The Internet Explorer fracas: Let's find something else worth dumping
Fair warning, everyone: What follows is my opinion. Given the propensity of opinion traffic on the Web, I shouldn't have to say this: It truly is my opinion. Nothing to which I attach my byline or my face has been adjusted or colored in order to more thoroughly polarize my characterization of the subjects I cover, or to agitate your feelings so as to prompt you to post comments.
In fact, in all sincerity, I realized long ago that I'm not a very polarizing figure, I've accepted that fact, and I've come to embrace it. The art of persuasion, I was taught centuries ago, was developed with the aim of getting other people to agree with you. I'd like to get a hold of the person by the tea bags who came up with this notion that popularity must be driven by populism, which in turn can only be generated through agitation, anger, and outrage, hoist him onto a flagpole, and tell him flat out, "Rush, Americans are smarter, more sensible, wiser, and more capable than you think they are or than you would have them become."
So the dozens of you who came into this article expecting the Boston Tea Party may end up being disappointed. This article is not so much to stir up debate as to relieve a headache. For that, you may accuse me of being self-serving, with my permission.
The problem in front of us
There is nothing about the architecture of the delivery mechanism for the Hydraq exploit -- the one that rang alarm bells at Google -- that is so particularly novel that it would prevent Windows users with the requisite amount of everyday vigilance from avoiding it. If what Google appears to be saying is accurate, the original attack was not directed at the general public anyway. Nonetheless, the release of a version of Hydraq's source code by a researcher to the general public earlier this week probably did more to make the general public vulnerable than the original attacker did.
Only in America, perhaps, will you find someone who's not only paranoid of being blown up by a bomb from the Chinese Communist Conspiracy, but has no problems with the idea of divulging how You, Too, can build your own at home and try it yourself.
I'm attaching my latest podcast to this article, and it's directed toward everyday users who may or may not be technically-minded. I invite you to share it with your friends, colleagues, and relatives who may have been alarmed by some of the general press coverage of the Google attack. It talks about a problem and its solution.
Anyone who has become a victim of the Insecurity Hype Machine, as perpetuated by local TV news, should listen to this latest edition of the podcast. There are days when local TV news is more of a burden than a service: "It's the cold war all over again, this time in cyberspace! Google is saying China is attacking American servers! Are your PC and all your files at risk? We'll tell you in a minute, but first, here's this week's Adopt-a-Cat."
One really big problem we face -- certainly a subject for a separate article -- is that publishers of media of all types do not believe they can capture the public's attention for any longer than a minute without promising you a slice of Armageddon.
Hype is an insipid beast. It inflates the magnitude of the smaller issues facing us, it takes our attention from the larger issues we should be concerned with, and to an unappreciated degree, it thrives on a certain degree of automation. Like a David E. Kelley series, a bit that catches the public's attention one week can be rerun the next week even if it doesn't fit the real direction of the plot. When a security engineer discovered a way that new code engineered to look like old code (so it gets run using a compatibility mode) can pretend to be part of the BIOS so it can bypass the need for privilege to determine how the operating system randomizes addresses using ASLR, the dusted-off headlines last Wednesday (which look about as stupid as yet another kooky "Boston Legal" character) called this a "14-year-old browser flaw."
To me, that's like saying an atom bomb is an exploit in the wild for a trillion-year-old flaw in atoms.
We don't do ourselves any service when we fail to address problems for what they are. (Please feel free to cc: the previous sentence to the Democratic National Committee.) A security engineer discovered that code that looks old can be manipulated in a new way so that it bypasses the new restrictions imposed by ASLR. It's a significant defect in Windows -- not in a Web browser, but Windows. But unlike the Google attack, this isn't an active exploit -- not yet. To make an active exploit based on this discovery, someone has to wrap it in the usual "exploit toolkit" package -- probably the same class of package in which Hydraq was deployed. And thanks to the irresistible urge among certain individuals to make problems public rather than fix them before they hurt the public, Microsoft must now race against the usual Boys in the Basement to produce a fix before someone six or seven or eight days from now produces a "0-day."
Regardless of the sophistication of this newfangled method for tearing old code down, the method itself cannot be enabled unless we let our guard down -- unless we turn off the very feature (ASLR) that the method is designed to defeat. It's like a bomb for a bank vault door that only works from the inside of the vault. Say what you want about the stupidity of Windows architecture throughout the 1990s, but a bomb that can only blow the barn doors off a barn whose doors are already open sounds like something from a Bugs Bunny cartoon.
If this type of stuff -- a stealth remote controller that only works on technology from the last Ice Age, and a bomb that only blows down open structures -- is all that's necessary to make us hoist the flag of revolution and start dumping our Web browsers in the river, then we are seriously overdue for a diaper change.