The Code Warriors


    The Human Threat
    "If you can fault our industry — we realized a little bit too late that we did indeed connect everybody, including the bad guys." --David Aucsmith

    Humans strike at computer systems in one of two ways, through malevolence or incompetence. Unfortunately for law-enforcement agencies and the people they protect, the bad guys are getting much better at what they do.

    The FBI in the past two years has reinforced its cybercrime division as mercenaries in the global capitals of hackerdom — Russia, Brazil, the Philippines — team up with traditional organized-crime groups to infiltrate ATM systems or hold corporate databases hostage. Before he became mayor of New York City, Michael Bloomberg helped the FBI and Scotland Yard foil a plot by a Kazakh national who was threatening to break into the computers of Bloomberg's financial-information company unless he was paid off. In November 2000 the FBI busted two Russians who had been trying to extort money from an American Internet company — undercover agents had lured them to the U.S. with compliments and a fake job offer. And the FBI, burned in 2001 by the Robert Hanssen spy scandal, knows as well as anyone else the danger caused by internal security threats, which nationwide are growing even faster than external ones.

    Incompetence can be just as wily an opponent. Before the desktop revolution, the average computer user had to know much more about how computers work than he or she does today. Now we don't need to know much but still foul up what we should know, like not opening attachments to unsolicited e-mail. Consumers also repeatedly fail to install security available to them. Manufacturers regularly issue programs called patches that fix newly found flaws in software. Microsoft gives consumers several options for patch delivery, from automatic downloads to manual installation. Free security upgrades: What could be easier?

    Virus writers take advantage of the gap between the time a patch is issued to cover a newly discovered flaw and the time users actually download the patch. In that window, they are able to study the flaw, write their destructive virus and let it loose. And they have been getting better at it — so much better, in fact, that Microsoft last month introduced a stricter security regimen. The company will release its patches monthly to make life more predictable for corporate and individual customers. At the end of October, Bill Gates previewed the firm's Longhorn operating system (due in 2006), emphasizing its security advances.

    Companies are trying to automate security so that customers needn't worry about it: today's software is in many cases so overgrown and bloated that the complexity overwhelms programmers. The number of flaws increases geometrically with the volume of code. "Complexity is the enemy of security," Palmer said.

    The software industry is learning from the credit-card industry, which has digitized crime watching based on card users' behavior. Basically, the credit-card companies monitor your card patterns, and when something out of the ordinary happens — a card is used overseas, yet the cardholder rarely travels, for example — the alarm goes off. Is the cardholder really in London? It sounds creepy and intrusive, but tracking exceptions to detect intruders is the basis for several new security approaches. And it has already become an invisible part of our lives. Stolfo has a start-up called System Detection, a two-year-old company whose tools scan networks and applications for code that shouldn't be there. Surveillance of this variety is effective — and it is going to be more pervasive. A number of start-ups are developing technology that sniffs out "aberrant" behavior. Like it or not, somebody is going to be watching.

    Market Speed
    "I don't personally want to bash any individual company or manufacturer. I would rather bash them all." --Sal Stolfo

    Suppose 90% of the world's automobiles used the same engine, and an undetected flaw suddenly emerged that shut them all down. We're talking global gridlock.

    That's the worst nightmare for Microsoft, the company that provides 90% of the world's desktop operating systems and a similar proportion of its Internet browsers. Microsoft earned its market share, but with that dominance comes the vulnerability of what computer geeks call monoculture. The near monopoly undermines security by making everyone's computers susceptible to the same flaws (you need only note the $2 billion in losses caused by the Sobig worm to understand). Critics point to parallels in the natural world to explain what happens when life becomes too dependent on a single source. "The Irish potato famine killed a country. The boll weevil killed an economy," Geer said. "It is self-evident that the desktops of the world are clones ripe for the slaughter"--unless they are Macs or run the open-source Linux software, both underdogs that hackers are less likely to subvert. The latter's ability to be guarded and upgraded on the fly by a universe of programmers offers some protection against the megaviruses. Linux's tamper resistance is one reason governments in particular are showing great interest in Linux-based operating systems.
