The Melissa Syndrome
CRIME AND HYPE: The Melissa Syndrome
John Dillinger himself wasn't arrested with much more fanfare. When police in New Jersey announced the "capture" last week of David Smith of Trenton, allegedly the creator and distributor of the now famous Melissa virus that's supposedly infected more than 100,000 computers and shut down several hundred corporate computer systems, it made front pages all over the country.
The FBI acted as if it had just rounded up the world's most wanted terrorist. The bureau rushed to hail its new National Infrastructure Protection Center, a division created to fight cyber-warfare threats following teenaged hackers' intrusions on U.S. Defense Department networks. "We will track down these electronic saboteurs," promised William Megary, the FBI special agent in charge of the Melissa investigation.
The case was such a public relations bonanza that New Jersey's governor - never before known to have uttered a syllable about the Internet -- turned out before the cameras to praise the "good old-fashioned detective work" that brought the villain to justice. She was flanked by the Attorney General and a battalion of law enforcement officials.
This reeks of opportunism and hype.
And it reflects the curious mythology of the Net and the Web, especially to the old-world institutions trying to figure out how to deal with it. The idea of a computer virus is genuinely chilling. But has it created enough damage or suffering to warrant this kind of coverage? Or is the idea of the virus more menacing than the reality?
Anybody who's been paying attention to the Net for any length of time has learned to be deeply suspicious of journalistic and law enforcement pronouncements about cyber-criminals. Both government and journalism have been fundamentally clueless about the dangers presented by hackers, virus-makers and other bogeymen. Dubious, unchallenged statistics are often presented as fact, great dangers invoked where there are few, sometimes no, victims. Too often, the hype hasn't fit the crime. More than anything, bureaucracies like to grow, and nothing feeds them faster than saving the public from real or perceived danger.
This drama has become almost ritualistic, ever since the famous Secret Service raids on suburban hacker bedrooms in the 80's. Law enforcement, competing for bureaucratic jurisdiction over the Internet, deeply suspicious of a culture it can't understand or control, has pressed for encryption tools and standards that challenge both privacy and freedom.
Journalists, threatened by the ferociously independent digital culture, accept and relay all sorts of unfounded accusations and statistics, and seem eager to portray the Net as a public health hazard.
So when somebody is hauled out of an apartment by publicity-hungry law enforcement agents, his equipment seized, the media enthusiastically passes along reports of massive damage and danger with little or no detail or substantiation.
The brilliant loner stalking society plays into the media's shallowest stereotypes and the public's deepest fears. In the David Smith case, the media have found their latest Kevin Mitnick-style cyber-villain, another disconnected computer addict without a life, using his computer skills to prey on unsuspecting citizens and helpless companies.
The 30-year-old programmer was described as a reclusive, anti-social loner who rarely left his apartment. He allegedly named his virus after a topless dancer in Florida. He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems. As noxious as viruses are, Dillinger, in fact, would have been embarrassed to be nailed on charges like this.
Journalists reported the existence of dark and menacing viral subcultures lurking on the Net and Web, working feverishly to prepare lethal viruses. Was Smith also VicodinES, another virus writer linked in Net posts with the creation and dissemination of Melissa?
According to the New York Times, the emergence of the Melissa virus "underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild."
To hackers, thieves, crackers, perverts, addicts and porn-peddlers we now add viral terrorists - "the anarchic lure of virus writing," one paper called this new danger. Curiously, if typically, there was no hard evidence to support the suggestion that virus writing has become epidemic, or even to substantiate the police estimates that more than 100,000 people and hundreds of companies had been affected by Melissa. How would we know? Did they all call the FBI?
Stories like this one reinforce the idea - already entrenched in journalism and politics - that people need walls around their computers to protect themselves, their businesses and their families.
These walls sometimes take the form of legislation (the late CDA, for instance), and sometimes result in the blocking and filtering systems spreading all over the Net.
"Here we go," e-mailed Johnny Rocket, who creates, studies and then dismantles (but never distributes) computer viruses for fun. "There are some sick people out there, but why don't they ever check to see how much real harm is done? Mostly, they're dumb kids. But they don't do nearly as much harm as you would think from watching TV."
And not nearly as much as human beings do to one another in the real world either. A child maimed or killed by gunfire --- more than 5,000 American kids were casualties of guns last year -- doesn't get a fraction of the coverage or attention David Smith or Melissa will get.
TECHNOLOGICAL HOSTILITY
Still, for all the exaggeration, hostility is a reality online. Whoever created Melissa did cause harm and damage. And to human beings, not just machines. He or she also reinforced the false idea that the Net and the Web are dangerous places inhabited by threatening people, and in need of urgent policing. The FBI and its National Infrastructure Protection Center are ready and waiting.
Yet some programmers do generate destructive programs like Melissa and take some warped pleasure in distributing them. Some do make viruses for fun, the same way others love bar codes and study magnetic strip coding. This kind of behavior isn't new to the world, or unique to the Net. Every year, thousands, even millions, of people race trains across tracks, drive drunk through stop signs at high speeds, beat up their spouses and kids.
But one of the strange realities of Internet life is that it juxtaposes extreme anger and powerful friendship, closely and continuously.
The Net is awash in varying emotions and diverse responses. It brings support, creates community, makes communication easier than ever, and almost simultaneously spawns disconnection and hostility.
The nearly continuous dichotomy - making friends, receiving generous advice and direction, fending off flames and criticism, even dodging viruses and mail bombs - is so discordant as to be disorienting.
In many ways, the Net is fundamentally about community - bringing disparate, far-flung people together in new kinds of social groupings. You really can't go anywhere online by yourself and be completely alone. Technologically-driven hostility becomes even more important in that context, because community requires the members of a given group to talk about issues, forge common values, articulate goals.
The communicative social nature of the Net makes the former - the coming together -- easy, but the latter - rational discussion -- almost impossible. People who share an interest in Linux, open source or free software can come here from all over the world, but can they talk openly about the very thing that brings them together? Not often easily. Any half-dozen angry people can, and often do, disrupt a discussion in seconds (and not just here, but all over the Web), driving away people who are disinclined to trade insults or have better things to do. The effect is bizarre. The majority are driven underground and out of sight, the tiniest minority becomes a tyranny.
I've made my closest friends online, gotten many of my ideas and a torrent of thoughtful commentary. I am continuously supported, and educated. I am continuously challenged, attacked, insulted. Although I'm used to it, it's still sometimes bewildering to be praised and criticized simultaneously, for the same ideas and words, so immediately and intensely that it's hard to maintain a sense of reality at times.
Should you still listen to all the feedback, or make a point of ignoring it? Do you factor in age and gender? Do you credit the most articulate and impassioned critics? The most thoughtful? Or do you finally throw up your hands, and go by your own instincts?
When I wrote for conventional media - Rolling Stone (where I still write), New York, GQ and other places - the problem was simpler. I was trained to dismiss readers. It didn't matter what they thought. Nobody could reach me, except those taking the trouble to write and send letters.
But every idea advanced online is praised, attacked and criticized in varying degrees, sometimes within seconds of being published and for weeks, even months beyond.
The bulk of e-mail is radically different from most of the public posters on the site itself. Neither group, the flamers or the lurkers, seems to have much direct contact with or even consciousness of the other.
Unaware that I receive praise, the flamers expect me to go up in smoke. Unaware of one another, the lurkers reassure me. The lurkers sometimes know that ferocious, even vicious, debate and hostility is evident just a few scrolls down. The flamers have no idea that anything else is.
For a columnist dealing in opinions, this is a Brave New World, a parallel universe, my very own Matrix. It's sometimes impossible to know where one reality begins and the other ends.
CLOSING THE DISTANCE.
Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions.
Although they differ enormously in their impact, the principle is the same as scientists' and technologists' advocating the use of advanced air weapons against remote and presumably primitive peoples.
Both kinds of attacks are made possible by the disconnection technology permits. We don't see our adversaries as human beings, and don't expect to ever encounter them. So, since we have the instant and visceral technology to respond emotionally to things we fear or dislike, we attack them with the expectation that there will be no consequences. And there hardly ever are. On the Net, assaulting someone is no tougher - or riskier -- than pushing a send button.
Online violence and hostility, wildly exaggerated in terms of scope and danger but still epidemic, will diminish only when the distance between people is somehow closed by the same technology that now promotes it. Perhaps when audio and video-streaming permits live encounters with real-time video and sound. Or when phone, voice and visual messaging technologies fuse, and the presence on the other end appears, even in virtual form, as a human being.
Smith may or may not be the author of the virus, and it may or may not be as dangerous and pervasive as the publicity-hungry cyber-cops suggest. But it's still a great metaphor for the nastiness that has marked the first generation of the Net, and then the Web.
For me, the damage comes mostly from what can't happen: intelligent, continuous discussions, messages from the many lurkers who have powerful ideas but are not willing to endure the public assault that comes with expressing them.
The best resistance: to persevere. To listen to all criticism, no matter how crudely expressed, and keep writing and talking. To do anything else would be to give up the freedom that makes the Net unique. Some day, the Net will have its own equivalent of a "peace" movement, and mindless hostility will be perceived as the very direct threat to free and open speech that it is.
Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.
It aborts ideas.
Hostility, from flames to viruses, is an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.
And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.
"The lesson," wrote computer pioneer Joseph Weizenbaum in a 1976 essay explaining the people who advocated the advanced weaponry used to maim and kill during the Vietnam War, "is that the scientist and technologist must, by acts of will and of the imagination, actively strive to reduce such psychological distances, to counter the forces that tend to remove him from the consequences of his actions."
jonkatz@slashdot.org
This is the first time you write a good essay, and do not miss the point. I agree with you.
How could you do that? Have you been on drugs lately?
Katz, you're right about the idiocy and the self-serving incestuous relationship between publicity-seeking cops and sensationalizing journalists, both seeking to pander to the inexorable public will to irresponsibility in all matters, but you're making a dangerous mistake presuming to speak for Smith or any other virus writer or hacker. If he wrote it. I don't know. He sure as hell is innocent of the actual charges against him. I'll tell you bluntly though that you don't have a goddam clue about his motivation or intentions, regardless. Hostility doesn't have a damn thing to do with it. It might if it would mean a goddam thing in a world that insists on misconstructing everything, but it doesn't. In a just world, though, the man would get a fucking medal, not a jail cell.
You come so close some times, Katz, but you're buying into the fear and propaganda you're shrewd enough to see, yet keep capitulating to. Keep trying, though, you'll get it.
Free David!
Free Kevin!
I wanna meet this Melissa chick.
You were doing really well with this piece. It had a point, and made it. Then you rambled. Some advice: if it can be said in 5 words instead of 25, keep it short. You won't lose your audience that way. And for once, leave YOURSELF out of it. No "I receive praise", no "I've published a book", and no resume pushing. It makes you sound condescending.
Whitman made the hype worse by making the press circus, I mean, conference. Her motivations were two-fold:
1) Appear nationally on camera before her run for the NJ senate. The more exposure the better...
2) Project the feeling that NJ law enforcement is under control since she sacked the Col. of the State Police for making non-politically correct remarks (I _STILL_ can't figure out what is so wrong with profiling ethnic gangs with particular narcotics).
She seized on the moment and used the hysteria surrounding what should have been an insignificant event to further her career.
Now, if we can just get Al Gore to admit to creating the first computer virus...
This time, the virus author fucked up and released his identity. But what if it's impossible to find out who the author is? I can describe several scenarios in which the author can spread his virus without any possibility of getting caught. So suppose it's impossible to find out who the author is. Who gets the blame?
Are you getting the picture? Do I have to spell it out for you? If nobody is to blame, then virii become like an Act of God: unpredictable and capricious, bringing down your network and computers at a whim.
In this kind of world, which is closer than you think, the inherent unreliability of the infrastructure that permits such virii to thrive is to blame. And who created that infrastructure? Microsoft.
Exactly right, when a web site I visit starts a java applet without my permission, slowing down my browser, can I charge the web site owner with theft of computer systems?
The people who got the mail ran the macro. If they don't know what a program does, they shouldn't run it, right?
(Although the alleged miscreant may be guilty of stealing the account on AOL...)
Is this the same licence that says that users who do not agree to the terms of it are entitled to a refund? IMO because Microsoft and its vendors won't honor one part of the licence, all parts should be void.
The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water. Claiming the victim is at fault for a crime is wrong. If a bank is robbed, is it the bank's fault because they didn't have sufficient security?
Hmmm....well, maybe.
I know that if you accept credit cards over the internet and don't take any security precautions, you can be held liable for any damages caused by theft. And if a bank had a history of robberies and didn't take any extra security precautions, and someone was subsequently injured in a robbery, yes the bank would be held liable.
And in Microsoft's case, from all available evidence, the liability borders on being criminally negligent.
And no matter how you feel about virus writers, they have certainly added to the sum total of accurate knowledge on this planet, which I always assumed was a good thing.
hacker \Hack"er\, n. One who, or that which, hacks. Specifically: A cutting instrument for making notches; esp., one used
for notching pine trees in collecting turpentine; a hack.
cracker \Crack"er\ (kr[a^]k"[~e]r), n. 1. One who, or that which, cracks.
2. A noisy boaster; a swaggering fellow. [Obs.]
What cracker is this same that deafs our ears? --Shak.
3. A small firework, consisting of a little powder inclosed in a thick paper cylinder with a fuse, and exploding with a sharp
noise; -- often called firecracker.
4. A thin, dry biscuit, often hard or crisp; as, a Boston cracker; a Graham cracker; a soda cracker; an oyster cracker.
5. A nickname to designate a poor white in some parts of the Southern United States. --Bartlett.
6. (Zo["o]l.) The pintail duck.
7. pl. (Mach.) A pair of fluted rolls for grinding caoutchouc. --Knight.
You're right, I'll never confuse the two.
The analogies being used to describe this issue are somewhat missing the point. Blaming Smith and Wesson when someone uses one of their guns in a crime is not the same as M$ leaving open known security holes.
You can't blame S&W for the (proper) use of their product as advertised, even if it is a crime. However, if you are negligent in that you know that use of your product can cause harm but you don't fix it, you must accept some blame.
This is more closely related to the infamous Pinto that Ford decided not to fix because the anticipated cost of potential lawsuits was less than the redesign and recall costs. Microsoft knew that the security holes existed, and therefore must accept some responsibility. They are not, however, responsible for the actions of the author, and are not 'accomplices'. They were negligent, not co-conspirators...
I'm not sure if this is the best analogy. It might be more appropriate if the group of people are described as otherwise intelligent people who, due to massive PR hype from the gun companies, have accepted as fact that guns are safe and can't do any harm, even though the guns have their safety catches off by default and are known to fire in random directions when other guns fire.
The virus (worm?) adds to a registry key with the word "Melissa?" in it to indicate it has already infected this machine. The keys in the registry are arbitrary, so it very well could be named after the dancer.
So what you're saying is that any crime where it is 'impossible to find' the criminal should be likened to 'an Act of God'.
So if the criminal is not or cannot be found it automatically becomes the victim's fault. Now, there's a great piece of logic.
That argument is so deficient on its face as to need no rebuttal.
I must respectfully disagree on a couple of points. I think what Jon is saying has a lot of merit and I think that some of what he wrote is not dissimilar to what Rob wrote last week.
The key here is that what Jon & Rob are both saying is not that flaming is bad in and of itself. Certainly criticism is an important thing that breeds better ideas. What both of them are saying is that there are better ways to criticize than to flame. If you think someone has made a mistake, or has volunteered a position you disagree with, express yourself politely. I can tell you from experience that if I state my opinion on something and someone counters me politely I'll remain open and willing to listen about 90% (no one is perfect :). If you scream at me and rant and rave I'll most likely just turn beet red from anger and stalk away. How does that encourage ideas to flow?
That's why I think Jon is right when he says "It aborts ideas." User A states his opinion and is flamed outright for it. If User B is more timid, but has a good idea, why should he post it? Who's to say he won't receive the same treatment? After all, perhaps he thought User A had some good ideas and look what happened to him.
As for "How clever! So in order to keep free access, we need to tone down our opinions and statements? Bullshit." I agree that toning down opinions and statements is not the way to keep free access, but I don't think for a second that's what Jon was trying to say. I think he was saying that so long as a large, visible seeming-majority choose to express themselves so negatively, it lends credence to the idea that the Net is populated by the kind of people that Jon said: thieves, malicious malcontents, dangerous perverts, etc. This may not be true, but the old adage that perception is as important as reality certainly applies.
In truth, I've come to believe the Net is an Anarchy. Far from what the word is popularly held to mean, it simply means "absence of government". It has more to do with "harmony" than "chaos". The last thing I want is Big Brother stepping in to govern the Net. I like the Net free and unregulated (as I suspect you do) so that the very ideas it was founded upon can continue to flow. As my political science prof told me last week, however, anarchies will only work properly once people develop a better moral code: in a culture where you can do anything you want, you need good moral training to refrain from doing negative things. In short? It means you have to learn to treat everyone, _EVERYONE_, even people with whom you disagree, with _RESPECT_, 'cause at the end of it all, we're all human. Even the Microsoft people ;)
BTW, I'm not really an Anonymous Coward, I'm just too lazy to figure out what my logon is :) I believe I'm one of EnSabahNur or CainDragon at /.
Hmm...
so I sit at my text editor, and come up with some story about my kid brother, who has this kidney disease, and wants people to send him flip tabs from soda cans, and by you sending this message to 5 other people, you'll be granted an E-ticket when it comes time to reach for Nirvana.
Oh, I of course send it out from the list of e-mail addresses I've sucked off of the archives from Usenet posts on DejaNews, and of course through some pirated AOL or whatever megaISP user account is handy for me...
OK, so some Joe in Bergen County, New Jersey, is suddenly flooded when he opens his mailbox with about a million envelopes from Well Meaning! people with all their flip tabs from the week.
Hmm...
And it keeps on going even though Joe has been on all the news for the week, all the "news magazine" shows, etc., saying, "to the asshole who did this to me, the only good thing about all these flip tabs is that their density of packing is better than crushed soda cans, so I get a good price/volume ratio at the metal recycler!", and the flood of mail INCREASES?
Or it's revealed that there is no little brother, that it's all a big hoax?
Still get e-mail from well-meaning people warning you about the Good Times "virus"?
Re: Suing Microsoft...
Someone might try, but that nasty software license will get in the way, you know, the part about Microsoft making no warranty or guarantee of suitability for their products other than being liable for replacing the media they come on...
Or, read the Java license... "don't use this software for controlling medical equipment or nuclear power plants".
Everyone is so quick to blame Microsoft for making crap products, and the user from being stupid. Stupid for buying Microsoft and stupid for opening up the Melissa attachment.
/. attitude of "blame Microsoft for every atrocity in the world" is waxing a little old. I hate Microsoft too. And I tremble at the current media hype surrounding this "virus." But that is no reason to accuse Microsoft of the creation of this virus. Should they remove as many possibilities in their programs for such exploitation? Absolutely. But there is no way any software company is going to have flawless code and flawless design. There will always be holes. And let's not just jump on the bandwagon and attack the enemy like we do after every article just because.
Don't misunderstand me. Standing up for Microsoft is not at all my point here. But everyone is posting as if some hacker/programmer/whatever has the right to exploit whatever system flaw is in the Microsoft product, just because there is the system flaw. Yes, Microsoft should fix those flaws whenever possible, and they can't be held in high regard for the complete and utter lack of quality that spews out from Redmond.
But none of this gives a programmer a right to exploit this bug. Let me illustrate. We don't blame the gun manufacturer for the mis-use of their product. We blame the guy that pulled the trigger. In this case, we don't blame Microsoft because they made a faulty product. Or I should say, we shouldn't. There wasn't really any danger in the Microsoft product unless someone exploited it.
This
"A child [maimed] or killed by gunfire --- more than 5,000
American kids were casualties of guns last year -- doesn't
get a fraction of the coverage or attention David Smith or
Melissa will get."
First of all, your very statement contains the reason why this is:
violence, even mortal violence, has become too commonplace. Melissa
was *new*.
Secondly, you are guilty of some of the same criticisms you level
against your trade. In this case: hyperbole. More than 5,000
American kids were *not* casualties of *guns* last year. They were
casualties of violence where it happened that a firearm was
employed. Guns are not self-aware.
So much for your credibility, Jon. I believe that'll be the last
of your articles I bother with.
Hmm...
It's not that hard to do. Check to see if the msoutl8.olb library has been linked, if not, tell VBA to find it, then link it in, then run one's code. Want to see the properties & methods? In VBA it's not hard to enumerate the COM properties & methods for an object...
At least it's harder to reverse-engineer (i.e., figure out ordinal entry points, valid arguments, and determine results) from DLLs...
But COM makes it easy...
Of course, he could have written it to go through the MAPI dlls as well...
Don't use a condom, get pregnant. Use Windows, get viruses. Any questions? Having stupid users is no excuse for anyone going to jail. Let the guy go and slap the 'cuffs on the terminally ignorant users who opened this email causing it to spread!
....or maybe not.
So I park my nice Ferrari 512BB downtown one day, and forget! and leave the keys in the ignition, and the doors unlocked.
I come back.
Surprise! It's gone!
Now who exactly is to blame for the loss of the car?
As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson??
Then why are many cities suing gun manufacturers for handgun related deaths?
Anyway, I think this is quite different from the case of MS producing shite software. Despite JonKatz's opinion of guns, they're quite safe when used and stored correctly and sensibly, and generally do what they're designed to do (kill or injure) when put to that purpose. MS has produced a slap-ass, unfriendly, bug-ridden petri dish for all manner of infection that it passes off as the pinnacle of computing technology. Ugh.
Here, let me spell it out for you. If it is impossible to find criminals who keep vandalizing a system, we should (as a society) acknowledge this simple fact. And if we acknowledge that attacks can come from anywhere with no way of finding the perpetrator, then it's time to tighten up the systems that make it so easy for anonymous cowards to abuse them.
No, people shouldn't be writing viruses. But they *are* and except for obvious screwups like the author of Melissa, they can't be tracked down and punished. So we should focus on the infrastructure that the virii feed on.
Microsoft created the infrastructure, it should fix it. And since it's been aware of the faults in the infrastructure for some time, Microsoft is clearly negligent in failing to fix it.
- MSFT released macros for Office95 and Office 4.3 to display a warning dialog for suspicious documents. Not a patch, but another macro. This is significant because the macro kludge did not intercept in all instances. E.G. File -> Open would use the "protection", but double-clicking on an icon would not.
- Surprise, surprise, the protection is better integrated in Office97. I can get better protection for a mere $300 USD. They turned a problem into a sales pitch.
- What MSFT has done is completely inadequate. E.G. most of these "viruses" hook into the "open document" event (forgive my lack of VBA jargon). Why can't you _completely_ disable that hook? Why hasn't MSFT borrowed the relatively rich and thoughtful security model of Internet Explorer with Zones and Levels?
The answer is simple: MSFT does not care. They write and sell apps that are both User-Friendly and Abuser-Friendly. And these jerks are raking in the dough. They're earning two billion dollars in a single 3-month period and can't find the time or resources to improve the product for current customers? It's obscene. Of course I also think some of the blame belongs to those who purchased Word+Outlook for their companies, and those responsible for training employees. But the company that could have done the most to stop this, and the only one that has the right and the resources to do so, pretends there's no issue here.
On a larger scale this incident points out the vulnerabilities inherent in a monoculture. Thank goodness we have diversity of applications, OS'es, and hardware platforms to limit exposure.
You had better check the facts yourself. I don't claim to know much about this case itself, but I do know that even water at a full boil will NOT cause 3rd degree burns, which is charring of the skin.
Smith "molested" no one.
No one was shot or "molested", and Smith's not to
blame for what happened. Pull your head out of your
ass and look around.
Wow, if slightly improper grammar is the line you draw to determine one's credibility, you must be hard to live with. You didn't get the gist of the idea, or you just hate Katz? Let's really put your thoughts in perspective.
The reality of this situation is that everyone here shares the responsibility for the Melissa virus - M$, the users, sysadmins (and IS), and the writer of the virus. They all contributed to the problem:
1. M$ left security holes.
2. Users with little or no computer security education.
3. Sysadmins and IS using M$ products only.
4. The writer for creating the thing.
They all have received (or are receiving) what they deserved:
1. M$ is getting a little flack on the security issue.
2. Users lose productivity (and in really malicious instances, data).
3. Sysadmins and IS lose face in that they didn't stop it or that they recommended products with huge security holes.
4. The writer of the virus may face jail time - or at least probation and fines.
Why?
1. M$ writes crap software - and deserves flack for the security holes.
2. Users should have been smarter - at the very least by backing up their data _every_day_ - and by not using/reading proprietary formats for anything!
3. Sysadmins who blithely use M$ products are sheep being led by a rancher to a spot behind the barn for some serious...
4. The writer should have been much more careful - he wasn't, and so must face the consequences of his actions...
Should he face 40 years, though? NIMHO. I don't think he should face any time unless companies can prove he actually caused damage to their systems (they would have to come forward and present the evidence in court - sure, it would make people wonder why the company was so _negligent_ in letting its employees spread this thing, but "oh well") and impacted their bottom line (BTW - how was the stock exchange affected by Melissa?). Even then, 40 years is excessive - maybe 6 months - maybe. A fine, yes - or public service - but 40 years?
I take exception with this because of a possible future trend - what if someone wrote, not a malicious virus (I don't even think Melissa was malicious), but a benevolent one - say a M$ Word Macro virus that propagated through email and _cleaned_ up other macro viruses - inserting itself in place of the malign one? Would this be viewed as destructive behavior? Would this get the writer jail time? Or would such a "virus" be seen as beneficial on the whole (and if VirusScan killed it, would VirusScan be seen as malicious)?
I am surprised that such a thing hasn't been written yet. I can guarantee that if laws are passed prohibiting such viruses, that it probably never will be.
There is a problem in your reasoning here. One has to purposefully exploit a security hole. A Pinto would just blow up. I agree there is negligence in both cases, and it is avoidable in both cases. But in one case, a user has to purposefully write a program to break Microsoft. No one had to do anything on purpose to blow up a Pinto.
Not to miss the point, I totally agree they weren't accomplices in this action. Ford knew a Pinto would blow up. Microsoft knew someone could kill their product if they purposefully and willfully tried to break it (no, I'm not talking system crashes...).
Uh... Check out:
http://www.alpha-tek.com/burn/type.htm
Creating strawmen and beating them up doesn't help your empty-headed arguments. "Mental masturbation" would actually be too kind a description.
This attempt to shift the blame from the virus author to the victims is hilariously pathetic. But as long as such anti-victim social attitudes exist, so will virus writers.
*You* are part of the problem by encouraging such attitudes and behaviour.
Your argument here is flawed. Much of the parts that go into a car engine are not manufactured by the same company, but are part of an integrated product. Sometimes it makes sense that the pull-chain is the same as whatever it's connected to, but I for one would like the choice of a different pull-chain if the one that was connected to my doohickey was inferior.
... but it doesn't change the fact that a crime has been committed, by a criminal.
If you are going to make strawmen arguments you could try to make them a bit sturdier. Yours disappeared in the first light breeze that came along.
IANAL, but my opinion is that Microsoft was negligent and should be held liable. If a gun is used to kill someone, the gun maker is not liable. But if the gun accidentally fires when it shouldn't, and kills someone, and the gun company knew that this could happen but failed to fix it, then they are certainly responsible.
The same principle applies to Microsoft's responsibility for this virus's spread.
Is it mostly hype and opportunism by politicians to make a "stand" and show they're defending the American public from scary virus terrorists? Definitely.
Does that take anything away from the allegations or the simple fact the perpetrator should be punished? Hardly.
Charging Smith with disruption of computing resources (or whatever) is no worse than charging Al Capone for tax evasion. The law often moves light-ages behind behavior that is disruptive to society, and the authorities occasionally have to adapt appropriate laws for their cause.
As far as "100,000 infected machines..." Obviously a pretty simple sampling technique is used to arrive at that number. Whatever point you were trying to make with your statement in that case is lost on me.
Do you people who keep slamming "the sheep" or "the morons" have JOBS?
Although I use Linux at home, I'm forced to use Windows and the full Microsoft Office package at work. In the course of any given day, I get a ton of department, division and corporate memos in the form of email a day. These can be .doc, .ppt, .xls, or any other number of different types of files. If we don't read them, we could miss out on crucial information.
If I understand this correctly, Melissa wasn't some strange executable file attached to email from total strangers. It was a Word document, and the origin of the email was usually someone you knew. If I get an attachment from our Division President or Team Supervisor, damn it, I have to read it, whether or not it contains macros.
It was dumb luck Melissa didn't hit our group, but it did proliferate in most of the mail system, causing massive slowdowns.
Some of us get PAID to be 'sheep'.
It's not the first time anyone's been prosecuted. I was party to a virus prosecution, back in about 1992. I don't remember the details of the settlement, but it did not involve jail time. AFAIK, there was probation and community service. The DA and others were threatening felonies and federal crimes.
This Melissa writer, whoever it was, was an amateur. It wasn't malicious (see below), but it spread so quickly that someone was bound to notice. If he was any good, #1 he would have figured out that it wasn't a good idea, #2, it would have been quiet about its spread and would have infected more computers before doing something... interesting.
To quote a bad SNL Skit, "I'm Mephistopheles, Prince of Darkness. When I harass you, you'll know it."
Anonymous, and glad of it.
You are absolutely right.
The Pinto case did not require a criminal act to cause harm to another. The negligence that M$ showed was in their lack of a fix for an acknowledged security flaw that could be exploited. The Pinto did not require an overtly criminal act, except maybe rear-ending someone by accident.
But, as you said, M$ may be held to blame for poor business practices, not for the malicious acts that were performed with their software.
The people who got in the most trouble with Melissa were businesses who put *everything* on Billyware. Saying "it's bad to have all these M$ messes running" is an example but you don't have to know anything about computers to know a monoculture is flattened when a predator gains an advantage. And that is exactly what happened here. People running ONE mailer, ONE os, ONE system of interacting with data, and ignoring anything like common sense or the warnings of sysadmins in handling what they got in the mail. Anything that can be exploited in a monoculture like that eventually will be.
A fix from M$ is a recursive instance of the same problem.
Folks, the brighter of the sysadmins out there are now saying "we can't have end-to-end M$ on desktops. We have to contain the damage somehow." The other sysadmins will be losing their jobs when "Spawn of Melissa" starts frying monitors or some damn' thing.
It couldn't be a better time to be a sysadmin. Just whisper "Melissa" to your boss, and he'll do what you say. Unless your shields were down, and your company got thrashed.
So, a lot of businesses run MS Office and other MS doodads on their MS-WinDOS boxen and so we are confused as to who is at fault when all of those MS-thingies break and go poof? Hmmmm... Nice excuse, "safety in mass ignorance" drone the bleating mantras as the sheep waddle off to be slaughtered in their safe masses.
So, what about all of those self styled IT experts with their MCSE stickers proudly stuck to their business cards - the folks that installed the whole insecure schlemiel on a corporate Net? Are they to blame? Or are they convenient scapegoats to be crucified after they clean up the mess?
Or the purchasing agents who bought the crapware and foisted it onto the poor IT sods who now have to make it work. The suits with the nontechnical diplomas who make technical purchasing decisions based on adverts in Forbes. Are they to blame?
How about the long haired Unix freaks who now sit smugly beside their Suns and wax profound about how they've been saying MS-WinDOS is a security Swiss cheese for years. They who say "I told you so" too loud and smile as Redmond burns. Are they to blame? Surely with their knowledge they could have helped to prevent this.
No, maybe we shouldn't all run off and switch corporate Nets to Linux. In fact, don't run off and do anything. Think it through. Lack of thinking is the prime contributor to this mess. Not enough thinking at MS, in purchasing, and in IT. Lack of thinking in every nook and cranny is to blame.
Now the smug Unix/Linux guys need to think about how to make their "better" systems easier to use by non-thinkers and not just smugly smile at the crappiness of WinDOS. This is an old line, but it's still true.
-MikeR-
Hmmm, not a bad article but seems to focus more at MS macro language than at the inherent security problems associated with COM (or whatever), and Windows itself with its dated "one user controls the whole computer" weirdness.
Still, at least they're looking at the smoking gun and not just the bullet.
-MikeR-
Heh. I got caught back in '87, for some playful exploration around university systems. (Not quite on the Mitnick level, but I was pretty good. I got caught thanks to the fuckhead hacker-wannabe I was sharing information with. He logged in at the public terminal clusters with a stolen account. When they cuffed him, he squealed. Moral: don't trust your friends. But I digress.)
I thank the gods above that I was lucky enough to come of hacking age before the decade of hacker hysteria. The cops didn't understand what I'd done wrong. They didn't know what to do. On my suggestion (social engineering!) they wrote me up for a misdemeanor (criminal trespass). Yep that's right, I got a hacking ticket! Paid the $30 fine, no blemish on my record but it gave me a lot to think about.
Today, I'm a good guy. An upstanding citizen. Many of the people on this bulletin board system (that's the way I think of it) probably use my software every day. The skills I gained from 'hacking' have served me well in my profession. If I'd been sent to the slammer for 40 years, I don't know what anyone would have gained from it.
> If KOffice and others make the mistake that Microsoft did, just wait a few years when Linux
> has a more significant desktop penetration, and we'll start seeing Linux macro viruses.
What, everybody will forget regular user accounts and log in as root, then forget all about security? (if yes, then I'm scared)
If the macro runs as a non-root user and is not suid and does not take advantage of some major systems level security hole, all it can damage is the user account. (please excuse over simplification, but you see the point right?)
Part of the problem is the relative ease with which "User" level programs run with "System" level access under Windos. This, of course, is glossed over. It should not be.
-MikeR-
"It's also a mistake to assume that the end users don't know what they are doing. You never know, that 'clerk' on the second floor may be a kernel hacker at home."
Actually no, it's a mistake to assume that they do know what they are doing. If they do happen to have a clue, then great, but assuming that they should know better is asking for trouble..
Um, yeah Word may have shitty security, but the virus did not write itself.. I don't think just because the security hole existed that he shouldn't be punished in some way. If you leave your window open at night, and I go in and vandalize your house, should I not be held responsible? After all, you made it easy for me to get in.. He was in no way obligated to do what he did..
Easy, you have to explicitly mail good times to everyone you know. Melissa never comes out and says "Infect all your friends Y/N?"
The common user probably doesn't know and doesn't care what a macro is, so the warning means nothing to them. I don't know of any virus that can be spread without any user interaction. By your definition an executable virus is not really a computer virus, because it takes a person to run it.
Tom, I think you have it.
Mr. Smith should sue M$ for creating a product
which could be abused and which got him in
a lot of trouble because of their negligence
of protecting Mr. Smith from Mr. Smith.
You can sue cigarette companies using the exact
same logic (in the good old US of A).
M$ has known about these deficiencies
for years and has done nothing but assure the
masses that its products are safe.
And there isn't a warning label on their software.
As I see it, the cigarette companies have a better
defense than M$.
The US is doomed, as this type of ridiculousness
is only going to get worse. Someone has
to show how ridiculous it is by winning a
$150 Million suit like this.
...nah, the lawyers will just slaver more...
Nope, we're doomed! And the lawyers are doing
it. What was the brilliant Roman Emperor quote
again?...
-kabloie
immelspam@nospam.texas.reallynospamplease.netsk
Of course on a single user system, the notion that you "only" trashed all your personal files is small consolation. This is a general problem with all popular OS'es, that all apps run by User X can normally exploit all of User X's authority. This is why we need a good Java 2 Vm and/or something like JavaOS where particular objects, classes, etc. might be locked down more tightly, e.g. limit Netscape to ~/.netscape and ~/nsmail so any bugs won't trash unrelated data.
My tuppence.
If a moron comes after you with a knife, you'd
better shoot him quick. And with handy concealed
weapons laws, that is a much greater possibility.
Doesn't Ohio have a concealed carry law? Maybe
it's still in the dark ages...:(
And if you whack the moron with a hollowpoint or
other advanced design, the possibility of
collateral injuries is much reduced.
Have fun!
-k
Maybe his intent was 100% to point out a
huge hole in MS software. He did it. They should
give him a medal. As opposed to, maybe, 40 years
of gay sex.
The 'victims' now know a little more, and know
which of their friends are as stupid as they
are for having opened the attachment and
sent the mail in the first place.
Melissa is a good thing and I support the
guy who wrote it. Seriously!
-kabloie
Supposedly, Melissa was supposed to send out e-mails with the subject "important message from (username)". Now, I don't know about you folks, but I'd be pretty damn suspicious about someone sending me an e-mail and referring to themselves in the third person. That, combined with the suspicious message in the body, and the suspect practice of attaching *.doc files should be plenty of warning. Are these the same people that see "here is the document you requested" and go "Cool! That document I requested is finally here!"?
-lx
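The three indicators named in the comment above (the third-person subject line, the "here is the document you requested" body text, and an attached *.doc) can be combined into a mail-gateway check. This is an added example, not part of the original thread; the sample messages, file names and the quarantine/scan/deliver policy are constructed assumptions.

```python
"""Score inbound mail against the Melissa indicators quoted in the thread."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Patterns taken from the wording in the comment; tolerant of Re:/Fw: prefixes.
SUBJECT_RE = re.compile(
    r"^\s*(?:(?:re|fw|fwd)\s*:\s*)*important message from\s+\S", re.I)
BODY_RE = re.compile(r"here\s+is\s+the\s+document\s+you\s+requested", re.I)


def melissa_indicators(raw: str) -> dict:
    """Parse one RFC 822 message and report which indicators are present."""
    # policy.default decodes RFC 2047 encoded-word subjects for us.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    try:
        body = body_part.get_content() if body_part is not None else ""
    except (LookupError, UnicodeDecodeError):
        body = ""  # unknown charset: treat the body as unreadable, not as clean

    doc_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc") or part.get_content_type() == "application/msword":
            doc_attachments.append(name or "(unnamed)")

    return {
        "subject": bool(SUBJECT_RE.search(subject)),
        "body": bool(BODY_RE.search(body)),
        "doc_attachments": doc_attachments,
    }


def verdict(ind: dict) -> str:
    """Assumed policy: the text indicators only matter when a Word file is attached."""
    if ind["doc_attachments"] and (ind["subject"] or ind["body"]):
        return "quarantine"
    if ind["doc_attachments"]:
        return "scan"      # ordinary Word attachment: hand to the macro scanner
    return "deliver"       # no attachment, so nothing here can carry a macro


def _sample(subject: str, body: str, attachment: str = "") -> str:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "pat@example.com"
    m["To"] = "lee@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_string()


# Constructed samples (not captured traffic).
SAMPLE_MELISSA = _sample("Important Message From Pat Example",
                         "Here is the document you requested.\n", "REPORT.DOC")
SAMPLE_MEMO = _sample("Tuition reimbursement form",
                      "Form attached, please return by Friday.\n", "form.doc")
SAMPLE_NO_ATTACH = _sample("Important Message From HR",
                           "All staff: benefits enrolment closes Friday.\n")
# Same message with the subject hidden behind RFC 2047 encoding.
SAMPLE_ENCODED = SAMPLE_MELISSA.replace(
    "Subject: Important Message From Pat Example",
    "Subject: =?utf-8?q?Important_Message_From_Pat_Example?=")

if __name__ == "__main__":
    for label, raw in [("melissa-like", SAMPLE_MELISSA), ("memo", SAMPLE_MEMO),
                       ("no attachment", SAMPLE_NO_ATTACH),
                       ("encoded subject", SAMPLE_ENCODED)]:
        print(f"{label:16} -> {verdict(melissa_indicators(raw))}")
```

Requiring the attachment before acting on the subject or body text keeps a bulk memo with a similar subject line out of quarantine.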
I agree--flames and flamers DO "abort ideas" on the net. They don't bother me--I just stick their worthless asses in my killfile and have done with it--but others seeking civilized discourse often just decide "to hell with usenet" and go to closed mailing lists (where you're booted if you flame) and web pages. However I personally think that what finally, really killed newsgroups as a viable medium of idea exchange is good ol' SPAM! You can put the occasional flamer in your filter but spammers keep changing their addresses! And there are so MANY of them, and not nearly enough moderated newsgroups. Oh, well.
Ridiculous? Explain, it's easy to say and to act sarcastic, but it makes sense considering the options, "We don't get what we pay for", "Do Nothing", or "We sue"? Most of the herd (consumers) don't have time to make sure the software they are buying is clean of bugs and clean of security holes, so most of them assume that since they are forking out the money instead of getting the free version, that they will be treated better and not have to worry about anything, little do they know the people who are selling it to them could care less about a little thing called security and even go the opposite direction by sucking out information when they are connected to the net (IE4+).
OK, an average everyday REAL virus, the ones that infect all your executable files, those are hard to defend against, most people will find it reasonable that it's not easy for any software product to defend against this, BUT think about it, could Melissa have been prevented? I think it could have, I think it's neglect that has left people's computers open to this kind of attack, from ANY ONE. Any one!!! Any crazy ass person who can sit in front of a computer and write a script, any one who wants to express himself about how he feels by pissing off others, some depressed kid with plenty of your time to waste, any one.
When you buy or rent a house, do you expect all the outside doors to the house to have locks, or that there is no secret hidden door or opening that leads into your house?
Bravo!
I would love to know where that statistic comes from. He is indeed using the same tactic, trying to push his own agenda in a forum in which (IMHO), the readers don't have much knowledge. The pot calling the kettle black, eh?
It is reported that firearms are used 2.5 million times a year to *prevent* crime. If you are going to believe the 5,000 kids figure, you've got to believe the 2.5 million figure. Seems like a fair trade to me.
This reminds me, there is a boot sector virus called Fish that disinfects a virus called Stoned from the system...
There are some problems with it however...
-Mashiara, sorry, had no time to log in
Melissa required the interaction of the user by way of opening the attached doc.
Ahh, but there's more than just that. They were warned that the doc contained macros and given the option of disabling them and chose not to do so.
Ignorance is _not_ an excuse. It never has been, and never will be. A person is not given a driver's license without being tested for understanding the rules and implications. People that drive without a license are still subject to the same laws, along with added penalties if they are caught driving without a license.
Just because you are a dumbass doesn't separate you from responsibility.
Here are a few rules for the ignorant.
1 - Always run virus protection. Learn how. It's your seatbelt and airbag.
2 - Never open binaries from strangers. Ever.
3 - _Rarely_ open binaries from friends. Often they are at least as ignorant as you.
4 - Find out what it is before opening it. I never open anything that doesn't come with a pretty good description of what it is and what it does.
5 - _Never_ pass something on without researching it yourself. If you receive a virus warning, then dammit, go to a virus protection site and check it out.
6 - Use a little common sense.
7 - Ignore rule 6. Use a lot of common sense.
Whether you are exposed to a binary virus or an analog (read memetic) virus, you should educate yourself on how to deal with it before crying wolf. If you got the plague, you wouldn't run over to your friends' houses to warn them would you?
Distinguishing analog and digital virii is silly. They are of the same species. They do the same things. Treat them similarly. Protect against both.
trowt@yahoo.com
I get a lot of suspicious looking emails every day. A generic memo going out to 3,000 employees is not likely to be more personalized than "Important Message from So-and-So". Not long ago, a minor virus circulated through tuition reimbursement forms our supervisor emailed out; not once, but twice.
Sure, you can turn off the macros, but not if you want to SEE the document.
I'm just saying it's not anyone's fault but the loser who has so much time on his hands and so little social conscience he can develop a virus for the hell of it.
I think most of you guys are off topic. Did you read the article? It raised some important points about how incidents like Melissa provoke techno-hostility and even more censorship and control.
Who administers this control and repression? Sysadmins. Currently elaborate firewalls and gateways are in use to keep people and ideas out, and quota systems and internal "snooping" on employees to keep control in-house. Whose interests are being served here? The interests of a relatively small number of corporations, it seems - and big government. Why is any of this necessary? I guess because the whole "system" is based on lack of trust and repression and control and inferior, primitive technology in which end users can't implement their own security even if you were to allow it.
Katz is a futurist. Certainly he is well aware, if you aren't, that the days of systems administration as we know it are numbered and are tied to closed, proprietary corporate "systems" which are not unlike closed, proprietary software systems. So, you use unix or Linux at work. Still, it's a closed system in the service of a corporation even if the code is open, and you keep it closed in your jobs as sysadmins.
Sysadmin is based on the concept of the scarcity of ideas and data storage and computing power, just like closed software which assumes that ideas are limited and controllable. This scarcity may no longer exist as it does today - and regardless of the time scale I don't see how you can fail to see that sysadmin is tied to these limitations and the repression necessary for corporations and anti-human, anti-God entities to carry on. Very limited bandwidth and data storage in particular. Of course systems like unix are built around this concept of scarcity. Unix can grow into something which offers more power and freedom to users and I'm sure it will bear little resemblance to the unix you are using today except in its power and versatility relative to the hardware being used. There will be plenty of work in that world for programmers and software designers, but none for sysadmins I'm afraid. Sysadmin will be done more and more by the system itself or by easy to use software in a more peer-to-peer environment. I know, it was tried somewhat recently but failed because of limited technology, but that will not necessarily be a problem in the near future.
Don't blame users for opening MS Office documents or for the poor security features of NT. Why is your place of work using NT and why is MS Office the standard there? Blame yourself for enabling the purchase of this software and integration of it into your system. Just following orders you say? Just following orders, maintaining and sustaining one of the most repressive, controlling and nightmarish scenarios imaginable as predicted by futurists and sci-fi writers 50 years ago. Invasion of privacy, censorship, restriction of the flow of ideas except along approved channels, information which is often inaccurate about our personal lives stored and bought and sold to third parties without our knowledge or consent, etc. Really, you should be tried for crimes against humanity. You are worse than war criminals because nobody put a gun to your head and made you do it. You do it for a big paycheck only and drive a BMW. But that don't make you somebody.
System administration is really techno-hostility because it stunts the evolution of software and knowledge into systems which are at the service of people (individual human beings) instead of the faceless machinery of corporations and government. Programmers and software designers and engineers, if they are any good, try to develop software which opens possibilities for increasing the flow of ideas and organizing them in ways people can use. Sysadmins take that technology (more often than not without really understanding it) and place restrictions on it.
Every sysadmin knows that virus writers and crackers are their friends and allies. The symbiotic relationship is obvious. Both crackers and sysadmins work against the interests of people who use systems and computers at each end, to the degree that computer users have become victims. Without crackers who can invade and use systems for purposes other than those intended by their controllers, the controllers would have less excuse to control in a vicious circle. But, then somebody has to take on the thankless role of guerilla warfare even though this method of attack is not what will bring the whole repressive system down once and for all. Technology and economic forces will do that, strangely.
Personal computing was an effort to put some control back in the hands of individual users but even that was perverted by abusing the concept of local networking to make it repressive, also.
At first pc's were strongly resisted by sysadmins until they figured out how to turn PC's into dumb terminals (which they were quite comfortable with) from the point of view of the overall system. It is now very possible to totally control a user's workstation by reinstalling his local software over the network every night and requiring his work to be kept in an area which he has limited access to.
Networking is a great idea - the internet for example fosters the free expression of ideas and communication but efforts have been underway for some time to control the internet also, just like a corporate net. Same little minds at work. The only thing preventing the total control of the internet is the fact that it is used by a large number of businesses for commerce and these businesses have the economic power not to allow themselves to be restricted and controlled the way you guys have controlled individuals who work in corporations and in government bureaucracies. (Even if these businesses are very restrictive and repressive in use of their own in-house systems). Here is a case where free enterprise and intellectual and personal freedom have a common cause and are working against the same repressive forces.
But, the biggest force working for the good is technology itself. As computers become more powerful and versatile peer-to-peer networking will become feasible in a way that makes centralized control non-competitive in the marketplace, and centralized storage of data will no longer be needed for business or anything else. Enjoy your monopoly and control while it lasts.
'Stupidity' is perhaps a little strong. I would guess that a large number of people on the internet don't really understand what a virus is and what it can do.
By my reckoning email should be plain text (or simple HTML), and therefore unable to carry any 'unauthorised' code. The effectiveness of the Melissa virus was down to one particular program (Microsoft Word), and has proved to me how unsuitable it is as an email viewer.
Hopefully IT departments and other users have learned an important lesson.
Simon W.
I know this is going to be a very unpopular view but here goes...
The actions of Mr. Smith broke the law, therefore he is a criminal (check your dictionary). If you don't like the law say so but until it's off the books we are obligated to obey the law (think social contract).
The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water. Claiming the victim is at fault for a crime is wrong. If a bank is robbed, is it the bank's fault because they didn't have sufficient security? If a person is robbed, beaten or raped, is it their fault because they did not have sufficient defenses? The macro capability was put there for a reason, and some people make use of the ability. Yes, there are things MS could do to tighten security but again, if I can figure out how to successfully rob a bank can I claim I didn't commit a crime because 'gee, they left this big security hole so it must be their fault'. The damage and lost productivity that this virus caused is real and cost firms real money, it shouldn't just be written off as a cool prank.
The way company networks are being attached to the Internet, you cannot possibly expect everyone to be knowledgeable about what to do and what not to do. Additionally, it isn't likely that companies will spend the money to train everyone about network use, just like they will not train everyone in sales or purchasing or logistics...
The reason sysadmins are in such high demand, the best of whom can pretty much write their own paychecks, is that they are the ones responsible for keeping things going and heading things off. True, you cannot stop everything from coming through, but you have to realize that the average employee in your company is going to open any attachment without thinking twice. It is your job actually, to ensure that they learn as little as possible -- and what I mean is they learn what they need to do their jobs and not waste time on anything else -- no one can possibly be expected to learn everything (and to resurrect the arrogance thread from a few weeks ago, when you're being paid, "Read the book" is not an acceptable response to a question).
Educate the users in your company to a point (what this point is can vary, but maybe a networking orientation for new employees where you tell them about the basics, or what most people in this group would call common sense); but beyond this, it's up to you. Sorry, but you're going to have to earn that paycheck.
...of course it is no use arguing if the writer of a virus is absolutely free to spread his code without being punished for it - writing viruses is a crime in all laws that I know of.
:)
But definitely the other parties involved in making this kind of virus possible at all are to be blamed - and there has to be consequences for them as well.
If I buy myself a car (just as some people bought themselves ms windows) which has some cool electronic computer-thingies in it (something like ABS or whatever comes with new cars) which is manipulateable from the outside (like windows computers are), no one would react to a problem similar to melissa in the way that people react to melissa.
imagine the new daimler-benz s-class car being manipulated by an aol-user kiddie who used some well known bugs in the car's software - resulting in the car not braking any more, driving against the wall at 150mph, killing people.
yeah i know some of you think 'this is something completely different than melissa'.
but hell - where's the difference ?
the guy who crashed the car deserves punishment. no question there.
but i believe the reaction to a mercedes having bugs similar to the bugs of windows would be quite different - you'd expect fast reaction from the media (but in a different way than in this ridiculous melissa hype) refunds, repairs on all cars of this make for free, lots of blame against the manufacturer of the car...
well - where's the difference i wanna know... ?
except that car manufacturers can't build weird shit and get away with it...
think about it
Everyone blames the bad, evil, nasty hackers. Nobody ever thinks to blame the poorly designed systems that they exploit. Why? People have been warning Microsoft for years about macro viruses.
Ideally all virus writers would be fully accountable and we wouldn't need to assign any blame to companies that produce shoddy software. But in reality, it will be virtually impossible to catch virus authors unless they make a colossal mistake like Melissa's author did. All you have to do is leave a floppy lying around with your macro virus on it. Label the disk "teen porn". Someone will pick it up and spread the virus for you, no way to trace it back. My point? Accountability is a myth, so let's go after the designers of these fragile infosystems.
Well, part of the reason why Melissa spread so much is that people received it from people they did know.
Maybe a better question is: ``What kind of moron uses MS products?'' (The answer, of course, is ``Too many'').
-Brett.
Where do we draw the line between a program that knowingly mails to everyone in your address book (so-called virus), or a program that accidentally mails to everyone in your address book (possibly a mail program in development, being debugged)?
The reason sysadmins are in such high demand, the best of whom can pretty much write their own paychecks, is that they are the ones responsible for keeping things going and heading things off. True, you cannot stop everything from coming through, but you have to realize that the average employee in your company is going to open any attachment without thinking twice. It is your job actually, to ensure that they learn as little as possible -- and what I mean is they learn what they need to do their jobs and not waste time on anything else -- no one can possibly be expected to learn everything (and to resurrect the arrogance thread from a few weeks ago, when you're being paid, "Read the book" is not an acceptable response to a question).
A good sysadmin will have a mail server that won't be overloaded by Melissa, his POP and IMAP servers will pass a huge amount of mail without any glitches, and quotas will be set on filesystems, so users won't fill up the disk, and he won't use M$ Word himself, so he won't participate in Melissa distribution. Users will be infected, and their mailboxes will be full of garbage, and potentially their data will be lost, but this is not what a sysadmin should waste his time and efforts on.
Because if he is busy installing the 2^32-1'th version of antivirus on his M$ Exchange server instead of configuring and maintaining a reliable network, the first copy of Melissa (or whatever mutant that will still pass through his "antivirus") will cause DoS on all his services, and all his network will be dead -- for users that received Melissa, for users that didn't receive Melissa and for customers that use the company's web server. And that will be far worse than a few tens of thousands of email messages.
Contrary to the popular belief, there indeed is no God.
Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organisation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially create a "gun, which replicated itself every time someone fired a shot". Imagine a weapon like that let loose on our streets.
Good! When more incidents like this are brought to public attention with honest and intelligent explanation, some people will actually start thinking about what kind of standards they are following. As for you, who cares about you having or not having a choice? You work with people that can't solve the problem with idiots at work in any other way than giving everyone a system designed for idiots => you pay the price.
Contrary to the popular belief, there indeed is no God.
The fact that a macro can do these things is a designed-in feature of MS Office, and it's probably in Lotus and WordPerfect too. If a different Linux/Windows/Mac/OS2 office suite (er, automation platform) is immune, it is because it's either feature deficient, allows the user to disable certain functionality, or it has some sort of code-signing infrastructure. (I can't think of any different solutions.) Some posters seem to be leaning towards the feature-deficient solution.
You have missed the point. The flaw in M$ design is that there is no distinction between data files and executables. Any kind of macro functionality can be implemented in an office-style package without placing self-executable stuff into data files, yet M$ did precisely that -- made it possible to create a file that looks just like a plain document yet, if displayed, triggers execution of a script contained in it, in the same "context" as normal macro operations performed by macros built into the package or written by the user.
Good design shouldn't prevent anyone from sending macros, just like nothing prevents anyone from mailing lisp files to each other, but it isn't possible to email someone lisp source in a way that emacs (that consists almost entirely of "macros" in lisp) will automatically execute it when the user just wants to see the data.
Contrary to the popular belief, there indeed is no God.
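The data/code separation point made in the comment above, as an added example that is not part of the original thread: a Python check that reads the directory of an OLE2 compound file (the container used by Word 97-era .doc files) and reports whether it carries VBA macro storage before any viewer opens it. The storage names `Macros`, `VBA` and `_VBA_PROJECT`, the function names and the inline sample files are assumptions of this example.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
# Assumption of this example: directory names under which Word 97+ keeps VBA code.
MACRO_NAMES = {"macros", "vba", "_vba_project"}


def list_entries(data):
    """Return [(name, type)] per directory entry (1=storage, 2=stream, 5=root)."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    (shift,) = struct.unpack_from("<H", data, 0x1E)       # sector size = 2**shift
    if shift not in (9, 12):
        raise ValueError("unexpected sector size")
    size = 1 << shift
    (first_dir,) = struct.unpack_from("<I", data, 0x30)   # first directory sector
    difat = struct.unpack_from("<109I", data, 0x4C)       # FAT sector numbers

    def sector(n):
        off = (n + 1) * size                              # sector 0 follows the header
        if off + size > len(data):
            raise ValueError("sector outside file")
        return data[off:off + size]

    # Only the 109 FAT sectors named in the header are read; a file large
    # enough to need more ends up rejected below instead of trusted.
    fat = []
    for n in difat:
        if n != FREESECT:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))

    entries, seen, n = [], set(), first_dir
    while n != ENDOFCHAIN:
        if n in seen or n >= len(fat):                    # loop or dangling pointer
            raise ValueError("corrupt directory chain")
        seen.add(n)
        raw = sector(n)
        for off in range(0, size, 128):                   # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", raw, off + 64)
            if kind == 0 or not 2 <= name_len <= 64:      # unused slot
                continue
            name = raw[off:off + name_len - 2].decode("utf-16-le", "replace")
            entries.append((name, kind))
        n = fat[n]
    return entries


def classify(data):
    """Decide, without opening the document, whether it is data or data plus code."""
    if data[:8] != CFB_MAGIC:
        return "not-ole2"
    try:
        names = {name.lower() for name, _ in list_entries(data)}
    except (ValueError, struct.error):
        return "unparseable"          # fail closed: do not hand it to the viewer
    return "carries-code" if names & MACRO_NAMES else "data-only"


def build_sample(names):
    """Constructed test file: header + one FAT sector + one directory sector."""
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII109I",
                         CFB_MAGIC, bytes(16), 0x3E, 3, 0xFFFE, 9, 6, bytes(6),
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0,
                         0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = b""
    for name, kind in names:
        raw = name.encode("utf-16-le")
        directory += (raw.ljust(64, b"\0")
                      + struct.pack("<HB", len(raw) + 2, kind) + bytes(61))
    return header + fat + directory.ljust(512, b"\0")


# Constructed samples, not real documents: only the directory is populated.
CLEAN = build_sample([("Root Entry", 5), ("WordDocument", 2), ("1Table", 2)])
MACRO = build_sample([("Root Entry", 5), ("WordDocument", 2),
                      ("Macros", 1), ("VBA", 1)])

if __name__ == "__main__":
    samples = (("clean.doc", CLEAN), ("macro.doc", MACRO), ("note.txt", b"plain text"))
    for label, blob in samples:
        print(label, "->", classify(blob))
```

A mail gateway or attachment handler could run a check like this and quarantine or strip anything that is not `data-only`, so that viewing a document never depends on the recipient answering a macro prompt.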
I'm really tired of people attempting to justify malicious actions by saying that the victims "deserved it" because they are "morons". (The most obnoxious case of this, of course, is saying that a rape victim "deserved" what she got because of how she dressed, how much she drank, etc. But it applies just as well to acts of electronic vandalism, such as virus writing and cracking.)
If someone leaves his back door unlocked, sure, he's a moron, and in some sense, he deserves to get burglarized. But that doesn't make the burglar any less a criminal!
--
They were held liable because it was found that they could have reasonably known that at some point someone could attempt to do such a thing, and had taken no steps to prevent it.
Point that logic at the Melissa virus. Microsoft made it possible, they know it's possible, and they've taken virtually no action to prevent it. If liability under the law is consistent, shouldn't they be held at least partially liable?
Many have pointed out the terms of the EULA as being Microsoft's ace in the hole, in that they disclaim any and all liability. I would just like to point out that AFAIK, EULAs have yet to be shown to be valid contracts, and additionally, many jurisdictions have laws specifically outlawing this type of disclaimer.
The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water.
The message earlier suggested that Microsoft be held partially responsible, since their software could have had security mechanisms built in, and Microsoft refused to do it (in some cases, suggesting that macro viruses were the responsibility of the user - "You should be aware of what you're running" or words to that effect).
Mainframe environments have had security built in for ages, and it's impossible for a virus to even exist. Microsoft wants to play in that same market, but they don't want to be held to those same standards. Well, I for one disagree. (In fact, I find it amusing that the Melissa virus apparently ran through Microsoft's internal mail system like a hot knife through butter. Hoist by their own petard.)
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Posted by PasswdIs ScoreOne:
Since this is the first time anyone is being prosecuted for writing a virus, I fully expect the gov't to prosecute this case with a unique zeal and determination seldom seen. And if the rights of the accused and due process are not adhered to, so what? We've got to send a message to all these 'hackers' out there lest we end up with a nation of potential cyber-terrorists.
Kevin Mitnick: Four years in jail. And still not even a trial. Who's next?
Posted by wadageek:
I agree with:
"Creating a virus is an art. It is no different than the kid of your generation who took the radio apart just to put it back together again, even if some parts were left out. It is a natural instinct in humans to figure out how things work. "
But I disagree with:
"If you create a virus in order to show explicitly the obnoxious security holes in Microsoft or other OSs, you are doing the general public a service."
Saying that is like saying that vandals do the general public a service by underscoring the need for everyone to have security!
You may not be a thief if you do not make money from it - but you are in essence a vandal and a criminal.
my point was not that everyone should be sued for everything they're remotely responsible for.
my point was about that GROSS NEGLIGENCE. everyone can make a mistake. but making the same well-known mistake over and over again is a different issue.
in other words, my employer can not fire me for trashing the network. (at least according to german laws he can't.) however, if I do it several times, always because I ignored basic procedures, then he very well can.
Assorted stuff I do sometimes: Lemuria.org
I must apologize for my lack of knowledge on this particular case. I was unaware of the details as you write them, because nothing like that was published over here.
Assorted stuff I do sometimes: Lemuria.org
the #1 sickening thing about the whole melissa hype is how it distracts from the facts.
here we have a collection of well-known security holes practically screaming "exploit me". they should've been fixed for years, but instead they've been put deeper and deeper into the very design.
yes, I'm flaming micro$oft, but it's not them alone. it's the armada of clueless who, far from being honest about what they know and what they know nothing about, not only BELIEVE, but carry the word along - "integration is good for the customer".
in my country (i.e. germany), when I break into a bank and it is found out that the bank's security company made my job considerably easier by leaving out standard security procedures or making serious mistakes that a security company really shouldn't make, it can be made liable for parts of the damage done.
in the states, you have those idiot cases where McDonald's is sued for the same thing - negligence - because they forgot to tell some fool that hot coffee is, well, hot.
I wonder whether micro$oft will be sued for melissa-incurred damages. if you can sue McDonald's for hot coffee, then sure as hell you should sue micro$oft for gross negligence of basic security procedures.
Assorted stuff I do sometimes: Lemuria.org
Of course it's not *all* MS's fault. Many many many people turned off the security features in Word.... AFAIK you have to skip through several dialogs before Melissa can get into your system. It is the users who are dumb morons...
;)
Of course if everyone stuck to plain text none of these things would happen regardless of what email program or OS you use... apart from the odd buffer overflow
ITYM "Hip-hop." HTH.
I agree with you though that as annoying as this was for people, they should put most of the blame on themselves. Of course, Microsoft deserves quite a bit of blame, too...
Exactly.
The longer this goes on the more likely we are to have laws passed that are supposed to stop crackers and virus writers. And with these laws in place, when a new virus comes out or a system is compromised the public will say "How could these evil people be breaking the law like this... why can't the government stop them?"
When the public has this outlook, it will be even easier to get more such laws passed (you want to stop these people right... well then give us more power).
It's a self-propagating problem... and the longer it goes on the less likely anyone will be to question the quality of the software being compromised. The blame will be placed on the criminal or on the law enforcement agents unable to catch the criminal... and microsoft can continue to produce software with integrated virus hooks.
We can't expect end users to wake up and start holding microsoft (or any other company) accountable overnight. It's up to people like us... programmers, who need to make software that is secure... and more importantly, MIS people who must demand more from their software...
It's about time someone got fired for choosing microsoft when the solution simply didn't fit the problem... the whole "it's from vendorX just like everything else we run... it must be the most suitable solution for us" mind set has to be abolished.
But who's going to take the first step?
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
I think he was meaning depersonalization rather than anonymity. Many (certainly not all) flamers would not behave the same way in person even in a group of strangers who never exchanged names (Even if non-violence was somehow assured).
The difference is that even though nobody has a name, they relate to each other as people. Put a partition and a teletype between those same anonymous people, and let the flamewars begin.
I find it interesting (in a sick sort of way), that the virus writer basically pulled a prank on the order of simple vandalism, and is facing more punishment than a murderer.
Truly, he deserves punishment, vandalism is a crime. He should be looking at restitution, a fine up to $1000 and up to a year in jail. Instead, he faces 40 years (for all practical purposes, life).
I suspect that fear plays a large role in that. It's not a few email servers crashing that inspires all of that, it's the fear that one person could trivially cause all of that trouble, and make essential, ubiquitous, and 'incomprehensible' PCs turn on their users.
I have to wonder if the many businesses using MS products have yet understood the implications of the gaping security hole in Word. This is where MS should get their punishment for crappy security. After the fine demo of the problem, the people who make software decisions should be re-thinking their word processors. Somehow, though, I suspect it's going to take another ton or two of bricks to make that happen.
For example, someone I know once did a security demonstration to convince management that macros (in Notes) were a very bad idea. The demo was to send a 'humor of the day' email to the vice president of the company. The email had a macro that sent a PGP signed letter of resignation from the vice president to the president. Macros were ordered disabled immediately.
I have to wonder what the ramifications would be if a gaping security hole were exploited to cause some person harm. (for example, a word macro that changes any instance of 'Bill Gates' to 'Bill "Hitler" Gates'). Now, a document that has been infected and modified in that way is widely distributed. Would the company that distributed the document be held negligent for allowing a large security hole to cause them to libel Mr. Gates?
Of course, if people try not only to carefully and properly express themselves in text, and more importantly keep their cool and try to understand their fellow man, the depersonalization is rendered moot.
For the most part, I agree. My only reservation is those people who flame first, read never. But, I suppose there always have been people like that, and there always will be.
As for anon postings, I think they can serve several valuable purposes. After all, sometimes people have important things to say which could get them fired. Others are just terribly shy and should be allowed to interact at a level they're comfortable with.
Of course pseudonyms are relative. For all I know you used your real name, and for all you know, I am a pseudo.
MS liabilities are interesting, but I'm also talking about a company who buys a MS product. The argument being that ABCco knowingly and negligently used a product with security flaws and as a result libeled a customer. (At least that's the argument)
That sort of thing is not without precedent in civil court, but usually applies to physical security and safeguarding another's property. I'm not sure how it might play out for software.
I am not a lawyer, nor do I play one on TV (but I saw an episode of "Matlock" once!)
With the recent publicity on bedroom hackers ISPs came up with some new rules. Mainly, they give you 9Megabits/sec, but the only software you can use on their LAN is Windows running a MSIE client.
I'm not sure whether or not the concern about Melissa might be actually justified. IMHO, the environment many people use these days for computing is responsible for a lot of the ease with which things like Melissa spread.
Believe it or not, viruses are something that have to be taken very seriously. Especially by the people who build OSes or distributions. If they're negligent, however, no amount of panic from anyone else is going to stop things.
I don't think Linux is virus-proof, but at least it isn't a "hey look at all these macros!" sort of petri dish...
Phil Fraering "Humans. Go Fig." - Rita
(currently testing something about signatures here)
the more I read about the hoopla over this virus, the more I want to switch industries to something less blatantly silly and immature (like concrete production)
- It has become clear just HOW stupid ZDNet and its target readership are. I still can't fathom that people actually ate up the dumbed-down explanations, the conspiracy-theory GUID matching saga, the prediction of hundreds of millions of dollars of lost productivity, etc. It was a BENIGN MACRO VIRUS! This doesn't deserve a whole "special report".
Of course, on the bright side, the "truly professional" trade rags, like InformationWeek or InfoWorld, barely had a peep about Melissa.
- People who were affected were those who were stupid enough to click "YES" when the "Do you want to run this macro (which may be a virus) ?" question came up. I have little sympathy for them or their IT departments. Macro viruses have been a well-known threat for years, and avoidance training should have been provided.
- The obtuse "virus protection schemes" from IT shops are beyond ludicrous. Go to Bob Lewis' InfoWorld column this week and read about how they removed EVERYONE'S FLOPPY DRIVE at one shop, and you now had to use a floppy under lock & key to copy disks....
- They want to put a benign macro virus writer in jail for 40 years, when arguably, all of the damage (tied up mail servers and crashed NT boxes) was the result of a) stupid operators and b) shoddy technology.
In all, this whole incident makes me ill. I hope that if open source does anything, it helps to bring FUD like this down to a tolerable level.
-Stu
I was more thinking in terms of just transferring the entire account immediately :) The virus would be discovered within a couple of days, but if you infected 500000 accounts in that time (like Melissa could), it would be worthwhile. Some Germans demonstrated this with an ActiveX control, just as a little example of how amazingly defenseless THAT stuff is. Just place it on your web site and anybody visiting using IE with security turned down has a problem. The nice thing about it is that you have all this security/passwords etc to access the bank account (that most people take pretty seriously), but it does them no good at all if the data on their PCs has already been compromised. Actually, a macro virus that added a link from any index.html files on the local machine to an ActiveX control that also contained the virus (and transferred funds) would spread pretty quick.
The point is that melissa was really NOT that malicious, if someone really wanted to play silly buggers on this hugely dangerous combination of crap software and naive users they could do FAR more damage.
http://rareformnewmedia.com/
"He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."
Interesting 3 crimes listed there. I guess in some sense he was guilty of 1, but I don't see how he could be guilty of 2 or 3. Does the fact that your program is running on somebody else's hardware without their consent constitute theft of computer services? w95 was running on my hardware when I bought it - can I charge MS with theft of computer services? Likewise if your data appears on another computer does that constitute wrongful access to computer systems? How about spam, can we lock people away for 40 years for sending spam, far more offensive to me than being sent a program which I would have to be a moron to run.
Are there any specific laws against self-replicating programs? Powerful memes such as religion can be considered viruses that run on wetware and are highly contagious. Should these be illegal too?
While I'm looking for different angles, I think he should counter-sue the US government for violating his copyright. When federal employees pressed the "run macro" button they ended up sending copies of his software to different organisations without consent. A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.
The guy has done society a huge service by waking people up to the huge security holes in their software. It would have been just as easy to send out a truly destructive virus that introduced random errors across the hard disk or appended "transfer funds" instructions to the Quicken files for people who do online banking. Now that would be an interesting virus.
http://rareformnewmedia.com/
> Where do we draw the line between a program that
> knowingly mails to everyone in your address book
> (so-called virus), or a program that accidentally
> mails to everyone in your address book (possibly
> a mail program in development, being debugged)?
... and a piece of information which suckers you into sending it to everyone in your address book (i.e. "Good Times")?
Everyone who sent along Melissa did so by pressing a button that said "Yes, run this attachment." They were conned into doing so, because the attachment was sent under false pretenses -- it seemed to be a message from a friend, but was actually a virus.
Everyone who sent along the "Good Times" warning did so by pressing a button that said "Yes, forward this message." They were conned into doing so, because the message was sent under false pretenses -- it seemed to be an important warning, but was actually a hoax.
Melissa is not entirely a computer virus. It is dependent on user interaction, making it at least partly a "virus of the mind". Where do we draw the line between a human-aided computer virus, like Melissa, and a computer-aided memetic virus, like "Good Times"?
Actually, most crackers I know are noisy boasters and swaggering fellows. And hackers do tend to be people who hack, yes.
The alleged author of Melissa was not caught using the GUID. This is a myth which was propagated, among other places, in the Slashdot article about his capture -- even though it was not mentioned in the linked news article.
Please stop propagating this hoax. It's almost as bad as "Good Times".
Pardon me, Mr. A. C., but you really should learn to read what is before you before you respond to it. I recognize that this is difficult, but it is utterly necessary if we are to discuss real-world situations.
I do not believe that the virus writer shouldn't be held responsible for his actions, nor did I imply such. I certainly do not believe that the actual victims of the virus were responsible for the damage caused, any more than the owners of the MS-robots in my fairy-tale were responsible for their own deaths.
However, I do believe that Microsoft has deceived its customers by encouraging them to think themselves secure and protected when using their computers, when in fact they are exposed to risks which a marginal amount of responsible engineering would prevent. MS has billed its operating systems and applications software as being better than, or at least as good as, their competitors, when in fact MS software is uniformly ill-made and riddled with design flaws (not "security holes") which expose users to the kind of victimization perpetrated by the author of Melissa.
Microsoft is not the victim of the Melissa virus, except insofar as, by using their own shoddy software, they exposed themselves to the same attack to which they exposed their unsuspecting customers. Microsoft is an accessory before the fact.
It is true that what the author of Melissa did was a Bad Thing, because it misled people and caused some amount of damage & disruption. However, this does not absolve MS of responsibility for knowingly exposing their customers to an unnecessary and unjustified risk.
Already too many analogies have been posted here, but let me contribute just one more:
Suppose that everyone in the world owned robots built by Microsoft. Everyone believed that these robots followed the Three Laws of Robotics, as put forth by Dr. Asimov:
1. A robot shall not harm a human, nor through inaction permit a human to come to harm.
2. A robot shall follow the orders of a human, except when doing so would violate Rule 1.
3. A robot shall protect its own existence, except when doing so would violate Rules 1 or 2.
All other robots followed the Three Laws, the Laws being embedded into the kernels of the other robots' OSes. However, the MS-robots were not so trustworthy. It is not that they were designed to harm people, but rather that while each of them bore a sticker printed in large letters "THIS ROBOT IS USER FRIENDLY" (which people took to mean that it followed the Laws) none of the MS-robots actually had the Laws programmed into them. When they did follow the Laws, it was because it was the easy thing to do.
Sometimes the MS-robots would run around and collide with people accidentally, hurting the people rather badly. Owners of MS-robots got used to these crashes, and accepted them as a normal part of owning a robot, even though other manufacturers' robots did not crash.
One day, a fiendish roboticist named Relkid Omadan wrote a computer virus for these MS-robots. When infected by this virus, a robot would run up to its owner, beeping happily. It would say to the owner, "Press my red button, then my blue button! Please!" As soon as the owner did this, the robot would strangle the user to death, then run off and infect twenty other robots with the virus.
Several hundred people were killed by the infected robots, and several thousand streets were clogged up with robots running around looking for other robots to infect. The disruption was massive. M. Omadan was, of course, tracked down, tried, and condemned as a murderer and a clogger-up of streets.
Some radicals claimed that MS, by not programming the Three Laws of Robotics into their robots, was complicit in the murders. People trust their robots, the radicals claimed, but MS-robots abuse that trust because they aren't secure.
Were the radicals right? Or was MS just a company trying to make money by selling robots, bearing no responsibility for the fact that its robots' deceptive friendliness concealed the capability of becoming murderers?
Personally, I think viruses are interesting in that they are, in a sense, artificial life. Of course, I wouldn't want to be infected. I recognize the unique vulnerability of Windows 95, yet due to my "interest in gaming," it has become my primary platform. I'd like to have the flaws of my operating system proven by a capable virus writer, but on the other hand, I have no faith whatsoever in Microsoft to fix these flaws.
The larger problem raised by the attention of Melissa and other high profile "cracking" cases is that, if this trend continues, we may have a far more draconian regime unleashed upon us. Look at it this way-- it wasn't until the fundies discovered the net that the CDA was born. All we need now is for some senator or congressperson to get hit with a mildly annoying virus or a novice cracking attempt-- and boom, agencies start to "crack down" and rev up their "asset forfeiture" programs into high gear.
If I go and shoot someone, who in their right mind would blame Smith and Wesson??
Uh oh bad analogy. The guy who released the virus was also the guy who manufactured the virus. To use your analogy, it would be like holding Microsoft responsible for creating humans that were able to be killed via bullets, even though a cure for bullet-death had been discovered years prior. If Microsoft has control over the population of 80% of the people, and they have the power to make them invulnerable to bullets, it sounds like a pretty keen thing of them to do in my books.
I read an article earlier this (last?) week about how awful Katz's articles were, how egotistical he was, blah, blah, blah. I took note of the opinion, reserving judgement until I could read some of his material myself. I read the essay, was thoroughly impressed by it, then stunned to see Katz's name at the end. A mark of how another person's opinions can color your own, no matter how hard you resist.
So where are all the "awful" essays he's written? I for one, having read only this article, am impressed with his style and skill as a writer. His comments and opinions on this matter are pensive, highly accurate, very articulate, and deeply insightful (oh, that all Slashdot posts by readers were this well done). Why is there this hobby on the net (at least on Slashdot) of flaming this man? The only person I've seen flambe'd to a roastier state is RMS. What's the story?
Paranoia.. it's all about paranoia.. and things like this.. that are very public.. make the people feel safe and secure.. where it's really just a charade.. kinda like airport security.. like if i really wanted to hijack a plane.. i'd use a plain ole gun.. of course not.. i'd use plastic explosives that would be undetectable.. DUH!@#!.. but people FEEL safer walking through big ass metal detectors..
Victoria Palmer - I brake for unix.boys, Windows just breaks. - http://www.escape.com/~juliet
I agree. The problem of virii, rampant flaming, etc. can be addressed, though not necessarily solved, in several ways.
1. Legislation
The US government which, let's face it, has more power over the net than other governments, can heavily legislate the net and people's conduct on the net, and enforce those laws with a heavy hand.
I don't think any of us want this; that it might happen is one of the downsides of having a government that was deliberately designed to be slow and stupid.
2. Social responsibility
People should be pressured into accepting responsibility for their actions on the net. This doesn't mean they shouldn't be anonymous (see my other post on that subject). Rather, people need to think their actions through and act calmly and politely as much as possible, even if they experience no direct repercussions. Responsibility is not a matter of stimuli, response. It's roughly a moral issue. But there's no way to make people act in a moral fashion (no moral way), so...
3. Fault-tolerance
While everyone who can ought to still act responsibly, let's also encourage the establishment of fault-tolerant systems which can absorb malicious/juvenile behavior like the liquid terminator can absorb bullets.
Part of this means technical fixes, like not creating juicy hooks for virii, and definitely not keeping them once this vulnerability is made clear. I can't believe that Microsoft takes pride in any of its work; their stuff is real garbage on all levels.
But another part of this is a social fix.
/. has implemented one type of social fix, in the creation of the moderator/score system. Honestly, I'm not a big fan of this, as it tends to lead to other people deciding what will be read by default. This ghettoizes many worthwhile posts because of moderators disliking the author, the content or not wanting to second-guess each other and bring a low score back up.
I'm sure there are other social fixes out there, if we'll only experiment.
Let's do all of the latter two we can, to avoid the former, okay?
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Yes, that probably was more of what he was getting at. Certainly the net, given that the only significant form of communication is text, does depersonalize communication. No argument there.
Of course, if people try not only to carefully and properly express themselves in text, and more importantly keep their cool and try to understand their fellow man, the depersonalization is rendered moot.
Understanding can come from content-rich conversation. For example, irl conversation; you can see facial expressions, differences in tone of speech, etc. But it can also be manufactured through an effort to listen openly to other people.
I'm not a big fan of flamers, but when I do respond to them, I treat them just as I would like to be treated myself. It works surprisingly well, and I highly recommend it. If it doesn't, then perhaps you found someone not worth talking to. But the important thing is that you checked to see if that was the case, rather than assume that it was in the first place.
Anyhow, I'm sorry for the digression from the article in the earlier post. I've really been getting fed up with the large numbers of people on /. who casually dismiss anonymous and pseudonymous postings. At least, in the comments I've been reading.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Horribly, horribly evil.
God I'd hate to think of what the government would do to the net if this happened. Especially if they couldn't capture &| try the culprit.
If you were careful though, and fortunate in certain respects, it would pretty certainly work. Good thing I don't make enough money to need to balance it on my computer. Also good that I use a Mac.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Once again I just can't see why it is that so many people insist on everyone on the net being named. Untraceable pseudonyms and pure anonymity get an incredibly bad rap here, even though it's nothing compared to the degree of identification that large corporations and various governments would prefer.
Yes, the net does have two apparently conflicting abilities. It both fosters extremely close relationships, by bringing together people who would likely never meet, with similar interests, or even who just like to talk to each other. At the same time, Katz is right in that just like the soldier who sits in a bunker thousands of miles away from the action, people can also be disassociated from each other, with the abstract, faceless ASCII world of the net insulating everyone.
Surely the exaggerated mode of speech, with concepts strongly worded to let the intonations of the voice and expressions of the face that are so essential to speech is a contributing factor here. If sarcasm (for instance) can't be distinguished in plain text from regular speech, an emoticon is not going to help that much. Written communication _can_ convey this information; after all people have written to each other for millennia. Yet, as more people now utilize it for conversational purposes with strangers, as opposed to the well thought-out letter of old to an acquaintance, the number of people who fail to get their point across accurately has grown dramatically. I don't know if the overall percentage of these failures has increased though. I'll leave that for other people to debate.
Getting back to my point, yes the net has these abilities, because it fosters communication. It doesn't care to whom, from whom, or how clear.
Yet why should a person's thoughts and words be dismissed instantly only because there's no way to find out who, irl, wrote them? One of the great advantages of the net is that it's not real life. I can be a dog. More importantly, I can be a dog with something to say, and you can be a dog who wants to hear it. A name is just a matter of convenience, so as not to have to address everyone as hey-you@over-there.net. If people wish their speech to be attributed all the way back to them, that's their choice, but it doesn't necessarily mean that their words are better. Lots of people post (maybe not here, but in general) from aol or webtv or some such, which are all quite traceable. And they, because they are comfortable with their ISP, or don't know how or why they might change it, tend to get derided. Again, this is all too frequently based on a glance at a name or address, glossing over their message entirely.
Me, I don't want real-time video or sound. I feel that written communication, aside from being a more efficient use of bandwidth for me, lets me choose my words in a way that speech generally does not. Yet I bet anyone five dollars that the minute a/v become the standard media for communication on the net, no one will bother reading text messages. Again, because of surface attributes, rather than the content. I will grant that communication may be richer by using such technologies (see above) but it's the discrimination based on relatively unimportant issues that galls me.
Yes, the most enthusiastic flamers and hackers (that word's meaning has multiple definitions; deal) will hide behind aliases and anonymity. So will whistle-blowers, people who fear retribution, people wishing to say things that would for one reason or another prove dangerous if posted with a name, to one's safety or reputation.
And I don't even want to get into the specter of big brother corporations and governments monitoring everyone. How many people here dislike anonymous posts, but support anonymity from Microsoft? You can't have one without the other, I'm afraid. (except possibly in Australia and New Zealand)
I am not, however, defending the author of this or any other malicious (by intent or deed) virii. Nor those who would slander or libel others. But while I don't intend to do the lantern thing, as long as there is one good reason for anonymity, it's something we really need to preserve.
I apologize if I've rambled here. One major gripe I have with /. is the small comment blank. It bugs me to only be able to read a few lines without scrolling, so I usually don't.
-cpt kangarooski
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.
Bruce Perens
Hmmm.... Just imagine...
:)
Set it up so it'll transfer $0.10 every month
to a bank account someplace... Have it label
it "MS Tax". Lesse... if there's 1 million people
out there using Quicken...
Interesting ideas... Wonder if someone is already doing it
I really don't think you can blame the users for this one. It is easy for us to do, because we know computers, we understand them, and we expect everyone else to be the same. The thing is, most people could care less.
See, as a small time sys admin, I try and try to drill into people's heads "Don't open attachments". But that don't work, curiosity and the cat. So I explain to them, never open .exes, .bats, or .coms. Anything else, after you receive it, send an e-mail back making sure the person really sent it to you (that alone can stop you from getting most e-mail viruses), and if you do open it, don't enable macros.
Thing is, that is too much for most of my users. Why? Most of my users are middle age or older females that could care less about computers. They don't want to know a why or how on anything, they want to follow a 123 step recipe to do the little work they have to on the machines. And really, I can't blame them. Their main job has nothing to do with computers, but people. And they can do that better than I ever could. So can I really blame them for not knowing this stuff?
The other section of people I work with is seniors that want to learn computers. These poor people are so trusting, and so eager to do right that if someone sends them something, they feel it is an insult to the sender if they don't open it. These are our grandparents trying as hard as they can to learn a way to stay in contact with their grandchildren, can I fault them for not knowing everything?
I don't think we can blame the users. I think it is the software. When I chose an OS, I would expect that vendor to have a system that works correctly. But MS is leaving a system with huge holes right in the middle, and conspiracy mode on, but here is why I think it is.
As a low level sys admin, I work in a place where no one knows what I do here. I go about my days, usually never talking to anyone else here, most people look at me strange when I walk down the halls. (I don't think it helps that I also keep strange hours, never turn on my main light, instead use a little table lamp so I can see the screen better and I keep my door shut and locked all the time.) Needless to say, I don't get noticed much, so I don't get patted on the back much at all.
But because of the Melissa virus, I got my first "good job" from the Big boss in a long while, simply cause we did not get hit, some simple e-mail filters on the server was all that was needed to keep Melissa outside (an unfilterable virus would be a tough one, Melissa was easy as far as that goes). But because of all the attention Melissa got, people that did not know better thought I was superman for protecting them from her. I did nothing special, keeping e-mail filters is something every sys admin does, it is a dull part of the job. But for a three day period of time, my bosses had it in their head I was protecting the company from evil. I could have worn tights and a cape and got away with it. Even though I did something I do a million times before, this time they knew about it, and were told by the TV it was a big deal, so they accepted it.
So you could say I benefited from Melissa. And I am not the only one. Magazines sold (When there is good news, you go out and experience it, when there is bad news, you hide inside where it is safe and watch it on TV), news shows got watched, anti-virus programs sold, IT people got kudos. Etc. People justified their paychecks because of Melissa.
For no reason at all, everyday jobs got a lot of attention. Sure, it only lasted for what three days? But how many people are going to bring it up during their next review? How many extra units did anti-virus publishers sell? And how much more did mags charge for a back cover ad in the special Melissa issue?
Those are the reasons Melissa was such a big deal. Melissa was just a natural progression of viruses, nothing exciting. The next one will even be that much more clever. But will it get noticed? No, these stories are only good about once every two years. That's why the gov and his lackeys had to go out and suck up the press while they can.
This whole thing was a big non-event that made a bunch of people look good, and a poor virus writer is going to be publicly shunned for a while. He may have been stupid for writing a virus, but not 40 years stupid. Give the poor slob probation.
Kind of reminded me of Wag the Dog.
Elwood
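An added example, not part of the comment above or of any real mail server's code: a sketch of the kind of server-side attachment filter the comment describes, which rejects the `.exe`/`.bat`/`.com` extensions it lists and quarantines Office documents whose OLE2 directory contains a VBA macro storage, whatever the file is named. The verdict names, the sample builders and the sample messages are assumptions constructed for the illustration; the samples contain directory structure only and no macro code.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # compound-file signature
FREESECT, ENDOFCHAIN = 0xFFFFFFFF, 0xFFFFFFFE
BLOCKED_EXTENSIONS = (".exe", ".bat", ".com")      # the list from the comment
MACRO_ENTRIES = {"macros", "vba", "_vba_project"}  # storages that hold VBA


def ole2_entry_names(data):
    """Return the directory entry names of an OLE2 file, or [] if it is not one.

    Only the 109 FAT pointers kept in the header are followed, which covers
    files up to about 6.8 MB with 512-byte sectors.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return []
    (shift,) = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):
        return []
    size = 1 << shift

    def sector(n):                                 # sector 0 follows the header
        return data[(n + 1) * size:(n + 2) * size]

    (first_dir,) = struct.unpack_from("<I", data, 48)
    fat = []
    for ptr in struct.unpack_from("<109I", data, 76):
        if ptr == FREESECT:
            break
        raw = sector(ptr)
        count = len(raw) // 4
        fat.extend(struct.unpack("<%dI" % count, raw[:count * 4]))
    names, seen, current = [], set(), first_dir
    while current < len(fat) and current not in seen:   # 'seen' stops loops
        seen.add(current)
        raw = sector(current)
        for off in range(0, len(raw) - 127, 128):       # 128-byte entries
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 64)
            if obj_type and 2 <= name_len <= 64:
                name = raw[off:off + name_len - 2]
                names.append(name.decode("utf-16-le", "replace"))
        current = fat[current]
    return names


def classify(raw_message):
    """Return (verdict, reason); verdict is 'reject', 'quarantine' or 'deliver'."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdict = ("deliver", "no risky attachment")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            return ("reject", "executable attachment: " + name)
        payload = part.get_payload(decode=True) or b""
        entries = {n.lower() for n in ole2_entry_names(payload)}
        if entries & MACRO_ENTRIES:                # content decides, not name
            verdict = ("quarantine", "macro storage in: " + name)
    return verdict


def _dir_entry(name, obj_type):
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), obj_type) + b"\0" * 61


def build_sample_ole2(entries):
    """CONSTRUCTED sample: header, one FAT sector, one directory sector."""
    header = OLE2_MAGIC + b"\0" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6)
    header += b"\0" * 6 + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<I", 0) + b"\xff" * (108 * 4)    # FAT lives in sector 0
    fat = struct.pack("<2I", 0xFFFFFFFD, ENDOFCHAIN) + b"\xff" * (126 * 4)
    directory = b"".join(_dir_entry(n, t) for n, t in entries).ljust(512, b"\0")
    return header + fat + directory


def build_sample_message(filename, payload):
    """CONSTRUCTED sample message carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "colleague@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


MACRO_DOC = build_sample_ole2([("Root Entry", 5), ("Macros", 1),
                               ("VBA", 1), ("WordDocument", 2)])
PLAIN_DOC = build_sample_ole2([("Root Entry", 5), ("WordDocument", 2)])
```

Because the check reads the file's own directory, renaming a macro-bearing document to `.txt` does not change the verdict.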
Well, at least I was unaffected. What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.
"The Constitution admittedly has a few defects and blemishes, but it still seems a hell of a lot better than the system we have now."
Send your friends messages of love at fuck-you.org
Let's talk about the media's propensity for
using undocumented statistics. Let's talk
about that 5000 children harmed by guns last
year. Just where did that statistic come
from, and are they reliable? I don't think
even the handgun control people have nerve
enough to quote this one, 5000 children harmed
by guns a year would mean that in less than
five years every single one of us would personally
know a child harmed by a gun. Funny, I don't
know any. Am I that statistically unlikely - or
is the author using precisely the same tactic he's
deploring?
-- Larry Smith
As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."
your post is right on the money. in regard to the above, though: i recall some big american city (i want to say dc, but really don't remember) was planning to sue a gun manufacturer (colt, i believe) for this very thing not too long ago. i don't know how far the issue has moved since then. it's absolutely absurd to blame the maker of a tool for the tool users' actions. what's more absurd, though, is that people think that's a good idea.
"onward!" cried the copper man, little knowing brass corrupts...
I never thought of this case in terms of the idiotic cases such as the McDonalds coffee incident, but I think you have a good point. I cringe every time I see a suit over something that someone should have known better than to do in the first place, but this is different. I think the bank security example is a really good one, and people should seriously consider how we hold corporations or groups that are involved in the world's communications software responsible. Blindness or ignorance of the dangers presented by their own products is exactly what you labeled it: gross negligence!
-- let me burn you let me burn you let me burn you -Front 242
In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.
Copyright infringement on a disgusting level. In addition to that, fraud for making it look like other people were breaking the copyright laws.
Orcslicer
So, Lone Star, now you see that evil will always triumph because good is dumb.
I can see it now.. I write a word macro 'virus' just for fun to see what it can do. Say it mails itself off to, oh, 50 people. I pass this to a friend to have him look at it and like a dolt he opens it. Bam... it spreads all over.
... and missing.
Stupidity will always be around, our job as sysadmins is to contain it in little clusters and beat those people to a pulp.
Just wanted to rant a little.
---------------------------------------
The art of flying is throwing yourself at the ground...
A lot of businesses use MS Office exclusively. It's all Microsoft's responsibility. They know quite well that the vast majority of users will never in their lives need to embed a macro in a word processing file, yet they continue to leave macros on by default.
"So, the person should use linux, god dammit! Office suites in linux can save in MS Office format!" you say? Most people up here don't even know what linux is, much less how to install and configure it. And nothing but 95/nt is officially supported here. Linux and mac people are on their own. On top of all that, lots of secretaries need to run Outlook to access their boss's schedules and calendars to set dates for meetings and such. Does linux support that?
The computing environment here is almost entirely Microsoft except for a couple of vax servers for some legacy services. We also rely very heavily on features of outlook for information exchange and communication. I'm not sure how outlook-compliant linux email apps are.
So, not everyone can just tell Microsoft and all their apps to go to hell and run off and use linux. It might very well be the best thing since sliced bread, but all that doesn't matter if it doesn't integrate well with the current information infrastructure of a business.
The basic explanation for why people behave so poorly in Internet interactions seems to be pretty simple: it's the impersonal nature of the medium.
Despite the fact that users KNOW there are other real-live humans on the other end of the wires, it is hard to get past the illusion that you are interacting with a computer that couldn't care less how many ways you flame it.
All you ever actually see is the keyboard and CRT, not JonKatz as he reads your ridiculously hostile, inarticulate rant. Actually, that's wrong; remember, it's Jon Katz, not some entity called JonKatz...
[Think of the Turing problem]
There is a very closely analogous situation in the "Road Rage" phenomenon. When you are driving down the highway and some idiot in a red Lexus cuts you off, you KNOW that it is actually some middle aged guy headed to his dead-end job in the city and he just wasn't paying attention when he pulled into your lane.
But on a different level, you have been out on the highway for 45 minutes, and the music on the radio sucks, and you have started to sort of forget that the drivers in the other cars are people, and started to anthropomorphize their cars--think of them as living competitors for space on the road.
That's why you start screaming, making obscene gestures, and maybe rear end the goddamned Lexus.
In all our new, nontraditional relationships, we have to remember to maintain the kind of empathy we reserve for flesh-and-blood, everyday interactions.
Sorry, but the scope of this fella's crime was international and disabled critical business and gov't computing resources all over the place. It should make a lot of noise. The 'net is still the most liberated, unregulated piece of context in the known universe.
"Professional coder on closed source. Do not attempt."
Jon said:
>Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.
Wrong. Techno-hostility is a PERCEPTION by non-members of a community that they know nothing about. Without worrying about pandering to a "larger" audience or "dumbing down", ideas evolve organically and quickly.
>It aborts ideas.
Absolutely the contrary is true. It allows the community to be an idea-incubator (or womb to use your analogy).
>Hostility, from flames to viruses, are an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.
How clever! So in order to keep free access, we need to tone down our opinions and statements? Bullshit.
>And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.
First of all, your parallel usage of flames and virus is suspect at best. The two are apples and oranges. Creating a virus or a flame is neither unthinking nor reflexive, unlike your article's unthinking and reflexive mental masturbation.
Creating a virus is an art. It is no different than the kid of your generation who took the radio apart just to put it back together again, even if some parts were left out. It is a natural instinct in humans to figure out how things work.
If you create a virus to rip off money, you are a thief. If you create a virus in order to show explicitly the obnoxious security holes in Microsoft or other OSs, you are doing the general public a service. You are enabling them to see clearly why security is important to protect their data, why encryption is essential, and why (in the example of David's Melissa) using shoddy MS products is a serious business risk. I hope sincerely that the example of Melissa will be considered by the Pentagon and NATO who currently both use Microsoft Products. And don't even get me started on Los Alamos Lab, the most high-level security lab in the country, that ONLY RECENTLY put up a firewall...
---diva
diva Pasty Drone NewsTrolls, Inc.
Exactly!
What's really galling to me is how all the coverage focuses on the Evil Hacker. Duh. Melissa was a stupid little macro that can only exist on Microsoft products. Why isn't anyone reporting that?
This is not the work of an evil programmer - it's the logical outcome of shitty products (windows and outlook). Hmph.
So go ahead and sue MS now, but what happens when a security flaw shows up in Linux? ( it cannot be!). But it has happened and will happen again... who then is responsible for the damages?
This is not a question that can be easily answered by "Sue Microsoft!", you must consider the larger picture.
Complexity Happens
I read in a major weekly news magazine that the Melissa virus had clogged up and shut down tens of thousands of mailservers, and saw a few techs quoted saying it had "brought mail transfer on the Net to a standstill." The second is not true; the first is highly implausible.
This virus relies on a human vector; it doesn't propagate with the speed of electricity or a Pentium III - it only moves as fast as a man can check his email, download a text file, and open Microsoft Office (the latter, we know, takes forever).
I was not, and I know of no one who was, affected by this virus.
The internet technicians who are employed in Fortune 500 companies - the ones who get interviewed about these events more than the people who designed the Net's various subsystems in the first place - need to start gauging their replies very carefully. If they don't, they'll succeed in scaring a large number of people away from the Net and reducing the importance of their own jobs. I'm pretty convinced they're doing these interviews and exaggerating impact for their own ego enlargement, so they can hear the reporter on the other end of the telephone gasp in shock.
I could be mistaken. I hope I am.
for(;;;) wrote: Shooting people in the head is a blunt way to point out the dangers of guns, but it's still not a very good idea. "~We had to destroy the village in order to save it.~"
Bruce Perens wrote: Let's not confuse negligence with vandalism. If someone leaves a can of mace around and I use it to assault bystanders, they may have been negligent but I'm still responsible for my actions.
People without self-control create problems. The tools to screw people's lives up can always be found by some idiot child with unfocused hostility. Civilization starts at the individual level.
Erm...the person who stole it?
If corporations are people, aren't stockholders guilty of slavery?
Tom, I for one would encourage any company that lost measurable time due to this virus to sue Microsoft. It will serve one multiple-faceted purpose. The first and foremost in my mind is "Is Microsoft *really* liable for their products?". Proponents of Microsoft use this as an argument for commercial software. A backstop, a single point for all eventual complaints to return. The precedent will make software companies the real thing: a producer of content that is liable for its product. This is different than the current image of "tool producers" who, like Craftsman and Snap-On, cannot be held liable for someone using a hammer in a murder, but can be held liable for injury should the hammer break (when they claimed it would not). Either way, the definition of software companies will change forever and bring to light the problems RMS, ESR and Linus have been trying to point out all along. It will wake up software vendors to the problems of market flooding unproven proprietary products to unsuspecting consumers who think they are being served to their best purposes. Bill Gates likes to compare his innovations to the auto industry. If so, maybe he should talk with them about government restrictions such as ABS and air bags, something the industry refused to add for years. Today, they are considered the major selling points for cars, yet 20 years ago, their proposed regulation raised cries of "innovation hindrance" and "cost inflation" by car companies. Of course, the US auto industry was suffering from something a certain US software company is suffering from: perceived quality of its product when placed next to a better competing product. Most Americans know what took place over the next decade. First it was denial, "it's the Japanese underselling us", then it was FUD "buy American, it's the patriotic thing to do", then they wised up and started to produce quality cars.
Had GM or Ford had the grip on transportation that Microsoft has on the software business, I think the end result would be different.
>"Is Microsoft *really* liable for their products?".
Have you ever read the Microsoft licence? It basically says (and please do correct me if I'm wrong) that MS don't guarantee that this software will work and, if it doesn't, they aren't liable.
With open source software, you take real responsibility for the software you're running - if you don't trust it, you can hire a programmer to check it out. If you don't like something about it, you change it. You can't do that with proprietary software. And that is why open source software is more secure than proprietary software, no matter what that lame lawyer guy says.
Dodge
Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it? Apart from Emmanuel, who speaks out in defence of hackers who are arrested, imprisoned or charged on flimsy/circumstantial evidence made viable by hype and hysteria? Who has stood up and demanded to know why Kevin Mitnick has been imprisoned for four years without trial?
The media aren't interested - they lap up what they're told by so-called "experts", whether they're law-enforcement officials or Microsoft hacks. When it comes down to it, the news media's main objective isn't to report the news anymore, but to gain the largest audience share. Hype and hysteria sell to the uninformed masses, who then become the misinformed masses.
It's merely another facet of the increasingly commercialistic society we live in. I remember when the Internet was about knowledge and learning. Now it's about Porn and making money. Sooner or later, a group of people are going to get pissed off and embark on a campaign of info-terrorism which will make the whole "Free Kevin Mitnick" thing look like a fucking walk in the park.
Ideological terrorist groups used to have to align themselves with countries like Iran and Libya in order to gain the resources to make an impact. And then they had to face public hostility in the face of innocent deaths, and the prospect of a bloody demise on the wrong end of an MP5 held by an SAS or GSG-9 trooper.
Now, all we need is a computer and a modem. No one's going to get hurt and, believe me, conventional law-enforcement organisations will be powerless to stop a dedicated info-terrorist (not these lame script kiddies). l0pht weren't bullshitting when they said that it's possible to crash the Internet. The only reason it hasn't been done so far is because the people with the skills and knowledge aren't lame enough to do it. Sooner or later, someone's going to decide that the 'Net's just not fucking worth it and it'll be a fucking disaster - we'll see billions wiped off the US stock markets as
Y'know something? I hope I'm totally wrong. I really hope that none of this comes to pass and that it can be dismissed as Dodger in one of his infocalyptic moods.
But just imagine if Melissa's creator had more malicious and destructive intentions. Just imagine if that Alternic guy who redirected visitors to internic.net hadn't been so harmless. And how many Americans expected the World Trade Centre or Oklahoma bombings?
The Dodger
I agree with many people here that DOC files need to be treated as EXE files in attachments. I keep all macros disabled in all my office programs until I have a need from them. Besides, no one at work would e-mail me something with a "here is what you are looking for :-)"
This is truly and utterly hopeless. Someone goes out and writes a piece of software which takes advantage of a bug in a system put in place by MS. MS has been warned of this. Users have been warned of this. But nothing, if anything, has been done.
People. *points to the cities* The people out there don't give a fuck. People are killed everyday and the news counts it off as a daily occurrence. Accidents kill people. Drunk drivers kill people. Tobacco kills people. And yet nothing substantial is done. Why?
Why is the government so willing to step on peoples' rights to "bring the evil-doer to justice" when it comes to computer crimes but is so god-damned apathetic when it comes to drugs, rapes, murders, and theft?
It is ridiculous.
I don't think it's _just_ MS's fault or _just_ the end-users' fault, or _just_ the programmer of the virus's fault. It is everyone's fault. For being apathetic to problems. For running companies and BLINDLY trusting a company even when they know better. For writing programs with known bugs and not taking the time to go back and fix it. For accepting these problems as "normal".
THESE PROBLEMS ARE NOT FUCKING NORMAL!
My god.. if a car you bought broke down every day, you'd be pissed as hell, but you accept the fucking fact that when your computer crashes, that it's just life. That is plain stupid. ANYONE who goes through life just accepting that has something wrong with them. Either it was forced upon them or it was something they came to accept, but they should seriously consider looking over their lives again. Because there IS something wrong when our society has such a screwed up system where punishment and action no longer coincides with the actual threat.
Someone else posted that there is a real underlying threat. That this one macro virus which _can_ be discovered, was. But what about those which can't be discovered?
We have a REAL problem. And all the authorities can think of doing is either covering it up, getting rid of the people who are trying to do it, or profiting off of it. Whatever happened to fixing the problem?
Solve the fundamental problem. A simple directive. But no one seems to want to do it. Complaining about costs and corporate image and all that crap. Here's some news: Someone being able to get into the corporate computers is pretty freaking bad for the corporate image.
People are worrying about another world war with the current bombing situation. I think people should be more worried about an internal war in America with information.
Just my two cents.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
The Melissa virus (and other macro-style virii) strike me as being more Microsoft and the end user's faults than anyone else. Greater society is quick to blame the virus programmer, but all the gaping security holes were put there by Microsoft.
Using MS products with this type of security holes is like going out, leaving your house unlocked, door wide open, with a sign posted in the front yard saying "Hey! My house is unlocked. Go on in! The stereo's in the living room..." and then complaining when you get robbed.
People use software with gaping security holes that they *know about* (word macro virii are old news) and then complain when those holes are exploited. If you're unwilling to close these holes, you can't complain. Of course, the other problem is that Microsoft has made leaving these holes open (sometimes) a necessity for using their software in useful ways.
pooptruck
>Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it?
Actually, traffic on various NT mailing lists has been heavily hostile towards MS design flaws in Office. ZDNet has a lengthy attack on Microsoft's approach (not fixed in Office2000) in today's PCWeek.com. Whereas earlier macro outbreaks had been pretty much confined to the desktop techs, this Melissa thing has been big enough that it's landed right on the CIO's desk. I'm sure that Microsoft has had many friendly discussions with some of their large customers about this issue.
--
Business. Numbers. Money. People. Computer World.
If you're a student or an independent contractor, sure you could switch to an alternative platform (Linux, MacOS, and OS/2 are not technically safer, but are unlikely targets just for market share reasons.)
But the point of an office automation platform is that everyone in your organization has the same client platform to work off of. There's a de facto need for standardization in a business environment, and it has to do with more than file formats.
Note that I said "automation platform" and not "three useful programs" - lots of people do use the scripting features in MS Office. (Although I don't, and I wish I could turn it off.) The Melissa virus is nothing more than a mail merge using your address book. One could imagine that type of thing could be highly useful for people.
This sort of automation is not automatically exploited. Microsoft chose the stupidest route for protection - a simple Y/N question. They could have also prompted you 100 times "OK to access address book?" "OK to send mail?" "OK to modify Word Defaults?", but that would get old real quick if you were running a legitimate application.
The other solution is a code signing infrastructure, where macros could be assigned differing rights depending who signed the code. Imagine grafting this onto the 100 million user base of MS Office - it would be damn near impossible.
Hopefully KOffice and the other new clean design Office products can handle this problem intelligently. However right now proposing a Linux/whateverOffice solution is essentially asking users to accept a lower level of functionality to keep them safe from the scary evil viruses. If KOffice and others make the mistake that Microsoft did, just wait a few years when Linux has a more significant desktop penetration, and we'll start seeing Linux macro viruses.
--
Business. Numbers. Money. People. Computer World.
What, everybody will forget regular user accounts and log in as root, then forget all about security?
I think you misunderstand what the Melissa "virus" is. It runs entirely in a normal user's security context (on an NT machine) and does not 'exploit' any 'holes'. It simply accesses *your* address book (which you could do manually) and sends mail (which you also could do manually) and disables the virus warning in Word (which you could also do). It does not interfere with other users on the same machine or act in a root context.
So login security has nothing to do with it - which is entirely my point. The fact that a macro can do these things is a designed-in feature of MS Office, and it's probably in Lotus and WordPerfect too. If a different Linux/Windows/Mac/OS2 office suite (er, automation platform) is immune, it is because it's either feature deficient, allows the user to disable certain functionality, or it has some sort of code-signing infrastructure. (I can't think of any different solutions.) Some posters seem to be leaning towards the feature-deficient solution.
--
Business. Numbers. Money. People. Computer World.
I don't think the intent of the virus WAS malicious. How was he to know it would spread so quickly? If it was going to be malicious, why didn't he have it send mail to ALL of the people in the address book? It seems to me that he was trying to pull a little prank, and he grossly overestimated the intelligence of the majority of the computer-using population. And what's wrong with 40 years of gay sex? I know people who've had 40 years of it, they aren't complaining...
-lx
Not me. I'm a rather quiet pin-tail duck, and I'm sick of getting confused with people who exploit poor computer security! Wake up, media! Make up a different term for those people. We had it first.
-lx
for the poor ones that get caught. I know what they did was wrong bla bla bla, but in most cases they are awesome programmers, and are doomed to never touch a computer again. Personally, I wouldn't survive too easily...
Sure, it was irritating and malicious, but not in the way country music is. If you don't like country music, you just change the station or go to another bar. Not liking the virus doesn't help if you're the tech responsible for cleaning it up. You just cancel your dates for the next few days, maybe give away an expensive pair of theatre or game tickets, and spend your evenings fixing the trouble that this guy caused.
I don't see how this is different from, say, shouting `fire' in a crowded theatre. Sure, chances are that nobody really gets hurt. But it's still making innocent people's lives less happy.
cjs
The world's most portable OS: http://www.netbsd.org.
>>>Someone might try, but that nasty software license will get in the way, you know, the part about Microsoft making no warranty or guarantee of suitability for their products other than being liable for replacing the media they come on...
This license, like every other license, contract and/or agreement, was written by lawyers, for lawyers. Hence, it can be broken by lawyers, modified by lawyers and challenged by lawyers. Just because some company slaps a string of words on a product does not make it legally binding for all time IF there is indeed demonstrable negligence involved.
Case in point..amusement park rides. They all have their standard disclaimers.."ride at own risk" sort of things. But if one of them fails mechanically and it is due to negligence, you can bet the lawsuits would be flying fast and furious. Disclaimer or no disclaimer.
Press ALT+F4 now to test your IQ.
There, all the braindead users who don't know their own computers should be gone now...
If you run a program you do not know, prepare for a big surprise. It's a feature of your computer to do things. Learn your appliance.
It's a shame that people who actually NEED the "Do not use hair dryer while bathing" warning labels are allowed to own a computer, or a car, or God forbid, even a gun...
Maybe if we were not so bent on protecting the public from its own stupidity, the average IQ would rise in tandem with the resolution of the overpopulation problem.
There was a time when a virus was a piece of art. Not that I condone malicious virus programming, but it required hacking (the pleasant version) skills to do. You had to hand assemble the beastie, squeeze nifty little features into a few dozen bytes. Now Joe Shmoe can drag, drop, click and send. My question is, what happened to the artists? Did they all turn to OSS, for the satisfaction of being able to put their name on their work?
-- What you do today will cost you a day of your life.
I certainly hope that that lawsuit went nowhere. It would set a very dangerous precedent. If a gun maker were to be held liable for murders and accidents involving their product, where would it end?
Would Anheuser-Busch and Ford be defendants along with the drunk driver?
And you're right. It's the populace that is to blame. The legal maneuverings are, after all, intended to benefit the public (or am I totally naive, and it's all the lawyers' fault?). The idea that someone would have the stones to sue McDonald's for having doused their own crotch with scalding coffee, is ludicrous. These people should not only be laughed out of court, they should (as per British rules) be made to refund the cost of the frivolous lawsuit. Further, they should be kept from breeding more idiots.
However, there is some strength to the argument that M$ is at fault, at least in part. Tech-minded people have known for a long time, that M$ Office is swiss cheese, security-wise. This has been said elsewhere in this forum numerous times. M$, IMHO, has shirked the responsibility of keeping the PAYING public informed about the shortcomings of their product. Mind you, they are not obligated to fix it, it is their product to develop as they will. But, they have the moral obligation (uh-oh! How objective can THAT be?) to keep their customers aware.
Here Ford has them beat hands down. If something more than nominal rust appears on a tranny-mount, they issue a recall and have it replaced free of charge. (Just got a notice regarding my father's Lincoln) And you can't argue cost, since M$ is making money hand over fist, and their production costs for a patch are nil.
What the software industry needs is a vocal watchdog organization to point and yell each time the emperor streaks the town square. Maybe some of the primus mobilae of OSS could knock heads together and propose a Software Underwriters Association?
-- What you do today will cost you a day of your life.
Interesting point. Where is the list (I'm sure it's long) of bugs present in M$ e-Comm related software? Anything from FrontPage to ISS and MTS.
If these, in the presence of nominal conditions, can be shown (or even more effectively MADE) to cause serious financial (or even public opinion) losses to major corporations, M$ would find themselves under tangible pressure to do right.
-- What you do today will cost you a day of your life.
Yes, writing a virus and releasing it into the wild, is a bad, bad thing. Bad boy Davy, go stand in the corner and don't ever do it again...
But does he really deserve this level of persecution? I don't think so. The man has been set upon by rabid dogs, half of them ignorant of the technology involved, and the rest trained by the Federal government to be heavy-handed and vicious. Security and conformity enforcement through intimidation works. Da Comrade!
The effect of what he did, intentions aside, is not far removed from the Morris Worm. Yes, Morris was prosecuted and punished, but even the government admits that it was a curiosity that ran away from a controlled environment. It's not like this guy (Smith) is Jeffrey freakin Dahmer. He's a geek, who for one reason or another, wrote an annoying bug. Sure, it touched many computers, but what DAMAGE did it really do?? It got a lot of IT people money for systems improvements, it gave many anti-virus softwares welcome exposure. It was a boon, and it got attention. Who got hurt?
Dave Smith. He will be prosecuted to the fullest extent of the law, by an ignorant, ham-handed mechanism that's been eager to sink its teeth into a non-celebrity, just to show that you can't fight city hall, even with a computer.
"Oooohh!!! Scary computer people will launch nuclear missiles with a virus!" IMHO that bespeaks badly of the federal and military security, not the crackers who are being compared to the John Gacys of the Internet.
As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."
Feh!
-- What you do today will cost you a day of your life.
"Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions. "
:b
Some of us have no problem in being close, personal AND attacking you. Why would you think I wouldn't as soon smack you as look at you if I was so inclined? Fear? Consequences? Sure - just get really good at dealing with the consequences or minimize the consequences by understanding the reactions that may be generated. Woah - is this hacking?!?
This doesn't excuse the reaction. I generally feel that what makes humans human is the ability to react AGAINST our basic instincts!
Melissa was just the "internet worm" for 1999. (I still wonder if I saw the author of the worm at last year's Linux Expo. The name on the name tag was right, as was his apparent age.) It wasn't a big deal. But some people are still afraid of the dark.
For more info on the internet worm, read
http://www.alw.nih.gov/Security/FIRST/papers/virus/gao.txt
MSNBC (go figure!) wrote an article asking whether or not MS is partially to blame for these problems. Obviously (given their parentage), they don't come down too hard on Microsoft, but they don't let them/themselves off the hook that quickly, either. Check it out.
And you know what? A lot of this computer stuff is pretty complicated. You and I understand what we do because we are either smart, or worked at it really hard, or were indoctrinated in a techie culture, or some combination of the three. Saying nasty things about "kl00l3zz n3Wb33z" just makes it harder for people trying to get by, and that sucks.
A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.
:-)
You don't even need to do this. Everything you write is automatically copyrighted by yourself regardless of whether you put a (C) on it or not. Of course, if you haven't filed the appropriate paperwork with the appropriate government agencies then defending that copyright in court can be difficult.
It would be interesting to see what affected companies would say if you sued them for copyright infringement for running your virus without a license.
For someone who claims to be interested in the facts your apparent ignorance of the McDonald's case is interesting.
The coffee, maintained at a scalding 180F-190F because the customers supposedly "like it hot", caused severe third-degree burns. She spent seven days in the hospital and was treated with skin grafts.
Initially she only wanted payment for her medical bills but McDonald's refused to even negotiate with her. Consequently she contacted an attorney who had settled another coffee burn case with McDonald's. In the course of the trial company documents revealed that "in the past decade McDonald's had received at least 700 reports of coffee burns ranging from mild to third-degree, and had settled claims arising from scalding injuries for more than $500,000."
Despite knowledge of the hazard, company officials refused to warn its customers. "There are more serious dangers in restaurants." And given the 1 billion cups of coffee sold annually, McDonald's considered the number of burn complaints to be "statistically insignificant".
After hearing such testimony a jury found McDonald's liable and awarded $200,000 in compensatory damages. The jurors deducted $40,000 for contributory negligence. Also, given McDonald's conduct, the jury awarded $2.7 million in punitive damages, which was equal to 2 days of coffee sales.
Later the judge reduced the punitive award to $480,000. While awaiting appeal the two parties settled out of court for an undisclosed sum.
The #1 sickening thing about the whole McDonald's coffee hype is how it distracts from the facts. I suppose you just glibly believed whatever it was the mass media told you about that McDonald's case didn't you? Why do you expect anyone else to behave differently when it comes to the hacker culture (or whatever you want to call it today)?
Some dork writes a prank virus, and he gets threatened with up to 40 years in jail. He would have been better off to go shoot someone. At least then he would only be looking at around 7 to 10 years. Now I don't mean to trivialize murder. The point I am making is that this guy basically pulled a prank. He didn't do any tangible damage. Things are getting way out of hand. The GOVT has too much power. Why take away this man's future for a stupid prank. Why is this a crime at all? This is more humor than anything. Microsoft shouldn't have left so many stupid doors open in their software.
Anyhow, that is my take on things
-Master Switch, one more element in the machine
This joker didn't send out emails saying "Open this Word Document to spread a virus to a bunch of folks in your email list", though.
And why should this guy have 'every right' to write a virus that screws with people? Calling the victims 'stupid' doesn't wash... 'uninformed,' perhaps, and that still doesn't excuse it. The *intent* behind the virus was malicious, and I challenge anyone to deny that.
"People" using "unnecessary" quotes should be "shot".
Correct me if I am wrong, but I am under the impression he was caught because of a string of code, undocumented, added to every word/excel document that takes a user's registration code and system settings and generates a unique id which is then sent out with everything he writes!
Close enough for Microsoft work. According to the news story cited in last week's /. Melissa coverage, the actual tracing was done by comparing the MAC address (a unique identifier on every network card, necessary for networking to work) which was embedded in two documents -- the Melissa virus's host document, and some documents on this guy's web site.
So, the information being inserted by Microsoft Office into your documents is your MAC address (a.k.a. your NIC address, or your ethernet address, or "those funny numbers that your network driver displays when it starts up").
Yes, this is a legitimate privacy issue. If you value your privacy, then perhaps you should not use Microsoft Office.
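The linking technique described in the two comments above can be reproduced for auditing your own files before you publish them. This is an added example, not code from the thread or from any investigation; it assumes the embedded identifier is a version-1 GUID whose last 48 bits carry the network card's address (the thread says only that a MAC address is embedded), and every file name and GUID below is constructed.

```python
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Version-1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample data (not taken from any real document): file name and
# the GUID string recovered from that file's metadata.
SAMPLE_DOCS = [
    ("attachment.doc",     "6f8e2c00-e4a1-11d2-8f3b-00a0c9123456"),
    ("web_page_draft.doc", "2a41b7e0-d9c4-11d2-8f3b-00a0c9123456"),
    ("unrelated.doc",      "9b0d4f20-e2f0-11d2-a1c7-0060971a2b3c"),
    ("random_v4.doc",      "3f2504e0-4f89-41d3-9a0c-0305e82c3301"),
    ("random_node.doc",    "c8e1a540-e100-11d2-b2d4-03f1c2d3e4f5"),
    ("damaged.doc",        "not-a-guid"),
]


def parse_guid(text):
    """Return (mac, created) for a version-1 GUID that carries a hardware
    address, or None when the GUID reveals nothing about the machine."""
    try:
        u = uuid.UUID(text)
    except ValueError:
        return None                      # malformed string
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None                      # e.g. version 4: purely random bits
    node = u.node
    if (node >> 40) & 0x01:
        return None                      # multicast bit set: node was randomly generated
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -8, -8))
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return mac, created


def link_documents(docs):
    """Group documents by the hardware address inside their GUIDs.

    Returns (groups, skipped): groups maps a MAC string to a list of
    (file name, creation time) sorted by time; skipped lists the files
    whose GUID carries no usable hardware address."""
    groups = defaultdict(list)
    skipped = []
    for name, guid_text in docs:
        parsed = parse_guid(guid_text)
        if parsed is None:
            skipped.append(name)
            continue
        mac, created = parsed
        groups[mac].append((name, created))
    for entries in groups.values():
        entries.sort(key=lambda item: item[1])
    return dict(groups), skipped


def shared_origin(groups):
    """MAC addresses that tie two or more documents to the same machine."""
    return sorted(mac for mac, entries in groups.items() if len(entries) > 1)


if __name__ == "__main__":
    groups, skipped = link_documents(SAMPLE_DOCS)
    for mac in shared_origin(groups):
        print(f"documents written on the machine with NIC {mac}:")
        for name, created in groups[mac]:
            print(f"  {name}  (GUID minted {created:%Y-%m-%d %H:%M} UTC)")
    print("no hardware address recoverable from:", ", ".join(skipped))
```

Any file that lands in a group rather than in the skipped list is carrying a machine identifier that survives copying and e-mailing.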
driving against the wall at 150mph, killing people. yeah i know some of you think 'this is something completely different than melissa'. but hell - where's the difference?
There are several differences:
I liked the Tylenol analogy the best. Businesses hit by this virus should get together and file a class-action lawsuit against Microsoft for contributory negligence. Even if the lawsuit is settled out of court in secret, or takes years of tedious litigation, the public exposure of Microsoft's gaffes would be a service to the computer industry. And the time to do this is now, while the Melissa virus is still fresh in people's minds. Remember, the outcome of the lawsuit isn't as important as the perception of Microsoft that the lawsuit would create in the public consciousness.
It's about time we (the hacker community) used big business's tactics against them. We don't even have to do much -- just encourage a few upset people to seek justice. And we're not lying or misleading -- we're only telling the truth.
I believe the theft of computer service refers to the AOL account that he broke into to send the virus. Ditto with the third charge. This is an interesting case, it's not actually that far a leap from this Macro virus to spam mail...
-Rob Ansell
-forge5
"No rest for the weary, and the insane don't need it!"
Okies, people, let's say that David Smith is the creator of the Melissa virus. Well, he's got to be somewhat good of a coder to write the blasted thing...
The Melissa virus is not an evil monstrosity designed by a lone person to bring the information world crashing down upon our heads. What he did wasn't even *hard*. It's not like he had to break into military databases, bypass the incredible security, etc.
He let people do that for him, all thanks to Micro$oft. He utilized one of the primest of security holes. People. He did use their ignorance and trust against them, true, but it still took one person to blindly trust this suspicious document they received from an outside source.
And let's look at how the Melissa virus was done. It was a Visual Basic-written Word Macro. Written on Micro$oft to affect anyone who uses Micro$oft.
Macro virii are not new. In fact, they've been around for at least two years. However, unlike conventional virii, their complete potential has not been explored. Each new development can, in a way, be paralleled to the rise of virii in the mid-to-late '80's.
Macros are a huge security hole in Micro$oft products. If you give me access to a Windows machine, and only give me access to Word because you don't want me to use anything else, I can easily hack together a macro to let me access command.com or anything else I want.
But no one wants to believe that.
Especially not the media. Hackers generally (and please do not confuse the term hacker with cracker) dislike the media, are in a sort of revolt from it. And the media wants to, well, to maybe exaggerate it a tad, own the souls of everyone it can. The hackers are a threat.
Threats must be eliminated. Resistance is futile. You will be assimilated. Or else.
The Melissa virus has shown us three things. One, the media is evil, given the arrest of David Smith. Two, Micro$oft Office is one of the greatest hazards to a computer's security. (Micro$oft coders, please take note.) Three, macro virii are still mutating, becoming stronger.
Does anyone here still remember the big scare about Michelangelo a few years ago? The Melissa virus scare was even worse.
But has the macro virii world truly found its Michelangelo, or are we just seeing its preludes?
--CAE
Virii have been around almost as long as computers, and the first ones were nasty little buggers too. Does anyone remember the Worm? That thing decimated systems in a time when data wasn't as easy to get back, and systems weren't so easy to get back up.
Did the media care about this? No, it wasn't important enough. Nothing dealing with computers was important back then. Now along comes Jane/John Doe with a silly little script that only works on Windows if you're running only an MS mailer. This is not a virus. Imagine if the worm happened again today at the same level of severity as in the days when VMS sysadmins feared it. What would the media do to the author? (Assuming that he was brain-damaged enough to write it with a bunch of Big Brother type MS malarkey)
My point is simply that the Media is supposed to be the people's servant. They aren't supposed to try and scare us with every new buzz-word that comes along. They should have to check their facts and look around to see what is actually going on. What they are doing to the person is wrong. Not that I have any sympathy for anyone who even tries to write a virus, that's the lamest thing going, it's just that there have been much worse cases than this tiny annoyance.
I mean come on people, all it does is send itself to five people! The only reason that hurts anyone is because they happen to be running MS stuff at the time.
StylishPants.Org - Home of everything that's interesting, and nothing that's not.
I agree that the media has made this a much bigger problem than it should have been (Networks Crash, computers died, oh the tragedy!). But if a lot of little industries fail the real Y2K test I think the media will jump all over it. Heck if nothing even goes wrong they'll dig out the smallest of problems so they can scoop everyone else. The media is worse than a million clueless nubies! At least the nubies get the idea sooner or later. I mean the WSJ made a statement to the effect that Linux doesn't even support SMP! And it is supposed to be a top notch paper. What a sham! I'm beginning to think the news that they want us to hear is what they're feeding us. (did I just say that!)
Neil Cherry - Linux Smart Homes For Dummies
Then he makes (IMHO) a valuable connection of the similarity in psychological distancing involved in the use of high tech killing weapons. The 'Internet Creeps' (the so-called dark side of the Internet: porno junkies, perverts, crackers, flamers, etc.) have the advantage of anonymity from their intended victims that allows them to launch whatever type of attack they wish, without responsibility for the results of their actions.
Freedom without responsibility invariably leads to anarchy. Let me offer several examples.
- I am (not being an ex-convict, or otherwise restricted) 100% free to buy a gun. I am not 100% free in how I use it.
- I am free to buy the ingredients which mixed together, could make an explosive or illegal drug.
Similarly, I am free to write an unbelievably malicious computer virus. I am not free to distribute it without consequence. But even these thoughts are not 100% what the article is (IMHO) trying to focus our attention on. Use it wrong, and I am subject to arrest for breaking the law.
But if I make the explosive or drug, again, I am breaking the law, and deserve the consequence of my actions.
Either we work together to make the 'Net a more livable, enjoyable, and safe place to co-exist, or we do in fact deserve the heavy-handed law enforcement and media responses which would undoubtedly otherwise follow.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
a) My company is a respected and technical organisation with about 2000 people in it. We tend to work mainly with Fortune 500 type outfits.
b) Unfortunately, we are a Microsoft-centric company. This is true in development and also very true in our company's sales organisation. Everyone without exception has to rely on Word and Exchange for their correspondence, document creation. i.e. MS software is core to our business.
c) We were hit quite badly, but luckily enough, the media had created enough of a frenzy on TV and in the local newspapers that we escaped the consequences.
Now onto a brief analysis of what I see as a growing problem, which a lot of linux folks are oblivious to, or tend to have an elitist attitude towards.
It is easy for a corporation to select MS products. In the good old days no one got fired for selecting IBM, these days no one gets fired for selecting MS products. This in my opinion has happened because of the "dummification" of the industry overall.
Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organisation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially create a "gun, which replicated itself every time someone fired a shot". Imagine a weapon like that let loose on our streets.
Your post tends to support the idea that MS is liable for damages caused by their software. McDonald's makes their coffee too hot. A woman accidentally pours it on her genitals. A jury finds McDonald's liability to be $160K and the woman's $40K. MS sells an office suite that defaults to totally insecure. On their web site, there is doubtless information about how to secure it, so a customer is at least partially liable for damage caused by macro viruses, but I believe that Microsoft could also be found liable for some damages. Of course, the EULA states something to the effect that by using their software, you agree that any harm is your fault. Too bad McDonald's didn't put a EULA on their coffee.
Step back for a moment from the issue of the virus itself.. This guy sits down, playing with VB, and writes a neat little virus. It may have been his first realization of how "powerful" VB can be. He may have just learned how to write a macro and figured a simple exploit... So he writes it, mails it off to a friend (Maybe to test it?), who mails it to a friend, etc etc.. wow it worked!
But he was caught... how?
Correct me if I am wrong, but I am under the impression he was caught because of a string of code, undocumented, added to every word/excel document that takes a user's registration code and system settings and generates a unique id which is then sent out with everything he writes! Hmmm, that sounds, wow, a hell of a lot like the virus he himself may or may not have written, EXCEPT it was written into commercial software by a multi billion dollar corporation with the guise of Information Security
If that's not the ultimate irony, I am not sure what is.
Once I thought I was wrong...I was mistaken.
"He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."
Just FYI, only the first one was related to the actual writing of the virus. He stole an account from AOL (probably with a CC generator, although maybe AOL's just lying and it was one of those "100 free hour" things and they don't want to look stupid: "Oh, hey! We're giving away free accounts that anyone can use anonymously to do whatever the hell they want!").
Even if the users are at fault, who cares, it doesn't matter. Everyone knows Microsoft is at fault for making piece of freakin shit products, and I think they are the ones that should be thrown in jail for being such a bunch of dumb asses.
Joseph?
... but it's not actually 5000 kids killed by guns. It's 5000 kids killed by morons wielding guns. Be those morons kids themselves, or no, those are the facts.
Guns don't kill people. People kill people.
Too much sensationalism. The only way to combat this type of thing is via EDUCATION, EDUCATION, EDUCATION. One of these days, hopefully, people will figure out that media is not there to disseminate news. Media exists to further the cause of media, just like bureaucracy exists to further its own existence. Sensationalism, hype, and demagoguery are the tools of media and politicians, and none of it is good for us. We all lose our rights and freedoms when the ignorant are cowed by these tyrannical forces.
Makes me want to live in a tar-paper shack in Montana and build bombs. Also makes me glad I don't own a bloody television.
--Corey
Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
No offense to you -- you're not the one that set your organization's IT standards -- but maybe people SHOULD start being fired for selecting MS products. A large vulnerability was found in a Microsoft product, resulting in considerable downtime for certain companies. If, say, Applix or Star Division software was responsible for the bug, employees would be reprimanded for choosing their software. Why shouldn't the same be true for Microsoft?
Also, remember, patches were available for Sendmail (the Pro and open source versions) within hours of the virus' discovery. Many of the anti-virus companies (Symantec, etc.) published updates within hours of discovery. AFAIK, the only thing Microsoft has done is acknowledge that the vulnerability will be present in Office 2000 as well.
Ryan
Flames and viruses may both come across as hostility, but they share similar positive qualities. They're blunt ways to point out weakness in an argument or system. A wise Win98/Outlook/Word user will look at the Melissa virus and say, "I'm going to move to a system where the makers give enough of a shit about the users to fix the software holes that allow viruses." People have known about the threat of scripting viruses for years, but only when massive damage is done do mainstream folks wake up and pay attention.
"Whatever happened to fair use?"
-- Duff-Man
Assuming KOffice is open (I assume it is; I haven't seen its licensing), it is likely that exploitable holes in macro security will be fixed in a timely manner. The only way macro viruses will be eliminated is if Microsoft redesigns Office BASIC to be safe, and the only way this will happen is if a devastating-enough virus makes MS customers complain enough that Redmond does something.
As other people have posted, both Emacs and vi had scripting virus-type bugs that have since been fixed. In an open-source environment, security problems can be fixed before they become devastating. In closed-source environment, security problems are fixed only after they become devastating.
If the Melissa virus (which is really pretty mild as far as viruses go) causes MS to close up security holes before genuinely bad viruses are released, then the Melissa virus will have been A Good Thing.
"Whatever happened to fair use?"
-- Duff-Man
I don't understand what the Melissa fiasco has to do with "integration". Integration IS good for the customer. I'm really really glad I don't have a different pull-chain under my dashboard to control the spark advance, fuel delivery, valve timing, and all the other wonky stuff that makes my car make pretty noises and go fast. Bad engineering (in the form of MS's VBA implementation) is not good for the customer. Integration (that is, the combination of modular parts into a seamless whole) is the best possible way to run a computer. I'd LOVE for Apple to release OpenDoc under GPL. That'd be a very cool thing indeed!
Why yes, I AM a rocket scientist!
This doesn't make sense. Certainly, it's ideal for people to not send executables to each other, but sometimes there's no other alternative. It's the only widely-available peer-to-peer file sharing system that is currently available. As far as DOC files go, I'd LOVE to be able to get users to understand what file formats are, and how they can be converted and exchanged easily.
That's just not going to happen. Ignorance is no defense, but it's also just about inevitable. Engineering needs to be done on these systems to make it more difficult to do bad things inadvertently.
Sure safe computing requires education...look how well education works nowadays.
Why yes, I AM a rocket scientist!
Upon rereading my post, I discovered that I totally left out the (to me) critical feature. Integration should not be "I'm microsoft and I'm going to bundle together this bolus of useless creeping featuritis and cram it down the throats of my customers, regardless of their needs". Integration should be "I'm OpenDoc, and I'm going to build an open, extensible framework in which you can choose from a variety of tools that work together harmoniously, that you can customize at your leisure". I think I'm using "integrated" in a misleading (or maybe bass-ackwards) sense. The more I think about it, "modular" fits better. But I want to differentiate between the slapdash "Netscape/Photoshop plugin" stuff, and a more elegant, easier to manage, more flexible architecture. I want to be able to use the same spell checker in ALL my applications. I want to use the same drawing and page layout tools in ALL my documents. This focus that we (computer users) have on using a certain application is somewhat mis-directed. When I fix a car motor (yeah, right!) my objective isn't "Use this socket set to fix the car", it's "Use the appropriate tool to fix the car". If I'd rather use an impact wrench, or Bob Vila's Craftsman Clench Wrench, I shouldn't have to get another motor.
It's late, and I'm rambling. There's a cogent point in there somewhere.
In short, you're absolutely right. : )
Why yes, I AM a rocket scientist!
What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.
Except everyone who got this Melissa virus got it from someone they DID know. Fortunately, all I've heard about the virus came from news sites (no first-hand knowledge), but it seems that the message is designed to fool the recipient into opening the document. If you didn't know about the virus, you'll just think some friend of yours sent you something important, and you'll probably open it. Chances are that you'll ignore Word's warning about a possible macro virus, and run it anyway. Once you do that, it's all over -- the virus has spread to all your friends. Melissa spread so easily because it seemed to come from a trusted source, not because everyone who got it and spread it was a moron.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
If a market-leading car manufacturer sells you a car that does not come with door locks, immobiliser, alarm,... and it gets stolen and taken for a joyride, you might feel inclined to blame them.
Yes, the joyriding kid is a sociopath, but the 'net is an unsafe neighbourhood.
-- open source? sounds like the real book --
Katz writes:
He allegedly named his virus after a topless dancer in Florida.
As I understand it, the virus was named for part of the registry modifications it makes. I could be wrong, but the CERT advisory FAQ says: "It was named Melissa by the antivirus software vendors."
I'd like to point out that the only real piece of "smoking gun" evidence, the MAC address, was discovered not by a government agent, but by the guy who originally found this security hole. The government would have just been speculating without him.
Furthermore, nobody's really talking about the privacy issues. Yes, it may have captured a suspected criminal, but it was a violation of privacy. We should hear about these things from the company.
Finally, I know this will never fly in court, but who says he had malicious intent? Maybe he was playing with macro virii and making a porno list, and he infected himself. In any case, he obviously got in way over his head, otherwise he wouldn't have gotten caught (for technical and other reasons).
Yeah. I'm tired of losing hours of work either cleaning up the mess, or just plowing through all the warnings, etc. when a nasty virus hits. I'm tired of spending time maintaining virus scanning software which gives nothing that anyone would value if only everybody would spend his time doing useful things instead of wondering what he can break next.
And if some vandal accidentally sprayed his name on the side of a building, don't you think the police would grab him just as eagerly? PR is PR. Everybody needs to be seen doing a good job.
Down with vandalism, whether virtual or physical. Go stuff up your own computers, or learn how to do something worth having.
Er, careful never to use that analogy or even joke about that in an airport. From what I understand body cavity searches are not pleasant.
I think it's more about finding a scapegoat anyhow. If they hadn't quickly found a suspect there might actually be some tough questions asked:
Apparently if found guilty on all counts this guy could face up to 40 years in prison.
I, for one, find this ludicrous. Nobody was killed, nobody was hurt, and as far as I know no data was even lost.
I think, on general principles, anybody who writes a macro virus should face half the legal penalty of someone who writes a true machine-language virus. After all, in order for his/her virus to do anything the person whose computer is involved has to effectively let them, by allowing the macros to run.
Maybe the way to divide up the blame is to say any malicious things the macro virus does to the host computer can be laid squarely on the shoulders of the virus writer. Any denial of service resulting from the virus spreading is shared between the company that has a macro-virus enabled platform, and the users who don't check for virii.
In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.
But unfortunately my views aren't the views of law enforcement.
So. How is a very successfully propagating but non-destructive macro virus different from some other action resulting in denial of service? For example: the people responsible for the net clog following the Pamela Anderson / Tommy Lee videos? Lucasfilm for the popularity of the Star Wars trailers? Even the /. effect! We take down servers just as harshly as Melissa did when there's something cool to see there.
Look out Cmdr Taco -- 40 years as some guy's bitch isn't worth the coolness of maintaining /.
If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun
Actually, it's more like this :
Your desk suddenly decides that it is going to send a package to all of your friends. Your friends are not wary of this perfectly normal looking package; it is addressed from you, after all. And, even though they weren't expecting a package from you, they know you and trust you.
Your friends take this package to their desk, sit down and open it. They find that the package contains a bunch of teen porn magazines. So now they're a little suspicious, of you, not of the package.
But, while they weren't looking, the package has told your friend's desk to send identical packages to every one of your friend's friends.
Two things :
Should a package be able to talk to your desk?
Should a desk be able to send a package?
I have discovered a truly remarkable proof which this margin is too small to contain.
I don't think that's what he was saying. I think the point is that unlike "traditional" virii, Melissa required the interaction of the user by way of opening the attached doc.
The trick here was exploiting the human machine in spreading the virus. If users never opened the doc, the virus would never have spread. To get them to open the doc, though, is frightfully simple. Just entice them, exploiting a characteristic that we all carry - curiosity. "Hmmm.. What's in this document?"
What I'd really like to know, having seen the "code" from this thing, is why a macro language in an application has unchecked access to the system registry?!
Where the value of X-Mailer: is the true measure of a man...
How many months into 1999 are we.
It is only 4 months since Happy 99.
Fortunately I only ever read about that one - mainly cos I don't open strange .exe files.
I can't wait till someone decides to exploit the weakness in the Standard VESA library and starts blowing up monitors.
Maybe after some flashes and bangs the sheep would learn.............
Yep I do have a job.
When you receive mails from people are they often in the 3rd Party, suspiciously autogenerated, as if they have been passed on by another user format of
"Important message from [name]."
Don't you get a LITTLE suspicious?
If from a real person wouldn't they be less stilted, maybe a little less formal?
I have never received a mail titled "Important message from" that wasn't bot generated spam, and would automatically regard such with suspicion even if it came from my Mother.
Didn't this trigger any suspicion????
If so what was wrong with picking up the phone and letting your fingers do the walking, I assume that your Team Supervisor IS on the internal phone list.
BTW as a suggestion to all those corporations out there with wide open doors to this kind of thing, why not stick all vulnerable filetypes on your INTRAnet, and just refer to them in emails - this is a LOT more secure, as only authorised documents are made available to your employees.
Oh and another one, never turn off the warning in MS Office re macros.
Remember people, you can't rely on "dumb luck" otherwise you will end up looking like a "dumb schmuck"
And those who are paid to be sheep, hope you're laughing all the way to the BAAAAAnk.
I agree with you.
Look at the situation thanks to Sony, Sega and Nintendo
Kids don't have access to programming, and so the above companies are now going crazy to try and source a new generation of coders for their games.
I subscribe to the philosophy "If you don't know how to abuse it, then you don't know how to use it"
ie you need to know the weaknesses in a system before you can say that you know what you are doing with it.
Maybe we need some servers set up that are "Hacker Friendly" ie no cops, no lawyers and a nice sysop to put it all back together, think of it as a "Hacker/Tracker training ground"
Anyone like to volunteer a server?
"Guns don't kill people, people kill people"
Yeah, people with guns. And bombs don't kill people either, people who drop bombs do. And nuclear weapons don't kill people...
There are an awful lot of shootings going on and at least SOME of the blame for that is the ease with which people (kids included) can get guns.
Heck, they even let ESR have one %-)
At least if a moron with a knife comes at me I've got a fighting chance, and he's not going to kill somebody standing in their kitchen half a mile away when he misses.
"I am here by the will of the people and I won't leave until I get my umbrella back."
The initial wave of media reports suggested the authorities were using the GUID to help track the virus author. After Mr. Smith was arrested, very little was mentioned about the GUID in any stories.
The GUID in question pointed to a virus writer who goes by the handle "VicodinES". Authorities believe that Mr. Smith built Melissa by combining parts of other virii. One of the original virus elements of Melissa was allegedly created by VicodinES -- hence the attached GUID.
The authorities do not believe that David Smith is VicodinES. In their opinion, the GUID is not reliable as evidence (this point was made on slashdot by many posters long before Smith's arrest).
/* BTW -- I can't help but wonder if the GUID would be "reliable" if it HAD pointed to David Smith. I also wonder if it becomes useful to Smith's defense now. */
Save the whales. Feed the hungry. Free the mallocs.
Actually, statistics like that get a LOT of media coverage. I suggest the author take some of her/his standards for factual reporting and apply it to other statistics. Where did you get the number "5,000"? What is the cut-off age for a child (25, 21, 18, 12)?
Anyone's death by firearms is unacceptable. When I studied criminal justice, however, I saw studies that defined a "child" as anyone under 25. This includes legal adults who were killed as part of gang activity.
If the author is going to insist on media fairness and accuracy, I would suggest also exercising it. Sensational statistics like "5,000 kids killed by guns" serve the same purpose as "100,000 computers infected by Melissa".
Sorry to go off-topic (and sound like an NRA stooge), but that statement stuck out like a sore thumb to me.
Save the whales. Feed the hungry. Free the mallocs.
I used to think that "knowledge = power" was just a cute quote someone picked up and put in their signature file.
More times than not, nowadays, it really rings true.
Some say the death of the Internet was when AOL got newsgroup access and every post from there was repeated in duplicate (at least) for the first week. The homogenization of "our" Internet still causes quite a bit of pain among the intelligentsia.
I'm sorry John, I couldn't bear to stay with you for this whole article, but I think you got your point across about half-way into it.
My company doesn't understand the Internet, what a virus is, or a macro for that matter. Our IT management did their fieldwork when ATs and VT100 terminals were the rage. They wax eloquent about punch cards and green monitors. They stopped learning a long time ago.
They are scared, because they don't know.
Knowledge = power
In my case knowledge also lets me form a basis for an opinion on a subject. An opinion that usually doesn't involve "hammer them to death" tactics and thusly is not the preferred response to things like the Melissa macro.
Scared companies and governments do dangerous over-the-top things. That's what's happening here.
When an IT manager can't guarantee to the upper management that this won't happen again, maybe tomorrow, the fear sets in.
Punishment, swift and aggressive is called for. Someone must be found to blame. Set an example. Show the world that you are not powerless. Try and convict the "author" or his roommate. Vilify his parents in the press. Trash his lifestyle. Whatever is necessary to apportion the blame. Because it can't be MY fault. I was only following orders. From Microsoft, my anti-virus company, the manufacturer of my computer, etc.
That's the way it works around here: Plausible deniability.
Really sick stuff. Shift the blame to someone who cannot possibly defend himself.
That's the American way.
Jack
Oh for heavens sake, grow up.
Look Windows has never been touted as a secure system, Word pops up and *asks* you if you want to open documents with macros in.
So if it's all Microsoft's fault, is it Smith and Westons (spelling?) fault that you americans blow the crap out of each other every year?
Now let's see, if Linux takes off, how many non-geeky people will run their systems as a user with root access, because
a) It's easier
b) They don't know any better.
Then let's see if someone can run up a Linux virus.
Heck it's public knowledge that guns can hurt people, that's wide open to abuse and gun manufacturers do nothing. Wow.
What does difficulty have to do with anything?
It's not *hard* to shake a baby until it's brain-damaged.
It's not *hard* to shoot a bunch of people.
It's not *hard* to cheat a bunch of old people out of their money through a telemarketing scam.
Does that make these things okay? Are you suggesting that criminal law should be based on the *level of difficulty* of a crime?
Get a grip.
The ambitions are: wake up, breathe, keep breathing.
"What kind of moron runs a macro-laced Micro$oft file from someone they don't know?"
But, in fact, the major social engineering feature of the attack was that it was specifically designed to come from someone you _do_ know. IMHO _that_ was the real innovation in this exploit, not threading together a collection of security holes like so many Cheerios on a string.
"No matter how paranoid you are, it isn't paranoid enough."
The same kind of moron who thinks that just by reading a text file, you too can catch a virus.
The sad part is that IT professionals must deal with this sort of thing everyday. In my shop, I've told people that if they run a file they received as an attachment, they're SOL because I'm not going to drop everything to help them.
Stupidity on your part does not create an emergency on my part.
Very few "middle aged or older ladies" who live in an urban or suburban setting would dream of opening the door of their home before checking through a peephole to see if they were willing to trust the knocker.
I think they are capable of learning to do the equivalent with email, but it will take a while.
"I see great things in baseball" - Walt Whitman
Computers are great for games. It's fun to run network servers out of them. Programming is a unique power trip and one of the most elegant mind puzzles around.
But whereas the lives of home users, armchair sysadmins, hackers, hell, even W@ReZ D00Dz would go on without them (albeit nowhere near as much fun), businesses today are SOL without a uniform network. Each employee does not buy whatever system they feel comfortable with, or prefer, or trust. IT managers buy computers. The motivations of an IT manager are not necessarily to make the choice that will result in a near-bulletproof network (though security is very important to them), nor is it to make the choice that will promote free evolution of software (OSS), nor is it strictly cost; they have a budget to live within, but TCO takes support into account as well, as IT managers are not-so-cheerfully aware. The primary motivation of an IT manager is the same as that of anyone who's earned a management position: pay off the house, pay for the kids' braces, etc. In other words, not get fired.
Years ago, the saying was, "Nobody ever got fired for buying IBM". Now, it's "Nobody ever got fired for buying Microsoft". Unless they've landed a job with incredible (and rare) autonomy, IT directors' requests must be approved by someone higher up. This "higher up" likely knows little about computers, outside of the fact that their clients, etc. would like documents in Word 97 format, that they dig Excel on their Packard Bells at home, etc. They also know that Microsoft is a massive company, and when they think of a computer, they see Windows 95 on the monitor because that is what they know. When the time comes to implement or augment a network, it's far easier to just accept Microsoft than to put your career out on a limb and try to convince this person that there are better solutions. And THAT, boys and girls, is how companies end up with Windows on their employees' desks.
So how do they get into the employees' homes? When a front-line accountant or HR grunt or marketing person chooses a computer, they may or may not realize that other platforms may be able to read their Excel spreadsheets or Word documents, but they're not going to bother, in most cases. Best Buy sells the system they use at work; they can pirate the software to use at home, and, they can use Outlook to check their mail, just like at work. They can do all of this without learning a new interface or converting documents. When something (virus, exploit, etc.) comes along and shakes up the users, IT can't blame Microsoft, because they purchased the Microsoft products themselves. They can't blame themselves, the network, or the users, for obvious reasons. The users and the management must trust the system, and so the virus writer is vilified.
Virii are fascinating. Distributing them for no reason other than the malicious thrill of impairing others is wrong. IMO, anyone who distributes a virus should be held accountable for the inconvenience to users (and to tech support... "Windows just crashed... is it a virus?"... ::shudder::), but I'm not trying to excuse software companies that write software with Lincoln Tunnel security holes. Microsoft has a responsibility to its users to acknowledge and patch security issues, precisely because their products are so widely used. To simply turn their heads and work on The Road Ahead or whatever and make their next product without addressing security, stability, and utility issues for the people who paid for their products, is irresponsible and arrogant.
If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun (if it was him responsible for spreading it) and people very stupidly opened up stuff they had no idea was about. Is he to blame for everyone being so lax about their own security in the computer world?
On top of that, I've seen entire mail networks brought down by one lone dumbass who hits reply all to a system e-mail that causes a crazy loop drawing in other dumbasses telling her to shut up and before long servers are crashing all over the network(MS-Mail 3.2 BTW).
Freedom of information. He has every right to write a macro virus if he wants to. Who can prove that he did or didn't spread his melissa ho all over the internet? I look forward to seeing how this plays out in front of a jury. The poor sots are going to be confused to hell by the end, and probably turn into disgruntled cyber-terrorists.
Madhatter --It's no wonderland out there.
Unix/Linux have no viruses, though traveling internet under "root" privileges can break security. Seeking user-friendliness, Microsoft has produced software that will act on anybody's program/message. This is not secure. Since Microsoft additionally piggy-backed internet, it became even more vulnerable to "viruses". Using Microsoft's Word and OS on internet amounts to standing naked in Central Park, then complaining you were molested.
When you run around naked in Central Park, you expect to be molested. You should complain little about the molester (Melissa author), but should complain about people without clothes (Microsoft's insecure software). Children run around naked. When children become adults (adult operating systems), they dress like adults (perhaps Linux or BSD Unix).
Word can be configured to use .rtf formats or others that don't contain macros. So, while you may not be able to discard MS products, you as the user can choose how it's used.
In addition, your IT/IS department has obviously chosen that your company should be vulnerable to this kind of attack. If you choose not to lock the front door, don't be surprised when someone walks in.
Don't mistake my intention, whoever started this worm should be caught and slapped on the hand. But, the 'damage' (downtime, flooded servers, lost productivity) is the result of poor choices on the user and corporate level.
Using a computer and its applications should not be considered 'common knowledge'. An 'average' user should understand some things about the system. And I would not expect that person to learn the basics without some formal education / inservice / training.
A good sysadmin could have deflected Melissa, that's true. But, Melissa is not the point, it was just one example of an email worm / virus. The end user must assume some responsibility for the security of their system. You may feel that's expecting too much from an 'average' user.... if so then the definition of an 'average' user needs to be raised.
It's also a mistake to assume that the end users don't know what they are doing. You never know, that 'clerk' on the second floor may be a kernel hacker at home.
I use word97 occasionally. I have it set to default to saving as .rtf - Rich Text Format. It's cross platform, and not dependent on any changes MS may make to the .doc format. And it doesn't save scripts. With a 'properly' setup install of Word, the user has to consciously choose to save as .doc. So, your users that don't understand file formats won't know to save in another format.
BTW, the same users that don't understand file formats are the same ones that probably never use any of the macro / scripting features in Word.
I know that people send executable attachments all the time. How many of those attachments are really 'work' related? How many are entertainment (holiday graphics, macromedia files, simple games, jokes, etc)?? I agree that the systems need to be designed to minimize these problems. But, we are talking about Microsoft, and Word macro viruses have been around long enough that if Microsoft wanted to fix them, they could. There is not a simple answer to these problems. Maybe, I oversimplified my opinion. The issues are:
1. MS products that are poorly designed from a security stand point. (MS is just one example here, and takes the stage because of Melissa)
2. IT/IS departments that purchase these security problems, and don't take precautions to plug these holes.
3. End users aren't provided sufficient training on security.
4. Rogue programmers that write viruses / worms / trojan horses.
The responsibility has to be shared between all these parties. You can't isolate one and place all the blame there. If the vendor wrote better software, if the admins filtered attachments, if the users knew about macro virii, if programmers didn't write viruses. If people assume responsibility instead of trying to blame someone else, and take the security precautions they are responsible for, then these incidents would be better controlled.
If I had been infected with the Melissa virus, I would blame myself, because I know better. I don't blame the author (even though he shouldn't have written it). I don't blame MS (even though the security should be better). I don't blame my mail admin. I am the only one that can stop a virus from infecting my PC. If I choose not to, it's my own fault. If a user chooses not to know about virii or worms, that is also a choice. They should understand the consequences of that choice.
full thickness burn ( 3rd degree ) does not mean 'charred' skin, It just means that the skin is dead. There is not a specific temperature that does this, it depends on the thickness of the skin at a certain location on the body. i.e. not all skin is the same.
Severe 2nd degree burns may have required skin grafts for scarring.
Melissa just takes advantage of people that rely on binary executable attachments to email. MS users are of course much more vulnerable to this. How many times have you saved an attachment, set it chmod 700, and executed it?
Contrast that with an attachment in Outlook, Outlook Express, Eudora, etc. Attachment - double click - .. oops!
Just as windows users should learn not to execute email attachments that are *.exe, they shouldn't execute *.doc files.
The automatic response I expect is : "but, that's how our users work". That's not acceptable. Ignorance shall not become a defense. If a user becomes infected with Melissa, it's their own fault. They were too trusting. (perhaps sad, but true)
Any company or government agency that was hit by Melissa needs to do some serious re-education of their users and implement some policy about email attachments. For example: 1. No *.exe attachments to email (maybe even filter them out) 2. No *.doc (or other macro containing formats) 3. All attached files should be in *.rtf or *.txt format.
Safe Computing like Safe Sex depends on EDUCATION.
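The three-rule attachment policy proposed in the comment above (no *.exe, no *.doc, only *.rtf or *.txt), sketched as a mail-gateway check. This is an added example, not code from the thread; the function names and the sample message are constructed, and the content sniffing goes one step beyond the comment's extension rules because a file's name does not guarantee what it contains.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = {".exe", ".doc"}   # rules 1 and 2 from the comment
ALLOWED_EXT = {".rtf", ".txt"}   # rule 3: everything else is refused

# Leading bytes of the formats the policy cares about.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 container used by legacy .doc
MZ_MAGIC = b"MZ"                                 # DOS/Windows executable
RTF_MAGIC = b"{\\rtf"                            # Rich Text Format


def sniff(payload: bytes) -> str:
    """Classify an attachment by its first bytes, ignoring its name."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2"
    if payload.startswith(MZ_MAGIC):
        return "exe"
    if payload.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_message(raw: bytes):
    """Return (filename, verdict, reason) for every attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in BLOCKED_EXT:
            verdict, reason = "reject", f"blocked extension {ext}"
        elif ext not in ALLOWED_EXT:
            verdict, reason = "reject", "extension not on the allow-list"
        elif kind in ("ole2", "exe"):
            verdict, reason = "reject", f"content is {kind} despite extension {ext}"
        elif ext == ".rtf" and kind != "rtf":
            verdict, reason = "reject", "named .rtf but does not start with {\\rtf"
        else:
            verdict, reason = "accept", "allowed extension, content consistent"
        findings.append((name, verdict, reason))
    return findings


def build_sample() -> bytes:
    """Constructed test message; payloads are magic bytes plus filler, not real files."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Important message from a colleague"
    msg.set_content("Here is that document you asked for.")
    octet = {"maintype": "application", "subtype": "octet-stream"}
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 16, filename="list.doc", **octet)
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 16, filename="report.rtf", **octet)
    msg.add_attachment(b"{\\rtf1\\ansi Constructed memo}", filename="memo.rtf", **octet)
    msg.add_attachment("Meeting moved to 10:00\n", filename="notes.txt")
    msg.add_attachment(MZ_MAGIC + b"\x90" * 16, filename="setup.exe", **octet)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in check_message(build_sample()):
        print(f"{verdict:6}  {name:12}  {reason}")
```

The `report.rtf` case is the one an extension-only filter misses: the name satisfies rule 3, but the bytes are a Word container.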
I think you're projecting your own need to create villains.
Let me ask a question: Pretend that you are in some law enforcement position, and it is your responsibility to enforce sensible laws which prohibit vandalism on the internet.
Almost no one is ever truly convicted of violating these laws, and the vandals know that.
What would you do?
Of course, this assumes that the laws are sensible. I see a lot of postings which explain that it's the fault of the "victims" for having security leaks. This is ridiculous. You could apply that to anything. I suppose that by the same logic - we shouldn't have laws against murder. After all, don't murderers simply expose the weakness in their victims' defenses, thereby helping us all to become stronger?
Perhaps the human race is a virus -- and the earth its host. The nature of our existence is to create life from the destruction of some other resource. A virus is no different. It is an attempt to create artificial life that can subsist and thrive in its own environment, on what resources are available to it. I'm not trying to say that viruses are "good" or "bad" but to humbly point out that we should recognize them for what they are... life. I guess my point is this: even though computer viruses are dangerous and can be terribly destructive, we must realize that they hold potential far beyond what our minds can grasp right now. Thanks for your attention, acidbug
Hello all, I am one of Jon's Infamous Lurkers. I agree with a lot of what he has said here. But true indeed is the fact that the OS makers are to blame as well. Macro viruses are incredibly dangerous and easy to code. VB is a wonderful tool for such projects, but for the really good ones you must program in Assembly, that dead language that no one really knows all that well. The Melissa virus could have been much worse. It could have replicated and mailed itself, then overwrote every file of a type on the hard drive. It however is not that hard to remove. I have been a consultant for a few years and helped a certain major Pizza Franchise corporation through a macro virus cleansing. It was very harmless as well, matter of fact we only lost 4 documents company wide; it propagated through e-mail. It did however cost the corporation a pretty penny to rid themselves of the virus. But the whole thing was blown way out of proportion, this guy is not even close to being a Kevin M. Thanks for the great columns, keep up the good work
"Never judge a man till you've walked a mile in his shoes. This way when you do you are a mile away and have his shoes."
OK. All of you have had a chance to rant, now is mine. He he he. :)
Although I am a relative newbie to slashdot, I have been reading it nearly every day since last October, and one thing has disappointed me. Unfortunately, most of the comments that I have seen, particularly on this article, happen to be not only anti-Microsoft, but also anti-user, in many respects. For the last 13 or 14 years, I have spent a good deal of time working with computers, mainly with an Apple IIe, an IBM PS/1, and my current machine, a PII-233 w/Windows 95. I know I will likely get flames from even mentioning that I even use Windows. Admittedly, there are many problems with Windows, and I don't like having to reboot at least every 24 hours. In fact, I am currently working on saving up for a nice box to throw Linux on and try it out. I am most anxious, but as a college student, I bought a Windows machine due to the fact that I was more familiar with it and the fact that the Systems Analysis department uses MS products for its classes on VB and C++. With that and books and other expenses, I am not in a position to buy the computer yet.
Yes, I use Office 97. I do like the integration, but there are several features that I would not miss if they are not there. Macros are one, Word HTML Authoring is another. I find it very frustrating that, after my having taken the proper precautions, that I read the comments here bashing practically anything even remotely related to Microsoft. I am a command line type of person, having been well versed in DOS, I have to admit that at times, I like the point and click simplicity of Windows, and I happen to enjoy the rich set of features that Outlook 97 (not Outlook Express) offers. The only lack is newsgroups, which I receive using Pine over a telnet connection to one of three different Un*x boxes around campus. I also like the PGP integration, although I could go without if I had to.
I also find it frustrating that some of the readers here assume that many who use Windows and Microsoft products are clueless and pathetic. Not all of us are. I would have to agree that many are, but not all. Microsoft products do have their merits, even if they are not perfect. I know that Linux isn't perfect. If anything was ever perfect, everyone would want it. That is simply not the case.
My question is this. "Linux is open source and, despite my use of Windows, I would have to agree that it is better, but why do we need to put down people that are not as literate as we are?" It would make sense that the Linux community would want to encourage as many people as possible to try it. For many people that post here, that is already their goal. For some of those and others that I have encountered in the Linux community around here, their means to the goal are misguided. The general impression that I sometimes get is that the Linux community is an elite crew that does not want more members, and some are inadvertently dissuading some users of Windows (even the die-hards) with the arrogant attitude that is projected.
Literate commentary welcome to come to nosbig@technologist.com. Please direct all flames to /dev/null.
Rob Gibson
nosbig@technologist.com
DH/DSS Key by email