Slashdot Mirror


Melissa Creator tracked using MS's ID numbers?

So last week there was a lot of hype about Microsoft embedding IDs into documents that would allow tracing of authors. This week there was hype about Melissa, yet another lame doomsday macro virus (intentionally not posted here because I found it stupid). But mix the 2 together, and you get a story sent to us by stevew: the Melissa Virus can supposedly be traced to its creator using those annoying little IDs. They don't have exact details, but the article says that it came from AOL.

16 of 330 comments

  1. Scary as hell by Anonymous Coward · Score: 4

    5-10 years and $350,000? What the f*ck is that? Maybe Microsoft should be slapped with a class action lawsuit for setting up the infrastructure that allowed this virus to spread.

    This punishment does NOT fit the crime done. Basically, all this guy did was write some code (if you want to call it that). I will not deny the code was malicious, but we don't know why he did it. I could see someone trying stuff like this "just for the hell of it". Besides, if this guy hadn't done it, that security hole would have remained, and if it had been presented a year from now (presumably when even more people will be using email) it could have been MUCH worse.

    Basically, they are setting the punishment based on the fact that it scared the shit out of the FBI and lots of other people, not based on the actual crime committed.

    Doesn't it scare people here what can happen to you for programming something on a computer?

  2. Illegal search by DaBuzz · Score: 3

    I'm not sure if use of such GUIDs would hold up in court since it is private information gathered by an illegal search. The user did not give permission for his unique ID to be attached to his .doc file. The app (Word) had no just cause to attach this ID either so it's similar to having the feds tap your phone without a warrant.

    While I am not defending this moronic macro virus creator, I do think that utilizing these GUIDs is setting a BAD standard in regards to a person's right to publish anonymously.

    What's next, they track down the GUID of the person who wrote an anti-Clinton .doc and posted it online?

    --
    If you can read this message, your threshold is too low.
  3. Did M$ introduce Melissa? by Masem · Score: 3

    While I am probably being paranoid and overly sceptical, it's way too convenient that the Win98 ID bug, only uncovered recently, is suddenly going to be the life saver for solving the Melissa problem. And all only 2 weeks before the anti-trust trial resumes.

    But, even if this is the case, I really wish there was something that could be done against M$ for introducing the entire concept of Word viruses to the world; if they had introduced the security needed into the vis basic routines when they first put out Word 6, things wouldn't be as rampant now.

    Plus, this only goes to show that when only one company makes all the programs that you use, it's rather easy to find all the loopholes between them all. (Hint, there's better, more established ways to do interprocess communication than a proprietary system).

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  4. Guess what, GUID doesn't find Melissa author! by ptomblin · Score: 3

    Since a Word document only has the GUID of the original document author, and all these Word Macro viruses are made by taking somebody else's Word Macro Virus (WMV) document and modifying it, all the GUID does is point back at some guy who wrote the original WMV that was the grandfather of Melissa. See this article for more details.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  5. Microsoft instructs how to build Melissa by jamiemccarthy · Score: 4

    The Microsoft security website all but explained to this virus author how he should write his virus.

    Microsoft Security Bulletin 99-002 points out the "vulnerability in Word 97 which could permit macros to run without warning the user when the user opens a document based on a template containing macros." Melissa modifies Word templates to do exactly this.

    Microsoft's webpage continues with the warning "A malicious hacker could exploit this vulnerability to cause malicious macro code to be run without warning if a user opens a Word attachment that was sent by a malicious hacker..."

    This security bulletin was posted to the Microsoft Knowledge Base on January 21, 1999.

    Buried in their website, the page lamely suggests that "all affected customers" - i.e., every one of the tens of millions of Word users! - "download the patch to protect their computers." Those customers have had over two months to do exactly that, and the tiny fraction who did are presumably at least partially immune to Melissa's spread.

    Posting to an obscure security webpage hints on what might make an effective virus - a virus for which the only fix is tens of millions of separate patch downloads - is asking for trouble. Microsoft created the problem by coding a laughably insecure macro language into their applications. And they may have turned the potential problem into a real one by calling attention to it.

    "Security through obscurity" is never desirable, but when the system is already as broken as the Microsoft macro language and when the user community doesn't give a damn about applying patches, it might have been a better alternative.

    (Credit to TBTF for the link.)

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  6. hmm, very interesting. by Scott+Madin · Score: 5

    So how should we feel about this? The ZDnet article only discusses the facts of the situation, which is as it should be, though there's a slight air of "this privacy-invading software feature helped catch a bad guy so it's OK" to it.

    Is it good that the author's been traced? yeah, I suppose so. Doesn't matter all that much really, but I dislike viruses and their authors as much as the next person. If there's good enough proof that this is the author, and some damage can be shown, then I suppose I'm all for prosecuting.

    But I care a lot less about that than about the way they caught him. It seems to me we can't just go along, and say what the ZDnet article seems, ever so slightly, to be implying: that it's all right for MS (and by extension, Intel) to build identifiers like this into their products so that anything people who use those products do is traceable, just because once it helped catch someone who was doing something illegal. That's like saying "sure, the FBI can go ahead and install a wiretap on everyone's phone--fine by me, I'm not doing anything illegal, and only people who are would have to worry about that." I don't think anyone in their right mind would agree to something like that; and it violates all the principles on which our legal system is founded: "presumed innocent until proven guilty."

    It's good that they caught the author of the virus, if that were all that this meant. But it's not. I hope they don't try to prosecute unless they obtain stronger evidence, through more valid means; and if they do prosecute, I hope they don't try to use the Office-ID-number-trace in court. If they do, we're all going to have to start worrying. And looking over our shoulders.

    --

    Pancakes is the better part of valor.

  7. Why the MSID is a _bad_ law enforcement idea by philg · Score: 3

    First off, well said, Mr. Madin.

    This piece clearly implies that the MSID is a powerful law enforcement tool on the Digital Frontier. (BTW, I thought the out-of-nowhere references to the FBI were a nice touch.) That idea doesn't hold water, for a number of reasons. Apparently, ZD will gratuitously reinforce their message with questionable stuff like that FBI reference, but won't do the homework necessary to refute arguments that logically arise from their implied assertion.

    If they can be refuted, I don't think they can.

    First, there's no reason this will ever trap another hacker again, malicious or not. None. Anyone smart enough to write a Word97 macro is smart enough to obtain their own MAC address, scan the file for it, and remove it.

    Is the address encrypted? The article doesn't say, which leads me to believe that it's not. Even if they do end up encrypting the thing, how hard will it be to decrypt? The only people you'll track down with this will be script kiddies killing time. Hackers knowledgeable enough to do genuine damage to a defended infrastructure are knowledgeable enough to find this ID and neutralize it.

    "But that doesn't apply to the Intel ID," I can hear the ZD sycophants opine, "the Intel ID is a hardware ID, and no hacker can erase that!"

    Fair enough. And the MAC address isn't?

    In order for this ID to be useful in tracking down the origin of a virus, it has to be propagated in a file. Any file can be searched and have its contents modified. Period. The kind of ID you have makes no difference after it's overwritten.

    So this ID will only end up in documents that are:

    1. Not malicious.
    2. Malicious, but still untraceable (i.e., email automatically generated by a user who triggered a virus). In this case the ID is, to say the least, of limited value.

    So the only people the ID can track are law-abiding citizens who don't care to remove the ID because their intentions are not malicious. Now why would you want to track them?

    The answer is left as an exercise to the reader.

    phil

  8. GUID didn't solve Melissa problem. by afniv · Score: 4

    Quoting Masem:
    While I am probably being paranoid and overly sceptical, it's way too convenient that the Win98 ID bug, only uncovered recently, is suddenly going to be the life saver for solving the Melissa problem.

    The M$ GUID will not solve the Melissa virus from spreading. That will go on as long as one person has not taken the proper precautions.

    All the GUID does is help catch the criminal who created the virus (assuming the GUID is accurate and was not forged).

    Actually, the GUID creates more problems. If you want to help solve crimes in a similar manner, it would be beneficial to have wire taps and other eavesdropping devices in everyone's home. That way, if anyone in the United States mentions terrorism, they can be promptly arrested for plotting terrorist acts.

    All the GUID is is Big Bro looking over your shoulder. That's not a comfortable feeling for me.

    This latest development will certainly put privacy issues in regards to electronic forums to the forefront again.


    --
    ~afniv
    "One could be glad if the air were as pure as the beer"
    Richard von Weizs
  9. ...unless, of course, you're using Windows. by sammy+baby · Score: 4

    There actually is a virus that will infect HTML documents, but it relies on a Visual Basic hack to insert itself into HTML files.

    Of course, you're only vulnerable if you're running Windows. So, it's an HTML-borne virus that makes use of a Windows security hole. Doesn't matter if you have armor plated walls if the foundation is rotten.

  10. Yeah right. by BiGGO · Score: 3

    I have an idea. Let's expose a major security hole in one of our products, to let everyone see that GUID is a good thing. Hell, they made security holes on purpose to make GUID useful.

    They planned it all along, of course, they knew GUID would be exposed, so made it possible for them to say: "You need GUID because our products are bad and have many exploits for crackers to play with"

    It reminds me when Microsoft bragged that NT servers had failsafe modes, and when a server crashes, another server can replace it. If NT servers didn't crash so often nobody would care.



    --
    I'm going to live forever, or die in the attempt.
  11. Macro viruses in general by dillon_rinker · Score: 3

    This is the worst kind of bloat I can imagine - a fancy text editor mated to a BASIC interpreter. Granted the usefulness of an integrated development environment in your word processor, it is doubly insane to permit programs to run automatically when the document is opened. While it is possible to disable macros in Word, this is not the default. 90% of users don't use macros (unless they are infected), so why couldn't MS change just one bit in its distribution from ON to OFF and do some serious good toward slowing the spread of macro viruses?

    The really sad thing is you can't sue them. They create an obviously deficient product, one which they could easily have changed to prevent material harm to their customers, yet they are not liable. But let somebody pour coffee all over their genitals, and Ronald McDonald is paying to the tune of $n*1E6.

  12. MS Says Tracking Numbers Are Good! by Anti-Sean · Score: 3

    hmmm.... The timing of these incidents seems a little too coincidental. "If it wasn't for those GUIDs secretly embedded in MS Office documents, we may have never tracked down this evil perpetrator", says Joe Researcher, on his way to the bank to cash in his check from billg. "Thank goodness for GUIDs!"

    or maybe I've had too much coffee this morning - my paranoia settings could need some recalibration.

  13. And how easy would it be to fake the GUID? by Kithran · Score: 3

    Having read the article I can't help wondering how hard the original virus writer would find it to change the GUID in his original file. If someone can extract the GUID from files on a website, what is to stop the original author creating the original infected document and then changing its GUID to that belonging to a different instance of Office? And given the prevalence of AOL free membership CDs and the ease with which a poster to USENET can fake their address, is it any wonder the original source appears to be an AOL (l)user?

    Kithran

  14. Let's get a few things straight... by Bob-K · Score: 4

    First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.

    What was discovered is that the GUID is transmitted to MS during the registration process.

    Of course, the likelihood that the macro writer registered his copy of Windows using his real name and address is probably.... zero. So it's doubtful that MS has any record of that GUID.

    Which begs the question... What is the basis for ZDNet's claim that the GUID was used to "track" the document back to its creator?

    More likely, they used the NNTP headers to get some hints about where to look, and when THAT trail led somewhere, they compared GUIDs and thus established an apparent connection.

    The real issue is not the recently discovered transmission of the GUID to MS during registration, it's the existence of the GUID itself that can reveal more about information than you realize. It's not "big brother," it's just bad design. And sloppy reporting.
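
The matching that comments 7 and 14 describe (an ID that carries a MAC address, compared across documents) can be sketched as below. This is an added example, not part of any comment and not Microsoft's code; it assumes the embedded ID is a standard version-1 GUID stored as text, and the function names, file names and MAC values are constructed.

```python
import re
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # start of the version-1 clock

def find_guids(data: bytes) -> list:
    """Return every textual GUID in a file; dropping NULs also catches UTF-16LE text."""
    text = data.replace(b"\x00", b"").decode("latin-1")
    return [uuid.UUID(m) for m in GUID_RE.findall(text)]

def describe(u: uuid.UUID) -> dict:
    """Decode what a GUID reveals. Only version 1 carries a clock and a node."""
    if u.version != 1:
        return {"guid": str(u), "version": u.version, "mac": None, "created": None}
    octets = u.node.to_bytes(6, "big")
    # Multicast bit set means the node was randomly generated, not a NIC address.
    mac = None if octets[0] & 0x01 else ":".join(f"{b:02x}" for b in octets)
    created = EPOCH + timedelta(microseconds=u.time // 10)  # clock ticks are 100 ns
    return {"guid": str(u), "version": 1, "mac": mac, "created": created}

def link_by_mac(files: dict) -> dict:
    """Group file names by the MAC found in their GUIDs (an apparent common origin)."""
    groups = defaultdict(set)
    for name, data in files.items():
        for u in find_guids(data):
            mac = describe(u)["mac"]
            if mac:
                groups[mac].add(name)
    return {mac: sorted(names) for mac, names in groups.items()}

def make_v1(when: datetime, node: int) -> uuid.UUID:
    """Build a constructed version-1 GUID for the sample data below."""
    t = (when - EPOCH) // timedelta(microseconds=1) * 10
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF,
                             ((t >> 48) & 0x0FFF) | 0x1000, 0x80, 0x00, node))

# Constructed sample files; the MAC is invented, not a value from the article.
G1 = make_v1(datetime(1999, 3, 26, tzinfo=timezone.utc), 0x020000112233)
G2 = make_v1(datetime(1998, 11, 2, tzinfo=timezone.utc), 0x020000112233)
G3 = uuid.UUID("3f2b8c1e-7d4a-4e5b-9c6d-0123456789ab")  # version 4: random, no MAC
SAMPLES = {
    "sample_a.doc": b"\x01\x02binary{" + str(G1).upper().encode() + b"}",
    "old_template.dot": ("{%s}" % G2).encode("utf-16-le"),
    "unrelated.doc": b"{" + str(G3).encode() + b"}",
}
```

Calling `link_by_mac(SAMPLES)` groups the two files whose GUIDs share a node field. A shared MAC shows only that both GUIDs were minted on the same network card; as comments 4 and 13 point out, the field survives copying and can be overwritten, so it is corroboration rather than proof.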

  15. Scary as hell by EisPick · Score: 4

    > Virus writers and crackers need to be given some serious jail time and fines.

    Agreed. Virus writers are like people shouting fire in a crowded theatre. They probably don't intend to really hurt anyone, but they know they are "playing with fire," so to speak. So if their actions hurt others they should be held accountable.

    That said, I'd rather let the virus writer get away with it than have every Office document carry a unique ID traceable to the author. Americans are too freely giving up their privacy. Time to fight back.

  16. Benjamin Franklin's comment is pretty relevant. by njl_ · Score: 3

    They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    Historical Review of Pennsylvania [1759]

    -- njl