
5 October, 2004

Beating up the victim

Worldpay, the e-commerce clearing house for 30,000 web stores, suffered a denial of service attack at the weekend, its second in a year.  As with most DDOSs, virus/trojan authors were able to infect and take control of a huge number of 'zombie' computers, which in turn sent a mass of junk data to the Worldpay servers, overloading them.  The vulnerability is in the 'zombies', not Worldpay, which could do nothing against the volume of traffic.

Yet, astonishingly, it is plain from the readers' comments posted at the end of the BBC report on the attack that Worldpay customers (i.e. small online retailers) do blame Worldpay for its "inability to stave off attacks." Two examples:

I am in the process of moving my company to a better merchant account - so I'm glad they are getting hit.
I really had hoped that WorldPay had learnt its lessons last year; this reflects badly on both of us.

This must be so frustrating to Worldpay, not to mention financially crippling. Yes, retailers are annoyed by lost orders, but to lash out at the victim of the DDOS is utterly unfair. There are no lessons to be learned by Worldpay. To anyone with the vaguest hint of technical comprehension, it is obvious that the ultimate blame lies with the perpetrators of the attack, though if it wasn't for the incompetent/negligent owners of the 'zombie' machines, there could be no attack, so I'd certainly ascribe the majority of the blame to people like my mother.

As Bill Thompson at the BBC, amongst others, has frequently argued (he mentioned it again yesterday), it is socially irresponsible to leave your computer open to attack.

Virus writers are relying solely on the fact that there are a lot of people online who simply don't know or care about security, who will not have bothered to patch their Windows PC, and who are perfectly happy to click on links, open e-mail attachments or have online conversations with strangers. It is hard not to conclude that exposed users get what they deserve.

However, connecting to the internet is a social act, one that carries with it obligations, including an obligation to run a secure system. There are serious consequences if millions of computers get infected. The network slows down, vital data may be damaged, and many of the infected computers will be turned into zombies, used to send spam.

This piece refers to another Thompson article from about a fortnight ago. I recommend reading that too, particularly the latter third, which makes a very valuable suggestion:

When a computer tries to connect to a protected network, it first has to verify that it complies with that network's security standards. It's a bit like having a swipe card to get into a protected area of a building.

If the computer doesn't conform then it is only able to connect to a single server, one which provides the patches and security software it needs.

If internet service providers set up a similar system for their customers then anyone who has a virus or other malware would find themselves unable to connect to the wider internet until they had sorted it out.

The security check could even look to see if anti-virus software or a firewall were in use, and refuse to connect any unprotected machines.

Many would complain at first, but the benefits to the net community as a whole would be so great that it would be worth it. We would have less spam, fewer viruses and a safer online world.
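As an added illustration (not from Thompson's article or this post), here is the admission check he describes modelled in Python: a connecting machine reports its posture, and the network either grants full access or confines it to the one remediation server. The posture fields, the remediation host name and the patch-level threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Hypothetical name for the single server a non-compliant machine may reach.
REMEDIATION_SERVER = "patches.isp.example"
ANY_DESTINATION = "*"
# Constructed network standard: a minimum patch set plus anti-virus and firewall.
MIN_PATCH_LEVEL = 12


@dataclass(frozen=True)
class Posture:
    """What the connecting computer reports about itself (constructed fields)."""
    patch_level: int
    antivirus_running: bool
    firewall_enabled: bool
    malware_detected: bool


@dataclass(frozen=True)
class Decision:
    compliant: bool
    reasons: Tuple[str, ...]            # failed clauses, empty when compliant
    allowed_destinations: FrozenSet[str]


def check_compliance(posture: Posture) -> Tuple[str, ...]:
    """Return every clause of the standard that the reported posture violates."""
    failures = []
    if posture.malware_detected:
        failures.append("malware present")
    if posture.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {posture.patch_level} below {MIN_PATCH_LEVEL}")
    if not posture.antivirus_running:
        failures.append("anti-virus not running")
    if not posture.firewall_enabled:
        failures.append("firewall disabled")
    return tuple(failures)


def admit(posture: Posture) -> Decision:
    """The swipe-card step: full access only if every clause is met, otherwise
    quarantine so that only the remediation server is reachable."""
    failures = check_compliance(posture)
    if failures:
        return Decision(False, failures, frozenset({REMEDIATION_SERVER}))
    return Decision(True, (), frozenset({ANY_DESTINATION}))


def may_reach(decision: Decision, host: str) -> bool:
    """Would the access network forward this device's traffic to `host`?"""
    return (ANY_DESTINATION in decision.allowed_destinations
            or host in decision.allowed_destinations)
```

A quarantined machine can still fetch patches from the remediation server, but its traffic towards any other host is dropped until it passes the check again.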

Comments

Good post, and I do like the idea of forcing people to comply with security standards before being allowed on the net. I would expect it to take one hell of an effort to get worldwide agreement to it though.

Posted by coffdrop at October 7, 2004 12:32 PM
Page design and original graphics © NRT, 2003