TECHSPLOITATION: The Good Worm
Mason and Dixon, two of my favorite devious hackers, were having one of those conversations that occasionally happens in the early evening when your blood sugar is low and dinner is still a few hours away.
"Some people say that worms are mostly created by good Samaritans," Mason mused idly.
I thought of the Slammer worm, the one that clogged up traffic on the Internet for a couple of days early this year, taking down Bank of America ATMs and crashing the South Korean cell phone system.
"How can that be?" I wondered.
"Think of it this way: most worms alert people to major security flaws without doing very much damage," Dixon said, warming to the topic. "What a worm does is make a lot of noise, so it's easy to detect. But it doesn't destroy people's data or ruin their operating systems. So the worm gets out, goes everywhere, and then everybody patches up the hole it exploited in Windows or whatever, and now they're protected from something really bad in the future."
"Maybe even the NSA is releasing worms," Mason added. "That way they can protect the nation's infrastructure, because a lot of these unpatched vulnerabilities would be really dangerous if something worse than a worm got to them."
Their speculative chat seemed all too reasonable.
Imagine the frustrations of do-gooder programmers who are trying to get people to fix the software on their machines so nobody can hack them. Unfortunately, people are lazy. They're not going to spend half an hour downloading and installing updates to their system based on some geek's warning. The idea that they might get hacked, their machine owned up and all its data destroyed (or, worse, stolen and used against them), seems as remote as catching the plague or being bombed by terrorists. And so, completely frazzled by clueless users, some cabal of hackers with hearts of gold releases an annoying but nondestructive worm.
Even the Slammer worm could have been such an effort. Sure, it clogged the Internet with lots of traffic and took down a couple of networks, but nobody's computers were destroyed. In the end, more computers are safe in the wake of the Slammer than before it. Fearing the worm, people actually downloaded patches to Windows that now protect them against all kinds of potentially ugly attacks.
It's tempting for a lot of reasons to indulge in this fantasy about who makes worms. First of all, most of us want to believe there is some force of goodness out there protecting us, even if we don't understand it. It's like a happy conspiracy theory, where the powerful overlords who secretly rule our world are, in fact, a bunch of scrappy people like us, trying to do the right thing and sometimes resorting to unorthodox tactics to make it happen. Another reason the good-worm theory appeals to us is that it wards off an uneasy sense that we are being fucked with for no reason. What if the Slammer were just some high school prank? Does our information infrastructure run only as long as it suits the whims of hormone-addled, barely technical teenagers who think it's fun to bust shit up?
Put that way, who wouldn't rather have a conspiracy than chaos?
Unfortunately, the Internet is still mostly anarchy, and not the nice Emma Goldman kind. Crazy, haphazard networks continue to spring up everyday; networks that aren't secure, that are vulnerable to surveillance, that are set up so badly that they relay spam and worms and viruses without their administrators even realizing it. People send their passwords over the wires without encrypting them. Most Internet users don't realize that many popular applications like Kazaa come bundled with spyware, evil little programs designed to relay personal information from your computer to a third party.
I hope the good worms are out there protecting us. But we can't depend on that, and we can't expect that everyone who uses a computer will be technical enough to protect themselves. And that's why we need to regulate the Internet, the same way we regulate cities with building codes and police forces and politicians. Right now two pieces of (regrettable) antispam legislation are up for congressional vote after six years of endless debate. And at the December World Information Summit in Geneva, representatives will debate whether the Internet should be placed under United Nations governance, although it's unlikely to happen.
I'm still hopeful that someday we'll have a sane, open-government model to regulate the Internet. But sometimes I'd rather be ruled by worms.
Annalee Newitz is a surly media nerd who can't believe how much ZRNet sucks for making its free WiFi a pay-only service. Her column also appears in Metro, Silicon Valley's weekly newspaper.