Slashdot Mirror
Melissa suspect arrested
Stone Table writes
"MSNBC reports that the FBI arrested a suspect believed to have authored the Melissa virus "
This is definitely a tricky one: course, its a windows email
virus, so it doesn't affect most of us, but he was tracked
using the MS GUID. Justice? Big Brother? I'm not sure
which.
I'm very glad this happened. As the GUID issue has been discussed, so far it appears the majority of people (at least on /.) have been very opposed to it. Now I'm not pushing the GUID, but I do think everyone needs to weigh the pros and cons of the GUID before they immediately call for its end. In our society today, it appears everyone wants total freedom with zero responsibility. I'm sorry folks, but it doesn't work that way. The GUID may not and probably is not the solution to the identification needs of the Internet as I doubt the issue of abuse was thought about very much during its creation. However, technology like this has its place, as this story shows, and we need to determine how to implement and use it.
I know that people fear abuse of GUID technology, it reduces privacy. I implore you to consider how? We have police forces, the IRS, Social Security Agency, Credit Agencies and many other institutions that have our censent and the government's consent to gather information and rule over us. We as a society have granted them that right. Why? To avoid anarchy. Also, the founders of our country knew that placing people in power and giving them authority to rule, requires us to subject ourselves to them and reduces our freedom. They did not throw their hands up and say, "We can't make a truly free society," or "We can't make a society that is free from corruption." They designed a system with checks and balances, knowing full well that it wasn't perfect, but it was better than nothing. Our police force lives under this system, with mayors and cheifs of police as elected officials. There have been times and there are places where the police have abused power, but how many of us would say, "We can't have a perfect police force, so lets not have one at all."
For that is what we are saying by trying to get rid of the GUID concept all together. I grant you, that although I do not know what all the flaws are, the current setup is most likely not an acceptable candidate for a final implementation of such technology. I do think such technology can be of great benefit to the users of the Internet and society in general if we go about creating such technology carefully, with much forthought. If possible we may want to find ways to implement a checks and balance system in the technology to help prevent abuse. Ultimately it is an issue that needs serious consideration, and not a flippant answer either for or against.
Ryan
I was just on the phone with a friend who was telling me how the Fourtune 500 company he works for had their entire email system go from fully functional to worthless in fourty five minutes. Wow!
It's completely ridiculous. Even more ridiculous is the fact that "onOpen" macros are fairly widely used... I'm taking a (expletive deleted) accounting class where we have to use (multiple expletives deleted) MS Excel for a bunch of spreadsheets... The professor decided it was important to each all the business majors how to "program". So they spent 2 weeks on VBA, the assignment over that section was to write a fairly complex "on open" macro, and now all future assignments must include an "on open" macro that explains what the worksheet does. IMNSHO the professor ought to be slapped. I've emailed him twice already about crap like this, but he's clueless... That class is the only time I've used an MS product all semester, and I'll be glad when it's over.
Virii are bad; this guy was wrong to do this, but the results taught a lesson. Dos's are bad; they piss-off sysadmins like me, but point out the soft areas I need to harden. Spam is bad - and it's fellow-traveler the email server hijacker; but again this situation forces a tightening of the security screws. It would have been better just to have the code announced on bugtraq, but that didn't happen. The guy should get his ass kicked, but jail time is a bit much, IMHO.
Thing is, though, as folks here have pointed out, 1. Anyone who uses the 'net at work has to know the basics of safe comptuing. These folks get educated by their sysadmins/network folks who have to know what goes on "out there". It's a big bad place, with lots of script kiddies, and older folks who should know better, just squirming in their collective jeans to get at an unsecure network. Users have to be made aware of this. Don't open an attachment from anyone unless you're expecting one. Draconian, but a bit safer. 2. MS shares blame for this. Period. This whole episode points out, yet again, that MS products are inherently unsafe in a real networked environment, and that MS applications that pose as server products can't walk the walk. The usual spin from MS will be Alice-in-Wonderland Pt. II, but I guess that par for their course.
"shop smart:shop s-mart" ash
Sigh....
s a.arrest.03/index.html
If you would read the CNN article...
http://www.cnn.com/TECH/computing/9904/02/melis
You'd find out they nabbed this guy by tracking the posting host, the AOL account, and then the phone line used to dial up to AOL.
About the only thing the GUID would be used for might be a piece of evidence linking the document to the computer used to write the virus.
what is really puzzling is that they aren't even attempting to address the real issue. that is, "why does a microsoft word document have enough access to your operating system to be able to inflict such damage?!?" if someone broke into the white house and shot the president, the first question they would ask (after thanking the guy) is "how did he get in and what can be done to prevent this is in the future?". i am shocked and amazed that the fbi has not publicly asked this question of microsoft first. i'm sure there are copies of word in the fbi office, aren't they concerned?!?! of course they know what the real issue is. but as they say, the easiest way to cover something up is to ask the wrong question. the fbi is asking the wrong question to deceive you. DON'T FALL FOR THIS TRICK!!!
you think i'm paranoid?? please remember just a few weeks ago the fbi has proposed an initiative to monitor citizen's bank accounts and would have been given them the right to investigate anyone with "questionable transactions". the fbi has also been trying for years to get broader wiretapping rights to counter "terrorists". to the fbi, every citizen is a terrorist. i might even be dead tomorrow for writing this. DON'T FALL FOR THIS TRICK!!!
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
--
And Justice for None
Im just curious what laws were broken by this "virus"? I mean at best it is an invasion of privacy insofar as it reads your address books w/ out your permission, but what kind of charge is that. It's not an invasion of a system, it's an unsolicitied email, which isn't illegal. Does self replication somehow make against the law?
I think your confusing the issue. The problem is not the gross insecurity of Microsoft software. (Although I wont argue against that.) The real problem is that somebody decided to take advantage of that insecurity for their own amusement.
While I dont think this guy should get the death penalty he did cause email servers to crash and untold amounts of work and effort to IS departments across the WORLD. Lets not even think about the career effects that could be caused by unintentionly sending your boss a list of porno links. He should be punished for it and it is a crime.
Lets face it the guy is 30 years old. Hes a little too old to be a vandel and he should have known better.
As a side note, if this guy really thinks of himself as a bad ass cyber terrorist/vandel, how could he not know about the guid? Its been common knowledge for most of a month.
I started with nothing and I still have most of it.
Sorry, but they have been able to hide behind a wall of ignorance for too long.
They knew when adding the code to their office suite that people could use it to do just what the Melissa author did.
Since its a feature they obviously feel no blame in any of the problems features of their products cause.
Granted it too some loon to write it, but he had the in-direct support of an bunch of people at MS. They are only concerned about their money, which means if a feature that can be abused will make money then so be it, its added anyway.
(I hate working on Good Friday)
.
. * Did aliens forget to remove your anal probe?
Along with the worm author, user education is the culprit here--it is not Microsoft allowing Office objects to be scripted. I think it's a shame to see so much bad information being tossed about on this topic here.
VBA macros are a good concept. It's an excellent way to tie different applications together, including a huge number of non-Microsoft applications. Hell, even bitter Microsoft rival WordPerfect makes use of VBA now. I'd be curious to know how many of the people who thought Neal Stephenson's Cryptonomicon excerpt was so spot-on are now bashing something that he roundly praised in it: VBA.
It's not a security hole: by default, users are warned upon opening the document that it may contain a macro virus and asks them if they want to run it anyway. There are only so many safeguards that you can take for the careless before you start making it a hassle for the users who know exactly what they're doing. People can also be burned by recklessly opening up an EPS document or via an unknown document in Emacs. Getting rid of those features that can burn lazy users isn't the answer--user education is.
I can tell you now that as time goes by, non-Microsoft users, including Linux users, are going to want a VBA analogue (using Perl, Python, etc.) to let their X apps interoperate in the same way. If the GNOME and KDE efforts aren't working on it now, they will be soon, and I'm sure that a good number of the people asking for it will be those who bash VBA at every opportunity; they won't even recognize that they're basically asking for something VBA-like for Linux. It just makes it too easy to tie different apps together to ignore. As long as the push for Linux to become easier continues, it's inevitable.
That last line leads to the main point that people need to keep in mind: the easier that you make computers to use in good ways, the easier it is for people to use them in bad ways.
Sure, anyone could write their own code to test other computers with all the exploits that they know, but using SATAN is much easier. Unfortunately, this makes it easier for the budding hacker (flames to /dev/null) to prey upon the uneducated/lazy user. Rather, the uneducated sysadmin in this case, who hasn't kept his system updated.
There are plenty of examples of this, in all facets of life, not just computer-related. Education is the key, blind Microsoft hatred isn't.
Cheers,
ZicoKnows@hotmail.com
It's a tricky thing, if you out law distribution, then you have to arrest the guys at NA and Symantec because that's how they write the code. Further, many of the most sophisticated vira out there have been written by virus researchers (v2p6) trying to prove concepts, test their code, etc.. (probably a few did it trying to make a buck or two) Then there is that whole freedom of speech issue.
What this guy did was write a virus, and transmit it to a victim who unknowingly activated it. That is against the law.
This is my signature. There are many signatures like it but this one is mine..
I've seen many a post asking if perhaps Microsoft is not just as responsible as the author of the virus - but seemingly no-one has posted (or mentioned) the other article linked to from the story that talks about just that issue.
:-) ).
One of the interesting quotes from that article is a comment from the author of the Internet Worm virus:
"There are a lot of real-world parallels. People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobdoy bought them."
Which is a bit out of context, and meant more that people don't care about it now but they will eventually (or perhaps be mandanted to care?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Sorry, it's,
"Those who would sacrifice freedom for security deserve neither."
--Ben Franklin
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
Sure, they'd arrest all of you. So? You were going to plead not guilty after posting your intentions here? Maybe they don't have the jail space for all of you. So they'll have to settle for probation, community service (you like picking up trash, right?), and some gi-normous fine with your wages garnished until you die. You get to be part of a batch justice process. A large joint trial for you and your hundred closest, with a template sentence. Followed by the next group, and the next, in lots as big as the courtroom will hold. And it'll still be a felony conviction, so no voting, no guns, good luck getting a job to pay that whopping fine. Your terms of probation will probably include the old-standby "no using a computer" for the next three years, good luck staying current and marketable. And I'm sure your probation officer will be a caring, understanding, people-person, who won't declare you in violation for quitting that miserable job you got right after your conviction when your old gig tossed you. You did know that probabtion officers get to control your life right up until the absolute last day of your time? You'll miss those friends, but associating with anyone else who got nailed at the same time is a violation of your probation.
If tons of folks are convicted, you won't all get to hit the speaker circuit. No big advance cash from the book. No TV time to espouse your cause. No "hey, I *wrote* this cool thing." Nope, you'll just be some copycat anarchist wannbe with delusions of adequacy.
Yup, yup, sign me up.
That's not even sheep behavior, you've moved on to lemming. Congrats.
-reemul
who actually prefers that the criminally silly declare themselves in such a way, it makes them easier to spot
You're just jealous 'cuz the voices talk to *me*
Granted, I'm not a lawyer, in fact I really know next to nothing about law of any kind. But I do seem to remember something about 'expectation of pricacy.' It would seem to me that anybody who is tracked because they used Microsoft products did not realize that by using MS products they were having an electronic tattoo placed on their forearm, and thusly any information that was gathered by using the MS-forearm-tattoo would be inadmissable in a court of law. I could be completely off-base, but I sure hope not.
Another reason this really scares me is suddenly the whole idea of this MS-forearm-tattoo will all of a sudden become more palatable to the general public. When you tell them that they are being tracked by a for-profit corporation the first thing they'll think is "Yeah, but it's only used to catch bad guys."
Computers have already infiltrated our lives to an intimate level, and I find it disheartening that there seems to be both a general disregard and sullen apathy when it comes to dealing with the ramifications of this infiltration. This is doubly disturbing when you realize that everyone also agrees that this is just the tip of the iceberg.
I guess it's time to run off to a deserted island with the Professor, Skipper, and Mary Ann. Who knows, maybe I could get Linux running on one of the Professor's coconut-computers . . .
Sean
RFC2119
Sorry I've gotta disagree with you big time here. Your malice and anger are displaced. Why? Personally I have more respect for the virus author than for anyone who fell for it. Too many people are becoming too relient on technology they don't understand.
At least the author understood the system well enough to exploit it.
The lusers who actually let the virus run free on their system by allowing software to run macros automatically on incoming e-mail messages are the ones I blame. Them and a culture that tries to get us to accept more technology into our life without understanding it.
Don't get me wrong. Viruses Piss me off big time. But having been around computers since the mid eighties and for a good part of that time being too involved in "fringe activities" (Shall we say?) I have never lost any data to a virus.
Sure I've lost some time getting rid of it but at least I leared my lesson and looked at my computing habits.
Protecting yourself from computer viruses isn't all that much harder than locking your car doors when you get out. Of course I know a college grad who got upset when someone stole his car stereo even though he parked it with the windows open and doors unlocked.
--- Juggle juggle@hitesman.com
I'm a sysadmin. In the end, people like me get stuck with cleaning up the mess whenever any over-hormoned cracker decides to crack/write virii/pingbomb/etc. a machine/network. I can certainly sympathize with alot of the people calling for lynching this guy. Though I don't think that's the right answer.
And, while I can certainly appreciate the skills that go into writing virii, that doesn't mean we should in any way encourage this sort of "skill". That includes the sort of nudge, nudge, wink, wink> comments I've seen here. Yeah, Charles Manson was one of the most skillfull and persuasive leaders of the 70s, but I don't want anymore of that type around, either.
Microsoft (and others) deserve to get nailed with a "defective product" suit one of these days for shipping shoddy products. That day will come (sooner, I hope, than later). But encouraging vandals (and let's not kid ourselves, that's what crackers and virus-writers are) isn't the solution.
An analogy, if I may:
In my neighboorhood, 9 of the ten houses are built by XYZ, and come with 10 door locks (of which 5 are broken, and the other 5 are very hard to turn). 1 house (built by ABC) has 3 locks, all easily set. One day, a burgler walks down my street, wiggling the door to each house. If he can open the door, he walks in, re-arranges the furniture, and smashes a few things. If he can't open the door, he goes to the next one. So, guess what! 3 houses get sacked, and they were all made by XYZ. Now, do I complain to the police that XYZ should be held responsible for smashing my furniture? No! I help catch the burgler, send him to jail, and then file a complaint with the Better Business Bureau about the shoddy work that XYZ does (maybe even a civil suit).
Virii-writers are pond scum. If you are smart enough to find a bug/exploit in a program, TELL CERT! That's what they're there for. Sure, the responsible company might not fix it fast. But that doesn't make it right to go smashing other people's property. If the software company isn't responsive to security demands, well, vote with your feet (and dollars). Don't buy from them.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
Call me pervert, but I actually enjoyed reading all those reports about Melissa spreading and knoking out mail systems ;)
Seriously, I think this is kinda Microsofts fault. It is a fact of life, that if something can be missused, it will. And what measures does Microsoft take to prevent the missuse of Word and Excel macros? None. Of course, technically it isn't their fault, but I think it's clear that MS should fix the HUGE security holes in Office and Windows.
Everyone believes its a law of nature that all software is susceptible to viruses like this. Even word processor documents! Why is it so impossible to explain to people that the outrage is MS-Word, not the Melissa virus!
As with all virii that expose a security flaw, I hold no grudge against the author of the Melissa virus. But, I think that while Microsoft somewhat to blame, in this instance, this should also be a warning to Unix comunity. This isn't just an email virus. It also plays social-engineering tricks on you. This virus comes from a known email address.
If a friend sent me a PERL script and said it was amusing, it's very possible that I'd run it. I would hopefully look at the source first; and wouldn't run it as root. But, what if I felt lazy that day.
If we aren't lazy this isn't a huge problem. Many of us would be wary of a binary, and know enough about programming to examine source code. What will our community look like next year? The Linux community is expanding quickly. We've got project s like KDE and GNOME trying to make things more user-friendly. The hacker-quotient is, and will continue, to drop rapidly.
In this instance, User-Friendly is what caused the propogation of this bug. User-Friendly is what makes it possible for some virii to spread. Either by having automated startup routines that a user rarely sees, or doesn't know about (Mellisa would auto-run through an init file), or automated features that make you lazy. The 'user-friendly' thing for an email client to do is to make attachments automatically run, or make them easy to run.
As we, as a community, become more user friendly; as we attract more hands-off users, I feel that we will be opening up possibilties for this kind of virus to sneak into our ranks. I can't really think of anyway to prevent this kind of program from propogating, aside from awareness. But, as we increase automation we seem to also decrease awareness.
It was handy once, and will be handy to catch abject imbeciles, but the MS GUID (and the Pentium III digital serial number) won't be of any help to catching the moderately intelligent criminals. They'll skate around it somehow (I can think of two ways right now) and we'll still pay the viral price.
My mother-in-law, a woman in her 50s who's firmly turned-on to the digital age but remains innocent of all but the most basic knowledge regarding computer security issues, is an easy target for these virii. She's still a digital toddler; she trusts all the digital adults out there and doesn't know that some of the misguided ones are out to hurt her. She's got some top-flight viral protection on her machine, but that only helps for the known virii.
In the end, it comes down to education. As much as I hate it, I get to shatter her innocent enjoyment of computing and show her a bit of the darker side; she'll be wiser for it, I know, but watching her take such joy in the medium that I've grown inured to was quite pleasurable to me -- like hearing a five-year-old laugh at a silly joke you heard ages ago and chuckling to yourself, knowing how much more pleasure is ahead.
Thanks, VicodinES, for dragging her into your world.