GP-UK Archives
GP-UK@JISCMAIL.AC.UK
Subject: Amplification on request: Races and viruses: [was: Re: Can digests carry viruses?]
From: Adrian Midgley <[log in to unmask]>
Reply-To: GP-UK <[log in to unmask]>
Date: Tue, 9 Nov 2004 00:16:54 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (141 lines)

On Monday 08 November 2004 13:28, Adrian Midgley wrote:
> (Race condition)

Sorry, I didn't add my working out on this.
I've been reading and thinking and writing about this sort of thing for a
while now, and sometimes jump ahead.

I'll start off by giving an example of a system that includes a _race
condition_, picked for topicality and impact.

                               Railway level crossings.

Here is a Wikipedia reference (I commend Wikipedia to you both as a reasonable
reference and as something worth taking part in):
http://en.wikipedia.org/wiki/Race_condition

The authors there use "race hazard" as a synonym, which is reasonable. If you
Google on "race condition" you get a lot of hits, and many of them are
clearly IT problems and risks.

Race conditions therefore are to be avoided where the option exists, although
it is relatively rare for an adverse sequence to occur and severe
consequences to result from it.

Let us go back for a moment in time, to Slammer and South Korea.
http://en.wikipedia.org/wiki/SQL_Slammer

This is not the only example that could be used - you all know others, indeed
unless I am very much mistaken large chunks of NHS Net and multiple NHS
administrative organisations have been taken down by such worms at least
twice - but it is a reasonable one.

Slammer knocked over the S Korean banking system.  For a period there will
have been an apprehension that this was a move in the opening stages of a war
with a nuclear-armed neighbour, and there was a noticeable chance that the
confusion and reaction around that could have triggered an escalation that we
would have noticed in the UK.  But this essay is about IT systems falling
over, not civilisations.

Note that the race here was months long, and that it is by several accounts
not just carelessness that left significant installations unpatched, but
rather that the owners did not know that their software included the
vulnerable components built into multiple copies of the software subsystem
concerned, and that there were serious risks in patching such complex systems
in use.

Once Slammer had reached a vulnerable host in the banking system it infected
every available host in seconds.  Bang!
(OK, 600 seconds for near-saturation)

There are a number of specifics about this particular worm, this particular
host program, the use of RPC where it is not, according to some engineers I
believe are trustworthy, necessary or desirable that I won't go into for fear
of provoking apoplexy, but I will note that although a given user may never
inspect a given Open Source program's source code,   ...
  ("user" here including such entities as "the banking system of
   a medium-sized country"; "the IT and corporate governance departments
   of the First bank of Noddy"; "a health service area's sole contracted
   maintainer  which happens to be IBM/EDS/Fujitsu"; "Adrian Midgley")
 ... there is nothing except incompetence, laziness, trust, lack of time and
the usual suspects to stop them doing so and then talking about it.

And Slammer was not the Worst Case Worm
-----------------------------------------------------------
The Worst Case Worm is a credible projection
www.icir.org/vern/papers/worst-case-worm.WEIS04.pdf
and a UK article (because a lot of the Google hits are copies)
http://www.pcmag.co.uk/news/1156955

WCW combines features of the Worm whose name may still not be spoken in case
of lame virus filters, but suggests personal affection, with eg Slammer and
several others so as to spread by several - all, in fact - modes of transport
and then attack several (all known?) vulnerabilities in a computing
ecosystem.

The Race
-------------
I said that theoretically the advice given by the NHS and repeated by many
many people some of whom sell the tools, some of whom should know better, and
an unmeasured overlap and by many people who basically repeat things must
fail.

This is why:

Despite clever stuff in Sophos and ClamAV and other antivirus/antiworm sets
that aims to spot an unknown worm by its behaviour, there is a basic problem
which is that the antidote follows the disease.

So Spotty the black hat in his bedroom codes up a new worm, releases it onto
the Internet (using some ideas borrowed from the makers of hot spots in the
South Pacific to get the chain reaction boosted for maximum yield) and it
infects the first few hosts.

At this point, unless there is unusual luck, no anti-virus company has seen
it, therefore no antidote, no IDE file or signature, has been prepared.  We
have a race condition at our border.

Later, after a doubling time or three, the first copy gets to the antivirus
companies.  I think they share things around...maybe.
They start analysing it, then creating a signature, which is now available,
after a bit of testing, to be propagated.  It goes on the server and an email
goes out warning sysadmins that there is something new.
(WCW would do well to take note of email, wouldn't it ... but there is a
problem there)

Now we get to the point where skill and judgement on our part, or that of our
employees, or whoever ends up guarding our assets, can make a difference.

(This is a long essay, and I apologise to the people who understood it all
from "(race condition)" and are reading it to see if there is anything new in
it - remember the chief assassin's dictum to a king "we have to be lucky
once, you have to be lucky _every_ time")

A while ago I looked at some of the really quite helpful NHSIA/NHS Net
security pages.  (I may be in a rather small minority, judging by the last
big worm ingress and the messages and comments flying about with it, but
others of that minority and of like disposition are here or work for us)
At that time one of them was advising in a rather hopeful sort of way that
organisations should make sure they updated their virus definitions every
week.  (and to be fair, those who watched the right news would get a warning
when something big was in its tenth doubling or so)

At that time my mailserver updated three times a day.
Now it looks for new ones when it looks for mail.

But you must see that when we are not protected by antivirus programs until
the update arrives, and the update cannot arrive before the virus arrives
somewhere, and we have a large network, failure is inevitable.

And if it is the WCW, failure will be big.

And yes, there are alternatives which do not fail under these known
conditions, but only under unknown ones.

or, to sum up...
Race condition.

--
Adrian Midgley                   Open Source software is better
GP, Exeter                       http://www.defoam.net/
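A small model of the race the message describes, added here as an illustration and not part of the original post: the worm doubles on a fixed schedule, a sample reaches the vendor after a few doublings, the vendor takes time to analyse and test, and a site only notices the new signature at its next update poll. The doubling times, population sizes, latencies and the three polling policies (weekly, three times a day, every mail poll) are constructed values chosen to mirror the message, not figures taken from it.

```python
import math

# Update policies from the message, as poll intervals in seconds (constructed).
POLICIES = {
    "weekly": 7 * 86400,          # the NHS Net advice at the time
    "three_per_day": 8 * 3600,    # the author's earlier mailserver setting
    "every_mail_poll": 300,       # "looks for new ones when it looks for mail"
}


def infected_fraction(t, doubling_time, population, initial=1.0):
    """Logistic worm spread: doubles every `doubling_time` seconds while the
    population is mostly uninfected, saturating as targets run out."""
    r = math.log(2) / doubling_time
    return 1.0 / (1.0 + (population / initial - 1.0) * math.exp(-r * t))


def protection_time(doubling_time, doublings_before_sample,
                    analysis_latency, poll_interval):
    """Worst-case seconds until one site is protected: the first sample reaches
    the vendor after some doublings, the vendor analyses and tests it, then the
    site sees the signature only at its next poll (worst case a full interval)."""
    return (doublings_before_sample * doubling_time
            + analysis_latency + poll_interval)


def race(doubling_time, population, analysis_latency,
         policies=POLICIES, doublings_before_sample=3):
    """Fraction of the population already infected when protection lands,
    for each update policy. This is the race condition at the border."""
    return {
        name: infected_fraction(
            protection_time(doubling_time, doublings_before_sample,
                            analysis_latency, interval),
            doubling_time, population)
        for name, interval in policies.items()
    }


if __name__ == "__main__":
    # Constructed scenarios: a Slammer-speed worm (seconds per doubling)
    # and a slow mail-borne worm (an hour per doubling), one hour of
    # vendor analysis in both cases.
    for label, doubling in (("fast worm", 8.5), ("slow worm", 3600)):
        for policy, frac in race(doubling, 100000, 3600).items():
            print(f"{label:9s} {policy:16s} infected at protection: {frac:.4%}")
```

For the fast worm no polling interval helps, since the whole population is saturated before a signature can even exist; for the slow worm the interval is what decides the outcome, which is the point of the message.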
