Slashdot Mirror


Melissa Creator tracked using MS's ID numbers?

So last week there was a lot of hype about Microsoft embedding IDs into documents that would allow tracing of authors. This week there was hype about Melissa - yet another lame doomsday macro virus (intentionally not posted here because I found it stupid). But mix the 2 together, and you get a story sent to us by stevew: the Melissa Virus can supposedly be traced to its creator using those annoying little IDs. They don't have exact details, but the article says that it came from AOL.

7 of 330 comments

  1. Scary as hell by Anonymous Coward · Score: 4

    5-10 years and $350,000? What the f*ck is that? Maybe Microsoft should be slapped with a class action lawsuit for setting up the infrastructure that allowed this virus to spread.

    This punishment does NOT fit the crime done. Basically, all this guy did was write some code (if you want to call it that). I will not deny the code was malicious, but we don't know why he did it. I could see someone trying stuff like this "just for the hell of it". Besides, if this guy hadn't done it, that security hole would have remained, and if it had been presented a year from now (presumably when even more people will be using email) it could have been MUCH worse.

    Basically, they are setting the punishment based on the fact that it scared the shit out of the FBI and lots of other people, not based on the actual crime committed.

    Doesn't it scare people here what can happen to you for programming something on a computer?

  2. Microsoft instructs how to build Melissa by jamiemccarthy · Score: 4

    The Microsoft security website all but explained to this virus author how he should write his virus.

    Microsoft Security Bulletin 99-002 points out the "vulnerability in Word 97 which could permit macros to run without warning the user when the user opens a document based on a template containing macros." Melissa modifies Word templates to do exactly this.

    Microsoft's webpage continues with the warning "A malicious hacker could exploit this vulnerability to cause malicious macro code to be run without warning if a user opens a Word attachment that was sent by a malicious hacker..."

    This security bulletin was posted to the Microsoft Knowledge Base on January 21, 1999.

    Buried in their website, the page lamely suggests that "all affected customers" - i.e., every one of the tens of millions of Word users! - "download the patch to protect their computers." Those customers have had over two months to do exactly that, and the tiny fraction who did are presumably at least partially immune to Melissa's spread.

    Posting to an obscure security webpage hints on what might make an effective virus - a virus for which the only fix is tens of millions of separate patch downloads - is asking for trouble. Microsoft created the problem by coding a laughably insecure macro language into their applications. And they may have turned the potential problem into a real one by calling attention to it.

    "Security through obscurity" is never desirable, but when the system is already as broken as the Microsoft macro language and when the user community doesn't give a damn about applying patches, it might have been a better alternative.

    (Credit to TBTF for the link.)

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  3. hmm, very interesting. by Scott Madin · Score: 5

    So how should we feel about this? The ZDnet article only discusses the facts of the situation, which is as it should be, though there's a slight air of "this privacy-invading software feature helped catch a bad guy so it's OK" to it.

    Is it good that the author's been traced? Yeah, I suppose so. Doesn't matter all that much really, but I dislike viruses and their authors as much as the next person. If there's good enough proof that this is the author, and some damage can be shown, then I suppose I'm all for prosecuting.

    But I care a lot less about that than about the way they caught him. It seems to me we can't just go along, and say what the ZDnet article seems, ever so slightly, to be implying: that it's all right for MS (and by extension, Intel) to build identifiers like this into their products so that anything people who use those products do is traceable, just because once it helped catch someone who was doing something illegal. That's like saying "sure, the FBI can go ahead and install a wiretap on everyone's phone--fine by me, I'm not doing anything illegal, and only people who are would have to worry about that." I don't think anyone in their right mind would agree to something like that; and it violates all the principles on which our legal system is founded: "presumed innocent until proven guilty."

    It's good that they caught the author of the virus, if that were all that this meant. But it's not. I hope they don't try to prosecute unless they obtain stronger evidence, through more valid means; and if they do prosecute, I hope they don't try to use the Office-ID-number-trace in court. If they do, we're all going to have to start worrying. And looking over our shoulders.

    --

    Pancakes is the better part of valor.

  4. GUID didn't solve Melissa problem. by afniv · Score: 4

    Quoting Masem:
    While I am probably being paranoid and overly sceptical, it's way too convenient that the Win98 ID bug, only uncovered recently, is suddenly going to be the life saver for solving the Melissa problem.

    The M$ GUID will not stop the Melissa virus from spreading. That will go on as long as one person has not taken the proper precautions.

    All the GUID does is help catch the criminal who created the virus (assuming the GUID is accurate and was not forged).

    Actually, the GUID creates more problems. If you want to help solve crimes in a similar manner, it would be beneficial to have wire taps and other eavesdropping devices in everyone's home. That way, if anyone in the United States mentions terrorism, they can be promptly arrested for plotting terrorist acts.

    All the GUID is is Big Bro looking over your shoulder. That's not a comfortable feeling for me.

    This latest development will certainly put privacy issues in regards to electronic forums to the forefront again.

    ~afniv
    "One could be glad if the air were as pure as the beer"
    Richard von Weizs

  5. ...unless, of course, you're using Windows. by sammy baby · Score: 4

    There actually is a virus that will infect HTML documents, but it relies on a Visual Basic hack to insert itself into HTML files.

    Of course, you're only vulnerable if you're running Windows. So, it's an HTML-borne virus that makes use of a Windows security hole. Doesn't matter if you have armor plated walls if the foundation is rotten.

  6. Let's get a few things straight... by Bob-K · Score: 4

    First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.

    What was discovered is that the GUID is transmitted to MS during the registration process.

    Of course, the likelihood that the macro writer registered his copy of Windows using his real name and address is probably.... zero. So it's doubtful that MS has any record of that GUID.

    Which begs the question... What is the basis for ZDNet's claim that the GUID was used to "track" the document back to its creator?

    More likely, they used the NNTP headers to get some hints about where to look, and when THAT trail led somewhere, they compared GUIDs and thus established an apparent connection.

    The real issue is not the recently discovered transmission of the GUID to MS during registration, it's the existence of the GUID itself that can reveal more about information than you realize. It's not "big brother," it's just bad design. And sloppy reporting.

  7. Scary as hell by EisPick · Score: 4

    > Virus writers and crackers need to be given some serious jail time and fines.

    Agreed. Virus writers are like people shouting fire in a crowded theatre. They probably don't intend to really hurt anyone, but they know they are "playing with fire," so to speak. So if their actions hurt others they should be held accountable.

    That said, I'd rather let the virus writer get away with it than have every Office document carry a unique ID traceable to the author. Americans are too freely giving up their privacy. Time to fight back.