The Slammer Blame Game

David Morgenstern fields reader comments about the SQL Slammer worm and its possible effects on remote-storage businesses. Who dropped the ball?

In my previous column, I voiced concern that fallout from last weekends SQL Slammer worm assault—only the latest in an increasingly severe string of attacks—might shake the already wavering confidence of consumers in the reliability of the Internet. This dip, I argued, could hurt the market for Web services and especially for remote storage of consumer data.

Some of your responses fell into the what-me-worry category. Others pointed fingers at a variety of culprits: at the hackers who perpetrated the worm attack; at the network managers who failed to safeguard their servers; and, not surprisingly, at Microsoft.

In this latter camp is David Wall, CEO of e-signature developer Yozons. He said the many attacks on Windows servers as well as the daily volume of virus attacks on hosts both erodes the confidence of consumers in the Internet and makes it difficult to come up with a remedy.

"Attacks on Microsoft software connected to the Internet affects those running Microsoft software, as well as those who have sensibly avoided using it," Wall complained. "The reputation of online businesses is harmed, since being unavailable or slow during the attacks harms their offerings and slows their customer support. How will Web services, grid computing and software as a service grow when computer users are concerned that the Internet is unruly, unsafe and unreliable?

"Granted, all software is vulnerable to a certain extent simply because its created by people. But why havent we seen such attacks against the market-leading databases, such as Oracle or DB2, or even open-source solutions like PostgreSQL or MySQL? Why dont we see crippling attacks on Apache, the market leading Web server? Most Internet servers run on Linux, Solaris or one of the BSD Unix systems, yet they are not attacked as often as Windows systems," Wall said.

While I appreciate his sentiment, Walls solution doesnt seem practical: "Just say no" is a less-than-satisfying answer for the technology community. No doubt this campaign would have the same level of effectiveness with computer users and CTOs that it has had with teenage sexual behavior. (About nil.)

Yet theres a nagging kernel of truth underneath his arguments. As Wall points out, there can be trouble when the market concentrates on a particular platform or piece of software.

The attack reminds us that any technology has vulnerabilities, from a single component in a peripheral to the massive interconnected system that comprises the Internet. Something and anything can, and will, go wrong.

Now a flaw can be exposed by malicious creations, like computer virii or the SQL Slammer, that are designed to attack a particular piece of software from a particular vendor. Or the vulnerability can crop up thanks to a small engineering error, such as the Pentium floating-point bug uncovered in 1994.

To mitigate these potential weak points, vendors, integrators and manufacturers should advocate for interoperability of hardware and software, insist on adherence to standards, and promote the diversity of platforms and products. The ultimate goal here is to ensure the fundamental survival of computing and preservation of data.

This principle, however, is easier to say than to put into practice.

As we saw last week, almost everyone on the Internet felt the pain of the SQL Slammer, even those living a Microsoft-free existence.

In fact, the worms fallout touched more than PC users. By messing with telecommunications, it even rattled those who believe themselves computer-free—and demonstrated that the ripple effects of computer security (or its lack) are spreading ever wider.

David Morgenstern is a longtime reporter of the storage industry as well as a veteran of the dotcom boom in the storage-rich fields of professional content creation and digital video.