What do worms have to do with big brother?
Worms are certainly getting a lot of press lately, Code Red being the most
recent addition to the pages of Net lore. It spread far and wide and is still very much alive and well. We've all
read a lot about it, like the other newsworthy worms and viruses that preceded it. But have you thought about
the fact that some of these infected machines contain your most sensitive information?
These worms hit everything, but perhaps the hardest hit are small business/small office environments. This is because
there are not really enough users to justify an admin in many of these places. Often a secretary, or another of
the staff who happens to be more technical than the others, inherited the network.
But these businesses are the ones that we are most likely to patronize. Doctors' offices, dentists' offices, lawyers,
accountants, churches, and more. We conduct business with a lot of small businesses and organizations. Our most
personal information rests in their hands.
SirCam
SirCam hit many of those places hard. I handled more than a few e-mails from those whose job it was to watch one
of these networks. SirCam spreads like many of the other e-mail viruses, except that it looks in the browser cache
for mailto tags and also spreads via file shares. Spreading by file share caused it to repeatedly infect every
machine in small networks. Some were chasing it for weeks.
SirCam also attaches a random file it finds on the infected machine to the outgoing mail. Think about the types
of files in the pool from which it will be drawing. An infected machine in a doctor's office. That means a game
of Russian roulette with medical records. Some had to have gone out this way.
I received a lot of SirCam mails. Over 400 a day at one point. This is because of Cotse; it is my e-mail address
that is scattered all over this site. Cotse handles a lot of traffic. That put me in many browser caches as a mailto
link.
As a result I received some very personal files in my mailbox. I received a financial database export, a diary,
some rather personal photos in a private doc, legal documents, a business plan, investment reports, and someone's
tax information, just to name a few. That random file was guaranteed to hit a sensitive file at least some of the
time.
Code Red
Code Red infected a lot of machines. Somewhere around 300,000 in its first few hours. That is a big number. Code
Red hit everything, big business, small business, and home users. Many didn't even know they were running a vulnerable
system.
Code Red also evolved. One version of it installed a back door. A back door into machines likely to contain our
personal information. Code Red illustrated to all what security professionals have known for a while, that there
are a lot of unsecured and unpatched machines on the Net.
The patch for the vulnerability that Code Red exploits has been available for quite a while. People just did not
apply it. Some didn't know they were running vulnerable machines, others got tied in red tape. But however you
look at it, it infected a lot of machines. Odds are that some of those machines carry sensitive information.
Soft White Underbelly
The Internet has demonstrated its soft white underbelly. It is us, the end users. We are human; as such
we are susceptible to human weakness and encumbered by human imposed limitations. The ease of point and click,
a momentary lapse of thought, a file launched, a virus spread. A patch needed, an impact study performed, a presentation
given, a migration plan webbed, a network infected.
This pretty much guarantees that the Internet will remain unsecured for a while. Yet even knowing this, it does
not stop or slow our rush to put even more personal information on the Internet. It does not stop or even slow
us from allowing even more systems that database, monitor, and track us to be built.
"1984" at age 17
Lately we have been hearing a lot about the many faces of Big
Brother. Face recognition technology, cameras tracking everything, cell phone tracking, GPS, communication monitoring,
employer monitoring, and more. We are working on building a society that will be monitored at all times.
As horrible as that is, let's look past that. Let's look at the infrastructure. This technology is new. In computer
terms much of it is the equivalent of version 1.0. Plus a large portion of this monitoring is being done by private
industry. Governments and other organizations contract private industry to set these systems up, support them,
and sometimes even run them.
Some of this government contracting has foundations in the fact that the government found a loophole. They can't
legally gather or get some information about us without many layers of red tape. Yet, private industry isn't encumbered
by the same governmental regulations on information gathering. So the government can have private industry get the info and then get it from them.
Simple.
Anyway, all of this places a lot of our personal information in the hands of private industry. This is the same private
industry that is doing such a good job securing existing systems. The worms and viruses are showing how unsecured
things are and the sheer number of vulnerable machines and systems is astounding. They illustrate that business
does not place a high priority on security. They illustrate the roadblocks involved with keeping a large network
secure.
Instead of addressing the existing security issues, we are building new systems. That is what led to the first
security issues, always build, never look back. Security is overhead, it is support cost, it is not a new project
you can crow about building. As such it plays second fiddle to new development. But in this case we are building big brother. It is not prudent to build an unsecured
big brother.
The strange part is that no one seems to care.
There is no uproar from the masses. There is just a lot of hype about needing this or that to track child pornographers
and terrorists. Save the children. It's well known that if you wrap any cause in a blanket of children, the
masses will be blinded to anything but children. But I digress...
OpenBigBrother 1.0
There is really only one thing worse than big brother, and that is big brother that anyone can use. Many think
of the new surveillance and monitoring in terms of "you only have something to fear if you have something
to hide". The truth is that they are either unaware of the issues or perhaps have just not thought about them.
It won't just be the "authorities" who have access to these new systems. These systems will be spread throughout
private industry. This is an industry with a track record. A quick look at the Internet shows that record in glaring
light. There is every reason to believe that as they build more monitoring and begin to tie it all together they
will follow the same path.
That means that not only are we going to build big brother, but we are going to give everyone access. I'd like
to name the project OpenBigBrother 1.0. I'd also appreciate it if someone could play Taps for the death of our privacy.
/steve
09/03/2001
--
The thoughts and opinions within are mine and do not reflect the opinions or thoughts of any organization, real
or imagined. However, if no one shared similar thoughts or opinions I would be forced to face the fact that I was
either a genius or insane. Given the probability against the first, it would leave the sad fact of the latter.
So for this reason I hope that someone else shares similar thoughts and opinions. But mostly I just hope it causes
some to think and have an opinion.