Forgot your password?
typodupeerror
News

Melissa suspect arrested 424

Posted by CmdrTaco
from the whatcha-gonna-do-when-they-come-for-you dept.
Stone Table writes "MSNBC reports that the FBI arrested a suspect believed to have authored the Melissa virus " This is definitely a tricky one: course, its a windows email virus, so it doesn't affect most of us, but he was tracked using the MS GUID. Justice? Big Brother? I'm not sure which.
This discussion has been archived. No new comments can be posted.

Melissa suspect arrested

Comments Filter:
  • by Anonymous Coward
    They have no proof that he wrote the virus. It would be trivial to frame him. All you need to do is change the address of your ethernet card. If somebody received a Word document from this guy, it would be easy to get the MAC address of the card along with it.
  • http://www.news.com/News/Item/0,4,34577,00.html?st .ne.ni.rel
  • by Anonymous Coward
    I find it rather appalling that everyone jumps to comment about this idiotic post without even reading the referenced article from MSNBC. I'm not a fan of MS, and surreptitiously embedding IDs in documents that are associated with a database of info is clearly illegal. But if you read the damned article, they never traced this guy with the GUID. Hell, he probably had a pirated copy of Office anyway. This isn't a big brother case here, the guy was turned in by someone at AOL, who traced back a bunch of emails to the hacked account - at that point, the FBI and the telco clearly team up to find where this person was logged in from. Point is, they never used the GUID.

    Fnkmaster
    (no password)
  • by Anonymous Coward
    How come no criminal charges have been filed for Microsoft's GUID exploit which sends information from one's computer, or a document created with MS Office, to some outside party without one's knowledge or permission? How is this any different from a trojan horse? It *is* a trojan horse. Or, could someone please explain why it is not and therefore not a proper subject of criminal prosecution?

    Ms is not the only "trusted" software vendor which does this. Normally, cookies are harmless but used in combination with ActiveX controls embedded in programs and even documents, they can serve as relaying agents for information which is personal or sensitive to one's business.

    Here some individual launches a macro-email virus and faces criminal charges, most likely. On the other hand large corporations do even worse and admit it and go unpunished.

    The justice department case is a sham. These and other matters are criminal in nature. Some others include industrial sabatoge of competitors software (OS2, DRDos, etc). Industrial sabatoge is very serious, and carries the death penality in China and some other nations. Perhaps MS executive should be extradited there to face prosecution. At least some nations (India, France) are now banning the use of Microsoft software for critical national security tasks. Mostly because it's closed source and these nations want to insure that nothing fishy is going on with it (like the GUID stuff not to mention unreliability).

    These are not technology issues, IMHO. Organized crime is still organized crime whether one is practicing extortion of labor unions and dynamiting competitors' factories or extortion of hardware vendors and sabatoging competitors' software with hidden OS gotchas.

    Nothing could be a greater threat to freedom than the monopolistic racketeering by corporations and mergers into a national or international syndicate. Yet, those involved need not be prosecuted in civil court on technology and anti-trust grounds that are difficult for most people to understand.

    Criminal activity like extortion, sabatoge, and theft of personal and business information is easy to understand.

    Even if the "arrest" has nothing to do with the GUID trojan horse (nobody but the FBI knows yet)
    in all the news articles the press is focusing too much on individuals who screw with the system mostly for amusement or revenge instead of the real culprits who should do *hard time in prison* for criminal racketeering.

    It's time to take the gloves off and demand that criminal charges be brought against Microsoft. If not in the United States, then elsewhere.








  • by Anonymous Coward
    From http://slashdot.org/articles/99/03/04/236243.shtml

    "Indeed, some Linux advocates say Linux's small footprint, efficient code and lack of integration with surrounding technology is what makes it appealing. Muth disagrees.

    'People want more integration,' he said. 'They want to take a bar chart from Excel and put it in Word. On the server side they want strong queuing and security. This is all done through integration. Linux has a low degree of integration. Linux is basically a big step backward for those two reasons plus others.'

    I can just hear him saying "People want to have a Word macro send email to all your friends, without any confirmation from you!"
  • That's not even sheep behavior, you've moved on to lemming. Congrats.

    Ever read "Civil Disobediance?"
  • by Pug (21)
    Sorry, to be pedant, but he was closer. It's actually "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." I looked it up the other day for a report.
  • That same argument can be used against the MS GUID. Even worse, some people explicitly stated they didn't want their data transmitted and it was anyway.

    In alot of states there are laws against purposely damaging computer equipment (probably from way back when computers were still curiosities, to protect them from tech-fearing luddites).
  • I am extremely doubtful that the local DA's will have any case against Mr. Smith. The GUID tracking amounts to an illegal wiretap. Any high school law student could probably argue this case successully. Because of this, anything arising from the GUID tracking (i.e.: pretty much any evidence obtained against him) will be inadmissable, and suppressed at trial.

    Great, so the dude gets off. it doesn't end there....

    Because of this ruling, there will be binding legal precedent stating that Microsoft's GUID is an illegal invasion of privacy... this opens Microsoft up to about a gazillion and one (rough estimate) lawsuits. Not to mention that it won't look too good for the defence at the DOJ trial. I will be quite interested to see how this turns out.

    Disclaimer: I am not a legal expert. My knowledge of the legal system comes from 2 high school law classes and wtaching Law and Order religiously.

    - Adam Schumacher
    cybershoe@mindless.com [mailto]
    N.A.R.T. #009
    P.W.T.T.K.S.S.S.T.H.U. #001

  • I must apologize, I didn't completely read the original article.

    I made my post based on the information I had heard from other sources, and just skimmed this particular document.

    Again, sorry.

  • Anyone else think it's funny that Microsoft created the problem, and the solution?
  • Your mistake is in thinking that I get to make software decisions.

    I don't decide what the users at my company get. I just get stuck supporting it. Gotta pay for school somehow, you know.

    Next time, maybe you ought to get your facts straight before you open your cakehole.

    ----

  • So they caught the asshole. Virus writers get no sympathy from me -- I've had to spend too many extra hours at work over the years because of dickheads like this, rebooting the system of some moron who ignored our policy about opening email attachments or who disabled our virus checkers.

    If I ever see another person with a copy of stoned, I swear I'm gonna have to go on a shooting spree.

    ----

  • What I get is paid fairly well for a job that's usually pretty easy and which fits in to my college schedule well.

    ----

  • by opus (543)
    According to a much better CNN article [cnn.com], the charges are

    second-degree charges of interruption of public communication, conspiracy to commit interruption of public communication and attempts to commit those offenses, as well as the third-degree offense of theft of computer services.

    Also of note is that the CNN article makes no mention of the MS GUID being part of the evidence that led to his arrest. Apparently he was tracked through an AOL account.
    --

  • Is that the virus-protection industry, i.e. Symantec and Network Associates, is churning these things out to keep their stock prices up.
    --
  • According to http://www-swiss.ai.mit. edu/6805/articles/morris-worm.html [mit.edu],

    Robert T. Morris was convicted of violating the computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December, 1990, was rejected the following March.
    --

  • 1:387 net ring a bell? Used to run your board under OS/2? Black Angel user parties with black toe nails? hehe...

    Mike...
  • by Riktov (632)
    The Melissa virus always appears to be from a person you know (insofar as if you're in someone's address book, you probably know them).
    And what's unreasonable about opening something you weren't expecting, if it's from someone you know? Personally, I wouldn't allow an auto-run macro to run even under those conditions, but most people probably would, and that's reasonable.
  • But what constitutes consent? When I received the Melissa e-mail last Friday, and MS-Word asked me if I wanted to run the macro, I said NO. Everyone who was hit by Melissa had a chance to allow or disallow the macro to run, whether by disabling the auto-macro feature at some previous time, or when opening the document. And everyone who was hit by it essentially said YES.

    I'm not trying to blame the whole thing on the victims, but especially in this case, with Microsoft Word explicitly warning the user beforehand, it's hard to determine where the line should be drawn.
  • Posted by Disillusional Dennis:

    The big deal for my company was two or three full days of unexpected, unscheduled, unenjoyable work for 1 Security person, 2 PC techs, and 6 help desk staff persons. The real kicker is that we don't even use Outlook as an email client. We still believed that we should remove all malicious virus' from our systems. We certainly don't want to be infecting other systems with a virus due to our carelessness or lack of digital hygene. So now you add up all the time WASTED on virus eradication PLUS the time lost to other projects (yeah we have a few scheduled in 1999) and the Mellisa "prank" was extremely costly. I realize that we cannot send this guy a bill for this time wasted so I am clinging to the hope he gets what he deserves in some darkened corner of a jail cell.
  • Posted by pARODY - oberphlow:

    whether they prove he wrote it or not.. its not that easy to charge him.. they need to find intent, and the prove fact that he was the one who released it into the wild..
    writing virii is as legal and legit as writing any common program.. its only its use that can get someone into trouble..
  • Posted by The Mongolian Barbecue:

    What a moron. Did he even try to cover his tracks?
  • Because it can be used as justification for allowing "Big Brother" type schemes to prosper. Don't forget that the US government has at times requested that wiretapping be legal without a warrant, not to mention key escrow and such. Despite the protestations to the contrary, the US government doesn't want you to have privacy, and this kind of thing may be used as good PR for those efforts. "See how good this is, whe caught a criminal because of it!" The next thing you know, the gov will be REQUIRING this. For the sceptics, remember the Clipper chip?

  • How about this. Some large, strong and very mean dude comes over and kicks your teeth right out of your ass. Is this okay because all the time you spent using the computer you should have been in the gym getting stronger and at the dojo learning how to fight?

    Pull your head out of your butt and _THINK_ for once.

    Personally I've been using computers for about 19 years now and it never ceases to amaze me the number of hateful, immature cretins who are out there who think it is fine to victemize those who know less than they do.

  • I like the way people try to blame the victem for the actions of those who attack them. No wonder our society is going down the toilet.

    Is the trusting old lady at fault when she gets swindled by a con artist?

    Is the college coed at fault when some psycho rapes her in the park?

    Are you at fault when someone bigger and stronger than you kicks your ass just because he feels like it?

    The fault always lies with those who victemize others. They _CHOSE_ to commit acts againts others (be it voilent or otherwise).
  • Blame the victem. You sound like a Scientologist.

    Okay, try this: I give you a gun and you go target shooting with it. I didn't bother to tell you that the nice wood-grain platic handle is actually made of C4 and that when that first shot is fired the whole thing is going to explode and turn your arm into ground beef. Is this okay?

    Or how about I distribute a new, and very complex code library for Linux that does really cool stuff and then when your not looking it suddenly fills your network with so much garbage traffic it bombs your network?
  • by TedC (967)
    Perhaps they'll throw him in jail for 49 months while they decide what to do...

    TedC

  • Well, it's easy to say we have to educate people about computer security, but first people at large have to CARE about computer security. Most people don't care until security is well-broken (such as it is, if there is any at all) and it's become completely obvious that they're totally exposed. If there were some way to make it MATTER to people, maybe they'd care enough to educate themselves.
  • after all, the '89 worm exploited a hole in sendmail.

    That is true, but it wasn't a well known hole that nobody had bothered to close. Macro viruses have been around for a while now, and are just as big a hole now as when they were introduced. UNIX has it's holes, but when they are discovered, they are closed. Usually before anything really bad happens.

    In short, Virus writer = criminal. MS != criminal. MS= crappy software? Not exactly news.

  • True, but that was an administrative failure. At least they had the opportunity to close the holes. You don't get that if you're still waiting for the vendor to acknowledge the problem's existance.

  • When virus writing will be outlawed, only outlaws will write viruses... :)

    J.
  • Besides adding another line in the "common sense guide to writing virii", can we learn anything from this? Are macros necessary? If so, should we use javascript, java, VB (this is possible with Star Office, is it not?) I am personally tired of having to disable "features" on MS products. My fiancee says she needs Word for writing her papers. I wouldn't allow it on any of my machines. Now she uses StarOffice. I am glad I made that decision. It pays to be different.
  • I went into it more fully href=http://www.slashdot.org/comments.pl?sid=99/03 /30/1344200&cid=915> here, but in addition to the federal law regarding release of virii, the law attributes the same intent to the natural consequences of your actions as the acts themselves. The use of the computers was a criminal trespass, vandalism, and a common law misdemeanor.
  • The Atari ST had plenty of viruses and it was a platform that was nowhere near as popular as any variety of unix, nevermind Linux.

    The notion that Unix has less viruses because it's 'unpopular' is just weak Microsoft apologism.
  • Yes it is. This is something that never should have happened. It never would have happened if the predominant consumer software vendor actually had to be held up to any sort of standard. They acted with gross negligence in safeguarding that property of their customers that their their software is entrusted with with full knowledge and forseeability of what has, does and would go on on the public computing networks.

    This crap is ancient history, as old as bulletin boards.

    It's no different than putting an exploding gas tank on a pinto.
  • Hardly. Unix has always been about the ability to insulate the stupidity or malice of users from one another not about anarchy. That's the real difference here. Unix attempts to manage concurrent use and competing requiremnts wheras Microsoft just ignores all that with the obvious results.

    Merely deciding that you are never going to open untrusted attachments is no more a solution than deciding that you are never going to run untrusted binaries.

    What do you think gives us that freedom? Just as in other things, freedom does not come from anarchy but from just the right balance of chaos and order.

    The order in Word/OLE is lacking. The ensuing anarchy results in the deprivation of liberty.
  • Sure... you wouldn't be able to live without your virus perpetrating applications...
  • Except Microsoft is catering to retards and encouraging their users to be retards.

    Ruger doesn't do this.
  • That's certainly bright: take a fellow who ideally should be able to pay off a rather large tort judgement and then interfere with his ability to make a living. Giving potentially very bright criminals nothing to loose is the height of stupidity.

    Giving people nothing to loose is bad public policy, especially when those people are capable of causing havoc on a grand scale.
  • This is the computing virus equivalent of a mild cold. It's little more than a nuisance and primarily serves to demonstrate to you just how poor your personal hygeine is.

    You did know that most communicable diseases can be stopped by good hygeine didn't you?
  • An easy mark is positive reinforcement for the criminal, period.
  • Don't fuck with Microsoft.

    How do you get arrested for exploiting a security hole in an operating system that lacks any kind of security? If the maker of that operating system owns all the world's computing assets. If you want to live on this planet, start kissing Microsoft's ass.
  • From the sketchy article it would appear that he was turned in by someone where he works. All this hype about MS embedding tracking features into Office is just bunk.
  • "Does that mean Geocities can be prosecuted for those annoying pop-ups?"

    They should be. . .
  • It sounds to me like he was actually caught by the AOL guy's identity he stole, the Sky Roket account. I bet AOL keeps logs of information on people when they log in, where they log in from, etc. And tho AOL wasn't able to stop the fradulent use of another member's account, they were able to back trace it's mis-use in the logs.

    I think this is why they're "not discussing" the details. I bet it had nothing to do with the GUID, unless it had the SN of his copy of Word registered to his employer or something.
  • Heh, sort of a "license agreement" to run the virus code.

    Take THAT microsoft!
  • Security Consultant?

    Cracking AOL accounts with AOHell and writing Word Macros hardly qualifies a person. . .
  • To a certain extent, I agree. Not that it's good to break into systems to prove that they're broken ... but rather that when a vulnerability is well-documented, well-known, and the manufacturer continues to do nothing about it, sometimes nothing will bring it to the public attention but a massive exploit.

    Compare this to the Netscan site [netscan.org], which lists networks which can be used to execute a smurf attack, because they haven't been secured against directed broadcast pings. On the face of it, Netscan is a huge resource for idiots who want to smurf people --- but far more importantly, it brings the brokenness of the networks to the attention of the sysadmins who run them, when they wouldn't have noticed otherwise.

    Melissa is hardly a particularly damaging virus; it doesn't scrag your hard drive or damage your files. It does very little more than prove just how catastrophically broken certain Microsoft applications are --- Outloook and Word for exposing users to email-borne viruses that were once a myth, and MS's mail servers for crashing under load that Sendmail or qmail would laugh at.

    By no means does this justify virus-writing. However, it places a good deal of the blame for the damage caused by Melissa at the feet of Microsoft and its unthinking customers. Buy a known-insecure system, get what you deserve.

  • The susceptibility of those Pintos to explosions was caused by oversights --- what we'd call bugs.

    The susceptibility of Microsoft products to network-reproducing macro viruses is due to designed-in features.

    Furthermore, Microsoft has known that macro viruses exist for several years now. They have done little to protect their customers --- little even to draw attention to the threat, because they don't want to be held responsible in the market for their design mistakes.

    While MS might not be legally liable for criminal negligence or complicity in the distribution of the Melissa virus, they are definitely ethically in the wrong. They are bad engineers, not simply for making a shoddy product but for ignoring and denying responsibility for the shortcomings which are direct, obvious byproducts of its design.

    The author of the Melissa virus was doing a bad thing in writing it. But from this bad intent comes not only the bad result --- users spammed, systems crashed --- but also potentially a good result: Microsoft being held responsible in the market for their product's blatant failure to meet basic security needs.
  • It's important to note that "real" engineers (like civil or mechanical engineers) are considered to be "professionals" (like doctors and lawyers) in most jurisdictions. This means that the self-regulating associations and accreditation boards of the profession are given special legal standing, and it's illegal to bill yourself as an "engineer" if you don't have an engineering degree, just as it's illegal to practice medicine or law without a license. "Software engineering" is not legally considered engineering.

    (This is why some E.E.'s look down on computer scientists; it's also why software certifications with the word "engineer" in the title have gotten "real" engineers a bit indignant at times.)

    Because programming is not legally considered engineering, even though IMHO ethically there are similarities between the wrong done by an incompetent or sloppy engineer and that done by an incompetent or sloppy programmer, I doubt that MS's programmers can be held legally liable for their shoddy work.

    In fact, because the EULA on all MS products disclaims "merchantability for any particular purpose", it's likely that MS can't be held legally liable if their code does nothing at all, or even does something destructive. The only way to hold them responsible is in the marketplace --- by not buying their crap.
  • ifconfig eth0 hw ether DE:AD:BE:EF:F0:0F

    Some device drivers don't support it, though.
  • Mailboxes are federal property. Destroying a mailbox is a federal offense because you are destroying government property. Don't play mailbox baseball.
  • While I agree with alot of the comments concerning the question over real criminality and how microsoft definatitly has a certian amount of due negligence. This post is probably the most interesting.
    The only reason that this has not happened to the same extent with Linux, and Unix in general is not so much that it is not possible, but mostly due to the fact that the user base is slightly more technically knowledgable, and less likely to be caught by a similar trick. - eg. distributing a 'cool perl app...'
    The fundimental question is really what sort of ietf standard could be applied to prevent this from happening again?
    The forced re-entry of password check when sending out Userid (eg. non root) messages with over 5 to 10 recepients?
    One of the major problems is that this type of mail type virus has not been considered by any of the rfc and ietf drafters.. It is a new 'concept', pardon the pun.
    The outcome of various ideas to eliminate this type of attack mean that every major mail distribution system must be reconfigured. All clients would have to make allowances for the change in standards as well. - While this is not a big issue for open source, the effects of a major revamp of closed source applications is huge.
    This little virus may be the turning point where the justifiablity of proprietry solutions in mail and information transmition goes out the window.
  • Worm, virus, who cares what form of low lifeform we name it after?

    The fact remains that it was engineered by a form of lowlife.

  • Two things are the big deal here.

    1) Melissa can, under certain conditions, infect another document and send it as an attachment to the list of fifty recipients. Thereby creating the possibility of distributing confidential information to those who have no right to that information.

    2) It amounts to a mass DoS attack that makes the /. effect pale into insignificance by comparison. To be able to DoS literally hundreds of mail servers in this manner, with such little effort, and not using your own bandwidth to do so is scary to say the least.


  • "The real fault is in the gross insecurity of the Microsoft software, or perhaps in the over-reliance on Microsoft software."

    You can't be serious! That's like saying "All he did was point the gun and pull the trigger - No big deal. The real problem was that the gun was loaded."

    I do agree that gross insecurity and/or over-reliance on software is a bad thing, but exploiting them is just wrong.
  • The GUID only identifies the original creator of the docment. Theoretically, I could create a e-mail virus by starting with a Word file originally created by someone else. By erasing the document, adding in my own malicious code, and resaving, I can "frame" the creator of the original document file. The GUID is created by the File|New routine.

    It's only a matter of time before newer viruses are developed. There are supposed to be a lot of interesting features in Melissa: apparently it resets Word to read macros without prompting the user.

    The fact that it advertises pornography sites is peculiar. A much more effective virus would advertise "Make Money Fast." Another good place to insert viruses might be in resumes. Some HR departments require the use of MS Word attachments. Many of them may well have their email servers set up in a vulnerable fashion.
  • So they can track us by our MAC address. Maybe we should all be changing our address. This would at least force them to create a database of the changes.

  • First of all i would like to say that i don't have anything to hide.

    But what i don't like the possibility that the Goverment can track you. Now by MS GUID, and intel PIII serial number.

    Next, here in the netherlands they might implement a toll-way system around the busiest highway. So next the goverment can track a lot of my movement.

    The already reported that somewhere close to 2001 they plan to use satelites for that.

    At that time they can check the whole country. So i lost a freedom. The freedom to move somewhere without somebody knowing it. Because the goverment can track... That's what i hate about this stuff!

    Offcourse my example only related to normal cars. But it's getting real close to the all seeing goverment!
  • The article linked to by this story says that he was charged with interfering with public communication. 5-10 years prison and up to $150,000 fine. He was released on $100,000 bail.
  • Personally I have more respect for the virus author than for anyone who fell for it. Too many people are becoming too relient on technology they don't understand.

    Look dude, most corporate users that I've run across know very little about computers but are forced to use them in their jobs. Why wouldn't the average persone "fall for it?" Do you think your Mom wouldn't open an attachment that a friend emailed her? What about your Grandma? Not everyone can be expected to spend the time and energy needed to keep up with technology. Most people just know what they need to know to get their job done.

    I'm currently helping to migrate GM from Win3.1 to Win95. You know how much training users are getting? Zero. The only help they get is a brief rundown from me on where to find there apps before I move on to the next unit because I've got a schedule to keep. So what should these users do? Should they go to their boss and say "I'm not going to rely on technology I don't understand... here is my resignation." Or should they stay up late at night trying to master a technology that they have no personal interest in? Computers don't interest everyone y'know.

  • I've recently heard rumors that Morris has been interviewed by the MIT CS department for a professor/researcher position here.

    Could be interesting...
  • The newer laws just make it easy to prosecute.

    Since the earliest days of computer "cracking", it has always been against the law to use one iota
    of cpu cycles on someone-else's computer in an unauthorized way. If this guy wrote a program
    that intentionally did this, he broke the law as soon as one cpu cycle got used to open the
    address book on the infected computer. The legal theory is that you are stealing the cpu cycles.

    This is how people got procecuted in the '80's. This is the same legal theory that protects FAX
    machines against SPAM, and you against telemarketers.

    Proving that actions were unauthorized was kinda tough (you did open the attachement after all) so
    they passed new laws making this easier to prove. Now prosecuters only need to show intent in that
    you knew that your program would do this.

    BTW:
    1. unsolicited email is now illegal in several states in the US.
    2. any time things cross US state lines, the feds get involved (interstate commerce clause).
    3. public disruption laws have always existed (illegal to yell "fire" in a crowded room).

  • I can tell you now that as time goes by, non-Microsoft users, including Linux users, are going to want a VBA analogue (using Perl, Python, etc.) to let their X apps interoperate in the same way. If the GNOME and KDE efforts aren't working on it now, they will be soon, and I'm sure that a good number of the people asking for it will be those who bash VBA at every opportunity; they won't even recognize that they're basically asking for something VBA-like for Linux. It just makes it too easy to tie different apps together to ignore. As long as the push for Linux to become easier continues, it's inevitable.

    it may be but that doesn't excuse the fact that documents are given the control to do these kind of things. the scripts should be separate from the document and it's likely that linux heads would be smart enough to do it this way. i'm sure that even wordperfect does it this way.

    "The lie, Mr. Mulder, is most convincingly hidden between two truths."

  • they still can't certify that he wrote it. the evidence is circumstantial at best. the id remains constant no matter who changes it. it's not a bulletproof id.

    "The lie, Mr. Mulder, is most convincingly hidden between two truths."
  • Would you feel the same if this guy was a biologist, and released a new deadly virus into the air? So, if your parents got the virus and died, would "they deserve what they get"?

    very bad analogy. to the best of my knowledge, this virus killed noone. a proper analogy would be if this virus caused a nuclear bomb to go off.



    "The lie, Mr. Mulder, is most convincingly hidden between two truths."

  • >>The GUID was invented by the Open Source >>community a while back, for use in RPC >>environments.
    And? Do we still see it used much? nope. Did we all know it was there? yep. Did it go into all Documents and who knows what else that is made on that computer? NOPE
    >> It's also
    >>passed around in EVERY SINGLE CORBA OBJECT YOU >>CREATE.
    How meny Cobra objects do people write? And when they do write them they usely take credit for it.

    If you knew the place you where working for was doing something wrong and you wanted to tell the Media or the police/feds yet wanted to not be named would you want your GUID going into that Email/Document?

  • >>it appears everyone wants total freedom with >>zero responsibility
    Responsiblilty to WHO?! MS? The US GOV?
    Why the hell should they know what I do on the Internet?

    I got a better idea. Lets have the US GOV stamp BARCODES on our forheads. And put little scanners all over the place so they can track where we go and what we do 24/7/365. So if a store gets held up they can know who did it. What a good idea!

    >>and we need to determine how to implement and >>use it.
    We would have no say in it...get your head out of the sand.

    >> I implore you to consider how? We
    >>have police forces, the IRS, Social Security >>Agency, Credit Agencies and many other >>institutions that have our censent and the
    Maybe you did...i didnt.
    And remeber when they founded the USA and wrote the constitution that stated that an IRS would be illegal, but the US GOV changed that. Now the constitution isnt even worth the paper it is writen on.

    >>...by trying to get rid of the GUID concept all >>together. I grant you, that although I do not >>know what all the flaws are, the current setup >>is most likely not an acceptable candidate for a >>final implementation of such technology

    There is no need for a GUID system. There was never one befor MS and the world still turned. The simple fact is that if you still use software THAT YOU KNOW SUCKS, don't read the bug reports or secure your own systems you WILL get screwed. Why should we take away everyones freedom for a few DUMB and LAZY users?!?

    This virii wasnt the 1st...and God knows it wont be the last to hit Word/Outlook yet people still this POS software.
  • how is virus defined, is it based on self replication, is it formally defined at all???

    Plus i mean is this guy prosacutable in the uk if he released it in the us?? just because it ended up in the uk does that mean he falls under their juristiction??
  • those are some cracked out bullsh*it charges. First off interruption of public communications, come on, is that like interrupting someone, besides the majority of that actual mail systems effected were private systems, like all communications in a capitalist system. as for theft of computer services this has got to be the most selectivly enforced law ever, i mean is any program that does something without your consent stealing computer services, was microsoft steal computer services from me by embedding my history into my word docs w/ out my knowlege and consent?
    I'd love to charge them for that!
  • Im totally down, lets do it....
  • But this is such a broad definition of virii, i mean the only damage it causes is indirect, you might be able to prove that he wanted the mail to spread like wildfire but how do you prove that he both knew and intended for it to crash mail servers???
    what is the definition of virus, legally???
  • Changes his name...... Hah, it's David Smith right now, come on I mean you could only get more obscure if it was John Smith. Vermifax
  • When a architect will develop and build a house for you that doesn't have any locks on the door. Will you blame some one for burglary?

    Hell yes.

    Although I don't find the Melissa virus to be all that awful (it's just DOS, and pretty funny too), and I have some sucspicions about the whole affair, it is completely irrelevant whether or not there's a 'lock on the door.'

    If someone steals something, even if it was unprotected, then he's still a thief. Of course, I still think that Microsoft ought to have been found guilty of negligence for such awfully insecure products years ago by someone. They are partially to blame, but that doesn't absolve people breaking into your computer just because it's easier.

  • I had had the same thought.

    Is it at all possible that Microsoft set the whole thing up? Well, this does come hot on the heels of the GUID contraversy, which they're taking a good bit of flack for. Could the GUID be more important to them than people had thought? (which would be why they'd be willing to try to save it)

    And with all the press (even some in major media outlets), why didn't the alleged author (who's would be pretty smart to develop this virus) alter the GUID? (Caveat: If neither MS nor the accused guy in NJ did it, then the actual author is smart enough ;)

    So Microsoft would have had to set someone up (who is a likely candidate for a fall anyhow; if I were Microsoft I'd look for someone who's written other macro virii, similarly trackable through the GUID database, pirates software, always quiet and kept to himself...) which would not be terribly difficult. After all, they're the only ones who have the GUID database and if they felt it necessary they could easily fudge it to point to whomever they liked, prior to it (or a subset of it) being entered into evidence.

    And although I have not been directly effected by Melissa (I use a Mac, and pine on Linux, via telnet, for mail) it seems to me that it's just a very virulent DOS attack. The file it propagates is kind of funny, really. So why all the hype, unless MS (which is already known to feed reporters in the trades information, and could presumably expand their operation a bit) were to have been hyping it? And they sure reported early on the arrest of that suspect. Although this is all conjecture, it does make you think.

  • Microsoft are the ones that need to be arrested. They put out
    packages that people find useful (Microsoft Word and Excel) then they deliberately engineer them so that anyone with half a brain can write a virus to disrupt processing. They then integrate this product with others so "You won't know where the desktop ends and the Internet begins".
    If GM desinged cars like that, they would put the fuel fuiller pipe on the dashboard (next to the cigarette lighter) because it made everything easily accessible to the driver.
  • There is a big difference. In the 70s when Pinto
    gastanks were exploding, it was not because a bunch of mechanics were running around lighting them on fire. And then blaming Ford for the resulting explosion.
    ALL software has bugs. The fact that MS has more then their share is not an excuse to take advantage of those bugs. If the intention of the melissa virus was to point out those problems, why not simply release a patch to fix it?
    Whoever wrote the melissa virus is a vandel.
    The fact that it may be a 30 yr old vandel just makes it sadder.

  • by Anonymous Coward
    I'm very glad this happened. As the GUID issue has been discussed, so far it appears the majority of people (at least on /.) have been very opposed to it. Now I'm not pushing the GUID, but I do think everyone needs to weigh the pros and cons of the GUID before they immediately call for its end. In our society today, it appears everyone wants total freedom with zero responsibility. I'm sorry folks, but it doesn't work that way. The GUID may not and probably is not the solution to the identification needs of the Internet as I doubt the issue of abuse was thought about very much during its creation. However, technology like this has its place, as this story shows, and we need to determine how to implement and use it.

    I know that people fear abuse of GUID technology, it reduces privacy. I implore you to consider how? We have police forces, the IRS, Social Security Agency, Credit Agencies and many other institutions that have our censent and the government's consent to gather information and rule over us. We as a society have granted them that right. Why? To avoid anarchy. Also, the founders of our country knew that placing people in power and giving them authority to rule, requires us to subject ourselves to them and reduces our freedom. They did not throw their hands up and say, "We can't make a truly free society," or "We can't make a society that is free from corruption." They designed a system with checks and balances, knowing full well that it wasn't perfect, but it was better than nothing. Our police force lives under this system, with mayors and cheifs of police as elected officials. There have been times and there are places where the police have abused power, but how many of us would say, "We can't have a perfect police force, so lets not have one at all."

    For that is what we are saying by trying to get rid of the GUID concept all together. I grant you, that although I do not know what all the flaws are, the current setup is most likely not an acceptable candidate for a final implementation of such technology. I do think such technology can be of great benefit to the users of the Internet and society in general if we go about creating such technology carefully, with much forthought. If possible we may want to find ways to implement a checks and balance system in the technology to help prevent abuse. Ultimately it is an issue that needs serious consideration, and not a flippant answer either for or against.

    Ryan
  • I think you're a bit mistaken, Rob. I know several Linux advocates who were walloped by the Melissa virus. They may run Linux on their servers and on some desktops, but MS dominates the desktop just about everywhere.

    I was just on the phone with a friend who was telling me how the Fourtune 500 company he works for had their entire email system go from fully functional to worthless in fourty five minutes. Wow!

  • by scottm (288)
    It's completely ridiculous. Even more ridiculous is the fact that "onOpen" macros are fairly widely used... I'm taking a (expletive deleted) accounting class where we have to use (multiple expletives deleted) MS Excel for a bunch of spreadsheets... The professor decided it was important to each all the business majors how to "program". So they spent 2 weeks on VBA, the assignment over that section was to write a fairly complex "on open" macro, and now all future assignments must include an "on open" macro that explains what the worksheet does. IMNSHO the professor ought to be slapped. I've emailed him twice already about crap like this, but he's clueless... That class is the only time I've used an MS product all semester, and I'll be glad when it's over.
  • Virii are bad; this guy was wrong to do this, but the results taught a lesson. Dos's are bad; they piss-off sysadmins like me, but point out the soft areas I need to harden. Spam is bad - and it's fellow-traveler the email server hijacker; but again this situation forces a tightening of the security screws. It would have been better just to have the code announced on bugtraq, but that didn't happen. The guy should get his ass kicked, but jail time is a bit much, IMHO.

    Thing is, though, as folks here have pointed out, 1. Anyone who uses the 'net at work has to know the basics of safe comptuing. These folks get educated by their sysadmins/network folks who have to know what goes on "out there". It's a big bad place, with lots of script kiddies, and older folks who should know better, just squirming in their collective jeans to get at an unsecure network. Users have to be made aware of this. Don't open an attachment from anyone unless you're expecting one. Draconian, but a bit safer. 2. MS shares blame for this. Period. This whole episode points out, yet again, that MS products are inherently unsafe in a real networked environment, and that MS applications that pose as server products can't walk the walk. The usual spin from MS will be Alice-in-Wonderland Pt. II, but I guess that par for their course.
  • Sigh....

    If you would read the CNN article...

    http://www.cnn.com/TECH/computing/9904/02/meliss a.arrest.03/index.html

    You'd find out they nabbed this guy by tracking the posting host, the AOL account, and then the phone line used to dial up to AOL.

    About the only thing the GUID would be used for might be a piece of evidence linking the document to the computer used to write the virus.
  • the fbi has issued a "manhunt" on the writer of the melissa virus. they might as well call it a WITCHHUNT. this is not about viruses. more severe viruses have existed and have done more damage than melissa. what this is is a pathetic attempt to set a precedent to give the fbi broad rights to invade your privacy. they have tried this before using terrorism and pedophilia as "targets". but what they don't tell you is that to equal the number of pedophiliacs and terrorists in the real world, the internet population would have had to have MORE THAN 100% PERCENT pedophiles and terrorists!!! pedophiles know that is easier to go to the mall or park to prey on children than it is to get them on the internet. the fbi is just trying to get their foot in your door. the fbi is like your worst dinner guest. once you let them in the door, THEY DON'T LEAVE!! DO NOT GIVE THE FBI THESE KIND OF RIGHTS!!!

    what is really puzzling is that they aren't even attempting to address the real issue. that is, "why does a microsoft word document have enough access to your operating system to be able to inflict such damage?!?" if someone broke into the white house and shot the president, the first question they would ask (after thanking the guy) is "how did he get in and what can be done to prevent this is in the future?". i am shocked and amazed that the fbi has not publicly asked this question of microsoft first. i'm sure there are copies of word in the fbi office, aren't they concerned?!?! of course they know what the real issue is. but as they say, the easiest way to cover something up is to ask the wrong question. the fbi is asking the wrong question to deceive you. DON'T FALL FOR THIS TRICK!!!

    you think i'm paranoid?? please remember just a few weeks ago the fbi has proposed an initiative to monitor citizen's bank accounts and would have been given them the right to investigate anyone with "questionable transactions". the fbi has also been trying for years to get broader wiretapping rights to counter "terrorists". to the fbi, every citizen is a terrorist. i might even be dead tomorrow for writing this. DON'T FALL FOR THIS TRICK!!!

    "The lie, Mr. Mulder, is most convincingly hidden between two truths."

  • Im just curious what laws were broken by this "virus"? I mean at best it is an invasion of privacy insofar as it reads your address books w/ out your permission, but what kind of charge is that. It's not an invasion of a system, it's an unsolicitied email, which isn't illegal. Does self replication somehow make against the law?
  • I think your confusing the issue. The problem is not the gross insecurity of Microsoft software. (Although I wont argue against that.) The real problem is that somebody decided to take advantage of that insecurity for their own amusement.
    While I dont think this guy should get the death penalty he did cause email servers to crash and untold amounts of work and effort to IS departments across the WORLD. Lets not even think about the career effects that could be caused by unintentionly sending your boss a list of porno links. He should be punished for it and it is a crime.
    Lets face it the guy is 30 years old. Hes a little too old to be a vandel and he should have known better.

    As a side note, if this guy really thinks of himself as a bad ass cyber terrorist/vandel, how could he not know about the guid? Its been common knowledge for most of a month.

  • Sorry, but they have been able to hide behind a wall of ignorance for too long.

    They knew when adding the code to their office suite that people could use it to do just what the Melissa author did.

    Since its a feature they obviously feel no blame in any of the problems features of their products cause.

    Granted it too some loon to write it, but he had the in-direct support of an bunch of people at MS. They are only concerned about their money, which means if a feature that can be abused will make money then so be it, its added anyway.

    (I hate working on Good Friday)
    .
  • Along with the worm author, user education is the culprit here--it is not Microsoft allowing Office objects to be scripted. I think it's a shame to see so much bad information being tossed about on this topic here.

    VBA macros are a good concept. It's an excellent way to tie different applications together, including a huge number of non-Microsoft applications. Hell, even bitter Microsoft rival WordPerfect makes use of VBA now. I'd be curious to know how many of the people who thought Neal Stephenson's Cryptonomicon excerpt was so spot-on are now bashing something that he roundly praised in it: VBA.

    It's not a security hole: by default, users are warned upon opening the document that it may contain a macro virus and asks them if they want to run it anyway. There are only so many safeguards that you can take for the careless before you start making it a hassle for the users who know exactly what they're doing. People can also be burned by recklessly opening up an EPS document or via an unknown document in Emacs. Getting rid of those features that can burn lazy users isn't the answer--user education is.

    I can tell you now that as time goes by, non-Microsoft users, including Linux users, are going to want a VBA analogue (using Perl, Python, etc.) to let their X apps interoperate in the same way. If the GNOME and KDE efforts aren't working on it now, they will be soon, and I'm sure that a good number of the people asking for it will be those who bash VBA at every opportunity; they won't even recognize that they're basically asking for something VBA-like for Linux. It just makes it too easy to tie different apps together to ignore. As long as the push for Linux to become easier continues, it's inevitable.

    That last line leads to the main point that people need to keep in mind: the easier that you make computers to use in good ways, the easier it is for people to use them in bad ways.

    Sure, anyone could write their own code to test other computers with all the exploits that they know, but using SATAN is much easier. Unfortunately, this makes it easier for the budding hacker (flames to /dev/null) to prey upon the uneducated/lazy user. Rather, the uneducated sysadmin in this case, who hasn't kept his system updated.

    There are plenty of examples of this, in all facets of life, not just computer-related. Education is the key, blind Microsoft hatred isn't.

    Cheers,
    ZicoKnows@hotmail.com

  • by Mr T (21709)
    Writing viruses isn't illegal in the US, distributing them isn't illegal either. Activating them and infecting other users, with out them knowing is.

    It's a tricky thing, if you out law distribution, then you have to arrest the guys at NA and Symantec because that's how they write the code. Further, many of the most sophisticated vira out there have been written by virus researchers (v2p6) trying to prove concepts, test their code, etc.. (probably a few did it trying to make a buck or two) Then there is that whole freedom of speech issue.

    What this guy did was write a virus, and transmit it to a victim who unknowingly activated it. That is against the law.

  • I've seen many a post asking if perhaps Microsoft is not just as responsible as the author of the virus - but seemingly no-one has posted (or mentioned) the other article [msnbc.com] linked to from the story that talks about just that issue.

    One of the interesting quotes from that article is a comment from the author of the Internet Worm virus:

    "There are a lot of real-world parallels. People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobdoy bought them."

    Which is a bit out of context, and meant more that people don't care about it now but they will eventually (or perhaps be mandanted to care? :-) ).
  • Sorry, it's,
    "Those who would sacrifice freedom for security deserve neither."


    --Ben Franklin
  • by reemul (1554) on Friday April 02, 1999 @02:55PM (#1951347)
    Sure, they'd arrest all of you. So? You were going to plead not guilty after posting your intentions here? Maybe they don't have the jail space for all of you. So they'll have to settle for probation, community service (you like picking up trash, right?), and some gi-normous fine with your wages garnished until you die. You get to be part of a batch justice process. A large joint trial for you and your hundred closest, with a template sentence. Followed by the next group, and the next, in lots as big as the courtroom will hold. And it'll still be a felony conviction, so no voting, no guns, good luck getting a job to pay that whopping fine. Your terms of probation will probably include the old-standby "no using a computer" for the next three years, good luck staying current and marketable. And I'm sure your probation officer will be a caring, understanding, people-person, who won't declare you in violation for quitting that miserable job you got right after your conviction when your old gig tossed you. You did know that probabtion officers get to control your life right up until the absolute last day of your time? You'll miss those friends, but associating with anyone else who got nailed at the same time is a violation of your probation.

    If tons of folks are convicted, you won't all get to hit the speaker circuit. No big advance cash from the book. No TV time to espouse your cause. No "hey, I *wrote* this cool thing." Nope, you'll just be some copycat anarchist wannbe with delusions of adequacy.

    Yup, yup, sign me up.

    That's not even sheep behavior, you've moved on to lemming. Congrats.

    -reemul

    who actually prefers that the criminally silly declare themselves in such a way, it makes them easier to spot
  • by Helmholtz (2715) on Friday April 02, 1999 @11:04AM (#1951348) Homepage
    Granted, I'm not a lawyer, in fact I really know next to nothing about law of any kind. But I do seem to remember something about 'expectation of pricacy.' It would seem to me that anybody who is tracked because they used Microsoft products did not realize that by using MS products they were having an electronic tattoo placed on their forearm, and thusly any information that was gathered by using the MS-forearm-tattoo would be inadmissable in a court of law. I could be completely off-base, but I sure hope not.

    Another reason this really scares me is suddenly the whole idea of this MS-forearm-tattoo will all of a sudden become more palatable to the general public. When you tell them that they are being tracked by a for-profit corporation the first thing they'll think is "Yeah, but it's only used to catch bad guys."

    Computers have already infiltrated our lives to an intimate level, and I find it disheartening that there seems to be both a general disregard and sullen apathy when it comes to dealing with the ramifications of this infiltration. This is doubly disturbing when you realize that everyone also agrees that this is just the tip of the iceberg.

    I guess it's time to run off to a deserted island with the Professor, Skipper, and Mary Ann. Who knows, maybe I could get Linux running on one of the Professor's coconut-computers . . .

    Sean
  • by Juggle (9908) on Friday April 02, 1999 @11:54AM (#1951349) Homepage
    Sorry I've gotta disagree with you big time here. Your malice and anger are displaced. Why? Personally I have more respect for the virus author than for anyone who fell for it. Too many people are becoming too relient on technology they don't understand.

    At least the author understood the system well enough to exploit it.

    The lusers who actually let the virus run free on their system by allowing software to run macros automatically on incoming e-mail messages are the ones I blame. Them and a culture that tries to get us to accept more technology into our life without understanding it.

    Don't get me wrong. Viruses Piss me off big time. But having been around computers since the mid eighties and for a good part of that time being too involved in "fringe activities" (Shall we say?) I have never lost any data to a virus.

    Sure I've lost some time getting rid of it but at least I leared my lesson and looked at my computing habits.

    Protecting yourself from computer viruses isn't all that much harder than locking your car doors when you get out. Of course I know a college grad who got upset when someone stole his car stereo even though he parked it with the windows open and doors unlocked.
  • by trims (10010) on Friday April 02, 1999 @01:26PM (#1951350) Homepage

    I'm a sysadmin. In the end, people like me get stuck with cleaning up the mess whenever any over-hormoned cracker decides to crack/write virii/pingbomb/etc. a machine/network. I can certainly sympathize with alot of the people calling for lynching this guy. Though I don't think that's the right answer.

    And, while I can certainly appreciate the skills that go into writing virii, that doesn't mean we should in any way encourage this sort of "skill". That includes the sort of nudge, nudge, wink, wink> comments I've seen here. Yeah, Charles Manson was one of the most skillfull and persuasive leaders of the 70s, but I don't want anymore of that type around, either.

    Microsoft (and others) deserve to get nailed with a "defective product" suit one of these days for shipping shoddy products. That day will come (sooner, I hope, than later). But encouraging vandals (and let's not kid ourselves, that's what crackers and virus-writers are) isn't the solution.

    An analogy, if I may:

    In my neighboorhood, 9 of the ten houses are built by XYZ, and come with 10 door locks (of which 5 are broken, and the other 5 are very hard to turn). 1 house (built by ABC) has 3 locks, all easily set. One day, a burgler walks down my street, wiggling the door to each house. If he can open the door, he walks in, re-arranges the furniture, and smashes a few things. If he can't open the door, he goes to the next one. So, guess what! 3 houses get sacked, and they were all made by XYZ. Now, do I complain to the police that XYZ should be held responsible for smashing my furniture? No! I help catch the burgler, send him to jail, and then file a complaint with the Better Business Bureau about the shoddy work that XYZ does (maybe even a civil suit).

    Virii-writers are pond scum. If you are smart enough to find a bug/exploit in a program, TELL CERT! That's what they're there for. Sure, the responsible company might not fix it fast. But that doesn't make it right to go smashing other people's property. If the software company isn't responsive to security demands, well, vote with your feet (and dollars). Don't buy from them.

    -Erik

  • by Skinka (15767) on Friday April 02, 1999 @11:27AM (#1951351)
    Call me pervert, but I actually enjoyed reading all those reports about Melissa spreading and knoking out mail systems ;)

    Seriously, I think this is kinda Microsofts fault. It is a fact of life, that if something can be missused, it will. And what measures does Microsoft take to prevent the missuse of Word and Excel macros? None. Of course, technically it isn't their fault, but I think it's clear that MS should fix the HUGE security holes in Office and Windows.

  • by dsfox (2694) on Friday April 02, 1999 @10:59AM (#1951352) Homepage
    Everyone believes its a law of nature that all software is susceptible to viruses like this. Even word processor documents! Why is it so impossible to explain to people that the outrage is MS-Word, not the Melissa virus!

  • by Anil (7001) on Friday April 02, 1999 @12:08PM (#1951353)

    As with all virii that expose a security flaw, I hold no grudge against the author of the Melissa virus. But, I think that while Microsoft somewhat to blame, in this instance, this should also be a warning to Unix comunity. This isn't just an email virus. It also plays social-engineering tricks on you. This virus comes from a known email address.

    If a friend sent me a PERL script and said it was amusing, it's very possible that I'd run it. I would hopefully look at the source first; and wouldn't run it as root. But, what if I felt lazy that day.

    If we aren't lazy this isn't a huge problem. Many of us would be wary of a binary, and know enough about programming to examine source code. What will our community look like next year? The Linux community is expanding quickly. We've got project s like KDE and GNOME trying to make things more user-friendly. The hacker-quotient is, and will continue, to drop rapidly.

    In this instance, User-Friendly is what caused the propogation of this bug. User-Friendly is what makes it possible for some virii to spread. Either by having automated startup routines that a user rarely sees, or doesn't know about (Mellisa would auto-run through an init file), or automated features that make you lazy. The 'user-friendly' thing for an email client to do is to make attachments automatically run, or make them easy to run.

    As we, as a community, become more user friendly; as we attract more hands-off users, I feel that we will be opening up possibilties for this kind of virus to sneak into our ranks. I can't really think of anyway to prevent this kind of program from propogating, aside from awareness. But, as we increase automation we seem to also decrease awareness.

  • by purp (12986) on Friday April 02, 1999 @11:01AM (#1951354) Homepage
    It was handy once, and will be handy to catch abject imbeciles, but the MS GUID (and the Pentium III digital serial number) won't be of any help to catching the moderately intelligent criminals. They'll skate around it somehow (I can think of two ways right now) and we'll still pay the viral price.

    My mother-in-law, a woman in her 50s who's firmly turned-on to the digital age but remains innocent of all but the most basic knowledge regarding computer security issues, is an easy target for these virii. She's still a digital toddler; she trusts all the digital adults out there and doesn't know that some of the misguided ones are out to hurt her. She's got some top-flight viral protection on her machine, but that only helps for the known virii.

    In the end, it comes down to education. As much as I hate it, I get to shatter her innocent enjoyment of computing and show her a bit of the darker side; she'll be wiser for it, I know, but watching her take such joy in the medium that I've grown inured to was quite pleasurable to me -- like hearing a five-year-old laugh at a silly joke you heard ages ago and chuckling to yourself, knowing how much more pleasure is ahead.

    Thanks, VicodinES, for dragging her into your world.

"Let every man teach his son, teach his daughter, that labor is honorable." -- Robert G. Ingersoll

Working...