Slashdot Mirror
Melissa suspect arrested
Stone Table writes
"MSNBC reports that the FBI arrested a suspect believed to have authored the Melissa virus "
This is definitely a tricky one: course, its a windows email
virus, so it doesn't affect most of us, but he was tracked
using the MS GUID. Justice? Big Brother? I'm not sure
which.
> What I get is paid fairly well for a job that's usually pretty easy
Yeah. Until yet another Talking Moon brain-dead-ism comes
along and bites you (and your employer) in the butt. Welcome to the
Real World.
granted better built operating systems such as linux give less oportunity for a virus to penetrate, but the real reason there aren't more linux viruses is that it isn't as mainstream... dos based machines have the twofold appeal of being vulnerable and available... once linux finally kicks ms off the desktop, I predict we'll see a lot more exploitation of what security holes exist
the very nature of a computer virus would involve the Federal government since it would almost certinately cross state lines.
anyway, seeing as how you don't know any specifics of the case, it's stupid to assume that the media is trying to demonize him. he could very well have pled guilty. you don't know.
Presumably this refers to the guy's invention being the immediate cause of many systems being tied up and clogged.
Don't worry they'll just build more prisons
(as if they aren't already)
and then the moral slugs of doom will slowly takeover.
Portland, OR
http://local.portland.citysearch.com/story/990329
Whoa! Touchy, aren't we? That was meant as a humorous aside, not as a personal insult. Lighten up, will you?
A good virus should email a copy of one of your documents (from "My Documents" folder), infected of course, to 50 people in your contacts list. Privacy violations rule, dude!
Ideally, it should also send a death threat to president at whitehouse.gov.
Finally, it should change the name of the virus randomly when it generates a copy of itself.
Okay virus writers - stick it to Microsoft! Fuck Microsoft as only you can.
If you give someone a coke and it has poison in it but you don't tell them it is poisoned, you can't use the legal defense that they are the ones that killed themself by drinking the poison.
Assuming this David Smith is VicodinES...
ANYBODY could have used his previous virus as a
template... the GUID stays with the modified
document. It's like if I write a history paper,
and someone else takes my document and changes to
claim that the holocaust never happened (or
whatever) then it will have my GUID on it!
Not only that, but the virus could have been
circulating around for quite a while until it
finally hit a powder keg (one luser using Outlook
with an address book)
I don't want to jump to conclusions so I will
save my conspiracy theories until I hear more.
Other than the fact the real bio virii are different than computer virii... here's my take.
First, comaring a computer virus to an air-borne one that kills is somewhat misleading. Everyone needs air -- not everyone needs to use broken software. You can recover from a computer virus, like your body recovers from a cold.
Second, if you liken a computer virus to something like STDs, there is another parrallel. Stop doing risky things! You can and should practice safe computing as well as safe sex/abstinance (depending on your beliefs).
I've had to spend too many extra hours at work over the years because of dickheads like this, rebooting the system of some moron who ignored our policy about opening email attachments or who disabled our virus checkers.
That's What You Get For Using Windows
And that's what you get for dealing with stupid people all day.
But will the problem then be viewed as a security issue in the Linux world and be fixed? Probably.
In the MS world? Probably not.
ah, but wait....if the author isnt to blame for making something that can werk with windows and 'create' problums (a small crack in the windsheild) then every virus that affects windows is the manufactors fault for not thinking about it. yea, windows is ony a few years old, a beta if you will. do you think the mac os wouldnt have any probs if it was so widely used? mas is more secure because the os is made for that hardware and the upgrade is limited. i had happy virus, i think that was a proto type for millisa. cars when they came out didnt have certain features that we use nad not think about. seatbelts, fire walls, and crumple zones. like OS's, they dont have a good gui (why everyone likes windoes, because its easy and grafical) some dont need it. dos, os2 (dead os but still great), linux (all 50 versions), novell netware, and a few thousand others. theres many dos's, disk operating system, for many different computers. its not microshafts fault that a virus was written. its not really a virus. its a program with an efficant source code, and is usually hidden. Back orafice is one, its whats called a trojan, but it isnt. its a chat proggie slightly edited. its made for netwerking. and it werks. but mcaffee and norton dont lkike it. its not the manufators fault that fallout was witten to run it both windoez and dos. its not their fauls that quake 2 was witten. is that a virus? have you installed it wrong and it made your system qwerky? is it linus's fault that someone rote a virus ( or a small program) for his OS? is learning efficant progframming rong? i think the maker or the dreaded virus (though i still dont know what it does) should be punished, but not harshely. someone with that muck intelict should have a good job, and would given tha chance. well, im at fault, i am learning VB. i may skip a line or something that when you run the proggie windoez never werks again. come and arrest me now so i dont inadvertantly make a mistake. oh, i dont wear a seatbelt either, and cigaretts can kill ya, so its camals fault for makin em, and coke causes cancer so its their fault. anything i missed? hope not. know i did. i dont read this bord offen, so email me with your remark about the...er...situation, and maybe i too can learn a bit.
dinglezip@usa.net
"allegedly" is actually an adverb, not an adjective.
I'm not sure what part of speech "allegidly" is.
</nitpick>
It's not a matter of being afraid of the creator of the virus: /workers emails too is pretty useless unless your out to piss somebody off and invade their privacy, or sell their addresses to others.
- it's because the guy was an irresponsible twit and had no regard for human rights
- sending your email to a bunch of web-sites (porn and otherwise) and grabbing all your friends
That should be illegal. If I had my way, spamming would be as illegal as breaking and entering.
What you did in high school was fine as long as you knew that that information was going to be used by mature people for an educational purpose.
- I'm sure that _wasn't_ your reason.
The school had a right to get angry - there was a real chance that a lot of people could have gotten hurt by an irresponsible twit trying out the stuff on the disk at the expense of other people.
The fact that _you_ made that possible should have been punished. It's too bad you didn't learn that at an early age.
As for being afraid, you are damn right I'm afraid of someone with a mismatched ego and low intelligence playing with bombs in my vicinity.
Wouldn't you be?
Thought experiment:
Suppose the virus pops up a dialog asking the user if they want to send a copy to the first 50 people in their address book - but uses an obscure language that practically no one can understand. Wouldn't the net effect be about the same? Would this be illegal? What if the only button was "Ok"?
Essentially a GUID is a long-ass number (i forget the length) but anyway, using a complex algorithm you can be assured that its unique...
that way if i generate a GUID on my comp, and give it to you, unless you generate GUID's for a billion years you won't get the same one... it makes things easier on distributed databases and other such things.. putting them in documents though is bullshit
THANK YOU. This is exactly what I fear. The author
of the macro is purely academic now. Instead of being
put in jail, and used as an example, he should be forced
to work with anti-virus folk to find a soloution,
or fined a nice 4 or 5 digit sum.
But isn't he also civilly liable for any computer downtime caused by the worm? Why isn't there a class action lawsuit against him? Is it too late to file one?
1. if you dont encrypt or keep confidental documents offline you are pretty damn stupid. and if you use outlook to send them you have to be even dumber than a salad bar! I love how people want to make laws to protect the stupid and the morons. Let's change those laws.. If your sensitive document was released because you didnt protect it then it get's published on the internet for ALL to see, or you are made to eat a copy of win98.
:-P)
2. this is not a DOS atack.. this is a largwe scale spam. Granted the net sucks so badly right now that large segments get knocked down with a small increase in load. but then it's not our fault, butt he fault of the GREEDY isp's and backbone operators, and the ever popular tele-phony companies. good grief we have had high bandwidth technology for decades, and we still have frigging copper wire in the streets! will someone please come up with a viable replacement for the phone company so we can all get some decent bandwidth? (and ban shockwave,streaming video, and anyone that hasnt owned a computer for more than 3 years.
This is not a dos attack.. as it doesn't target the routers or the servers specifically.
What this guy did was dumb. He made a virus that
spammed the world (Spam = BAD!) and crippled big
buisness (piss off big business, piss of the
government). Then he sent it out via an AOL
account (AOL keeps logs of _everything_). He
deserves to get a kick to the head. He does not
deserve a 'human slashdot effect.'
He was arrested at his big brother's house.
Windows 95 has locked up my computer at work, that's DoS and it prevents me from doing my job which costs my company money. I think a massive class action suit against MS by everyone who has ever had it crash (everyone who has ever used Windows) is in order.
I see it now. US government endorses the Microsoft and Intel serial numbers. Plans on creating a records database for use in criminal investigations...
::sigh
-Aaron
aaron@technologist.com
Unfortunatly the fact that those tags were put in place by M$ makes it legal to use them in court. It's just like video cameras. The government can't put up a survalence camera that looks in your windows, but the 7-11 across the street can. Then, if the 7-11's cameras capture illegal activity, the survalence was not illegal so the tapes are admisable.
sucks don't it.
It is possible. The MAC is loaded into the card's RAM when it boots up. You can overwrite this RAM. I think the ways to do it vary from card to card.
Consider this:
I take several pounds of dynamite, gift wrap it, leave it on your doorstep, ring the doorbell, and run away. You pick up the box, unwrap it, open it, and upon seeing the dynamite, drop the box, which then explodes.
You are stupid. You didn't know who the box was from, but you opened it anyway! You should have expected it was full of dynamite! Why is this a crime? I didn't do anything to hurt you, you blew yourself up!
Dude... by writing and releasing a virus, this guy was intentionally trying to inflict harm on others. There is really only one law; it is "Do no harm." All other laws are attempts to codify what "harm" is and assess damages (usually punitive) for the harm. The author of the virus is criminally and civilly responsible for any harm caused by his intentional actions. If he escapes the criminal prosecution, he can look forward to one hell of a class action suit from every company whose mail server was shut down -- and in an "intentional tort" suit, you can't get out of paying the judgment by filing bankruptcy.
Summary: This guy is fucked. And he deserves to be ! He brought it upon himself by his own malicious and stupid actions. He should be made an example out of, and left slowly twisting in the breeze as a warning to other sociopaths who choose to use their powers for evil, not good.
And you, kind sir, really need to get a life!
Not unless someone knows its a virus, here is a snipet from the book "Artificial Life Lab"...
... "The internet worm written by Robert Morris, Jr., was alledgedly designed to go to every node on the internet and report back in--to provide a kind of map of the internet. But the worm got out of control, "....
"A computer worm is a self-contained computer program that, like a virus, reproduces itself. The diffrence is that a worm does not spread by infecting host executable programs. Instead a worm manages to start running on its own, and copies itself to new memory locations. Some worms send copies of themselves to other users over electronic mail--sort of like a self-perpetuating chain letters.
The famous worm to date was the Internet worm of November, 1988"
Any way, I think its a worm personly.
While I do think that Microsoft has some bugs in their software, which if fixed, would greatly deter viruses, I don't think they should be charged legally. It is the user's responsibility to find software that does what he needs, and it is Microsoft's right to make poor software as long as they don't claim it is for mission critical (or even half-mission-critical) purposes. i.e. They must not misrepresent it as secure if they don't fix bugs once they know of them.
Would the whole Melissa virus be created as a PR effort to justify MS GUID or Pentium III digital signature?????
:(......
We are being watched
It all comes down to blame. ICMP fragmentation bugs in Linux - no one person in particular was to blame, and I don't think anybody cared... patches just came out quickly.
I agree with you 100% except...
Is the true fault Al Gore's for creating an internet so sucky it allowed a thing like this to happen?
Remember the law "What can happen will happen", people are chaotic, punishing the person doesn't solve the problem, setting the standards of law lower, just means we have more law breakers.
The problem is Psychological, we all need psychologists but psychologist are people to and can screw up your head, so the psychological problem has been attempted to be correct in a few ways, first there were MEMEs, much like viruses and worms. Memes are mind traps such as religion - believe in God or go to hell, help the suffering by brining them God. Next there is Government - if you speak out against the government you are a spy. And the modern day Marketing pyramids, someone teaches you how to make 10times your money for $10, you teach 10 other people for $10 each. All of these are in them selves like viruses and worms.
The bottom line is the easiest solution for this day and age is to have secure software, there is no other easier way. But if we scare people away from using viruses and worms, how will we know if our systems are truly secure??? We could put our entire lives online and be vunerable to forgieghn invaders screwing up peoples lives who are not even a citizen of our country. How will we know if there exists security holes??? If this Melisa worm has proven anything it is that MS makes very insecure software.
somepeople actually go along and register their ethernet cards with the manifacturer..imagine that..
and a MAC address is not the only tracable, unqiue idenitifcation on a computer..
Think about it, if MOST of the users out there weren't completely ignorant would your MIS/Consultant/Help Desk/Sys Admin job even exist?
Think of Micro$oft and mindless users as job security.
I know if it weren't for stupidity/ignorance I'd be out a pretty decent job.
-just another dumb ER Doc/Glorified Triage nurse.
The document used English, I blame the creators of the English language -- England. Those darned Brits!
Al Gore speaks English -- the language used by the worm! Al Gore should be sent to England and then we should Nuke them.
Hey, If there was a biological agent out there that would kill all the stupid people -- Bring it on!!!
or, is it only when it actually spreads,
or, only when it actually does damage,
or, when someone needs a high profile bust?
That way if i generate a GUID on my comp, and give it to you, unless you generate GUID's for a billion years you won't get the same one
Unless you copy it with a hex editor... in that case it will take about 5 seconds to generate the same GUID.
I'm sure they can get him for some sort of "malicious intent" charge, not to mention for any systems it 'damaged' (since time == money).
cswiii
(who isn't logged in all the sudden. strange)
Wondering if he actually spelled Melissa 'MELISSA'.
He probably spelled it M31iSS4
Mayhap when Linux actually has some of the apps I run I will move to linux. Till then WindowsNT works just the way I want it to on the hardware I want it to.
Kevin mitnick was put away with less evidence!
as far as the feds are concerned if you are suspected of hacking they can torment you and even kill you (I'll bet they think this way!)and definately take away all your civil rights.. Hell they dont even have to give you a trial..
Ohhh we live in the land if the free......
It's time for a new government, one that has no lawyers or rich people.
Go suck eggs- people who do things as you say make life harder than it needs to be for the rest of us- and gives security people heartburn. Do the rest of us a favor and go play in traffic.
Gregm
But MAC addy's aren't registered to users. They
are just registered to card makers. Assuming
the makers of the cards use MAC addresses to
do their inventory tracking (unlikely), the best
anyone could do is track a card down to the point
of purchase. In any decent sized city, that's pretty damn useless.
As an experienced programmer, security enthusiast, and white-hat hacker, I can state from experience that some viruses have a wierd appeal. Poking around with a debugger and looking at really beautiful self-duplicating or sometimes even self-modifying code is fun in a dangerous sort of way, especially when it demands an understanding about underlying PC architecture.
Reading a classic exploit for the first time is also thrilling--not because it's malicious, but because it requires a real understanding of architecture, because it is done in a couple of seconds--it's like understanding Gödel's theorem for the first time.
Melissa is not one of those cases. It is a crappy, ordinary VBScript macro that could be written by chimpanzees in a trade school class. It does nothing but eat up disk on mail servers and bog down mail exchanges on backbones that are already too damned overtrafficked.
In my humble opinion, Melissa does not deserve the attention that it has gotten from the media. It does not deserve the strange reverance that small-town newspapers have given it across the country. It is lame; it really hurts to see something of its sort receive such popular attention. Just arrest the bastard and get it over with.
Yes. But lost in this sub-thread was my original point. The originator of
this thread was whining because the virus writer's actions resulted in long
hours at the office for him. My point was that the fault for his condition was
(as much) the fault of the buggy software his company was using as that of any
virus writer. I stand by that assertion. If the company was not using lame
software, they wouldn't suffer from such easily exploited deficiencies in it.
And, by extension, neither would he. Duh.
The original poster's response (and so eloquently put, it was), was that he had
no choice in the matter. WRONG! Get a job somewhere where you're not tortured
by 16-bit wind-up toy applications and operating systems from a second-rate
company that has achieved market dominance by every means *other* than merit.
Again: duh.
Somebody whining about broken behavior out the effluent that issues from
Talking Moon gets no sympathy from me.
> However, the unique computer ID is stored in a
> Word document only once -- when the document is
> created. Even if a document is copied to a new
> computer, and saved under a new name, the
> original GUID number does not change.
So to install a fake GUID, all you need to do is start with an open document with the GUID you want, erase ALL OF IT, and start coding.
What is your point?
I was about to say the same thing. Seems like our fearless Commander Taco failed to read it as well! :) Or maybe it was just a bait of his to find out how many ppl actually read before posting. Hehehe...
Melissa Melissa... pretty scary if you think of how it exploits the trust relation between individuals (Important message from ) and natural curiosity (a tantalizing "don't show it to anyone else"-kind of message body). No wonder so many ppl fell for it. Its both a technical crack AND a social crack. Yikes! Got to watch out for such things...
Btw, I am wondering how CmdrTaco got the Russians to coordinate the article on Linus moving to Moscow. Was it a coincidence? (Pardon me if I missed his explanation in some thread - I only read the articles and not every comments.)
How embrassing it would be to see Melissa][ while the poor kid rots in jail.
;)
:p
Just a thought.
Death to all macros and id pins. Both are used to destroy your peace of mind.
So now because you can't decide what software your company uses, it is now the virus writer's fault for Microsoft's bugs? Please.
I think this just goes to show how much Windows sucks. It's pretty sad really. So sad...
Or, how 'bout the government owns all computers and "licenses" them to you. Hard drives are owned by the government and will be "inspected" from time to time to improve "efficiency."
*seems ms guid has some good sides afterall*
Keep it in perspective. I'm sure some illegal searches by the police with out warrants provide good results but.....
> I've had to spend too many extra hours at work over the years
> because of dickheads like this
No. Actually you've had to spend too many extra hours at work over the
years because of the deficient products emanating from Talking Moon.
Or did you fail to note that if one wasn't running Ms-Turd,
particularly in conjunction with Ms-LookOut!, one wouldn't have been
susceptible?
This is not to say that what the author of Melissa did wasn't
irresponsible, but the problem, from a practical standpoint, is the
software attacked.
But if you'd prefer to keep your head firmly buried in the sand...
Actually, "virii" are potentially useful (an application which has seemed to escape most of damn virus writers posting these things on the net). If you think of them more like "agents", then you could use them to scan the net for data, or to distribute software patches (gene therapy equivalent?). Of course, it would be a lot better if they used an "approved" method of providing agent services which didn't kill the machines they passed through...
If this is an email virus, then the guy can be tracked through mail headers. It shows what MTA's it's gone through. Then the use of GUID just kind of gave them the lead to look at the subscribers at the ISP. The only thing is, if this guy is smart enough to write code like this, wouldn't he be aware of the use of GUID? Just being careless? I don't know, but he hasn't been found guilty yet.
and a BASIC program, no less. glad i don't live there. :P
did anyone else find this amusing? "AOL, state and federal agents helped snare 30-year-old N.J. man"... it makes it sound like AOL is a branch of the exectutive government.
nt
Yeah, and I have mad respect for Sirhan Sirhan, Lee Harvey Oswald, Charlie Manson, Ted Kazynski(sp), and all those other high achievers.
Come on. Virus writers are criminals, no matter how much they try to fool themselves and others into believing that they are just 'advancing the art.' Yeah, and I just turned my truck into a rolling bomb. Ph33r muh e133tne55.
If you feel the need to be a groupie, try Torvalds, Cox, or ESR. Stallman, if you feel revolutionary.
From http://www.news.com/News/Item/0,4,34579,00.html?st .ne.lh..ni :
t .ne.ni.relq :
``The Melissa virus was introduced on an alt.sex newsgroup early last Friday morning...''
and from http://www.news.com/News/Item/0,4,34577,00.html?s
``The virus automatically spread to 50 people on Outlook's address list when the user opened the attachment that listed a number of Internet pornography sites.''
So you go to alt.sex, grab a message, open it with MShit Word, open the interesting attachment, and complain you got the virus? Too bad it wasn't AIDS... Give me a break! What are they going to charge the guy? Virtual sex without consent? The fact that MS forces you to bend over while reading a simple e-mail is clearly the culprit here. Seems to me like the FBI and the media want to unleash another witch hunt, while the real problem (that is, complete lack of security in MS products) is not addressed. Get a life...
Yup, I had lunch with him during his faculty visit just this past week. He seems like a very interesting and intelligent candidate. His recent (although not current) work involves a new technique for modifications to Internet routers for improved TCP-specific performance in real bottleneck areas.
:P).
No, we didn't talk about the Internet Worm fiasco (although I WAS dying to ask
hope linux doesnt do a guid db. I think its an infringment of privacy and being tracked is not morally right.
Would you feel the same if this guy was a biologist, and released a new deadly virus into the air? So, if your parents got the virus and died, would "they deserve what they get"?
This guy created and released this virus with the sole intent of illegally gaining access to users machines and fucking things up. I say that's pretty damn illegal. Throw the book at him.
> That is true, but it wasn't a well known
> hole that nobody had bothered to close
no, it was a (several) well known holes
that had already been closed
What did this person do other than write the code and make it publicly available(albeit in binary form only)? The FBI is making a manhunt out of this issue because they are worried that corporate america will get pissed with them. This is more screwed than the Mitnick case.
-Someone
They could use a security model similar to the one used by Java Applet's on the web. What they have now is basicaly like ActiveX's security model, but even worse (no signing). You *can* have security while keeping usefull/user friendly features it just takes a bit more work. Is MS up to the challenge? Do they care? Now that is another question.
Snoop Baron
I posted this further up on this board, Robert created a worm not a virus, Melisa is a worm not a virus, the media can seem so illiterate some times.
i believe this would be illegal under the Federal Computer Crimes act of whatever year it was passed. i mean, do you think that America would have come this far with technology and not outlawed the spreading of virii?
Why don't people read the article before posting? The GUID wasn't used in tracing him.
I must say I agree with you completely.
The new Melissa's are coming... and the next one won't be so nice as to just take down your Exchange server.
I can't believe how people are not seeing this.
Comparing a computer virus to a real virus is like comparing a computer cracker to a saltine. Just because two words are the same doesn't mean they are the same.
My cursor doesn't spew obscene words, my windows aren't made of glass, computer crackers don't go well with soup, and computer virii don't kill people.
When a virus infects your system you will care what the diffrence is.
Microsoft had to have something to do with this. Look at the timing of this:
1. DOJ Hearings, Microsoft Has To Settle
2. Pentium III Serial # Controversy
3. MS Word GUID Controversy
This was all Microsoft needed to convince the public and MS-centric IS managers that GUID's and the Pentium III ID are beneficial. This entire investigation centered around the GUID, when there were more reliable and better-logged methods for finding said culprit (alt.sex).
This is the kind of PR that Microsoft needs, because most people who buy their products are convinced MS is the end-to-end solution for all their needs. Even security, which this proves is lacking.
Microsoft will probably use this to launch several new features of their products that will cost a lot of money. People will buy them. They will not think twice. I would not even be surprised if M$ decided to make a firewall that is "macro-virus" proof. Their marketing people are not technical, and would make such claims.
This is all because of an M$ hole, and M$ probably exploited it to show how effective GUID's can be so that the public would rally for them, even when they are clearly not beneficial.
How does FBI define a virus? As a piece of software to cause harm with intent? Are buggy software considered harmful? If so, how do you establish intent?
I have DELETED MS Office from my computer.
Once I've installed linux, Win95 will be
next.
y'all are being to harsh, I thought the only people left using MS products were cattle ranchers and rodeo clowns?
Wow, it's Spectec Jr, I loved your columns in YS.
its a worm not a virus.
No technically The virus itself was compiled in VB so it actually cantains the GUID of the computer it was compiled on twice.
Now someone could have taken his previous docs and infected them but the Macro they used under normal circumstances would Have their Guid not the docs.
Maby someone can get around this with a hex editor I never use windows so I do not know.
The Guid Still has investigational value and violates the users privacy. Think how effective it is for digital evidence gathered in the past. Plus think how many are never going to apply the patch! There is still a ton of "erronious" data floating around in word documents even a year after that patch was published.
Besides Office is not the only place GUIDs are used. Next time think before you post and think twice before you defend MS.
Nope, he's already out on bond.
So much for fairness.
Those popups have crashed my browser before, which I consider DoS. Let's SUE!!! :p
- RF (dfelker@cnu.edu)
He was convicted immediately following the release of the worm. The original poster wasn't saying Robert Morris was punished recently... this is all long, long ago stuff.
Sounds to me like they had AOL use their logs to track down who was using the skyroket account when the original files were posted to the alt.sex hierarchy.
I understand that in situations like this, everyone is looking for somebody to blame. Unfortunately, the anti-microsoft sentiment is leading people to the wrong source of the problem. As a developer that owns a software company, I don't believe the software company is to blame for somebody exploiting holes in programs. Granted, Microsoft has less than impressive software stability, but I don't believe they're to blame for the virus.
If software companies were held liable for exploitations, you would soon find that software would become prohibitively expensive for the common person and potentially, for large companies. Also, you would also find that security software would no longer be sold due to the high liability exposure. It reminds me of a vaccination (I can't remember the name) that in 5% of children has adversed side effects but in the other 95%, protected them from a life threatening disease. The unfortunate 5% began suing the pharmatceutical companies for the adverse side effects and the juries were awarding huge settlement awards. It got so bad, the pharmaceutical companies quit making the vaccine because it wasn't cost effective anymore. When the last company making the vaccine tried to get out of the business, the government had to force them to manufacture the vaccine to prevent the potential loss of 100% of people without the vaccine (without limiting the liability awards). What will the government do when the last security software company tries to get out of the business because it's not worth it?
Let's make sure we're putting the right person on trial here.
I'm not saying I completely trust government, but at least their motivation isn't always trying to steal my money.
April? Tax-time? Stealing is a strong word, but it's damn close..
As any computer consulting company can tell you, there's a lot of money to be made in cleaning up after other people's messes.
And as any computer software company can tell you, there's even more money to be made in cleaning up after your *own* messes.
His goal was not to frame Your Boss Bill. His goal was to show how suceptable GUIDs are to forgery.
For someone who bills themself as an Alan Cox alterego, your response of "You idiot", was extremely lacking.
Anonymous Kevin
Oh great, Microsoft which lies, cheats and steals, fakes videos for court cases, makes bogus support groups for media attention, has a corporate policy to fake emails and news messages to slander other's products and increase support for their own...
They have your MSUID. They have more power than a small country. They make their own rules. They are accountable to no one. Are you scared yet?
Who do you want incarcerated today?
By any chance was this file attached to spam about high profile busts?
huh? It took some learning? um, have you seen the source code to this virus?
It's so simple! Just Visual Basic. No clever buffer overflowing and machine instruction overwriting or any tricks. Just "open outlook address book, loop through first 50 address, mail document, write virus to current doc".
I guess we ought to give Microsoft credit for creating the most feature-rich platform for virus development ever made.
so much for liberal thinking.
i don't have MS office and dont know Melissa virii so i can't jump into the discussion. But what is THAT? you mean a guy can't sell a book to tell his story? a guy can't earn a living for what he knows?
i don't think there's any ground for criminal chargest.
I'm sure once you get yourself in the slammer, everyone else will see how much fun it is and do the same!
Perhaps you should be shooting your own ignorant users. Don't go into a brothel without a condom and then complain that you got some nasty disease. ;-)
Macro Virus free, PLUS
Does everything M.S. does plus gives you a choice of OS....
This guy has been charged with "disturbing the public communication", which can put him away from 5-10 years and will cost him $150,000.00 in fines.
Is the author of rm negligent if you run as root a shell script that contains 'rm -r /'? Maybe the author of the shell is negligent for executing it.
I consider virii to be only slightly more malicious than security exploits, and neither are really harmful if they are public knowledge. To arrest the author of a virus just for writing it is wrong. To arrest a malicious distributor of a virus is somewhat justified, but I'm afraid it will be taken to an extreme.
Making virii illegal while not fixing the broken software that helps propagate them is just dumb.
They place a minielectronic device that lets them know when and where you're computer is located. I'm not joking either the technology is smaller then your pinky.
Right now None of this anti-privacy BS is good, not NOW. Maybe in the future when we become a society more like star trek, but giving this kind of anti-privacy ability to these cannibal companies who have no morals or ethics, is pure insanity, it will be abused for power.
I disagree, its more like buying a car and not expecting it to break down when you have to actually drive it for a long period of time.
Why do I say it this way, because virus and worm creators have been in the computer world for so long they are almost a force of nature. Its psychological really, people will be crazy and will do this reguardless of law. Security is important if you don't think so its like saying"why should I buy insurance if every one else is a worse driver then me?", well the obviouse answer is in the question, everyone else is a bad driver, you don't know what will happen on the road. All the ones who have created viri and worms in the past have shown us where the mistakes are in our software, with out them we would all be vulnerable, the people who build virus protection where once people who created viruses them selves. Another thing to think about, imagine if the US government actually trusted people to not hack their computers and kept all their data (eggs) in one network (basket), if there were no hackers/crackers/viri and worm creators, the US government could have fallen under attack by someone eventually and it may have been a foriegn invader (like serbia), they would have been able to steal information from the US, with out the effort to break in and/or destroy, there would be no effort or knowledge of how to keep out and protect, all of us would be way more vulnerable then we are today, today we have virus protection programs, most systems are pretty secure. Closed source programs are the worse, since NO ONE but the creators of the software can fix security holes, BUT it doesn't mean hackers could not reverse engineer it and find holes that way, Open Source software has many eyes looking in it for security holes, and if someone finds a security hole more then likely its a contributor, ABOVE all else, there are no purposely hidden security holes that steal private information from your system, because every one would see the source code and know about it, closed source programs dont do this, and only if someone reverse engineers the software will they be able to find holes in it.
The ability to be an irresponsible twit and be protected by law is what makes America so grand. The author didn't really do anything wrong, and I think that the FBI has the wrong person.
Correction: the GUID does not identify the creator of the document. The GUID
can be linked to the network card on the machine where the document was created,
OR the registry on the machine where the document was created (for machines
without network cards).
Like I said before, the Microsoft GUID only identifies the stupid/careless, since it is trivial to forge with a hex editor.
Yeah but, your average user probably has no idea what a macro is, or what it is capable of, and seeing that the mail would have come from one of their friends i'm not surprised everyone says yes. And besides the fact that it prompts you does not make it legal, its not like it says "Hello i'm a virus that will infect your machine. Do you want to run me?"
Just because you, and most people replying to this issue have not had any real issues with a virus, it does not mean that they do not do any harm.
The melissa virus as harmless as it was managed to bog down email servers at many major corporations, this does cost them money, and not all were being run by completely inept people either.
Computers can be used for extremely sensitive, and time dependent information. If one of these computers goes down even for 15 minutes, even if it does not lose any information. There can always be the potential for great harm.
Remember what a is a prank to one person can have serious consequences for another. So while you might use your computer for low level stuff such as cruising the net and reading email, not everyone does.
However non of this should validate putting tracking numbers in comuters or software such as microsoft or intel have done.
Does effect us kept several of my mates occupied ridding it from M$ setups + some were impossible to reach whilst the clensing was being done.
If they've got the right guy, castrate the bastard. No a better idea drop in Serbia.
He didn't just "give" the virus to someone on a floppy, he initiated its widespread dissemination. As a result, it had a negative impact on systems that did not belong to him, disrupting e-mail, and at times, even crashing the servers that were affected.
Actually, I thought the whole thing was damned funny.
The idea of a macro going off when you open a document to me seems quite stupid and useless. Why on earth would you want an 'OnOpen' sort of even to fire, in a f-ing word processing document!? M$ screwed up by putting that bug in there.
MS is fully aware that their startup macro feature is being used to create viruses, yet they have made very little or no effort to prevent or stop the creation or spread of the macro viruses.
MS could have set Office so that the startup macros were disabled by default on install, and you had to turn them on in the rare chance you were going to use the macros for something other than viruses. MS could have made a dialog appear warning you when a startup macro was run, and told you exactly what the macro was doing. Or a dialog that appeared and warned you if a macro was about to modify another file.
Yet they've done nothing, so the viruses have gone rampant. Couldn't they at least be charged under some kind of law similar to the one that put Jerry Seinfeld in jail?
I think that at the very _least_, we should file a class action lawsuit, so that justice can be served. Everyone who bought Microsoft Office would get three dollars and an MSN CD with 10 free hours, and three lawyers get $55million each.
A coincidental connection to the self proclaimed creator of the internet? I think not.
and now, RM is a CS grad student at Harvard. or so i've heard.
hmm.
The US changes. When I was in high school, not long ago at all, I created a small bit of fuss by giving out disks full of explosives information. The fuss quickly ended when school and law enforcement officials realized that I was doing nothing illegal. I've read several stories in the past couple years of people in the same position I was in being arrested for the same thing, and in fact it being treated as a very serious crime.
They will search to find a law fitting for the Melissa author. And they will succeed, because society (including the police, prosecutor, judge, and jury) are afraid of him, and want to destroy him.
All the M$ drones out there should be breathing a sigh of relief that nothing worse happened. This should also demonstrate to them how $#ity M$ products are.
Autoexec macros in documents with the power to do anything? What the hell were they smoking when they thought that one up? The best part is that they are so easy to write. My cat could come up with one (and my cat is really stupid).
I have heard about nothing in the media suggesting that M$ should be to blame in any way for this mess. I love the MSNBC take on it, about ten different people saying "Oh, no! M$ isn't to blame. They were just trying to make everything easier for our moronic sales department."
Microsoft's success can be attributed to one thing: they never underestimate the stupidity or the bad taste of the public.
Does that mean Geocities can be prosecuted for those annoying pop-ups?
It is harder to fake a GUID in a word document than it is to forge a usenet header.
Bullshit. It's easier.
It's unfortunate that UIDs have been used to
catch this guy. Now the snoopers have some
new evangelism to use in furthering their
agenda to cram surveilance down our throats.
I think it would be better if system security
made virus writing less rewarding, less feasable.
We don't need any new "Cracker Laws" or "Jack
Boot Technology Thugs" to protect information systems and thir property. I suppose a big
enough "Computer Crime Army" could make even
MicroShaft platforms secure, although most of
the Hacker/Craker community would be behind bars!
The Microsoft GUID doesn't identify anyone, since it is trivial to forge with a hex editor.
Microsoft guid was used to track down the origin of the virus. What i cant understand, who's that stupid that he pays for a ms products AND register it when he use it to produce malicious code ?
This can't be true. If the guy knows the internals
of the latest ms products he should also be
aware of the GUID.
They knew when adding the code to their office suite that people could use it to do just what the Melissa author did.
Yes and no. The developers probably figured out that this was a possible consequence of allowing a Word macro to send email. The Marketing droids (most of which are still having their secretaries type and distribute memos 'cause email is too difficult a concept for them to master) probably said "look at this cool feature we can add to our feature list!" And this being Micro$oft, who's opinion do you think prevailed?
Sometimes I think the best thing about Open Source is that it does not have a Market Department... yet.
Privacy is guranteed by the constitutuion. The protection from unreasonable search and seizures is how its phrased.
Jeez, if I thought the FBI might arrest me, I'd dump the equipment far away from my appartment. The FBI are investigating and the best he can think of is to stash his computer 50 feet from his appartment? God damn, and I thought I was lazy. If that was me I can guarantee you the computer would be in a dumpster in an alley in another state.
Getting a virus through email in most cases is natural selection. If you get an attachment from someone you don't know or weren't expecting something from, don't open it. Common sense.
Yep, if the original author covers his/her tracks well, it will impossible to find them. A GUID ain't worth the bits it's written on.
ZDNet is pretty clueless for spouting their conjecture about the case.
The virus was deliberately created to disrupt e-mail networks.
How do you the intent of the author? (unless you wrote it?) Maybe it was meant to promote that site.
The new Big Brother scheme by Intel has everyone so freaked out by the "invasion of privacy" but it wasn't Microsoft OR Intel who put the "globally" unique MAC address in your network card. The MAC address is incorporated into the GUID that MS stuffs into the Word docs.
Most malicious programs won't give you a yes/no popup, if the program was an executable it would run and wouldn't ask the person if they wanted to run it. Perhaps Microsoft should implement an "Are you really sure you want to run this?" popup after you hit Yes the first time.
Did anyone notice /lib/libuuid.so.1 in all Red Hat installations, and probably most others?
Granted, it is installed as part of e2fsprogs. It's used to give your disks a serial number. One imagines the existence of your network card ID on your disk would not bother anyone.
But CORBA also uses UUIDs, assigned by a similar algorithm, possibly even the same one. And CORBA is used by Gnome, KOffice, and mod-CORBA for Apache.
Getting the picture yet?
Maybe it is a conspiracy, why on earth would they call it a virus when its a worm? A Virus is much worse to a user then a worm, the worm simply uses your email account to emai itself tol others, in that way it doesn't do anything harsh to the end user only to the email accounts, a virus literarly screws up your system, so why on earth call it a virus and even go as far as to suggest its as bad as a virus.
One word: ITAR.
Could MS have authored the Melissa virus to gain support for GUIDs? I love a good conspiracy theory - imagine this: A few days prior to the virus everyone was complaining about GUIDs. So MS decides they need something to show how good they are. They write a virus that damages MS products. Then they report on MSNBC that the culprit was caught using GUID. Now they are justified in including GUID in software.
In this case, not if he's smart. Considering all the fuss in the news, he has probably destroyed the NIC he was using and replaced it with a new one, and deleted or converted to a new format (or the new GUID) all of his word documents.
If it wasn't for the Hacker community you wouldn't be posting to Slashdot ya freak. But if my Hacker/Craker ( spelled wrong I might add ) you meant just Crackers well then pardon my misinterpretation
Way behind you.
Obviously you've never lost critical data from viruses. If someone writes a virus that INTENTIONALLY damages/overloads/DOSes some system, thats vandalism or worse as far as I'm concerned. If it costs a few days work by sysadmins to clean up a mess caused by some malicious program, the author ought to be liable for the cost. And if systems are damaged, even more so. Lack of understanding, my rump. It doesn't matter that "only" a "stupid person" would fall for a virus, whatever that means- it matters that the virus was written to damage/exploit/DOS systems. Whats the difference between me coming over to your house and reformatting your hard disk when I say I'm copying in a document and a virus I wrote doing the same thing? I should be liable for both.
Writing software that damages/exploits/DOSes peoples systems should be what makes you FEEL WRONG.
Gregm
Forget the criminal aspect... The civil aspect is that all of the companies affected can sue to recover costs and damages for the effort to control and cleanup the mess. This guy won't be able to own much more than a car and his clothes for a long time.
It is the fault of the person who wrote the virus, and no-one else. Whether or not Microsoft made it easy to write such a virus is irrelevent. As an analogy, suppose you leave the keys in your car's ignition, the doors unlocked, and the windows down. If someone comes by and steals it, he is still guilty of that theft, no matter how easy you make it for him.
Besides, the criminal liability is paltry compared to the potential civil liability that the person who wrote the virus is subject to. I don't know how much was lost productivity there was as a result of the virus, but I'm sure it's in the tens or hundreds of millions. Plus, civil cases don't have the same stringent requirements for a guily judgement that criminal cases do; the OJ case provides the perfect example.
Forget about that Ms idiot. Visual Studio sucks so bad, i don't even wanna start.
I'd like to get a copy of Melissa (i heard of it on Jay Leno show, that's how much i know.) and see if i can find the GUID, whatever that might be, and i'm sure it can be edited. i don't believe they will put any strong encryption or stupid things like that.
but the hard part is: how do we know bill gate's network card ID?
(My view may or may not represent my hatred to microsoft suck-ups.)
Arresting someone for virii creation doesnt' set right with me...
I, too, have only had one or two "problems" with them
since I started out on PC Compatables back in 1989.
If you don't have a clue, I'm sure viruses can be a real
problem. But they've never really been more annoying than a
4 year old child whining. To ARREST someone and charge them
CRIMINALLY...seems not so right. Publically ridicule them?
Sure. But throw them in jail? No. A fine, perhaps,
but anything worse is a gross lack of understanding of the nature
of viruses. I can't explain myself any more than that. It just FEELS WRONG. >:(
Bill Gates is "Big Brother" and the world will
be a better place when everyone just gives in and
lets him make all our decisions!
Another atempt to destroy the Cyber-community. This time they got a worm (which is a very old concept) which is also a word virus (also very old) and spreads through e-mail (old again). Then they create a big media hype on it. I wonder which law will they try to make based on this incident.
I'll try to keep it simple so that your tiny brain can understand.
I agree with you, VBA seems to be a good idea. The problem is that it is powerful (in the sense of what it can do to the system) and so you want to have some safeguards, which are completely inadequate right now. Oh, and by the way, I'm not saying you should just carelessly restrict your beloved VBA, just restrict it in potentially dangerous situations, like another guy suggested, by adding one more level of protection. But there ought to be better ways, and MS has tons of money to find a good solution, if it wants to...
You may not want to have these safeguards, since you seem to be a highly intelligent and attentive person, but I'm pretty sure there a lot of people out there who would just die for them. A pretty good guess would be the folks from the company where 60000 computers were infected (can you believe it, *sixty thousand*; they must have worked very hard to gather so many morons under one roof. But running MS, what can you expect?).
Unix has some fairly good protection designed in the system, while MS, perhaps because of problems of compatibility with Win95/98, has only merely added some band-aids. So, it's not just a mere of being hypocrite, it's a matter of being rational.
But MS will get there someday, after all there are a lot of morons paying big bucks to it. So, don't worry, by the time you finish high-school MS should have already more decents way of dealing with this problem.
I'm no lawyer, either, but I can say that you are way off. By your logic, Timothy McVeigh (contrived example..) would not be prosecutable if the FBI used chemical tracers in the explosive to trace back his purchase of explosives, on account of "I thought my bomb purchases were private!"
I constantly see people in general, and especially on Slashdot, ranting about their so-called privacy. First, privacy is not guaranteed in the Constitution. Secondly, "Privacy" is really actually a very narrow concept. Much everything you do in the Public Realm is fair game for investigation and exposure by anyone and everyone.
As for 'Expectation of Privacy': Perhaps Macy's can't watch you changing in the dressing room, but I'll bet they can strip you naked as soon as they notice you're shoplifting, just the same as Customs Agents have gotten away with worse when you re-enter the country. Granted, that is changing.
Create a new virus (based on mellissa or mailissa or whatever it is) forge the guid to be bill gates
and then show the world how stupid they are for using the guid for any real purpose..
And rewrite gcc with boundary checking on arrays for the buffer overuns.
I remember hearing something about someone adding this to gcc, I haven't heard much about it lately though. I'm sure there's a version to download somewhere out there.
Hey... this could be a way to crack down on spam emailers. I mean, don't spammers violate pretty much the same laws as this guy is charged with? Theft of computer services... if you go along with the idea that unsolicited and unwanted advertisements consume CPU cycles and resources on the RECEIVER's computer, it could be construed as theft of computer services. All the other charges like conspiracy to steal computer services fall from that. Would it work? Couldn't you get lots o' cash if you win? If somebody wins one case like that, wouldn't the spam industry pretty much get too risky?
Not a security hole? What are you smoking? So the only thing that stands between your system and a remote user while you are reading an e-mail is a yes/no question? Good grief. You need a reality check.
Hmm, isn't this exactly what is happening to (cr|h)ackers like Kevin Mitnick and Bernie S.? I recall reading that as part of Kevin Mitnick's sentencing is that during his (wasn't it three year) probation he wasn't allowed to so much as touch a computer.
And Bernie S., IIRC, was (is?) doing time for simply having in his posession a device which was not illegal but violated terms of his probation.
You're right, it cannot. My point is that all that stands between you and a potentially massively destructive virus is a yes/no answer. The problem is that VBA is *too* powerful for something like reading e-mails from remote users. It would be much better if you had a restricted version of VBA to do that, one where you could have more fine control over what is run and what is not. You don't want the users to jump over too many hoops but in this case there is only one tiny one, for both your users and malicious users. Maybe someday I can hire you as the unemployed sysadm to configure the systems of my enemies. However you cut it, it still is a security problem.
What pisses me off is that the very same people who bashes Unix for some of its potentially insecure, but sometimes very useful, features, like remote command execution, are the ones that deny this security problem in Word.
Assuming he was traced by the GUID you'd be right. Unfortunately it appears you didn't read the article since he was not traced by the GUID.
I'm a die hard linux user, but I think an out of the box redhat linux machine is much more vulnerable to worm type viruses.
Every few months we see a new buffer overrun exploit for linux [ftp daemon, imap daemon, nfs daemon to name a few] to allow a remote user access to the local machine. And even more often we see a buffer overun exploit to give the local user root access.
And since many people still use telnet to logon, a worm could simply start sniffing the ethernet traffic for even more boxes.
The only real solution to this sort of problem is to have a cryptographically strong tcp stack, that authenticates all connections before acceptance. Furthermore, requiring that all binaries be signed would be another nice step.
And rewrite gcc with boundary checking on arrays for the buffer overuns.
I'm probably the only one that feels this way, but I was rooting for our virus author. The real fault is in the gross insecurity of the Microsoft software, or perhaps in the over-reliance on Microsoft software. Discussion on zdnet was vastly in favor of torturing this guy to death (I'm quite serious. With punishments like feeding him into a meat grinder.) This arrest will only bring support for the GUID (and general consensus that privacy is a bad thing), and our virus author, who really did nothing new, will probably receive a punishment vastly in excess of the amount of maliciousness that went into his "crime".
When did that come out? 1987? and your new OS still has a problem with it. You would think MS would fix these lame problems, But they know people like you love to bend over and take it up the ass, then you come back next year and still buy the newest version of their OS.
MS just LOVES this...now they don't have to fix any more of their BUGS..anyone finds one they will just send out the FBI!
You should be happy he was in a nice mood. He could have made it mess with the files on your HD or have it wipe the whole damn drive! Ive seen Word Virii that FTP files to the bad guys computer, this one just sent out spam.
BTW: if you knew what the hell you where doing you would just set the BIOS in your PC's to make IDE0 the 1st boot device...and not the A drive. Boom, no more boot virii problems.
Could someone please explain what MS GUID *is*?
This guy if cought so quickly is NOT a hacker (any that get cought lose the hacker badge) Good grief, only an ankle biter or newbie would upload a virus via his own account and his own home phone number!!! And I dont understand all the hubub about it anyways... All it does is prove that microsloth makes extremely crappy software. when I first saw outlook I told my boss that I will quit and take the whole IS department employee base with me if he even suggests using that crap. He complained and I said, "why dont you tell the board that you want to make it easier for our network to be compromised, because if you dont I will." and that shut him up. Am I the only one that has a IS manager that is a complete moron??? I personally want to give this guy a medal, it's about time someone proved what we all have been screaming all along, all MS products are as secure as a paper bag! MS knew this security hole was there and refused to give us a nice way of disabling the dang thing so that moronic users cant turn it back on... In fact I was told, "that would be impossible to impliment" just like getting rid if IE4.0 from win98..
Oh well, I just smiled when this happened, and I'm still smiling!!!
Well, since both a GUID and a MAC address are easily spoofable, the author would have to be a fool to have his/her actual info in the thing....
Itsa the people who clicked on the email who did wrong, think bout it.
Did the Atom bomb inventor(s) get charged with 200000 murder charges? no... Did the guy who make the gun get charged no?
Personaly, this guy if guilty should have hidden his tracks a lot BETTER and done everything from library computers, what a weener!, oh well, the source is out, and free to be modded fixed and made more evil to be released AGAIN by ANYONE.
HAHA
is insecure by nature, why hide your code unless you are embarrased, or afraid of security holes. They could make it open source and still make money.
They have no proof that he wrote the virus. It would be trivial to frame him. All you need to do is change the address of your ethernet card. If somebody received a Word document from this guy, it would be easy to get the MAC address of the card along with it.
http://www.news.com/News/Item/0,4,34577,00.html?st .ne.ni.rel
I find it rather appalling that everyone jumps to comment about this idiotic post without even reading the referenced article from MSNBC. I'm not a fan of MS, and surreptitiously embedding IDs in documents that are associated with a database of info is clearly illegal. But if you read the damned article, they never traced this guy with the GUID. Hell, he probably had a pirated copy of Office anyway. This isn't a big brother case here, the guy was turned in by someone at AOL, who traced back a bunch of emails to the hacked account - at that point, the FBI and the telco clearly team up to find where this person was logged in from. Point is, they never used the GUID.
Fnkmaster
(no password)
How come no criminal charges have been filed for Microsoft's GUID exploit which sends information from one's computer, or a document created with MS Office, to some outside party without one's knowledge or permission? How is this any different from a trojan horse? It *is* a trojan horse. Or, could someone please explain why it is not and therefore not a proper subject of criminal prosecution?
Ms is not the only "trusted" software vendor which does this. Normally, cookies are harmless but used in combination with ActiveX controls embedded in programs and even documents, they can serve as relaying agents for information which is personal or sensitive to one's business.
Here some individual launches a macro-email virus and faces criminal charges, most likely. On the other hand large corporations do even worse and admit it and go unpunished.
The justice department case is a sham. These and other matters are criminal in nature. Some others include industrial sabatoge of competitors software (OS2, DRDos, etc). Industrial sabatoge is very serious, and carries the death penality in China and some other nations. Perhaps MS executive should be extradited there to face prosecution. At least some nations (India, France) are now banning the use of Microsoft software for critical national security tasks. Mostly because it's closed source and these nations want to insure that nothing fishy is going on with it (like the GUID stuff not to mention unreliability).
These are not technology issues, IMHO. Organized crime is still organized crime whether one is practicing extortion of labor unions and dynamiting competitors' factories or extortion of hardware vendors and sabatoging competitors' software with hidden OS gotchas.
Nothing could be a greater threat to freedom than the monopolistic racketeering by corporations and mergers into a national or international syndicate. Yet, those involved need not be prosecuted in civil court on technology and anti-trust grounds that are difficult for most people to understand.
Criminal activity like extortion, sabatoge, and theft of personal and business information is easy to understand.
Even if the "arrest" has nothing to do with the GUID trojan horse (nobody but the FBI knows yet)
in all the news articles the press is focusing too much on individuals who screw with the system mostly for amusement or revenge instead of the real culprits who should do *hard time in prison* for criminal racketeering.
It's time to take the gloves off and demand that criminal charges be brought against Microsoft. If not in the United States, then elsewhere.
From http://slashdot.org/articles/99/03/04/236243.shtml
"Indeed, some Linux advocates say Linux's small footprint, efficient code and lack of integration with surrounding technology is what makes it appealing. Muth disagrees.
'People want more integration,' he said. 'They want to take a bar chart from Excel and put it in Word. On the server side they want strong queuing and security. This is all done through integration. Linux has a low degree of integration. Linux is basically a big step backward for those two reasons plus others.'
I can just hear him saying "People want to have a Word macro send email to all your friends, without any confirmation from you!"
That's not even sheep behavior, you've moved on to lemming. Congrats.
Ever read "Civil Disobediance?"
Sorry, to be pedant, but he was closer. It's actually "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." I looked it up the other day for a report.
That same argument can be used against the MS GUID. Even worse, some people explicitly stated they didn't want their data transmitted and it was anyway.
In alot of states there are laws against purposely damaging computer equipment (probably from way back when computers were still curiosities, to protect them from tech-fearing luddites).
Great, so the dude gets off. it doesn't end there....
Because of this ruling, there will be binding legal precedent stating that Microsoft's GUID is an illegal invasion of privacy... this opens Microsoft up to about a gazillion and one (rough estimate) lawsuits. Not to mention that it won't look too good for the defence at the DOJ trial. I will be quite interested to see how this turns out.
Disclaimer: I am not a legal expert. My knowledge of the legal system comes from 2 high school law classes and wtaching Law and Order religiously.
- Adam Schumacher
cybershoe@mindless.com
N.A.R.T. #009
P.W.T.T.K.S.S.S.T.H.U. #001
I made my post based on the information I had heard from other sources, and just skimmed this particular document.
Again, sorry.
Anyone else think it's funny that Microsoft created the problem, and the solution?
My Freakin Blog
I don't decide what the users at my company get. I just get stuck supporting it. Gotta pay for school somehow, you know.
Next time, maybe you ought to get your facts straight before you open your cakehole.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
If I ever see another person with a copy of stoned, I swear I'm gonna have to go on a shooting spree.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
second-degree charges of interruption of public communication, conspiracy to commit interruption of public communication and attempts to commit those offenses, as well as the third-degree offense of theft of computer services.
Also of note is that the CNN article makes no mention of the MS GUID being part of the evidence that led to his arrest. Apparently he was tracked through an AOL account.
--
Is that the virus-protection industry, i.e. Symantec and Network Associates, is churning these things out to keep their stock prices up.
--
Robert T. Morris was convicted of violating the computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December, 1990, was rejected the following March.
--
1:387 net ring a bell? Used to run your board under OS/2? Black Angel user parties with black toe nails? hehe...
Mike...
rodent...
Tactical nuclear weapons are a viable alternative!
The Melissa virus always appears to be from a person you know (insofar as if you're in someone's address book, you probably know them).
And what's unreasonable about opening something you weren't expecting, if it's from someone you know? Personally, I wouldn't allow an auto-run macro to run even under those conditions, but most people probably would, and that's reasonable.
But what constitutes consent? When I received the Melissa e-mail last Friday, and MS-Word asked me if I wanted to run the macro, I said NO. Everyone who was hit by Melissa had a chance to allow or disallow the macro to run, whether by disabling the auto-macro feature at some previous time, or when opening the document. And everyone who was hit by it essentially said YES.
I'm not trying to blame the whole thing on the victims, but especially in this case, with Microsoft Word explicitly warning the user beforehand, it's hard to determine where the line should be drawn.
Posted by Disillusional Dennis:
The big deal for my company was two or three full days of unexpected, unscheduled, unenjoyable work for 1 Security person, 2 PC techs, and 6 help desk staff persons. The real kicker is that we don't even use Outlook as an email client. We still believed that we should remove all malicious virus' from our systems. We certainly don't want to be infecting other systems with a virus due to our carelessness or lack of digital hygene. So now you add up all the time WASTED on virus eradication PLUS the time lost to other projects (yeah we have a few scheduled in 1999) and the Mellisa "prank" was extremely costly. I realize that we cannot send this guy a bill for this time wasted so I am clinging to the hope he gets what he deserves in some darkened corner of a jail cell.
Posted by pARODY - oberphlow:
whether they prove he wrote it or not.. its not that easy to charge him.. they need to find intent, and the prove fact that he was the one who released it into the wild..
writing virii is as legal and legit as writing any common program.. its only its use that can get someone into trouble..
Posted by The Mongolian Barbecue:
What a moron. Did he even try to cover his tracks?
Because it can be used as justification for allowing "Big Brother" type schemes to prosper. Don't forget that the US government has at times requested that wiretapping be legal without a warrant, not to mention key escrow and such. Despite the protestations to the contrary, the US government doesn't want you to have privacy, and this kind of thing may be used as good PR for those efforts. "See how good this is, whe caught a criminal because of it!" The next thing you know, the gov will be REQUIRING this. For the sceptics, remember the Clipper chip?
How about this. Some large, strong and very mean dude comes over and kicks your teeth right out of your ass. Is this okay because all the time you spent using the computer you should have been in the gym getting stronger and at the dojo learning how to fight?
Pull your head out of your butt and _THINK_ for once.
Personally I've been using computers for about 19 years now and it never ceases to amaze me the number of hateful, immature cretins who are out there who think it is fine to victemize those who know less than they do.
Boobies never hurt anyone. - Sherry Glaser.
I like the way people try to blame the victem for the actions of those who attack them. No wonder our society is going down the toilet.
Is the trusting old lady at fault when she gets swindled by a con artist?
Is the college coed at fault when some psycho rapes her in the park?
Are you at fault when someone bigger and stronger than you kicks your ass just because he feels like it?
The fault always lies with those who victemize others. They _CHOSE_ to commit acts againts others (be it voilent or otherwise).
Boobies never hurt anyone. - Sherry Glaser.
Blame the victem. You sound like a Scientologist.
Okay, try this: I give you a gun and you go target shooting with it. I didn't bother to tell you that the nice wood-grain platic handle is actually made of C4 and that when that first shot is fired the whole thing is going to explode and turn your arm into ground beef. Is this okay?
Or how about I distribute a new, and very complex code library for Linux that does really cool stuff and then when your not looking it suddenly fills your network with so much garbage traffic it bombs your network?
Boobies never hurt anyone. - Sherry Glaser.
TedC
Well, it's easy to say we have to educate people about computer security, but first people at large have to CARE about computer security. Most people don't care until security is well-broken (such as it is, if there is any at all) and it's become completely obvious that they're totally exposed. If there were some way to make it MATTER to people, maybe they'd care enough to educate themselves.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
after all, the '89 worm exploited a hole in sendmail.
That is true, but it wasn't a well known hole that nobody had bothered to close. Macro viruses have been around for a while now, and are just as big a hole now as when they were introduced. UNIX has it's holes, but when they are discovered, they are closed. Usually before anything really bad happens.
In short, Virus writer = criminal. MS != criminal. MS= crappy software? Not exactly news.
True, but that was an administrative failure. At least they had the opportunity to close the holes. You don't get that if you're still waiting for the vendor to acknowledge the problem's existance.
When virus writing will be outlawed, only outlaws will write viruses... :)
J.
Besides adding another line in the "common sense guide to writing virii", can we learn anything from this? Are macros necessary? If so, should we use javascript, java, VB (this is possible with Star Office, is it not?) I am personally tired of having to disable "features" on MS products. My fiancee says she needs Word for writing her papers. I wouldn't allow it on any of my machines. Now she uses StarOffice. I am glad I made that decision. It pays to be different.
_damnit_
It's my job to freeze you. -- Logan's Run
I went into it more fully href=http://www.slashdot.org/comments.pl?sid=99/03 /30/1344200&cid=915> here, but in addition to the federal law regarding release of virii, the law attributes the same intent to the natural consequences of your actions as the acts themselves. The use of the computers was a criminal trespass, vandalism, and a common law misdemeanor.
The Atari ST had plenty of viruses and it was a platform that was nowhere near as popular as any variety of unix, nevermind Linux.
The notion that Unix has less viruses because it's 'unpopular' is just weak Microsoft apologism.
A Pirate and a Puritan look the same on a balance sheet.
Yes it is. This is something that never should have happened. It never would have happened if the predominant consumer software vendor actually had to be held up to any sort of standard. They acted with gross negligence in safeguarding that property of their customers that their their software is entrusted with with full knowledge and forseeability of what has, does and would go on on the public computing networks.
This crap is ancient history, as old as bulletin boards.
It's no different than putting an exploding gas tank on a pinto.
A Pirate and a Puritan look the same on a balance sheet.
Hardly. Unix has always been about the ability to insulate the stupidity or malice of users from one another not about anarchy. That's the real difference here. Unix attempts to manage concurrent use and competing requiremnts wheras Microsoft just ignores all that with the obvious results.
Merely deciding that you are never going to open untrusted attachments is no more a solution than deciding that you are never going to run untrusted binaries.
What do you think gives us that freedom? Just as in other things, freedom does not come from anarchy but from just the right balance of chaos and order.
The order in Word/OLE is lacking. The ensuing anarchy results in the deprivation of liberty.
A Pirate and a Puritan look the same on a balance sheet.
Sure... you wouldn't be able to live without your virus perpetrating applications...
A Pirate and a Puritan look the same on a balance sheet.
Except Microsoft is catering to retards and encouraging their users to be retards.
Ruger doesn't do this.
A Pirate and a Puritan look the same on a balance sheet.
That's certainly bright: take a fellow who ideally should be able to pay off a rather large tort judgement and then interfere with his ability to make a living. Giving potentially very bright criminals nothing to loose is the height of stupidity.
Giving people nothing to loose is bad public policy, especially when those people are capable of causing havoc on a grand scale.
A Pirate and a Puritan look the same on a balance sheet.
This is the computing virus equivalent of a mild cold. It's little more than a nuisance and primarily serves to demonstrate to you just how poor your personal hygeine is.
You did know that most communicable diseases can be stopped by good hygeine didn't you?
A Pirate and a Puritan look the same on a balance sheet.
An easy mark is positive reinforcement for the criminal, period.
A Pirate and a Puritan look the same on a balance sheet.
Don't fuck with Microsoft.
How do you get arrested for exploiting a security hole in an operating system that lacks any kind of security? If the maker of that operating system owns all the world's computing assets. If you want to live on this planet, start kissing Microsoft's ass.
From the sketchy article it would appear that he was turned in by someone where he works. All this hype about MS embedding tracking features into Office is just bunk.
"Does that mean Geocities can be prosecuted for those annoying pop-ups?"
They should be. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
It sounds to me like he was actually caught by the AOL guy's identity he stole, the Sky Roket account. I bet AOL keeps logs of information on people when they log in, where they log in from, etc. And tho AOL wasn't able to stop the fradulent use of another member's account, they were able to back trace it's mis-use in the logs.
I think this is why they're "not discussing" the details. I bet it had nothing to do with the GUID, unless it had the SN of his copy of Word registered to his employer or something.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Heh, sort of a "license agreement" to run the virus code.
Take THAT microsoft!
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Security Consultant?
Cracking AOL accounts with AOHell and writing Word Macros hardly qualifies a person. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
To a certain extent, I agree. Not that it's good to break into systems to prove that they're broken ... but rather that when a vulnerability is well-documented, well-known, and the manufacturer continues to do nothing about it, sometimes nothing will bring it to the public attention but a massive exploit.
Compare this to the Netscan site, which lists networks which can be used to execute a smurf attack, because they haven't been secured against directed broadcast pings. On the face of it, Netscan is a huge resource for idiots who want to smurf people --- but far more importantly, it brings the brokenness of the networks to the attention of the sysadmins who run them, when they wouldn't have noticed otherwise.
Melissa is hardly a particularly damaging virus; it doesn't scrag your hard drive or damage your files. It does very little more than prove just how catastrophically broken certain Microsoft applications are --- Outloook and Word for exposing users to email-borne viruses that were once a myth, and MS's mail servers for crashing under load that Sendmail or qmail would laugh at.
By no means does this justify virus-writing. However, it places a good deal of the blame for the damage caused by Melissa at the feet of Microsoft and its unthinking customers. Buy a known-insecure system, get what you deserve.
The susceptibility of those Pintos to explosions was caused by oversights --- what we'd call bugs.
The susceptibility of Microsoft products to network-reproducing macro viruses is due to designed-in features.
Furthermore, Microsoft has known that macro viruses exist for several years now. They have done little to protect their customers --- little even to draw attention to the threat, because they don't want to be held responsible in the market for their design mistakes.
While MS might not be legally liable for criminal negligence or complicity in the distribution of the Melissa virus, they are definitely ethically in the wrong. They are bad engineers, not simply for making a shoddy product but for ignoring and denying responsibility for the shortcomings which are direct, obvious byproducts of its design.
The author of the Melissa virus was doing a bad thing in writing it. But from this bad intent comes not only the bad result --- users spammed, systems crashed --- but also potentially a good result: Microsoft being held responsible in the market for their product's blatant failure to meet basic security needs.
It's important to note that "real" engineers (like civil or mechanical engineers) are considered to be "professionals" (like doctors and lawyers) in most jurisdictions. This means that the self-regulating associations and accreditation boards of the profession are given special legal standing, and it's illegal to bill yourself as an "engineer" if you don't have an engineering degree, just as it's illegal to practice medicine or law without a license. "Software engineering" is not legally considered engineering.
(This is why some E.E.'s look down on computer scientists; it's also why software certifications with the word "engineer" in the title have gotten "real" engineers a bit indignant at times.)
Because programming is not legally considered engineering, even though IMHO ethically there are similarities between the wrong done by an incompetent or sloppy engineer and that done by an incompetent or sloppy programmer, I doubt that MS's programmers can be held legally liable for their shoddy work.
In fact, because the EULA on all MS products disclaims "merchantability for any particular purpose", it's likely that MS can't be held legally liable if their code does nothing at all, or even does something destructive. The only way to hold them responsible is in the marketplace --- by not buying their crap.
ifconfig eth0 hw ether DE:AD:BE:EF:F0:0F
Some device drivers don't support it, though.
Mailboxes are federal property. Destroying a mailbox is a federal offense because you are destroying government property. Don't play mailbox baseball.
Mike Mangino
mmangino@acm.org
While I agree with alot of the comments concerning the question over real criminality and how microsoft definatitly has a certian amount of due negligence. This post is probably the most interesting.
The only reason that this has not happened to the same extent with Linux, and Unix in general is not so much that it is not possible, but mostly due to the fact that the user base is slightly more technically knowledgable, and less likely to be caught by a similar trick. - eg. distributing a 'cool perl app...'
The fundimental question is really what sort of ietf standard could be applied to prevent this from happening again?
The forced re-entry of password check when sending out Userid (eg. non root) messages with over 5 to 10 recepients?
One of the major problems is that this type of mail type virus has not been considered by any of the rfc and ietf drafters.. It is a new 'concept', pardon the pun.
The outcome of various ideas to eliminate this type of attack mean that every major mail distribution system must be reconfigured. All clients would have to make allowances for the change in standards as well. - While this is not a big issue for open source, the effects of a major revamp of closed source applications is huge.
This little virus may be the turning point where the justifiablity of proprietry solutions in mail and information transmition goes out the window.
Hong Kong Linux Center home of squidblock, and other cool stuff
Worm, virus, who cares what form of low lifeform we name it after?
The fact remains that it was engineered by a form of lowlife.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
Two things are the big deal here.
/. effect pale into insignificance by comparison. To be able to DoS literally hundreds of mail servers in this manner, with such little effort, and not using your own bandwidth to do so is scary to say the least.
1) Melissa can, under certain conditions, infect another document and send it as an attachment to the list of fifty recipients. Thereby creating the possibility of distributing confidential information to those who have no right to that information.
2) It amounts to a mass DoS attack that makes the
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
"The real fault is in the gross insecurity of the Microsoft software, or perhaps in the over-reliance on Microsoft software."
You can't be serious! That's like saying "All he did was point the gun and pull the trigger - No big deal. The real problem was that the gun was loaded."
I do agree that gross insecurity and/or over-reliance on software is a bad thing, but exploiting them is just wrong.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
The GUID only identifies the original creator of the docment. Theoretically, I could create a e-mail virus by starting with a Word file originally created by someone else. By erasing the document, adding in my own malicious code, and resaving, I can "frame" the creator of the original document file. The GUID is created by the File|New routine.
It's only a matter of time before newer viruses are developed. There are supposed to be a lot of interesting features in Melissa: apparently it resets Word to read macros without prompting the user.
The fact that it advertises pornography sites is peculiar. A much more effective virus would advertise "Make Money Fast." Another good place to insert viruses might be in resumes. Some HR departments require the use of MS Word attachments. Many of them may well have their email servers set up in a vulnerable fashion.
So they can track us by our MAC address. Maybe we should all be changing our address. This would at least force them to create a database of the changes.
There are 10 type of people in the world, those who understand binary and those who don't.
First of all i would like to say that i don't have anything to hide.
But what i don't like the possibility that the Goverment can track you. Now by MS GUID, and intel PIII serial number.
Next, here in the netherlands they might implement a toll-way system around the busiest highway. So next the goverment can track a lot of my movement.
The already reported that somewhere close to 2001 they plan to use satelites for that.
At that time they can check the whole country. So i lost a freedom. The freedom to move somewhere without somebody knowing it. Because the goverment can track... That's what i hate about this stuff!
Offcourse my example only related to normal cars. But it's getting real close to the all seeing goverment!
Met Vriendelijke groet/Yours Sincerly
Stijn Jonker
The article linked to by this story says that he was charged with interfering with public communication. 5-10 years prison and up to $150,000 fine. He was released on $100,000 bail.
Shawn Asmussen
Look dude, most corporate users that I've run across know very little about computers but are forced to use them in their jobs. Why wouldn't the average persone "fall for it?" Do you think your Mom wouldn't open an attachment that a friend emailed her? What about your Grandma? Not everyone can be expected to spend the time and energy needed to keep up with technology. Most people just know what they need to know to get their job done.
I'm currently helping to migrate GM from Win3.1 to Win95. You know how much training users are getting? Zero. The only help they get is a brief rundown from me on where to find there apps before I move on to the next unit because I've got a schedule to keep. So what should these users do? Should they go to their boss and say "I'm not going to rely on technology I don't understand... here is my resignation." Or should they stay up late at night trying to master a technology that they have no personal interest in? Computers don't interest everyone y'know.
I've recently heard rumors that Morris has been interviewed by the MIT CS department for a professor/researcher position here.
Could be interesting...
The newer laws just make it easy to prosecute.
Since the earliest days of computer "cracking", it has always been against the law to use one iota
of cpu cycles on someone-else's computer in an unauthorized way. If this guy wrote a program
that intentionally did this, he broke the law as soon as one cpu cycle got used to open the
address book on the infected computer. The legal theory is that you are stealing the cpu cycles.
This is how people got procecuted in the '80's. This is the same legal theory that protects FAX
machines against SPAM, and you against telemarketers.
Proving that actions were unauthorized was kinda tough (you did open the attachement after all) so
they passed new laws making this easier to prove. Now prosecuters only need to show intent in that
you knew that your program would do this.
BTW:
1. unsolicited email is now illegal in several states in the US.
2. any time things cross US state lines, the feds get involved (interstate commerce clause).
3. public disruption laws have always existed (illegal to yell "fire" in a crowded room).
it may be but that doesn't excuse the fact that documents are given the control to do these kind of things. the scripts should be separate from the document and it's likely that linux heads would be smart enough to do it this way. i'm sure that even wordperfect does it this way.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
they still can't certify that he wrote it. the evidence is circumstantial at best. the id remains constant no matter who changes it. it's not a bulletproof id.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
very bad analogy. to the best of my knowledge, this virus killed noone. a proper analogy would be if this virus caused a nuclear bomb to go off.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
>>The GUID was invented by the Open Source >>community a while back, for use in RPC >>environments.
And? Do we still see it used much? nope. Did we all know it was there? yep. Did it go into all Documents and who knows what else that is made on that computer? NOPE
>> It's also
>>passed around in EVERY SINGLE CORBA OBJECT YOU >>CREATE.
How meny Cobra objects do people write? And when they do write them they usely take credit for it.
If you knew the place you where working for was doing something wrong and you wanted to tell the Media or the police/feds yet wanted to not be named would you want your GUID going into that Email/Document?
I have to return some videotapes...
>>it appears everyone wants total freedom with >>zero responsibility
Responsiblilty to WHO?! MS? The US GOV?
Why the hell should they know what I do on the Internet?
I got a better idea. Lets have the US GOV stamp BARCODES on our forheads. And put little scanners all over the place so they can track where we go and what we do 24/7/365. So if a store gets held up they can know who did it. What a good idea!
>>and we need to determine how to implement and >>use it.
We would have no say in it...get your head out of the sand.
>> I implore you to consider how? We
>>have police forces, the IRS, Social Security >>Agency, Credit Agencies and many other >>institutions that have our censent and the
Maybe you did...i didnt.
And remeber when they founded the USA and wrote the constitution that stated that an IRS would be illegal, but the US GOV changed that. Now the constitution isnt even worth the paper it is writen on.
>>...by trying to get rid of the GUID concept all >>together. I grant you, that although I do not >>know what all the flaws are, the current setup >>is most likely not an acceptable candidate for a >>final implementation of such technology
There is no need for a GUID system. There was never one befor MS and the world still turned. The simple fact is that if you still use software THAT YOU KNOW SUCKS, don't read the bug reports or secure your own systems you WILL get screwed. Why should we take away everyones freedom for a few DUMB and LAZY users?!?
This virii wasnt the 1st...and God knows it wont be the last to hit Word/Outlook yet people still this POS software.
I have to return some videotapes...
how is virus defined, is it based on self replication, is it formally defined at all???
Plus i mean is this guy prosacutable in the uk if he released it in the us?? just because it ended up in the uk does that mean he falls under their juristiction??
those are some cracked out bullsh*it charges. First off interruption of public communications, come on, is that like interrupting someone, besides the majority of that actual mail systems effected were private systems, like all communications in a capitalist system. as for theft of computer services this has got to be the most selectivly enforced law ever, i mean is any program that does something without your consent stealing computer services, was microsoft steal computer services from me by embedding my history into my word docs w/ out my knowlege and consent?
I'd love to charge them for that!
Im totally down, lets do it....
But this is such a broad definition of virii, i mean the only damage it causes is indirect, you might be able to prove that he wanted the mail to spread like wildfire but how do you prove that he both knew and intended for it to crash mail servers???
what is the definition of virus, legally???
Amen!
Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
Changes his name...... Hah, it's David Smith right now, come on I mean you could only get more obscure if it was John Smith. Vermifax
Vermifax
Logout
Hell yes.
Although I don't find the Melissa virus to be all that awful (it's just DOS, and pretty funny too), and I have some sucspicions about the whole affair, it is completely irrelevant whether or not there's a 'lock on the door.'
If someone steals something, even if it was unprotected, then he's still a thief. Of course, I still think that Microsoft ought to have been found guilty of negligence for such awfully insecure products years ago by someone. They are partially to blame, but that doesn't absolve people breaking into your computer just because it's easier.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Is it at all possible that Microsoft set the whole thing up? Well, this does come hot on the heels of the GUID contraversy, which they're taking a good bit of flack for. Could the GUID be more important to them than people had thought? (which would be why they'd be willing to try to save it)
And with all the press (even some in major media outlets), why didn't the alleged author (who's would be pretty smart to develop this virus) alter the GUID? (Caveat: If neither MS nor the accused guy in NJ did it, then the actual author is smart enough ;)
So Microsoft would have had to set someone up (who is a likely candidate for a fall anyhow; if I were Microsoft I'd look for someone who's written other macro virii, similarly trackable through the GUID database, pirates software, always quiet and kept to himself...) which would not be terribly difficult. After all, they're the only ones who have the GUID database and if they felt it necessary they could easily fudge it to point to whomever they liked, prior to it (or a subset of it) being entered into evidence.
And although I have not been directly effected by Melissa (I use a Mac, and pine on Linux, via telnet, for mail) it seems to me that it's just a very virulent DOS attack. The file it propagates is kind of funny, really. So why all the hype, unless MS (which is already known to feed reporters in the trades information, and could presumably expand their operation a bit) were to have been hyping it? And they sure reported early on the arrest of that suspect. Although this is all conjecture, it does make you think.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Microsoft are the ones that need to be arrested. They put out
packages that people find useful (Microsoft Word and Excel) then they deliberately engineer them so that anyone with half a brain can write a virus to disrupt processing. They then integrate this product with others so "You won't know where the desktop ends and the Internet begins".
If GM desinged cars like that, they would put the fuel fuiller pipe on the dashboard (next to the cigarette lighter) because it made everything easily accessible to the driver.
Slashdot: Where nerds gather to pool their ignorance
There is a big difference. In the 70s when Pinto
gastanks were exploding, it was not because a bunch of mechanics were running around lighting them on fire. And then blaming Ford for the resulting explosion.
ALL software has bugs. The fact that MS has more then their share is not an excuse to take advantage of those bugs. If the intention of the melissa virus was to point out those problems, why not simply release a patch to fix it?
Whoever wrote the melissa virus is a vandel.
The fact that it may be a 30 yr old vandel just makes it sadder.
I started with nothing and I still have most of it.
--
Rod Begbie done this, and he's not
It would be easier to trace who first posted the document to alt.sex than it would be to track someone by GUID. Or someone could just have grassed him up.
--
Rod Begbie done this, and he's not
The net can survive a few MIRVs but a MS-macro can cause major disruption? Just shows how fragile it is to internal attacks. You have to go to great lengths (physically break and enter) to disrupt phones, but one upload and the wonderful world of email explodes.
Face it, the guy was aided and abetted by thousands. And he demonstrated another huge security hole. They should give him a medal for teaching the sheep once again a very valuable lesson, for selling a ton of anti-virus software (a very good thing), and for adding to the mythology of the Internet. All with a 'virus' that DESTROYED NO DATA!!!!
I'm serious! You people who go on about how this guy deserves 20 years need to quit clenching your teeth so hard and take some Ex-Lax.
-kabloie
Why shouldn't the guy get upset? Doesn't he have the right to leave his doors unlocked? Does that hurt anybody? The argument that someone deserves something bad to happen to them because they didn't lock their doors or were walking in a bad area of town or were wearing the wrong type of clothes is rather repulsive if you think about it. It's just shifting the blame to the victim. A society where distrust of others is not only common but encouraged is a pretty sorry excuse for a society.
I believe the MAC address is hardcoded on the NIC. Someone correct me if I'm wrong. Is there a way to switch the address? I don't know of any way.
There was the gentleman who wrote the "Internet Worm" of 1988 -- IIRC, he admitted to it (he didn't intend it to reach the scale it did), and he was charged with something or other.
Christopher A. Bohn
cb
Oooh! What does this button do!?
As I read the article, the suspect was caught with the help of AOL, and the article mentions that the president of another software company linked Melissa's originator with VicodinES, and he claims the AOL account used to distribute Melissa was stolen from AOL 15 months ago ... but the link between the suspect and VicodinES is never explicit.
Christopher A. Bohn
cb
Oooh! What does this button do!?
What a lot of people don't think about is that many of us are stuck in "user support" roles at our jobs -- while I personally would love it if everyone here at my office ran (fill in your favorite alternative OS here), I can't enforce that kind of policy, so I'm stuck helping people who got burned.
:)
Yes, virii like Melissa help to expose the gross negligence of companies who put shipping dates and PR image before security, and I'm glad they exist -- to a point. But I hope people don't use the "down with Microsoft" rallying cry to flood the world with macro virii and screw your fellow hackers out of valuable time while we're stuck debugging office computers
Nothing worth doing is worth doing today.
Check out star office. Free, (for personal use) and besides being a bit slow, it isn't that bad. I have it for winblows and linux.
If ignorance is bliss, the world is full of blissful people
You know, it occured to me that what if M$ put someone up to this? Since the discovery of the id in the word docs and how no one wants it. Lets just say Bill wants to leave it there and have people happy about it being there. A small step towards id'ing everything.
Ok, so he hires someone to take credit and the fall for a virus that does nothing but be anoying. Ok, there are probably a few NT mail servers out their who took it hard, but it had no real dammaging characteristics.
Basicly it upset allot of business people, and gets them upset about viruses and how usefull the id was in finding the guilty person. They think nothing of privacy or how usefull that id could be to Bill. They do know it stopped the person who wrote the virus. Another small victory for Bill.
(This is all pure speculation, I have no proof of any kind to back it up. Just seems a bit coincedental for me)
If ignorance is bliss, the world is full of blissful people
Yeah, hah! That was so funny and totally original. I haven't heard that a billion times before. =P
My understanding of the GUID issue is that the Melissa virus and a couple of previous viruses shared the same GUID. Hence, a first assumption is to assume that they came from the same source. Then the task would be to backtrack the origins of the viruses until one reached a common starting point (like finding the intersection point of two lines). This is where the AOL comes in. I don't know what info AOL archives, but perhaps this may be the key to how they tracked down this guy.
I'm wasting part of today downloading virus updates on ppl's computers so I'm a little peeved by all of this.
Are you kidding??? Porno sites are HUGE money makers. Just like drug dealers, they offer you a couple "free" tidbits, and then sucker you in for a paying subscription. The way they proliferate (and send out their SPAM teasers), they've got to be making money hand over fist.
Your Servant, B. Baggins
The MS/Government alliance grows, and soon none of us will be able to see the difference, the future drawth nigh, and we must fight the MS GUID
(hmm when I see that it remindes me of MIS-GUIDED)
hehe, the MS division was only a diversion, part of a new divide and conquer technique just wait, a new wing of MS/Linux will pop-up named Winux 2000
and they will say GNU be damned....
*Icephish steps off of his soapbox*
Life is but a Beta test...
does the idea of them using the GUID so fast bother anyone else?
heres my idea:
ms sees that people are upset at the GUID "feature", because it basicaly destroys any hope of privacy for MS products. MS goes out, hires some computer hacker for 50g's and tells him to make a "trackable" virus. he does, it is released, people use the GUID to track him, there for MS can claim that ghe GUID is NOT a bad thing, because, after all it caught this nasty man that made a big bad nasty virus (that really didnt do anything bad if you were running a REAL mail server). MS is praised for embeding the GUID in all virus, score for MS.
i dont know... maybe i am paranoid.... but it sounds feasable to me.
Ok, maybe I've missed something, but I doubt it.
What is the freakin deal with this Mellissa stuff? I mean, really, if he'd written something that erased your hard drive, I'd be pissed like so many other seem, but really, it sends a list of porn sites to people under your name. Now unless you *are* the kind of person that would so that sort of thing, any recipient will be at least supicious (probrably not even that. It's gotten so much coverage that most will probrably recognize it for what it is w/o a second thought).
So why can't everybody just sit back and laugh at the joke. Ok, maybe he should even be proscecuted because it does invde people's privacy, but why is everybody so up in arms over this thing? It's ridiculous.
Now that the idea is out there (viruses spawning through email), expect to see a lot of this in the future. Already, two Melissa "clones" have started to spread.
The only real solution for now is to stop using the braindead Microsoft products that make this kind of thing possible.
What if we all take the virus (I have a copy if
you need one), and intentionally distrubute it,
making sure to commit the same crime as Smith.
Then, they have to arrest us all.
The human slashdot effect. We can shut down the
country. The whole freaking legal system.
Think of the possibilities!
-fb Everything not expressly forbidden is now mandatory.
whoa. that 50K bank deposit would be
interesting evidence, now wouldn't it?
-fb Everything not expressly forbidden is now mandatory.
>So why are people still using Microsofts >products? Are they stupid? Stubborn?
I use Linux as my primary system at home and at
work. I have been involved in Linux for quite
some time, and immersed in it since 1.0.9.
I have Applixware, StarOffice, and WP8. I use
VI as my primary tool. I am an accomplished,
vastly talented, and internationally recognized
authority on the system. A bearded guru, if you
will.
HOWEVER. I use MS WORD and EXCEL from OFFICE 97.
Since last Thursday I use them under VMWare, under
AfterStep, under XFree86 3.3*, under Linux 2.2.5.
Why do I use it? Because I am too lazy to layout
my envelopes, labels, business cards, and sheet music with TeX or whatever. I sincerely wish
Word would save postcript (portably), but, oh well. I'll probably keep using it, as I will
continue to use Quicken. Especially now that
I have a cool geek factor engendered by how well
it all runs under VMWare. So it's an expensive,
proprietary application layer on top of a free,
but not apolitical, os. It works for me. Are there people who would scowl at one for wanting
to keep zsh, textutils and find, as well as those?
Why am I this lazy? Because the tools to do the
job easily are there, and they happen to be an
expensive, proprietary solution, that happens to
have been provided for me. Except for political
concerns, I can objectively embrace this software.
It is excellent software, from a software technologists point of view. There are certainly
modes of operation for which Word is unacceptable.
An applications development platform is one of them, and that is what leads to situations like
Melissa.
In order to keep my sanity, I must separate my political from my professional life. I can merge
my artistic life with my professional life, but
not politics.
-fb Everything not expressly forbidden is now mandatory.
One has to wonder how long it'll take before someone decides that rather than do something like sending out 50 emails with a virus like this, they will do use the stolen machine cycles for their own use (maybe to crack passwords etc...). Sure, You wouldnt want to write a password cracker in VBA as a macro, but with machine speeds becoming what they are, one never knows.
-Hal
-Hal
At work our various branches were cut off by email for several hours while the inhouse support guys cleared virus infections everywhere. I spent a couple of hours going round our branch updating virus definitions and running scans on all the machines - a huge waste of my time, and theirs. Surely I'm not the only one stuck with working at a company that uses M$ products...
(on the positive side...we had the odd customer coming in with infections, all chargeable work to fix that - which is good for the company at least)
Actually Robert Morris graduated from Harvard and was one of the founders of ViaWeb an online store company that was snapped up by Yahoo for $50 Million. He went from net hacker to net millionaire. Interestingly enough he was head of Security for ViaWeb so I assume he's now running the security at Yahoo. For his 'crime' of writing and releasing the worm he got 400 hours of community service.
The power of technology is manifest in how it is applied within the social matrix.
Isn't the statute of limitations 7 years? Or does that not apply here?
"The things we wizards have to put up with."--Jethro Bodine
By making a hash where seeds are one or more CPUIDs of your cool PIII+ one will avoid these problems.
AtW,
http://www.investigatio.com
alexc
Join Majestic-12 Distributed Search Engine
One of the issues with the release of Melissa was its unauthorized use of personal information to propagate. So, Microsfot's misleading lack of mention of the GUID, or unauthorized use of personal information, to catch him is good?!
Joe
Joe Batt Solid Design
I think there are several charges, one of them being "Theft of computer services". Presumably this refers to the guy's invention being the immediate cause of many systems being tied up and clogged.
As most crimes, the main issue is intent to commit the alleged act, and that'll be what the prosecutor will need to prove. But that's proved immediately once it is established that the person arrested actually wrote the virus and actually released it "into the wild".
Jan Theodore Galkowski, (Oo) http://www.smalltalkidiom.net/ MySQL,PHP,ETL,SQL,MinGW C, and plucking the Web
First off A quick hi to Abigail who I still quote on my homepage even though I haven't known your addresss for almost 4 years.
Anways, the arguments against my argument are almost the same point I was trying to make. (I should just give up on written language and try writing comments in source code, less ambiguity)
My problem is with giving people technology that they can't or won't handle. Having been in charge of designing and implimenting a corporate network as well as training the decidedly "old school" corporate structure then in place on how to use it.
It's a common problem. You can't teach people what they don't want to learn. And from my experience even today most of the upper management in most corporations still don't want computers on their desk. They love having computers on their employes desks but they will kick and scream like the spoiled little kids they are if you try to teach them how to send e-mail.
If the level of computing competency in the world today was even half what it should be melissa would not have been possible. We need to stop teaching people how to use software and start teaching them how to use computers. Untill we got over this hurdle bringing computers into our lives on the level we now have them is foolhardy.
As for my other argument. I still say you get what you ask for. I agree that you shoulden't have to lock your doors. You shoulden't have to think about what streets you walk home down at night. But the world is not perfect. There are bad people (even though some of us have a hard time imagianing that). And what's more there will always be bad people. Afterall without evil how will you know what's good?
All I'm saying is that we need to rethink how we teach computers. No everyone want's to learn about registers, hex, binary, and all the nity gritty that happens every microsecond after you hit that power switch. But it's just as essential as learning how to walk before learning how to run. Personally I can name several subjects I would have rather not learned, but we require them for one reason or another.
In a world where computers are literally everywhere it's not asking too much to start teaching the basics of computing very early. And untill the people with lots of power agree we will continue to churn out uncomprehending lusers and things like melissa will become more and more common.
(I've taken more space than I feel I should be entitled to so I'll stop now. Besides this is an argument that can go on and on and on....)
--- Juggle juggle@hitesman.com
Since microsoft has been denying that you can use this feature in word to track users, it will be interesting to see what they have to say now. Yeah, this was a "good" use, but there are also "good" uses for tapping everyone's phone lines. This isn't any better than the PIII problem, it's actually worse.
On another note, I don't remember another virus writer ever being arrested. I'm curious as to what they charge him with... Theft of computing resources?
Would you do it for some scoobie crack?
Computers were meant to hack and be hacked. Virii were meant to do this also, just for the user. If people are so stupid to GET the virus in the first place, they deserve what they get.
This is just another one of the media's protecting the stupid people act.
Personally, I've been on computers / used computers for about 5-6 years now. How many virii have I had? 1. And know where I got it? It was on my DOS 6.2 disks that came from the small place that built my first machine. Since then, I've downloaded virii, played with creation programs, hell, even sent them to stupid people to infect them - and I'm yet to get one myself.
Welcome, stupid people, to the world of computing. We're not going to make it more safe just for you... you'll have to actually LEARN something in order to protect yourself. And maybe this'll make you STOP SENDING SPAM all over the place.
8Complex
According to an article on ZDnet:
2 34018,00.html
a -1.html
> However, the unique computer ID is stored in a
> Word document only once -- when the document is
> created. Even if a document is copied to a new
> computer, and saved under a new name, the
> original GUID number does not change.
http://www.zdnet.com/zdnn/stories/news/0,4586,2
More at Ars Technica:
http://www.arstechnica.com/wankerdesk/2q99/meliss
-- Don't Tase me, bro!
That was my point. If they claim the GUID is his, he it's very easy to say it was based on a Word doc he wrote 2 years ago.
-- Don't Tase me, bro!
Thanks for being one of the few to point out that Linux is not somehow magically immune to this sort of virus, just because it's not from Microsoft and it doesn't have 90% of the market. The bottom line is that Linux doesn't have a built-in certificate infrastructure or code-signing mechinism either (like Lotus Notes does), unless you count a PGP sig here and there. Many of you would still run something off of freshmeat even if that sig wasn't there. I have.
The one thing Linux has going for it is that right now the projects are being run by engineers for engineers, so security is likely a higher consideration. Microsoft has been berated by complaints about the macro situation in Microsoft Office for years, and there is no solution in sight. The nice thing about Melissa is that now they're getting the complaints from the CIO rather than from some random system admin. This has been a huge PR hit for Microsoft, which they deserve for letting the marketing dorks choose the feature set.
The fact of life with modern computer systems is that code and data are getting mixed up all the time, and furthermore are getting pushed down to the client, and who's to say that KDE or GNOME or even emacs is immune from this sort of attack. If Microsoft is to blame, it's because they've lead this movement to push the logic down from the back end system to the client platform. The Linux's community's response has been to pick up that client-side ball and run with it.
--
Business. Numbers. Money. People. Computer World.
Agreed. Although in the Linux world, if you asked "Run unknown macro Y/N?", most would probably answer a resounding no. So there is a "security fix" in MS Office, it just relies on the great unwashed users to press the right button.
--
Business. Numbers. Money. People. Computer World.
That's What You Get For Using Windows
Wait until someone releases a simlar virus that exploits emacs/pine/mutt/sendmail or whatever. Totally possible. Ooops - it's your fault for using Linux. Too bad, screw you.
Besides, it wasn't a Windows exploit, it was a MS Office exploit. Windows and IE actually have a certificate checking routine for ActiveX (although iit's pretty braindead), whereas Office has no security infrastructure, just some dumb Yes/No question.
--
Business. Numbers. Money. People. Computer World.
For every bad thing that happens in the digital world, there are hundreds of good things that go un-noticed or overlooked each minute.
Bad Mojo
"The purpose of writing is to inflate weak ideas, obscure pure reasoning, and inhibit clarity. With a little practice, writing can be an intimidating and impenetrable fog!"
--- Bill Watterson's Calvin from "Calvin & Hobbes"
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
How did you extrapolate that this person was caught due to the MS GUID? Was there another article you have not shared?
This is so true. In the Windows world, virii are a fact of life. No one questions the fundamental lack of OS security that allows this to happen, then MS creates software that fuels the fire of the insecurity.
Don't blame the ID. Don't blame the gov't for hunting this guy down. Don't blame MS. Blame the man who wrote and distributed the virus.
Had this virus been truly malicious, the damage could have been much worse. Admins breathe a sigh of relief today, but the technique still exists for any other idiot to use and exploit. Macro virii were novel one day, but now they are - I believe - the most pervasive kinds of virii. More people will write Melissa-style virii, and until the fundamental structure of MS Office and Windows is changed, or replaced, most users will continue to be susceptible.
If only there were a secure, reliable alternative to Windows.
Open Message to Bill Gates:
Bill, you must pull us from the dark ages of computing. Please bend your powerful mind to the creation of a new operating system that will save us all from the Bob Smith's (or whatever his name is) of the world. Call it Windows 2005, but get it here fast. We need it. We need you.
It's not an invasion of a system, it's an unsolicitied email, which isn't illegal.
Actually, I thought that uce was illegal in at least two states, and there was a bill in congress that would make it a federal offense. Since the email contained a list of commercial porno sites, as I understand the story, that would make it illegal, would it not (at least in those states where the law is in effect)?
Yeah, I had to reread it twice, too. =]
Is it just me, or is this a curious sequance of events...
M$ gets chastized for embedding UID#s in documents.
An M$ product bourne macro virus gets international attention for it's unusual ferocity.
The UID# feature is the means of catching the author of the nasty new virus.
Hmmm, all we need now is for that infamous M$ database of 'accidentally' gathered consumer information to serve as a key piece of evidence in convicting the guy.
-- What you do today will cost you a day of your life.
Yep, millions upon billions of people on this planet and they want a safe Internet so they can buy the shirt they're favorite TV star, or the car etc. They must be lead to believe the internet is not the wild wild wild west. That CorpGov LLC are in CONtrol. While this worm with a virus wormed its way across the little house on the prarie through its locked doors and windows, out into the barn. So sleep well my matrix dwellers everywhere, "the net" is really "the grid" and you just )experienced a power surge. ) ) ( ) ( ) ( ) ( ) ( )
an enigma wrapped around a paradox driven by a paradigm shift
OK, everybody jump on the bandwagon, this poor bastard sucks. He'll get nailed against a wall for what really amounts to a prank. A prank that cost lots of money, and kept lots os sysadmins up late, but still, a prank.
How long have melissa type macro exploits been known and extant? Nothing substantive been done by MS to curb them. No real seriosu efrforts undertaken by companies to see that their employees are properly trained in the most basic precautions against this sort of thing.
The US Government continues to actively fight the use of strong encryption to secure systems and privacy.
THis entier incident will get blown further and further out of proportion to villify all the bad "hackers" out there, and roust up support ofr tighter gevernmemt controls.
Sad, since Mccain Just came out in support of easing up on encryption controls.
The really wonderfull thing about standards is that there are so many to choose from.
There's a part of me that laughs at things like this...media frenzy over a relatively harmless virus that exploits MS codebloat. OK, I know it wreaks havoc for sysadmins out there, but still, this isn't much different than those phony virus warnings that go around every week.
Madison Ave. has pumped Americans full of the idea that they need to be on the internet, but they've left off the part concerning the underlying complexity. People should really be more informed about what goes on under the hood.
The Melissa virus is a good reality check for all computer users. Just like the unwritten law that you should never rely on a MS *.0 release product, you should never open any unsolicited email attachments. These are just a couple of the basic computing guidelines that everyone should know.
Slashdot: Liberal News for Nerds. Liberal Stuff that Matters.
I don't remember another virus writer ever being arrested. I'm curious as to what they charge him with... Theft of computing resources?
n dex.html) says: He faces second-degree charges of interruption of public communication, conspiracy to commit interruption of public communication and attempts to commit those offenses, as well as the third-degree offense of theft of computer services. I read somewhere that he faces 5-10 years in prison. Serves him right.
Here's what CNN (http://www.c nn.com/TECH/computing/9904/02/melissa.arrest.02/i
Gergo
Among other things, depending on your installation of MS Office, you may not receive the warning dialog.
Whether or not you receive the dialog does not mean you legally consent to whatever happens next, particularly since it exploits security holes most people barely understand.
The virus was deliberately created to disrupt e-mail networks. I don't think a Robert Morris "oops" will work here. Even an "oops" didn't prevent him from prosecution! This was a virus writer who had full knowledge of prior art and was intentionally exploiting security holes with no possible legal foundation to his actions. I'm not surprised he's been charged with about ten crimes (not all may stick).
But if I were him, I'd be contemplating a future paying back a multi-million dollar judgement from the civil suits that will inevitably follow. And if there's any justice, New Jersey will hastily enact a law (if they don't have one already) preventing him from profiting -- by selling his story or becoming a highly-paid "security consultant".
lake effect weblog
{Network engineer in Chicago--looking for work!}
Let's not be too hasty to isolate Microsoft ... after all, the '89 worm exploited a hole in sendmail.
Whether we're talking Microsoft, Linux, or whatever, the mere fact that something is widespread makes it an attack target. Microsoft should be more responsible about these issues, particularly since Melissa built on prior art in the virus "industry" that's been around for as much as two years. Don't they even pay attention to what's going on over there? There should be someone at Microsoft salaried for the specific purpose of spending 40 hours a week watching these guys!
The anti-virus companies didn't fare too much better in this one. There was a nice responsive activity but again, little prior problem-avoidance. Not that they can predict everything, but this one seems to have been obvious to at least a subset of virus writers.
The real worry is what's gonna happen when somebody finds a similar way to exploit the next generation of software -- MS Office 2000, or whatever -- and actually make the virus do something malicious. Like deliver a server killer, or print money. I hope security is in place before that one is released.
lake effect weblog
{Network engineer in Chicago--looking for work!}
But if I were him, I'd be contemplating a future paying back a multi-million dollar judgement from the civil suits that will inevitably follow. And if there's any justice, New Jersey will hastily enact a law (if they don't have one already) preventing him from profiting -- by selling his story or becoming a highly-paid "security consultant". From my cursory knowledge of constitutional law (I am by no means a law student or any such thing), I believe one could make the case that such a law, while not only unproductive and unjust, is in violation of the constitution. One cannot deny life, liberty, or property without due cause. He will pay his debt in his imprisonment and/or fine if he is found guilty. To make it illegal for him to hold a job in his area of expertise would be most definitely unconstitutional. It would be like saying that if you rob a convenience store, that it is illegal for you to shop or work there when you get out of jail. Unconstitutional, and stupid and unproductive. As far as his guilt, I think he should be punished. The only times that I can think of where a virus author should not be punished for his/her actions are: 1 If they never intended it to be released into the wild, and took concrete actions to aviod that from happening, and it was through the malice or stupidity of someone else that the virus was released. 2 If they release the virus as such. Someone who releases a program that is a virus and says "See this? It shows a security hole that should be closed. Do not run this program on your computer. If you want to see what it does and how it does it, either run it on an isolated system, or, here, take a look at the source code."
-Cheetah
Even if it were possible to file one against him, it should be dismissed. After all, that's what happened when someone tried suing Monoposoft for all the downtime they suffered when NT crashed.
Digital Wokan, Tribal mage of the electronics age
The Word GUID was not used to catch David Smith. The article itself specifically calls attention to this fact. Quoting:
However, Chris Bubb, deputy attorney general, said investigators did not use GUIDs, the unique identifiers embedded in every Word document, to track down Smith. Several published reports this week linked the Melissa author to other well-known virus writers by analyzing GUIDs.
So no matter how big-brotherish GUID may be, it was not actually used in this case to catch the actual culprit (note that this fellow, David Smith, is not linked in the article with any of the hacker-handles mentioned in the other articles which talked about who the GUID belonged to).
Editor Emeritus and Senior Writer, TeleRead.org
Hey, don't knock User-Friendly...I read that strip religiously!
Editor Emeritus and Senior Writer, TeleRead.org
And when I configure 2.2.x kernels for my machine, the only thing standing between the setup that I want and one without Networking or ELF Binaries support are yes/no questions. It's truly amazing that I can somehow manage to come up with a well functioning system. One can only imagine the flop sweat you produce when configuring yours.
As for macro viruses, I can hit "Yes, disable macros in this document" and Melissa can't do a damn thing to me. You already have to do three steps as it is: (1) Read the email, (2) open the attachment, (3) enable macros. How many hoops do you want users to have to jump through to get things done? If you're that worried, maybe you can hire an unemployed sysadmin to come to your house to read any warnings and type/click "yes/no" for you.
Cheers,
ZicoKnows@hotmail.com
Sorry, it just didn't. Anarchy? Please.
Cheers,
ZicoKnows@hotmail.com
No, a yes/no answer is not the only thing. First I have to want to open the email, then I have to actually want to open the attachment before I even get to the yes/no question.
I don't want a restricted version of VBA. I don't want to not be able to have remote command execution on Unix. Why is it that Unix is lauded for the freedom it gives the user, but when it comes to the platform that you hate, you criticize it for giving the user too much freedom? I apologize to everyone for the language, but do you realize how much of a fucking hypocrite you are?
Cheers,
ZicoKnows@hotmail.com
Ummmm, hello! You're probably the same kinda guy who would sue a gun manufacturer if someone you knew shot themselves!
The cause of your problem is retarded users, not virus authors. If there were no virii, your idiot users would still cause problems, they just wouldn't be easily found by VirusScan...
Forgive me for straying from the topic, but you've hit a sore point with me.
The Internet was not created to withstand a nuclear attack. It was created because the Advanced Research Projects Agency (ARPA) couldn't afford to keep buying tremendously expensive mainframe computers for every organization that was performing research for them. To solve the problem, they contracted with several organizations, including BBN, University of California and University of Utah to join their existing mainframe computers together. Ultimately, that became the Internet of today, after mixing in a good dose of PARC, NSF and a phone company or two. But the defense department never had any intention of using ARPANet, NSFNet or the Internet for any strategic purpose.
OK, I'm done ranting.
>it's an unsolicitied email, which isn't illegal.
Actually, he was arrested in Virginia, where spamming is illegal. And since he could reasonably be charged with spamming everyone who got a copy of his infected message, he could be up against some serious penalties if the state decided to charge him.
...which is a fairly straight piece (from MSNBC!) on whether or not Microsoft is to blame for making macro viruses so easy to write. They don't actually condemn MS, but they don't let them entirely off the hook, either. Check it out.
If you read what I said, I was making the point that Unix, and hence Linux is very popular, and yet it has few viruses. This is do to its solid security model.
-Master Switch, one more element in the machine
There are few, if any viruses that will affect unix. There is the occasional worm, but even those are few and far between. You might not be imune from spreading the virus, but it won't affect you. If you are really nuts about being immune, and protecting your data, Run VMS. The point is, Stop running crap os's and their crap apps, and you won't have to put up with the Crap. I run Linux 24-7-365, and it's on the net unsupervised all of the time. With a little reading, I have been able to secure it to a level where I am comfortable that it won't be hacked. It's been tried, but no one has been able to get in(You just have to love SSH). If you are going to drive on Public streets, learn to drive. If you are going to be on Public nets, learn to protect yourself. Don't expect the Govt to hold your hand, and don't expect your OS vendor to protect you. Your safety is your responsibility. As for the author of the Virus, I personally feel that 10-15 years is a bit heafty for a prank. Why put murderers away for only 5 to 7, and put a talented programmer away for 10-15. Something isn't right here. Anyway, that's my take on it
-Master Switch, one more element in the machine
But any holes that arise will quickly be closed. I sincerely doubt that there will ever be the danger of viruses for Linux as there is for WinXX. Anyhow, Unix has been around for almost 30 years, and it has many users and developers, by your reasoning, there should already be a large proliferation of Viruses for Unix, and hence Linux. I don't see that, and I doubt I ever will
-Master Switch, one more element in the machine
I was a bit shocked that they tracked him via his own phone number. good greif, I mean AOL sends me 1,000 of those free account CD things a week, there are pay phones, credit card # generators, hell, it is easy to just pull someone's line off the drop at the back of their house. he was clearly not thinking at 100% capacity.
What about the CERT? Didn't they have something to do with it? A task force of state and federal agents probably didn't do it alone. And, the article was by MSNBC, not, IMO, the model of journalistic independence or integrity.
It was all over state lines.
A class action suit should be filed against Microsoft for it's negligent behavior in not creating preventitive measures by the people and corporations impacted by this virus.
I don't think virus prevention of this kind is the realm of the IETF, it is the realm of application writers. Now, the IETF should make sure that all protocols are secure, which will help... for example, right now it is possible to spoof the From: address(the field is added on the client side... it's not easy to hide all traces of the fact it was spoofed, but for a non-technical user, it isn't necessary) or intercept email and add an attachment containing a virus to it. So, I could pretend I was someone you trust, and send you a virus.
But, there already is an RFC on how to prevent this - RFC2311 - S/MIME Version 2 Message Specification All email readers and writers should start supporting this(hopefully in reasonably secure ways such that you can verify any automatically generated email before letting it get signed!), so that sometime soon we even have the reasonable option of not accepting any email without a verified digital signature. (Imagine the possibilities for eliminating/filtering SPAM! Delete or filter into a separate folder all mail received from someone who isn't in your key ring and doesn't have a key verified by one of your friends!)
This is not true. No change in the mail distribution system is necessary to prevent this type of virus. Merely changes on the clients to prevent a script received via email from automatically emailing people. Note that Java already has protections against such things, whereas Visual Basic does not. Also changes to implement S/MIME so as to verify who sent the email, so that you know whether or not the mail was received from a trusted individual. (Note: This won't help unless scripts are also prevented from sending signed mail!)
--LeBleu
If you're reading this you're part of the mass hallucination that is Kevin the Blue.
Search /. for GUID to find some links. Briefly, it stands for Globally Unique Identifier. It was recently disclosed that MS Office creates a number incorporating the Ethernet MAC address on the machine and saves the resulting GUID in the registry and in any documents created by that copy. The real problem was that the registration process sends the GUID to Micros~1 who has been saving the data.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Sure it's federal. If it was written in one state and harmed a computer in another, that's federal.
I agree with your underlying premise that user education is one of the main problems in this type of situation.
n /script_fu/etc. in the powerful applications in current wide use. You make the fallacious unspoken assumption that bloated applications (similar to word/excel/wordperfect/photoshop/access/VB/etc.) are a necessity to the success of Linux. To state it more plainly you assume that for Linux to be successful it must be just like Microsoft is now (in which case why choose one over the other) -- literally that Windows is the only viable solution for computing. To that I say, why should a descendant of the systems from which MS products are so blatantly derivative attempt to close the circle and mimic the poor imitation?
Implying that VBA is a panacea, and that one day Linux is going to require a VBA-clone (at least as regards functionality) is patent bullshit. The functionality is present already in java/CORBA/Gtk/Tk/Perl/C++/OpenGL/Motif/Tcl/pytho
The functionality in *nix (Linux included) as regards interoperability and in-application programmability has historically so far exceeded (for nearly a decade) the laughable attempts MS has made in this area that your supporting argument is ludicrous.
The unfortunate downside is that, as bloatware vendors migrate their products to Linux to attract the $'s of the clueless masses they will invariably take the easy course: using the same broken solutions that sold on a faulty mass-produced system instead of attempting to re-innovate to achieve the "right" solution.
The warning is legitimate but should read: VBA is another "broken whore" (as a lead QA tester for a major networking company once described WinNT to me), and any further UserFriendly scripting solution on *nix should be developed with attention to correctness (security) than attention to bottom-line.
The beauty of the OpenSource paradigm is that a scripting solution (if the community has the need for yet another) will be developed which addresses these issues.
roundeye
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
"Several computer experts earlier this week said they had found clues linking the virus to a writer who uses the computer handle "VicodinES." Malley said Smith was "definitely not" the person who used that handle, but also said investigators believe he took two viruses, one of which came from VicodinES, and combined them with another virus to create Melissa."
See ABC News for further details.
"besides the majority of that actual mail systems effected were private systems". They don't matter much, what matters is were specific email communications systems that are expected to carry and or be the final resting point of official government communications effected? If yes, then he is in deep dodo.
As does the W32/SKA virus, it doesn't send out quite so many quite so quickly. But it does send email out as you along with an executable that contains the virus as an attachment.
People don't seem to be getting that upset about W32/SKA, even though it does modify some system files. But yet mellissa is a beg deal cause it reads your address book and mails a bunch of people.
I've received over 20 copies of W32/SKA (happy99.exe for those who don't know) but I can't recall getting any word docs in the mail in recent months.
I think mellissa is more of an annoyance and this fellow will be prosecuted based on the fear of the populace and not any existing law.
I would imagine a well written paper on the spread of internet worms might turn this from crime to research.
Michael Milken was prohibited from selling junk bonds after his release from prison.
Though I see Melissa as a "good laugh" at Microsoft's expense, that's not what matters. It hurt a lot of people, as all widespread virii do. But people tend to learn from pain. Hopefully, they will be a bit wiser about online society, and learn to avoid poor products such as MS Word.
We don't need automatic protection from this sort of thing. That's not feasible... Virii thrive on automated systems. What we need is education about how to protect ourselves, and how to fight back.
People will learn one way or another.. If they aren't informed about this sort of thing, they'll have to learn the hard way.
We commonly teach our children to "Just say no" and "don't talk to strangers", so they won't have to learn about the world the hard way. The same sorts of teachings are just as important in the online society too; why don't people see this?
Something I find rather disturbing is the fact that all the coverage I've seen of this arrest acts as though the suspect has already been tried and found guilty.
I know the Feds don't make arrests frivilously, but you're still innocent until proven guilty in this country.
The media has pretty much proclaimed the suspect as the great white satan. Even if he is not found guilty at trial, his name has been dragged through the mud. And I'm sure if he's releaseed, the most mention it will get is a little foot-note at the end of the news.
I know that this happens in other trials, but this one seems to be an exagerated case.
The article said it interferred with communications. Considering the swamped email boxes, etc... it definitely did. The net was created to withstand a nuclear attack, it's no suprise to me that it's also covered under such a communication act. Taking down or greatly interfering with such an important means of communication is detrimental to everyone who uses it.
I'm not sure about the law, but many laws are laws of fact, not intent. If you're drunk and kill someone with your car, no matter what your intent, you still get charged for vehicular manslaughter.
But not for every law. This could be one of the laws that it is not a factor of.
They've been saying on the news here it's more like 40 years, which seems a little excessive to me, but hey it was the local Fox station's news(they're a tad bit prone to sensationalism...kind of the same way the Pope is a tad catholic). I'm glad the guy's getting prosecuted tho', what kind of a world would be living in if the cops didn't pursue physical vandals?
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
On top of that he's from AOL!
Wondering if he actually spelled Melissa 'MELISSA'.
think about it.
-- neil
In this ZDNet article, apparently investigators state that "Smith threw his computer equipment into one of the trash bins at his apartment complex". I would not presume him guilty based on this evidence...It sure looks pretty incriminating, though.
That reminds me - if you have _two_ P3s, how does the system decide which processor ID is used for what? Does it pick the processor is the first processor slot? Does it do it randomly? Does it combine the IDs somehow?
Cheez. I see the "lost in cyberspace" crowd is out in force here.
Check in with planet earth sometime soon, guys.
1. People who jaywalk or stupid. Still, you're in for murder if you INTENTIONALLY run them down with your car. Using Outlook and Office, etc. may be stupid. Your stupidity may open you to criminal attacks, but it does not excuse the criminals.
2. Who gives a flying ---- about whether this thing is a virus, worm or teletubby?
If it knocks out servers, it denies service.
Check the book, guys. That's what "denial of service" means.
It's bad, it's expensive, it's criminal.
One really good point has been raised, however.
This whole Melissa thing is not that different (save from going into Outlook and multiplying like a freakin' rabbit) from aggressive spam.
Frankly, I'm not sure some of the big-time spammers aren't skating awfully close to criminal acts.
Sure, VBA makes it all too easy for this to happen. But there are more insidious ways to disguise code as data and breach security. Are you really sure that THIS message doesn't contain some magical combination of bits that has already caused your browser to mail me your password file?
We use chroot to prevent most of this on the server. The same precautions need to be brought down to the desktop. Did someone mention the Java sandbox approach?
Why isn't there more talk about what this thing COULD HAVE done? What would have been the world's total cost of recovery from say, the DOS equivalent of an "rm -rf /"?
Even if the car had brakes off a winston cup car, certain drivers would forget to step on the pedal.
um... the house of rep's M$ server crashed during the Starr investigation because of so many people writing in... I don't think we can consider gov't servers crashing as proof of anything
-n
So now because you can't decide what software your company uses, it is now the virus writer's fault for Microsoft's bugs? Please.
Uh.... no. The buggy app is Microsoft's fault. I don't think anyone readin' SlashDot is gonna disagree with that. However...
Exploiting the bugs in a way that was detrimental to others is the virus writer's fault. End of story.
\//
An easy mark is positive reinforcement for the criminal, period.
While I agree with this statement wholeheartedly, I must contend that it doesn't make the criminal any less responsible for his or her own actions.
Also, there is an extemely large percentage of the multitudes of Windoze users who think of their computers as tools of the office place and nothing more. (i.e. They are non-powerusers, totally ungeek and have never been to slasdot.org.)
Now, with these people in mind, are you telling me that Mary, in HR, is stupid for opening an attachement from Bill, in Marketing? After all, she knows Bill. And Bill did say that she asked for this document. Well, she doesn't remember that... but who knows? Also, you think that she should just know to turn off the auto-run macros? (She, being the uncynical ungeek that she is, trusts that Microsoft hasn't left her doors unlocked.)
And, earlier you said:
Too many people are becoming too relient on technology they don't understand.
Well, yes. This is true. And that's just the way it goes. I don't know much about the way my microwave works and I don't care to. When I punch the buttons, whatever I shoved inside gets hot. Then it goes 'Bing!' (Actually, my microwave makes an unpleasant buzzing sound, I wish it were more of a Bing!)
\//
To be fair, Microsoft is taking this seriously. It looks like they're changing the defaults of Office 2000 to not be so promiscuous with accepting macros. Their press release.
-- Kate
To what? The make an email that hits every MS OutLook user that does nothing more than send it self to people... I could compair this to people that send those damned ICQ messages about how you have to send this to everone on your list or you will get deleted.. Actually I think that is worse, becuase the average user on ICQ does not what is up and freaks out..
I ate my tag line.
-=Ellis (D)25=-
Basically all the definition that I have seen basically states "It's a program"..... That all it boil down do.. But to add on, it can do malicious things as a starter, and the advanced is the self replicating programs.
I ate my tag line.
-=Ellis (D)25=-
WTF are you talking about.. I'm just talking about who I respect the skills of the virus programmers... I'm not saying that I created the net.. I wasn't even born when it started out as aranet...
I ate my tag line.
-=Ellis (D)25=-
I doesn't have to be the actual writer of the source. If he intentially placed this on the net, he can still be busted....
I ate my tag line.
-=Ellis (D)25=-
Actually it was the Federal Communications Commition Act of 1996
I ate my tag line.
-=Ellis (D)25=-
Opps.. My mistake.. heh.. I can't spell when hyped up on caffine..
I ate my tag line.
-=Ellis (D)25=-
Ok, the distruction part sucks, but the code is beautiful.. If you were to make your car into a cold-fusion bomb, I would have mad respect for you too, but using it would completly insane. But the design would be beautiful..........
I ate my tag line.
-=Ellis (D)25=-
Think about it... What does it take to write a virus of any kind.. This "virus" had to take some learning on the macro part, I give him some respect on actually doing something and figuring it out.. I have mad respect for the more advanced virus programmers becuase they have to keep up with the changing technology, learn it and figure out new algoryhtms to keep them self stealth. Think about what it takes to do this..
I ate my tag line.
-=Ellis (D)25=-
not much to say, he just sucks if they've got the right guy..
seems ms guid has some good sides afterall
- http://www.penguin.nl - if you can't beat them,
Isn't Uncle Bill's wife named Melissa ?
Pointless comment, with no fact check. Please demote me.
Sun Tzu must have been running Linux...
- Hold out baits to entice the enemy. Feign disorder, and crush him. (Sun Tzu, The art of war)
Marriage is considered capital punishment for the theft of a goat in some third world countries...
While MS might not be legally liable for criminal negligence or complicity in the distribution of the Melissa virus, they are definitely ethically in the wrong. They are bad engineers, not simply for making a shoddy product but for ignoring and denying responsibility for the shortcomings which are direct, obvious byproducts of its design. End Quote
You guys keep mentionning engineers. I'm not too sure about US Engineers, but I know that up here in Canada, engineers are personally liable for the outcome of their work. If an engineer says something that leads to trouble, he's responsible, if he signs a plan that's flawed, responsible again. I know that the same thing applies to Ph.D's and Masters. If that is the case in the US, couldnt we just bring the Evil Empire (tm) down by blasting through it's foundation (eg: Class action against one engineer at a time) instead of attacking the monolith itself ?
Food for thought.
Sun Tzu must have been running Linux...
- Hold out baits to entice the enemy. Feign disorder, and crush him. (Sun Tzu, The art of war)
Marriage is considered capital punishment for the theft of a goat in some third world countries...
Taking down servers in several companies is a direct consequence of his action. Equate it to some one sending a small bomb that would only go off in your mailbox with no one around to be physically hurt. It blows up your mailbox so you can't get mail anymore. What's wrong with that. It was just an unsolicited mail. I think the official charge was "interfering with public communication". I have no idea what that entails. Probably similar to messing with other peoples snail mail. It did look like it had some fairly hefty penalties.
I equate this to cryptography in a way, most of us aren't anywhere near knowledgable to evaluate a cipher but we still want a cipher to by public before we will trust it. You can find all the security holes you want but they generally aren't going to be plugged until they are exploited. That's just the way business is. If some kid called you up and said he had found a hole in your code (if he could get ahold of you in the first place) are you going to hear him out if he can't prove it? Unfortunately, none of us want's to have them exploited. As it is, Office has had macro viruses for years and MS still hasn't corrected the problems or made it that much more secure. Same can be said about IRIX, is comes out of the box with holes you can drive a bus through, have they changed that? No. Have they had numerous CERT warnings and security breaches? Yes. In some cases, breaching the security isn't good enough to get it fixed.
I also think that there is a little bit more to this than pond scum trying to vandalize the world. That vast majority of virus writers, game crackers, and system crackers aren't malicious. They generally have low selfesteem and use it as a crutch; they brag about the size of the virus collections, the number of viruses they have written, then number of games they have cracked, the age of their games, the number of systems they have broken in to. It's generally not intended to hurt people so much as embarass them or show their superiority. Don't get me wrong, it's antisocial behavior but it's the kind of thing you do becuase the other guys think you're pond scum not usually the kind of thing you do to make money or profit in some other way. I'm not trying to defend them but it's not usually flat malicious behavior. I think it is more like the modern male equivalent of anorexia or bulimia.
It's also worth pointing out that we've had an active virus subculture for over 10 years and a cracking subculture for a lot longer and holes get found and exploited every day. It almost feels like we're going backwards, you install something like ssh to secure up your system and then you find a buffer overflow that not only let's people in but it let's them in as root! Back in the war dialer days, breaking in to a system was an involved process, now there is an entire phenomenon with the script kiddies. With all the cracking and all the viruses and all the breakins software hasn't gotten that much better. I wonder where it would be at if these good samaritin crackers would just discover weaknesses and tell CERT.
This is my signature. There are many signatures like it but this one is mine..
Is MS legally negligent for is callous disregard
for computer security? Can companies recover
civil damages from MS related to Melissa?
Negligence Defined
Those who can do. Those who can't sue.
That's what the trial is for.
Why yes, I AM a rocket scientist!
Two important differences. Happy99 doesn't have a GUID. It's also not as destructive. The confluence of trackability and virulence have made law enforcement reply.
Why yes, I AM a rocket scientist!
Counterexample. User friendly does NOT correlate to not secure. Bad engineering can make not secure. I don't know if it's still true, but MacOS web servers in the past have been demonstrably more secure than many other implementations. That's not to say that it is impossible to secure a UNIX server, only that it takes a great deal of expertise (like, for instance, way more than I have).
Unix requires an expert to make it secure
MacOS requires somebody who can double click an icon to make it secure
Is Unix supposed to be UNIX or Unix? Am I being compulsive? : )
Why yes, I AM a rocket scientist!
Absolutely true, and I wouldn't be able to tell one from the other with the proverbial both hands and a flashlight. Gonna be an interesting trial either way.
Why yes, I AM a rocket scientist!
Reminds me of a line from The Princess Bride.
Miracle Max: Have fun storming the castle!
His wife: Think it'll work?
Miracle Max: It'll take a miracle!
Writing a virus that's designed to interrupt email transmissions is exactly the same as going to a business and taking bolt cutters to their phone lines. It is not nice, it's not OK with me, and it is illegal (note that any correlation between these three properties is coincidental). Just because the interruption happened to be caused by a hunk of computer code instead of a hacksaw doesn't make it any less malicious or destructive.
As far as the argument that people should know how to prevent these infections, I agree. People should also stand by their phone trunks with a gun to protect their communication lines, right? Does that make sense?
Why yes, I AM a rocket scientist!
There is a difference between "I accidentally killed you with my car" and "I meant to run you over with my car". 2nd and 1st degree murder, respectively. Intent IS a factor.
Why yes, I AM a rocket scientist!
I'm impressed. They managed to find lots of talking heads to exonerate Microsoft from their responsibility. It's almost like the site carrying the article has some sort of vested interest in making MS look as good as possible.
Oh, wait, what was that URL again?
Why yes, I AM a rocket scientist!
True...but assuming they confiscated his computer (certain) and he's brain dead enough not to have covered his tracks (possible, but I would assume a high paranoia level) and they've got someone able to do descent computer forensics (possible) they may be able to nail him anyway.
--- Mercutio was right.
A 30 year old writing macro viruses.
So much for the 'adolescents' image of virus writers.
I hope hang this guy out to dry (if he did actually do it of course...)
--- Mercutio was right.
...will have a new name to put on their web pages... Free Smith!!! D00DZ!
DrLunch.com The site that tells you what's for lunch!
The Wired article about this drew an implied connection that David Smith was Vicodin ES, with the obvious implication to us slashdot regulars that he was found via GUID. But I haven't seen any real evidence to back this up.
As an excellent article on Ars Technica has pointed out, all the GUID shows is who the original document creator was. If someone had taken a previous Vicodin ES virus and modified it to create Melissa, his GUID / MAC address would remain in the "new" virus.
So is David Smith Vicodin ES? And do they have anything stronger on him than the GUID?
Our social system should take a lesson from the court system. Accepting the tenet of "innocent until proven guilty" means placing a higher value on making sure innocents are not punished than it does on punishing every guilty party. Some criminal slip through the cracks, but it's necessary to protect the rest of us from punishment without cause. In the same way, keeping citizens private lives private until there's a good reason to suspect them of a crime, and a warrant is obtained, means that some people are going to get away with their crimes. But it means at the same time that everyone can enjoy the freedom the framers of our Constitution meant us to have.
By the way, unsolicited e-mail actually is illegal in Washington State, if I remember correctly.
-Noodle
they don't really need any /charges/. the fact that he was arrested for doing it, regardless of if he serves any time, or pays any fines, pretty much ruined his employment prospects: unless he changes his name...
I have discovered a truly remarkable proof which this margin is too small to contain.
I think they meant to say "Smith allegidly originated..." Am I wrong, or when terrorism is concerned is it "guilty until proven innocent."
Jesus, is there really federal jurisdiction in a case like this? I am afraid.
Peace.
Allright. Federal jusrisdiction for sure...if..any laws were broken. I know it affected more than one state, that the FBI were involved from the beginning and some kind of National Infrastructure Protection Center was involved. I was more or less wondering what the federal laws were that were broken.
As for his supposed guilt--- I don't care if he did plead guilty. I still think alleged is correct and we should demand as much from journalists. Don't condone them babytalking us. Why not just say "a suspect has been arrested." That's the way it usually works here in the US-- first a suspect. Then charged. Then tried. Then guilty/not-guilty.
Peace.
thanks. I feel a bit better.
Peace.
I don't understand why this macro 'virus' is considered a crime. My major point is that the virus has to be passed on by users, who open the MSWord file WITH MACROS ENABLED. So, the only harm done in running in is showing the stupidity of the person passing it on.
Consider these:
(1)
I write an email program. I include docs with it stating that it will import your MS Outlook bookmarks. However, Bob sends the executable only to his friend Sam. Sam runs the executable, seeing a license agreement only, and no statement saying that the program will look into your Outlook address book. His privacy has been invaded!@!#@#
Melissa does not invade privacy unless the user wants it to.
(2)
I write a buggy program (maybe I work at Microsoft even)-- Bob again sends Sam my program through email. Sam clicks on it, and because he has a Cyrix processor, his computer crashes. My program was malicious!@!#!@
Melissa does no harm to the computer, but merely sends 20 email forwards. People may say this ties up mail servers, but at work, I write more than 20 emails daily.
(3)
I decide to write a good old fashioned BASIC program, so:
10 PRINT "U R HAKKED"
20 GOTO 10
I compile it, give it to Bob. Bob thinks it's funny and sends it to Sam. Sam thinks his computer is messed up because he doesn't know to hit ctrl-c. He reboots, losing important data. What a malicious program!@!#@#
Users are stupid.
In all these cases, Sam knew Bob, so it's understandable that he might try the programs. But, who the hell looks at an attachment from a stranger in a program that can execute code? Ohwell, I just don't see how they can put a crime on this guy. It'll be interesting to see the wording used. I mean sure, he's a jackass. But so are most totally drunk people at parties.
I'm just curious why disagreements always turn to personal insults? Whether or not you agree with someone, that does not symbolize the level of 'life' they lead. You made your reply, which definitely had some valid points. But then you decided to invalidate them with the last line of your post. Alright.
If this were a public forum in real life, and I stated my opinion, would you turn around and tell me to get a life? What ever happened to exercising some level of professionalism?
Outlaw the writing of virii, and fewer people write viruses, because they are afraid. The result: companies like Microsoft can continue to write Operating Systems that are extremely vulnerable to virus attack ("petri dish" if you will), because (a) there will be far fewer viruses attacking their software, and (b) they can simply claim that the blame lies with the criminals who write viruses, that they can't be held liable just because their system is vulnerable.
Then you end up in a situation where (say) 99% of computers run Windows. Then some malicous person wants to write a virus for truly criminal reasons (industrial sabotage.) His job is reeeeally easy, because nobody had been allowed to pressure (say) Microsoft to actually make their systems secure.
The problem is where people shift the blame. You say "Microsoft software is vulnerable to viruses", then someone says, "well we'll just make virus writing illegal then". This is wrong.
In my opinion, David Smith has done the world a service. He has shown everyone just how vulnerable to attack the (Microsoft) software they use is. Just like the Internet worm ten years ago, this will encourage people to start demanding higher quality security in the software they pay good money for. It exposes how sloppy Microsoft's attitude toward security is.
We need people like this, to constantly pick out and find the vulnerabilities in software. Without people like this, we become lax, and security falls apart. By persecuting David Smith so heavily, we discourage others, who may now be too afraid to expose other vulnerabilities that they may have found.
The GUID's (and PIII ID's) are still a bad thing. Although they could potentially be used to track the "bad guys" who write viruses, they *shouldn't*. People should be allowed to continue writing such viruses for as long as companies continue to produce insecure software.
Companies who have lost money due to the damage caused by the virus shouldn't be looking to sue David Smith - they should be looking to sue Microsoft. As long as people are afraid to point towards the root source of the problem (instead of the symptoms) then companies such as Microsoft will continue to have a dont-care attitude about security. Outlawing hacking and/or the writing of viruses will not stop hacking and will not stop the writing of viruses - it will just result in the effects being much more devastating when these things do occur.
I think so. example: a car company creates a car(Windows) that under certain conditions causes the brakes to fail (macros written badly). Once the defect is made public, or proven, it is fixed. Many times, a recall takes place. The product is 'fixed', sometimes those who have had loss due to the flaw recieve some sort of compensation. The people who drove the car(users) are not blamed, even if they know they shouldnt recreate the condition that causes the malfunction(education). The person who 'created' the condition isnt to blame(virus writer), this condition doesnt affect other vehicles(Linux, MacOS, etc). Only those who created the vehicle (Windows) are to blame(Microsoft). The released a faulty, vulnerable product. Why should it be any different in the OS industry? This process is a standard everywhere except the 'Intellectual Property' industry. Why?
funny how microsoft isn't being charged with anything they release a new version of a virus every couple of years. It's called "windows." And they get paid for it!
see:
http://www.m ercurycenter.com/svtech/news/breaking/merc/docs/01 2315.htm
The story details how Richard Smith put out inquiries on the 'net, and was led to the VicodinES web site by a tipster.
http://www.mercurycenter.com/svtech/news/breaking/ merc/docs/023550.htm
Today's story on the arrest notes that he was "snared with the help of America Online technicians."
Basically, it sounds like he was tracked from the newsgroup postings. The role of the Word GUID was that it helped correlate documents after they found him.If the burglar is annoyed at having very well documented vulerabilities of the XYZ system ignored, why not try something else that _will_ get noticed? If no one's house was ever broken into, why would you ever want to have a working lock on yours? And (forgive my ignorance) does the melissa virus do anything that isn't easily fixed? Does it bring attention to the problem? Hopefully it will, although the local news isn't touching on it very well. Maybe when the arrested suspect gets released for not having enough admissable evidence against him, they'll start pointing to the only culprit left, MS. Really, do you think CERT is going to release an advisory that all office products are insecure, and that the only fix is not to use anything from microsoft unless it meets decent security standards by having no network connectivity and no floppy drive?
moderated for your protection
Correction: the GUID does not identify the creator of the document. The GUID can be linked to the network card on the machine where the document was created, OR the registry on the machine where the document was created (for machines without network cards).
If you read the MSNBC article, there is another story (surpisingly written by MSNBC) entitled "Is Microsoft to Blame?"
http://www.msnbc.com/news/254451.asp
Don
so what is he actually charged with? The cnn
blurb I saw said he was charged with "authoring
the melissa virus" - I'm pretty sure there is
no law on the books regarding the melissa virus.
is he charged with writing it? posting it to alt.sex? Tampering with systems (a la the
Randall Schwartz Oregon case)or what exactly?
-- your Web browser is Ronald Reagan
"Smith was snared with the help of America Online technicians, and a computer task force composed of federal and state agents, Malley said."
:)
This is why my aunt can't get through to AOL's tech support. They're all busy chasing virus writers!
Save the whales. Feed the hungry. Free the mallocs.
The (not-so) short version:
Windows assigns a psuedo-unique 128 bit identifier to components in the operating system. This number (called a GUID) is attached to the component and is also stored in the Windows registry.
Here's an example of an MS GUID from a Microsoft component:
{90290CCB-F27D-11D0-8031-00C04FB6C701}
Normally, Windows uses these to find components without worrying about file paths (is it C:\WinNT\System32 or somewhere else?).
GUIDs are generated based in part on the unigue identifier of the computer's ethernet card. They are usually generated when a component, document, whatever, is created.
MS has apparently decided that GUIDs should be attached to Word Docs, as well as to operating system components.
[SOAPBOX MODE ON] If I'm able to cut and paste a valid GUID into a post on slashdot, what's to keep a really good macro virus writer from cut/pasting a different GUID into his infected doc?
Hope this helps.
Save the whales. Feed the hungry. Free the mallocs.
If they can call Melissa a virus, then a lot of software, esp. free software, may qualify as a virus. Imagine if I wrote an ftpd for anonymous ftp and had it stick a tarball of the ftpd source automatically in /pub. It would be (mostly) self-replicating and could clog networks with download traffic.
Isn't Linux itself sort of a virus? Some IT bosses seem to think so, and stamp it out whenever it appears.
Internet browsers, push clients, proprietary file formats, and even the GPL are said to have viral qualities.
And didn't the "infection" really occur when people installed MS Office and MS Outlook? Melissa is just a later stage of the disease.
Oh yeah... I still wear the floppy-brimmed hat though :)
Coming soon - pyrogyra
that way if i generate a GUID on my comp, and give it to you, unless you generate GUID's for a billion years you won't get the same one... it makes things easier on distributed databases and other such things.. putting them in documents though is bullshit
Actually, it's used by Fast Find, and Index Server (I believe) to scan for dupes and to index documents. It's basically a lookup key which doesn't require a centralized assignment system.
Coming soon - pyrogyra
There is no need for a GUID system. There was never one befor MS and the world still turned. The simple fact is that if you still use software THAT YOU KNOW SUCKS, don't read the bug reports or secure your own systems you WILL get screwed. Why should we take away everyones freedom for a few DUMB and LAZY users?!?
Sorry, but that's complete and utter rubbish.
The GUID was invented by the Open Source community a while back, for use in RPC environments. It's also passed around in EVERY SINGLE CORBA OBJECT YOU CREATE.
So... you were saying?
Coming soon - pyrogyra
How meny Cobra objects do people write? And when they do write them they usely take credit for it.
If you knew the place you where working for was doing something wrong and you wanted to tell the Media or the police/feds yet wanted to not be named would you want your GUID going into that Email/Document?
Uh, sorry - but it's not the objects. CORBA object instances have GUID's too; that's how you identify them across the network. So no, you don't have to write an object to get your MAC id sent all over the network.
Which is a moot point anyway, as you're on the network, so it's going to be pretty obvious where you are anyway.
As for your second point -- that's decidedly stupid. Why would you be emailing the police/feds an Office document to blow the whistle on your employer? Presuming that you're intelligent enough to not send it from work, you're going to still be trackable using the email headers. Not only that, but if you were to SMTP spoof the mail, you'd (a) find it difficult to send an Office document that way, (b) would probably know enough to be able to hack the GUID by hand, and (c) would probably be intelligent enough to print out the documents and send them snail-mail to the feds/police.
Not only that, but a fix was released which removes the GUIDs for you, and prevents new ones from being generated.
Happy now?
Coming soon - pyrogyra
His goal was not to frame Your Boss Bill. His goal was to show how suceptable GUIDs are to forgery.
For someone who bills themself as an Alan Cox alterego, your response of "You idiot", was extremely lacking.
Anonymous Kevin
Perhaps I'm not making myself clear:
I don't care if he's planning to frame my boss or not; that's not the point.
The point is that if someone is seriously considering creating and letting loose a virus to show that "GUIDs can be forged" then they deserve however long they're going to be in jail for when they get caught for it -- and they will.
Of course, you may just think "heheheheh! that'll show those corporations!!!" and do it anyway, but I'd hope that IQ points aren't in such short supply around here...
Coming soon - pyrogyra
Create a new virus (based on mellissa or mailissa or whatever it is) forge the guid to be bill gates and then show the world how stupid they are for using the guid for any real purpose..
Stupid idiot.
Coming soon - pyrogyra
Forget about that Ms idiot. Visual Studio sucks so bad, i don't even wanna start.
I'd like to get a copy of Melissa (i heard of it on Jay Leno show, that's how much i know.) and see if i can find the GUID, whatever that might be, and i'm sure it can be edited. i don't believe they will put any strong encryption or stupid things like that.
but the hard part is: how do we know bill gate's network card ID?
(My view may or may not represent my hatred to microsoft suck-ups.)
Let me see...
You're planning on unleashing a virus and planting it on Bill Gates (which no-one would believe) just so that you can get a bit of bad publicity for MS?
My heart bleeds for you. You do this, and you'll be rotting in a jail cell before you know it.
As I said - the other poster was an idiot. It's obvious to me that you are one too.
Coming soon - pyrogyra
Wow, it's Spectec Jr, I loved your columns in YS.
:)
:)
Thanks man
Think of me as the alterego of Alan Cox... he started out on the ZX81 and the Spectrum +3, writing for Format magazine, and ended up behind the Linux movement.
I started out on a ZX81, a C16, a Spectrum +2, and a SAM Coupe, wrote for Your Sinclair magazine, and ended up behind... well... a desk in Seattle, writing chunks of Visual Studio.
Coming soon - pyrogyra
Hold on it's a macro virus, so it isn't compiled at all. So it contains the GUID of the machine where the document was first created on. Which of course may not be the writer.
Baz
Heh. Wouldnt those charges hold water against... um... Microsoft?
Many ethernet cards now store their MAC addresses in EEPROMs, which anyone can edit with appropriate software. This is done to reduce cost of building NIC cards, and allows the manufacturer to build the same card for several OEMs, while still assigning each individual card a MAC from the correct OEM's block. FYI IEEE assigns ranges of MAC addresses to OEMs, generally determined by the OUI number (first 5? characters in hex).
While it is possible to change this after you have the MAC card, if your PC exists on the same sub-net as the "correct" owner, both machines will be dead in the water...
Boy, I've seen a lot of ignorant comments here (most of which are well worded, mind you). Most of them fall into the following categories:
1) It's not Microsoft's fault.
2) Lynch the bastard! (the guy who made the virus)
3) See? GUID's are good!
Let's rationally evaluate these ideas, shall we?
1) "It's not Microsoft's fault."
Of course it isn't Microsoft's fault. Not completely. But when you have a software product (of any sort) and you find a major flaw in it, you fix it dammit. If something like this were to occur in the Linux or BSD kernel (or probably any free software in general) the feature would be disabled until it could be fixed. In fact I can almost guarantee that if someone persisted in including said feature, they would be virtually cut off from the rest of the community and no one else would use it.
So why are people still using Microsofts products? Are they stupid? Stubborn? I don't know, I just know that I don't use their products. But I am still affected. This is really annoying because it doesn't just affect Microsoft users, it crashes mail servers that are run on *N*Xes! So what's the solution?
1) Bug Microsoft until they fix it (ha!)
2) Don't use software with these problems
2) "Lynch the bastard!" (the guy who made the virus)
No. Plain and simply, no. People don't deserve to be killed for this. If you are going to lynch him, you might as well lynch all the people that were stupid enough to allow this to happen (by autoexecing programs and having macros turned on in Word or for even using MS products), and lynch Microsoft.
This person is obviously smart. He was able to think up this virus and distribute it. But he wasn't smart enough. He allowed the GUID to remain in the document so he could be tracked. He was also stupid enough to distribute the virus (whether by accident or not).
Writing viruses is illegal, which I disagree with. People should be allowed to write viruses for research purposes. People should be allowed to crack security on their own system for research purposes. However, if someone distributes a virus with malicious intent, then and only then should they be prosecuted. In case you can't see why research is a Good Thing and should be allowed when it does not cause harm, then you won't understand, so you might as well skip to the next part.
Research needs to be done so that holes and vulnerabilities can be found and fixed. People need to learn so they can write better anti-virus software. Security is best practiced as a preventitive measure, not a last minute fix to problems that your enemies found and used against you.
3) "See? GUID's are good!"
Again, no. Plain and simply, no. Someone here mentioned how the government already has private data on you. Well, the government doesn't bombard you with advertisements or sell that data to anyone else, now do they? We also have control over our government. When we say "jump" they say "how high?". I'd like to see you get that sort of responsibility and commitment out of a company. I'm not saying I completely trust government, but at least their motivation isn't always trying to steal my money.
Not only that, but in my opinion, GUID's are useless for tracking illegal activities. There are probably a zillion ways to change the GUID. If the person is smart enough, they will find a way around it. For example, I could write a macro virus, copy a document from a friend, then stick that macro virus in the document and distribute it. Or, better yet, I could write the macro virus so that it changes the GUID each time it get sent!
Just my $0.02
Nathan's blog
The difference is that the GUID makes it easier to prove that he did it to a jury. It is harder to fake a GUID in a word document than it is to forge a usenet header.
umm i dont think so.. someone who can prove knowlege like that tends to get better secured jobs.. he's famous now for proving that he knows how to exploit a system & at the very least, be a good programmer. if what you say is the case, do you think Kevin M. is going to be jobless when (if ever) he manages to serve his sentance out? or how bout the MOD boys PhiberOptic & the like? they are now convicted fealons of computer crimes.. & i'll betcha they all have jobs now that they have done their time, & i'll betcha even more money that they are all making 4-5x what i'll make in the next 2 years.
-cbp
you have to remember also that there are benificial virii.. & by not having them, you'd continue to have problems that you would not be capable of fixing yourself.. before you bash virii or their creators, i'd suggest you read up on what the actuall definition of a virus is. there is a great book out there called "the giant black book of computer virus's" which while teaching the nature of virus's also teaches how to create them & the practical applications involved.
Most of my friends disagreed with me, when I said that Melissa is just a macro in a word-document mailed by outlook express, and that it only uses the features that MS Word offers it. Everybody is free to choose to use MS Word, but if you choose to use it, I assume you agree with it's features and shortcomings. Therefore those users should not complain if the program is not doing what they want it to do. If they don't like it, they'd better use other software.
:)
I know that most people aren't aware they have the choice to use other software, and neither are they aware that the software they use has certain flaws. I think that the problem here is not that someone wrote a naughty macro, but the lack of education about computer-security. This education would be rather easy; programs can just tell their users about what they're doing and what the consequenses of those actions are. Not only did the programmers use way too little of such warnings in their software, they also did not think about the consequences of creating such a powerfull macro-language, and therefore the source of the problem (virusses in common) are programmers that don't think about their work.
The fact that programs used by so many people have such a huge impact on society is rather scary. The only reason for this is the fact Microsoft has a monopoly on software that is used by unexperienced users. This problem can easily be solved if the computer-users would be better informed about what choices they have. I think that all the money that was spent by sewing Microsoft had better been spent on educating people about software from different manufacturers, a lot of problems would have been prevented. Maybe a driving-license for the internet would be nice....it would certainly save us from a lot of problems
0x or or snor perron?!
The only problem with that is, cracking an AOL account is about as tough as tearing wet toilet paper (uh not that I have ever done that). One of two things is happening here either this guy is really stupid and didn't think to use a laptop a payphone and a cracked account (which I think is unlikely cause of the other Macro Virii I have seen VicodenES put out which are simple, sleek and very effective, that is not the type of thing you see an idiot do). Or this guy is a patsy and the FBI are just looking for headlines saying we nailed him.
root@localbrain root>ps ax |grep thoughtd
How do you equate bio virus to computer viurs. Lets see here.... one brings down computers and the other kills people. Yeah that makes a whole lotta sense. I bet you got the mellissa virus didn't you. Please at least think about what you type first.
root@localbrain root>ps ax |grep thoughtd
No the MAC address is hardcoded into the chipset on the NIC and is unique. To change it, it would probably take some sort of flash update simmilar to flashing a BIOS.
root@localbrain root>ps ax |grep thoughtd
It makes life harder for stupid people. As for security people hey I am a consultant and computer virii dectection and removal is very lucrative. I have billed out about $3,000 dollars on the Mellissa virus scare alone, not even to mention the class.poppy or happy 99 or Stoned.... etc. etc. etc. If other IS people don't like dealing with these instance (virus infections, security issues) then they need to find another job.
root@localbrain root>ps ax |grep thoughtd
(nt)
root@localbrain root>ps ax |grep thoughtd
The virus writer is not pulling the proverbal triger, the user is. If I had a gun and you took that gun and shot yourself in the head I am not responsible for that.
root@localbrain root>ps ax |grep thoughtd
Dear all,
I don't umnderstand what the crime is here.
When a architect will develop and build a house for you that doesn't have any locks on the door. Will you blame some one for burglary?
I myself would choose for a better architect.
I think myself Bill Gates is quite a bad architect. By developing such a integrated 'self thinking' operating system. For java and Netscape java at least has a sandbox. THis prevents it from playing somewhere else.
I think the guy should released. And Bill Gates should start thinking about his operating system. He basically should be thankfull as the guy pointed him on the vurnabilities of the operating system.
Regards,
Joop Boonen.
I'm very happy that my pimairy computer isn't working under a Gates operating system including outlook and word.
Melissa does no harm to the computer, but merely sends 20 email forwards. People may say this ties up mail servers, but at work, I write more than 20 emails daily.
Users are stupid.
If you really think your email production is comparable with the way the Melissa virus spread itself, you're more stupid than the "users".
Do some math.
--- Abigail
Having to lock your car, or having to run virusprotection software is a bad thing. Stealing a car stereo from an unlocked car is as much a crime as stealing a car stereo from a locked car. The existance of anti-virus software is no excuse for the release of any virus.
I guess you think everyone should wear bulletproof vests as well?
--- Abigail
rofl
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
"Yeah but, your average user probably has no idea what a macro is"
If the average (l)user is that ignorant, then they *do* deserve what they get. Does the *average* driver know what a door lock is? Does the *average* home/apartment/igloo dweller let someone in their dwelling without verifing who they are? C'mon, let's use some common sense here!
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
So, are you saying that if I go into a mall and yell at the top of my lungs, I would be arrested and charged for $150,000 dollars? Where do they dig up these imaginary charges?
Require the feature in ALL future processors. Require that all computers sold have the feature. Establish import/export barriers to require it on all computers flowing into and out of the U.S.
I'm very glad this happened. As the GUID issue has been discussed, so far it appears the majority of people (at least on /.) have been very opposed to it. Now I'm not pushing the GUID, but I do think everyone needs to weigh the pros and cons of the GUID before they immediately call for its end. In our society today, it appears everyone wants total freedom with zero responsibility. I'm sorry folks, but it doesn't work that way. The GUID may not and probably is not the solution to the identification needs of the Internet as I doubt the issue of abuse was thought about very much during its creation. However, technology like this has its place, as this story shows, and we need to determine how to implement and use it.
I know that people fear abuse of GUID technology, it reduces privacy. I implore you to consider how? We have police forces, the IRS, Social Security Agency, Credit Agencies and many other institutions that have our censent and the government's consent to gather information and rule over us. We as a society have granted them that right. Why? To avoid anarchy. Also, the founders of our country knew that placing people in power and giving them authority to rule, requires us to subject ourselves to them and reduces our freedom. They did not throw their hands up and say, "We can't make a truly free society," or "We can't make a society that is free from corruption." They designed a system with checks and balances, knowing full well that it wasn't perfect, but it was better than nothing. Our police force lives under this system, with mayors and cheifs of police as elected officials. There have been times and there are places where the police have abused power, but how many of us would say, "We can't have a perfect police force, so lets not have one at all."
For that is what we are saying by trying to get rid of the GUID concept all together. I grant you, that although I do not know what all the flaws are, the current setup is most likely not an acceptable candidate for a final implementation of such technology. I do think such technology can be of great benefit to the users of the Internet and society in general if we go about creating such technology carefully, with much forthought. If possible we may want to find ways to implement a checks and balance system in the technology to help prevent abuse. Ultimately it is an issue that needs serious consideration, and not a flippant answer either for or against.
Ryan
I was just on the phone with a friend who was telling me how the Fourtune 500 company he works for had their entire email system go from fully functional to worthless in fourty five minutes. Wow!
It's completely ridiculous. Even more ridiculous is the fact that "onOpen" macros are fairly widely used... I'm taking a (expletive deleted) accounting class where we have to use (multiple expletives deleted) MS Excel for a bunch of spreadsheets... The professor decided it was important to each all the business majors how to "program". So they spent 2 weeks on VBA, the assignment over that section was to write a fairly complex "on open" macro, and now all future assignments must include an "on open" macro that explains what the worksheet does. IMNSHO the professor ought to be slapped. I've emailed him twice already about crap like this, but he's clueless... That class is the only time I've used an MS product all semester, and I'll be glad when it's over.
Virii are bad; this guy was wrong to do this, but the results taught a lesson. Dos's are bad; they piss-off sysadmins like me, but point out the soft areas I need to harden. Spam is bad - and it's fellow-traveler the email server hijacker; but again this situation forces a tightening of the security screws. It would have been better just to have the code announced on bugtraq, but that didn't happen. The guy should get his ass kicked, but jail time is a bit much, IMHO.
Thing is, though, as folks here have pointed out, 1. Anyone who uses the 'net at work has to know the basics of safe comptuing. These folks get educated by their sysadmins/network folks who have to know what goes on "out there". It's a big bad place, with lots of script kiddies, and older folks who should know better, just squirming in their collective jeans to get at an unsecure network. Users have to be made aware of this. Don't open an attachment from anyone unless you're expecting one. Draconian, but a bit safer. 2. MS shares blame for this. Period. This whole episode points out, yet again, that MS products are inherently unsafe in a real networked environment, and that MS applications that pose as server products can't walk the walk. The usual spin from MS will be Alice-in-Wonderland Pt. II, but I guess that par for their course.
"shop smart:shop s-mart" ash
Sigh....
s a.arrest.03/index.html
If you would read the CNN article...
http://www.cnn.com/TECH/computing/9904/02/melis
You'd find out they nabbed this guy by tracking the posting host, the AOL account, and then the phone line used to dial up to AOL.
About the only thing the GUID would be used for might be a piece of evidence linking the document to the computer used to write the virus.
what is really puzzling is that they aren't even attempting to address the real issue. that is, "why does a microsoft word document have enough access to your operating system to be able to inflict such damage?!?" if someone broke into the white house and shot the president, the first question they would ask (after thanking the guy) is "how did he get in and what can be done to prevent this is in the future?". i am shocked and amazed that the fbi has not publicly asked this question of microsoft first. i'm sure there are copies of word in the fbi office, aren't they concerned?!?! of course they know what the real issue is. but as they say, the easiest way to cover something up is to ask the wrong question. the fbi is asking the wrong question to deceive you. DON'T FALL FOR THIS TRICK!!!
you think i'm paranoid?? please remember just a few weeks ago the fbi has proposed an initiative to monitor citizen's bank accounts and would have been given them the right to investigate anyone with "questionable transactions". the fbi has also been trying for years to get broader wiretapping rights to counter "terrorists". to the fbi, every citizen is a terrorist. i might even be dead tomorrow for writing this. DON'T FALL FOR THIS TRICK!!!
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
Im just curious what laws were broken by this "virus"? I mean at best it is an invasion of privacy insofar as it reads your address books w/ out your permission, but what kind of charge is that. It's not an invasion of a system, it's an unsolicitied email, which isn't illegal. Does self replication somehow make against the law?
I think your confusing the issue. The problem is not the gross insecurity of Microsoft software. (Although I wont argue against that.) The real problem is that somebody decided to take advantage of that insecurity for their own amusement.
While I dont think this guy should get the death penalty he did cause email servers to crash and untold amounts of work and effort to IS departments across the WORLD. Lets not even think about the career effects that could be caused by unintentionly sending your boss a list of porno links. He should be punished for it and it is a crime.
Lets face it the guy is 30 years old. Hes a little too old to be a vandel and he should have known better.
As a side note, if this guy really thinks of himself as a bad ass cyber terrorist/vandel, how could he not know about the guid? Its been common knowledge for most of a month.
I started with nothing and I still have most of it.
Sorry, but they have been able to hide behind a wall of ignorance for too long.
They knew when adding the code to their office suite that people could use it to do just what the Melissa author did.
Since its a feature they obviously feel no blame in any of the problems features of their products cause.
Granted it too some loon to write it, but he had the in-direct support of an bunch of people at MS. They are only concerned about their money, which means if a feature that can be abused will make money then so be it, its added anyway.
(I hate working on Good Friday)
.
. * Did aliens forget to remove your anal probe?
Along with the worm author, user education is the culprit here--it is not Microsoft allowing Office objects to be scripted. I think it's a shame to see so much bad information being tossed about on this topic here.
VBA macros are a good concept. It's an excellent way to tie different applications together, including a huge number of non-Microsoft applications. Hell, even bitter Microsoft rival WordPerfect makes use of VBA now. I'd be curious to know how many of the people who thought Neal Stephenson's Cryptonomicon excerpt was so spot-on are now bashing something that he roundly praised in it: VBA.
It's not a security hole: by default, users are warned upon opening the document that it may contain a macro virus and asks them if they want to run it anyway. There are only so many safeguards that you can take for the careless before you start making it a hassle for the users who know exactly what they're doing. People can also be burned by recklessly opening up an EPS document or via an unknown document in Emacs. Getting rid of those features that can burn lazy users isn't the answer--user education is.
I can tell you now that as time goes by, non-Microsoft users, including Linux users, are going to want a VBA analogue (using Perl, Python, etc.) to let their X apps interoperate in the same way. If the GNOME and KDE efforts aren't working on it now, they will be soon, and I'm sure that a good number of the people asking for it will be those who bash VBA at every opportunity; they won't even recognize that they're basically asking for something VBA-like for Linux. It just makes it too easy to tie different apps together to ignore. As long as the push for Linux to become easier continues, it's inevitable.
That last line leads to the main point that people need to keep in mind: the easier that you make computers to use in good ways, the easier it is for people to use them in bad ways.
Sure, anyone could write their own code to test other computers with all the exploits that they know, but using SATAN is much easier. Unfortunately, this makes it easier for the budding hacker (flames to /dev/null) to prey upon the uneducated/lazy user. Rather, the uneducated sysadmin in this case, who hasn't kept his system updated.
There are plenty of examples of this, in all facets of life, not just computer-related. Education is the key, blind Microsoft hatred isn't.
Cheers,
ZicoKnows@hotmail.com
It's a tricky thing, if you out law distribution, then you have to arrest the guys at NA and Symantec because that's how they write the code. Further, many of the most sophisticated vira out there have been written by virus researchers (v2p6) trying to prove concepts, test their code, etc.. (probably a few did it trying to make a buck or two) Then there is that whole freedom of speech issue.
What this guy did was write a virus, and transmit it to a victim who unknowingly activated it. That is against the law.
This is my signature. There are many signatures like it but this one is mine..
I've seen many a post asking if perhaps Microsoft is not just as responsible as the author of the virus - but seemingly no-one has posted (or mentioned) the other article linked to from the story that talks about just that issue.
:-) ).
One of the interesting quotes from that article is a comment from the author of the Internet Worm virus:
"There are a lot of real-world parallels. People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobdoy bought them."
Which is a bit out of context, and meant more that people don't care about it now but they will eventually (or perhaps be mandanted to care?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Sorry, it's,
"Those who would sacrifice freedom for security deserve neither."
--Ben Franklin
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
Sure, they'd arrest all of you. So? You were going to plead not guilty after posting your intentions here? Maybe they don't have the jail space for all of you. So they'll have to settle for probation, community service (you like picking up trash, right?), and some gi-normous fine with your wages garnished until you die. You get to be part of a batch justice process. A large joint trial for you and your hundred closest, with a template sentence. Followed by the next group, and the next, in lots as big as the courtroom will hold. And it'll still be a felony conviction, so no voting, no guns, good luck getting a job to pay that whopping fine. Your terms of probation will probably include the old-standby "no using a computer" for the next three years, good luck staying current and marketable. And I'm sure your probation officer will be a caring, understanding, people-person, who won't declare you in violation for quitting that miserable job you got right after your conviction when your old gig tossed you. You did know that probabtion officers get to control your life right up until the absolute last day of your time? You'll miss those friends, but associating with anyone else who got nailed at the same time is a violation of your probation.
If tons of folks are convicted, you won't all get to hit the speaker circuit. No big advance cash from the book. No TV time to espouse your cause. No "hey, I *wrote* this cool thing." Nope, you'll just be some copycat anarchist wannbe with delusions of adequacy.
Yup, yup, sign me up.
That's not even sheep behavior, you've moved on to lemming. Congrats.
-reemul
who actually prefers that the criminally silly declare themselves in such a way, it makes them easier to spot
You're just jealous 'cuz the voices talk to *me*
Granted, I'm not a lawyer, in fact I really know next to nothing about law of any kind. But I do seem to remember something about 'expectation of pricacy.' It would seem to me that anybody who is tracked because they used Microsoft products did not realize that by using MS products they were having an electronic tattoo placed on their forearm, and thusly any information that was gathered by using the MS-forearm-tattoo would be inadmissable in a court of law. I could be completely off-base, but I sure hope not.
Another reason this really scares me is suddenly the whole idea of this MS-forearm-tattoo will all of a sudden become more palatable to the general public. When you tell them that they are being tracked by a for-profit corporation the first thing they'll think is "Yeah, but it's only used to catch bad guys."
Computers have already infiltrated our lives to an intimate level, and I find it disheartening that there seems to be both a general disregard and sullen apathy when it comes to dealing with the ramifications of this infiltration. This is doubly disturbing when you realize that everyone also agrees that this is just the tip of the iceberg.
I guess it's time to run off to a deserted island with the Professor, Skipper, and Mary Ann. Who knows, maybe I could get Linux running on one of the Professor's coconut-computers . . .
Sean
RFC2119
Sorry I've gotta disagree with you big time here. Your malice and anger are displaced. Why? Personally I have more respect for the virus author than for anyone who fell for it. Too many people are becoming too relient on technology they don't understand.
At least the author understood the system well enough to exploit it.
The lusers who actually let the virus run free on their system by allowing software to run macros automatically on incoming e-mail messages are the ones I blame. Them and a culture that tries to get us to accept more technology into our life without understanding it.
Don't get me wrong. Viruses Piss me off big time. But having been around computers since the mid eighties and for a good part of that time being too involved in "fringe activities" (Shall we say?) I have never lost any data to a virus.
Sure I've lost some time getting rid of it but at least I leared my lesson and looked at my computing habits.
Protecting yourself from computer viruses isn't all that much harder than locking your car doors when you get out. Of course I know a college grad who got upset when someone stole his car stereo even though he parked it with the windows open and doors unlocked.
--- Juggle juggle@hitesman.com
I'm a sysadmin. In the end, people like me get stuck with cleaning up the mess whenever any over-hormoned cracker decides to crack/write virii/pingbomb/etc. a machine/network. I can certainly sympathize with alot of the people calling for lynching this guy. Though I don't think that's the right answer.
And, while I can certainly appreciate the skills that go into writing virii, that doesn't mean we should in any way encourage this sort of "skill". That includes the sort of nudge, nudge, wink, wink> comments I've seen here. Yeah, Charles Manson was one of the most skillfull and persuasive leaders of the 70s, but I don't want anymore of that type around, either.
Microsoft (and others) deserve to get nailed with a "defective product" suit one of these days for shipping shoddy products. That day will come (sooner, I hope, than later). But encouraging vandals (and let's not kid ourselves, that's what crackers and virus-writers are) isn't the solution.
An analogy, if I may:
In my neighboorhood, 9 of the ten houses are built by XYZ, and come with 10 door locks (of which 5 are broken, and the other 5 are very hard to turn). 1 house (built by ABC) has 3 locks, all easily set. One day, a burgler walks down my street, wiggling the door to each house. If he can open the door, he walks in, re-arranges the furniture, and smashes a few things. If he can't open the door, he goes to the next one. So, guess what! 3 houses get sacked, and they were all made by XYZ. Now, do I complain to the police that XYZ should be held responsible for smashing my furniture? No! I help catch the burgler, send him to jail, and then file a complaint with the Better Business Bureau about the shoddy work that XYZ does (maybe even a civil suit).
Virii-writers are pond scum. If you are smart enough to find a bug/exploit in a program, TELL CERT! That's what they're there for. Sure, the responsible company might not fix it fast. But that doesn't make it right to go smashing other people's property. If the software company isn't responsive to security demands, well, vote with your feet (and dollars). Don't buy from them.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
Call me pervert, but I actually enjoyed reading all those reports about Melissa spreading and knoking out mail systems ;)
Seriously, I think this is kinda Microsofts fault. It is a fact of life, that if something can be missused, it will. And what measures does Microsoft take to prevent the missuse of Word and Excel macros? None. Of course, technically it isn't their fault, but I think it's clear that MS should fix the HUGE security holes in Office and Windows.
Everyone believes its a law of nature that all software is susceptible to viruses like this. Even word processor documents! Why is it so impossible to explain to people that the outrage is MS-Word, not the Melissa virus!
As with all virii that expose a security flaw, I hold no grudge against the author of the Melissa virus. But, I think that while Microsoft somewhat to blame, in this instance, this should also be a warning to Unix comunity. This isn't just an email virus. It also plays social-engineering tricks on you. This virus comes from a known email address.
If a friend sent me a PERL script and said it was amusing, it's very possible that I'd run it. I would hopefully look at the source first; and wouldn't run it as root. But, what if I felt lazy that day.
If we aren't lazy this isn't a huge problem. Many of us would be wary of a binary, and know enough about programming to examine source code. What will our community look like next year? The Linux community is expanding quickly. We've got project s like KDE and GNOME trying to make things more user-friendly. The hacker-quotient is, and will continue, to drop rapidly.
In this instance, User-Friendly is what caused the propogation of this bug. User-Friendly is what makes it possible for some virii to spread. Either by having automated startup routines that a user rarely sees, or doesn't know about (Mellisa would auto-run through an init file), or automated features that make you lazy. The 'user-friendly' thing for an email client to do is to make attachments automatically run, or make them easy to run.
As we, as a community, become more user friendly; as we attract more hands-off users, I feel that we will be opening up possibilties for this kind of virus to sneak into our ranks. I can't really think of anyway to prevent this kind of program from propogating, aside from awareness. But, as we increase automation we seem to also decrease awareness.
It was handy once, and will be handy to catch abject imbeciles, but the MS GUID (and the Pentium III digital serial number) won't be of any help to catching the moderately intelligent criminals. They'll skate around it somehow (I can think of two ways right now) and we'll still pay the viral price.
My mother-in-law, a woman in her 50s who's firmly turned-on to the digital age but remains innocent of all but the most basic knowledge regarding computer security issues, is an easy target for these virii. She's still a digital toddler; she trusts all the digital adults out there and doesn't know that some of the misguided ones are out to hurt her. She's got some top-flight viral protection on her machine, but that only helps for the known virii.
In the end, it comes down to education. As much as I hate it, I get to shatter her innocent enjoyment of computing and show her a bit of the darker side; she'll be wiser for it, I know, but watching her take such joy in the medium that I've grown inured to was quite pleasurable to me -- like hearing a five-year-old laugh at a silly joke you heard ages ago and chuckling to yourself, knowing how much more pleasure is ahead.
Thanks, VicodinES, for dragging her into your world.