Slashdot Mirror


The Melissa Syndrome

John Dillinger wasn't nailed with much more fanfare than the alleged creator of the now-famed Melissa virus, whose apprehension in New Jersey a few days ago drew a governor and a platoon of state, local and federal cyber-cops. This syndrome is becoming almost ritualistic. The virus and the arrest tell us a lot about Crime and Hype, Technological Hostility, and Closing the Distance that makes so much online hostility so easy.

CRIME AND HYPE: The Melissa Syndrome

John Dillinger himself wasn't arrested with much more fanfare. When police in New Jersey announced the "capture" last week of David Smith of Trenton, allegedly the creator and distributor of the now famous Melissa virus that's supposedly infected more than 100,000 computers and shut down several hundred corporate computer systems, it made front pages all over the country.

The FBI acted as if it had just rounded up the world's most wanted terrorist. The bureau rushed to hail its new National Infrastructure Protection Center, a division created to fight cyber-warfare threats following teenaged hackers' intrusions on U.S. Defense Department networks. "We will track down these electronic saboteurs," promised William Megary, the FBI special agent in charge of the Melissa investigation.

The case was such a public relations bonanza that New Jersey's governor -- never before known to have uttered a syllable about the Internet -- turned out before the cameras to praise the "good old-fashioned detective work" that brought the villain to justice. She was flanked by the Attorney General and a battalion of law enforcement officials.

This reeks of opportunism and hype.

And it reflects the curious mythology of the Net and the Web, especially to the old-world institutions trying to figure out how to deal with it. The idea of a computer virus is genuinely chilling. But has it created enough damage or suffering to warrant this kind of coverage? Or is the idea of the virus more menacing than the reality?

Anybody who's been paying attention to the Net for any length of time has learned to be deeply suspicious of journalistic and law enforcement pronouncements about cyber-criminals. Both government and journalism have been fundamentally clueless about the dangers presented by hackers, virus-makers and other bogeymen. Dubious, unchallenged statistics are often presented as fact, great dangers invoked where there are few, sometimes no, victims. Too often, the hype hasn't fit the crime. More than anything, bureaucracies like to grow, and nothing feeds them faster than saving the public from real or perceived danger.

This drama has become almost ritualistic, ever since the famous Secret Service raids on suburban hacker bedrooms in the 80's. Law enforcement, competing for bureaucratic jurisdiction over the Internet, deeply suspicious of a culture it can't understand or control, has pressed for encryption tools and standards that challenge both privacy and freedom.

Journalists, threatened by the ferociously independent digital culture, accept and relay all sorts of unfounded accusations and statistics, and seem eager to portray the Net as a public health hazard.

So when somebody is hauled out of an apartment by publicity-hungry law enforcement agents, his equipment seized, the media enthusiastically passes along reports of massive damage and danger with little or no detail or substantiation.

The brilliant loner stalking society plays into the media's shallowest stereotypes and the public's deepest fears. In the David Smith case, the media have found their latest Kevin Mitnick-style cyber-villain, another disconnected computer addict without a life, using his computer skills to prey on unsuspecting citizens and helpless companies.

The 30-year-old programmer was described as a reclusive, anti-social loner who rarely left his apartment. He allegedly named his virus after a topless dancer in Florida. He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems. As noxious as viruses are, Dillinger, in fact, would have been embarrassed to be nailed on charges like this.

Journalists reported the existence of dark and menacing viral subcultures lurking on the Net and Web, working feverishly to prepare lethal viruses. Was Smith also VicodinES, another virus writer linked in Net posts with the creation and dissemination of Melissa?

According to the New York Times, the emergence of the Melissa virus "underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild."

To hackers, thieves, crackers, perverts, addicts and porn-peddlers we now add viral terrorists - "the anarchic lure of virus writing," one paper called this new danger. Curiously, if typically, there was no hard evidence to support the suggestion that virus writing has become epidemic, or even to substantiate the police estimates that more than 100,000 people and hundreds of companies had been affected by Melissa. How would we know? Did they all call the FBI?

Stories like this one reinforce the idea - already entrenched in journalism and politics - that people need walls around their computers to protect themselves, their businesses and their families.

These walls sometimes take the form of legislation (the late CDA, for instance), and sometimes result in the blocking and filtering systems spreading all over the Net.

"Here we go," e-mailed Johnny Rocket, who creates, studies and then dismantles (but never distributes) computer viruses for fun. "There are some sick people out there, but why don't they ever check to see how much real harm is done? Mostly, they're dumb kids. But they don't do nearly as much harm as you would think from watching TV."

And not nearly as much as human beings do to one another in the real world either. A child maimed or killed by gunfire -- more than 5,000 American kids were casualties of guns last year -- doesn't get a fraction of the coverage or attention David Smith or Melissa will get.

TECHNOLOGICAL HOSTILITY

Still, for all the exaggeration, hostility is a reality online. Whoever created Melissa did cause harm and damage. And to human beings, not just machines. He or she also reinforced the false idea that the Net and the Web are dangerous places inhabited by threatening people, and in need of urgent policing. The FBI and its National Infrastructure Protection Center are ready and waiting.

Yet some programmers do generate destructive programs like Melissa and take some warped pleasure in distributing them. Some do make viruses for fun, the same way others love bar codes and study magnetic strip coding. This kind of behavior isn't new to the world, or unique to the Net. Every year, thousands, even millions, of people race trains across tracks, drive drunk through stop signs at high speeds, beat up their spouses and kids.

But one of the strange realities of Internet life is that it juxtaposes extreme anger and powerful friendship, closely and continuously.

The Net is awash in varying emotions and diverse responses. It brings support, creates community, makes communication easier than ever, and almost simultaneously spawns disconnection and hostility.

The nearly continuous dichotomy - making friends, receiving generous advice and direction, fending off flames and criticism, even dodging viruses and mail bombs - is so discordant as to be disorienting.

In many ways, the Net is fundamentally about community - bringing disparate, far-flung people together in new kinds of social groupings. You really can't go anywhere online by yourself and be completely alone. Technologically-driven hostility becomes even more important in that context, because community requires the members of a given group to talk about issues, forge common values, articulate goals.

The communicative social nature of the Net makes the former - the coming together -- easy, but the latter - rational discussion -- almost impossible. People who share an interest in Linux, open source or free software can come here from all over the world, but can they talk openly about the very thing that brings them together? Not often easily. Any half-dozen angry people can, and often do, disrupt a discussion in seconds (and not just here, but all over the Web), driving away people who are disinclined to trade insults or have better things to do. The effect is bizarre. The majority are driven underground and out of sight, the tiniest minority becomes a tyranny.

I've made my closest friends online, gotten many of my ideas and a torrent of thoughtful commentary. I am continuously supported, and educated. I am continuously challenged, attacked, insulted. Although I'm used to it, it's still sometimes bewildering to be praised and criticized simultaneously, for the same ideas and words, so immediately and intensely that it's hard to maintain a sense of reality at times.

Should you still listen to all the feedback, or make a point of ignoring it? Do you factor in age and gender? Do you credit the most articulate and impassioned critics? The most thoughtful? Or do you finally throw up your hands, and go by your own instincts?

When I wrote for conventional media - Rolling Stone (where I still write), New York, GQ and other places - the problem was simpler. I was trained to dismiss readers. It didn't matter what they thought. Nobody could reach me, except those taking the trouble to write and send letters.

But every idea advanced online is praised, attacked and criticized in varying degrees, sometimes within seconds of being published and for weeks, even months beyond.

The bulk of e-mail is radically different from most of the public posters on the site itself. Neither group, the flamers or the lurkers, seems to have much direct contact with or even consciousness of the other.

Unaware that I receive praise, the flamers expect me to go up in smoke. Unaware of one another, the lurkers reassure me. The lurkers sometimes know that ferocious, even vicious, debate and hostility is evident just a few scrolls down. The flamers have no idea that anything else is.

For a columnist dealing in opinions, this is a Brave New World, a parallel universe, my very own Matrix. It's sometimes impossible to know where one reality begins and the other ends.

CLOSING THE DISTANCE

Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions.

Although they differ enormously in their impact, the principle is the same as scientists' and technologists' advocating the use of advanced air weapons against remote and presumably primitive peoples.

Both kinds of attacks are made possible by the disconnection technology permits. We don't see our adversaries as human beings, and don't expect to ever encounter them. So, since we have the instant and visceral technology to respond emotionally to things we fear or dislike, we attack them with the expectation that there will be no consequences. And there hardly ever are. On the Net, assaulting someone is no tougher - or riskier -- than pushing a send button.

Online violence and hostility, wildly exaggerated in terms of scope and danger but still epidemic, will diminish only when the distance between people is somehow closed by the same technology that now promotes it. Perhaps when audio and video-streaming permits live encounters with real-time video and sound. Or when phone, voice and visual messaging technologies fuse, and the presence on the other end appears, even in virtual form, as a human being.

Smith may or may not be the author of the virus, and it may or may not be as dangerous and pervasive as the publicity-hungry cyber-cops suggest. But it's still a great metaphor for the nastiness that has marked the first generation of the Net, and then the Web.

For me, the damage comes mostly from what can't happen: intelligent, continuous discussions, messages from the many lurkers who have powerful ideas but are not willing to endure the public assault that comes with expressing them.

The best resistance: to persevere. To listen to all criticism, no matter how crudely expressed, and keep writing and talking. To do anything else would be to give up the freedom that makes the Net unique. Some day, the Net will have its own equivalent of a "peace" movement, and mindless hostility will be perceived as the very direct threat to free and open speech that it is.

Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.

It aborts ideas.

Hostility, from flames to viruses, is an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.

And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.

"The lesson," wrote computer pioneer Joseph Weizenbaum in a 1976 essay explaining the people who advocated the advanced weaponry used to maim and kill during the Vietnam War, "is that the scientist and technologist must, by acts of will and of the imagination, actively strive to reduce such psychological distances, to counter the forces that tend to remove him from the consequences of his actions."

jonkatz@slashdot.org

42 of 202 comments

  1. bah. by Anonymous Coward · · Score: 3

    Everyone blames the bad, evil, nasty hackers. Nobody ever thinks to blame the poorly designed systems that they exploit. Why? People have been warning Microsoft for years about macro viruses.

    Ideally all virus writers would be fully accountable and we wouldn't need to assign any blame to companies that produce shoddy software. But in reality, it will be virtually impossible to catch virus authors unless they make a colossal mistake like Melissa's author did. All you have to do is leave a floppy lying around with your macro virus on it. Label the disk "teen porn". Someone will pick it up and spread the virus for you, no way to trace it back. My point? Accountability is a myth, so let's go after the designers of these fragile infosystems.

  2. It was a crime & MS wasn't at fault by Analog · · Score: 2

    The company that makes Tylenol was held accountable for the deaths of 7 people when someone put cyanide in some acetaminophen capsules and replaced them on store shelves.

    They were held liable because it was found that they could have reasonably known that at some point someone could attempt to do such a thing, and had taken no steps to prevent it.

    Point that logic at the Melissa virus. Microsoft made it possible, they know it's possible, and they've taken virtually no action to prevent it. If liability under the law is consistent, shouldn't they be held at least partially liable?

    Many have pointed out the terms of the EULA as being Microsoft's ace in the hole, in that they disclaim any and all liability. I would just like to point out that AFAIK, EULAs have yet to be shown to be valid contracts, and additionally, many jurisdictions have laws specifically outlawing this type of disclaimer.

  3. the distraction by Tom · · Score: 5

    the #1 sickening thing about the whole melissa hype is how it distracts from the facts.

    here we have a collection of well-known security holes practically screaming "exploit me". they should've been fixed for years, but instead they've been put deeper and deeper into the very design.
    yes, I'm flaming micro$oft, but it's not them alone. it's the armada of clueless who, far from being honest about what they know and what they know nothing about, not only BELIEVE, but carry the word along - "integration is good for the customer".

    in my country (i.e. germany), when I break into a bank and it is found out that the bank's security company made my job considerably easier by leaving out standard security procedures or making serious mistakes that a security company really shouldn't make, it can be made liable for parts of the damage done.
    in the states, you have those idiot cases where mcdonald's is sued for the same thing - negligence - because they forgot to tell some fool that hot coffee is, well, hot.

    I wonder whether micro$oft will be sued for melissa-incurred damages. if you can sue mcdonald's for hot coffee, then sure as hell you should sue micro$oft for gross negligence of basic security procedures.

    --
    Assorted stuff I do sometimes: Lemuria.org
  4. The unwritten rule by heroine · · Score: 2

    With the recent publicity on bedroom hackers, ISPs came up with some new rules. Mainly, they give you 9Megabits/sec, but the only software you can use on their LAN is Windows running a MSIE client.

  5. melissa etc. by Phil-14 · · Score: 2

    I'm not sure whether or not the concern about Melissa might be actually justified. IMHO, the environment many people use these days for computing is responsible for a lot of the ease with which things like Melissa spread.

    Believe it or not, viruses are something that have to be taken very seriously. Especially by the people who build OS's or distributions. If they're negligent, however, no amount of panic from anyone else is going to stop things.

    I don't think Linux is virus-proof, but at least it isn't a "hey look at all these macros!" sort of petri dish...

    Phil Fraering "Humans. Go Fig." - Rita

    --
    (currently testing something about signatures here)
  6. Melissa Schmelissa by Stu+Charlton · · Score: 2

    the more I read about the hoopla over this virus, the more I want to switch industries to something less blatantly silly and immature (like concrete production)

    - It has become clear just HOW stupid ZDNet and its target readership are. I still can't fathom that people actually ate up the dumbed-down explanations, the conspiracy-theory GUID matching saga, the prediction of hundreds of millions of dollars of lost productivity, etc. It was a BENIGN MACRO VIRUS! This doesn't deserve a whole "special report".

    Of course, on the bright side, the "truly professional" trade rags, like InformationWeek or InfoWorld, barely had a peep about Melissa.

    - People who were affected were those who were stupid enough to click "YES" when the "Do you want to run this macro (which may be a virus)?" question came up. I have little sympathy for them or their IT departments. Macro viruses have been a well-known threat for years, and avoidance training should have been provided.

    - The obtuse "virus protection schemes" from IT shops are beyond ludicrous. Go to Bob Lewis' infoworld column this week and read about how they removed EVERYONE'S FLOPPY DRIVE at one shop, and you now had to use a floppy under lock & key to copy disks....

    - They want to put a benign macro virus writer in jail for 40 years, when arguably, all of the damage (tied up mail servers and crashed NT boxes) was the result of a) stupid operators and b) shoddy technology.

    In all, this whole incident makes me ill. I hope that if open source does anything, it helps to bring FUD like this down to a tolerable level.

    --
    -Stu
  7. Religion is a virus by joss · · Score: 2

    "He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."

    Interesting 3 crimes listed there. I guess in some sense he was guilty of 1, but I don't see how he could be guilty of 2 or 3. Does the fact that your program is running on somebody else's hardware without their consent constitute theft of computer services? w95 was running on my hardware when I bought it - can I charge MS with theft of computer services? Likewise if your data appears on another computer does that constitute wrongful access to computer systems? How about spam, can we lock people away for 40 years for sending spam, far more offensive to me than being sent a program which I would have to be a moron to run.

    Are there any specific laws against self-replicating programs? Powerful memes such as religion can be considered viruses that run on wetware and are highly contagious. Should these be illegal too?

    While I'm looking for different angles, I think he should counter-sue the US government for violating his copyright. When federal employees pressed the "run macro" button they ended up sending copies of his software to different organisations without consent. A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.

    The guy has done society a huge service by waking people up to the huge security holes in their software. It would have been just as easy to send out a truly destructive virus that introduced random errors across the harddisk or appended "transfer funds" instructions to the Quicken files for people who do online banking. Now that would be an interesting virus.

    --
    http://rareformnewmedia.com/
  8. Melissa, Memes, and "Good Times" by Frater+219 · · Score: 2


    > Where do we draw the line between a program that
    > knowingly mails to everyone in your address book
    > (so-called virus), or a program that accidentally
    > mails to everyone in your address book (possibly
    > a mail program in development, being debugged)?


    ... and a piece of information which suckers you into sending it to everyone in your address book (i.e. "Good Times")?

    Everyone who sent along Melissa did so by pressing a button that said "Yes, run this attachment." They were conned into doing so, because the attachment was sent under false pretenses -- it seemed to be a message from a friend, but was actually a virus.

    Everyone who sent along the "Good Times" warning did so by pressing a button that said "Yes, forward this message." They were conned into doing so, because the message was sent under false pretenses -- it seemed to be an important warning, but was actually a hoax.

    Melissa is not entirely a computer virus. It is dependent on user interaction, making it at least partly a "virus of the mind". Where do we draw the line between a human-aided computer virus, like Melissa, and a computer-aided memetic virus, like "Good Times"?

  9. Hacker, cracker, whacker. by Frater+219 · · Score: 2

    Actually, most crackers I know are noisy boasters and swaggering fellows. And hackers do tend to be people who hack, yes.

  10. The MS GUID does NOT enter into this! by Frater+219 · · Score: 2

    The alleged author of Melissa was not caught using the GUID. This is a myth which was propagated, among other places, in the Slashdot article about his capture -- even though it was not mentioned in the linked news article.

    Please stop propagating this hoax. It's almost as bad as "Good Times".

  11. Poor try on your part. by Frater+219 · · Score: 2

    Pardon me, Mr. A. C., but you really should learn to read what is before you before you respond to it. I recognize that this is difficult, but it is utterly necessary if we are to discuss real-world situations.

    I do not believe that the virus writer shouldn't be held responsible for his actions, nor did I imply such. I certainly do not believe that the actual victims of the virus were responsible for the damage caused, any more than the owners of the MS-robots in my fairy-tale were responsible for their own deaths.

    However, I do believe that Microsoft has deceived its customers by encouraging them to think themselves secure and protected when using their computers, when in fact they are exposed to risks which a marginal amount of responsible engineering would prevent. MS has billed its operating systems and applications software as being better than, or at least as good as, their competitors, when in fact MS software is uniformly ill-made and riddled with design flaws (not "security holes") which expose users to the kind of victimization perpetrated by the author of Melissa.

    Microsoft is not the victim of the Melissa virus, except insofar as, by using their own shoddy software, they exposed themselves to the same attack to which they exposed their unsuspecting customers. Microsoft is an accessory before the fact.

  12. It was a crime; MS was at fault by Frater+219 · · Score: 3

    It is true that what the author of Melissa did was a Bad Thing, because it misled people and caused some amount of damage & disruption. However, this does not absolve MS of responsibility for knowingly exposing their customers to an unnecessary and unjustified risk.

    Already too many analogies have been posted here, but let me contribute just one more:

    Suppose that everyone in the world owned robots built by Microsoft. Everyone believed that these robots followed the Three Laws of Robotics, as put forth by Dr. Asimov:


    1. A robot shall not harm a human, nor through inaction permit a human to come to harm.

    2. A robot shall follow the orders of a human, except when doing so would violate Rule 1.

    3. A robot shall protect its own existence, except when doing so would violate Rules 1 or 2.


    All other robots followed the Three Laws, the Laws being embedded into the kernels of the other robots' OSes. However, the MS-robots were not so trustworthy. It is not that they were designed to harm people, but rather that while each of them bore a sticker printed in large letters "THIS ROBOT IS USER FRIENDLY" (which people took to mean that it followed the Laws) none of the MS-robots actually had the Laws programmed into them. When they did follow the Laws, it was because it was the easy thing to do.

    Sometimes the MS-robots would run around and collide with people accidentally, hurting the people rather badly. Owners of MS-robots got used to these crashes, and accepted them as a normal part of owning a robot, even though other manufacturers' robots did not crash.

    One day, a fiendish roboticist named Relkid Omadan wrote a computer virus for these MS-robots. When infected by this virus, a robot would run up to its owner, beeping happily. It would say to the owner, "Press my red button, then my blue button! Please!" As soon as the owner did this, the robot would strangle the user to death, then run off and infect twenty other robots with the virus.

    Several hundred people were killed by the infected robots, and several thousand streets were clogged up with robots running around looking for other robots to infect. The disruption was massive. M. Omadan was, of course, tracked down, tried, and condemned as a murderer and a clogger-up of streets.

    Some radicals claimed that MS, by not programming the Three Laws of Robotics into their robots, was complicit in the murders. People trust their robots, the radicals claimed, but MS-robots abuse that trust because they aren't secure.

    Were the radicals right? Or was MS just a company trying to make money by selling robots, bearing no responsibility for the fact that its robots' deceptive friendliness concealed the capability of becoming murderers?

  13. Be wary of the cyber evil!@#! by Juliet · · Score: 2

    Paranoia.. it's all about paranoia.. and things like this.. that are very public.. make the people feel safe and secure.. where it's really just a charade.. kinda like airport security.. like if i really wanted to hijack a plane.. i'd use a plain ole gun.. of course not.. i'd use plastic explosives that would be undetectable.. DUH!@#!.. but people FEEL safer walking through big ass metal detectors..

    --
    Victoria Palmer - I brake for unix.boys, Windows just breaks. - http://www.escape.com/~juliet
  14. Sigh. Another dis on anonymity? by cpt+kangarooski · · Score: 4

    Once again I just can't see why it is that so many people insist on everyone on the net being named. Untraceable pseudonyms and pure anonymity get an incredibly bad rap here, even though it's nothing compared to the degree of identification that large corporations and various governments would prefer.

    Yes, the net does have two apparently conflicting abilities. It both fosters extremely close relationships, by bringing together people who would likely never meet, with similar interests, or even who just like to talk to each other. At the same time, Katz is right in that just like the soldier who sits in a bunker thousands of miles away from the action, people can also be disassociated from each other, with the abstract, faceless ASCII world of the net insulating everyone.

    Surely the exaggerated mode of speech, with concepts strongly worded to let the intonations of the voice and expressions of the face that are so essential to speech is a contributing factor here. If sarcasm (for instance) can't be distinguished in plain text from regular speech, an emoticon is not going to help that much. Written communication _can_ convey this information; after all people have written to each other for millennia. Yet, as more people now utilize it for conversational purposes with strangers, as opposed to the well thought-out letter of old to an acquaintance, the number of people who fail to get their point across accurately has grown dramatically. I don't know if the overall percentage of these failures has increased though. I'll leave that for other people to debate.

    Getting back to my point, yes the net has these abilities, because it fosters communication. It doesn't care to whom, from whom, or how clear.

    Yet why should a person's thoughts and words be dismissed instantly only because there's no way to find out who, irl, wrote them? One of the great advantages of the net is that it's not real life. I can be a dog. More importantly, I can be a dog with something to say, and you can be a dog who wants to hear it. A name is just a matter of convenience, so as not to have to address everyone as hey-you@over-there.net. If people wish their speech to be attributed all the way back to them, that's their choice, but it doesn't necessarily mean that their words are better. Lots of people post (maybe not here, but in general) from aol or webtv or some such, which are all quite traceable. And they, because they are comfortable with their ISP, or don't know how or why they might change it, tend to get derided. Again, this is all too frequently based on a glance at a name or address, glossing over their message entirely.

    Me, I don't want real-time video or sound. I feel that written communication, aside from being a more efficient use of bandwidth for me, lets me choose my words in a way that speech generally does not. Yet I bet anyone five dollars that the minute a/v become the standard media for communication on the net, no one will bother reading text messages. Again, because of surface attributes, rather than the content. I will grant that communication may be richer by using such technologies (see above) but it's the discrimination based on relatively unimportant issues that galls me.

    Yes, the most enthusiastic flamers and hackers (that word's meaning has multiple definitions; deal) will hide behind aliases and anonymity. So will whistle-blowers, people who fear retribution, people wishing to say things that would for one reason or another prove dangerous if posted with a name, to one's safety or reputation.

    And I don't even want to get into the specter of big brother corporations and governments monitoring everyone. How many people here dislike anonymous posts, but support anonymity from Microsoft? You can't have one without the other, I'm afraid. (except possibly in Australia and New Zealand)

    I am not, however, defending the author of this or any other malicious (by intent or deed) virii. Nor those who would slander or libel others. But while I don't intend to do the lantern thing, as long as there is one good reason for anonymity, it's something we really need to preserve.

    I apologize if I've rambled here. One major gripe I have with /. is the small comment blank. It bugs me to only be able to read a few lines without scrolling, so I usually don't.

    -cpt kangarooski

    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  15. Whose fault was it, really? by Bruce+Perens · · Score: 5
    Microsoft's system was like a forest that hadn't had a controlled burn in decades, just waiting for one person with a match to turn it into a disaster.

    Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.

    Bruce Perens

  16. Don't blame the users by Elwood · · Score: 3

    I really don't think you can blame the users for this one. It is easy for us to do, because we know computers, we understand them, and we expect everyone else to be the same. The thing is, most people could care less.

    See, as a small time sys admin, I try and try to drill into people's heads "Don't open attachments". But that doesn't work, curiosity and the cat. So I explain to them, never open .exes, .bats, or .coms. Anything else, after you receive it, send an e-mail back making sure the person really sent it to you (that alone can stop you from getting most e-mail viruses), and if you do open it, don't enable macros.

    Thing is, that is too much for most of my users. Why? Most of my users are middle age or older females that could care less about computers. They don't want to know a why or how on anything, they want to follow a 123 step recipe to do the little work they have to on the machines. And really, I can't blame them. Their main job has nothing to do with computers, but people. And they can do that better than I ever could. So can I really blame them for not knowing this stuff?

    The other section of people I work with is seniors that want to learn computers. These poor people are so trusting, and so eager to do right that if someone sends them something, they feel it is an insult to the sender if they don't open it. These are our grandparents trying as hard as they can to learn a way to stay in contact with their grandchildren, can I fault them for not knowing everything?

    I don't think we can blame the users. I think it is the software. When I chose an OS, I would expect that vendor to have a system that works correctly. But MS is leaving a system with huge holes right in the middle, and conspiracy mode on, but here is why I think it is.

    As a low level sys admin, I work in a place where no one knows what I do here. I go about my days, usually never talking to anyone else here, most people look at me strange when I walk down the halls. (I don't think it helps that I also keep strange hours, never turn on my main light, instead use a little table lamp so I can see the screen better and I keep my door shut and locked all the time.) Needless to say, I don't get noticed much, so I don't get patted on the back much at all.

    But because of the Melissa virus, I got my first "good job" from the Big boss in a long while, simply cause we did not get hit, some simple e-mail filters on the server was all that was needed to keep Melissa outside (an unfilterable virus would be a tough one, Melissa was easy as far as that goes). But because of all the attention Melissa got, people that did not know better thought I was superman for protecting them from her. I did nothing special, keeping e-mail filters is something every sys admin does, it is a dull part of the job. But for a three day period of time, my bosses had it in their head I was protecting the company from evil. I could have worn tights and a cape and got away with it. Even though I did something I do a million times before, this time they knew about it, and were told by the TV it was a big deal, so they accepted it.

    So you could say I benefited from Melissa. And I am not the only one. Magazines sold (When there is good news, you go out and experience it, when there is bad news, you hide inside where it is safe and watch it on TV), news shows got watched, anti-virus programs sold, IT people got kudos. Etc. People justified their paychecks because of Melissa.

    For no reason at all, everyday jobs got a lot of attention. Sure, it only lasted for what three days? But how many people are going to bring it up during their next review? How many extra units did anti-virus publishers sell? And how much more did mags charge for a back cover ad in the special Melissa issue?

    Those are the reasons Melissa was such a big deal. Melissa was just a natural progression of viruses, nothing exciting. The next one will even be that much more clever. But will it get noticed? No, these stories are only good about once every two years. That's why the gov and his lackeys had to go out and suck up the press while they can.

    This whole thing was a big non-event that made a bunch of people look good, and a poor virus writer is going to be publicly shunned for a while. He may have been stupid for writing a virus, but not 40 years stupid. Give the poor slob probation.

    Kind of reminded me of Wag the Dog.

    --
    Elwood
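
The attachment rules and server-side filtering described in the comment above, sketched as an added example (not code from the post or from any mail product): it parses a MIME message and applies a block/quarantine policy by attachment extension. The sample messages, addresses, extension lists and function names are constructed for illustration.

```python
import os.path
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy, modelled on the comment's rules: executables are never
# delivered; macro-capable Office documents are held so the recipient can
# confirm with the sender first. The lists are illustrative, not exhaustive.
BLOCK = {".exe", ".bat", ".com"}
QUARANTINE = {".doc", ".dot", ".xls"}
SEVERITY = {"deliver": 0, "quarantine": 1, "block": 2}


def classify(filename):
    """Return 'block', 'quarantine' or 'deliver' for one attachment name."""
    # Keep only the last path component, whichever separator was used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "run.bat." opens as
    # "run.bat"; normalise before reading the extension.
    base = base.strip().rstrip(". ").lower()
    # Only the final extension decides how the file is opened, so
    # "photo.jpg.exe" is treated as an executable.
    ext = os.path.splitext(base)[1]
    if ext in BLOCK:
        return "block"
    if ext in QUARANTINE:
        return "quarantine"
    return "deliver"


def screen(raw_message):
    """Classify every named MIME part; the message gets the worst verdict."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.append((name, classify(name)))
    verdict = max((v for _, v in findings), key=SEVERITY.get, default="deliver")
    return verdict, findings


def build_sample(attachment_names):
    """Build a constructed test message carrying placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    for name in attachment_names:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for names in (["notes.txt"], ["notes.txt", "minutes.doc"],
                  ["minutes.doc", "photo.jpg.exe"]):
        print(names, "->", screen(build_sample(names)))
```

A filter like this only reads attachment names; it holds documents for the confirm-with-sender step rather than detecting macros inside them.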
  17. How is that trojan a crime? by boinger · · Score: 2
    I was discussing this with my grandfather...IANAL, but, what that guy did is not a crime, SFAIK. Yes, it was irritating, yes it was malicious, but so is country music. This guy getting railroaded is just another step in the wrong direction for the internet as a community.

    Well, at least I was unaffected. What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.

    "The Constitution admittedly has a few defects and blemishes, but it still seems a hell of a lot better than the system we have now."

    --
    Send your friends messages of love at fuck-you.org
  18. lets do it again. by MentlFlos · · Score: 2

    I can see it now.. I write a word macro 'virus' just for fun to see what it can do. Say it mails itself off to, oh, 50 people. I pass this to a friend to have him look at it and like a dolt he opens it. Bam... it spreads all over.

    Stupidity will always be around, our job as sysadmins is to contain it in little clusters and beat those people to a pulp.

    Just wanted to rant a little.

    ---------------------------------------
    The art of flying is throwing yourself at the ground...
    ... and missing.

  19. Explaining techno-hostility by D-Fly · · Score: 4

    The basic explanation for why people behave so poorly in Internet interactions seems to be pretty simple: it's the impersonal nature of the medium.

    Despite the fact that users KNOW there are other real-live humans on the other end of the wires, it is hard to get past the illusion that you are interacting with a computer that couldn't care less how many ways you flame it.

    All you ever actually see is the keyboard and CRT, not JonKatz as he reads your ridiculously hostile, inarticulate rant. Actually, that's wrong; remember, it's Jon Katz, not some entity called JonKatz...

    [Think of the Turing problem]

    There is a very closely analogous situation in the "Road Rage" phenomenon. When you are driving down the highway and some idiot in a red Lexus cuts you off, you KNOW that it is actually some middle aged guy headed to his dead-end job in the city and he just wasn't paying attention when he pulled into your lane.

    But on a different level, you have been out on the highway for 45 minutes, and the music on the radio sucks, and you have started to sort of forget that the drivers in the other cars are people, and started to anthropomorphize their cars--think of them as living competitors for space on the road.

    That's why you start screaming, making obscene gestures, and maybe rear end the goddamned Lexus.

    In all our new, nontraditional relationships, we have to remember to maintain the kind of empathy we reserve for flesh-and-blood, everyday interactions.

  20. Affected -who-? by Evan+Vetere · · Score: 3

    I read in a major weekly news magazine that the Melissa virus had clogged up and shut down tens of thousands of mailservers, and saw a few techs quoted saying it had "brought mail transfer on the Net to a standstill." The second is not true; the first is highly implausible.

    This virus relies on a human vector; it doesn't propagate with the speed of electricity or a Pentium III - it only moves as fast as a man can check his email, download a text file, and open Microsoft Office (the latter, we know, takes forever).

    I was not, and I know of no one who was, affected by this virus.

    The internet technicians who are employed in Fortune 500 companies - the ones who get interviewed about these events more than the people who designed the Net's various subsystems in the first place - need to start gauging their replies very carefully. If they don't, they'll succeed in scaring a large number of people away from the Net and reducing the importance of their own jobs. I'm pretty convinced they're doing these interviews and exaggerating impact for their own ego enlargement, so they can hear the reporter on the other end of the telephone gasp in shock.

    I could be mistaken. I hope I am.

  21. re: lawsuits by Jesse+E+Tilly · · Score: 2

    Tom, I for one would encourage any company that lost measurable time due to this virus to sue Microsoft. It will serve one multiple-faceted purpose. The first and foremost in my mind is "Is Microsoft *really* liable for their products?". Proponents of Microsoft use this as an argument for commercial software. A backstop, a single point for all eventual complaints to return. The precedent will make software companies the real thing: a producer of content that is liable for its product. This is different than the current image of "tool producers" who, like Craftsman and Snap-On, cannot be held liable for someone using a hammer in a murder, but can be held liable for injury should the hammer break (when they claimed it would not). Either way, the definition of software companies will change forever and bring to light the problems RMS, ESR and Linus have been trying to point out all along. It will wake up software vendors to the problems of market flooding unproven proprietary products to unsuspecting consumers who think they are being served to their best purposes. Bill Gates likes to compare his innovations to the auto industry. If so, maybe he should talk with them about government restrictions such as ABS and air bags, something the industry refused to add for years. Today, they are considered the major selling points for cars, yet 20 years ago, their proposed regulation raised cries of "innovation hindrance" and "cost inflation" by car companies. Of course, the US auto industry was suffering from something a certain US software company is suffering from: perceived quality of its product when placed next to a better competing product. Most Americans know what took place over the next decade. First it was denial, "it's the Japanese underselling us", then it was FUD "buy American, it's the patriotic thing to do", then they wised up and started to produce quality cars.
    Had GM or Ford had the grip on transportation that Microsoft has on the software business, I think the end result would be different.

  22. Who's prepared to speak out? by The+Dodger · · Score: 3


    Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it? Apart from Emmanuel, who speaks out in defence of hackers who are arrested, imprisoned or charged on flimsy/circumstantial evidence made viable by hype and hysteria? Who has stood up and demanded to know why Kevin Mitnick has been imprisoned for four years without trial?

    The media aren't interested - they lap up what they're told by so-called "experts", whether they're law-enforcement officials or Microsoft hacks. When it comes down to it, the news media's main objective isn't to report the news anymore, but to gain the largest audience share. Hype and hysteria sell to the uninformed masses, who then become the misinformed masses.

    It's merely another facet of the increasingly commercialistic society we live in. I remember when the Internet was about knowledge and learning. Now it's about Porn and making money. Sooner or later, a group of people are going to get pissed off and embark on a campaign of info-terrorism which will make the whole "Free Kevin Mitnick" thing look like a fucking walk in the park.

    Ideological terrorist groups used to have to align themselves with countries like Iran and Libya in order to gain the resources to make an impact. And then they had to face public hostility in the face of innocent deaths, and the prospect of a bloody demise on the wrong end of an MP5 held by an SAS or GSG-9 trooper.

    Now, all we need is a computer and a modem. No one's going to get hurt and, believe me, conventional law-enforcement organisations will be powerless to stop a dedicated info-terrorist (not these lame script kiddies). l0pht weren't bullshitting when they said that it's possible to crash the Internet. The only reason it hasn't been done so far is because the people with the skills and knowledge aren't lame enough to do it. Sooner or later, someone's going to decide that the 'Net's just not fucking worth it and it'll be a fucking disaster - we'll see billions wiped off the US stock markets as .coms go under and I wouldn't be willing to bet against another Black Monday. Or how about someone gets control of something like DNS or whatever and holds the US Govt. to ransom, demanding the release of Jack Hacker?

    Y'know something? I hope I'm totally wrong. I really hope that none of this comes to pass and that it can be dismissed as Dodger in one of his infocalyptic moods.

    But just imagine if Melissa's creator had more malicious and destructive intentions. Just imagine if that Alternic guy who redirected visitors to internic.net hadn't been so harmless. And how many Americans expected the World Trade Centre or Oklahoma bombings?


    The Dodger

  23. This is hopeless. by FireReaper · · Score: 2

    This is truly and utterly hopeless. Someone goes out and writes a piece of software which takes advantage of a bug in a system put in place by MS. MS has been warned of this. Users have been warned of this. But nothing, if anything, has been done.

    People. *points to the cities* The people out there don't give a fuck. People are killed everyday and the news counts it off as a daily occurrence. Accidents kill people. Drunk drivers kill people. Tobacco kills people. And yet nothing substantial is done. Why?

    Why is the government so willing to step on peoples' rights to "bring the evil-doer to justice" when it comes to computer crimes but is so god-damned apathetic when it comes to drugs, rapes, murders, and theft?

    It is ridiculous.

    I don't think it's _just_ MS's fault or _just_ the end-users' fault, or _just_ the programmer of the virus's fault. It is everyone's fault. For being apathetic to problems. For running companies and BLINDLY trusting a company even when they know better. For writing programs with known bugs and not taking the time to go back and fix it. For accepting these problems as "normal".

    THESE PROBLEMS ARE NOT FUCKING NORMAL!

    My god.. if a car you bought broke down every day, you'd be pissed as hell, but you accept the fucking fact that when your computer crashes, that it's just life. That is plain stupid. ANYONE who goes through life just accepting that has something wrong with them. Either it was forced upon them or it was something they came to accept, but they should seriously consider looking over their lives again. Because there IS something wrong when our society has such a screwed up system where punishment and action no longer coincide with the actual threat.

    Someone else posted that there is a real underlying threat. That this one macro virus which _can_ be discovered, was. But what about those which can't be discovered?

    We have a REAL problem. And all the authorities can think of doing is either covering it up, getting rid of the people who are trying to do it, or profiting off of it. Whatever happened to fixing the problem?

    Solve the fundamental problem. A simple directive. But no one seems to want to do it. Complaining about costs and corporate image and all that crap. Here's some news: Someone being able to get into the corporate computers is pretty freaking bad for the corporate image.

    People are worrying about another world war with the current bombing situation. I think people should be more worried about an internal war in America with information.

    Just my two cents.


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.

  24. Who's prepared to speak out? by IntlHarvester · · Score: 2

    Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it?

    Actually, traffic on various NT mailing lists has been heavily hostile towards MS design flaws in Office. ZDNet has a lengthy attack on Microsoft's approach (not fixed in Office2000) in today's PCWeek.com. Whereas earlier macro outbreaks had been pretty much confined to the desktop techs, this Melissa thing has been big enough that it's landed right on the CIO's desk. I'm sure that Microsoft has had many friendly discussions with some of their large customers about this issue.


    --
    Business. Numbers. Money. People. Computer World.
  25. Flames and viruses both serve some good purposes by IntlHarvester · · Score: 2

    If you're a student or an independent contractor, sure you could switch to an alternative platform (Linux, MacOS, and OS/2 are not technically safer, but are unlikely targets just for market share reasons.)

    But the point of an office automation platform is that everyone in your organization has the same client platform to work off of. There's a de facto need for standardization in a business environment, and it has to do with more than file formats.

    Note that I said "automation platform" and not "three useful programs" - lots of people do use the scripting features in MS Office. (Although I don't, and I wish I could turn it off.) The Melissa virus is nothing more than a mail merge using your address book. One could imagine that type of thing could be highly useful for people.

    This sort of automation is not automatically exploited. Microsoft chose the stupidest route for protection - a simple Y/N question. They could have also prompted you 100 times "OK to access address book?" "OK to send mail?" "OK to modify Word Defaults?", but that would get old real quick if you were running a legitimate application.

    The other solution is a code signing infrastructure, where macros could be assigned differing rights depending who signed the code. Imagine grafting this onto the 100 million user base of MS Office - it would be damn near impossible.

    Hopefully KOffice and the other new clean design Office products can handle this problem intelligently. However right now proposing a Linux/whateverOffice solution is essentially asking users to accept a lower level of functionality to keep them safe from the scary evil viruses. If KOffice and others make the mistake that Microsoft did, just wait a few years when Linux has a more significant desktop penetration, and we'll start seeing Linux macro viruses.
    --
    Business. Numbers. Money. People. Computer World.
  26. eh? by IntlHarvester · · Score: 2

    What, everybody will forget regular user accounts and log in as root, then forget all about security?

    I think you misunderstand what the Melissa "virus" is. It runs entirely in a normal user's security context (on an NT machine) and does not 'exploit' any 'holes'. It simply accesses *your* address book (which you could do manually) and sends mail (which you also could do manually) and disables the virus warning in Word (which you could also do). It does not interfere with other users on the same machine or act in a root context.

    So login security has nothing to do with it - which is entirely my point. The fact that a macro can do these things is a designed-in feature of MS Office, and it's probably in Lotus and WordPerfect too. If a different Linux/Windows/Mac/OS2 office suite (er, automation platform) is immune, it is because it's either feature deficient, allows the user to disable certain functionality, or it has some sort of code-signing infrastructure. (I can't think of any different solutions.) Some posters seem to be leaning towards the feature-deficient solution.
    --
    Business. Numbers. Money. People. Computer World.
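
The code-signing idea raised in the two comments above (rights that depend on who signed the macro, set against a single Y/N prompt), as an added sketch that is not from the thread or from any office suite. The signer registry, keys, capability names and macro descriptions are all constructed, and an HMAC stands in for a real public-key signature so the example runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Capabilities named after the three things the comments say the macro does.
READ_ADDRESS_BOOK = "read_address_book"
SEND_MAIL = "send_mail"
MODIFY_WORD_DEFAULTS = "modify_word_defaults"
ALL = frozenset({READ_ADDRESS_BOOK, SEND_MAIL, MODIFY_WORD_DEFAULTS})

# Hypothetical registry: signer id -> (verification key, rights granted).
SIGNERS = {
    "corp-it": (b"constructed-demo-key-1", {READ_ADDRESS_BOOK, SEND_MAIL}),
    "vendor-templates": (b"constructed-demo-key-2", set()),
}


@dataclass(frozen=True)
class Macro:
    source: str                      # macro text (placeholder descriptions here)
    requested: frozenset             # actions the macro attempts when run
    signer: Optional[str] = None
    signature: Optional[str] = None


def sign(source, signer):
    """Stand-in for a code-signing step: HMAC-SHA256 over the macro source."""
    key, _rights = SIGNERS[signer]
    return hmac.new(key, source.encode(), hashlib.sha256).hexdigest()


def granted_rights(macro):
    """Rights come from the verified signer; unsigned or altered code gets none."""
    if macro.signer not in SIGNERS or macro.signature is None:
        return frozenset()
    expected = sign(macro.source, macro.signer)
    if not hmac.compare_digest(expected, macro.signature):
        return frozenset()
    return frozenset(SIGNERS[macro.signer][1])


def authorize(macro):
    """Per-capability decision: returns (allowed, denied) sets."""
    allowed = macro.requested & granted_rights(macro)
    return allowed, macro.requested - allowed


def yes_no_prompt(macro, user_clicks_yes):
    """The single-question design: one click grants everything requested."""
    return macro.requested if user_clicks_yes else frozenset()


# Constructed samples.
_SRC = "mail merge: address each customer in the address book by name"
MERGE = Macro(_SRC, frozenset({READ_ADDRESS_BOOK, SEND_MAIL}),
              "corp-it", sign(_SRC, "corp-it"))
UNSIGNED = Macro("macro embedded in a document received by e-mail", ALL)
TAMPERED = Macro(_SRC + " (edited after signing)", MERGE.requested,
                 "corp-it", MERGE.signature)
OVERREACH = Macro(_SRC, ALL, "corp-it", sign(_SRC, "corp-it"))

if __name__ == "__main__":
    for name, m in [("merge", MERGE), ("unsigned", UNSIGNED),
                    ("tampered", TAMPERED), ("overreach", OVERREACH)]:
        allowed, denied = authorize(m)
        print(name, "allowed:", sorted(allowed), "denied:", sorted(denied))
    print("Y/N prompt, user clicks yes:", sorted(yes_no_prompt(UNSIGNED, True)))
```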
  27. Dave Smith - CyberMartyr by jabber · · Score: 2

    Yes, writing a virus and releasing it into the wild, is a bad, bad thing. Bad boy Davy, go stand in the corner and don't ever do it again...

    But does he really deserve this level of persecution? I don't think so. The man has been set upon by rabid dogs, half of them ignorant of the technology involved, and the rest trained by the Federal government to be heavy-handed and vicious. Security and conformity enforcement through intimidation works. Da Comrade!

    The effect of what he did, intentions aside, is not far removed from the Morris Worm. Yes, Morris was prosecuted and punished, but even the government admits that it was a curiosity that ran away from a controlled environment. It's not like this guy (Smith) is Jeffrey freakin Dahmer. He's a geek, who for one reason or another, wrote an annoying bug. Sure, it touched many computers, but what DAMAGE did it really do?? It got a lot of IT people money for systems improvements, it gave many anti-virus softwares welcome exposure. It was a boon, and it got attention. Who got hurt?

    Dave Smith. He will be prosecuted to the fullest extent of the law, by an ignorant, ham-handed mechanism that's been eager to sink its teeth into a non-celebrity, just to show that you can't fight city hall, even with a computer.

    "Oooohh!!! Scary computer people will launch nuclear missiles with a virus!" IMHO that bespeaks badly of the federal and military security, not the crackers who are being compared to the John Gacys of the Internet.

    As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."

    Feh!

    -- What you do today will cost you a day of your life.
  28. Actually, some are asking if MS is at fault. by sammy+baby · · Score: 2

    MSNBC (go figure!) wrote an article asking whether or not MS is partially to blame for these problems. Obviously (given their parentage), they don't come down too hard on Microsoft, but they don't let them/themselves off the hook that quickly, either. Check it out.

  29. crime and deserving by sammy+baby · · Score: 2
    At the risk of writing a "me too" post... me too, brother. Taken to its logical extreme, that line of reasoning implies that if your web server is attacked, you deserved it for not firewalling it properly; if you get hit and killed by a drunk driver, you deserve it for being on the road on St. Patrick's day (or New Year's Eve, ad nauseam); if you're mugged, you deserved it for not being able to defend yourself.

    And you know what? A lot of this computer stuff is pretty complicated. You and I understand what we do because we are either smart, or worked at it really hard, or were indoctrinated in a techie culture, or some combination of the three. Saying nasty things about "kl00l3zz n3Wb33z" just makes it harder for people trying to get by, and that sucks.

  30. Facts and clues free of charge by kaisyain · · Score: 3

    For someone who claims to be interested in the facts your apparent ignorance of the McDonald's case is interesting.

    The coffee, maintained at a scalding 180F-190F because the customers supposedly "like it hot", caused severe third-degree burns. She spent seven days in the hospital and was treated with skin grafts.

    Initially she only wanted payment for her medical bills but McDonald's refused to even negotiate with her. Consequently she contacted an attorney who had settled another coffee burn case with McDonald's. In the course of the trial company documents revealed that "in the past decade McDonald's had received at least 700 reports of coffee burns ranging from mild to third-degree, and had settled claims arising from scalding injuries for more than $500,000."

    Despite knowledge of the hazard, company officials refused to warn its customers. "There are more serious dangers in restaurants." And given the 1 billion cups of coffee sold annually, McDonald's considered the number of burn complaints to be "statistically insignificant".

    After hearing such testimony a jury found McDonald's liable and awarded $200,000 in compensatory damages. The jurors deducted $40,000 for contributory negligence. Also, given McDonald's conduct, the jury awarded $2.7 million in punitive damages, which was equal to 2 days of coffee sales.

    Later the judge reduced the punitive award to $480,000. While awaiting appeal the two parties settled out of court for an undisclosed sum.

    The #1 sickening thing about the whole McDonald's coffee hype is how it distracts from the facts. I suppose you just glibly believed whatever it was the mass media told you about that McDonald's case didn't you? Why do you expect anyone else to behave differently when it comes to the hacker culture (or whatever you want to call it today)?

  31. This is out of hand by Master+Switch · · Score: 2

    Some dork writes a prank virus, and he gets threatened with up to 40 years in jail. He would have been better off to go shoot someone. At least then he would only be looking at around 7 to 10 years. Now I don't mean to trivialize murder. The point I am making is that this guy basically pulled a prank. He didn't do any tangible damage. Things are getting way out of hand. The GOVT has too much power. Why take away this man's future for a stupid prank. Why is this a crime at all? This is more humor than anything. Microsoft shouldn't have left so many stupid doors open in their software.
    Anyhow, that is my take on things

    --
    -Master Switch, one more element in the machine
  32. 'Melissa' Virus not the point of Jon's article. by CodeShark · · Score: 5
    Folks, consider the source here... Jon Katz is not writing about Microsoft (which I acknowledge has not done a very good job securing VBA -- why should a VBA macro be able to access my e-mail address book without permissions, etc.?), he's writing about the societal response to bad news and the Internet.

    Then he makes (IMHO) a valuable connection of the similarity in psychological distancing involved in the use of high tech killing weapons. The 'Internet Creeps' (the so-called dark side of the Internet: porno junkies, perverts, crackers, flamers, etc.) have the advantage of anonymity from their intended victims that allows them to launch whatever type of attack they wish, without responsibility for the results of their actions.

    Freedom without responsibility invariably leads to anarchy. Let me offer several examples.

    • I am (not being an ex-convict, or otherwise restricted) 100% free to buy a gun. I am not 100% free in how I use it.
      Use it wrong, and I am subject to arrest for breaking the law.
    • I am free to buy the ingredients which mixed together, could make an explosive or illegal drug.
      But if I make the explosive or drug, again, I am breaking the law, and deserve the consequence of my actions.
    Similarly, I am free to write an unbelievably malicious computer virus. I am not free to distribute it without consequence. But even these thoughts are not 100% what the article is (IMHO) trying to focus our attention on.

    Either we work together to make the 'Net a more livable, enjoyable, and safe place to co-exist, or we do in fact deserve the heavy-handed law enforcement and media responses which would undoubtedly otherwise follow.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  33. How is that trojan a crime? by shri · · Score: 3
    I am not sure of the legal framework that goes into "making a virus" and propagating it, a federal crime. However, here are my observations on how this thing went about spreading itself in the company I work for.

    a) My company is a respected and technical organisation with about 2000 people in it. We tend to work mainly with Fortune 500 type outfits.

    b) Unfortunately, we are a Microsoft-centric company. This is true in development and also very true in our company's sales organisation. Everyone without exception has to rely on Word and Exchange for their correspondence, document creation. i.e. MS software is core to our business.

    c) We were hit quite badly, but luckily enough, the media had created enough of a frenzy on TV and in the local newspapers that we escaped the consequences.

    Now onto a brief analysis of what I see as a growing problem, which a lot of Linux folks are oblivious to, or tend to have an elitist attitude towards.

    It is easy for a corporation to select MS products. In the good old days no one got fired for selecting IBM, these days no one gets fired for selecting MS products. This in my opinion has happened because of the "dummification" of the industry overall.

    Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organisation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially created a "gun, which replicated itself every time someone fired a shot". Imagine a weapon like that let loose on our streets.

  34. Facts and clues free of charge by dillon_rinker · · Score: 3

    Your post tends to support the idea that MS is liable for damages caused by their software. McDonald's makes their coffee too hot. A woman accidentally pours it on her genitals. A jury finds McDonald's liability to be $160K and the woman's $40K. MS sells an office suite that defaults to totally insecure. On their web site, there is doubtless information about how to secure it, so a customer is at least partially liable for damage caused by macro viruses, but I believe that Microsoft could also be found liable for some damages. Of course, the EULA states something to the effect that by using their software, you agree that any harm is your fault. Too bad McDonald's didn't put a EULA on their coffee.

  35. Not only that... by coreybrenner · · Score: 2

    ... but it's not actually 5000 kids killed by guns. It's 5000 kids killed by morons wielding guns. Be those morons kids themselves, or no, those are the facts.

    Guns don't kill people. People kill people.

    Too much sensationalism. The only way to combat this type of thing is via EDUCATION, EDUCATION, EDUCATION. One of these days, hopefully, people will figure out that media is not there to disseminate news. Media exists to further the cause of media, just like bureaucracy exists to further its own existence. Sensationalism, hype, and demagoguery are the tools of media and politicians, and none of it is good for us. We all lose our rights and freedoms when the ignorant are cowed by these tyrannical forces.

    Makes me want to live in a tar-paper shack in Montana and build bombs. Also makes me glad I don't own a bloody television.

    --Corey

    --
    Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!

  36. Naming of Melissa virus by gothwalk · · Score: 2

    Katz writes:
    He allegedly named his virus after a topless dancer in Florida.

    As I understand it, the virus was named for part of the registry modifications it makes. I could be wrong, but the CERT advisory FAQ says: "It was named Melissa by the antivirus software vendors."

  37. 40 years? by Merk · · Score: 5

    Apparently if found guilty on all counts this guy could face up to 40 years in prison.

    I, for one, find this ludicrous. Nobody was killed, nobody was hurt, and as far as I know no data was even lost.

    I think, on general principles, anybody who writes a macro virus should face half the legal penalty of someone who writes a true machine-language virus. After all, in order for his/her virus to do anything the person whose computer is involved has to effectively let them, by allowing the macros to run.

    Maybe the way to divide up the blame is to say any malicious things the macro virus does to the host computer can be laid squarely on the shoulders of the virus writer. Any denial of service resulting from the virus spreading is shared between the company that has a macro-virus enabled platform, and the users who don't check for virii.

    In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.

    But unfortunately my views aren't the views of law enforcement.

    So. How is a very successfully propagating but non-destructive macro virus different from some other action resulting in denial of service? For example: the people responsible for the net clog following the Pamela Anderson / Tommy Lee videos? Lucasfilm for the popularity of the Star Wars trailers? Even the /. effect! We take down servers just as harshly as Melissa did when there's something cool to see there.

    Look out Cmdr Taco -- 40 years as some guy's bitch isn't worth the coolness of maintaining /.

  38. The GUID Myth by DonkPunch · · Score: 2

    The initial wave of media reports suggested the authorities were using the GUID to help track the virus author. After Mr. Smith was arrested, very little was mentioned about the GUID in any stories.

    The GUID in question pointed to a virus writer who goes by the handle "VicodinES". Authorities believe that Mr. Smith built Melissa by combining parts of other virii. One of the original virus elements of Melissa was allegedly created by VicodinES -- hence the attached GUID.

    The authorities do not believe that David Smith is VicodinES. In their opinion, the GUID is not reliable as evidence (this point was made on slashdot by many posters long before Smith's arrest).

    /* BTW -- I can't help but wonder if the GUID would be "reliable" if it HAD pointed to David Smith. I also wonder if it becomes useful to Smith's defense now. */

    --

    Save the whales. Feed the hungry. Free the mallocs.

  39. 5,000 kids killed by guns by DonkPunch · · Score: 3

    Actually, statistics like that get a LOT of media coverage. I suggest the author take some of her/his standards for factual reporting and apply it to other statistics. Where did you get the number "5,000"? What is the cut-off age for a child (25, 21, 18, 12)?

    Anyone's death by firearms is unacceptable. When I studied criminal justice, however, I saw studies that defined a "child" as anyone under 25. This includes legal adults who were killed as part of gang activity.

    If the author is going to insist on media fairness and accuracy, I would suggest also exercising it. Sensational statistics like "5,000 kids killed by guns" serve the same purpose as "100,000 computers infected by Melissa".

    Sorry to go off-topic (and sound like an NRA stooge), but that statement stuck out like a sore thumb to me.

    --

    Save the whales. Feed the hungry. Free the mallocs.

  40. Knowledge = Power by AKAJack · · Score: 2

    I used to think that "knowledge = power" was just a cute quote someone picked up and put in their signature file.

    More times than not, nowadays, it really rings true.

    Some say the death of the Internet was when AOL got newsgroup access and every post from there was repeated in duplicate (at least) for the first week. The homogenization of "our" Internet still causes quite a bit of pain among the intelligentsia.

    I'm sorry John, I couldn't bear to stay with you for this whole article, but I think you got your point across about half-way into it.

    My company doesn't understand the Internet, what a virus is, or a macro for that matter. Our IT management did their fieldwork when ATs and VT100 terminals were the rage. They wax eloquent about punch cards and green monitors. They stopped learning a long time ago.

    They are scared, because they don't know.

    Knowledge = power

    In my case knowledge also lets me form a basis for an opinion on a subject. An opinion that usually doesn't involve "hammer them to death" tactics and thusly is not the preferred response to things like the Melissa macro.

    Scared companies and governments do dangerous over-the-top things. That's what's happening here.

    When an IT manager can't guarantee to the upper management that this won't happen again, maybe tomorrow, the fear sets in.

    Punishment, swift and aggressive is called for. Someone must be found to blame. Set an example. Show the world that you are not powerless. Try and convict the "author" or his roommate. Vilify his parents in the press. Trash his lifestyle. Whatever is necessary to apportion the blame. Because it can't be MY fault. I was only following orders. From Microsoft, my anti-virus company, the manufacturer of my computer, etc.

    That's the way it works around here: Plausible deniability.

    Really sick stuff. Shift the blame to someone who cannot possibly defend himself.

    That's the American way.

    Jack

  41. This stuff by Madhatter · · Score: 5

    If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun (if it was him responsible for spreading it) and people very stupidly opened up stuff they had no idea was about. Is he to blame for everyone being so lax about their own security in the computer world?
    On top of that, I've seen entire mail networks brought down by one lone dumbass who hits reply all to a system e-mail that causes a crazy loop drawing in other dumbasses telling her to shut up and before long servers are crashing all over the network (MS-Mail 3.2 BTW).
    Freedom of information. He has every right to write a macro virus if he wants to. Who can prove that he did or didn't spread his Melissa ho all over the internet? I look forward to seeing how this plays out in front of a jury. The poor sots are going to be confused to hell by the end, and probably turn into disgruntled cyber-terrorists.

    --
    Madhatter --It's no wonderland out there.

  42. executable attachments by dagarath · · Score: 3

    Melissa just takes advantage of people that rely on binary executable attachments to email. MS users are of course much more vulnerable to this. How many times have you saved an attachment, set it chmod 700, and executed it?

    Contrast that with an attachment in Outlook, Outlook Express, Eudora, etc. Attachment - double click - .. oops!

    Just as Windows users should learn not to execute email attachments that are *.exe, they shouldn't execute *.doc files.

    The automatic response I expect is : "but, that's how our users work". That's not acceptable. Ignorance shall not become a defense. If a user becomes infected with Melissa, it's their own fault. They were too trusting. (perhaps sad, but true)

    Any company or government agency that was hit by Melissa needs to do some serious re-education of their users and implement some policy about email attachments. For example: 1. No *.exe attachments to email (maybe even filter them out) 2. No *.doc (or other macro containing formats) 3. All attached files should be in *.rtf or *.txt format.

    Safe Computing like Safe Sex depends on EDUCATION.
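The attachment policy proposed in the comment above (no *.exe, no *.doc, only *.rtf or *.txt), sketched as a mail-gateway check; this is an added example, not part of the original thread. It goes one step beyond the comment by also inspecting the leading bytes of each attachment, because an extension-only rule passes a Word document that has simply been renamed to .rtf. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Policy from the comment: only *.rtf and *.txt attachments get through.
ALLOWED_EXT = {".rtf", ".txt"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Word/Excel container
MZ_MAGIC = b"MZ"  # DOS/Windows executable header

def sniff(data):
    """Classify content by its leading bytes, ignoring the claimed name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(MZ_MAGIC):
        return "exe"
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    return "other"

def check_message(raw):
    """Return [(filename, verdict)] for every named part of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():  # walk() also reaches nested multiparts
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        ext = PurePosixPath(name.lower().rstrip(". ")).suffix
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext not in ALLOWED_EXT:
            verdict = "reject: extension " + (ext or "(none)")
        elif kind in ("ole2", "exe"):
            verdict = f"reject: {kind} content named {ext}"
        elif ext == ".rtf" and kind != "rtf":
            verdict = "reject: not RTF content"
        else:
            verdict = "accept"
        results.append((name, verdict))
    return results

def build_sample():
    """Constructed message; attachment payloads are inert stub bytes."""
    m = EmailMessage()
    m.set_content("body")
    stub = OLE2_MAGIC + b"\0" * 8
    for fname, data in [("notes.txt", b"hello"), ("report.rtf", b"{\\rtf1 hi}"),
                        ("List.DOC", stub), ("renamed.rtf", stub),
                        ("setup.txt.exe", b"MZ\x90\x00")]:
        m.add_attachment(data, "application", "octet-stream", filename=fname)
    return m.as_bytes()
```

Calling `check_message(build_sample())` accepts the two genuine text and RTF parts and rejects the other three, including `renamed.rtf`, which an extension-only filter would have let through.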