
viruses, OSes, and videotape


I was reading today this article from Salon about Microsoft's approach (or non-approach) to security. Some good comments in there, which reminded me of a piece by Cringely from last year on Palladium and what he called TCP/MS. Re-reading it now in the face of what happened in the last couple of weeks is quite enlightening, particularly when you think that MS is considering making automatic updates mandatory. How difficult would it be for MS to do what Cringely was talking about then, in the name of security (hey, not even that, they can say it's a bug. It seems to have worked fine so far...). Through Jon Udell I got to this entry by Chris Brumme, who works at Microsoft (unrelated topic: look at the permalink in Chris's entry. Damn.). Near the end he talks about security, and I can't help but think that if Microsoft as a company had his attitude, things would be better. I am sympathetic to him as a person caught in all of this, as I guess I'd be to other MS employees. But the company as a whole needs a change in attitude, and in priorities. Forget about conspiracy theories (after all, greed is always a more plausible reason), this is a problem that needs to be fixed, and now. Some of what I mentioned last week should work, properly applied, and it's not even new, as Cringely's article this week demonstrates in the section where he discusses the worms. It's not a technology problem. It's a problem of priorities, and company culture.

If you don't think it's company culture, consider this article from Fortune magazine. I'd call that article "the return of clipit". Of special note is the attitude of the Microsoft person that the author talked to. It was always "no, you don't get it at all".

My view is the opposite: if a person that is obviously interested, educated and motivated to look at your software doesn't "get it at all" for something so simple as auto-case-modification, then something's wrong with the software, not with the person!

And so the worms and viruses spread. In the past 48 hours my postfix filters have rejected more than ten thousand infected emails. So I guess it's stabilizing at about 5000 a day (!). Update: Others are reporting similar continuing problems, though not on the scale I'm seeing--I wonder why. It seems that mileage varies widely. Matthew, who created and runs AlienCamel, mentioned through email that they've seen quite a lot of traffic from it, and at the CS servers of TCD they've stopped about 10,000 copies over the weekend, but for the entire department. Dave had 600 messages accumulate overnight, rendering his email useless. Wilson has also seen some traffic bumps, but not much. Grant hasn't been hit at all. I wonder if it has to do with who is running your server, whether you're (unknowingly) protected by other SMTP relays with checks along the way, instead of, for example, my case, where I run my own SMTP server. Hmpf.

In my idle moments I've been thinking often about the issue of liability, which has been raised more in the last few days, as in the Salon article mentioned above, or in this article specifically on the topic. Liability in some form might sound like a solution, but a closer look reveals many thorny questions. For example:

  • If, like in my case, I am being seriously affected by a virus but I am not using the Microsoft product that has failed (Outlook, Outlook Express, etc), is Microsoft liable, or is the sender? In the real-world analogy, if a car breaks down and a pedestrian gets killed, then the driver is sued. However if the accident is due to a systemic failure a class-action lawsuit would make the company pay, rather than the individual drivers.
  • And if such were the case, how do we determine the balance of bug/feature/error, plus the inevitable claims of misuse?
  • Even more: in the case of the virus, if Microsoft was found guilty, couldn't Microsoft accuse all other OS makers of not being prepared to handle the situation created by the bug (on the grounds that "it could be reasonable that no system is bug-proof")? In a distributed system, is the sender less, as, or more responsible than the receiver?

Okay, these are only some of the issues, but I think it's clear what I mean. Digital communications and distributed systems create problems beyond what we've known in the past. It's going to take a while to figure out how to apply our laws (in some form) to them, and it would take even longer if something like Law 2.0 is needed.


Yesterday I spent most of the day working on the Linux machine. A real treat. Been using IDEA, Dia to create diagrams (some things, like font settings, are primitive in it, but it works) and then OpenOffice. I saw the Gnome desktop crash a couple of times (particularly when accessing network resources through SMB), but it recovered on its own with no problems. Tried out KDE, as Nex6 recommended, and installed the Windows TrueType fonts, as Juan Cruz recommended, both of them in comments to yesterday's Linux entry. KDE does seem to be more solid, but it's also a bit less polished. Will play more with both though.

Configuring a remote printer (an HP deskjet shared on a Windows XP machine) on the Linux system was a breeze. Simple, fast, and it just worked. I loaded a PDF and pressed print, and nothing seemed to happen. I pressed again. Then I hear the printer in the other room. Oops. I hadn't expected it to work silently and transparently like that. Very cool.

What's weird is that Windows is actually getting more complex than Linux. Why? Because Windows is, at heart, a system designed for a disconnected world, while Linux (even though not fully a "networked OS" like the Spring Research OS was in the 90s) is much more aware and ready to deal with those things. Transparent firewall, IP routing, NAT, DHCP, etc, etc. All of that has been making the rounds on Linux for ages while Microsoft is just adding it now to Windows. The conclusion is that the playing field is leveled in that sense. Red Hat 9 already provides an easier (and a LOT more clear) way to configure the system's firewall than Windows XP does.

Also, I've been using GIMP a bit; I can't help it, I am graphics-dependent, and even for simple cases I end up doing image manipulation that is always better done with a good program (scaling algorithms are not all the same, you know :)). Found this really useful site on it and Gnome in general (including for example this nice GIMP tutorial).

And I still haven't commented on how cool (and useful!) the myriad of useful applets are in the Linux desktop. For later then...

Unrelated (more or less). I found Contiki. Useless for serious work, sure, but probably useful in many situations... and in any case, isn't it cute?


Right. Let's forget about the videotape for now. :-)

Categories: personal
Posted by diego on August 27, 2003 at 1:35 PM
