The Rants, Raves, Gripes, and Prophecies of Paul R. Potts
Contents by Category
Contents by Date
I came into work today and started checking my e-mail. The MacOS X Mail client began downloading messages. It is still doing so. I had almost 200 new messages (on a typical day, including mailing list traffic, I might normally have 50 brief text-only messages which download quite rapidly). My mailer has been synchronizing for over an hour, and more mail seems to be pouring in, almost faster than it can be downloaded.
But the big fun is that most of them are garbage generated by worms and viruses running on Windows systems. The messages are coming in bursts, but during some of the bursts I'm getting one or more message per minute. And it has been going on around the clock. So far, I've received almost 170 copies of Microsoft worms.
I'm glad to see that Microsoft's Secure Computing Initiative is showing positive results.
This is having real consequences: I've got real content I've got to get at in my mail: some code built by a contractor I'm supervising, messages from another development team which I can't get to, and messages on developer mailing lists that may have solutions to some of the latest difficulties I'm encountering in my coding. I can only imagine how much worse this would be if my machine was a Windows box actually executing the worm while I was trying to get things done.
Now my mail server is being choked alive, and Most of these messages are allegedly from "Security Division," "Inet Email Service," "Net Service," "MS Technical Bulletin," "MS Net Mail Service," "Microsoft Corporation Technical Services," "MS Network Security Section," "Admin," "postmaster," "Security Center," "Microsoft Inet Message Storage System," "Microsoft Corporation Technical Support," "MS Corporation Network Security Division," "Inet Service," "Microsoft," "MS Technical Assistance," "Storage System," "email storage system," "Network Email Storage Service," et cetera.
Subjects include "Current Network Update," "Last Net Security Upgrade," "Failure Notice," "Abort Letter," "Notice," "Critical Pack," "Network Upgrade," "Undelivered Mail," "error letter," "Bug Message," "New Microsoft Critical Patch," and "Report." Some have a blank subject. There are two general themes: fake patches, and fake bounce messages.
They all have attachments. Of course, I'm receiving them on a system with a completely different processor, so they won't run on my machine. My disk usage for e-mail on DreamHost has gone from about ten megabytes to about seventy. The server is wallowing like a water buffalo under the weight of all this spam. (It is not technically spam, given that it is not exactly unsolicited commercial email; it's also harder to figure out who to blame for it, since most messages are likely coming from infected machines whose owners do not realize that they are infected).
I've also got one message that includes at least 300 email addresses and appears to be an advertisement for an anti-virus service written in Italian. A nice effort from a member of the Coalition of the Bullied, but better luck next time, guys.
Anyway, what can we deduce from the attachment? First of all, if you're running on machine and seeing similar mail: DO NOT EXECUTE THESE ATTACHMENTS. If the message contains web page links, DO NOT CLICK ON THEM. Don't try to analyze the attachment like I'm about to; you're likely to wind up installing the worm on your computer. I'm an expert. This is a Mac. Don't try this at home.
So what is this crap?
Running "strings" over the binary executable yields some interesting results: it was written with Microsoft Visual C++. It contains the names of a lot of executables: "anti-trojan," "bootwarn," "findviru," "lockdown2000," "safeweb," and "regedit." It also contains the following:
HEAD %s RCPT TO: <%s> QUIT DATA MAIL FROM: <%s> HELO %s
These are the phrases used to communicate with an SMTP mail server. So, this executable is designed to send mail. It also contains a template e-mail message:
Content-Transfer-Encoding: base64 Content-Disposition: attachment Content-Type: text/html Content-Transfer-Encoding: quoted-printable Copyright %i Microsoft Corporation.
(Hint: the mail does not come from Microsoft), and a whole bunch of stock phrases presumably assembled at random to generate subjects and "From" lines:
Microsoft Support Assistance Services Bulletin Customer Public Technical Center Department Section Division Security Network Internet Program Corporation Microsoft
And here are the strings which will generate some of the "Subject" lines:
Notice Report Announcement Advice Letter Failure Abort Error Bug User unknown Mailer Sender Returned To Message Mail Undelivered Undeliverable Returned System Service Delivery Storage Mail Message Email Inet Postmaster Administrator Admin
Then there are these strings:
Virus Generator Magic Mushrooms Growing Cooking with Cannabis Hallucinogenic Screensaver My naked sister XXX Pictures Sick Joke XXX Video XP update Emulator PS2 XboX Emulator HardPorn Jenna Jameson 10.000 Serials Hotmail hacker Yahoo hacker AOL hacker
(Who is Jenna Jameson? I feel I should know.) It turns out these are used to give filenames to the trojan when it is propagated by file-sharing. There's a lot more in here, but you get the idea.
W32/Swen.A Worm added September 19
The CERT/CC has received reports of a new mass-emailing worm, referred to as "W32/Swen.A" or "W32/Gibe.F". This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment.
The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.
So, what is this all about? It's about poor propagation of security patches, poor code, and what is largely a sotware monoculture. It's about a software monopoly which is complacent even in the face of the beginnings of public outrage over its insecurity.
There are people out there who would like you to believe that all operating
systems are created equal and, thus, equally insecure. Vance Gloster on the
Stickwire mailing list wrote recently:
In the bad old days, about 4 years ago, Microsoft was very irresponsible about security. While the folks at Sun who created Java were thinking hard about security with Java applets, the folks at Microsoft ignored security concerns in creating the ActiveX infrastructure. As they had been trained to evaluate issues, the Microsoft folks said, "security does not increase revenue", and they dismissed it as irrelevant to what they were doing.
Bill Gates, though, saw that poor security could erode their user base like nothing else, and in January of 2002 he sent a memo to all of Microsoft telling them security had become their highest priority. You can read his memo at:
Since then they have done a much better job at plugging security holes. Virtually every big hacker invasion (that did not depend on email attachments) exploited a hole that Microsoft had already fixed. Microsoft's Windows Update system makes it easy to update your machine.
Let's look at this claim: I have a clean XP Home box from Dell here that had never been patched since purchased (perhaps a year go). I went to patch it. I found that Microsoft's site identified over SEVENTY patches!
Needless to say, it took the better part of a work day to decide which ones to install, download them, install, and reboot three or four times, then navigate back to the site each time. Microsoft throws everything into the "patch" system: documentation updates, adware, spyware, "security" in the form of added DRM.
Vance goes on:
So does Microsoft really just write terrible code, and that is the problem? Maybe, but so does everyone else.
To which I replied:
Well, yes, all code must be assumed to be buggy and security-hole-ridden until proven otherwise. And unfortunately there is no way to "prove" otherwise except to gradually gain confidence in a code base that has been tested "the hard way" over the years. But Microsoft does seem to have an amazing culture of prima donna hacking and premature optimization. Read the war strories of some of Microsoft's programming management (Steve McConnell writes quite openly about Microsoft's programming culture).
In reality, even very smart programmers make errors that can be exploited. Until we get better at testing for these things, software, whether on a Mac or on Linux or on Windows (or even on your souped-up Commodore 64), will have vulnerabilities. About all you can ask for is for the authors to be responsive in creating updates. The open source community, with a few exceptions, has been very responsive, as has Microsoft over the last year or so. Apple has not been as aggressive about doing updates, but they argue that their users have had few problems. This is what Microsoft was saying several years ago. If you are interested in Apple security updates you can find them at the address below. There is a new one as of about a week ago for OSX.
But this is misleading. Apple has not been "aggressive" about releasing updates, but this is because they have not had as many security holes to fix. As security holes are uncovered in the underlying Darwin OS components, many of which are quite arcane and have never led to exploits, Apple has been quite decent about releasing patches. In my reply I wrote:
Yes, MacOS X is based on BSD UNIX, but this is really a blessing in disguise: BSD has been around a lot longer than Windows 3.X/9X/200X/XX and, being open-source, has had the benefit of decades of hackers competing with each other to find security holes and bugs. When security holes are found in the BSD layer Apple is aggressive about patching them.
Apple's culture is not Microsoft's. Apple, being the one with the small market share who must prove themselves and can't resort to monopolistic practices, simply can't afford Microsoft's arrogance and carelessness with its customers. Apple doesn't "argue" that their users have had few security problems. MacOS X, formerly OpenSTEP, formerly NEXTStep, aka BSD UNIX, with a dash of Mach, has a reliability record that no commercial OS except perhaps Solaris (System V) can aspire to.
Apple's core OS is open source; I have the source on my machine. Most of it is BSD (with a 20-year-plus pedigree).
I've seen Windows boxes compromised at every place I've worked; in practice, having a Windows server on a network is generally a security disaster. I've had Linux boxes rooted as well.
Having an OSX box rooted is astonishingly rare. It's like a Sun vulnerability. It happens, but not often. BSD servers have a record for reliability that even Linux boxes can't match. MacOS X comes set up with reasonable security out of the box: no FTP, no Telnet (something Linux distributions are only recently beginning to try). By contrast, an XP box on the network is a promiscuous whore begging to be hacked: services running all over the place, ports open left and right, many which can't even be turned off. (And Lord knows, we're trying; 99% of the disturbing activity we track on our network is coming from our XP boxes. I know this because we've got a consulting investigating strange activities on our network, reading TCP/IP dump files and trying to figure out why our network constantly behaves as if under a denial-of-service attack. What he's found is that it correlates very well with spyware, file-sharing trojans, and Windows XP shenanigans).
Apple's built-in software update also works much better in practice. It notifies you of patches, and there are a small number of them (less than one a month). It's much less onerous. And they don't try to blame all the security flaws in the OS on the end-user's failure to spend half his or her working day trying to keep up with a bewildering array of patches.
It's doubly ironic today that I'm being inundated with fake security patches. Apple has heard and taken to heart the story of the OS Vendor Who Cried Wolf, while Microsoft blames the customer and inundates us with irrelevant patches.
To be fair, there isn't much that Microsoft can do if users download and install trojan horses, or happily bypass warnings to run executables they received in incoming email messages.
Now the worm writers are exploiting the very lassitude, hopelessness, and blind trust that this approach has engendered in its users, and it isn't a pretty picture.
So. Want to fix the security holes in your Microsoft system? Unplug it. Want to make the internet a healthier place? Run another operating system. It doesn't have to be MacOS X, but that would be a good choice. A recent BSD release would do you just fine, or Linux if you wish. And you might find that you learn something and save money at the same time.
UPDATE: The Register has a great piece here that talks about the meme that "if Linux or MacOS was as widely used as Windows, there would be just as many viruses written for those platforms." It just isn't true; Windows has unique qualities that make it inherently insecure, and this isn't just anti-Microsoft propaganda; the design and default configuration of the Windows OS make it so. See http://www.theregister.co.uk/content/56/33226.html.Mon, 01 Sep 2003 Apple LCD Monitor Prices
Let's imagine for a moment that I had the money to order a brand-spanking-new G5 system from Apple and assume that I wanted to get some Apple LCD screens. (Yes, I know 3rd-party LCD screens are much cheaper, but I also notice that the cheap ones don't have digital video input, which somewhat reduces the actual image quality I get out of them). Today the prices on the Apple displays are as follows, at least when I spec them together with a computer:
17" screen: $699
20" screen: $1299
23" screen: $1999
Now, the Apple 23" screen is certainly beautiful. It gives you a lot more real estate. Let's assume for a moment that screen real estate is fungible: that is, that I don't care about the exact dot pitch, that I want as many pixels as possible, and that it does not matter to me if they are all on one screen, or two... or even three. In this scenario, does it make any sense to buy the 23" screen? Or even the 20" screen?
The answer is no. The 17" has a native resolution of 1280 by 1024; the 20", 1680 by 1050; the 23", 1920 by 1200. We can calculate a cost-per-pixel ratio. Rounding the prices to the nearest dollar, the cost per pixel is about 0.053 cents for the 17" screen. It goes up to about 0.087 cents per pixel for the 23" screen. (When you consider that the 23" screen has about 2.3 million pixels, the cost doesn't seem quite so ridiculous).
If pixels cost the same on all three screens, the 20" screen would cost about $940 and the 23" would cost about $1230. If the high-end screen prices come down to or below these points, it would make sense to buy them. (Of course, by the time this happens, one might assume the 17" screen will cost less as well). And of course there is some fixed overhead per unit: the power supply, the backlight, the casing, the cost of packaging and manufacturing.
For now, for my needs, it would make better sense to buy two 17" screens. That would give me about 2.6 million pixels, more than the number of pixels available on the 23" screen, at a cost of $1400, or 70% of the cost of the 23" screen. I don't truly have a need to view large layouts on a single monitor the way a graphic designer or digital photographer might, but as a developer, I like to have multiple source files open at once, along with, perhaps, several terminal windows, a project view, and a source-level debugger. Sticking two monitors next to each other is good enough.
Of course, this does not take into account the minor thrill of watching a DVD on a 23" flat panel. Were money no object, I'd consider two 23" screens. But this is all pretty much a speculative exercise to begin with, and if I speculate more realistically, I'll be a bit less disappointed!Second-guessing the Compiler
So, did you hear the one about the programmer who decided to rewrite all the logical tests of the form
if ((x) || (y))
if !(!(x)) && (!(y))
On the grounds that the PowerPC uses "NAND gates," where the Pentium used "AND gates," so the second expression would run faster on PowerPC hardware?
When I heard this, it caused me to utter some kind of sound... I don't remember the details, but I think it involved spraying coffee all over my monitor.
Of course, the two are logically equivalent (work out the truth table for yourself, if you don't believe me). I don't have any idea whether there really is a difference in the performance of OR logical operators on the PowerPC. I sincerely doubt it, keeping in mind that even the assembly instructions are abstract, as far as the hardware is concerned, and I don't have any way of knowing what is really happening in the hardware when a simple OR test is executed. If the hardware chose to execute the OR comparison using NOT and AND, I'd never know, and wouldn't care. But the second one certainly looks a lot more obscure, and that was the programmer's real point. (The "baffle 'em with bullshit" defense; if it looks complex, it must be complex; it will be harder for someone else to maintain; perhaps it will ensure job security.) (Don't bet on it; if anyone who worked under my supervision wrote this without a very good reason, he or she would be out on his or her ass).
It gets better. CodeWarrior is pretty good compiler. It looked at this code, and determined, pretty much as a human could with a little thought, that it made more sense to reduce the code to a simple logical OR. So that's what it did. So even if the original programmer had been right, the processor wasn't executing the logic he wrote. He hadn't looked at the resulting code. So there was, for yet another reason, no reason to write it that way.
Now, the people who wrote CodeWarrior's optimizer aren't dumb. It has undergone years of tweaking by very smart people. If there was some great optimization to be gained by rewriting logical operations to support the PowerPC's "NAND gates" more efficiently, they would have implemented it; it would be described in the PowerPC documentation, to guide compiler writers; and programmers would be griping about it. IBM and Motorola have a vested information in getting optimization advice out there, to make their chips appear more competitive. There isn't a reason to rewrite the logic like this, so they didn't.
If you've been living under a rock and haven't heard: optimize after you get it working. Optimize what you can measure. But the best initial optimization you can do on your code is to design it well and express it clearly. After you've tested it, crank up the compiler optimizations and test it some more. Measure its performance. Profile the hot spots. Optimize those parts. It doesn't make sense to waste effort optimizing instructions that are only executed once, during the startup of the program, which is not noticeably slow. If your program is slow on a modern CPU, it is far more likely that you are doing something wrong algorithmically: looking up some information by traversing a long linked list every time a function is called, for example, instead of using a more efficient structure such as a tree or hash.
Don't get me wrong: there's a place for serious hand-optimization. I've worked hard to hand-optimize DSP assembly code in order to reduce the number of cycles necessary to restart a disconnected data transfer across a PCI bus. I've tweaked interrupt routines to block for as few instructions as possible. I've also worked to determine why a program that draws animated meters is using thousands of times more CPU time than I expected. (Because it was drawing far too much, far too often, due to a bug that was easy to find by single-stepping the code with a source-level debugger). But in these cases I had some way, even if it was an imperfect way, of measuring the results. And you can bet your ass I was carefully commenting the code to explain why the implementation no longer appeared to be as simple and straightforward as possible. Not just to benefit some abstract future maintenance programmer; that maintenance programmer could be someone I know and love - myself.