This page posted 8 May 2000
We have seen yet another virus attack against Windows PCs. This has occurred despite the assurances made by the anti-virus software companies after the recent Melissa virus that the precautions they have put in place would prevent similar attacks.
Viruses are becoming increasingly vicious. They are possibly the single biggest security threat organisations face. In the near future we can expect to see a derivative of the Melissa / 'I Love You' virus which will do real damage. This virus will spread rapidly and will, for example, be able to destroy the computer's firmware. Those organisations that get infected will have to rebuild the hardware of their PCs. How will they continue to trade while their systems are down, for days if not weeks? The move into e-commerce, where emails have to be encrypted to ensure confidentiality, will make matters a lot worse. Virus detection software cannot detect viruses in emails that are encrypted. Anti-virus software simply treats the symptoms and does not cure the problem.
Who's to blame for the mess we are in? The computer industry saw how electronic calculators rapidly went from high-priced luxury items to low-cost commodities. There was a determination on the part of the vendors to ensure the same would not happen with PCs. Bill Gates is quoted as having said 'The reason we come up with new (software) versions is not to fix bugs ...' (Klaus Brunnstein of Focus magazine, 4th Nov 1995). The computer vendors have acquiesced to this strategy simply to maintain their revenues. They force their customers to upgrade to new and expensive PCs every few years. Viruses are a result of this culture, in which no proper concern is paid to the engineering of desktop computing. The security of Windows is fundamentally flawed and, in particular, because Windows makes no distinction between data and program files, it is not possible to eliminate the threat from emails that contain virus programs.
Viruses are not a threat to operating systems such as Unix and Linux, which can be configured to be secure so that emails cannot start the execution of a program. Unix was designed in association with the US Department of Defense to be a stable and secure operating system to run the Internet. Linux is a rewrite of Unix and has been developed by programmers co-operating over the Internet. What's more, it is free. It runs well on low-cost hardware and eliminates the constant churning the computer vendors impose on the users of Windows.
The received wisdom is that the people who write viruses are adolescent boys who have not yet discovered girls. This may be true. But the code of the 'I Love You' virus indicates that it was written by an experienced programmer and was released with a high degree of forethought and ingenuity. The Melissa virus was written by a middle-aged professional programmer in Jerusalem. The Chernobyl virus, which infected a large number of computers in China, corrupted the PCs' BIOS and prevented the PCs from being able to reboot, was developed by a programmer who now works for the Taiwanese Military. Another recent virus attacked Windows 95 and 98 computers and exported the password list. The result is that unauthorised users can gain access to these computers from anywhere over the Internet and read, modify or destroy information on the computer. Possibly virus writers are anti-capitalists who are not prepared to riot on the streets.
How to respond to the threat from viruses? Strategies that enable organisations to take the long-term view of the way forward have to be adopted. PCs must be secure and immune to the threat from unauthorised programs being executed. Their reliability has to be improved to that of all other products that have embedded software, such as TVs, mobile phones, cars etc. In this respect Linux is now ready for deployment on the desktop. Software exists that enables all existing Windows applications to run on Linux without any change, so enabling compatibility to be maintained and ensuring user skills are not made obsolete. The benefit of having a well-engineered operating system on the desktop is that there is an increased level of robustness, where neither the failure of an application nor the actions of users can crash the system. PCs running Linux can be configured so they are immune to viruses without the need for anti-virus software. They are also a lot cheaper to buy and run than PCs running Windows.
Why the reluctance to move to Linux on the desktop? Is Linux too good to be true? Is it because too many IT staff see their current Windows skills being made obsolete and find the move to Linux too difficult? Is it because IT managers have the mistaken impression 'no one gets fired for buying the market leader'? Is the 'investment' made in Windows software such that there is a reluctance to consider alternative solutions? It can be confidently predicted that viruses that attack Windows PCs will get more vicious. It is now time for those who are responsible for their organisation's IT and business strategy to realise the reason for viruses. A risk analysis to recognise the potential damage that can be done should be undertaken. There must be a positive response to completely eliminate the threat. It must also be recognised that the solution will not come from those computer vendors who have a vested interest in ensuring the instability of desktop PCs.