Slashdot Mirror
Melissa Virus Suspect Confesses
rcade writes "Melissa virus suspect David L. Smith 'admitted to investigators that he created it and then destroyed the personal computers he used to post it on the Internet,' according to court papers turned up by the Asbury Park [NJ] Press."
If Microsoft shipped Windows 2000 in a form that wouldn't boot, or wiped the hard disk every third day, not a single user would have any rights to complain.
In fact, if Windows 2000 e-mailed confidential company information to every competitor with an e-mail box, those users could still not raise a fuss. They have no rights. And even fewer, with the new software legislation that's going through.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Big Businesses seem to love sueing people when they have problems they can't explain.
... And of those, the people who were not trained about their business machines were already a liability to their business (re: the stupids earlier on Slashdot).
"But these Microsoft marketting people told me NT was good, so I told my IS and IT managers to use it.. Now this! We mu sue!!!"
Disgusting!
1) I never noticed any slowing of the internet as a whole (whereas the sendmail worm of the 80s affected actual network speeds all over the Darpa-net).
2) Postfix MTA didn't receive one mail with a doc attachment. It if had, it would have at least done something sensible like message me whens everal thousand outgoing emails started happening.
3) Clueless IS people who don't notice the network bandwidth is being eaten by hundreds of thousands of SMTP trasnfers should be fired.
4) Netscape Communicator mail, PINE, and Eudora all have no problems with this (I use them, millions of others do).
The problem only affected a fraction of the "true" internet population, because not many people use Outlook 9[78]
I hope Businesses grow up about responsibility, perhaps by demanind service contract, or perhaps by listening to their technical staff.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Other involved parties:
--
Interested in XFMail? New XFMail home page
I wonder if they took his extension cord as "evidence" also... The floppies and writable CD's I can understand their taking in order to determine whether they contain evidence, but *cables*??
;)
Apparently anything even vaguely "computer" is fair game when searching the lair of a "hacker". I wonder if they take the car-vac along with the car when they bust a getaway car driver.
Geeky modern art T-shirts
""Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally accessing American Online for the purpose of posting the
virus onto cyberspace, and destroying the personal computers he used to post 'Melissa,' " Bubb wrote"
"Posting onto Cyberspace" is as valid in this case as "making the men not quite well feeling" would be in a murder case, except less so since "cyberspace" is not a valid term for email..
Also:
" on April 1 that central processing units from two computer systems had been removed. Police seized the remaining components of the systems, including power cables, monitors, monitor cables, floppy disks and writable CD-ROMs."
I'm reminded of the people who hit enter, intstead of letting wordwrap handle their comments on Slashdot.. The central processing units led me to bevlieve they had found two complete cases, with motherboards, expansion cards, power supplies, etc, except with the CPU socket empty.. Oh, no. The "monitor, monitor cables" (yes, monitor cables are somehow important evidence, they could've just siezed the HD) "floppy disks and burnt CD-ROMs."
Where are the HDs? Where are the expansion cards, etc? I think these st00pids meant the computer was removed from the peripherals. Sad. Pathetic. I hope this kid gets off scott free.
Certainly, their evidence gathering "methods" must have at least destroyed the evidence itself. I'd personally convince one of them (people who watch the evidence) to have a bulk demagnetiser around the "CPU" all the time to stop the viruses jumping to their systems.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
I'm still unclear on whether this guy actually sent out this virus to anybody's computer, or whether he just posted it to Usenet and waited for people to download it. If the latter happened, it seems it would be arguable that he didn't do any damage at all. I'd like to see someone post a similarly virulent macrovirus to Usenet, with clear warnings that "This is a worm", with the actual code commented out so the Usenet post doesn't hurt anyone accidentally, but with effects that are tempting enough to script kiddies that a million people are infected the next week. If you write malicious code, but someone else uses it, whose fault is it?
My understanding of the situation is that the guy was identified by the Word ID on the most common melissa-infected document that circulating the internet, and that there are records of him posting the infected document to usenet.
What a lot of people have overlooked is that this does not necessarily mean he created the virus.
This is a Word macro virus and like other Word macro viruses it infects the system such that all new documents created are infected with the virus. The new infected documents don't automatically get mailed out, unless you send the document to people who are not already infected, in which case they will automatically mail out YOUR document, not the document that originally infected you.
Such is the nature of viruses: they get spread by people other than the person who created it.
It is conceivable that a person could unknowingly contract the virus from someone else and then simply be the first infected person to post to such a widely accessable location as alt.sex.whatever, thus causing their infected document to spread exponentially faster than any other infected document. If you create a new document it would have your ID. If you are infected it would have the virus. This is not the same thing as creating the virus.
I'm not saying the guy didn't create the virus (they say he confessed) I'm just saying that finding the person who created the most widely spread infected file and assuming that they created the virus is a dangerous precedent. If the Word ID and upload records is sufficient to convict a person of creating a virus, then anyone who's ever been infected and unintentionally spread a virus can be charged for creating it, if their infected file gets enough distribution.
So he created a macro that tells another piece of software to do something bad.
Well if I tell anyone to go kill someone, and they do so, I wouldn't be the only one to face court actions would I ?
Dumb is, as dumb _does_.
I tell people on a regular basis, that I don't understand why so many people (including them) put up with systems that willingly will destroy everyting they work on. And get this, I either get blank stares, or some muttering about nobody wanting to switch to Linux....
Hell, if MS Word or any other product with just as little notion of security was ported to Linux, that would be just as bad. But why the fsck does people fail to see that security is just as needed in applications as it is in operating systems and front doors ?
I don't run netscape as root either. And my seti@home clients run with their own UID.
It all boils down to, if the source ain't open, you don't know what you got.
But I'll be the first to sell you the Eiffel tower if you tell me people will realize this.
This event has shown that writing viruses is no longer reserved for highly skilled crackers with a great deal of time. Hinting at another post, I would compare the skill required to write (or modify) a macro virus with that of a good car stereo thief. The difference is that even the best car stereo thief has to steal one at a time. Why waste your time when you can bring down all the computers in corporate America? During the panic you might be able to target a vault or something...
This could become an extremely serious problem. Microsoft will not lose profits, however, until the public can understand the issue. But that will never happen. Like Y2K, it just doesn't make sense to most people.
- "Will my PC stop working in the year 2000?"
- "No."
- "Then what's this Y2K thing?"
- "Some programs store only 2 digits of the year to save space. Those programs may interpret the year 2000 as the year 0. Since 0 will come after 99, some date-related calculations will be incorrect. Their may be hiccups in deliveries, payments, interest rates, bank accounts, and public utilities."
- "But 0 doesn't come after 99. How come the programs can't just figure that out?"
- "Computers can only perform calculations, and in general cannot adapt to special situations unless they have been programmed to do so. That's why there are so many people reprogramming the computers."
- "It's Microsoft's fault, isn't it? Windows always crashes for me."
- "No, Microsoft doesn't have much at all to do with it. Microsoft has dominated personal computers but not the older servers and mainframes, where the problem is."
- "So who would make a computer that crashes just because the date changes?"
- "Well, in general it's not the computer that's incorrect, it's the software. A lot of programmers didn't believe their programs would still be in use when we switched to the 21st century."
- "Microsoft released a Y2K patch for Windows. If I don't get it, will my computer stop working?"
- "No. Certain older components of Windows will display the year as 00 rather than 99. On the other hand, you do need to make sure you have the latest software updates if you run financial or other date-sensitive software."
- "So does that mean my PC will stop working in the year 2000?"
Arghhh...
My point was simply that I think it's about time we ALSO started looking how software makers are being negligent. They do not respond to vulnerabilities in a timely fashion and there doesn't seem to be very much will to release a quality product. Software seems to be the only industry where this is not only tolerated but expected.
--- Tao
- Low end: $20/hour * 2 sysadmins * 8 hours * 3 days = $960
The $100/hour includes benefits, employer's taxes, and other things which don't show in a wage. This assumes only 2 sysadmins (plural was used by original poster) and does not include other losses, such as recovery of damaged documents and employee time lost while machines being cleaned.More realistic minimum: $100/hour * 2 sysadmins * 8 hours * 3 days = $4800
Okay, so it did "cost" something to clean up Melissa. But in this case we have someone to blame. What about when the Exchange Server "just" fails and it takes 2 weeks to get it running again. Is that a felony? Car manufacturers are held liable when a defect, for instance, causing the gas tank to blow up. Not that I'm saying that car manufacturers *shouldn't* be held liable, but why not software manufacturers when their products fail for "reasonable" causes?
I don't think Smith intended to shut down the whole world with his virus. In fact I don't think he intended to cause any damage at all. No payload, remember? He was like a driver on the freeway, who, of no fault of his own smashed into another car, where upon the "gas tank" blew up.
Just as a car manufacturer is liable even though the buyer had a reasonable ability to not buy the car, even though they made their bed and slept in it, I think that software manufacturers should be held to the same standard. Software monopoly aside, I understand that Microsoft stated in the license agreement that the software shouldn't be used in "mission critical" environments and therefore shouldn't be held liable. However, Smith didn't guarantee that his program was free of "defects" either, and the user *did* have to accept his program, just as they had to accept Word 97.
In this case, I think we should find Smith not-guilty for anything more then we'd find a virus writer guilty that didn't affect any PC's. However, I think that we should hold Microsoft liable in this case for producing a product that had a known possible defect. Office97 should be "recalled" and Microsoft should be found guilty to the fullest extent of the law.
Just as it wasn't the buyer of the defect car, nor the driver of the other car, but the manufacturer that is liable for gross negligence, in the same way it should not be the buyer of the product, or the virus writer, but the manufacturer of the software that should be liable for gross negligence in developing the product
-BrentI read the article, and it wasn't clear to me at all.
...central processing units from two computer systems had been removed.
So the guy "removed" his CPU.. "removed" it from where? his desk? This implies to me (and obviously to the original poster) that just the CPU chip was removed. Otherwise, it's not a computer system, is it?
In the UK it is illegal to write viruses.. that is the only country on earth where it is. Reason: I have the right to program anything I wish on my computer. Here in Australia it is illegal to deliberately infect a computer with malicious intent.. this does not include posting it onto usenet or giving it to someone to run.. you have to be caught actually putting the executable on the machine and running it (and perhaps drooling from the mouth and saying "oh.. I'm gunna get this guy").. in the US the laws are a little worse.. you have to answer charges if you distribute a virus in non-source (ie.. ready to roll) form even if you never intended for the code to ever be run.. The legitimate way to transfer viruses is in source form or, for analysis purposes, with a non-executable extension inside an archive with clear documentation.. most common way is the name of the virus with the last letter of the extension underscored: CIHv4.EX_ inside a zip with a README file explaining that this is an infected binary.
Posting a virus to usenet as "hotfuck.exe" with a "run me, run me, run me" message is not only stupid, it is blatantly obvious.
How we know is more important than what we know.
police told Smith his Miranda rights, but the defendant voluntarily waived his rights and chose to speak, Bubb asserted. At that time, "Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally accessing American Online for the purpose of posting the virus onto cyberspace, and destroying the personal computers he used to post 'Melissa'
They make it sound like the cops sat down and had tea while discussing this...
I imagine his "voluntary waiving" of his rights went something like "OWWW!!! Why do you keep hitting me? OWW!!! That hurts! Quit it! OK, I'll confess if you stop hitting me! Just Please stop!"
Thanks for saying "Thanks, Bill!", although in a few more words.
Both sides accuse each other of manipulating the media, and the alleged confession seems to have been denied by the defence. Sounds to me like both sides are so obsessed with the glitz of being celebrities that they've long since left Earth and their egos are floating around the stratosphere of Jupiter.
Maybe this new Interstellar protocol can be used by the judge to talk to these guys. I doubt anything else could.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If your whole car is stolen and you can't produce the keys, they aren't gonna buy you a new car. You shouldn't have left your keys in the ignition.
The macro vulnerabilities have been around for EVER. Why, then, are companies allowed to continue whining when they are exploited? Why isn't there more pressure to plug this up? How many times can you listen to a guy moan about his car stereo before you yell "LOCK YER FRIGGIN DOORS, MORON!"
Further consider.. what kind of crap would a car company get if they shipped a car with doors that just plain don't lock?
I dunno. It just seems like software companies can get away with persistent bugs than never go away while the rest of the world is expected to provide a GOOD product.
--- Tao
Mozillazine (www.mozillazine.org) has this article today:
Yet another hole has been found in Internet Explorer's ActiveX
implementation. This one allows arbitrary code to be written to the user's
hard-drive. The bug was found by Georgi Guninski, who has found many
security bugs in IE and Communicator. To read more about it, click here to
visit Georgi's page. If you click "Test it" beside the name of this bug
("Executing programs with IE 5.0") while using IE, the page you visit will
write a small bit of sample code to your StartUp menu. You've been warned.
Georgi calls this bug "the most significant of my discoveries and the most
dangerous also".
I have yet to hear of one sys admin having a system actually go down because of this virus. Every system that I have heard go down was due to the sys admin hearing about this virus and then pulling the plug. Does preventative maintenance count as damage? I admit if Symantec and others didn't have an update 3 days after the release of this virus it may have caused some damage. But really this virus sent a little word doc around the world a few million times. There are more problematic e-mails than this: SPAM, Dancing babies etc. Also, has anyone ever read the source for this virus? Its crap, and obviously written either by more than one person or copied right out of a book and then edited a little. Someone with NO VB skills could easily create this hack with a few Microsoft Library MAPI articles. Give this guy a break. He had no idea what he was doing/creating. Someone left a gun unlocked for a child to play with. Do persecute the child. Two cents
I think that it shouldn't be illegal. No I'm not condoning cracking or virii or anything that is "damaging"
I'm just saying that the modern day script kiddie (even though he's like 30...) is in a symbiotic relationship with computer users (and that term is loosely used here).
We on the other hand (to clarify "computer users") are above the standard issue computer user. So I say let the script kiddies live in peace. Of course, the arguments will be made, but like yesterday's link to the computer humor page showed, owning a computer involves responsibility.
I really wish that people would take the responsibility of learning about their new machine, but considering the total number of VCRs flashing 12:00, i'm asking too much? No, because some people just don't need to "program their VCRs" to tape what they want to watch.
However, not meaning to offend any tech support folks, the computer is quite more complicated and those of us who "know what we're doing" with computers wish the idiots would leave us alone. Techies probably agree they'd rather that their job was obsolete than have to listen to the proverbial cup holder users.
Finally, if the supposed method of trashing his computer is true (by removing the processor), then I really, I mean REALLY question this guy's knowledge of computers.
ALL HAIL BRAK!!!
- "So Mr. xxxx of management, how much damage did Melissa inflict?"
- "We estimate that Melissa cost us about 100 000 000 USD"
- "A hundred million? How?"
- "Um..well, we recieved a lot of bogus e-mail."
- "$100 000 000 for that?"
- "erm..uh.. Oh yeah, our mail server crashed twice so we had to reboot it a couple of times. That's pretty expensive, you know."