We're Not Prepared
Friday, July 3, 1998 by Dave Winer.
Yesterday was the highest-flow day ever on scripting.com, and rightly so. We had the most detailed information on the $DATA security hole in IIS and other Windows-based web server software. It was a breaking story, I believe a bigger story than the Intel Pentium public relations fiasco over two years ago.
Microsoft's response was excellent, but the industry press response was frightening. This morning there's barely a mention of the story on the sites I check on a regular basis. I'm tempted to say that this was not the catastrophe that I'm concerned about, but it *was* the catastrophe, and there are certainly a lot of system operators that still aren't aware that they have a major security hole, and given the coverage given by the press, it seems they aren't likely to find out.
Even though dozens of reporters are on DaveNet, only one inquiry came in from a press person, and that inquiry was about the trust issue I mentioned in the postscript, which is a long-term issue largely of interest to web server developers, and shouldn't concern system managers and users much.
Why weren't the reporters interested in this story? Is there any lesson I can learn from this? Maybe I'm not trusted? Maybe the press people don't get it? How can I do better to deserve their trust or to educate them about how precarious our security is, now that web servers manage sensitive information like customer credit card info, medical records, and nuclear secrets?
My moment of greatest fear yesterday came when I got a link into a major airline's frequent flier database, and presumably I could have altered my records in their database (I'm a customer).
As an experiment I tried calling their main number to see if they could receive a security alert over the phone, and found that they had a company policy to not give out phone numbers. I could make a reservation, but I couldn't speak with their computer operations people. I said it was an emergency. I asked to speak to their president, but the request was refused.
How frightening for them! Airline safety is a big deal. Sure a hacker probably can't impact airline safety thru a frequent flier mileage database, but we don't know that that's the only hole that was opened yesterday.
And I saw the password they chose for their database and was even more shocked! Oh man. Passwords 101. Change that password right now folks. Even without the IIS hole, a hacker could easily guess the passwords that many people are using.
Further, since the hole has been there since IIS shipped, we have no idea what other data was compromised due to the hole that was revealed yesterday.
Remembering Murphy's Law, anything that can go wrong will go wrong. It seems prudent to assume that your passwords are compromised, and go from there.
We have an emergency response system for other kinds of catastrophes, earthquakes, fires, power outages, etc., but the response system for computer security holes is totally inadequate. It may take a meltdown to bring this home to the public, something that people can relate to, an event that costs everyone money or jobs, or kills people, or breaks a system that people depend on.
Then the press will be outraged, and the anger will likely be directed at computer industry, but it would be misplaced. This time the industry acted responsibly, but the press didn't pick up the story. There's still time, and something important that still needs to be done. The press is a crucial link in the communication system. People have a right and need to know about this stuff.
Microsoft shipped a fix for the problem yesterday. Now, system operators have to install the fix. The press can help by spreading the word, and perhaps for once tell the story of an industry that's doing its job in an honorable and open way.
The bottom line, security holes happen. I don't believe people who say Unix or Mac systems aren't subject to holes. No one knows. Programmers are human, we make mistakes, software has bugs, and servers have holes. The measure of our quality is how open we are about our mistakes, when we take the high road and let people know, even if it makes us look human, we're doing the right thing. I hope the press tunes into this.