA society?

Tony Chang
Thursday, August 21, 2003

Tony,

Troll.

>It is Bush's fault because he did not have enough airport
>security.

Your middle name isn't Clueful is it?

Anonymous
Thursday, August 21, 2003

I don't think anyone has suggested that the worm-writer doesn't have some culpability in this matter. If you prefer to imagine that everyone is saying that so that you've got a bigger target to aim at with your argument, knock yourself out....no actually, knock yourself out.

Put the worm-writer on trial and punish him. It might even have a deterrent effect....but what will actually be useful, as opposed to quenching vengeance, will be finding out what can be done to make sure it doesn't happen again. For that, look towards Microsoft and tighter regulation.

Knowledge maker
Thursday, August 21, 2003

"It should be made illegal to anonymously use a computer -- all computer use and compiling activity absolutely must be monitored."

dear god.  what's scariest about this comment is that I have very little doubt that many authorities would agree with it 100%

It's actually an interesting test of how much Americans love freedom.
See, there's a tradeoff, societies can exchange privacy and freedom for security.
The trade can be made as often as you like.

But history has shown it is almost impossible to go the other way without a huge amount of trouble and battle.

The _really_ interesting thing is that Americans appear to have forgotten that they originally based their society on the idea that one was more important than the other.
And now, as soon as they feel even a little threatened, suddenly they will make any exchange just to feel safe again.
(here's a tip:  the world has _always_ been a dangerous place)

I have a strong fear that the spirit of freedom is departing from American shores and will soon be found elsewhere.

anonymous american
Thursday, August 21, 2003

Tony,

You make excellent and valid points. You have changed my mind entirely on the matter. I am lucky this time only to be branded a pedophile by you, and obviously it is kind of you not to have charged me with being unpatriotic, unamerican or even a terrorist myself.

Knowledge maker
Thursday, August 21, 2003

I'm surprised that this hasn't been mentioned before, but why on earth is a nuclear power plant connected to the Internet?

Frederik Slijkerman
Thursday, August 21, 2003

I think we should ban windows in mission critical environments because it makes people stupid.  "Oh, yea.  I think it would be a good idea to connect our internal network to the web."  "Great, I second the motion.  Microsoft is strong on security you know."

Dipshits dipshits dipshits

Hanta
Thursday, August 21, 2003

You don't ban Windows, you build intelligently redundant systems. Read the thread regarding monoculture - a few people make the point that it's really expensive to run heterogeneous systems. Yep, but there are some places where it is worth the cost, and this is one of them.

Any mission-critical system like this should be running in parallel on Windows and Unix. Yes it costs more, but imagine the safety factor - whenever the systems don't agree, you get an alert.  You can patch the systems at will, since you always have an online backup.

And how come nobody else pointed out that the system was down for FIVE HOURS? Is there any excuse for that?

Philo

Philo
Thursday, August 21, 2003

Tony,

>> I used to be against requiring unique identifiers on all computers, but now I think it's necessary. It should be made illegal to anonymously use a computer -- all computer use and compiling activity absolutely must be monitored. <<

People who are willing to rely on the government to keep them safe are pretty much standing on Darwin's mat, pounding on the door and screaming "Take me, take me!".

Mark
----
Author of "Comprehensive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128

Mark Pearce
Thursday, August 21, 2003

First off, blaming /anyone/ other than the worm writer is just ridiculous. It is like a digital twinkie defense.

Second, not punishing the author because "someone will just replace him" might be the most inane response to a crime I have ever heard. I guess we should stop locking up any criminal because there will always be more?

Frankly, it is already illegal to do what this programmer did. He committed a slew of crimes the second he released the worm. There is no need to make new laws for this.

And as for banning windows because it makes people dumb, demanding more regulations, suing Microsoft, or any other radical right or left-wing response; go pound sand please. The /last/ thing we need is you folks mucking up our system even more than you already have. Zealot ideologues going into a tizzy will cause more harm than the worm itself.

And I second the question as to why this place was on-line in the first place.

Marc
Thursday, August 21, 2003

Maybe they were not online, but they allowed Homer and his pals to plug in a computer from home so they could all share some divx over the LAN.

Duh!

Just me (Sir to you)
Thursday, August 21, 2003

philo, this power station did have two systems.  But it wasn't windows / unix; it was windows / analog.  Analog survived the worm.

i like i
Thursday, August 21, 2003

Frederik:

"I'm surprised that this hasn't been mentioned before, but why on earth is a nuclear power plant connected to the Internet?"

Probably three possibilities:

* the people who made that decision didn't know jack about internet security
* they took the advice of a sysadmin whom they thought was competent, and clearly wasn't
* someone commented out a line of code

Joe Grossberg
Thursday, August 21, 2003

Probably three possibilities:

* the people who made that decision didn't know jack about internet security
* they took the advice of a sysadmin whom they thought was competent, and clearly wasn't
/* someone commented out a line of code  */

Nope, don't see the answer here...

Philo

Philo
Thursday, August 21, 2003

Come on people. This incident was caused by a contractor bridging a completely open unsecured network into the plant network bypassing the firewall. The systems were never patched, possibly because the operators thought that by blocking the worm at the firewall they were safe.
This has nothing to do with it being a Microsoft system. If it had been Linux they might have been infected by Slapper or whatever in exactly the same way.

Just me (Sir to you)
Thursday, August 21, 2003

"This has nothing to do with it being a Microsoft system. If it had been Linux they might have been infected by Slapper or whatever in exactly the same way."

Well maybe it does have something to do with it.  There are thousands of times more viruses that target windows than any other platform.  Probably due to installed base size and that windows is easier to exploit etc.  If you run ANYTHING besides windows you are automatically less likely to get infected or compromised because there are less exploits that target you.

Kind of like how a red sports car attracts more attention from the police than the wood panel station wagon.

Think about it.
Thursday, August 21, 2003

So are you saying it is OK to plug your nuclear power plant network unprotected into the open Internet as long as you do not run Windows?

Just me (Sir to you)
Thursday, August 21, 2003

"If you run ANYTHING besides windows you are automatically less likely to get infected or compromised because there are less exploits that target you."

There is no doubt that Microsoft needs to take some huge strides in improving the security of their apps -- If not in actually eliminating buffer overruns and security loopholes, then at the very LEAST by turning off every unnecessary service on the machine. It is disturbing to do a netstat -a -n to find a whole slew of listening ports for various services, and disabling those services breaks parts of your system because it insists upon talking to itself via public IP addresses rather than the loopback device. I can see no reason, whatsoever, why Joe Schmo running a standalone PC to access the net has anything listening other than UDP port 53 for DNS. Software firewalls can't be the answer because often they're like an overly sensitive smoke detector near your kitchen: You end up pulling the battery out rather than fighting with it every time you toast a bagel.

Having said that, I personally have never had one of my machines exploited (my home network has 3 machines, and I've been responsible for a number of customer facing machines). For comparison, a UNIX advocate friend, who also is a brilliant developer, has had his Linux machine wiped out _3_times_--DNS exploit, wftpd exploit, and something else which I can't remember now.

Dennis Forbes
Thursday, August 21, 2003

Just a note re: whether punishing software vendors would do any good - it has done good in the automobile industry. Correct me if I'm wrong (not living in the U.S and hardly being old enough to remember this myself) -

But didn't Ralph Nader get his fame by assigning to the manufacturers (through the courts) responsibility for car safety - responsibility which they were knowingly neglecting because it was considered "unprofitable"?

The terrorist/pedophile analogy for the virus writer is flawed. A better analogy would be (if we proceed with this industry analogy) for a crazy punk that spills oil on the road in order to get an accident to happen. He did wrong and should be severely punished, but the fact that every car as a result also spills its own oils causing the effect to avalanche to millions of cars is, at least in part, a responsibility of the car maker. Don't you agree?

Ori Berger
Thursday, August 21, 2003

Let's get even more absurd.

Say I, as an avant-garde artist create a work of outdoor sculpture consisting of 1000 carefully arranged $1 bills on a folding table and display it on my front lawn. I do not hire a security guard, put up a fence, or even a "Do not touch" sign.

When I awake the next morning and find myself $1000 poorer, who is at fault? Well _logically_ it must be the thief (and trespasser), since both activities are illegal.

On the other hand, _reasonably_, I should not expect to leave small objects of significant value unguarded in plain sight. But isn't that the same as blaming the victim? Maybe.

Common sense indicates that there are certain precautions individuals should take to protect items of value. I don't walk through dark alleys in NYC at night counting $100 bills.

The virus writers are bad men and should be punished. Many people are also negligent in their duty to mitigate their risk of exposure when they have significant value relying on the security and availability of their systems. These are not mutually exclusive.

Devil's Advocate
Thursday, August 21, 2003

DA - have you *read* the Slammer exploit? It's not exactly "walk in and steal the jewels" - it's *hard*.

Consider that the exploit has existed for at least four years until anyone attacked it - doesn't sound like leaving the front door open to me.

And again - it's not just MS. EVERY OS releases patches for security vulnerabilities every year.

Heh - just thought of this. Isn't open source MORE vulnerable, since someone has to find the vulnerability, and you have to hope a patcher finds it before a virus writer? To find a vulnerability on Windows, you're working with chopsticks through a keyhole - guessing until you find something that works.

Also of note - in both worms this year, the retort was "the patch has been available for a month." Odd that each worm came out four weeks after the vulnerability was revealed. I'll bet you a case of beer that both virus writers are subscribed to the Windows security bulletins. A patch for a promising exploit comes out, they get to work analyzing it and coding away, knowing that nobody's going to patch their systems.

To that end, I don't blame anyone but the sysadmins. Microsoft did everything exactly as prescribed - found a vulnerability, patched it, sent out the security alert. Anyone who didn't patch their system before the virus writers were done is at fault.

And the lesson is - subscribe to the bulletins and patch quickly, because they'll do it again.

Philo

Philo
Thursday, August 21, 2003

Philo -

I don't recall mentioning Windows or Slammer specifically. Security principles are platform agnostic. If you _really_ depend on something, you should pay the money to independently verify that it lives up to its claims. Without this kind of due diligence, you'd better have a good insurance policy.

Furthermore, we don't know that this is the first exploit of the vulnerability, only the first bandwidth-abusing variant that made everyone take notice.

Devil's Advocate
Thursday, August 21, 2003

Ori, your car example is flawed also.  To better fit this case, you would have to say that the car's oil leaking was a known flaw in the design, and the manufacturer had issued a recall to fix, free of charge, everyone's car.  In that case (as in this one), the manufacturer is all but absolved of blame, because they practiced due diligence in attempting to correct the problem before it caused harm.

It would be totally different if MS had sat on this or tried to cover it up.  But they responded exactly as security experts have been urging them to.  Once the exploit was discovered they issued a patch and sent out a security notice.  If someone failed to patch their system, it is no different than someone failing to abide by a recall alert on their car, which then fails in the manner specified by the recall.

Mike McNertney
Thursday, August 21, 2003

Terrorism: "The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons."

hmmm ...
unlawful - check
use of force or violence - nope
threatened use of same - nope
intention to intimidate or coerce - nope
reasons - unknown

Intent is critical, Tony. If the scenario you propose (the six-state meltdown) had occurred, there's probably not sufficient intent to qualify for terrorism or murder. It would probably be manslaughter.

And let me go a bit off-topic: I am so sick of the way you and others exploit 9/11 to further their own agenda. Everything we don't like is terrorism. Every country we don't like (or want to own) could house Bin Laden.

When will we go back to standing for freedom? George Washington is rolling in his grave.

Zahid
Thursday, August 21, 2003

"To that end, I don't blame anyone but the sysadmins. Microsoft did everything exactly as prescribed - found a vulnerability, patched it, sent out the security alert."

IIRC, didn't the patch that fixed Slammer break a previous patch, or something like that? Fuzzy on the order, but pretty clear on the memory. [a little googling later] Yup, lookee here: http://www.astreet.com/article.php?sid=229

"The reason many system administrators did not install a patch for the problem that Microsoft released in July was because that patch "broke" many SQL applications and Microsoft refused to fix it properly. It was only after a new version of the original patch was released after the worm attack that systems could be  effectively patched."

http://www.google.com/search?q=slammer+patch+broke

(Ha: from a security focus article, 7/28/03: "There is still time for a RPC Slammer.")

In general, I blame lazy admins. In this case, I blame MS. OTOH, who has all these services facing the Internet in the first place? And why do people keep saying "Close port XYZ!" No, no, NO! *All* ports should be closed; you *open* ports on your firewall. My firewall at home allows 22 and 80. Period.

brian
Friday, August 22, 2003

The whole "full disclosure" thing is flawed beyond belief.
Why would the exploit writer do the hard work? Studies such as http://www.rtfm.com/upgrade.pdf show that a blackhat can just sit around and wait for the vulnerability to be announced, and even after a mad scramble by the vendor and a patch release, he can take all the time he wants since this will only diminish his potential victim list by one third.

I believe we can assume all the "security research" firms know this very well, but they do not care one bit since
a) publicly announcing a vulnerability is publicity
b) the demand for their services grows as more vulnerabilities are exploited.

Just me (Sir to you)
Friday, August 22, 2003

"The reason many system administrators did not install a patch for the problem that Microsoft released in July was because that patch "broke" many SQL applications and Microsoft refused to fix it properly. It was only after a new version of the original patch was released after the worm attack that systems could be  effectively patched."

Exactly.  Microsoft patches are Russian roulette.  Until this changes there will be MANY unpatched servers, and with the desktop users they will almost always be unpatched.

Microsoft - Unsafe at any speed.
Friday, August 22, 2003

Quoting a blurb out of AStreet, a /. wannabe Linux advocacy site, a second time does not give it any more credibility. Trying to give the quote more credibility by trying to hide its blatant bias behind a Google search does not help either.

Just me (Sir to you)
Friday, August 22, 2003

>use of force or violence - nope

Releasing a worm that results in a nuclear meltdown is certainly a violent act. Saying it's not is like saying that pulling some knobs and levers causing a dam to drain, drowning a valley's worth of villages is not violent because there is nothing inherently violent about pulling levers. Likewise, one could say that launching missiles against a target is not violent because pushing a launch button is innocuous. If the result of your intentional nefarious action is deaths or sickness, then your intentional nefarious action is violent. Not all violence involves hand to hand combat with sharp sticks.
 
>threatened use of same - nope

So by your reasoning, 911 was not terrorism because we didn't get advance warning.

>intention to intimidate or coerce - nope

What world are you living in? Of course the intention of worm writers is to intimidate.

>political or ideological reasons - unknown

Many virus and worm terrorists do do it for political and ideological reasons -- check out their message boards to hear some of the many reasons.

Tony Chang
Friday, August 22, 2003

You need to spend more time reading, Tony, and less time venting. I didn't say causing the meltdown was not a violent act; I said that intent was key. If the writer did not foresee the meltdown, whether through short-sightedness or stupidity, they didn't have the intent to do it.

Moreover, I'm glad to live in a country where you can't prove someone's intent via arguments like "of course his intention was to intimidate" or "he must have had a political agenda because these other people, completely unaffiliated with him, posted their agenda on a message board". You might look up the word "intent".

But first you might sharpen your definition-reading skills. The definition I posted said "use *OR* threatened use of force" (emphasis mine). So your ludicrous analogy about 9/11 fails, since that act involved the use of force regardless of advance warning or the lack thereof.

Zahid
Friday, August 22, 2003
