The Internet

The Melissa Syndrome

Posted by JonKatz
from the Crime,-Hype-and-Technological-Hostility dept.
John Dillinger wasn't nailed with much more fanfare than the alleged creator of the now-famed Melissa virus, whose apprehension in New Jersey a few days ago drew a governor and a platoon of state, local and federal cyber-cops. This syndrome is becoming almost ritualistic. The virus and the arrest tell us a lot about Crime and Hype, Technological Hostility, and Closing the Distance that makes so much online hostility so easy.

CRIME AND HYPE: The Melissa Syndrome

John Dillinger himself wasn't arrested with much more fanfare. When police in New Jersey announced the "capture" last week of David Smith of Trenton, allegedly the creator and distributor of the now famous Melissa virus that's supposedly infected more than 100,000 computers and shut down several hundred corporate computer systems, it made front pages all over the country.

The FBI acted as if it had just rounded up the world's most wanted terrorist. The bureau rushed to hail its new National Infrastructure Protection Center, a division created to fight cyber-warfare threats following teenaged hackers' intrusions on U.S. Defense Department networks. "We will track down these electronic saboteurs," promised William Megary, the FBI special agent in charge of the Melissa investigation.

The case was such a public relations bonanza that New Jersey's governor -- never before known to have uttered a syllable about the Internet -- turned out before the cameras to praise the "good old-fashioned detective work" that brought the villain to justice. She was flanked by the Attorney General and a battalion of law enforcement officials.

This reeks of opportunism and hype.

And it reflects the curious mythology of the Net and the Web, especially to the old-world institutions trying to figure out how to deal with it. The idea of a computer virus is genuinely chilling. But has it created enough damage or suffering to warrant this kind of coverage? Or is the idea of the virus more menacing than the reality?

Anybody who's been paying attention to the Net for any length of time has learned to be deeply suspicious of journalistic and law enforcement pronouncements about cyber-criminals. Both government and journalism have been fundamentally clueless about the dangers presented by hackers, virus-makers and other bogeymen. Dubious, unchallenged statistics are often presented as fact, great dangers invoked where there are few, sometimes no, victims. Too often, the hype hasn't fit the crime. More than anything, bureaucracies like to grow, and nothing feeds them faster than saving the public from real or perceived danger.

This drama has become almost ritualistic, ever since the famous Secret Service raids on suburban hacker bedrooms in the 80's. Law enforcement, competing for bureaucratic jurisdiction over the Internet, deeply suspicious of a culture it can't understand or control, has pressed for encryption tools and standards that challenge both privacy and freedom.

Journalists, threatened by the ferociously independent digital culture, accept and relay all sorts of unfounded accusations and statistics, and seem eager to portray the Net as a public health hazard.

So when somebody is hauled out of an apartment by publicity-hungry law enforcement agents, his equipment seized, the media enthusiastically passes along reports of massive damage and danger with little or no detail or substantiation.

The brilliant loner stalking society plays into the media's shallowest stereotypes and the public's deepest fears. In the David Smith case, the media have found their latest Kevin Mitnick-style cyber-villain, another disconnected computer addict without a life, using his computer skills to prey on unsuspecting citizens and helpless companies.

The 30-year-old programmer was described as a reclusive, anti-social loner who rarely left his apartment. He allegedly named his virus after a topless dancer in Florida. He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems. As noxious as viruses are, Dillinger, in fact, would have been embarrassed to be nailed on charges like this.

Journalists reported the existence of dark and menacing viral subcultures lurking on the Net and Web, working feverishly to prepare lethal viruses. Was Smith also VicodinES, another virus writer linked in Net posts with the creation and dissemination of Melissa?

According to the New York Times, the emergence of the Melissa virus "underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild."

To hackers, thieves, crackers, perverts, addicts and porn-peddlers we now add viral terrorists - "the anarchic lure of virus writing," one paper called this new danger. Curiously, if typically, there was no hard evidence to support the suggestion that virus writing has become epidemic, or even to substantiate the police estimates that more than 100,000 people and hundreds of companies had been affected by Melissa. How would we know? Did they all call the FBI?

Stories like this one reinforce the idea - already entrenched in journalism and politics - that people need walls around their computers to protect themselves, their businesses and their families.

These walls sometimes take the form of legislation (the late CDA, for instance), and sometimes result in the blocking and filtering systems spreading all over the Net.

"Here we go," e-mailed Johnny Rocket, who creates, studies and then dismantles (but never distributes) computer viruses for fun. "There are some sick people out there, but why don't they ever check to see how much real harm is done? Mostly, they're dumb kids. But they don't do nearly as much harm as you would think from watching TV."

And not nearly as much as human beings do to one another in the real world either. A child maimed or killed by gunfire -- more than 5,000 American kids were casualties of guns last year -- doesn't get a fraction of the coverage or attention David Smith or Melissa will get.

TECHNOLOGICAL HOSTILITY

Still, for all the exaggeration, hostility is a reality online. Whoever created Melissa did cause harm and damage. And to human beings, not just machines. He or she also reinforced the false idea that the Net and the Web are dangerous places inhabited by threatening people, and in need of urgent policing. The FBI and its National Infrastructure Protection Center are ready and waiting.

Yet some programmers do generate destructive programs like Melissa and take some warped pleasure in distributing them. Some do make viruses for fun, the same way others love bar codes and study magnetic strip coding. This kind of behavior isn't new to the world, or unique to the Net. Every year, thousands, even millions, of people race trains across tracks, drive drunk through stop signs at high speeds, beat up their spouses and kids.

But one of the strange realities of Internet life is that it juxtaposes extreme anger and powerful friendship, closely and continuously.

The Net is awash in varying emotions and diverse responses. It brings support, creates community, makes communication easier than ever, and almost simultaneously spawns disconnection and hostility.

The nearly continuous dichotomy - making friends, receiving generous advice and direction, fending off flames and criticism, even dodging viruses and mail bombs - is so discordant as to be disorienting.

In many ways, the Net is fundamentally about community - bringing disparate, far-flung people together in new kinds of social groupings. You really can't go anywhere online by yourself and be completely alone. Technologically-driven hostility becomes even more important in that context, because community requires the members of a given group to talk about issues, forge common values, articulate goals.

The communicative social nature of the Net makes the former - the coming together -- easy, but the latter - rational discussion -- almost impossible. People who share an interest in Linux, open source or free software can come here from all over the world, but can they talk openly about the very thing that brings them together? Not often easily. Any half-dozen angry people can, and often do, disrupt a discussion in seconds (and not just here, but all over the Web), driving away people who are disinclined to trade insults or have better things to do. The effect is bizarre. The majority are driven underground and out of sight, the tiniest minority becomes a tyranny.

I've made my closest friends online, gotten many of my ideas and a torrent of thoughtful commentary. I am continuously supported, and educated. I am continuously challenged, attacked, insulted. Although I'm used to it, it's still sometimes bewildering to be praised and criticized simultaneously, for the same ideas and words, so immediately and intensely that it's hard to maintain a sense of reality at times.

Should you still listen to all the feedback, or make a point of ignoring it? Do you factor in age and gender? Do you credit the most articulate and impassioned critics? The most thoughtful? Or do you finally throw up your hands, and go by your own instincts?

When I wrote for conventional media - Rolling Stone (where I still write), New York, GQ and other places - the problem was simpler. I was trained to dismiss readers. It didn't matter what they thought. Nobody could reach me, except those taking the trouble to write and send letters.

But every idea advanced online is praised, attacked and criticized in varying degrees, sometimes within seconds of being published and for weeks, even months beyond.

The bulk of e-mail is radically different from most of the public posters on the site itself. Neither group, the flamers or the lurkers, seems to have much direct contact with or even consciousness of the other.

Unaware that I receive praise, the flamers expect me to go up in smoke. Unaware of one another, the lurkers reassure me. The lurkers sometimes know that ferocious, even vicious, debate and hostility is evident just a few scrolls down. The flamers have no idea that anything else is.

For a columnist dealing in opinions, this is a Brave New World, a parallel universe, my very own Matrix. It's sometimes impossible to know where one reality begins and the other ends.

CLOSING THE DISTANCE.

Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions.

Although they differ enormously in their impact, the principle is the same as scientists' and technologists' advocating the use of advanced air weapons against remote and presumably primitive peoples.

Both kinds of attacks are made possible by the disconnection technology permits. We don't see our adversaries as human beings, and don't expect to ever encounter them. So, since we have the instant and visceral technology to respond emotionally to things we fear or dislike, we attack them with the expectation that there will be no consequences. And there hardly ever are. On the Net, assaulting someone is no tougher - or riskier -- than pushing a send button.

Online violence and hostility, wildly exaggerated in terms of scope and danger but still epidemic, will diminish only when the distance between people is somehow closed by the same technology that now promotes it. Perhaps when audio and video-streaming permits live encounters with real-time video and sound. Or when phone, voice and visual messaging technologies fuse, and the presence on the other end appears, even in virtual form, as a human being.

Smith may or may not be the author of the virus, and it may or may not be as dangerous and pervasive as the publicity-hungry cyber-cops suggest. But it's still a great metaphor for the nastiness that has marked the first generation of the Net, and then the Web.

For me, the damage comes mostly from what can't happen: intelligent, continuous discussions, messages from the many lurkers who have powerful ideas but are not willing to endure the public assault that comes with expressing them.

The best resistance: to persevere. To listen to all criticism, no matter how crudely expressed, and keep writing and talking. To do anything else would be to give up the freedom that makes the Net unique. Some day, the Net will have its own equivalent of a "peace" movement, and mindless hostility will be perceived as the very direct threat to free and open speech that it is.

Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.

It aborts ideas.

Hostility, from flames to viruses, is an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.

And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.

"The lesson," wrote computer pioneer Joseph Weizenbaum in a 1976 essay explaining the people who advocated the advanced weaponry used to maim and kill during the Vietnam War, "is that the scientist and technologist must, by acts of will and of the imagination, actively strive to reduce such psychological distances, to counter the forces that tend to remove him from the consequences of his actions."

jonkatz@slashdot.org

This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    'Stupidity' is perhaps a little strong. I would guess that a large number of people on the internet don't really understand what a virus is and what it can do.

    By my reckoning email should be plain text (or simple HTML), and therefore unable to carry any 'unauthorised' code. The effectiveness of the Melissa virus was down to one particular program (Microsoft Word), and has proved to me how unsuitable it is as an email viewer.

    Hopefully IT departments and other users have learned an important lesson.
    Simon W.
  • by Anonymous Coward
    I know this is going to be a very unpopular view but here goes...

    The actions of Mr. Smith broke the law, therefore he is a criminal (check your dictionary). If you don't like the law say so but until it's off the books we are obligated to obey the law (think social contract).

    The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water. Claiming the victim is at fault for a crime is wrong. If a bank is robbed, is it the bank's fault because they didn't have sufficient security? If a person is robbed, beaten or raped, is it their fault because they did not have sufficient defenses? The macro capability was put there for a reason, and some people make use of the ability. Yes, there are things MS could do to tighten security but again, if I can figure out how to successfully rob a bank can I claim I didn't commit a crime because 'gee, they left this big security hole so it must be their fault'. The damage and lost productivity that this virus caused is real and cost firms real money, it shouldn't just be written off as a cool prank.
  • by Anonymous Coward
    The way company networks are being attached to the Internet, you cannot possibly expect everyone to be knowledgeable about what to do and what not to do. Additionally, it isn't likely that companies will spend the money to train everyone about network use, just like they will not train everyone in sales or purchasing or logistics...

    The reason sysadmins are in such high demand, the best of whom can pretty much write their own paychecks, is that they are the ones responsible for keeping things going and heading things off. True, you cannot stop everything from coming through, but you have to realize that the average employee in your company is going to open any attachment without thinking twice. It is your job actually, to ensure that they learn as little as possible -- and what I mean is they learn what they need to do their jobs and not waste time on anything else -- no one can possibly be expected to learn everything (and to resurrect the arrogance thread from a few weeks ago, when you're being paid, "Read the book" is not an acceptable response to a question).

    Educate the users in your company to a point (what this point is can vary, but maybe a networking orientation for new employees where you tell them about the basics, or what most people in this group would call common sense); but beyond this, it's up to you. Sorry, but you're going to have to earn that paycheck.
  • ...of course it is no use arguing if the writer of a virus is absolutely free to spread his code without being punished for it - writing viruses is a crime in all laws that i know of.

    But definitely the other parties involved in making this kind of virus possible at all are to be blamed - and there has to be consequences for them as well.

    If I buy myself a car (just as some people bought themselves ms windows) which has some cool electronic computer-thingies in it (something like ABS or whatever comes with new cars) which is manipulable from the outside (like windows computers are), no one would react to a problem similar to melissa in the way that people react to melissa.

    imagine the new daimler-benz s-class car being manipulated by an aol-user kiddie who used some well known bugs in the car's software - resulting in the car not braking any more, driving against the wall at 150mph, killing people.
    yeah i know some of you think 'this is something completely different than melissa'.
    but hell - where's the difference ?

    the guy who crashed the car deserves punishment. no question there.

    but i believe the reaction to a mercedes having bugs similar to the bugs of windows would be quite different - you'd expect fast reaction from the media (but in a different way than in this ridiculous melissa hype) refunds, repairs on all cars of this make for free, lots of blame against the manufacturer of the car...

    well - where's the difference i wanna know... ?

    except that car manufacturers can't build weird shit and get away with it...

    think about it :)
  • by Anonymous Coward on Tuesday April 06, 1999 @09:16AM (#1947813)
    Everyone blames the bad, evil, nasty hackers. Nobody ever thinks to blame the poorly designed systems that they exploit. Why? People have been warning Microsoft for years about macro viruses.

    Ideally all virus writers would be fully accountable and we wouldn't need to assign any blame to companies that produce shoddy software. But in reality, it will be virtually impossible to catch virus authors unless they make a colossal mistake like Melissa's author did. All you have to do is leave a floppy lying around with your macro virus on it. Label the disk "teen porn". Someone will pick it up and spread the virus for you, no way to trace it back. My point? Accountability is a myth, so let's go after the designers of these fragile infosystems.
  • What kind of moron runs a macro-laced Micro$oft file from someone they don't know?

    Well, part of the reason why Melissa spread so much is that people received it from people they did know.

    Maybe a better question is: ``What kind of moron uses MS products?'' (The answer, of course, is ``Too many'').

    -Brett.

  • The reason sysadmins are in such high demand, the best of whom can pretty much write their own paychecks, is that they are the ones responsible for keeping things going and heading things off. True, you cannot stop everything from coming through, but you have to realize that the average employee in your company is going to open any attachment without thinking twice. It is your job actually, to ensure that they learn as little as possible -- and what I mean is they learn what they need to do their jobs and not waste time on anything else -- no one can possibly be expected to learn everything (and to resurrect the arrogance thread from a few weeks ago, when you're being paid, "Read the book" is not an acceptable response to a question).

    Good sysadmin will have a mail server that won't be overloaded by Melissa, his POP and IMAP servers will pass huge amount of mail without any glitches, and quotas will be set on filesystems, so users won't fill up the disk, and he won't use M$ Word by himself, so he won't participate in Melissa distribution. Users will be infected, and their mailboxes will be full of garbage, and potentially their data will be lost, but this is not what sysadmin should waste his time and efforts on.

    Because if he will be busy installing 2^32-1'th version of antivirus on his M$ Exchange server instead of configuring and maintaining reliable network, the first copy of Melissa (or whatever mutant that will still pass through his "antivirus") will cause DoS on all his services, and all his network will be dead -- for users that received Melissa, for users that didn't receive Melissa and for customers that use company's web server. And that will be far worse than few tens of thousands of email messages.

  • by Alex Belits (437)

    Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organisation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially created a "gun, which replicated itself every time someone fired a shot". Imagine a weapon like that let loose on our streets.

    Good! When more incidents like this will be brought to public attention with honest and intelligent explanation, some people actually will start thinking, what kind of standards they are following. As for you, who cares about you having or not having a choice? You work with people that can't solve the problem with idiots at work in any other way than giving everyone a system designed for idiots => you pay the price.

  • The fact that a macro can do these things is a designed-in feature of MS Office, and it's probably in Lotus and WordPerfect too. If a different Linux/Windows/Mac/OS2 office suite (er, automation platform) is immune is because it's either feature deficient, allows the user to disable certain functionality, or it has some sort of code-signing infrastructure. (I can't think of any different solutions.) Some posters seem to be leaning towards the feature-deficient solution.

    You have missed the point. The flaw in M$ design is that there is no distinction between data files and executables. Any kind of macro functionality can be implemented in office-style package without placing self-executable stuff into data files, yet M$ did precisely that -- made possible to create a file that looks just like plain document yet if displayed triggers execution of a script, contained in it in the same "context" as normal macro operations, performed by macros built into package or written by the user.

    Good design shouldn't prevent anyone to send macros just like nothing prevents anyone to mail lisp files to each other, but it isn't possible to email someone lisp source in a way that emacs (that consists almost entirely from "macros" in lisp) will automatically execute it when the user just wants to see the data.
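The data-versus-code distinction argued in the comment above, as an added example that is not part of the original thread: a mail-gateway check that classifies each MIME part by its bytes rather than by its declared type or file name. The sample message, the verdict names and the `_VBA_PROJECT` byte search (a heuristic, not a full compound-file parser) are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Signature of the OLE2 compound-file container used by Word 97-era .doc files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Directory entry names inside a compound file are stored as UTF-16LE;
# "_VBA_PROJECT" is the stream that accompanies an embedded VBA macro project.
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")

# Hypothetical verdict names for this example.
DELIVER, HOLD, QUARANTINE = "deliver", "hold", "quarantine"


def classify_part(part):
    """Decide on one MIME part from its decoded bytes, not its label."""
    data = part.get_payload(decode=True) or b""
    # A compound document is a container that can carry code, whatever the
    # Content-Type header or the file extension claims.
    if data.startswith(OLE2_MAGIC):
        return QUARANTINE if VBA_STREAM in data else HOLD
    if part.get_content_type() == "text/plain":
        try:
            data.decode(part.get_content_charset() or "ascii")
            return DELIVER          # really is text: pure data
        except (UnicodeDecodeError, LookupError):
            return HOLD             # declared text, but does not decode as text
    return HOLD                     # anything unrecognised waits for review


def inspect(raw_message):
    """Return (name, verdict) for every leaf part of a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [
        (part.get_filename() or "(body)", classify_part(part))
        for part in msg.walk()
        if not part.is_multipart()
    ]


def build_sample():
    """Constructed sample message; the 'documents' are stand-in byte strings."""
    macro_doc = OLE2_MAGIC + bytes(504) + VBA_STREAM + bytes(64)
    plain_doc = OLE2_MAGIC + bytes(504)
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.\n")
    msg.add_attachment(macro_doc, maintype="application", subtype="msword",
                       filename="figures.doc")
    msg.add_attachment(plain_doc, maintype="application", subtype="msword",
                       filename="memo.doc")
    # Same macro-bearing bytes, mislabelled as plain text.
    msg.add_attachment(macro_doc, maintype="text", subtype="plain",
                       filename="readme.txt")
    msg.add_attachment("Plain notes.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in inspect(build_sample()):
        print(f"{name:12} {verdict}")
```

The mislabelled `readme.txt` is quarantined because the check looks at the container signature first, which is the point of the comment: a file that "looks just like plain document" has to be judged by what it can execute, not by how it is presented.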

  • I'm really tired of people attempting to justify malicious actions by saying that the victims "deserved it" because they are "morons". (The most obnoxious case of this, of course, is saying that a rape victim "deserved" what she got because of how she dressed, how much she drank, etc. But it applies just as well to acts of electronic vandalism, such as virus writing and cracking.)

    If someone leaves his back door unlocked, sure, he's a moron, and in some sense, he deserves to get burglarized. But that doesn't make the burglar any less a criminal!
    --
  • The company that makes Tylenol was held accountable for the deaths of 7 people when someone put cyanide in some acetaminophen capsules and replaced them on store shelves.

    They were held liable because it was found that they could have reasonably known that at some point someone could attempt to do such a thing, and had taken no steps to prevent it.

    Point that logic at the Melissa virus. Microsoft made it possible, they know it's possible, and they've taken virtually no action to prevent it. If liability under the law is consistent, shouldn't they be held at least partially liable?

    Many have pointed out the terms of the EULA as being Microsoft's ace in the hole, in that they disclaim any and all liability. I would just like to point out that AFAIK, EULAs have yet to be shown to be valid contracts, and additionally, many jurisdictions have laws specifically outlawing this type of disclaimer.

  • The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water.

    The message earlier suggested that Microsoft be held partially responsible, since their software could have had security mechanisms built in, and Microsoft refused to do it (in some cases, suggesting that macro viruses were the responsibility of the user - "You should be aware of what you're running" or words to that effect).

    Mainframe environments have had security built in for ages, and it's impossible for a virus to even exist. Microsoft wants to play in that same market, but they don't want to be held to those same standards. Well, I for one disagree. (In fact, I find it amusing that the Melissa virus apparently ran through Microsoft's internal mail system like a hot knife through butter. Hoist by their own petard.)


    ...phil
  • Posted by PasswdIs ScoreOne:

    Since this is the first time anyone is being prosecuted for writing a virus, I fully expect the gov't to prosecute this case with a unique zeal and determination seldom seen. And if the rights of the accused and due process are not adhered to, so what? We've got to send a message to all these 'hackers' out there lest we end up with a nation of potential cyber-terrorists.

    Kevin Mitnick: Four years in jail. And still not even a trial. Who's next?
  • Posted by wadageek:

    I agree with:
    "Creating a virus is an art. It is no different than the kid of your generation who took the radio apart just to put it back together again, even if some parts were left out. It is a natural instinct in humans to figure out how things work. "

    But I disagree with:
    "If you create a virus in order to show explicitly the obnoxious security holes in Microsoft or other OSs, you are doing the general public a service."

    Saying that is like saying that vandals do the general public a service by underscoring the need for everyone to have security!

    You may not be a thief if you do not make money from it - but you are in essence a vandal and a criminal.


  • my point was not that everyone should be sued for everything they're remotely responsible for.

    my point was about that GROSS NEGLIGENCE. everyone can make a mistake. but making the same well-known mistake over and over again is a different issue.

    in other words, my employer can not fire me for trashing the network. (at least according to german laws he can't.) however, if I do it several times, always because I ignored basic procedures, then he very well can.


  • I must apologize for my lack of knowledge on this particular case. I was unaware of the details as you write them, because nothing like that was published over here.
  • by Tom (822) on Tuesday April 06, 1999 @09:20AM (#1947826) Homepage Journal
    the #1 sickening thing about the whole melissa hype is how it distracts from the facts.

    here we have a collection of well-known security holes practically screaming "exploit me". they should've been fixed for years, but instead they've been put deeper and deeper into the very design.
    yes, I'm flaming micro$oft, but it's not them alone. it's the armada of clueless who, far from being honest about what they know and what they know nothing about, not only BELIEVE, but carry the word along - "integration is good for the customer".

    in my country (i.e. germany), when I break into a bank and it is found out that the bank's security company made my job considerably easier by leaving out standard security procedures or making serious mistakes that a security company really shouldn't make, it can be made liable for parts of the damage done.
    in the states, you have those idiot cases where macdonalds is sued for the same thing - negligence - because they forgot to tell some fool that hot coffee is, well, hot.

    I wonder whether micro$oft will be sued for melissa-incurred damages. if you can sue macdonalds for hot coffee, then sure as hell you should sue micro$oft for gross negligence of basic security procedures.
  • Of course it's not *all* MS's fault. Many many many people turned off the security features in Word.... AFAIK you have to skip through several dialogs before Melissa can get into your system. It is the users who are dumb morons...

    Of course if everyone stuck to plain text none of these things would happen regardless of what email program or OS you use... apart from the odd buffer overflow ;)
  • Yes, it was irritating, yes it was malicious, but so is country music

    ITYM "Hip-hop." HTH.

    ...

    I agree with you though that as annoying as this was for people, they should put most of the blame on themselves. Of course, Microsoft deserves quite a bit of blame, too...

  • Exactly.

    The longer this goes on the more likely we are to have laws passed that are supposed to stop crackers and virus writers. And with these laws in place, when a new virus comes out or a system is compromised the public will say "How could these evil people be breaking the law like this... why can't the government stop them?"

    When the public has this outlook, it will be even easier to get more such laws passed (you want to stop these people right... well then give us more power).

    It's a self-propagating problem... and the longer it goes on the less likely anyone will be to question the quality of the software being compromised. The blame will be placed on the criminal or on the law enforcement agents unable to catch the criminal... and microsoft can continue to produce software with integrated virus hooks.

    We can't expect end users to wake up and start holding microsoft (or any other company) accountable overnight. It's up to people like us... programmers, who need to make software that is secure... and more importantly, MIS people who must demand more from their software...

    It's about time someone got fired for choosing microsoft when the solution simply didn't fit the problem... the whole "it's from vendorX just like everything else we run... it must be the most suitable solution for us" mind set has to be abolished.

    But who's going to take the first step?
  • I think he was meaning depersonalization rather than anonymity. Many (certainly not all) flamers would not behave the same way in person even in a group of strangers who never exchanged names (Even if non-violence was somehow assured).

    The difference is that even though nobody has a name, they relate to each other as people. Put a partition and a teletype between those same anonymous people, and let the flamewars begin.

  • I find it interesting (in a sick sort of way), that the virus writer basically pulled a prank on the order of simple vandalism, and is facing more punishment than a murderer.

    Truly, he deserves punishment, vandalism is a crime. He should be looking at restitution, a fine up to $1000 and up to a year in jail. Instead, he faces 40 years (for all practical purposes, life).

    I suspect that fear plays a large role in that. It's not a few email servers crashing that inspires all of that, it's the fear that one person could trivially cause all of that trouble, and make essential, ubiquitous, and 'incomprehensible' PCs turn on their users.

  • I have to wonder if the many businesses using MS products have yet understood the implications of the gaping security hole in Word. This is where MS should get their punishment for crappy security. After the fine demo of the problem, the people who make software decisions should be re-thinking their word processors. Somehow, though, I suspect it's going to take another ton or two of bricks to make that happen.

    For example, someone I know once did a security demonstration to convince management that macros (in Notes) were a very bad idea. The demo was to send a 'humor of the day' email to the vice president of the company. The email had a macro that sent a PGP signed letter of resignation from the vice president to the president. Macros were ordered disabled immediately.

    I have to wonder what the ramifications would be if a gaping security hole were exploited to cause some person harm. (for example, a word macro that changes any instance of 'Bill Gates' to 'Bill "Hitler" Gates'). Now, a document that has been infected and modified in that way is widely distributed. Would the company that distributed the document be held negligent for allowing a large security hole to cause them to libel Mr. Gates?

  • Of course, if people try not only to carefully and properly express themselves in text, and more importantly keep their cool and try to understand their fellow man, the depersonalization is rendered moot.

    For the most part, I agree. My only reservation is those people who flame first, read never. But, I suppose there always have been people like that, and there always will be.

    As for anon postings, I think they can serve several valuable purposes. After all, sometimes people have important things to say which could get them fired. Others are just terribly shy and should be allowed to interact at a level they're comfortable with.

    Of course pseudonyms are relative. For all I know you used your real name, and for all you know, I am a pseudo.

  • MS liabilities are interesting, but I'm also talking about a company who buys a MS product. The argument being that ABCco knowingly and negligently used a product with security flaws and as a result libeled a customer. (At least that's the argument)

    That sort of thing is not without precedent in civil court, but usually applies to physical security and safeguarding another's property. I'm not sure how it might play out for software.

    I am not a lawyer, nor do I play one on TV (but I saw an episode of "Matlock" once!)

  • With the recent publicity on bedroom hackers ISPs came up with some new rules. Mainly, they give you 9Megabits/sec, but the only software you can use on their LAN is Windows running a MSIE client.
  • I'm not sure whether or not the concern about Melissa might be actually justified. IMHO, the environment many people use these days for computing is responsible for a lot of the ease with which things like Melissa spread.

    Believe it or not, viruses are something that have to be taken very seriously. Especially by the people who build OS's or distributions. If they're negligent, however, no amount of panic from anyone else is going to stop things.

    I don't think Linux is virus-proof, but at least it isn't a "hey look at all these macros!" sort of petri dish...
    Phil Fraering "Humans. Go Fig." - Rita

  • the more I read about the hoopla over this virus, the more I want to switch industries to something less blatantly silly and immature (like concrete production)

    - It has become clear just HOW stupid ZDNet and its target readership are. I still can't fathom that people actually ate up the dumbed-down explanations, the conspiracy-theory GUID matching saga, the prediction of hundreds of millions of dollars of lost productivity, etc. It was a BENIGN MACRO VIRUS! This doesn't deserve a whole "special report".

    Of course, on the bright side, the "truly professional" trade rags, like InformationWeek or InfoWorld, barely had a peep about Melissa.

    - People who were affected were those who were stupid enough to click "YES" when the "Do you want to run this macro (which may be a virus) ?" question came up. I have little sympathy for them or their IT departments. Macro viruses have been a well-known threat for years, and avoidance training should have been provided.

    - The obtuse "virus protection schemes" from IT shops are beyond ludicrous. Go to Bob Lewis' infoworld column this week and read about how they removed EVERYONE'S FLOPPY DRIVE at one shop, and you now had to use a floppy under lock & key to copy disks....

    - They want to put a benign macro virus writer in jail for 40 years, when arguably, all of the damage (tied up mail servers and crashed NT boxes) were the result of a) stupid operators and b) shoddy technology.

    In all, this whole incident makes me ill. I hope that if open source does anything, it helps to bring FUD like this down to a tolerable level.
  • I was more thinking in terms of just transferring the entire account immediately :) The virus would be discovered within a couple of days, but if you infected 500000 accounts in that time (like Melissa could), it would be worthwhile. Some Germans demonstrated this with an ActiveX control, just as a little example of how amazingly defenseless THAT stuff is. Just place it on your web site and anybody visiting using IE with security turned down has a problem. The nice thing about it is that you have all this security/passwords etc to access the bank account (that most people take pretty seriously), but it does them no good at all if the data on their PCs has already been compromised. Actually, a macro virus that added a link from any index.html files on the local machine to an ActiveX control that also contained the virus (and transferred funds) would spread pretty quick.

    The point is that Melissa was really NOT that malicious, if someone really wanted to play silly buggers on this hugely dangerous combination of crap software and naive users they could do FAR more damage.
  • "He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."

    Interesting 3 crimes listed there. I guess in some sense he was guilty of 1, but I don't see how he could be guilty of 2 or 3. Does the fact that your program is running on somebody else's hardware without their consent constitute theft of computer services? w95 was running on my hardware when I bought it - can I charge MS with theft of computer services? Likewise if your data appears on another computer does that constitute wrongful access to computer systems? How about spam, can we lock people away for 40 years for sending spam, far more offensive to me than being sent a program which I would have to be a moron to run.

    Are there any specific laws against self-replicating programs? Powerful memes such as religion can be considered viruses that run on wetware and are highly contagious. Should these be illegal too?

    While I'm looking for different angles, I think he should counter-sue the US government for violating his copyright. When federal employees pressed the "run macro" button they ended up sending copies of his software to different organisations without consent. A variation of Melissa with a nice (C) on it could be an effective way of protesting daft IP laws.

    The guy has done society a huge service by waking people up to the huge security holes in their software. It would have been just as easy to send out a truly destructive virus that introduced random errors across the hard disk or appended "transfer funds" instructions to the Quicken files for people who do online banking. Now that would be an interesting virus.


  • > Where do we draw the line between a program that
    > knowingly mails to everyone in your address book
    > (so-called virus), or a program that accidently
    > mails to everyone in your address book (possibly
    > a mail program in development, being debugged)?


    ... and a piece of information which suckers you into sending it to everyone in your address book (i.e. "Good Times")?

    Everyone who sent along Melissa did so by pressing a button that said "Yes, run this attachment." They were conned into doing so, because the attachment was sent under false pretenses -- it seemed to be a message from a friend, but was actually a virus.

    Everyone who sent along the "Good Times" warning did so by pressing a button that said "Yes, forward this message." They were conned into doing so, because the message was sent under false pretenses -- it seemed to be an important warning, but was actually a hoax.

    Melissa is not entirely a computer virus. It is dependent on user interaction, making it at least partly a "virus of the mind". Where do we draw the line between a human-aided computer virus, like Melissa, and a computer-aided memetic virus, like "Good Times"?

  • Actually, most crackers I know are noisy boasters and swaggering fellows. And hackers do tend to be people who hack, yes.
  • The alleged author of Melissa was not caught using the GUID. This is a myth which was propagated, among other places, in the Slashdot article about his capture -- even though it was not mentioned in the linked news article.

    Please stop propagating this hoax. It's almost as bad as "Good Times".
  • Pardon me, Mr. A. C., but you really should learn to read what is before you before you respond to it. I recognize that this is difficult, but it is utterly necessary if we are to discuss real-world situations.

    I do not believe that the virus writer shouldn't be held responsible for his actions, nor did I imply such. I certainly do not believe that the actual victims of the virus were responsible for the damage caused, any more than the owners of the MS-robots in my fairy-tale were responsible for their own deaths.

    However, I do believe that Microsoft has deceived its customers by encouraging them to think themselves secure and protected when using their computers, when in fact they are exposed to risks which a marginal amount of responsible engineering would prevent. MS has billed its operating systems and applications software as being better than, or at least as good as, their competitors, when in fact MS software is uniformly ill-made and riddled with design flaws (not "security holes") which expose users to the kind of victimization perpetrated by the author of Melissa.

    Microsoft is not the victim of the Melissa virus, except insofar as, by using their own shoddy software, they exposed themselves to the same attack to which they exposed their unsuspecting customers. Microsoft is an accessory before the fact.
  • by Frater 219 (1455) on Tuesday April 06, 1999 @12:54PM (#1947844) Journal
    It is true that what the author of Melissa did was a Bad Thing, because it misled people and caused some amount of damage & disruption. However, this does not absolve MS of responsibility for knowingly exposing their customers to an unnecessary and unjustified risk.

    Already too many analogies have been posted here, but let me contribute just one more:

    Suppose that everyone in the world owned robots built by Microsoft. Everyone believed that these robots followed the Three Laws of Robotics, as put forth by Dr. Asimov:


    1. A robot shall not harm a human, nor through inaction permit a human to come to harm.

    2. A robot shall follow the orders of a human, except when doing so would violate Rule 1.

    3. A robot shall protect its own existence, except when doing so would violate Rules 1 or 2.


    All other robots followed the Three Laws, the Laws being embedded into the kernels of the other robots' OSes. However, the MS-robots were not so trustworthy. It is not that they were designed to harm people, but rather that while each of them bore a sticker printed in large letters "THIS ROBOT IS USER FRIENDLY" (which people took to mean that it followed the Laws) none of the MS-robots actually had the Laws programmed into them. When they did follow the Laws, it was because it was the easy thing to do.

    Sometimes the MS-robots would run around and collide with people accidentally, hurting the people rather badly. Owners of MS-robots got used to these crashes, and accepted them as a normal part of owning a robot, even though other manufacturers' robots did not crash.

    One day, a fiendish roboticist named Relkid Omadan wrote a computer virus for these MS-robots. When infected by this virus, a robot would run up to its owner, beeping happily. It would say to the owner, "Press my red button, then my blue button! Please!" As soon as the owner did this, the robot would strangle the user to death, then run off and infect twenty other robots with the virus.

    Several hundred people were killed by the infected robots, and several thousand streets were clogged up with robots running around looking for other robots to infect. The disruption was massive. M. Omadan was, of course, tracked down, tried, and condemned as a murderer and a clogger-up of streets.

    Some radicals claimed that MS, by not programming the Three Laws of Robotics into their robots, was complicit in the murders. People trust their robots, the radicals claimed, but MS-robots abuse that trust because they aren't secure.

    Were the radicals right? Or was MS just a company trying to make money by selling robots, bearing no responsibility for the fact that its robots' deceptive friendliness concealed the capability of becoming murderers?
  • Personally, I think viruses are interesting in that they are, in a sense, artificial life. Of course, I wouldn't want to be infected. I recognize the unique vulnerability of Windows 95, yet due to my "interest in gaming." it has become my primary platform. I'd like to have the flaws of my operating system proven by a capable virus writer, but on the other hand, I have no faith whatsoever in Microsoft to fix these flaws.

    The larger problem raised by the attention of Melissa and other high profile "cracking" cases is that, if this trend continues, we may have a far more draconian regime unleashed upon us. Look at it this way-- it wasn't until the fundies discovered the net that the CDA was born. All we need now is for some senator or congressperson to get hit with a mildly annoying virus or a novice cracking attempt-- and boom, agencies start to "crack down" and rev up their "asset forfeiture" programs into high gear.

  • If I go and shoot someone, who in their right mind would blame Smith and Wesson??
    Uh oh bad analogy. The guy who released the virus was also the guy who manufactured the virus. To use your analogy, it would be like holding Microsoft responsible for creating humans that were able to be killed via bullets, even though a cure for bullet-death had been discovered years prior. If Microsoft has control over the population of 80% of the people, and they have the power to make them invulnerable to bullets, it sounds like a pretty keen thing of them to do in my books.
  • I read an article earlier this (last?) week about how awful Katz's articles were, how egotistical he was, blah, blah, blah. I took note of the opinion, reserving judgement until I could read some of his material myself. I read the essay, was thoroughly impressed by it, then stunned to see Katz's name at the end. A mark of how another person's opinions can color your own, no matter how hard you resist.

    So where are all the "awful" essays he's written? I for one, having read only this article, am impressed with his style and skill as a writer. His comments and opinions on this matter are pensive, highly accurate, very articulate, and deeply insightful (oh, that all Slashdot posts by readers were this well done). Why is there this hobby on the net (at least on Slashdot) of flaming this man? The only person I've seen flambe'd to a roastier state is RMS. What's the story?
  • Paranoia.. it's all about paranoia.. and things like this.. that are very public.. make the people feel safe and secure.. where its really just a charade.. kinda like airport security.. like if i really wanted to hijack a plane.. id use a plain ole gun.. of course not.. id use plastic explosives that would be undetectable.. DUH!@#!.. but people FEEL safer walking through big ass metal detectors..

  • I agree. The problem of virii, rampant flaming, etc. can be addressed, though not necessarily solved, in several ways.

    1. Legislation
    The US government which, let's face it, has more power over the net than other governments, can heavily legislate the net and people's conduct on the net, and enforce those laws with a heavy hand.

    I don't think any of us want this; that it might happen is one of the downsides of having a government that was deliberately designed to be slow and stupid.

    2. Social responsibility
    People should be pressured into accepting responsibility for their actions on the net. This doesn't mean they shouldn't be anonymous (see my other post on that subject). Rather, people need to think their actions through and act calmly and politely as much as possible, even if they experience no direct repercussions. Responsibility is not a matter of stimuli, response. It's roughly a moral issue. But there's no way to make people act in a moral fashion (no moral way), so...

    3. Fault-tolerance
    While everyone who can ought to still act responsibly, let's also encourage the establishment of fault-tolerant systems which can absorb malicious/juvenile behavior like the liquid terminator can absorb bullets.

    Part of this means technical fixes, like not creating juicy hooks for virii, and definitely not keeping them once this vulnerability is made clear. I can't believe that Microsoft takes pride in any of its work; their stuff is real garbage on all levels.

    But another part of this is a social fix. /. has implemented one type of social fix, in the creation of the moderator/score system. Honestly, I'm not a big fan of this, as it tends to lead to other people deciding what will be read by default. This ghettoizes many worthwhile posts because of moderators disliking the author, the content or not wanting to second-guess each other and bring a low score back up.

    I'm sure there are other social fixes out there, if we'll only experiment.

    Let's do all of the latter two we can, to avoid the former, okay?

  • Yes, that probably was more of what he was getting at. Certainly the net, given that the only significant form of communication is text, does depersonalize communication. No argument there.

    Of course, if people try not only to carefully and properly express themselves in text, and more importantly keep their cool and try to understand their fellow man, the depersonalization is rendered moot.

    Understanding can come from content-rich conversation. For example, irl conversation; you can see facial expressions, differences in tone of speech, etc. But it can also be manufactured through an effort to listen openly to other people.

    I'm not a big fan of flamers, but when I do respond to them, I treat them just as I would like to be treated myself. It works surprisingly well, and I highly recommend it. If it doesn't, then perhaps you found someone not worth talking to. But the important thing is that you checked to see if that was the case, rather than assume that it was in the first place.

    Anyhow, I'm sorry for the digression from the article in the earlier post. I've really been getting fed up with the large numbers of people on /. who casually dismiss anonymous and pseudonymous postings. At least, in the comments I've been reading.

  • Horribly, horribly evil.

    God I'd hate to think of what the government would do to the net if this happened. Especially if they couldn't capture &| try the culprit.

    If you were careful though, and fortunate in certain respects, it would pretty certainly work. Good thing I don't make enough money to need to balance it on my computer. Also good that I use a Mac.

  • by cpt kangarooski (3773) on Tuesday April 06, 1999 @10:17AM (#1947852) Homepage
    Once again I just can't see why it is that so many people insist on everyone on the net being named. Untraceable pseudonyms and pure anonymity get an incredibly bad rap here, even though it's nothing compared to the degree of identification that large corporations and various governments would prefer.

    Yes, the net does have two apparently conflicting abilities. It both fosters extremely close relationships, by bringing together people who would likely never meet, with similar interests, or even who just like to talk to each other. At the same time, Katz is right in that just like the soldier who sits in a bunker thousands of miles away from the action, people can also be disassociated from each other, with the abstract, faceless ASCII world of the net insulating everyone.

    Surely the exaggerated mode of speech, with concepts strongly worded to let the intonations of the voice and expressions of the face that are so essential to speech is a contributing factor here. If sarcasm (for instance) can't be distinguished in plain text from regular speech, an emoticon is not going to help that much. Written communication _can_ convey this information; after all people have written to each other for millennia. Yet, as more people now utilize it for conversational purposes with strangers, as opposed to the well thought-out letter of old to an acquaintance, the number of people who fail to get their point across accurately has grown dramatically. I don't know if the overall percentage of these failures has increased though. I'll leave that for other people to debate.

    Getting back to my point, yes the net has these abilities, because it fosters communication. It doesn't care to whom, from whom, or how clear.

    Yet why should a person's thoughts and words be dismissed instantly only because there's no way to find out who, irl, wrote them? One of the great advantages of the net is that it's not real life. I can be a dog. More importantly, I can be a dog with something to say, and you can be a dog who wants to hear it. A name is just a matter of convenience, so as not to have to address everyone as hey-you@over-there.net. If people wish their speech to be attributed all the way back to them, that's their choice, but it doesn't necessarily mean that their words are better. Lots of people post (maybe not here, but in general) from aol or webtv or some such, which are all quite traceable. And they, because they are comfortable with their ISP, or don't know how or why they might change it, tend to get derided. Again, this is all too frequently based on a glance at a name or address, glossing over their message entirely.

    Me, I don't want real-time video or sound. I feel that written communication, aside from being a more efficient use of bandwidth for me, lets me choose my words in a way that speech generally does not. Yet I bet anyone five dollars that the minute a/v become the standard media for communication on the net, no one will bother reading text messages. Again, because of surface attributes, rather than the content. I will grant that communication may be richer by using such technologies (see above) but it's the discrimination based on relatively unimportant issues that galls me.

    Yes, the most enthusiastic flamers and hackers (that word's meaning has multiple definitions; deal) will hide behind aliases and anonymity. So will whistle-blowers, people who fear retribution, people wishing to say things that would for one reason or another prove dangerous if posted with a name, to one's safety or reputation.

    And I don't even want to get into the specter of big brother corporations and governments monitoring everyone. How many people here dislike anonymous posts, but support anonymity from Microsoft? You can't have one without the other, I'm afraid. (except possibly in Australia and New Zealand)

    I am not, however, defending the author of this or any other malicious (by intent or deed) virii. Nor those who would slander or libel others. But while I don't intend to do the lantern thing, as long as there is one good reason for anonymity, it's something we really need to preserve.

    I apologize if I've rambled here. One major gripe I have with /. is the small comment blank. It bugs me to only be able to read a few lines without scrolling, so I usually don't.

    -cpt kangarooski
  • by Bruce Perens (3872) <bruce@perens.com> on Tuesday April 06, 1999 @10:30AM (#1947853) Homepage Journal
    Microsoft's system was like a forest that hadn't had a controlled burn in decades, just waiting for one person with a match to turn it into a disaster.

    Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.

    Bruce Perens

  • Hmmm.... Just imagine...
    Set it up so it'll transfer $0.10 every month
    to a bank account someplace... Have it label
    it "MS Tax". Lesse... if there's 1 million people
    out there using Quicken...

    Interesting ideas... Wonder if someone is already doing it :)
  • by Elwood (4347) on Tuesday April 06, 1999 @10:35AM (#1947855) Homepage
    I really don't think you can blame the users for this one. It is easy for us to do, because we know computers, we understand them, and we expect everyone else to be the same. The thing is, most people could care less.

    See, as a small time sys admin, I try and try to drill into people's heads "Don't open attachments". But that don't work, curiosity and the cat. So I explain to them, never open .exes, .bats, or .coms. Anything else, after you receive it, send an e-mail back making sure the person really sent it to you (that alone can stop you from getting most e-mail viruses), and if you do open it, don't enable macros.

    Thing is, that is too much for most of my users. Why? Most of my users are middle age or older females that could care less about computers. They don't want to know a why or how on anything, they want to follow a 123 step recipe to do the little work they have to on the machines. And really, I can't blame them. Their main job has nothing to do with computers, but people. And they can do that better than I ever could. So can I really blame them for not knowing this stuff?

    The other section of people I work with is seniors that want to learn computers. These poor people are so trusting, and so eager to do right that if someone sends them something, they feel it is an insult to the sender if they don't open it. These are our grandparents trying as hard as they can to learn a way to stay in contact with their grandchildren, can I fault them for not knowing everything?

    I don't think we can blame the users. I think it is the software. When I chose an OS, I would expect that vendor to have a system that works correctly. But MS is leaving a system with huge holes right in the middle, and conspiracy mode on, but here is why I think it is.

    As a low level sys admin, I work in a place where no one knows what I do here. I go about my days, usually never talking to anyone else here, most people look at me strange when I walk down the halls. (I don't think it helps that I also keep strange hours, never turn on my main light, instead use a little table lamp so I can see the screen better and I keep my door shut and locked all the time.) Needless to say, I don't get noticed much, so I don't get patted on the back much at all.

    But because of the Melissa virus, I got my first "good job" from the Big boss in a long while, simply cause we did not get hit, some simple e-mail filters on the server was all that was needed to keep Melissa outside (an unfilterable virus would be a tough one, Melissa was easy as far as that goes). But because of all the attention Melissa got, people that did not know better thought I was superman for protecting them from her. I did nothing special, keeping e-mail filters is something every sys admin does, it is a dull part of the job. But for a three day period of time, my bosses had it in their head I was protecting the company from evil. I could have wore tights and a cape and got away with it. Even though I did something I do a million times before, this time they knew about it, and were told by the TV it was a big deal, so they accepted it.

    So you could say I benefited from Melissa. And I am not the only one. Magazines sold (When there is good news, you go out and experience it, when there is bad news, you hide inside where it is safe and watch it on TV), news shows got watched, anti-virus programs sold, IT people got kudos. Etc. People justified their paychecks because of Melissa.

    For no reason at all, everyday jobs got a lot of attention. Sure, it only lasted for what three days? But how many people are going to bring it up during their next review? How many extra units did anti-virus publishers sell? And how much more did mags charge for a back cover ad in the special Melissa issue?

    Those are the reasons Melissa was such a big deal. Melissa was just a natural progression of viruses, nothing exciting. The next one will even be that much more clever. But will it get noticed? No, these stories are only good about once every two years. That's why the gov and his lackeys had to go out and suck up the press while they can.

    This whole thing was a big non-event that made a bunch of people look good, and a poor virus writer is going to be publicly shunned for a while. He may have been stupid for writing a virus, but not 40 years stupid. Give the poor slob probation.

    Kind of reminded me of Wag the Dog.
  • I was discussing this with my grandfather...IANAL, but, what that guy did is not a crime, SFAIK. Yes, it was irritating, yes it was malicious, but so is country music. This guy getting railroaded is just another step in the wrong direction for the internet as a community.

    Well, at least I was unaffected. What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.

    "The Constitution admittedly has a few defects and blemishes, but it still seems a hell of a lot better than the system we have now."


  • Let's talk about the media's propensity for using undocumented statistics. Let's talk about that 5000 children harmed by guns last year. Just where did that statistic come from, and are they reliable? I don't think even the handgun control people have nerve enough to quote this one, 5000 children harmed by guns a year would mean that in less than five years every single one of us would personally know a child harmed by a gun. Funny, I don't know any. Am I that statistically unlikely - or is the author using precisely the same tactic he's deploring?
  • As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."

    your post is right on the money. in regard to the above, though: i recall some big american city (i want to say dc, but really don't remember) was planning to sue a gun manufacturer (colt, i believe) for this very thing not too long ago. i don't know how far the issue has moved since then. it's absolutely absurd to blame the maker of a tool for the tool users' actions. what's more absurd, though, is that people think that's a good idea.
  • I never thought of this case in terms of the idiotic cases such as the McDonald's coffee incident, but I think you have a good point. I cringe every time I see a suit over something that someone should have known better than to do in the first place, but this is different. I think the bank security example is a really good one, and people should seriously consider how we hold corporations or groups that are involved in the world's communications software responsible. Blindness or ignorance of the dangers presented by their own products is exactly what you labeled it: gross negligence!
  • In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.

    Copyright infringement on a disgusting level. In addition to that, fraud for making it look like other people were breaking the copyright laws.

    Orcslicer
  • I can see it now.. I write a word macro 'virus' just for fun to see what it can do. Say it mails itself off to, oh, 50 people. I pass this to a friend to have him look at it and like a dolt he opens it. Bam... it spreads all over.

    Stupidity will always be around, our job as sysadmins is to contain it in little clusters and beat those people to a pulp.

    Just wanted to rant a little.

    ---------------------------------------
    The art of flying is throwing yourself at the ground...
    ... and missing.
  • A lot of businesses use MS Office exclusively. It's all Microsoft's responsibility. They know quite well that the vast majority of users will never in their lives need to embed a macro in a word processing file, yet they continue to leave macros on by default.

    "So, the person should use linux, god dammit! Office suites in linux can save in MS Office format!" you say? Most people up here don't even know what linux is, much less how to install and configure it. And nothing but 95/nt is officially supported here. Linux and mac people are on their own. On top of all that, lots of secretaries need to run Outlook to access their boss's schedules and calendars to set dates for meetings and such. Does linux support that?

    The computing environment here is almost entirely Microsoft except for a couple of vax servers for some legacy services. We also rely very heavily on features of outlook for information exchange and communication. I'm not sure how outlook-compliant linux email apps are.

    So, not everyone can just tell Microsoft and all their apps to go to hell and run off and use linux. It might very well be the best thing since sliced bread, but all that doesn't matter if it doesn't integrate well with the current information infrastructure of a business.


  • by D-Fly (7665) on Tuesday April 06, 1999 @09:46AM (#1947863) Homepage Journal
    The basic explanation for why people behave so poorly in Internet interactions seems to be pretty simple: it's the impersonal nature of the medium.

    Despite the fact that users KNOW there are other real-live humans on the other end of the wires, it is hard to get past the illusion that you are interacting with a computer that couldn't care less how many ways you flame it.

    All you ever actually see is the keyboard and CRT, not JonKatz as he reads your ridiculously hostile, inarticulate rant. Actually, that's wrong; remember, it's Jon Katz, not some entity called JonKatz...

    [Think of the Turing problem]

    There is a very closely analogous situation in the "Road Rage" phenomenon. When you are driving down the highway and some idiot in a red Lexus cuts you off, you KNOW that it is actually some middle aged guy headed to his dead-end job in the city and he just wasn't paying attention when he pulled into your lane.

    But on a different level, you have been out on the highway for 45 minutes, and the music on the radio sucks, and you have started to sort of forget that the drivers in the other cars are people, and started to anthropomorphize their cars--think of them as living competitors for space on the road.

    That's why you start screaming, making obscene gestures, and maybe rear end the goddamned Lexus.

    In all our new, nontraditional relationships, we have to remember to maintain the kind of empathy we reserve for flesh-and-blood, everyday interactions.
  • Sorry, but the scope of this fella's crime was international and disabled critical business and gov't computing resources all over the place. It should make a lot of noise. The 'net is still the most liberated, unregulated piece of context in the known universe.
  • by floyd (8635)
    Exactly!

    What's really galling to me is how all the coverage focuses on the Evil Hacker. Duh. Melissa was a stupid little macro that can only exist on Microsoft products. Why isn't anyone reporting that?

    This is not the work of an evil programmer - it's the logical outcome of shitty products (windows and outlook). Hmph.
  • So go ahead and sue MS now, but what happens when a security flaw shows up in Linux? ( it cannot be!). But it has happened and will happen again... who then is responsible for the damages?

    This is not a question that can be easily answered by "Sue Microsoft!", you must consider the larger picture.

  • by Evan Vetere (9154) on Tuesday April 06, 1999 @09:21PM (#1947868)

    I read in a major weekly news magazine that the Melissa virus had clogged up and shut down tens of thousands of mailservers, and saw a few techs quoted saying it had "brought mail transfer on the Net to a standstill." The second is not true; the first is highly implausible.

    This virus relies on a human vector; it doesn't propagate with the speed of electricity or a Pentium III - it only moves as fast as a man can check his email, download a text file, and open Microsoft Office (the latter, we know, takes forever).

    I was not, and I know of no one who was, affected by this virus.

    The internet technicians who are employed in Fortune 500 companies - the ones who get interviewed about these events more than the people who designed the Net's various subsystems in the first place - need to start gauging their replies very carefully. If they don't, they'll succeed in scaring a large number of people away from the Net and reducing the importance of their own jobs. I'm pretty convinced they're doing these interviews and exaggerating impact for their own ego enlargement, so they can hear the reporter on the other end of the telephone gasp in shock.

    I could be mistaken. I hope I am.


  • for(;;;) wrote:
    Flames and viruses may both come across as hostility, but they share similar positive qualities. They're blunt ways to point out weakness in an argument or system.
    Shooting people in the head is a blunt way to point out the dangers of guns, but it's still not a very good idea. "~We had to destroy the village in order to save it.~"

  • Bruce Perens wrote:
    Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.
    Let's not confuse negligence with vandalism. If someone leaves a can of mace around and I use it to assault bystanders, they may have been negligent but I'm still responsible for my actions.

    People without self-control create problems. The tools to screw people's lives up can always be found by some idiot child with unfocused hostility. Civilization starts at the individual level.

  • Erm...the person who stole it?
  • Tom, I for one would encourage any company that lost measurable time due to this virus to sue Microsoft. It will serve one multiple-faceted purpose. The first and foremost in my mind is "Is Microsoft *really* liable for their products?". Proponents of Microsoft use this as an argument for commercial software. A backstop, a single point for all eventual complaints to return. The precedent will make software companies the real thing: a producer of content that is liable for its product. This is different than the current image of "tool producers" who, like Craftsman and Snap-On, cannot be held liable for someone using a hammer in a murder, but can be held liable for injury should the hammer break (when they claimed it would not). Either way, the definition of software companies will change forever and bring to light the problems RMS, ESR and Linus have been trying to point out all along. It will wake up software vendors to the problems of market flooding unproven proprietary products to unsuspecting consumers who think they are being served to their best purposes. Bill Gates likes to compare his innovations to the auto industry. If so, maybe he should talk with them about government restrictions such as ABS and air bags, something the industry refused to add for years. Today, they are considered the major selling points for cars, yet 20 years ago, their proposed regulation raised cries of "innovation hindrance" and "cost inflation" by car companies. Of course, the US auto industry was suffering from something a certain US software company is suffering from: perceived quality of its product when placed next to a better competing product. Most Americans know what took place over the next decade. First it was denial, "it's the Japanese underselling us", then it was FUD "buy American, it's the patriotic thing to do", then they wised up and started to produce quality cars.

    Had GM or Ford had the grip on transportation that Microsoft has on the software business, I think the end result would be different.

  • >"Is Microsoft *really* liable for their products?".

    Have you ever read the Microsoft licence? It basically says (and please do correct me if I'm wrong) that MS don't guarantee that this software will work and, if it doesn't, they aren't liable.

    With open source software, you take real responsibility for the software you're running - if you don't trust it, you can hire a programmer to check it out. If you don't like something about it, you change it. You can't do that with proprietary software. And that is why open source software is more secure than proprietary software, no matter what that lame lawyer guy says.

    Dodge
  • by The Dodger (10689) on Tuesday April 06, 1999 @09:57AM (#1947874) Homepage

    Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it? Apart from Emmanuel, who speaks out in defence of hackers who are arrested, imprisoned or charged on flimsy/circumstantial evidence made viable by hype and hysteria? Who has stood up and demanded to know why Kevin Mitnick has been imprisoned for four years without trial?

    The media aren't interested - they lap up what they're told by so-called "experts", whether they're law-enforcement officials or Microsoft hacks. When it comes down to it, the news media's main objective isn't to report the news anymore, but to gain the largest audience share. Hype and hysteria sell to the uninformed masses, who then become the misinformed masses.

    It's merely another facet of the increasingly commercialistic society we live in. I remember when the Internet was about knowledge and learning. Now it's about Porn and making money. Sooner or later, a group of people are going to get pissed off and embark on a campaign of info-terrorism which will make the whole "Free Kevin Mitnick" thing look like a fucking walk in the park.

    Ideological terrorist groups used to have to align themselves with countries like Iran and Libya in order to gain the resources to make an impact. And then they had to face public hostility in the face of innocent deaths, and the prospect of a bloody demise on the wrong end of an MP5 held by an SAS or GSG-9 trooper.

    Now, all we need is a computer and a modem. No one's going to get hurt and, believe me, conventional law-enforcement organisations will be powerless to stop a dedicated info-terrorist (not these lame script kiddies). l0pht weren't bullshitting when they said that it's possible to crash the Internet. The only reason it hasn't been done so far is because the people with the skills and knowledge aren't lame enough to do it. Sooner or later, someone's going to decide that the 'Net's just not fucking worth it and it'll be a fucking disaster - we'll see billions wiped off the US stock markets as .coms go under and I wouldn't be willing to bet against another Black Monday. Or how about someone gets control of something like DNS or whatever and holds the US Govt. to ransom, demanding the release of Jack Hacker?

    Y'know something? I hope I'm totally wrong. I really hope that none of this comes to pass and that it can be dismissed as Dodger in one of his infocalyptic moods.

    But just imagine if Melissa's creator had more malicious and destructive intentions. Just imagine if that Alternic guy who redirected visitors to internic.net hadn't been so harmless. And how many Americans expected the World Trade Centre or Oklahoma bombings?


    The Dodger
  • I agree with many people here that DOC files need to be treated as EXE files in attachments. I keep all macros disabled in all my office programs until I have a need for them. Besides, no one at work would e-mail me something with a "here is what you are looking for :-)"
  • This is truly and utterly hopeless. Someone goes out and writes a piece of software which takes advantage of a bug in a system put in place by MS. MS has been warned of this. Users have been warned of this. But nothing, if anything, has been done.

    People. *points to the cities* The people out there don't give a fuck. People are killed everyday and the news counts it off as a daily occurrence. Accidents kill people. Drunk drivers kill people. Tobacco kills people. And yet nothing substantial is done. Why?

    Why is the government so willing to step on peoples' rights to "bring the evil-doer to justice" when it comes to computer crimes but is so god-damned apathetic when it comes to drugs, rapes, murders, and theft?

    It is ridiculous.

    I don't think it's _just_ MS's fault or _just_ the end-users' fault, or _just_ the programmer of the virus's fault. It is everyone's fault. For being apathetic to problems. For running companies and BLINDLY trusting a company even when they know better. For writing programs with known bugs and not taking the time to go back and fix it. For accepting these problems as "normal".

    THESE PROBLEMS ARE NOT FUCKING NORMAL!

    My god.. if a car you bought broke down every day, you'd be pissed as hell, but you accept the fucking fact that when your computer crashes, that it's just life. That is plain stupid. ANYONE who goes through life just accepting that has something wrong with them. Either it was forced upon them or it was something they came to accept, but they should seriously consider looking over their lives again. Because there IS something wrong when our society has such a screwed up system where punishment and action no longer coincides with the actual threat.

    Someone else posted that there is a real underlying threat. That this one macro virus which _can_ be discovered, was. But what about those which can't be discovered?

    We have a REAL problem. And all the authorities can think of doing is either covering it up, getting rid of the people who are trying to do it, or profiting off of it. Whatever happened to fixing the problem?

    Solve the fundamental problem. A simple directive. But no one seems to want to do it. Complaining about costs and corporate image and all that crap. Here's some news: Someone being able to get into the corporate computers is pretty freaking bad for the corporate image.

    People are worrying about another world war with the current bombing situation. I think people should be more worried about an internal war in America with information.

    Just my two cents.


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.

  • The Melissa virus (and other macro-style virii) strike me as being more Microsoft and the end user's faults than anyone else. Greater society is quick to blame the virus programmer, but all the gaping security holes were put there by Microsoft.

    Using MS products with this type of security holes is like going out, leaving your house unlocked, door wide open, with a sign posted in the front yard saying "Hey! My house is unlocked. Go on in! The stereo's in the living room..." and then complaining when you get robbed.

    People use software with gaping security holes that they *know about* (word macro virii are old news) and then complain when those holes are exploited. If you're unwilling to close these holes, you can't complain. Of course, the other problem is that Microsoft has made leaving these holes open (sometimes) a necessity for using their software in useful ways.

  • Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it?

    Actually, traffic on various NT mailing lists has been heavily hostile towards MS design flaws in Office. ZDNet has a lengthy attack on Microsoft's approach (not fixed in Office2000) in today's PCWeek.com. Whereas earlier macro outbreaks had been pretty much confined to the desktop techs, this Melissa thing has been big enough that it's landed right on the CIO's desk. I'm sure that Microsoft has had many friendly discussions with some of their large customers about this issue.


    --
  • If you're a student or an independent contractor, sure you could switch to an alternative platform (Linux, MacOS, and OS/2 are not technically safer, but are unlikely targets just for market share reasons.)

    But the point of an office automation platform is that everyone in your organization has the same client platform to work off of. There's a de facto need for standardization in a business environment, and it has to do with more than file formats.

    Note that I said "automation platform" and not "three useful programs" - lots of people do use the scripting features in MS Office. (Although I don't, and I wish I could turn it off.) The Melissa virus is nothing more than a mail merge using your address book. One could imagine that type of thing could be highly useful for people.

    This sort of automation is not automatically exploited. Microsoft chose the stupidest route for protection - a simple Y/N question. They could have also prompted you 100 times "OK to access address book?" "OK to send mail?" "OK to modify Word Defaults?", but that would get old real quick if you were running a legitimate application.

    The other solution is a code signing infrastructure, where macros could be assigned differing rights depending who signed the code. Imagine grafting this onto the 100 million user base of MS Office - it would be damn near impossible.

    Hopefully KOffice and the other new clean design Office products can handle this problem intelligently. However right now proposing a Linux/whateverOffice solution is essentially asking users to accept a lower level of functionality to keep them safe from the scary evil viruses. If KOffice and others make the mistake that Microsoft did, just wait a few years when Linux has a more significant desktop penetration, and we'll start seeing Linux macro viruses.
    --
  • What, everybody will forget regular user accounts and log in as root, then forget all about security?

    I think you misunderstand what the Melissa "virus" is. It runs entirely in a normal user's security context (on an NT machine) and does not 'exploit' any 'holes'. It simply accesses *your* address book (which you could do manually) and sends mail (which you also could do manually) and disables the virus warning in Word (which you could also do). It does not interfere with other users on the same machine or act in a root context.

    So login security has nothing to do with it - which is entirely my point. The fact that a macro can do these things is a designed-in feature of MS Office, and it's probably in Lotus and WordPerfect too. If a different Linux/Windows/Mac/OS2 office suite (er, automation platform) is immune, it's because it's either feature deficient, allows the user to disable certain functionality, or it has some sort of code-signing infrastructure. (I can't think of any different solutions.) Some posters seem to be leaning towards the feature-deficient solution.
    --
  • I don't think the intent of the virus WAS malicious. How was he to know it would spread so quickly? If it was going to be malicious, why didn't he have it send mail to ALL of the people in the address book? It seems to me that he was trying to pull a little prank, and he grossly overestimated the intelligence of the majority of the computer-using population. And what's wrong with 40 years of gay sex? I know people who've had 40 years of it, they aren't complaining...

    -lx
  • Not me. I'm a rather quiet pin-tail duck, and I'm sick of getting confused with people who exploit poor computer security! Wake up, media! Make up a different term for those people. We had it first.

    -lx
  • for the poor ones that get caught. I know what they did was wrong bla bla bla, but in most cases they are awesome programmers, and are doomed to never touch a computer again. Personally, I wouldn't survive too easily...
  • Sure, it was irritating and malicious, but not in the way country music is. If you don't like country music, you just change the station or go to another bar. Not liking the virus doesn't help if you're the tech responsible for cleaning it up. You just cancel your dates for the next few days, maybe give away an expensive pair of theatre or game tickets, and spend your evenings fixing the trouble that this guy caused.

    I don't see how this is different from, say, shouting `fire' in a crowded theatre. Sure, chances are that nobody really gets hurt. But it's still making innocent people's lives less happy.

    cjs

  • >>>Someone might try, but that nasty software license will get in the way, you know, the part about Microsoft making no warranty or guarantee of suitability for their products other than being liable for replacing the media they come on...
    This license, like every other license, contract and/or agreement, was written by lawyers, for lawyers. Hence, it can be broken by lawyers, modified by lawyers and challenged by lawyers. Just because some company slaps a string of words on a product does not make it legally binding for all time IF there is indeed demonstrable negligence involved.

    Case in point..amusement park rides. They all have their standard disclaimers.."ride at own risk" sort of things. But if one of them fails mechanically and it is due to negligence, you can bet the lawsuits would be flying fast and furious. Disclaimer or no disclaimer.


  • Press ALT+F4 now to test your IQ.

    There, all the braindead users who don't know their own computers should be gone now...

    If you run a program you do not know, prepare for a big surprise. It's a feature of your computer to do things. Learn your appliance.

    It's a shame that people who actually NEED the "Do not use hair dryer while bathing" warning labels are allowed to own a computer, or a car, or God forbid, even a gun...

    Maybe if we were not so bent on protecting the public from its own stupidity, the average IQ would rise in tandem with the resolution of the overpopulation problem.

    There was a time when a virus was a piece of art. Not that I condone malicious virus programming, but it required hacking (the pleasant version) skills to do. You had to hand assemble the beastie, squeeze nifty little features into a few dozen bytes. Now Joe Shmoe can drag, drop, click and send. My question is, what happened to the artists? Did they all turn to OSS, for the satisfaction of being able to put their name on their work?
  • I certainly hope that that lawsuit went nowhere. It would set a very dangerous precedent. If a gun maker were to be held liable for murders and accidents involving their product, where would it end?

    Would Anheuser-Busch and Ford be defendants along with the drunk driver?

    And you're right. It's the populace that is to blame. The legal maneuverings are, after all, intended to benefit the public (or am I totally naive, and it's all the lawyer's fault?). The idea that someone would have the stones to sue McDonald's for having doused their own crotch with scalding coffee, is ludicrous. These people should not only be laughed out of court, they should (as per British rules) be made to refund the cost of the frivolous lawsuit. Further, they should be kept from breeding more idiots.

    However, there is some strength to the argument that M$ is at fault, at least in part. Tech-minded people have known for a long time, that M$ Office is swiss cheese, security-wise. This has been said elsewhere in this forum numerous times. M$, IMHO, has shirked the responsibility of keeping the PAYING public informed about the shortcomings of their product. Mind you, they are not obligated to fix it, it is their product to develop as they will. But, they have the moral obligation (uh-oh! How objective can THAT be?) to keep their customers aware.

    Here Ford has them beat hands down. If something more than nominal rust appears on a tranny-mount, they issue a recall and have it replaced free of charge. (Just got a notice regarding my father's Lincoln) And you can't argue cost, since M$ is making money hand over fist, and their production costs for a patch are nil.

    What the software industry needs is a vocal watchdog organization to point and yell each time the emperor streaks the town square. Maybe some of the primus mobilae of OSS could knock heads together and propose a Software Underwriters Association?
  • Interesting point. Where is the list (I'm sure it's long) of bugs present in M$ e-Comm related software? Anything from FrontPage to ISS and MTS.

    If these, in the presence of nominal conditions, can be shown (or even more effectively MADE) to cause serious financial (or even public opinion) losses to major corporations, M$ would find themselves under tangible pressure to do right.
  • Yes, writing a virus and releasing it into the wild, is a bad, bad thing. Bad boy Davy, go stand in the corner and don't ever do it again...

    But does he really deserve this level of persecution? I don't think so. The man has been set upon by rabid dogs, half of them ignorant of the technology involved, and the rest trained by the Federal government to be heavy-handed and vicious. Security and conformity enforcement through intimidation works. Da Comrade!

    The effect of what he did, intentions aside, is not far removed from the Morris Worm. Yes, Morris was prosecuted and punished, but even the government admits that it was a curiosity that ran away from a controlled environment. It's not like this guy (Smith) is Geoffrey freakin Dahmer. He's a geek, who for one reason or another, wrote an annoying bug. Sure, it touched many computers, but what DAMAGE did it really do?? It got a lot of IT people money for systems improvements, it gave many anti-virus softwares welcome exposure. It was a boon, and it got attention. Who got hurt?

    Dave Smith. He will be prosecuted to the fullest extent of the law, by an ignorant, ham-handed mechanism that's been eager to sink its teeth into a non-celebrity, just to show that you can't fight city hall, even with a computer.

    "Oooohh!!! Scary computer people will launch nuclear missiles with a virus!" IMHO that bespeaks badly of the federal and military security, not the crackers who are being compared to the John Gacy's of the Internet.

    As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot someone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."

    Feh!
  • "Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions. "

    Some of us have no problem in being close, personal AND attacking you. Why would you think I wouldn't as soon smack you as look at you if I was so inclined? Fear? Consequences? Sure - just get really good at dealing with the consequences or minimize the consequences by understanding the reactions that may be generated. Woah - is this hacking?!? :b
  • This reaction isn't surprising. A basic instinct is for people to be afraid of what they don't understand. The vast majority of the population doesn't understand computers, much less hackers. So the reaction is total fear.

    This doesn't excuse the reaction. I generally feel that what makes humans human is the ability to react AGAINST our basic instincts!

    Melissa was just the "internet worm" for 1999. (I still wonder if I saw the author of the worm at last year's Linux Expo. The name on the name tag was right, as was his apparent age.) It wasn't a big deal. But some people are still afraid of the dark.

    For more info on the internet worm, read
    http://www.alw.nih.gov/Security/FIRST/papers/virus/gao.txt

  • MSNBC (go figure!) wrote an article asking whether or not MS is partially to blame for these problems. Obviously (given their parentage), they don't come down too hard on Microsoft, but they don't let them/themselves off the hook that quickly, either. Check it out. [msnbc.com]
  • At the risk of writing a "me too" post... me too, brother. Taken to its logical extreme, that line of reasoning implies that if your web server is attacked, you deserved it for not firewalling it properly; if you get hit and killed by a drunk driver, you deserve it for being on the road on St. Patrick's day (or New Year's Eve, ad nauseam); if you're mugged, you deserved it for not being able to defend yourself.

    And you know what? A lot of this computer stuff is pretty complicated. You and I understand what we do because we are either smart, or worked at it really hard, or were indoctrinated in a techie culture, or some combination of the three. Saying nasty things about "kl00l3zz n3Wb33z" just makes it harder for people trying to get by, and that sucks.

  • A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.

    You don't even need to do this. Everything you write is automatically copyrighted by yourself regardless of whether you put a (C) on it or not. Of course, if you haven't filed the appropriate paperwork with the appropriate government agencies then defending that copyright in court can be difficult.

    It would be interesting to see what affected companies would say if you sued them for copyright infringement for running your virus without a license. :-)
  • by kaisyain (15013) on Tuesday April 06, 1999 @11:36AM (#1947895)
    For someone who claims to be interested in the facts your apparent ignorance of the McDonald's case is interesting.

    The coffee, maintained at a scalding 180F-190F because the customers supposedly "like it hot", caused severe third-degree burns. She spent seven days in the hospital and was treated with skin grafts.

    Initially she only wanted payment for her medical bills but McDonald's refused to even negotiate with her. Consequently she contacted an attorney who had settled another coffee burn case with McDonald's. In the course of the trial company documents revealed that "in the past decade McDonald's had received at least 700 reports of coffee burns ranging from mild to third-degree, and had settled claims arising from scalding injuries for more than $500,000."

    Despite knowledge of the hazard, company officials refused to warn its customers. "There are more serious dangers in restaurants." And given the 1 billion cups of coffee sold annually, McDonald's considered the number of burn complaints to be "statistically insignificant".

    After hearing such testimony a jury found McDonald's liable and awarded $200,000 in compensatory damages. The jurors deducted $40,000 for contributory negligence. Also, given McDonald's conduct, the jury awarded $2.7 million in punitive damages, which was equal to 2 days of coffee sales.

    Later the judge reduced the punitive award to $480,000. While awaiting appeal the two parties settled out of court for an undisclosed sum.

    The #1 sickening thing about the whole McDonald's coffee hype is how it distracts from the facts. I suppose you just glibly believed whatever it was the mass media told you about that McDonald's case didn't you? Why do you expect anyone else to behave differently when it comes to the hacker culture (or whatever you want to call it today)?
  • Some dork writes a prank virus, and he gets threatened with up to 40 years in jail. He would have been better off to go shoot someone. At least then he would only be looking at around 7 to 10 years. Now I don't mean to trivialize murder. The point I am making is that this guy basically pulled a prank. He didn't do any tangible damage. Things are getting way out of hand. The GOVT has too much power. Why take away this man's future for a stupid prank? Why is this a crime at all? This is more humor than anything. Microsoft shouldn't have left so many stupid doors open in their software.
    Anyhow, that is my take on things.
  • This joker didn't send out emails saying "Open this Word Document to spread a virus to a bunch of folks in your email list", though.

    And why should this guy have 'every right' to write a virus that screws with people? Calling the victims 'stupid' doesn't wash... 'uninformed,' perhaps, and that still doesn't excuse it. The *intent* behind the virus was malicious, and I challenge anyone to deny that.
  • Correct me if I am wrong, but I am under the impression he was caught because of a string of code, undocumented, added to every word/excel document that takes a user's registration code and system settings and generates a unique id which is then sent out with everything he writes!

    Close enough for Microsoft work. According to the news story cited in last week's /. Melissa coverage, the actual tracing was done by comparing the MAC address (a unique identifier on every network card, necessary for networking to work) which was embedded in two documents -- the Melissa virus's host document, and some documents on this guy's web site.

    So, the information being inserted by Microsoft Office into your documents is your MAC address (a.k.a. your NIC address, or your ethernet address, or "those funny numbers that your network driver displays when it starts up").

    Yes, this is a legitimate privacy issue. If you value your privacy, then perhaps you should not use Microsoft Office.
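
An added sketch (not from the thread) of the comparison described in the comment above: pull identifiers out of two files and check whether they carry the same network-card address. It assumes the embedded identifiers are version-1 (time-based) UUIDs in text form, whose last 48 bits are the node field; all sample bytes are constructed.

```python
import re
import uuid

# GUIDs in the usual 8-4-4-4-12 hexadecimal text form.
GUID_RE = re.compile(rb"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def node_addresses(blob: bytes) -> set:
    """Return hardware addresses carried by version-1 GUIDs found in blob."""
    found = set()
    for match in GUID_RE.finditer(blob):
        guid = uuid.UUID(match.group().decode("ascii"))
        if guid.version != 1:
            continue  # only time-based GUIDs carry a node field
        node = guid.node  # low 48 bits of the GUID
        if (node >> 40) & 0x01:
            continue  # multicast bit set: node is random, not a NIC address
        octets = [(node >> shift) & 0xFF for shift in range(40, -8, -8)]
        found.add(":".join(f"{o:02x}" for o in octets))
    return found


def shared_nodes(doc_a: bytes, doc_b: bytes) -> set:
    """Addresses that appear in GUIDs of both documents."""
    return node_addresses(doc_a) & node_addresses(doc_b)


# Constructed sample data: three byte strings standing in for file contents.
DOC_A = b"\x00Title\x00{6f1c2a40-d8e1-11d2-9a3b-00609712abcd}\x00"
DOC_B = (b"\x00{0b7e55c0-e0f4-11d2-8c21-00609712abcd}"   # same node, later timestamp
         b"\x00{3d813cbb-47fb-4c2a-9f0e-5a1b2c3d4e5f}\x00")  # version 4: no node
DOC_C = (b"\x00{a1b2c3d0-d9aa-11d2-b001-00a0c9445566}"   # different node
         b"\x00{11111111-2222-11d2-8000-01aabbccddee}\x00")  # multicast bit set

if __name__ == "__main__":
    print("A and B share:", shared_nodes(DOC_A, DOC_B))
    print("A and C share:", shared_nodes(DOC_A, DOC_C))
```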

  • Driving against the wall at 150mph, killing people. Yeah, I know some of you think 'this is something completely different than Melissa'. But hell - where's the difference?

    There are several differences:

    • The Melissa virus did not kill or harm anyone. This is extremely important -- a lot of people are losing their perspective about this.
    • The Melissa virus is real, not hypothetical. We can discuss hypothetical situations all day long, but they don't carry nearly as much importance as real situations.
    • The Melissa virus involves computers, and not cars. A lot of people react differently to computers than they do to cars, despite the fact that the car is an order of magnitude more expensive and arguably more complex and harder to work with. (How many people here could reinstall their operating systems from the original media? How many could rebuild their car from replacement parts, if given all the necessary tools? Now turn these questions around and apply them to the non-computer-savvy people you know.)

    I liked the Tylenol analogy the best. Businesses hit by this virus should get together and file a class-action lawsuit against Microsoft for contributory negligence. Even if the lawsuit is settled out of court in secret, or takes years of tedious litigation, the public exposure of Microsoft's gaffes would be a service to the computer industry. And the time to do this is now, while the Melissa virus is still fresh in people's minds. Remember, the outcome of the lawsuit isn't as important as the perception of Microsoft that the lawsuit would create in the public consciousness.

    It's about time we (the hacker community) used big business's tactics against them. We don't even have to do much -- just encourage a few upset people to seek justice. And we're not lying or misleading -- we're only telling the truth.

  • Folks, consider the source here... Jon Katz is not writing about Microsoft (which I acknowledge has not done a very good job securing VBA -- why should a VBA macro be able to access my e-mail address book without permissions, etc.?), he's writing about the societal response to bad news and the Internet.

    Then he makes (IMHO) a valuable connection of the similarity in psychological distancing involved in the use of high tech killing weapons. The 'Internet Creeps' (the so-called dark side of the Internet: porno junkies, perverts, crackers, flamers, etc.) have the advantage of anonymity from their intended victims that allows them to launch whatever type of attack they wish, without responsibility for the results of their actions.

    Freedom without responsibility invariably leads to anarchy. Let me offer several examples.

    • I am (not being an ex-convict, or otherwise restricted) 100% free to buy a gun. I am not 100% free in how I use it.
      Use it wrong, and I am subject to arrest for breaking the law.
    • I am free to buy the ingredients which mixed together, could make an explosive or illegal drug.
      But if I make the explosive or drug, again, I am breaking the law, and deserve the consequence of my actions.
    Similarly, I am free to write an unbelievably malicious computer virus. I am not free to distribute it without consequence. But even these thoughts are not 100% what the article is (IMHO) trying to focus our attention on.

    Either we work together to make the 'Net a more livable, enjoyable, and safe place to co-exist, or we do in fact deserve the heavy-handed law enforcement and media responses which would undoubtedly otherwise follow.

  • by shri (17709) <shriramc@gmail . c om> on Tuesday April 06, 1999 @09:53AM (#1947905) Homepage
    I am not sure of the legal framework that goes into "making a virus" and propagating it, a federal crime. However, here are my observations on how this thing went about spreading itself in the company I work for.

    a) My company is a respected and technical organisation with about 2000 people in it. We tend to work mainly with Fortune 500 type outfits.

    b) Unfortunately, we are a Microsoft-centric company. This is true in development and also very true in our company's sales organisation. Everyone without exception has to rely on Word and Exchange for their correspondence, document creation. i.e. MS software is core to our business.

    c) We were hit quite badly, but luckily enough, the media had created enough of a frenzy on TV and in the local newspapers that we escaped the consequences.

    Now onto a brief analysis of what I see as a growing problem, which a lot of Linux folks are oblivious to, or tend to have an elitist attitude towards.

    It is easy for a corporation to select MS products. In the good old days no one got fired for selecting IBM, these days no one gets fired for selecting MS products. This in my opinion has happened because of the "dummification" of the industry overall.

    Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organisation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially create a "gun, which replicated itself every time someone fired a shot". Imagine a weapon like that let loose on our streets.

  • by dillon_rinker (17944) on Tuesday April 06, 1999 @12:42PM (#1947906) Homepage
    Your post tends to support the idea that MS is liable for damages caused by their software. McDonald's makes their coffee too hot. A woman accidentally pours it on her genitals. A jury finds McDonald's liability to be $160K and the woman's $40K. MS sells an office suite that defaults to totally insecure. On their web site, there is doubtless information about how to secure it, so a customer is at least partially liable for damage caused by macro viruses, but I believe that Microsoft could also be found liable for some damages. Of course, the EULA states something to the effect that by using their software, you agree that any harm is your fault. Too bad McDonald's didn't put a EULA on their coffee.
  • ... but it's not actually 5000 kids killed by guns. It's 5000 kids killed by morons wielding guns. Be those morons kids themselves, or no, those are the facts.

    Guns don't kill people. People kill people.

    Too much sensationalism. The only way to combat this type of thing is via EDUCATION, EDUCATION, EDUCATION. One of these days, hopefully, people will figure out that media is not there to disseminate news. Media exists to further the cause of media, just like bureaucracy exists to further its own existence. Sensationalism, hype, and demagoguery are the tools of media and politicians, and none of it is good for us. We all lose our rights and freedoms when the ignorant are cowed by these tyrannical forces.

    Makes me want to live in a tar-paper shack in Montana and build bombs. Also makes me glad I don't own a bloody television.

    --Corey
  • Katz writes:
    He allegedly named his virus after a topless dancer in Florida.

    As I understand it, the virus was named for part of the registry modifications it makes. I could be wrong, but the CERT advisory FAQ [cert.org] says: "It was named Melissa by the antivirus software vendors."

  • by Merk (25521) on Tuesday April 06, 1999 @10:04AM (#1947924) Homepage

    Apparently if found guilty on all counts this guy could face up to 40 years in prison.

    I, for one, find this ludicrous. Nobody was killed, nobody was hurt, and as far as I know no data was even lost.

    I think, on general principles, anybody who writes a macro virus should face half the legal penalty of someone who writes a true machine-language virus. After all, in order for his/her virus to do anything the person whose computer is involved has to effectively let them, by allowing the macros to run.

    Maybe the way to divide up the blame is to say any malicious things the macro virus does to the host computer can be laid squarely on the shoulders of the virus writer. Any denial of service resulting from the virus spreading is shared between the company that has a macro-virus enabled platform, and the users who don't check for virii.

    In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.

    But unfortunately my views aren't the views of law enforcement.

    So. How is a very successfully propagating but non-destructive macro virus different from some other action resulting in denial of service? For example: the people responsible for the net clog following the Pamela Anderson / Tommy Lee videos? Lucasfilm for the popularity of the Star Wars trailers? Even the /. effect! We take down servers just as harshly as Melissa did when there's something cool to see there.

    Look out Cmdr Taco -- 40 years as some guy's bitch isn't worth the coolness of maintaining /.

  • The initial wave of media reports suggested the authorities were using the GUID to help track the virus author. After Mr. Smith was arrested, very little was mentioned about the GUID in any stories.

    The GUID in question pointed to a virus writer who goes by the handle "VicodinES". Authorities believe that Mr. Smith built Melissa by combining parts of other virii. One of the original virus elements of Melissa was allegedly created by VicodinES -- hence the attached GUID.

    The authorities do not believe that David Smith is VicodinES. In their opinion, the GUID is not reliable as evidence (this point was made on slashdot by many posters long before Smith's arrest).

    /* BTW -- I can't help but wonder if the GUID would be "reliable" if it HAD pointed to David Smith. I also wonder if it becomes useful to Smith's defense now. */
  • by DonkPunch (30957) on Tuesday April 06, 1999 @10:17AM (#1947932) Homepage Journal
    Actually, statistics like that get a LOT of media coverage. I suggest the author take some of her/his standards for factual reporting and apply it to other statistics. Where did you get the number "5,000"? What is the cut-off age for a child (25, 21, 18, 12)?

    Anyone's death by firearms is unacceptable. When I studied criminal justice, however, I saw studies that defined a "child" as anyone under 25. This includes legal adults who were killed as part of gang activity.

    If the author is going to insist on media fairness and accuracy, I would suggest also exercising it. Sensational statistics like "5,000 kids killed by guns" serve the same purpose as "100,000 computers infected by Melissa".

    Sorry to go off-topic (and sound like an NRA stooge), but that statement stuck out like a sore thumb to me.
  • I used to think that "knowledge = power" was just a cute quote someone picked up and put in their signature file.

    More times than not, nowadays, it really rings true.

    Some say the death of the Internet was when AOL got newsgroup access and every post from there was repeated in duplicate (at least) for the first week. The homogenization of "our" Internet still causes quite a bit of pain among the intelligentsia.

    I'm sorry John, I couldn't bear to stay with you for this whole article, but I think you got your point across about half-way into it.

    My company doesn't understand the Internet, what a virus is, or a macro for that matter. Our IT management did their fieldwork when ATs and VT100 terminals were the rage. They wax eloquent about punch cards and green monitors. They stopped learning a long time ago.

    They are scared, because they don't know.

    Knowledge = power

    In my case knowledge also lets me form a basis for an opinion on a subject. An opinion that usually doesn't involve "hammer them to death" tactics and thusly is not the preferred response to things like the Melissa macro.

    Scared companies and governments do dangerous over-the-top things. That's what's happening here.

    When an IT manager can't guarantee to the upper management that this won't happen again, maybe tomorrow, the fear sets in.

    Punishment, swift and aggressive is called for. Someone must be found to blame. Set an example. Show the world that you are not powerless. Try and convict the "author" or his roommate. Vilify his parents in the press. Trash his lifestyle. Whatever is necessary to apportion the blame. Because it can't be MY fault. I was only following orders. From Microsoft, my anti-virus company, the manufacturer of my computer, etc.

    That's the way it works around here: Plausible deniability.

    Really sick stuff. Shift the blame to someone who cannot possibly defend himself.

    That's the American way.

    Jack
  • by Madhatter (33678) on Tuesday April 06, 1999 @09:36AM (#1947940)
    If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun (if it was him responsible for spreading it) and people very stupidly opened up stuff they had no idea was about. Is he to blame for everyone being so lax about their own security in the computer world?
    On top of that, I've seen entire mail networks brought down by one lone dumbass who hits reply all to a system e-mail that causes a crazy loop drawing in other dumbasses telling her to shut up and before long servers are crashing all over the network (MS-Mail 3.2 BTW).
    Freedom of information. He has every right to write a macro virus if he wants to. Who can prove that he did or didn't spread his Melissa ho all over the internet? I look forward to seeing how this plays out in front of a jury. The poor sots are going to be confused to hell by the end, and probably turn into disgruntled cyber-terrorists.
  • by dagarath (33684) on Tuesday April 06, 1999 @10:04AM (#1947946)

    Melissa just takes advantage of people that rely on binary executable attachments to email. MS users are of course much more vulnerable to this. How many times have you saved an attachment, set it chmod 700, and executed it?

    Contrast that with an attachment in Outlook, Outlook Express, Eudora, etc. Attachment - double click - .. oops!

    Just as Windows users should learn not to execute email attachments that are *.exe, they shouldn't execute *.doc files.

    The automatic response I expect is : "but, that's how our users work". That's not acceptable. Ignorance shall not become a defense. If a user becomes infected with Melissa, it's their own fault. They were too trusting. (perhaps sad, but true)

    Any company or government agency that was hit by Melissa needs to do some serious re-education of their users and implement some policy about email attachments. For example: 1. No *.exe attachments to email (maybe even filter them out) 2. No *.doc (or other macro containing formats) 3. All attached files should be in *.rtf or *.txt format.

    Safe Computing like Safe Sex depends on EDUCATION.
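
The three-rule attachment policy in the comment above, written as a default-deny check over a parsed message (an added example, not part of the original thread). The magic-byte comparison goes beyond the comment's extension rules, and the sample message, addresses and file names are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED = {".exe", ".doc"}   # rules 1 and 2 of the comment's policy
ALLOWED = {".rtf", ".txt"}   # rule 3: everything else is refused
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # container of binary Word files
MZ_MAGIC = b"MZ"             # DOS/Windows executable header


def verdict(filename: str, payload: bytes) -> str:
    """Apply the three rules, then confirm the bytes match the claimed type."""
    # Windows ignores trailing dots and spaces, so drop them before reading the suffix.
    ext = PurePosixPath(filename.strip().rstrip(". ").lower()).suffix
    if ext in BLOCKED:
        return "reject: blocked extension"
    if ext not in ALLOWED:
        return "reject: not rtf/txt"
    # An allowed name says nothing about the content: refuse renamed binaries.
    if payload.startswith((OLE2_MAGIC, MZ_MAGIC)):
        return "reject: content mismatch"
    if ext == ".rtf" and not payload.lstrip().startswith(b"{\\rtf"):
        return "reject: content mismatch"
    return "accept"


def check_attachments(raw: bytes) -> list:
    """Return (filename, verdict) for each attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append((name, verdict(name, payload)))
    return results


def build_sample() -> bytes:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    samples = [
        ("notes.txt", b"plain notes\n"),
        ("memo.rtf", b"{\\rtf1 hello}"),
        ("list.doc", OLE2_MAGIC + b"\x00" * 8),
        ("renamed.rtf", OLE2_MAGIC + b"\x00" * 8),  # binary Word file, allowed name
        ("setup.txt.exe", MZ_MAGIC + b"\x90\x00"),  # double extension
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, result in check_attachments(build_sample()):
        print(f"{name:15} {result}")
```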
