Melissa suspect arrested
Stone Table writes
"MSNBC reports that the FBI arrested a suspect believed to have authored the Melissa virus "
This is definitely a tricky one: of course, it's a Windows email virus, so it doesn't affect most of us, but he was tracked using the MS GUID. Justice? Big Brother? I'm not sure which.
Evidence is completely circumstantial (Score:1)
Here's another news story with more details... (Score:1)
Do you people READ? (Score:1)
Fnkmaster
(no password)
Arrest who ? (Score:1)
MS is not the only "trusted" software vendor which does this. Normally, cookies are harmless but used in combination with ActiveX controls embedded in programs and even documents, they can serve as relaying agents for information which is personal or sensitive to one's business.
Here some individual launches a macro-email virus and faces criminal charges, most likely. On the other hand large corporations do even worse and admit it and go unpunished.
The justice department case is a sham. These and other matters are criminal in nature. Some others include industrial sabotage of competitors' software (OS2, DRDos, etc). Industrial sabotage is very serious, and carries the death penalty in China and some other nations. Perhaps MS executives should be extradited there to face prosecution. At least some nations (India, France) are now banning the use of Microsoft software for critical national security tasks. Mostly because it's closed source and these nations want to ensure that nothing fishy is going on with it (like the GUID stuff not to mention unreliability).
These are not technology issues, IMHO. Organized crime is still organized crime whether one is practicing extortion of labor unions and dynamiting competitors' factories or extortion of hardware vendors and sabotaging competitors' software with hidden OS gotchas.
Nothing could be a greater threat to freedom than the monopolistic racketeering by corporations and mergers into a national or international syndicate. Yet, those involved need not be prosecuted in civil court on technology and anti-trust grounds that are difficult for most people to understand.
Criminal activity like extortion, sabotage, and theft of personal and business information is easy to understand.
Even if the "arrest" has nothing to do with the GUID trojan horse (nobody but the FBI knows yet), in all the news articles the press is focusing too much on individuals who screw with the system mostly for amusement or revenge instead of the real culprits who should do *hard time in prison* for criminal racketeering.
It's time to take the gloves off and demand that criminal charges be brought against Microsoft. If not in the United States, then elsewhere.
Melissa vindicates Muth! (Score:1)
"Indeed, some Linux advocates say Linux's small footprint, efficient code and lack of integration with surrounding technology is what makes it appealing. Muth disagrees.
'People want more integration,' he said. 'They want to take a bar chart from Excel and put it in Word. On the server side they want strong queuing and security. This is all done through integration. Linux has a low degree of integration. Linux is basically a big step backward for those two reasons plus others.'
I can just hear him saying "People want to have a Word macro send email to all your friends, without any confirmation from you!"
Let's not. (Score:1)
Ever read "Civil Disobedience?"
Actually... (Score:1)
what was it that was illegal about Melissa?? (Score:1)
In a lot of states there are laws against purposely damaging computer equipment (probably from way back when computers were still curiosities, to protect them from tech-fearing luddites).
Charges will never stick. (Score:1)
Great, so the dude gets off. It doesn't end there....
Because of this ruling, there will be binding legal precedent stating that Microsoft's GUID is an illegal invasion of privacy... this opens Microsoft up to about a gazillion and one (rough estimate) lawsuits. Not to mention that it won't look too good for the defence at the DOJ trial. I will be quite interested to see how this turns out.
Disclaimer: I am not a legal expert. My knowledge of the legal system comes from 2 high school law classes and watching Law and Order religiously.
- Adam Schumacher
cybershoe@mindless.com
N.A.R.T. #009
P.W.T.T.K.S.S.S.T.H.U. #001
An Apology - was: Charges will never stick. (Score:1)
I made my post based on the information I had heard from other sources, and just skimmed this particular document.
Again, sorry.
Microsoft dual role (Score:1)
Piss off (Score:1)
I don't decide what the users at my company get. I just get stuck supporting it. Gotta pay for school somehow, you know.
Next time, maybe you ought to get your facts straight before you open your cakehole.
----
Too friggin bad (Score:1)
If I ever see another person with a copy of stoned, I swear I'm gonna have to go on a shooting spree.
----
What I get (Score:1)
----
the charges (Score:1)
second-degree charges of interruption of public communication, conspiracy to commit interruption of public communication and attempts to commit those offenses, as well as the third-degree offense of theft of computer services.
Also of note is that the CNN article makes no mention of the MS GUID being part of the evidence that led to his arrest. Apparently he was tracked through an AOL account.
--
A more likely conspiracy... (Score:1)
--
Robert Morris' punishment (Score:1)
Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December, 1990, was rejected the following March.
--
Maaskant, as in Jan? (Score:1)
Mike...
oh please (Score:1)
And what's unreasonable about opening something you weren't expecting, if it's from someone you know? Personally, I wouldn't allow an auto-run macro to run even under those conditions, but most people probably would, and that's reasonable.
what was it that was illegal about Melissa?? (Score:1)
I'm not trying to blame the whole thing on the victims, but especially in this case, with Microsoft Word explicitly warning the user beforehand, it's hard to determine where the line should be drawn.
What's the big deal here??? (Score:1)
The big deal for my company was two or three full days of unexpected, unscheduled, unenjoyable work for 1 Security person, 2 PC techs, and 6 help desk staff persons. The real kicker is that we don't even use Outlook as an email client. We still believed that we should remove all malicious viruses from our systems. We certainly don't want to be infecting other systems with a virus due to our carelessness or lack of digital hygiene. So now you add up all the time WASTED on virus eradication PLUS the time lost to other projects (yeah we have a few scheduled in 1999) and the Melissa "prank" was extremely costly. I realize that we cannot send this guy a bill for this time wasted so I am clinging to the hope he gets what he deserves in some darkened corner of a jail cell.
it's going to be very hard to prove that he wrote it (Score:1)
whether they prove he wrote it or not.. it's not that easy to charge him.. they need to find intent, and prove the fact that he was the one who released it into the wild..
writing virii is as legal and legit as writing any common program.. it's only its use that can get someone into trouble..
Clearly he is a script-kiddie (Score:1)
What a moron. Did he even try to cover his tracks?
This frightens me (Score:1)
Because it can be used as justification for allowing "Big Brother" type schemes to prosper. Don't forget that the US government has at times requested that wiretapping be legal without a warrant, not to mention key escrow and such. Despite the protestations to the contrary, the US government doesn't want you to have privacy, and this kind of thing may be used as good PR for those efforts. "See how good this is, we caught a criminal because of it!" The next thing you know, the gov will be REQUIRING this. For the sceptics, remember the Clipper chip?
This whole thing is such bulls**t (Score:1)
Pull your head out of your butt and _THINK_ for once.
Personally I've been using computers for about 19 years now and it never ceases to amaze me the number of hateful, immature cretins who are out there who think it is fine to victimize those who know less than they do.
The victim is never at fault. (Score:1)
Is the trusting old lady at fault when she gets swindled by a con artist?
Is the college coed at fault when some psycho rapes her in the park?
Are you at fault when someone bigger and stronger than you kicks your ass just because he feels like it?
The fault always lies with those who victimize others. They _CHOSE_ to commit acts against others (be it violent or otherwise).
You totally missed his point (Score:1)
Okay, try this: I give you a gun and you go target shooting with it. I didn't bother to tell you that the nice wood-grain plastic handle is actually made of C4 and that when that first shot is fired the whole thing is going to explode and turn your arm into ground beef. Is this okay?
Or how about I distribute a new, and very complex code library for Linux that does really cool stuff and then when you're not looking it suddenly fills your network with so much garbage traffic it bombs your network?
49 months (Score:1)
TedC
Driving-license for the internet? (Score:1)
Doesn't anyone care WHY this can happen? (Score:1)
after all, the '89 worm exploited a hole in sendmail.
That is true, but it wasn't a well known hole that nobody had bothered to close. Macro viruses have been around for a while now, and are just as big a hole now as when they were introduced. UNIX has its holes, but when they are discovered, they are closed. Usually before anything really bad happens.
In short, Virus writer = criminal. MS != criminal. MS= crappy software? Not exactly news.
Doesn't anyone care WHY this can happen? (Score:1)
True, but that was an administrative failure. At least they had the opportunity to close the holes. You don't get that if you're still waiting for the vendor to acknowledge the problem's existence.
Outlawing virus writing is dangerous (Score:1)
J.
What can be learned from this (Score:1)
natural consequences of release were crimes. (Score:1)
BULLSHIT! (Score:1)
The notion that Unix has less viruses because it's 'unpopular' is just weak Microsoft apologism.
Confusing the issue. (Score:1)
This crap is ancient history, as old as bulletin boards.
It's no different than putting an exploding gas tank on a Pinto.
I can only guess that you don't. (Score:1)
Merely deciding that you are never going to open untrusted attachments is no more a solution than deciding that you are never going to run untrusted binaries.
What do you think gives us that freedom? Just as in other things, freedom does not come from anarchy but from just the right balance of chaos and order.
The order in Word/OLE is lacking. The ensuing anarchy results in the deprivation of liberty.
Too friggin bad (Score:1)
Too friggin bad (Score:1)
Ruger doesn't do this.
what was it that was illegal about Melissa?? (Score:1)
Giving people nothing to lose is bad public policy, especially when those people are capable of causing havoc on a grand scale.
What if this had been a real (bio) virus? (Score:1)
You did know that most communicable diseases can be stopped by good hygiene, didn't you?
Too friggin bad (Score:1)
Life in the 21st century is simple: (Score:1)
How do you get arrested for exploiting a security hole in an operating system that lacks any kind of security? If the maker of that operating system owns all the world's computing assets. If you want to live on this planet, start kissing Microsoft's ass.
Nothing to do with Big Brother. (Score:1)
Is Geocities breaking the law? (Score:1)
They should be. . .
GUID or bad? (Score:1)
I think this is why they're "not discussing" the details. I bet it had nothing to do with the GUID, unless it had the SN of his copy of Word registered to his employer or something.
what was it that was illegal about Melissa?? (Score:1)
Take THAT microsoft!
what was it that was illegal about Melissa?? (Score:1)
Cracking AOL accounts with AOHell and writing Word Macros hardly qualifies a person. . .
Too bad. (Score:1)
Compare this to the Netscan site [netscan.org], which lists networks which can be used to execute a smurf attack, because they haven't been secured against directed broadcast pings. On the face of it, Netscan is a huge resource for idiots who want to smurf people --- but far more importantly, it brings the brokenness of the networks to the attention of the sysadmins who run them, when they wouldn't have noticed otherwise.
Melissa is hardly a particularly damaging virus; it doesn't scrag your hard drive or damage your files. It does very little more than prove just how catastrophically broken certain Microsoft applications are --- Outlook and Word for exposing users to email-borne viruses that were once a myth, and MS's mail servers for crashing under load that Sendmail or qmail would laugh at.
By no means does this justify virus-writing. However, it places a good deal of the blame for the damage caused by Melissa at the feet of Microsoft and its unthinking customers. Buy a known-insecure system, get what you deserve.
Confusing the issue more. (Score:1)
The susceptibility of Microsoft products to network-reproducing macro viruses is due to designed-in features.
Furthermore, Microsoft has known that macro viruses exist for several years now. They have done little to protect their customers --- little even to draw attention to the threat, because they don't want to be held responsible in the market for their design mistakes.
While MS might not be legally liable for criminal negligence or complicity in the distribution of the Melissa virus, they are definitely ethically in the wrong. They are bad engineers, not simply for making a shoddy product but for ignoring and denying responsibility for the shortcomings which are direct, obvious byproducts of its design.
The author of the Melissa virus was doing a bad thing in writing it. But from this bad intent comes not only the bad result --- users spammed, systems crashed --- but also potentially a good result: Microsoft being held responsible in the market for their product's blatant failure to meet basic security needs.
Confusing the engineers more. (Score:1)
(This is why some E.E.'s look down on computer scientists; it's also why software certifications with the word "engineer" in the title have gotten "real" engineers a bit indignant at times.)
Because programming is not legally considered engineering, even though IMHO ethically there are similarities between the wrong done by an incompetent or sloppy engineer and that done by an incompetent or sloppy programmer, I doubt that MS's programmers can be held legally liable for their shoddy work.
In fact, because the EULA on all MS products disclaims "merchantability for any particular purpose", it's likely that MS can't be held legally liable if their code does nothing at all, or even does something destructive. The only way to hold them responsible is in the marketplace --- by not buying their crap.
MAC address is easily changed (Score:1)
Some device drivers don't support it, though.
what was it that was illegal about Melissa?? (Score:1)
This should be a warning to all OS's (Score:1)
The only reason that this has not happened to the same extent with Linux, and Unix in general is not so much that it is not possible, but mostly due to the fact that the user base is slightly more technically knowledgeable, and less likely to be caught by a similar trick. - eg. distributing a 'cool perl app...'
The fundamental question is really what sort of ietf standard could be applied to prevent this from happening again?
The forced re-entry of password check when sending out Userid (eg. non root) messages with over 5 to 10 recipients?
One of the major problems is that this type of mail type virus has not been considered by any of the rfc and ietf drafters.. It is a new 'concept', pardon the pun.
The outcome of various ideas to eliminate this type of attack mean that every major mail distribution system must be reconfigured. All clients would have to make allowances for the change in standards as well. - While this is not a big issue for open source, the effects of a major revamp of closed source applications is huge.
This little virus may be the turning point where the justifiability of proprietary solutions in mail and information transmission goes out the window.
I still think Melissa is a worm... (Score:1)
The fact remains that it was engineered by a form of lowlife.
What's the big deal here??? (Score:1)
1) Melissa can, under certain conditions, infect another document and send it as an attachment to the list of fifty recipients. Thereby creating the possibility of distributing confidential information to those who have no right to that information.
2) It amounts to a mass DoS attack that makes the
Too bad. (Score:1)
You can't be serious! That's like saying "All he did was point the gun and pull the trigger - No big deal. The real problem was that the gun was loaded."
I do agree that gross insecurity and/or over-reliance on software is a bad thing, but exploiting them is just wrong.
GUID has little or no value (Score:1)
It's only a matter of time before newer viruses are developed. There are supposed to be a lot of interesting features in Melissa: apparently it resets Word to read macros without prompting the user.
The fact that it advertises pornography sites is peculiar. A much more effective virus would advertise "Make Money Fast." Another good place to insert viruses might be in resumes. Some HR departments require the use of MS Word attachments. Many of them may well have their email servers set up in a vulnerable fashion.
Pentium III / GUID What's next? (Score:1)
Don't care about the virus but about BigBrother. (Score:1)
But what I don't like is the possibility that the government can track you. Now by MS GUID, and Intel PIII serial number.
Next, here in the Netherlands they might implement a toll-way system around the busiest highway. So next the government can track a lot of my movement.
They already reported that somewhere close to 2001 they plan to use satellites for that.
At that time they can check the whole country. So I lost a freedom. The freedom to move somewhere without somebody knowing it. Because the government can track... That's what I hate about this stuff!
Of course my example only related to normal cars. But it's getting real close to the all seeing government!
GUID has little or no value (Score:1)
Too friggin bad (Score:1)
Look dude, most corporate users that I've run across know very little about computers but are forced to use them in their jobs. Why wouldn't the average person "fall for it?" Do you think your Mom wouldn't open an attachment that a friend emailed her? What about your Grandma? Not everyone can be expected to spend the time and energy needed to keep up with technology. Most people just know what they need to know to get their job done.
I'm currently helping to migrate GM from Win3.1 to Win95. You know how much training users are getting? Zero. The only help they get is a brief rundown from me on where to find their apps before I move on to the next unit because I've got a schedule to keep. So what should these users do? Should they go to their boss and say "I'm not going to rely on technology I don't understand... here is my resignation." Or should they stay up late at night trying to master a technology that they have no personal interest in? Computers don't interest everyone y'know.
Robert Morris @ MIT? (Score:1)
Could be interesting...
actually it doesn't depend on new laws (Score:1)
Since the earliest days of computer "cracking", it has always been against the law to use one iota of cpu cycles on someone-else's computer in an unauthorized way. If this guy wrote a program that intentionally did this, he broke the law as soon as one cpu cycle got used to open the address book on the infected computer. The legal theory is that you are stealing the cpu cycles. This is how people got prosecuted in the '80's. This is the same legal theory that protects FAX machines against SPAM, and you against telemarketers.
Proving that actions were unauthorized was kinda tough (you did open the attachment after all) so they passed new laws making this easier to prove. Now prosecutors only need to show intent in that you knew that your program would do this.
BTW:
1. unsolicited email is now illegal in several states in the US.
2. any time things cross US state lines, the feds get involved (interstate commerce clause).
3. public disruption laws have always existed (illegal to yell "fire" in a crowded room).
Much ignorance in this thread (Score:1)
it may be but that doesn't excuse the fact that documents are given the control to do these kind of things. the scripts should be separate from the document and it's likely that linux heads would be smart enough to do it this way. i'm sure that even wordperfect does it this way.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
it's going to be very hard to prove that he wrote it (Score:1)
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
What if this had been a real (bio) virus? (Score:1)
very bad analogy. to the best of my knowledge, this virus killed no one. a proper analogy would be if this virus caused a nuclear bomb to go off.
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
Re: (Score:1)
Re: (Score:1)
what was it that was illegal about Melissa?? (Score:1)
Plus I mean is this guy prosecutable in the UK if he released it in the US?? Just because it ended up in the UK does that mean he falls under their jurisdiction??
the charges (Score:1)
I'd love to charge them for that!
Can we protest by ALL getting arrested? (Score:1)
federal computer crimes (Score:1)
what is the definition of virus, legally???
DON'T FALL FOR THE FBI'S LATEST TRICK!!! (Score:1)
the charges (Score:1)
What is the crime? (Score:1)
Hell yes.
Although I don't find the Melissa virus to be all that awful (it's just DOS, and pretty funny too), and I have some suspicions about the whole affair, it is completely irrelevant whether or not there's a 'lock on the door.'
If someone steals something, even if it was unprotected, then he's still a thief. Of course, I still think that Microsoft ought to have been found guilty of negligence for such awfully insecure products years ago by someone. They are partially to blame, but that doesn't absolve people breaking into your computer just because it's easier.
Happenstantial synchronicity - NOT! (Score:1)
Is it at all possible that Microsoft set the whole thing up? Well, this does come hot on the heels of the GUID controversy, which they're taking a good bit of flak for. Could the GUID be more important to them than people had thought? (which would be why they'd be willing to try to save it)
And with all the press (even some in major media outlets), why didn't the alleged author (who would be pretty smart to develop this virus) alter the GUID? (Caveat: If neither MS nor the accused guy in NJ did it, then the actual author is smart enough ;)
So Microsoft would have had to set someone up (who is a likely candidate for a fall anyhow; if I were Microsoft I'd look for someone who's written other macro virii, similarly trackable through the GUID database, pirates software, always quiet and kept to himself...) which would not be terribly difficult. After all, they're the only ones who have the GUID database and if they felt it necessary they could easily fudge it to point to whomever they liked, prior to it (or a subset of it) being entered into evidence.
And although I have not been directly affected by Melissa (I use a Mac, and pine on Linux, via telnet, for mail) it seems to me that it's just a very virulent DOS attack. The file it propagates is kind of funny, really. So why all the hype, unless MS (which is already known to feed reporters in the trades information, and could presumably expand their operation a bit) were to have been hyping it? And they sure reported early on the arrest of that suspect. Although this is all conjecture, it does make you think.
Microsoft are the ones who need to be arrested (Score:1)
packages that people find useful (Microsoft Word and Excel) then they deliberately engineer them so that anyone with half a brain can write a virus to disrupt processing. They then integrate this product with others so "You won't know where the desktop ends and the Internet begins".
If GM designed cars like that, they would put the fuel filler pipe on the dashboard (next to the cigarette lighter) because it made everything easily accessible to the driver.
Confusing the issue. (Score:1)
gas tanks were exploding, it was not because a bunch of mechanics were running around lighting them on fire. And then blaming Ford for the resulting explosion.
ALL software has bugs. The fact that MS has more than their share is not an excuse to take advantage of those bugs. If the intention of the Melissa virus was to point out those problems, why not simply release a patch to fix it?
Whoever wrote the Melissa virus is a vandal.
The fact that it may be a 30 yr old vandal just makes it sadder.
GUID needs more serious thought. (Score:2)
I know that people fear abuse of GUID technology, it reduces privacy. I implore you to consider how? We have police forces, the IRS, Social Security Agency, Credit Agencies and many other institutions that have our consent and the government's consent to gather information and rule over us. We as a society have granted them that right. Why? To avoid anarchy. Also, the founders of our country knew that placing people in power and giving them authority to rule, requires us to subject ourselves to them and reduces our freedom. They did not throw their hands up and say, "We can't make a truly free society," or "We can't make a society that is free from corruption." They designed a system with checks and balances, knowing full well that it wasn't perfect, but it was better than nothing. Our police force lives under this system, with mayors and chiefs of police as elected officials. There have been times and there are places where the police have abused power, but how many of us would say, "We can't have a perfect police force, so let's not have one at all."
For that is what we are saying by trying to get rid of the GUID concept altogether. I grant you, that although I do not know what all the flaws are, the current setup is most likely not an acceptable candidate for a final implementation of such technology. I do think such technology can be of great benefit to the users of the Internet and society in general if we go about creating such technology carefully, with much forethought. If possible we may want to find ways to implement a checks and balance system in the technology to help prevent abuse. Ultimately it is an issue that needs serious consideration, and not a flippant answer either for or against.
Ryan
Doesn't affect us?? (Score:2)
I was just on the phone with a friend who was telling me how the Fortune 500 company he works for had their entire email system go from fully functional to worthless in forty-five minutes. Wow!
me too (Score:2)
OJT - Internet 101 (Score:2)
Thing is, though, as folks here have pointed out, 1. Anyone who uses the 'net at work has to know the basics of safe computing. These folks get educated by their sysadmins/network folks who have to know what goes on "out there". It's a big bad place, with lots of script kiddies, and older folks who should know better, just squirming in their collective jeans to get at an unsecure network. Users have to be made aware of this. Don't open an attachment from anyone unless you're expecting one. Draconian, but a bit safer. 2. MS shares blame for this. Period. This whole episode points out, yet again, that MS products are inherently unsafe in a real networked environment, and that MS applications that pose as server products can't walk the walk. The usual spin from MS will be Alice-in-Wonderland Pt. II, but I guess that's par for their course.
IT WASN'T THE GUID THAT NAILED THIS GUY... (Score:2)
If you would read the CNN article...
http://www.cnn.com/TECH/computing/9904/02/melis
You'd find out they nabbed this guy by tracking the posting host, the AOL account, and then the phone line used to dial up to AOL.
About the only thing the GUID would be used for might be a piece of evidence linking the document to the computer used to write the virus.
DON'T FALL FOR THE FBI'S LATEST TRICK!!! (Score:2)
what is really puzzling is that they aren't even attempting to address the real issue. that is, "why does a microsoft word document have enough access to your operating system to be able to inflict such damage?!?" if someone broke into the white house and shot the president, the first question they would ask (after thanking the guy) is "how did he get in and what can be done to prevent this in the future?". i am shocked and amazed that the fbi has not publicly asked this question of microsoft first. i'm sure there are copies of word in the fbi office, aren't they concerned?!?! of course they know what the real issue is. but as they say, the easiest way to cover something up is to ask the wrong question. the fbi is asking the wrong question to deceive you. DON'T FALL FOR THIS TRICK!!!
you think i'm paranoid?? please remember just a few weeks ago the fbi has proposed an initiative to monitor citizen's bank accounts and would have given them the right to investigate anyone with "questionable transactions". the fbi has also been trying for years to get broader wiretapping rights to counter "terrorists". to the fbi, every citizen is a terrorist. i might even be dead tomorrow for writing this. DON'T FALL FOR THIS TRICK!!!
"The lie, Mr. Mulder, is most convincingly hidden between two truths."
what was it that was illegal about Melissa?? (Score:2)
Confusing the issue. (Score:2)
While I don't think this guy should get the death penalty he did cause email servers to crash and untold amounts of work and effort to IS departments across the WORLD. Let's not even think about the career effects that could be caused by unintentionally sending your boss a list of porno links. He should be punished for it and it is a crime.
Let's face it the guy is 30 years old. He's a little too old to be a vandal and he should have known better.
As a side note, if this guy really thinks of himself as a bad ass cyber terrorist/vandal, how could he not know about the GUID? It's been common knowledge for most of a month.
Microsoft should share some of the blame as well. (Score:2)
They knew when adding the code to their office suite that people could use it to do just what the Melissa author did.
Since it's a feature they obviously feel no blame in any of the problems features of their products cause.
Granted it took some loon to write it, but he had the indirect support of a bunch of people at MS. They are only concerned about their money, which means if a feature that can be abused will make money then so be it, it's added anyway.
(I hate working on Good Friday)
.
Much ignorance in this thread (Score:2)
Along with the worm author, user education is the culprit here--it is not Microsoft allowing Office objects to be scripted. I think it's a shame to see so much bad information being tossed about on this topic here.
VBA macros are a good concept. It's an excellent way to tie different applications together, including a huge number of non-Microsoft applications. Hell, even bitter Microsoft rival WordPerfect makes use of VBA now. I'd be curious to know how many of the people who thought Neal Stephenson's Cryptonomicon excerpt was so spot-on are now bashing something that he roundly praised in it: VBA.
It's not a security hole: by default, users are warned upon opening the document that it may contain a macro virus and are asked if they want to run it anyway. There are only so many safeguards that you can take for the careless before you start making it a hassle for the users who know exactly what they're doing. People can also be burned by recklessly opening up an EPS document or via an unknown document in Emacs. Getting rid of those features that can burn lazy users isn't the answer--user education is.
I can tell you now that as time goes by, non-Microsoft users, including Linux users, are going to want a VBA analogue (using Perl, Python, etc.) to let their X apps interoperate in the same way. If the GNOME and KDE efforts aren't working on it now, they will be soon, and I'm sure that a good number of the people asking for it will be those who bash VBA at every opportunity; they won't even recognize that they're basically asking for something VBA-like for Linux. It just makes it too easy to tie different apps together to ignore. As long as the push for Linux to become easier continues, it's inevitable.
That last line leads to the main point that people need to keep in mind: the easier that you make computers to use in good ways, the easier it is for people to use them in bad ways.
Sure, anyone could write their own code to test other computers with all the exploits that they know, but using SATAN is much easier. Unfortunately, this makes it easier for the budding hacker (flames to /dev/null) to prey upon the uneducated/lazy user. Rather, the uneducated sysadmin in this case, who hasn't kept his system updated.
There are plenty of examples of this, in all facets of life, not just computer-related. Education is the key, blind Microsoft hatred isn't.
Cheers,
ZicoKnows@hotmail.com
Why? (Score:2)
It's a tricky thing: if you outlaw distribution, then you have to arrest the guys at NA and Symantec because that's how they write the code. Further, many of the most sophisticated vira out there have been written by virus researchers (v2p6) trying to prove concepts, test their code, etc. (probably a few did it trying to make a buck or two). Then there is that whole freedom of speech issue.
What this guy did was write a virus, and transmit it to a victim who unknowingly activated it. That is against the law.
Microsoft Responsible? A link on that as well. (Score:2)
One of the interesting quotes from that article is a comment from the author of the Internet Worm virus:
"There are a lot of real-world parallels. People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them."
Which is a bit out of context, and meant more that people don't care about it now but they will eventually (or perhaps be mandated to care?).
Yeah, I'm anal... (Score:2)
"Those who would sacrifice freedom for security deserve neither."
--Ben Franklin
Let's not. (Score:3)
If tons of folks are convicted, you won't all get to hit the speaker circuit. No big advance cash from the book. No TV time to espouse your cause. No "hey, I *wrote* this cool thing." Nope, you'll just be some copycat anarchist wannabe with delusions of adequacy.
Yup, yup, sign me up.
That's not even sheep behavior, you've moved on to lemming. Congrats.
-reemul
who actually prefers that the criminally silly declare themselves in such a way, it makes them easier to spot
What happened to expectation of privacy? (Score:3)
Another reason this really scares me is suddenly the whole idea of this MS-forearm-tattoo will all of a sudden become more palatable to the general public. When you tell them that they are being tracked by a for-profit corporation the first thing they'll think is "Yeah, but it's only used to catch bad guys."
Computers have already infiltrated our lives to an intimate level, and I find it disheartening that there seems to be both a general disregard and sullen apathy when it comes to dealing with the ramifications of this infiltration. This is doubly disturbing when you realize that everyone also agrees that this is just the tip of the iceberg.
I guess it's time to run off to a deserted island with the Professor, Skipper, and Mary Ann. Who knows, maybe I could get Linux running on one of the Professor's coconut-computers . . .
Sean
Too friggin bad (Score:3)
At least the author understood the system well enough to exploit it.
The lusers who actually let the virus run free on their system by allowing software to run macros automatically on incoming e-mail messages are the ones I blame. Them and a culture that tries to get us to accept more technology into our life without understanding it.
Don't get me wrong. Viruses piss me off big time. But having been around computers since the mid eighties and for a good part of that time being too involved in "fringe activities" (shall we say?), I have never lost any data to a virus.
Sure, I've lost some time getting rid of it, but at least I learned my lesson and looked at my computing habits.
Protecting yourself from computer viruses isn't all that much harder than locking your car doors when you get out. Of course I know a college grad who got upset when someone stole his car stereo even though he parked it with the windows open and doors unlocked.
Another Perspective... (Score:3)
I'm a sysadmin. In the end, people like me get stuck with cleaning up the mess whenever any over-hormoned cracker decides to crack/write virii/pingbomb/etc. a machine/network. I can certainly sympathize with a lot of the people calling for lynching this guy. Though I don't think that's the right answer.
And, while I can certainly appreciate the skills that go into writing virii, that doesn't mean we should in any way encourage this sort of "skill". That includes the sort of nudge, nudge, wink, wink comments I've seen here. Yeah, Charles Manson was one of the most skillful and persuasive leaders of the 70s, but I don't want any more of that type around, either.
Microsoft (and others) deserve to get nailed with a "defective product" suit one of these days for shipping shoddy products. That day will come (sooner, I hope, than later). But encouraging vandals (and let's not kid ourselves, that's what crackers and virus-writers are) isn't the solution.
An analogy, if I may:
In my neighborhood, 9 of the ten houses are built by XYZ, and come with 10 door locks (of which 5 are broken, and the other 5 are very hard to turn). 1 house (built by ABC) has 3 locks, all easily set. One day, a burglar walks down my street, wiggling the door to each house. If he can open the door, he walks in, re-arranges the furniture, and smashes a few things. If he can't open the door, he goes to the next one. So, guess what! 3 houses get sacked, and they were all made by XYZ. Now, do I complain to the police that XYZ should be held responsible for smashing my furniture? No! I help catch the burglar, send him to jail, and then file a complaint with the Better Business Bureau about the shoddy work that XYZ does (maybe even a civil suit).
Virii-writers are pond scum. If you are smart enough to find a bug/exploit in a program, TELL CERT! That's what they're there for. Sure, the responsible company might not fix it fast. But that doesn't make it right to go smashing other people's property. If the software company isn't responsive to security demands, well, vote with your feet (and dollars). Don't buy from them.
-Erik
Go Melissa! (Score:3)
Seriously, I think this is kinda Microsoft's fault. It is a fact of life that if something can be misused, it will. And what measures does Microsoft take to prevent the misuse of Word and Excel macros? None. Of course, technically it isn't their fault, but I think it's clear that MS should fix the HUGE security holes in Office and Windows.
Doesn't anyone care WHY this can happen? (Score:4)
This should be a warning to all OS's (Score:4)
As with all virii that expose a security flaw, I hold no grudge against the author of the Melissa virus. But, I think that while Microsoft is somewhat to blame in this instance, this should also be a warning to the Unix community. This isn't just an email virus. It also plays social-engineering tricks on you. This virus comes from a known email address.
If a friend sent me a PERL script and said it was amusing, it's very possible that I'd run it. I would hopefully look at the source first, and wouldn't run it as root. But, what if I felt lazy that day?
If we aren't lazy this isn't a huge problem. Many of us would be wary of a binary, and know enough about programming to examine source code. What will our community look like next year? The Linux community is expanding quickly. We've got projects like KDE and GNOME trying to make things more user-friendly. The hacker-quotient is dropping rapidly, and will continue to.
In this instance, User-Friendly is what caused the propagation of this bug. User-Friendly is what makes it possible for some virii to spread. Either by having automated startup routines that a user rarely sees, or doesn't know about (Melissa would auto-run through an init file), or automated features that make you lazy. The 'user-friendly' thing for an email client to do is to make attachments automatically run, or make them easy to run.
As we, as a community, become more user friendly; as we attract more hands-off users, I feel that we will be opening up possibilities for this kind of virus to sneak into our ranks. I can't really think of any way to prevent this kind of program from propagating, aside from awareness. But, as we increase automation we seem to also decrease awareness.
Security for Dummies (Score:5)
My mother-in-law, a woman in her 50s who's firmly turned-on to the digital age but remains innocent of all but the most basic knowledge regarding computer security issues, is an easy target for these virii. She's still a digital toddler; she trusts all the digital adults out there and doesn't know that some of the misguided ones are out to hurt her. She's got some top-flight viral protection on her machine, but that only helps for the known virii.
In the end, it comes down to education. As much as I hate it, I get to shatter her innocent enjoyment of computing and show her a bit of the darker side; she'll be wiser for it, I know, but watching her take such joy in the medium that I've grown inured to was quite pleasurable to me -- like hearing a five-year-old laugh at a silly joke you heard ages ago and chuckling to yourself, knowing how much more pleasure is ahead.
Thanks, VicodinES, for dragging her into your world.