About a year and a half ago, as I was preparing for a series of Microsoft-sponsored security talks with Mark Minasi, I suggested that my talk--which was to focus on Microsoft's security road map--might be jokingly called "Finding the Humor in Security." For the record, I was serious about the title, but the attempt at humor fell on deaf ears in Redmond and we used a more staid (i.e., boring) title.
I'm not laughing anymore. On Sunday night, while preparing for a trip Monday to New York, the notebook I had planned to bring was suddenly struck by the most malicious software (malware) I've ever encountered. This Trojan horse got through my defenses despite the fact that I was running the Release Candidate 1 (RC1) version of Windows XP Service Pack 2 (SP2) with the firewall turned on. It was infuriating, and after hours of investigating, deep cleaning with various antivirus and spyware products, and consulting with my technical guru (Storage UPDATE's Keith Furman, a lifesaver), I finally gave up. As I write this commentary, I'm heading to New York by train, using a different machine, and my infected laptop is home, awaiting a complete wipeout. I never did completely clean up the machine, and I'm still frustrated by the defeat.
This isn't the first time I've been hacked. A few years ago when Nimda hit, I discovered the chilling message, "You've been hacked by the Chinese" on one of my Web servers. Fortunately, I had previously taken the simple step of moving my Web sites out of the default location (i.e., they weren't in C:\Inetpub\wwwroot), so I didn't lose any data. But the episode left me with an uncomfortable feeling of violation.
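The relocation described above is easy to audit on a current IIS host. The following script is an added example for this page, not code from the column or from Microsoft; it assumes IIS 7 or later with the WebAdministration module (IIS 5 and 6 of the Nimda era exposed the same metabase data through adsutil.vbs instead), and the function name Test-DefaultWebRoot is my own. Note that keeping content out of the default tree only limits what a payload written for that path can reach; the actual fix for Nimda was patching the IIS directory-traversal bugs it exploited.

```powershell
# Added example (not from the original column): flag IIS sites whose content
# still lives under the default C:\inetpub\wwwroot tree, the location that
# worm payloads such as Nimda assumed. Requires the WebAdministration module
# that ships with IIS 7 and later (assumption; adjust for older hosts).
Import-Module WebAdministration

$defaultRoot = Join-Path $env:SystemDrive 'inetpub\wwwroot'

function Test-DefaultWebRoot {
    param([string]$PhysicalPath)
    # IIS stores paths such as %SystemDrive%\inetpub\wwwroot literally, so
    # expand environment variables before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($PhysicalPath).TrimEnd('\')
    return $expanded.StartsWith($defaultRoot, [StringComparison]::OrdinalIgnoreCase)
}

# One row per site; InDefaultRoot = True is the condition worth changing.
Get-Website | ForEach-Object {
    [pscustomobject]@{
        Site          = $_.Name
        PhysicalPath  = $_.PhysicalPath
        InDefaultRoot = Test-DefaultWebRoot $_.PhysicalPath
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the web server; sites reported with InDefaultRoot set to True are the ones that would have been hit by a payload hard-coded to the default path.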
As a news reporter, I write daily stories about Microsoft and the computer industry and, as you might expect, security-related topics have dominated the headlines recently in ways that no topic--even Microsoft's epic antitrust battle with the US government--ever has. Even here in Windows & .NET Magazine UPDATE, security has been an overwhelmingly popular topic: The editorials in at least 10 of the last 24 issues have dealt, at least in some way, with security. These days, the topic is almost unavoidable.
Oddly, I've actually defended Microsoft and its security record. I've written--and I still believe--that no company is doing as much work as Microsoft is right now to secure computer systems and that, ultimately, this work will benefit us all as PCs become more and more adept at dealing with electronic intrusions. Last week, in a meeting at Microsoft, XP Lead Product Manager Greg Sullivan, showed me how XP SP2 prevents a particularly nasty form of attack, in which malicious users can use chromeless (i.e., borderless) browser windows to hide warnings and make you think that you're accepting a valid bit of Microsoft code. The ingenuity in such an attack highlights the problems Microsoft faces as it seeks to secure Windows and its other products against increasingly sophisticated attackers.
But ultimately, I'm not as concerned with Microsoft's problems as I am with how the company addresses its customers' needs. One concept I've always tried to get across, whether here in Windows & .NET Magazine UPDATE or on the road during speaking engagements, is that we need to remember where we, as Microsoft customers, fit in the equation. We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security--it's just not there today, not yet.
And based on my recent experience, SP2 might not be the panacea I was hoping for. Indeed, days before my unfortunate experience with the aforementioned particularly irritating Trojan horse, Sullivan intimated during our meeting that SP2 wouldn't cure all security problems. Although the company is raising the bar in this release--dramatically, in some ways, especially for next-generation PCs whose microprocessors support the No Execute (NX) security technologies--SP2, like most technologies, will be too little, too late, for some people.
That brings me to another little bit of humor that I pull out whenever something goes wrong--maybe a demo isn't working quite right or a projector refuses to cooperate with my laptop for some reason. "Technology has never failed me," I'll deadpan. It always gets laughs, but you know what? Maybe the joke is really on me. If anything, technology has done nothing but constantly fail me. And now, purposeful technological glitches are starting to bridge the gap between simple irritation and economic ruination. I'm starting to fear that the Good Guys can't keep up.
Pick your poison: Today, we have spam, browser phishing, browser hijacking, Trojans, worms, and viruses and probably have other malware of which I'm naively ignorant. Call me a Luddite, but I long for simpler days.
Reader Comments
Although no system (combination of hardware, operating system, software, etc.) is free from security breaches, vulnerabilities and intrusions, using different combinations of them makes you less vulnerable to attacks.
For example, I have a mix of hardware/software at my home LAN, ranging from Cisco PIX firewalls, to embedded Soekris appliances running OpenBSD as a firewall/router, some Windows PCs and many Linux servers and workstations (running several distributions, like EnGarde Trusted Linux, Fedora Core 2 and SUSE Linux). This won't stop any hacker from beating me, but it will make it much more difficult for anyone to perform a single attack that affects all my systems at once. The hacker can target my Cisco PIX firewall, or my Soekris box, but it's really difficult to target all my systems with a single, automated attack.
As it has been said, monoculture is bad. Microsoft is forcing the market into monoculture, i.e. all devices running Windows. That's really horrible. Windows has made some serious mistakes, like producing a modified version of Kerberos that nobody in the cryptographic community has validated, for example. Betting all your business on one vendor is, simply said, suicide. No one system vendor can offer you everything (no one size fits all). For example, nobody can beat OpenBSD on embedded security systems like those from Soekris. And nobody can, currently, beat Windows as a multimedia platform. Nobody can beat sendmail/postfix as the best performing, most used, smallest footprint MTA on the market, and nobody can beat Linux as a customizable and flexible system for clusters or servers. We should choose the best offerings from different vendors, while not trying to marry ourselves to one single vendor (be it Sun, IBM or Microsoft).
Felipe Alfaro Solana -May 28, 2004
*clap* *clap* *clap*
Welcome to the party, Paul. After reading article after article where you berate the user for not taking the proper steps to secure their system, it's nice to see you finally put the blame where it belongs. It's not ALWAYS the fault of the user. Microsoft, Linux, Apple...they all face significant security challenges. You know I'm a rabid Apple fan, but I also use Windows quite regularly. The difference is that I don't worry about technology failing me on the Apple side anywhere near as often as I do with Windows. That's why I stick with my Mac whenever possible. So I will respectfully disagree with you when you say "better security" is just not there today. I think it is. Nothing's perfect, but when I need to WORK and not worry, I know what machine I'll be using.
Thanks for a very thoughtful and intelligent article. Well done.
Wendy Rebecca -May 28, 2004
I especially like this article because as a 40-something!? person who has adapted to new ways of communicating via work, home and so on, with all kinds of gadgets that are becoming obsolete while we talk, the simple days of fill the car, buy the case of barley hops on a Friday night have to be revisited.
Stephen -June 01, 2004
Not that it is at all an end all solution, BUT, this is exactly why we need to support, and inform our Representatives to support the SPYBLOCK Act. The Act was introduced by Senators Conrad Burns, Barbara Boxer, & Ron Wyden.
We, myself included, have a desperate need to pass blame on someone for the problems that we face. While it is easy to blame Microsoft for falling short on security what about blaming the somewhat intelligent, typically socially inept, malware developer. It seems to me that these developers have a need to be recognized, so I say we organize a group to simply search out these script kiddy pontiffs and slap them with a severe dose of their own code.
As far as adware/spyware/malware, “I am mad as hell and I’m not going to take it anymore!”
Steve Kemp -June 01, 2004
It appears that RackSpace is hosting this malware problem that you are having according to http://www.arin.net. My question is this: does rackspace have any policies against malware proliferators like this renting space from them?
Steve Kemp -June 02, 2004
This was a good article Paul, but after reading recently that several software firewalls had security problems themselves, I concluded that software firewalls will never be secure enough and neither will software... so if you have a machine that needs to connect to the internet, use a hardware firewall and if you need to have a machine on the internet, use a hardware firewall with port forwarding... it doesn't matter what Operating System... XP, OSX, OS/400... you name it... they all have and will always have vulnerabilities.
Tim -June 02, 2004
I think it's important to stack the odds in your favor. No OS is perfect, but I feel far more comfortable plugging my Mac into a wireless network or foreign LAN than a Windows machine. I was one of the minority at Tech-Ed this year with a PowerBook, but I noticed a lot more than last year. With 8000 hack attempts on the MS Tech-Ed network & infrastructure, plus worms/viruses, there was no way I was bringing Windows XP w/ company data on it into that environment. I support Active Directory & a large Exchange 2000 cluster in my company, and it just gives me knots in my stomach every day, from both a reliability & security standpoint. Unbelievably, we've also switched to Windows servers for our phone system, which also has dependencies on AD & Exchange. One good worm that targets AD, and the whole company's infrastructure will be wiped out; computers/mail/phone, everything. How dumb.
Christopher -June 05, 2004
Paul, naturally I'm sorry to hear about your problems, especially occurring as you're packing Sunday night for a week-long trip, but with regard to your summary "Pick your poison...I long for simpler days", there is a simpler alternative today. You owe it to yourself to spend some time with an OS X laptop. It doesn't have to be your only computer, or your main machine. You don't have to be a "switcher" or recant on Windows XP being "the best yet", and Longhorn "walking the dog". But you'd see that it's possible to use a laptop every day, still run MS Office, surf the web, read email, and yet have a completely different take on viruses, worms, pop-up windows, adware and trojan horses. Yeah I know about the recently publicized potential URI exploit on OS X and the regular BSD updates for the underlying unix internals, but as an OS X user, I don't worry about e-mail viruses, I've never experienced web sites putting up pop-up windows, and adware or spyware are something I've never experienced and know about only 2nd-hand through reading accounts such as yours. As William Gibson put it: "the future is here. It's just unevenly distributed." Try an OS X laptop and experience the future today.
B Schmidt -June 05, 2004
I had the same experience and just today, I think I have cleaned my system. For the past 4 weeks, I have been looking into how to get rid of this thing that continued to send me to http://69.20.62.53/yyy3.html and allow pop-ups to the point where I couldn't get anything else done. In investigating, it looks like it was a worm named Virtual Bouncer. I finally got rid of it by getting rid of the registry settings, running Ad-Aware, running HijackThis and finally antivirus. Right now, I haven't seen any attempts unknown. But then again, I haven't googled today either. Good Luck!
mary -June 10, 2004
I'm pretty surprised you've encountered a trojan that you couldn't defeat.
I'm a bit late on this bandwagon, but I didn't see the utility HijackThis mentioned anywhere. It's a great tool for exposing all the browser add-ons, hidden startups and a bunch of other little items. I use it for removing toolbar and homepage hijacks. Read the warnings, but it might help find the last problematic bits of this.
Look up HijackThis in Google or your search engine of choice and you should find a link to the download.
Aaron -June 15, 2004
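Mary's cleanup (registry settings, Ad-Aware, HijackThis) and Aaron's recommendation of HijackThis both come down to inspecting a handful of persistence and hijack locations in the registry. The script below is an added example for this page, not code from any commenter or from the HijackThis project; it is a read-only sweep of the locations HijackThis reported as R0/R1 (Internet Explorer start and search pages), O4 (Run keys) and O2 (browser helper objects), and it flags values that point at a bare IP address, as the http://69.20.62.53/ redirect above did. The function names and the regular expressions are my own choices; run it from an elevated prompt so the HKLM entries are readable.

```powershell
# Added example (not from the original comments): a read-only sweep of the
# registry locations that browser hijackers of this era modified. Nothing is
# changed; review the flagged rows before deleting anything, as the HijackThis
# warnings advise.

# URL whose host is a dotted-quad IP rather than a name (assumption: that is
# the pattern worth flagging for start/search pages).
$ipUrl = '^https?://\d{1,3}(\.\d{1,3}){3}(/|$)'

$pagePaths  = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
              'HKLM:\Software\Microsoft\Internet Explorer\Main'
$pageValues = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL'

# R0/R1 equivalents: IE home and search page settings.
function Get-BrowserPages {
    foreach ($path in $pagePaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $pageValues) {
            $value = $key.$name
            if (-not $value) { continue }
            $flag = if ($value -match $ipUrl) { 'IP-address URL' } else { '' }
            [pscustomobject]@{ Source = "$path\$name"; Value = $value; Flag = $flag }
        }
    }
}

# O4 equivalent: per-user and per-machine Run keys.
function Get-RunEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = $key.GetValue($name)
            # Autostarts launched from temp or profile directories deserve a look.
            $flag = if ($cmd -match '\\(Temp|Local Settings|AppData)\\') { 'runs from temp/profile' } else { '' }
            [pscustomobject]@{ Source = "$path\$name"; Value = $cmd; Flag = $flag }
        }
    }
}

# O2 equivalent: browser helper objects, resolved to the DLL that implements them.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll  = if ($server) { $server.'(default)' } else { '' }
        $flag = if (-not $server) { 'no InprocServer32 (orphaned)' } else { '' }
        [pscustomobject]@{ Source = "BHO $clsid"; Value = $dll; Flag = $flag }
    }
}

@(Get-BrowserPages) + @(Get-RunEntries) + @(Get-BrowserHelperObjects) |
    Sort-Object -Property Flag -Descending |
    Format-Table -AutoSize -Wrap
```

Flagged rows sort to the top. A start page pointing at a bare IP address, a Run entry launching from a temp directory, or a BHO whose CLSID no longer resolves to a DLL are the items a HijackThis log of the time would have shown under R0/R1, O4 and O2; the script only reports them, so removal is still a deliberate, separate step.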