Even when all the security screens are in place and all the precautions are taken, there are still moments when a system is awfully exposed.
Around mid-August a former colleague of mine called from Lansing, Mich.: “My workstation insists I have an authorization error and reboots all the time; but that doesn’t matter because the power’s out everywhere. Are you OK?” As you may recall, it was mid-August 2003 when a lot of things technical went into a handbasket headed for Hades. Among other things, there were 50 million people without electricity and the Blaster worm was spreading rapidly.
Of course, when it came to information technology, individuals and companies that take pains to protect their systems were prepared to weather power outages and block worms. Just like myself and my friend’s business in Michigan. After all, didn’t we both have backup batteries and antivirus software?
Not that we thought we were invulnerable. We’ve seen the law in Murphy’s court far too many times. However, I suspect we both thought we’d taken enough precautions so that troubles would happen to others. Naturally, I wouldn’t be writing this if our measures of protection had been adequate–no problem, no lesson.
Patch as patch can
I now vaguely recall that a few weeks before the arrival of the Blaster worm in my email in-box, I got an e-mail message from Microsoft warning of a serious security weakness in Windows and highly recommending a visit to the Microsoft site for a patch. This was a rather unusual plea, aimed largely at consumers. Companies are handled differently and in general are assumed to be watching their patches.
I don’t know about you, but many of us are disposed to take most anything Microsoft says with a grain of salt (or perhaps even a pinch). Besides, Microsoft issues virus warnings and other product “fixes” with great regularity. It’s easy to underestimate the importance of any particular warning.
Whatever the reason, several hundred thousand of us–including many corporations–didn’t act on Microsoft’s advice. This meant that our systems were subject to a buffer overflow during a remote procedure call (translation: The Blaster worm program could gain control of a computer).
I still don’t know exactly how the worm got into my computer system. I was running a top-rated antivirus program, and as far as I know the virus definitions were up to date.
I remember that at about the same time I received a very official-looking e-mail from my ISP, threatening disruption of service and saying I should contact the company immediately. Everything–logos, pictures, text–looked exactly like the material at the company’s official Web site, except that when I clicked on the link that was supposed to take me to an accounting contact, I was suddenly at a porno-site. Something similar happened at other links on the page.
Believe me, I’m not a sucker for this sort of ruse, but this e-mail message was sophisticated, both in presentation and context. Because I’d opened the message and worse, clicked through some links, I wouldn’t be surprised if it was the source of the Blaster worm. Then again, I still don’t know why the antivirus software didn’t catch it; but I’m not sure exactly when my virus protection was updated.
That’s two strikes against me–not paying attention to warnings, and not being sure of my antivirus software. The third strike was something like opening an infected message. It took me the better part of a day to figure out why my computer was rebooting (the key symptom of the Blaster worm), find the patch at Microsoft, get a clean-up program from the antivirus vendor, and return my system to normal.
My friend Dean in Michigan had his entire business out of e-mail communication for that day–and then the lights went out.
Assault and battery
I know that Dean is meticulous about security and backup. I wouldn’t say he’s paranoid, but one of his favorite sayings is “Just because you’re paranoid doesn’t mean they’re not out to get you.” He runs a small IT-oriented business where, if the computers don’t work, work isn’t being done. So he’s careful, or as the economists say, risk-averse. He’s spent the money and taken the time to have antivirus protection on both his server and on individual workstations. He has UPSes (uninterruptible power supplies) on every computer, and I’m sure he monitors their batteries. He’s proud of his efforts, as any craftsperson is proud of good tools.
Fat lot of good it did him. In one day, the Blaster worm invaded at least two of his computers, including his company mail server, and then the power went out–not for a few minutes, but for almost 24 hours.
He told me, “It was like watching the movie ‘2001: A Space Odyssey,’ where HAL the computer terminates the lives of the hibernating astronauts. I watched my UPS monitor helplessly, as one by one our workstation batteries died and people frantically tried to finish up work. We were supposed to be finishing a job for a client on the West Coast; all we were able to do at the last minute was send e-mail and make phone calls telling them what had happened. What a mess.”
Perhaps he should have had a gas-powered generator to kick in when the power went out. However, a generator big enough to run several computers (with peripherals) and keep the lights on would cost thousands of dollars, not to mention requiring frequent checking and maintenance. I don’t know if he studied the option, but in any case, he still doesn’t have a generator.
The bigger picture
Part of the problem is that Dean and I are small-business people; in my case, a business of one. Despite our IT backgrounds, neither we nor our companies are in a position to do “everything possible” to protect our computer systems. That includes the cost of having an adequately large and well-maintained power generator, or constantly monitoring for updates and fixes to software. Then again, the unprecedented power outage and the nature of the Blaster worm affected a lot of people. We were hardly alone.
So what? Dean and I both agreed that these events weren’t like the weather–somewhat unpredictable and unpreventable. Just because a lot of other businesses were caught doesn’t mean that it was OK for us. The hard-nosed response was therefore…Well, there is no hard-nosed response unless a company is willing to spend whatever it takes to gain “near 100-percent security.” Perhaps some large corporations can do this and still build it into their pricing structure. We can’t.
After looking at costs, Dean decided that investment in an adequate power generator didn’t balance with the possible loss of revenue from a major blackout. Despite the inconvenience, he didn’t really lose any business (the client in California was quite accommodating). Likewise, I’m not about to pay somebody to monitor my software fixes and updates; I have to do it myself.
We’re not comfortable with the time and effort it takes to do this kind of big-picture risk analysis, but the main lesson from the Blaster/blackout combination is that you can’t afford not to figure risk versus cost for extreme cases.
Most digital technology not only isn’t invulnerable, but also, much of it isn’t even robust–it’s fragile. Serious and systemic problems occur. Blaster/blackout wasn’t a wake-up call. We were already awake, like most business people (we hope). I’m assuming we can always do a better job at computer security and backup; however, this was a reality check, something to make us examine our limits.