Alex Zaharov-Reutt
Monday, 18 February 2008 04:20
Opinion and Analysis
Page 2 of 3
Sophos’ own security researchers don't have quite the same enthusiasm, with Paul Ducklin, Head of Technology, Asia Pacific, at Sophos saying that the notion of ‘good worms’ is “Nonsense”.
Ducklin loads both barrels and fires them, saying: “Which modern security software relies on a central server to bear all the load? Perhaps Microsoft's does, and perhaps that's why they are playing with fire here. But using self-replicating software to disseminate new code and data sounds like a recipe for disaster to me.”
Ducklin then asks a number of pertinent questions, including:
- “How do you regulate the behaviour of the worm at your network boundary?
What if some of your computers inadvertently try to pass the update on to computers your company doesn't own or control?”
- “How do you send a control message to the worm to regulate its behaviour after it has been released? (A second worm is no good, because it might not catch up with the first.)”
- “How do you test the performance of the update worm in a network the size of the internet, and how do you vouch for its behaviour in the face of security software trying to prevent this sort of self-replication?”
Ducklin then wisely argues that “a hierarchical updating system -- one in which updates fan out from a few central points, like branches on a tree -- with consenting computers polling their nearest upstream servers regularly, and fetching small updates whenever needed, can deliver similar performance with far fewer risks”.
Ducklin believes the answer lies in ensuring the network administrator should remain in control of their network... For Ducklin's final comments - and my own - please read onto page 3.
