Bogus email ‘agreements’

I’m perpetually irritated by the ludicrous legalese that organisations force employees to tag onto the end of email messages. Here’s a typical example:

This e-mail and all attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender and delete the e-mail and all attachments immediately. Do not disclose the contents to another person. You may not use the information for any purpose, or store, or copy, it in any way.

Up to now, my standard reaction has been to mutter “Oh Yeah! You and whose army?” But I’ve just noticed that Cory Doctorow, Whom God Preserve, has had a better idea. He has decided that ridicule is the best defence against this nonsense. His boilerplate legalese reads:

READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies (“BOGUS AGREEMENTS”) that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

I’m going to add this to my email signature options so that anyone who signs off with legalese will have the compliment returned, in spades.

Later: Hmmm… I’ve obviously touched a chord here. Lovely email from James Cridland pointing me to his personal legalese:

Terms and conditions of receipt of email

These terms and conditions apply to emails sent to the above email addresses or any containing ‘james’ before the @ sign and ‘cridland.net’ after the @ sign. Unsolicited email is herein defined as email which is not the result of demonstrable prior contact using or quoting such an address. No guarantee of confidentiality is given, or honoured, on receipt of unsolicited email, irrespective of any terms and conditions block contained therein. It is illegal to send EU citizens unsolicited commercial email without the users’ explicit (opt-in) permission, according to The Directive on Privacy and Electronic Communications (2002/58/EC). This site owner reports all such mail direct to your ISP.

That’s the stuff! I feel better already.

The Storm ‘worm’

Bruce Schneier has a sobering briefing on what he calls “the future of malware”.

Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.

Old-style worms — Sasser, Slammer, Nimda — were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins, and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

Storm represents the future of malware. Let’s look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.

3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.

4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way…

There’s more, and none of it is pretty.
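The resilience argument in points 2 and 4 of the quoted briefing, as an added sketch that is not from Schneier's article or from this post: a toy graph model of what a takedown does to a centralised control structure compared with a peer-to-peer overlay. The network size, peer count and number of removed hosts are assumed values, and the random overlay is a generic model, not Storm's actual protocol.

```python
import random

def star(n):
    """Centralised C2: node 0 is the controller, every other node links only to it."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj

def p2p(n, k, rng):
    """Peer-to-peer overlay: each node links to k randomly chosen peers (assumed model)."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in rng.sample([x for x in range(n) if x != i], k):
            adj[i].add(j)
            adj[j].add(i)
    return adj

def takedown(adj, m):
    """Defender removes the m best-connected nodes, i.e. the most visible ones."""
    gone = set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:m])
    return {v: nbrs - gone for v, nbrs in adj.items() if v not in gone}

def largest_component_fraction(adj):
    """Share of surviving nodes that can still reach one another."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(adj) if adj else 0.0

def compare(n=500, k=4, m=10, seed=1):
    """Return (star, p2p) connectivity after takedown; all parameters are assumptions."""
    rng = random.Random(seed)
    return (largest_component_fraction(takedown(star(n), 1)),
            largest_component_fraction(takedown(p2p(n, k, rng), m)))

if __name__ == "__main__":
    s, p = compare()
    print(f"star, controller removed: {s:.3f}   p2p, 10 hubs removed: {p:.3f}")
```

Removing the single controller leaves the star network as isolated hosts, while the overlay stays almost fully connected after its ten best-connected nodes are gone, which is the gap between the two takedown outcomes the briefing describes.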

Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can’t imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn’t work in any case: Storm’s creators could easily design another worm — and we know that users can’t keep themselves from clicking on enticing attachments and links.

Redesigning the Microsoft Windows operating system would work, but that’s ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it’s a really bad idea in real life. We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

This is the other side of the end-to-end coin.