Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Melissa Syndrome

JonKatz posted more than 15 years ago | from the Crime,-Hype-and-Technological-Hostility dept.

The Internet 202

John Dillinger wasn't nailed with much more fanfare than the alleged creator of the now-famed Melissa virus, whose apprehension in New Jersey a few days ago drew a governor and a platoon of state, local and federal cyber-cops. This syndrome is becoming almost ritualistic. The virus and the arrest tell us a lot about Crime and Hype; Technological Hostility, and Closing the Distance that makes so much online hostility so easy.

CRIME AND HYPE: The Melissa Syndrome

John Dillinger himself wasn't arrested with much more fanfare. When police in New Jersey announced the "capture" last week of David Smith of Trenton, allegedly the creator and distributor of the now famous Melissa virus that's supposedly infected more than 100,000 computers and shut down several hundred corporate computer systems, it made front pages all over the country.

The FBI acted as if it had just rounded up the world's most wanted terrorist. The bureau rushed to hail its new National Infrastructure Protection Center, a division created to fight cyber-warfare threats following teenaged hackers' intrusions on U.S. Defense Department networks. "We will track down these electronic saboteurs," promised William Megary, the FBI special agent in charge of the Melissa investigation.

The case was such a public relations bonanza that New Jersey's governor - never before known to have uttered a syllable about the Internet -- turned out before the cameras to praise the "good old-fashioned detective work" that brought the villain to justice. She was flanked by the Attorney General and a battalion of law enforcement officials.

This reeks of opportunism and hype.

And it reflects the curious mythology of the Net and the Web, especially to the old-world institutions trying to figure out how to deal with it. The idea of a computer virus is genuinely chilling. But has it created enough damage or suffering to warrant this kind of coverage? Or is the idea of the virus more menacing than the reality?

Anybody who's been paying attention to the Net for any length of time has learned to be deeply suspicious of journalistic and law enforcement pronouncements about cyber-criminals. Both government and journalism have been fundamentally clueless about the dangers presented by hackers, virus-makers and other bogeymen. Dubious, unchallenged statistics are often presented as fact, great dangers invoked where they are few, sometimes no, victims. Too often, the hype hasn't fit the crime. More than anything, bureaucracies like to grow, and nothing feeds them faster than saving the public from real or perceived danger.

This drama has become almost ritualistic, ever since the famous Secret Service raids on suburban hacker bedrooms in the 80's. Law enforcement, competing for bureaucratic jurisdiction over the Internet, deeply suspicious of a culture it can't understand or control, has pressed for encryption tools and standards that challenge both privacy and freedom.

Journalists, threatened by the ferociously independent digital culture, accept and relay all sorts of unfounded accusations and statistics, and seem eager to portray the Net as a public health hazard.

So when somebody is hauled out of an apartment by publicity-hungry law enforcement agents, his equipment seized, the media enthusiastically passes along reports of massive damage and danger with little or no detail or substantiation.

The brilliant loner stalking society plays into the media's shallowest stereotypes and the public's deepest fears. In the David Smith case, the media have found their latest Kevin Mitnick style cyber-villian, another disconnected computer addict without a life, using his computer skills to prey on unsuspecting citizens and helpless companies.

The 30-year-old programmer was described as a reclusive, anti-social loner who rarely left his apartment. He allegedly named his virus after a topless dancer in Florida. He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems. As noxious as viruses are, Dillinger, in fact, would have been embarrassed to be nailed on charges like this.

Journalists reported the existence of dark and menacing viral subcultures lurking on the Net and Web, working feverishly to prepare lethal viruses. Was Smith also VicodinES, another virus writer linked in Net posts with the creation and dissemination of Melissa?

According to the New York Times, the emergence of the Melissa virus "underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild."

To hackers, thieves, crackers, perverts, addicts and porn-peddlers we now add viral terrorists - "the anarchic lure of virus writing," one paper called this new danger. Curiously, if typically, there was no hard evidence to support the suggestion that virus writing has become epidemic, or even to substantiate the police estimates that more than 100,000 people and hundreds of companies had been affected by Melissa. How would we know? Did they all call the FBI?

Stories like this one reinforce the idea - already entrenched in journalism and politics - that people need walls around their computers to protect themselves, their businesses and their families.

These walls sometimes take the form of legislation (the late CDA, for instance, and sometimes result in the blocking and filtering systems spreading all over the Net).

"Here we go," e-mailed Johnny Rocket, who creates, studies and then dismantles (but never distributes) computer viruses for fun. "There are some sick people out there, but why don't they ever check to see how much real harm is done? Mostly, they're dumb kids. But they don't do nearly as much harm as you would think from watching TV."

And not nearly as much as human beings do to one another in the real world either. A child mailed or killed by gunfire --- more than 5,000 American kids were casualties of guns last year -- doesn't get a fraction of the coverage or attention David Smith or Melissa will get.

TECHNOLOGICAL HOSTILITY

Still, for all the exaggeration, hostility is a reality online. Whoever created Melissa did cause harm and damage. And to human beings, not just machines. He or she also reinforced the false idea that the Net and the Web are dangerous places inhabited by threatening people, and in need of urgent policing. The FBI and its National Infrastructure Protection Center is ready and waiting.

Yet some programmers do generate destructive programs like Melissa and take some warped pleasure in distributing them. Some do make viruses for fun, the same way others love bar codes and study magnetic strip coding. This kind of behavior isn't new to the world, or unique to the Net. Every year, thousands, even millions, of people race trains across tracks, drive drunk through stop signs at high speeds, beat up their spouses and kids.

But one of the strange realities of Internet life is that it juxtaposes extreme anger and powerful friendship, closely and continuously.

The Net is awash in varying emotions and diverse responses. It brings support, creates community, makes communication easier than ever, and almost simultaneously spawns disconnection and hostility.

The nearly continuous dichotomy - making friends, receiving generous advice and direction, fending off flames and criticism, even dodging viruses and mail bombs - is so discordant as to be disorienting.

In many ways, the Net is fundamentally about community - bringing disparate, far-flung people together in new kinds of social groupings. You really can't go anywhere online by yourself and be completely alone. Technologically-driven hostility becomes even more important in that context, because community requires the members of a given group to talk about issues, forge common values, articulate goals.

The communicative social nature of the Net makes the former - the coming together -- easy, but the latter - rational discussion -- almost impossible. People who share an interest in Linux, open source or free software can come here from all over the world, but can they talk openly about the very thing that brings them together? Not often easily. Any half-dozen angry people can, and often do, disrupt a discussion in seconds (and not just here, but all over the Web), driving away people who are disinclined to trade insults or have better things to do. The effect is bizarre. The majority are driven underground and out of sight, the tiniest minority becomes a tyranny.

I've made my closest friends online, gotten many of my ideas and a torrent of thoughtful commentary. I am continuously supported, and educated. I am continuously challenged, attacked, insulted. Although I'm used to it, it's still sometimes bewildering to be praised and criticized simultaneously, for the same ideas and words, so immediately and intensely that it's hard to maintain a sense of reality at times.

Should you still listen to all the feedback, or make a point of ignoring it? Do you factor in age and gender? Do you credit the most articulate and impassioned critics? The most thoughtful? Or do you finally throw up your hands, and go by your own instincts.

When I wrote for conventional media - Rolling Stone (where I still write), New York, GQ and other places - the problem was simpler. I was trained to dismiss readers. It didn't matter what they thought. Nobody could reach me, except those taking the trouble to write and send letters.

But every idea advanced online is praised, attacked and criticized in varying degrees, sometimes within seconds of being published and for weeks, even months beyond.

The bulk of e-mail is radically different from most of the public posters on the site itself. Neither group, the flamers or the lurkers, seems to have much direct contact with or even consciousness of the other.

Unaware that I receive praise, the flamers expect me to go up in smoke. Unaware of one another, the lurkers reassure me. The lurkers sometimes know that ferocious, even vicious, debate and hostility is evident just a few scrolls down. The flamers have no idea that anything else is.

For a columnist dealing in opinions, this is a Brave New World, a parallel universe, my very own Matrix. It's sometimes impossible to know where one reality begins and the other ends.

CLOSING THE DISTANCE.

Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions.

Although they differ enormously in their impact, the principle is the same as scientists' and technologists' advocating the use of advanced air weapons against remote and presumably primitive peoples.

Both kinds of attacks are made possible by the disconnection technology permits. We don't see our adversaries as human beings, and don't expect to ever encounter them. So, since we have the instant and visceral technology to respond emotionally to things we fear or dislike, we attack them with the expectation that there will be no consequences. And there hardly ever are. On the Net, assaulting someone is no tougher - or riskier -- than pushing a send button.

Online violence and hostility, wildly exaggerated in terms of scope and danger but still epidemic, will diminish only when the distance between people is somehow closed by the same technology that now promotes it. Perhaps when audio and video-streaming permits live encounters with real-time video and sound. Or when phone, voice and visual messaging technologies fuse, and the presence on the other end appears, even in virtual form, as a human being.

Smith may or may not be the author of the virus, and it may or may not be as dangerous and pervasive as the publicity-hungry cyber-cops suggest. But it's still a great metaphor for the nastiness that has marked the first generation of the Net, and then the Web.

For me, the damage comes mostly from what can't happen: intelligent, continuous discussions, messages from the many lurkers who have powerful ideas but are not willing to endure the public assault that comes with expressing them.

The best resistance: to persevere. To listen to all criticism, no matter how crudely expressed, and keep writing and talking. To do anything else would be to give up the freedom that makes the Net unique. Some day, the Net will have its own equivalent of a "peace" movement, and mindless hostility will be perceived as the very direct threat to free and open speech that it is.

Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.

It aborts ideas.

Hostility, from flames to viruses, are an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.

And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.

"The lesson," wrote computer pioneer Joseph Weizenbaum in a 1976 essay explaining the people who advocated the advanced weaponry used to maim and kill during the Vietnam War, "is that the scientist and technologist must, by acts of will and of the imagination, actively strive to reduce such psychological distances, to counter the forces that tend to remove him from the consequences of his actions." jonkatz@slashdot.org

cancel ×

202 comments

Sorry! There are no comments related to the filter you selected.

Hey Katz (0)

Anonymous Coward | more than 15 years ago | (#1947749)

This is the first time you write a good essay, and do not miss the point. I agree with you.

How could you do that? Have you been on drugs lately?

yeah, yeah, yeah... (0)

Anonymous Coward | more than 15 years ago | (#1947750)

Katz, you're right about the idiocy and the self-serving incestous relationship between publicity-seeking cops and sensationalizing journalists, both seeking to pander to the inexorable public will to irresponsibility in all matters, but you're making a dangerous mistake presuming to speak for Smith or any other virus writer or hacker. If he wrote it. I don't know. He sure as hell is innocent of the actual charges against him. I'll tell you bluntly though that you don't have a goddam clue about his motivation or intentions, regardless. Hostility doesn't have a damn thing to do with it. It might if it would mean a goddam thing in a world that insists on misconstructing everything, but it doesnt. In a just world, though, the man would get a fucking medal, not a jail cell.

You come so close some times, Katz, but you're buying into the fear and propaganda you're shrewd enough to see, yet keep capitulating to. Keep trying, though, you'll get it.

Free David!
Free Kevin!

I wanna meet this Melissa chick.

Katz, some advice: (0)

Anonymous Coward | more than 15 years ago | (#1947751)

You were doing really well with this piece. It had a point, and made it. Then you rambled. Some advice: if it can be said in 5 words instead of 25, keep it short. You won't lose your audience that way. And for once, leave YOURSELF out of it. No "I recieve praise", no "I've published a book", and no resume pushing. It makes you sound condescending.

Whitman (and Gore) (0)

Anonymous Coward | more than 15 years ago | (#1947752)

Whitman made the hype worse by making the press circus, I mean, conference. Her motivations were two-fold:

1) Appear nationally on camera before her run for the NJ senate. The more exposure the better...

2) Project the feeling that NJ law enforcement is under control since she sacked the Col. of the State Police for making non-politically correct remarks (I _STILL_ can't figure out what is so wrong with profiling ethnic gangs with particular narcotics).

She seized on the moment and used the hysteria surrounding what should have been an insignificant event to further her career.

Now, if we can just get Al Gore to admit to creating the first computer virus...

you miss the point (0)

Anonymous Coward | more than 15 years ago | (#1947753)

This time, the virus author fucked up and released his identity. But what if it's impossible to find out who the author is? I can describe several scenarios in which the author can spread his virus without any possibility of getting caught. So suppose it's impossible to find out who the author is. Who gets the blame?

Are you getting the picture? Do I have to spell it out for you? If nobody is to blame, then virii become like an Act of God: unpredictable and capricious, bringing down your network and computers at a whim.

In this kind of world, which is closer than you think, the inherent unreliability of the infrastructure that permits such virii to thrive is to blame. And who created that infrastructure? Microsoft.

Religion is a virus (0)

Anonymous Coward | more than 15 years ago | (#1947754)

Exactly right, when a web site I visit starts a java applet without my permissiom, slowing down my browser, can I charge the web site owner with theft of computer systems?

The people who got the mail ran the macro.If they don't know what a program does, they shouldn't run it, right?

(Although the alleged miscreant may be guilty of stealing the account on AOL...)

re: lawsuits (0)

Anonymous Coward | more than 15 years ago | (#1947755)

Is this the same licence that says that users who do not agree to the terms of it are entitled to a refund? IMO because Microsoft and its vendors won't honor one part of the licence, all parts should be void.

It was a crime & MS wasn't at fault (0)

Anonymous Coward | more than 15 years ago | (#1947756)

The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water. Claiming the victim is at fault for a crime is wrong. If a bank is robbed, is it the bank's fault because they didn't have sufficent security?

Hmmm....well,maybe.

I know that if you accept credit cards over the internet and don't take any security precautions, you can be held liable for any damages caused by theft. And if a bank had a history of robberies and didn't take any extra security precautions, and someone was subsequently injured in a robbery, yes the bank would be held liable.

And in Microsoft's case, from all available evidence, the liabilty borders on being criminally negligent.

And no matter how you feel about virus writers, they have certainly added to the sum total of accurate knowledge on this planet, which I always assumed was a good thing.

blah blah blah, hacker cracker snacker. (0)

Anonymous Coward | more than 15 years ago | (#1947757)

hacker \Hack"er\, n. One who, or that which, hacks. Specifically: A cutting instrument for making notches; esp., one used
for notching pine trees in collecting turpentine; a hack.



cracker \Crack"er\ (kr[a^]k"[~e]r), n. 1. One who, or that which, cracks.

2. A noisy boaster; a swaggering fellow. [Obs.]

What cracker is this same that deafs our ears? --Shak.

3. A small firework, consisting of a little powder inclosed in a thick paper cylinder with a fuse, and exploding with a sharp
noise; -- often called firecracker.

4. A thin, dry biscuit, often hard or crisp; as, a Boston cracker; a Graham cracker; a soda cracker; an oyster cracker.

5. A nickname to designate a poor white in some parts of the Southern United States. --Bartlett.

6. (Zo["o]l.) The pintail duck.

7. pl. (Mach.) A pair of fluted rolls for grinding caoutchouc. --Knight.


Your right, I'll never confuse the two.

Broken Analogies (0)

Anonymous Coward | more than 15 years ago | (#1947758)


The analogies being used to describe this issue are somewhat missing the point. Blaming Smith and Wesson when someone uses one of their guns in a crime is not the same as M$ leaving open known security holes.

You can't blame S&W for the (proper) use of their product as advertised, even if it is a crime. However, if you are negligent in that you know that use of your product can cause harm but you don't fix it, you must accept some blame.

This is more closely related to the infamous Pinto that Ford decided not to fix because the anticipated cost of potential lawsuits was less than the redesign and recall costs. Microsoft knewthat the security holes existed, and therefore must accept some resposibility. They are not, however, responsible for the actions of the author, and are not 'accomplices'. They were negligent, not co-conspirators...

Better gun analogy (0)

Anonymous Coward | more than 15 years ago | (#1947759)

If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off?

I'm not sure if this is the best analogy. It might be more appropriate if the group of people are described as otherwise intelligent people who, due to massive PR hype from the gun companies, have accepted as fact that guns are safe and can't do any harm, even though the guns have their safety catches off by default and are known to fire in random directions when other guns fire.

Naming of Melissa virus (0)

Anonymous Coward | more than 15 years ago | (#1947760)

The virus (worm?) adds to a registry key with the word "Melissa?" in it to indicate it has already infected this machine. The keys in the registry are arbitrary, so it very well could named after the dancer.

you miss the point (0)

Anonymous Coward | more than 15 years ago | (#1947761)

So what you're saying is that any crime where the criminal it is 'impossible to the find' the criminal should be likened to 'an Act of God'.

So if the ciminal is not or cannot be found it automatically becomes the victim fault. Now, there's a great piece of logic.

That argument is so deficient on it's face as to need no rebuttal.

Technological Vaudeville.... (0)

Anonymous Coward | more than 15 years ago | (#1947762)

I must respectfully disagree on a couple of points. I think what Jon is saying has a lot of merit and I think that some of what he wrote is not dissimilar to what Rob wrote last week.

The key here is that what Jon & Rob are both saying is not that flaming is bad in of itself. Certainly criticism is an important thing that breeds better ideas. What both of them are saying is that there are better ways to criticize then to flame. If you think someone has made a mistake, or has volunteered a position you disagree with, express yourself politely. I can tell you from experience that if I state my opinion on something and someone counters me politely I'll remain open and willing to listen about 90% (no one is perfect :). If you scream at me and rant and rave I'll most likely just turn beat red from anger and stalk away. How does that encourage ideas to flow?

That's why I think Jon is right when he says "It aborts ideas." User A states his opinion and is flamed outright for it. If User B is more timid, but has a good idea, why should he post it? Who's to say he won't receive the same treatment? After all, perhaps he thought User A had some good ideas and look what happened to him.

As for "How clever! So in order to keep free access, we need to tone down our opinions and statements? Bullshit." I agree that toning down opinions and statements is not the way to keep free access, but I don't think for a second that's what Jon was trying to say. I think he was saying that so long as a large, visible seeming-majority choose to express themselves so negatively, it lends credence to the idea that the Net is populated by the kind of people that Jon said: theieves, malicous malcontents, dangerous perverts, etc. This may not be true, but the old adage that perception is as important as reality certainly applies.

In truth, I've come to believe the Net is an Anarachy. Far from what the word is popularly held to mean, it simply means "abscence of government". It has more to do with "harmony" then "chaos". The last thing I want is Big Brother stepping in to govern the Net. I like the Net free and unregulated (as I suspect you do) so that the very ideas it was founded upon can continue to flow. As my political science prof told me last week, however, anarchies will only work properly once people develop a better moral code: in a culture where you can do anything you want, you need good moral training to refrain from doing negative things. In short? It means you have to learn to treat everyone, _EVERYONE_, even people with whom you disagree with _RESPECT_, 'cause at the end of it all, we're all human. Even the Microsoft people ;)

BTW, I'm not really an Anonymous Coward, I'm just too lazy to figure out what my logon is :) I believe I'm one of EnSabahNur or CainDragon at /.

lets do it again. (0)

Anonymous Coward | more than 15 years ago | (#1947763)

Hmm...

so I sit at my text editor, and come up with some story about my kid brother, who has this kidney disease, and wants people to send him flip tabs from soda cans, and by you sending this message to 5 other people, you'll be granted an E-ticket when it comes time to reach for Nirvana.

Oh, I of course send it out from the list of e-mail addresses I've sucked off of the archives from Usenet posts on DejaNews, and of course through some pirated AOL or whatever megaISP user account is handy for me...

OK, so some Joe in Bergen County, New Jersey, is suddenly flooded when he opens his mailbox with about a million envelopes from Well Meaning! people with all their flip tabs from the week.

Hmm...

And it keeps on going even though Joe has been on all the news for the week, all the "news magazine" shows, etc., saying, "to the asshole who did this to me, the only good thing about all these flip tabs is that their density of packing is better than crushed soda cans, so I get a good price/volume ratio at the metal recycler!", and the flood of mail INCREASES?

Or it's revealed that there is no little brother, that it's all a big hoax?

Still get e-mail from well-meaning people warning you about the Good Times "virus"?

the distraction (0)

Anonymous Coward | more than 15 years ago | (#1947764)

Re: Suing Microsoft...

Someone might try, but that nasty software license will get in the way, you know, the part about Microsoft making no warranty or guarantee of suitability for their products other than being liable for replacing the media they come on...

Or, read the Java license... "don't use this software for controlling medical equipment or nuclear power plants".

Why are we blaming Microsoft? (0)

Anonymous Coward | more than 15 years ago | (#1947765)

Everyone is so quick to blame Microsoft for making crap products, and the user from being stupid. Stupid for buying Microsoft and stupid for opening up the Melissa attachment.

Don't misunderstand me. Standing up for Microsoft is not at all my point here. But everyone is posting as if some hacker/programmer/whatever has the right to exploit whatever system flaw is in the Microsoft product, just because there is the system flaw. Yes, Microsoft should fix those flaws whenever possible, and they can't be held in high regard for the complete and utter lack of quality that spews out from Redmond.

But none of this gives a programmer a right to exploit this bug. Let me illustrate. We don't blame the gun manufacturer for the mis-use of their product. We blame the guy that pulled the trigger. In this case, we don't blame Microsoft because the made a faulty product. Or I should say, we shouldn't. There wasn't really any danger in the Microsoft product unless someone exploited it.

This /. attitude of "blame Microsoft for every attrocity in the world" is waxing a little old. I hate Microsoft too. And I tremble at the current media hype surrounding this "virus." But that is no reason to accuse Microsoft of the creation of this virus. Should they remove as many possibilities in their programs for such exploitation? Absolutely. But there is no way any software company is going to have flawless code and flawless design. There will always be holes. And let's not just jump on the bandwagon and attack the enemy like we do after every article just because.

Hyperbole (0)

Anonymous Coward | more than 15 years ago | (#1947766)

"A child [maimed] or killed by gunfire --- more than 5,000
American kids were casualties of guns last year -- doesn't
get a fraction of the coverage or attention David Smith or
Melissa will get."

First of all, your very statement contains the reason why this is:
violence, even mortal violence, has become too commonplace. Melissa
was *new*.

Secondly, you are guilty of some of the same criticisms you level
against your trade. In this case: hyperbole. More than 5,000
American kids were *not* casualties of *guns* last year. They were
casualties of violence where it happened that a firearm was
employed. Guns are not self-aware.

So much for your credibility, Jon. I believe that'll be the last
of your articles I bother with.

A Pause (0)

Anonymous Coward | more than 15 years ago | (#1947767)

Hmm...

It's not that hard to do. Check to see if the msoutl8.olb library has been linked, if not, tell VBA to find it, then link it in, then run one's code. Want to see the properties & methods? In VBA it's not hard to enumerate the COM properties & methods for an object...

At least it's harder to reverse-engineer (i.e., figure out ordinal entry points, valid arguments, and determine results) from DLLs...

But COM makes it easy...

Of course, he could have written it to go through the MAPI dlls as well...

Ignorance is no excuse (0)

Anonymous Coward | more than 15 years ago | (#1947768)

Don't use a condom, get pregnant. Use Windows, get viruses. Any questions? Having stupid users is no excuse for anyone going to jail. Let the guy go and slap the 'cuffs on the terminally ignorant users who opened this email causing it to spread!

Maybe it's you who is creating villians (0)

Anonymous Coward | more than 15 years ago | (#1947769)

....or maybe not.

So I park my nice Ferrari 512BB downtown one day, and forget! and leave the keys in the ignition, and the doors unlocked.

I come back.

Suprise! It's gone!

Now who exactly is to blame for the loss of the car?

lets do it again. (1)

Anonymous Coward | more than 15 years ago | (#1947809)

'Stupidity' is perhaps a little strong. I would guess that a large number of people on the internet don't really understand what a virus is and what it can do.

By my reckoning email should be plain text (or simple HTML), and therefore unable to carry any 'un-authourised' code. The effectiveness of the Melissa virus was down to one particular program (Microsoft Word), and has proved to me how unsuitable it is as an email viewer.

Hopefully IT departments and other users have learn an important lesson.
Simon W.

It was a crime & MS wasn't at fault (1)

Anonymous Coward | more than 15 years ago | (#1947810)

I know this is going to a very unpopular view but here goes...

The actions of Mr. Smith broke the law, therefore he is a criminal (check you dictionary). If you don't like the law say so but until it's off the books we are obligated to obey the law (think social contract).

The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water. Claiming the victim is at fault for a crime is wrong. If a bank is robbed, is it the bank's fault because they didn't have sufficent security? If a person is robbed, beaten or raped, is it their fault because they did not have sufficent defenses. The macro capability was put there for a reason, and some people make use of the ability. Yes, there are things MS could do to tighten security but again, if I can figure out how to sucessfully rob a bank can I claim I didn't commit a crime because 'gee, they left this big security hole so it must be their fault'. The damage and lost productivity that this virus caused is a real and cost firms real money, it shouldn't just be written off as a cool prank.

unreasonable expectations of average users (1)

Anonymous Coward | more than 15 years ago | (#1947811)

The way company networks are being attached to the Internet, you cannot possibly expect everyone to be knowledgeable about what to do and what not to do. Additionally, it isnt likely that companies will spend the money to train everyone about network use, just like they will not train everyone in sales or purchasing or logistics...

The reason sysadmins are in such high demand, the best of whom can pretty much write their own paychecks, is that they are the ones responsible for keeping things going and heading things off. True, you cannot stop everything from comming through, but you have to realize that the average employee in your company is going to open any attachment without thinking twice. It is your job actually, to ensure that they learn as little as possible -- and what I mean is they learn what they need to do their jobs and not waste time on anything else -- noone can possibly be expected to learn everything (and to resurrect the arrogance thread from a few weeks ago, when youre being paid, "Read the book" is not an acceptable response to a question).

Educate the users in your company to a point (what this point is can vary, but maybe a networking orientation for new employees where you tell them about the basics, or what most people in this group would call common sense); but beyond this, its up to you. Sorry, but youre going to have to earn that paycheck.

...why is microsoft not blamed in the proper way ? (1)

Anonymous Coward | more than 15 years ago | (#1947812)

...of course it is no use arguing if the writer of a virus is absolutely free to spread his code without being punished for it - writing viruses is a crime in all laws that i know of.

But definitely the other parties involved in making this kind of virus possible at all are to be blamed - and there has to be consequences for them as well.

If I buy myself a car (just as some people bought themselves ms windows) which has some cool electronic computer-thingies in it (something like ABS or whatever comes with new cars) which is manipulateable from the outside (like windows computers are), noone would react to a problem similar to melissa in the way that people react to melissa.

imagine the new daimler-benz s-class car being manipulated by an aol-user kiddie who used some well known bugs in the car's software - resulting in the car not breaking any more, driving against the wall at 150mph, killing people.
yeah i know some of you think 'this is something completely different than melissa'.
but hell - wheres the difference ?

the guy who crashed the car deserves punishment. no question there.

but i believe the reaction to a mercedes having bugs similar to the bugs of windows would be quite different - you'd expect fast reaction from the media (but in a different way than in this ridiculous melissa hype) refunds, repairs on all cars of this make for free, lots of blame against the manufacturer of the car...

well - where's the difference i wanna know... ?

except that car manufacturers can't build weird shit and get away with it...

think about it :)

bah. (3)

Anonymous Coward | more than 15 years ago | (#1947813)

Everyone blames the bad, evil, nasty hackers. Nobody ever thinks to blame the poorly designed systems that they exploit. Why? People have been warning Microsoft for years about macro viruses.

Ideally all virus writers would be fully accountable and we wouldn't need to assign any blame to companies that produce shoddy software. But in reality, it will be virtually impossible to catch virus authors unless they make a colossal mistake like Melissa's author did. All you have to do is leave a floppy lying around with your macro virus on it. Label the disk "teen porn". Someone will pick it up and spread the virus for you, no way to trace it back. My point? Accountability is a myth, so let's go after the designers of these fragile infosystems.

How is that trojan a crime? (1)

Brett Viren (296) | more than 15 years ago | (#1947814)

What kind of moron runs a macro-laced Micro$oft file from someone they don't know?

Well, part of the reason why Melissa spread so much is that people received it from people they did know.

Maybe a better question is: ``What kind of moron uses MS products?'' (The answer, of course, is ``Too many'').

-Brett.

hmmm (0)

drwiii (434) | more than 15 years ago | (#1947815)

Where do we draw the line between a program that knowingly mails to everyone in your address book (so-called virus), or a program that accidently mails to everyone in your address book (possibly a mail program in development, being debugged)?

crime and deserving (1)

opus (543) | more than 15 years ago | (#1947819)

I'm really tired of people attempting to justify malicious actions by saying that the victims "deserved it" because they are "morons". (The most obnoxious case of this, of course, is saying that a rape victim "deserved" what she got because of how she dressed, how much she drank, etc. But it applies just as well to acts of electronic vandalism, such as virus writing and cracking.)

If someone leaves his back door unlocked, sure, he's a moron, and in some sense, he deserves to get burglarized. But that doesn't make the burglar any less a criminal!
--

It was a crime & MS wasn't at fault (1)

phil reed (626) | more than 15 years ago | (#1947821)

The argument that it was really Microsoft's fault because their software was the victim of the virus does not hold water.

The message earlier suggested that Microsoft be held partially responsible, since their software could have had security mechanisms built in, and Microsoft refused to do it (in some cases, suggesting that macro viruses were the responsibility of the user - "You should be aware of what you're running" or words to that effect).

Mainframe environments have had security built in for ages, and it's impossible for a virus to even exist. Microsoft wants to play in that same market, but they don't want to be held to those same standards. Well, I for one disagree. (In fact, I find it amusing that the Melissa virus apparently ran through Microsoft's internal mail system like a hot knife through butter. Hoist by their own petard.)


...phil

Gov't will want to set an example. Be afraid. (1)

gavinhall (33) | more than 15 years ago | (#1947822)

Posted by PasswdIs ScoreOne:

Since this is the first time anyone is being prosecuted for writing a virus, I fully expect the gov't to prosecute this case with a unique zeal and determination seldom seen. And if the rights of the accused and due process are not adhered to, so what? We've got to send a message to all these 'hackers' out there lest we end up with a nation of potential cyber-terrorists.

Kevin Mitnick: Four years in jail. And still not even a trial. Who's next?

Technological Vaudeville.... (1)

gavinhall (33) | more than 15 years ago | (#1947823)

Posted by wadageek:

I agree with:
"Creating a virus is an art. It is no different than the kid of your generation who took the radio apart just to put it back together again, even if some parts were left out. It is a natural instinct in humans to figure out how things work. "

But I disagree with:
"If you create a virus in order to show explicitly the obnoxious security holes in Microsoft or other OSs, you are doing the general public a service."

Saying that is like saying that vandals do the general public a service by underscoring the need for everyone to have security!

You may not be a thief if you do not make money from it - but you are in essence a vandal and a criminal.

the distraction (5)

Tom (822) | more than 15 years ago | (#1947826)

the #1 sickening thing about the whole melissa hype is how it distracts from the facts.

here we have a collection of well-known security holes practically screaming "exploit me". they should've been fixed for years, but instead they've been put deeper and deeper into the very design.
yes, I'm flaming micro$oft, but it's not them alone. it's the armada of clueless who, far from being honest about what they know and what they know nothing about, not only BELIEVE, but carry the word along - "integration is good for the customer".

in my country (i.e. germany), when I break into a bank and it is found out that the bank's security company made my job considerably easier by leaving out standard security procedures or making serious mistakes that a security company really shouldn't make, it can be made liable for parts of the damage done.
in the states, you have those idiot cases where macdonalds is sued for the same thing - negligience - because they forgot to tell some fool that hot coffee is, well, hot.

I wonder whether micro$oft will be sued for melissa-incurred damages. if you can sue macdonalds for hot coffee, than sure as hell you should sue micro$oft for gross negligience of basic security procedures.

Who should we blame (1)

Dave Fiddes (832) | more than 15 years ago | (#1947827)

Of course it's not *all* MS's fault. Many many many people turned off the security features in Word.... AFAIK you have to skip through several dialogs before Melissa can get into your system. It is the users who are dumb morons...

Of course if everyone stuck to plain text none of these things would happen regardless of what email program or OS you use... apart from the odd buffer overflow ;)

How is that trojan a crime? (1)

Brian Knotts (855) | more than 15 years ago | (#1947828)

Yes, it was irritating, yes it was malicious, but so is country music

ITYM "Hip-hop." HTH.

...

I agree with you though that as annoying as this was for people, they should put most of the blame on themselves. Of course, Microsoft deserves quite a bit of blame, too...

Civil liberties (1)

Altus (1034) | more than 15 years ago | (#1947829)

Exactly.

The longer this goes on the more likely we are to have laws pased that are supposed to stop crackers and virus writers. And with these laws in place, when a new virus comes out or a system is comprimized the public will say "How could these evil people be breaking the law like this... why cant the government stop them?"

When the public has this outlook, it will be even easier to get more such laws passed (you want to stop these people right... well then give us more power).

Its a self propogating problem... and the longer it goes on the less likely anyone will be to question the quality of the software being comprimized. The blame will be placed on the criminal or on the law enforcement agents unable to catch the criminal... and microsoft can continue to produce software with integrated virus hooks.

We cant expect end users to wake up and start holding microsoft (or any other company) accountable overnight. Its up to people like us... programmers, who need to make software that is secure... and more improtantly, MIS people who must demand more from their software...

Its about time someone got fired for choosing microsoft when the solution simply didnt fit the problem... the whole "its from vendorX just like everything else we run... it must be the most suitable solution for us" mind set has to be abolished.

But whoes going to take the first step?

melissa etc. (2)

Phil-14 (1277) | more than 15 years ago | (#1947836)

I'm not sure whether or not the concern about
Melissa might be actually justified. IMHO, the
environment many people use these days for computing is responsible for a lot of the ease
with which things like Melissa spread.

Believe it or not, viruses are something that
have to be taken very seriously. Especially by
the people who build OS's or distributions. If
they're negligent, however, no amount of panic
from anyone else is going to stop things.

I don't think Linux is virus-proof, but
at least it isn't a "hey look at all these
macros!" sort of petri dish...
Phil Fraering "Humans. Go Fig." - Rita

Quicken transfer funds from a virus (1)

joss (1346) | more than 15 years ago | (#1947838)

I was more thinking in terms of just transfering the entire account immediately :) The virus would be discovered within a couple of days, but if you infected 500000 accounts in that time (like mellissa could), it would be worthwhile. Some Germans demonstrated this with an ActiveX control, just as a little example of how amazingly defenseless THAT stuff is. Just place it on your web site and anybody visiting using IE with security turned down has a problem. The nice thing about it is that you have all this security/passwords etc to access the bank account (that most people take pretty seriously), but it does them no good at all if the data on their PCs has already been compromised. Actually, a macro virus that added a link from any index.html files on the local machine to an ActiveX control that also contained the virus (and transfered funds) would spread pretty quick.

The point is that melissa was really NOT that malicious, if someone really wanted to play silly buggers on this hugely dangerous combination of crap software and naive users they could do FAR more damage.

Religion is a virus (2)

joss (1346) | more than 15 years ago | (#1947839)

"He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."

Interesting 3 crimes listed there. I guess in some sense he was guilty of 1, but I don't see how he could be guilty of 2 or 3. Does the fact that your program is running on somebody else's hardware without their consent constitute theft of computer services. w95 was running on my hardware when I bought it - can I charge MS with theft of computer services. Likewise if your data appears on another computer does that consitute wrongful access to computer systems? How about spam, can we lock people away for 40 years for sending spam, far more offensive to me than being sent a program which I would have to be a moron to run.

Are there any specific laws against self-replicating programs. Powerful memes such as religion can be considered virus's that run on wetware and are highly contagious. Should these be illegal too ?

While I'm looking for different angles, I think he should counter-sue the US govenment for violating his copyright. When federal employees pressed the "run macro" button they ended up sending copies of his software to different organisations without consent. A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.

The guy has done society a huge service by waking people up to the huge security holes in their software. It would have been just as easy to send out a truly destructive virus that introduced random errors across the harddisk or appended "transfer funds" instructions to the Quicken files for people who do online banking. Now that would be an interesting virus.

Melissa, Memes, and "Good Times" (2)

Frater 219 (1455) | more than 15 years ago | (#1947840)


> Where do we draw the line between a program that
> knowingly mails to everyone in your address book
> (so-called virus), or a program that accidently
> mails to everyone in your address book (possibly
> a mail program in development, being debugged)?


... and a piece of information which suckers you into sending it to everyone in your address book (i.e. "Good Times")?

Everyone who sent along Melissa did so by pressing a button that said "Yes, run this attachment." They were conned into doing so, because the attachment was sent under false pretenses -- it seemed to be a message from a friend, but was actually a virus.

Everyone who sent along the "Good Times" warning did so by pressing a button that said "Yes, forward this message." They were conned into doing so, because the message was sent under false pretenses -- it seemed to be an important warning, but was actually a hoax.

Melissa is not entirely a computer virus. It is dependent on user interaction, making it at least partly a "virus of the mind". Where do we draw the line between a human-aided computer virus, like Melissa, and a computer-aided memetic virus, like "Good Times"?

Hacker, cracker, whacker. (2)

Frater 219 (1455) | more than 15 years ago | (#1947841)

Actually, most crackers I know are noisy boasters and swaggering fellows. And hackers do tend to be people who hack, yes.

Civil liberties (1)

Jeremy Erwin (2054) | more than 15 years ago | (#1947845)

Personally, I think viruses are interesting in that they are, in a sense, artificial life. Of course, I wouldn't want to be infected. I recognize the unique vulnerability of Windows 95, yet due to my "interest in gaming." it has become my primary platform. I'd like to have the flaws of my operating system proven by a capable virus writer, but on the other hand, I have no faith whatsoever in Microsoft to fix these flaws.

The larger problem raised by the attention of Melissa and other high profile "cracking" cases is that, if this trend continues, we may have a far more draconian regime unleshed upon us. Look at it this way-- it wasn't until the fundies discovered the net that the CDA was born. All we need now is for some senator or congressperson to get hit with a mildly annoying virus or a novice cracking attempt-- and boom, agencies start to "crack down" and rev up their "asset forfeiture" programs into high gear.

Be wary of the cyber evil!@#! (2)

Juliet (3536) | more than 15 years ago | (#1947848)

Paranoia.. its alla bout paranoia.. and things like this.. that are very public.. make the people feel safe and secure.. where its really just a charade.. kinda like airport security.. like if i really wanted to hijack a plane.. id use a plain ole gun.. of course not.. id use plastic explosives that would be undetectable.. DUH!@#!.. but people FEEL safer walking through big ass metal detectors..

Civil liberties and responsibilities (1)

cpt kangarooski (3773) | more than 15 years ago | (#1947849)

I agree. The problem of virii, rampant flaming, etc. can be addressed, though not necessarily solved, in several ways.

1. Legislation
The US government which, let's face it, has more power over the net than other governments, can heavily legislate the net and people's conduct on the net, and enforce those laws with a heavy hand.

I don't think any of us want this; that it might happen is one of the downsides of having a government that was deliberately designed to be slow and stupid.

2. Social responsibility
People should be pressured into accepting responsibility for their actions on the net. This doesn't mean they shouldn't be anonymous (see my other post on that subject). Rather, people need to think their actions through and act calmly and politely as much as possible, even if they experience no direct repercussions. Responsibility is not a matter of stimuli, response. It's roughly a moral issue. But there's no way to make people act in a moral fashion (no moral way), so...

3. Fault-tolerance
While everyone who can ought to still act responsibly, let's also encourage the establishment of fault-tolerant systems which can absorb malicious/juvinile behavior like the liquid terminator can absob bullets.

Part of this means technical fixes, like not creating juicy hooks for virii, and definately not keeping them once this vunerability is made clear. I can't believe that Microsoft takes pride in any of it's work; their stuff is real garbage on all levels.

But another part of this is a social fix. /. has implemented one type of social fix, in the creation of the moderator/score system. Honestly, I'm not a big fan of this, as it tends to lead to other people deciding what will be read by default. This ghettoizes many worthwhile posts because of moderators disliking the author, the content or not wanting to second-guess each other and bring a low score back up.

I'm sure there are other social fixes out there, if we'll only experiment.

Let's do all of the latter two we can, to avoid the former, okay?

Sigh. Another dis on anonymity? (4)

cpt kangarooski (3773) | more than 15 years ago | (#1947852)

Once again I just can't see why it is that so many people insist on everyone on the net being named. Untracable psuedonyms and pure anonymity get an incredibly bad rap here, even though it's nothing compared to the degree of identification that large corporations and various governments would prefer.

Yes, the net does have two apparently conflicting abilities. It both fosters extremely close relationships, by bringing together people who would likely never meet, with similar interests, or even who just like to talk to each other. At the same time, Katz is right in that just like the soldier who sits in a bunker thousands of miles away from the action, people can also be disassociated from each other, with the abstract, faceless ASCII world of the net insulating everyone.

Surely the exaggerated mode of speech, with concepts strongly worded to let the intonations of the voice and expressions of the face that are so essential to speech is a contributing factor here. If sarcasm (for instance) can't be distinguished in plain text from regular speech, an emoticon is not going to help that much. Written communication _can_ convey this information; after all people have written to each other for millenia. Yet, as more people now utilize it for conversational purposes with strangers, as opposed to the well thought-out letter of old to an acquantance, the number of people who fail to get their point across accurately has grown dramatically. I don't know if the overall percentage of these failures has increased though. I'll leave that for other people to debate.

Getting back to my point, yes the net has these abilities, because of fosters communication. It doesn't care to whom, from whom, or how clear.

Yet why should a person's thoughts and words be dismissed instantly only because there's no way to find out who, irl, wrote them? One of the great advantages of the net is that it's not real life. I can be a dog. More importantly, I can be a dog with something to say, and you can be a dog who wants to hear it. A name is just a matter of convenience, so as not to have to address everyone as hey-you@over-there.net. If people wish their speech to be attributed all the way back to them, that's their choice, but it doesn't necessarily mean that their words are better. Lots of people post (maybe not here, but in general) from aol or webtv or some such, which are all quite tracable. And they, because they are comfortable with their ISP, or don't know how or why they might change it, tend to get derided. Again, this is all too frequently based on a glance at a name or address, glossing over their message entirely.

Me, I don't want real-time video or sound. I feel that written communication, aside from being a more efficient use of bandwith for me, lets me choose my words in a way that speech generally does not. Yet I bet anyone five dollars that the minute a/v become the standard media for communication on the net, no one will bother reading text messages. Again, because of surface attributes, rather than the content. I will grant that communication may be richer by using such technologies (see above) but it's the discrimination based on relatively unimportant issues that galls me.

Yes, the most enthusiastic flamers and hackers (that word's meaning has multiple definitions; deal) will hide behind aliases and anonymity. So will whistle-blowers, people who fear retribution, people wishing to say things that would for one reason or another prove dangerous if posted with a name, to one's safety or reputation.

And I don't even want to get into the specter of big brother corporations and governments monitoring everyone. How many people here dislike anonymous posts, but support anonymity from Microsoft? You can't have one without the other, I'm afraid. (except possibly in Australia and New Zealand)

I am not, however, defending the author of this or any other malicious (by intent or deed) virii. Nor those who would slander or libel others. But while I don't intend to do the lantern thing, as long as there is one good reason for anonymity, it's something we really need to preserve.

I apologize if I've rambled here. One major gripe I have with /. is the small comment blank. It bugs me to only be able to read a few lines without scrolling, so I usually don't.

-cpt kangarooski

Whose fault was it, really? (5)

Bruce Perens (3872) | more than 15 years ago | (#1947853)

Microsoft's system was like a forest that hadn't had a controlled burn in decades, just waiting for one person with a match to turn it into a disaster.

Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.

Bruce Perens

Quicken transfer funds from a virus (1)

Chris Hiner (4273) | more than 15 years ago | (#1947854)

Hmmm.... Just imagine...
Set it up so it'll transfer $0.10 every month
to a bank account someplace... Have it label
it "MS Tax". Lesse... if there's 1 million people
out there using Quicken...

Interesting ideas... Wonder if someone is already doing it :)

Don't blame the users (3)

Elwood (4347) | more than 15 years ago | (#1947855)

I really dont think you can blame the users for this one. It is easy for us to do, because we know computers, we understand them, and we expact everyone else to be the same. The thing is, most people could care less.

See, as a small time sys admin, I try and try to drill into peoples head "Dont open attachments". But that dont work, curistory and the cat. So I explain to them, never open .exes, .bats, or .coms. Anything else, after you recive it, send a e-mail back making sure the person really send it too you (that alone can stop you from getting most e-mail viruses), and if you do open it, dont enable macros.

Think is, that is too much for most of my users. Why? Most of my users are middle age or older females that could care less about computers. They dont want to know a why or how on anything, they want to follow a 123 step recipie do do the little work they have to on the machines. And really, I cant blame them. There main job has nothing to do with computers, but people. And they can do that better then I ever could. So can I really blame them for not knowing this stuff?

The other section of people I work with is seniors that want to learn computers. These poor people are so trusting, and so eager to do right that if someone sends them something, they feel it is a insult to the sender if they don't open it. These are our grandparents trying as hard as they can to learn a way to stay in contact with their grandchildern, can I fault them for not knowing everything?

I don't think we can blame the users. I think it is the software. When I chose a OS, I would expect that vendor to have a system that works correctly. But MS is leaving a system with huge holes right in the middle, and conspiracy mode on, but here is why I think it is.

As a low lever sys admin, I work in a place where no one knows what I do here. I go about my days, usallay never talking to anyone else here, most people look at me strange when I walk down the halls. (I dont think it helps that I also keep strange hours, never turn on my main light, instead use a little table lamp so I can see the screen better and I keep moy door shut and locked all the time.) Needless to say, I don't get noticed much, so I don't get patted on the back much at all.

But because of the Melissa virus, I got my first "good job" from the Big boss in a long while, simply cause we did not get hit, some simple e-mail filters on the server was all that was needed to keep Melissa outside (a unfilterable virus would be a tough one, Melissa was easy as far as that goes). But because of all the attention Melissa got, people that did not know better thought I was superman for protecting them from her. I did nothing special, keeping e-mail filters is something ever sys admin does, it is a dull part of the job. But for a three day period of time, my bosses had it in their head I was protecting the company from evil. I could have wore tights and a cape and got away with it. Even though I did something I do a million times before, this time they knew about it, and were told by the TV it was a big deal, so they accepted it.

So you could say I benifited from Melissa. And I am not the only one. Magizines sold (When there is good news, you go out and experience it, when there is bad news, you hide inside where it is safe and watch it on TV), news shows got watched, anti-virus programs sold, IT people got kudos. Etc. People justified their paychecks because of Melissa.

For no reason at all, everday jobs got alot of attention. Sure, it only lasted for what three days? But how many people are going to to bring it up during their next review? How many extra units did anti-virus publishers sell? And how much more did mags charge for a back cover add in the special Melissa issue?

Those are the reasons Melissa was such a big deal. Melissa was just a natural progression of viruses, nothing exciting. The next one will even be that much more clever. But will it get noticed? No, these stories are only good about once every two years. Thats why the gov and his lackies had to go out and suck up the press while they can.

This whole thing was a big non-event that made a bunch a people look good, and a poor virus writer is going to publicly shuned for a while. He may have been stupid for writing a virus, but not 40 years stupid. Give the poor slob probation.

Kind or remined me of Wag the Dog.

How is that trojan a crime? (2)

boinger (4618) | more than 15 years ago | (#1947856)

I was discussing this with my grandfather...IANAL, but, what that guy did is not a crime, SFAIK. Yes, it was irritating, yes it was malicious, but so is country music. This guy getting railroaded is just another step in the wrong direction for the internet as a community.

Well, at least I was unaffected. What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.

"The Constitution admittedly has a few defects and blemishes, but it still seems a hell of a lot better than the system we have now."

5000 children harmed by guns? (1)

LarrySmith (5580) | more than 15 years ago | (#1947857)


Let's talk about the media's propensity for
using undocumented statistics. Let's talk
about that 5000 children harmed by guns last
year. Just where did that statistic come
from, and are they reliable? I don't think
even the handgun control people have nerve
enough to quote this one, 5000 children harmed
by guns a year would mean that in less than
five years every single one of us would personally
know a child harmed by a gun. Funny, I don't
know any. Am I that statistically unlikely - or
is the author using precisely the same tactic he's
deploring?

the distraction (1)

DeadEye (6229) | more than 15 years ago | (#1947859)

I never thought of this case in terms of the idiotic cases such as the McDonalds coffee incident, but I think you have a good point. I cringe every time I see a suit over something that someone should have known better than to do in the first place, but this is different. I think the bank security example is a really good one, and people should seriously consider how we hold corporations or groups that are involved in the worlds communications software responsible. Blindness or ignorance of the dangers presented by their own products is exactly what you labeled it: gross negligence!

lets do it again. (2)

MentlFlos (7345) | more than 15 years ago | (#1947861)

I can see it now.. I write a word macro 'virus' just for fun to see what it can do. Say it mails itself off to, oh, 50 people. I pass this to a friend to have him look at it and like a dolt he opens it. Bam... it spreads all over.

Stupidity will always be around, our job as sysadmins is to contain it in little clusters and beat those people to a pulp.

Just wanted to rant a little.

---------------------------------------
The art of flying is throwing yourself at the ground...
... and missing.

Who should we blame (1)

aphr0 (7423) | more than 15 years ago | (#1947862)

Alot of businesses use MS Office exlusively. It's all Microsoft's responsibility. They know quite well that the vast majority of users will never in their lives need to embed a macro in a word processing files, yet they continue to leave macros on by default.

"So, the person should use linux, god dammit! Office suites in linux can save in MS Office format!" you say? Most people up here don't even know what linux is, much less how to install and configure it. And nothing but 95/nt is officially supported here. Linux and mac people are on their own. On top of all that, lots of secretaries need to run Outlook to access their boss's schedules and calendars to set dates for meetings and such. Does linux support that?

The computing environment here is almost entirely Microsoft except for a couple of vax servers for some legacy services. We also rely very heavily on features of outlook for information exchange and communication. I'm not sure how outlook-compliant linux email apps are.

So, not everyone can just tell Microsoft and all their apps to go to hell and run off and use linux. It might very well be the best thing since sliced bread, but all that dosen't matter if it dosen't integrate well with the current information infrastructure of a business.


Explaining techno-hostility (4)

D-Fly (7665) | more than 15 years ago | (#1947863)

The basic explanation for why people behave so poorly in Internet interactions seems to be pretty simple: it's the impersonal nature of the medium.

Despite the fact that users KNOW there are other real-live humans on the other end of the wires, it is hard to get past the illusion that you are interacting with a computer that couldn't care less how many ways you flame it.

All you ever actually see is the keyboard and CRT, not JonKatz as he reads your ridiculously hostile, inarticulate rant. Actually, that's wrong; remember, it's Jon Katz, not some entity called JonKatz...

[Think of the Turing problem]

There is a very closely analogous situation in the "Road Rage" phenomenon. When you are driving down the highway and some idiot in a red Lexus cuts you off, you KNOW that it is actually some middle aged guy headed to his dead-end job in the city and he just wasn't paying attention when he pulled into your lane.

But on a different level, you have been out on the highway for 45 minutes, and the music on the radio sucks, and you have started to sort of forget that the drivers in the other cars are people, and started to anthropomorphize their cars--think of them as living competitors for space on the road.

That's why you start screaming, making obscene gestures, and maybe rear end the goddamned Lexus.

In all our new, nontraditional relationships, we have to remember to maintain the kind of empathy we reserve for flesh-and-blood, everyday interactions.

Technological Vaudeville.... (0)

Pasty Drone (8425) | more than 15 years ago | (#1947865)

Jon said:
Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.
Wrong. Techno-hostility is a PERCEPTION by non-members of a community that they know nothing about. Without worrying about pandering to a "larger" audience or "dumbing down", ideas evolve organically and quickly.

It aborts ideas.
Absolutely the contrary is true. It allows the community to be an idea-incubator (or womb to use your analogy).

Hostility, from flames to viruses, are an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.
How clever! So in order to keep free access, we need to tone down our opinions and statements? Bullshit.

And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.
First of all, your parallel usage of flames and virus is suspect at best. The two are apples and oranges. Creating a virus or a flame is neither unthinking nor reflexive, unlike your article's unthinking and reflexive mental masturbation.

Creating a virus is an art. It is no different than the kid of your generation who took the radio apart just to put it back together again, even if some parts were left out. It is a natural instinct in humans to figure out how things work.

If you create a virus to rip off money, you are a thief. If you create a virus in order to show explicitly the obnoxious security holes in Microsoft or other OSs, you are doing the general public a service. You are enabling them to see clearly why security is important to protect their data, why encryption is essential, and why (in the example of David's Melissa) using shoddy MS products is a serious business risk. I hope sincerely that the example of Melissa will be considered by the Pentagon and NATO who currently both use Microsoft Products. And don't even get me started on Los Alamos Lab, the most high-level security lab in the country, that ONLY RECENTLY put up a firewall...

---diva

Flames and viruses both serve some good purposes (1)

blocked (10071) | more than 15 years ago | (#1947869)


for(;;;) wrote:
Flames and viruses may both come across as hostility, but they share similar positive qualities. They're blunt ways to point out weakness in an argument or system.
Shooting people in the head is a blunt way to point out the dangers of guns, but it's still not a very good idea. "~We had to destroy the village in order to save it.~"

Let's not confuse negligence with vandalism (1)

blocked (10071) | more than 15 years ago | (#1947870)


Bruce Perens wrote:
Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.
Let's not confuse negligence with vandalism. If someone leaves a can of mace around and I use it to assault bystanders, they may have been negligent but I'm still responsible for my actions.

People without self-control create problems. The tools to screw people's lives up can always be found by some idiot child with unfocused hostility. Civilization starts at the individual level.

re: lawsuits (2)

Jesse E Tilly (10352) | more than 15 years ago | (#1947872)

Tom, I for one would encourage any company that lost measurable time due to this virus to sue Microsoft. It's will serve one multiple-faceted purpose. The first and formost in my mind is "Is Microsoft *really* liable for their products?". Proponents of Microsoft use this as an argument for commercial software. A backstop, a single point for all eventual complaints to return. The precident will make software companies the real thing: a producer of content that is liable for its product. This is different than the current image of "tool producers" who, like Craftsman and Snap-On, cannot be held liable for someone using a hammer in a murder, but can be held liable for injury should the hammer break (when they claimed it would not). Either way, the definition of software companies will change forever and bring to light the problems RMS, ESR and Linus have been trying to point out all along. It will wake up software vendors to the problems of market flooding unproven proprietary products to unsuspecting consumers who think they are being served to their best purposes. Bill Gates likes to compare his innovations to the auto industry. If so, maybe he should talk with them about government restrictions such as ABS and air bags, something the industry refused to add for years. Today, they are considered the major selling points for cars, yet 20 years ago, their proposed regulation raised cries of "innovation hinderance" and "cost inflation" by car companies. Of course, the US auto industry was suffering from something a certain US software company is suffering from: percieved quality of its product when placed next to a better competing product. Most americans know what took place over the next decade. First it was denial, "it's the Japanese underselling us", then it was FUD "buy American, it's the patriotic thing to do", then they wised up and started to produce quality cars. Had GM or Ford had the grip on transportation that Microsoft has on the software business, I think the end result would be different.

re: lawsuits (1)

The Dodger (10689) | more than 15 years ago | (#1947873)


>"Is Microsoft *really* liable for their products?".

Have you ever read the Microsoft licence? It basically says (and please do correct me if I'm wrong) that MS don't guarantee that this software will work and, if it doesn't, they aren't liable.

With open source software, you take real responsibility for the software you're running - if you don't trust it, you can hire a programmer to check it out. If you don't like something about it, you change it. You can't do that with proprietary software. And that is why open source software is more secure that proprietary software, no matter what that lame lawyer guy says.

Dodge

Who's prepared to speak out? (3)

The Dodger (10689) | more than 15 years ago | (#1947874)


Okay, so I think it's safe to say that Microsoft shares at least some of the blame for the Melissa virus. But who's going to actually stand up and say it? Apart from Emmanuel, who speaks out in defence of hackers who are arrested, imprisoned or charged on flimsy/circumstantial evidence made viable by hype and hysteria? Who has stood up and demanded to know why Kevin Mitnick has been imprisoned for four years without trial?

The media aren't interested - they lap up what they're told by so-called "experts", whether they're law-enforcement officials or Microsoft hacks. When it comes down to it, the news media's main objective isn't to report the news anymore, but to gain the largest audience share. Hype and hysteria sell to the uninformed masses, who then become the misinformed masses.

It's merely another facet of the increasingly commercialistic society we live in. I remember when the Internet was about knowledge and learning. Now it's about Porn and making money. Sooner or later, a group of people are going to get pissed off and embark on a campaign of info-terrorism which will make the whole "Free Kevin Mitnick" thing look like a fucking walk in the park.

Ideological terrorist groups used to have to align themselves with countries like Iran and Libya in order to gain the resources to make an impact. And then they had to face public hostility in the face of innocent deaths, and the prospect of a bloody demise on the wrong end of an MP5 held by an SAS or GSG-9 trooper.

Now, all we need is a computer and a modem. Noone's going to get hurt and, believe me, conventional law-enforcement organisations will be powerless to stop a dedicated info-terrorist (not these lame script kiddies). l0pht weren't bullshitting when they said that it's possible to crash the Internet. The only reason it hasn't been done so far is because the people with the skills and knowledge aren't lame enough to do it. Sooner or later, someone's going to decide that the 'Net's just not fucking worth it and it'll be a fucking disaster - we'll see billions wiped off the US stock markets as .coms go under and I wouldn't be willing to bet against another Black Monday. Or how about someone gets control of something like DNS or whatever and holds the US Govt. to ransom, demanding the release of Jack Hacker?

Y'know something? I hope I'm totally wrong. I really hope that none of this comes to pass and that it can be dismissed as Dodger in one of his infocalyptic moods.

But just imagine if Melissa's creator had more malicious and destructive intentions. Just imagine if that Alternic guy who redirected visitors to internic.net hadn't been so harmless. And how many Americans expected the World Trade Centre or Oklahoma bombings?


The Dodger

Who should we blame (1)

smileyy (11535) | more than 15 years ago | (#1947877)


The Melissa virus (and other macro-style virii) strike me as being more Microsoft and the end user's faults that anyone else. Greater society is quick to blame the virus programmer, but all the gaping security holes were put there by Microsoft.




Using MS products with this type of security holes is like going out, leaving your house unlocked, door wide open, with a sign posted in the front yard saying "Hey! My house is unlocked. Go on in! The stereo's in the living room..." and then complaining when you get robbed.




People use software with gaping security holes that they *know about* (word macro virii are old news) and then complain when those holes are exploited. If you're unwilling to close these holes, you can't complain. Of course, the other problem is that Microsoft has made leaving these holes open (sometimes) a necessity for using their software in useful ways.

How is that trojan a crime? (1)

cjs (12969) | more than 15 years ago | (#1947884)

Sure, it was irritating and malicious, but not in the way country music is. If you don't like country music, you just change the station or go to another bar. Not liking the virus doesn't help if you're the tech responsible for cleaning it up. You just cancel your dates for the next few days, maybe give away an expensive pair of theatre or game tickets, and spend your evenings fixing the trouble that this guy caused.

I don't see how this is different from, say, shouting `fire' in a crowded theatre. Sure, chances are that nobody really gets hurt. But it's still making innocent people's lives less happy.

cjs

Ignorant User IQ test (1)

jabber (13196) | more than 15 years ago | (#1947886)


Press ALT+F4 now to test your IQ.

There, all the braindead users who don't know their own computers should be gone now...

If you run a program you do not know, prepare for a big surprise. It's a feature of your computer to do things. Learn your appliance.

It's a shame that people who actually NEED the "Do not use heair dryer while bathing" warning labels are allowed to own a computer, or a car, or God forbid, even a gun...

Maybe if we were not so bent on protecting the public from it's own stupidity, the average IQ would rise in tandem with the resolution of the overpopulation problem.

There was a time when a virus was a piece of art. Not that I condone malicious virus programming, but it required hacking (the pleasant version) skills to do. You had to hand assemble the beastie, squeeze nifty little features into a few dozen bytes. Now Joe Shmoe can drag, drop, click and send. My question is, what happened to the artists? Did they all turn to OSS, for the satisfaction of being able to put their name on their work?

Dave Smith - CyberMartyr (2)

jabber (13196) | more than 15 years ago | (#1947889)

Yes, writing a virus and releasing it into the wild, is a bad, bad thing. Bad boy Davy, go stand in the corner and don't ever do it again...

But does he really deserve this level of persecution? I don't think so. The man has been set upon by rabid dogs, half of them ignorant of the technology involved, and the reset trained by the Federal government to be heavy-handed and vicious. Security and conformity enforcement through intimidation works. Da Comrade!

The effect of what he did, intentions aside, is not far removed from from the Morris Worm. Yes, Morris was prosecuted and punished, but even the government admits that it was a curiosity that ran away from a controlled environment. It's not like this guy (Smith) is Geoffrey freakin Dahmer. He's a geek, who for one reason or another, wrote an annoying bug. Sure, it touched many computers, but what DAMAGE did it really do?? It got a lot of IT people money for systems improvements, it gave many anti-virus softwares welcome exposure. It was a boon, and it got attention. Who got hurt?

Dave Smith. He will be prosecuted to the fullest extent of the law, by an ignorant, ham-handed mechanism that's been eager to sink it's teeth into a non-celebrity, just to show that you can't fight city hall, even with a computer.

"Oooohh!!! Scary computer people will launch nuclear missles with a virus!" IMHO that bespeaks badly of the federal and military security, not the crackers who are being compared to the John Gacy's of the Internet.

As for those here who claim that M$ should bear some of the burden for this Melissa fiasco, just because their cheesy software was used to make it happen.. BOLLOCKS! If I go and shoot somone, who in their right mind would blame Smith and Wesson?? What a brilliant defense for Dahmer that would have been: "Your honor, it wasn't really all MY fault, if Ginsu didn't make such sharp knives I would have never been able to eat that Thai boy."

Feh!

Hack yer' Head (1)

Prophet (13824) | more than 15 years ago | (#1947890)

"Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks -- occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions. "

Some of use have no problem in being close, personal AND attacking you. Why would you think I wouldn't as soon smack you as look at you if I was so inclined? Fear? Consequences? Sure - just get really good at dealing with the consequences or minimize the consequences by understanding the reactions that may be generated. Woah - is this hacking?!? :b

Afraid of the Dark? (1)

pwb (14817) | more than 15 years ago | (#1947891)

This reaction isn't suprising. A basic instinct is for people to be afraid of what they don't understand. The vast majority of the population doesn't understand computers, much less hackers. So the reaction is total fear.

This doesn't excuse the reaction. I generally feel that what makes humans human is the ability to react AGAINST our basic instincts!

Mellisa was just the "internet worm" for 1999. (I still wonder if I saw the author of the worm at last years Linux Expo. The name on the name tag was right, as was his apparent age.) It wasn't a big deal. But some people are still afraid of the dark.

For more info on the internet worm, read
http://www.alw.nih.gov/Securi ty/FIRST/papers/virus/gao.txt

Religion is a virus (1)

kaisyain (15013) | more than 15 years ago | (#1947894)

A variation of melissa with a nice (C) on it could be an effective way of protesting daft IP laws.

You don't even need to do this. Everything you write is automatically copyrighted by yourself regardless of whether you put a (C) on it or not. Of course, if you haven't filed the appropriate paperwork with the appropriate government agencies then defending that copyright in court can be difficult.

It would be interesting to see what affected companies would say if you sued them for copyright infringement for running your virus without a license. :-)

Facts and clues free of charge (3)

kaisyain (15013) | more than 15 years ago | (#1947895)

For someone who claims to be interested in the facts your apparent ignorance of the McDonald's case is interesting.

The coffee, maintained at a scalding 180F-190F because the customers supposedly "like it hot", caused severe third-degree burns. She spent seven days in the hospital and was treated with skin grafts.

Initially she only wanted payment for her medical bills but McDonald's refused to even negotiate with her. Consequently she contacted an attorney who had settled another coffee burn case with McDonald's. In the course of the trial company documents revealed that "in the past decade McDonald's had received at least 700 reports of coffee burns ranging from mild to third-degree, and had settled claims arising from scalding injuries for more than $500,000."

Despite knowledge of the hazard, company officials refused to warn its customers. "There are more serious dangers in restaurants." And given the 1 billion cups of coffee sold annually, McDonald's considered the number of burn complaints to be "statistically insignificant".

After hearing such testimony a jury found McDonald's liable and awarded $200,000 in compensatory damages. The jurors deducted $40,000 for contributory negligence. Also, given McDonald's conduct, the jury awarded $2.7 million in punitive damages, which was equal to 2 days of coffee sales.

Later the judge reduced the punitive award to $480,000. While awaiting appeal the two parties settled out of court for an undisclosed sum.

The #1 sickening thing about the whole McDonald's coffee hype is how it distracts from the facts. I suppose you just glibly believed whatever it was the mass media told you about that McDonald's case didn't you? Why do you expect anyone else to behave differently when it comes to the hacker culture (or whatever you want to call it today)?

This is out of hand (2)

Master Switch (15115) | more than 15 years ago | (#1947896)

Some dork writes a prank virus, and he gets threatened with up to 40 years in jail. He would have been better off to go shoot someone. At least then he would only be looking at around 7 to 10 years. Now I don't mean trivialize murder. The point I am making is that this guy basically pulled a prank. He didn't do any tangable damage. Things are getting way out of hand. The GOVT has too much power. Why take away this man's future for a stupid prank. Why is this a crime at all? This is more humor than anything. Microsoft shouldn't have left so many stupid doors open in their software.
Anyhow, that is my take on things

Bad Metaphor (1)

Samurai Cat! (15315) | more than 15 years ago | (#1947897)

This joker didn't send out emails saying "Open this Word Document to spread a virus to a bunch of folks in your email list", though.



And why should this guy have 'every right' to write a virus that screws with people? Calling the victims 'stupid' doesn't wash... 'uninformed,' perhaps, and that still doesn't excuse it. The *intent* behind the virus was malicious, and I challenge anyone to deny that.

The charges against him (1)

forge5 (15736) | more than 15 years ago | (#1947900)

I believe the theft of computer service refers to the AOL account that he broke into to send the virus. Ditto with the third charge. This is an interesting case, its not actually that far a leap from this Macro virus to spam mail...


-Rob Ansell
-forge5
"No rest for the weary, and the insane don't need it!"

A Pause (1)

Eien (16340) | more than 15 years ago | (#1947901)

Okies, people, let's say that David Smith is the creator of the Melissa virus. Well, he's got to be somewhat good of a coder to write the blasted thing...

The Melissa virus is not an evil monstrosity designed by a lone person to bring the information world crashing down upon our heads. What he did wasn't even *hard*. It's not like he had to break into military databases, bypass the incredible security, etc.

He let people do that for him, all thanks to Micro$oft. He utilized one of the primest of security holes. People. He did use their ignorance and trust against them, true, but it still took one person to blindly trust this suspicious document they received from an outside source.

And let's look at how the Melissa virus was done. It was a Visual Basic-written Word Macro. Written on Micro$oft to affect anyone who uses Micro$oft.

Macro virii are not new. In fact, they've been around for at least two years. However, unlike conventional virii, they're complete potential has not been explored. Each new development can, in a way, be paralleled to the rise of virii in the mid-to-late '80's.

Macros are a huge security hole in Micro$oft products. If you give me access to a Windows machine, and only give me access to Word because you don't want me to use anything else, I can easily hack together a macro to let me access command.com or anything else I want.

But no one wants to believe that.

Especially not the media. Hackers generally (and please do not confuse the term hacker with cracker) dislike the media, are in a sort of revolt from it. And the media wants to, well, to maybe exaggerate it a tad, own the souls of everyone it can. The hackers are a threat.

Threats must be eliminated. Resistance is futile. You will be assimilated. Or else.

The Melissa virus has shown us three things. One, the media is evil, given the arrest of David Smith. Two, Micro$oft Office is one of the greatest hazards to a computer's security. (Micro$oft coders, please take note.) Three, macro virii are still mutating, becoming stronger.

Does anyone here still remember the big scare about Michaelangelo a few years ago? The Melissa virus scare was even worse.

But has the macro virii world truly found its Michaelangelo, or are we just seeing its preludes?

'Melissa' Virus not the point of Jon's article. (5)

CodeShark (17400) | more than 15 years ago | (#1947904)

Folks, consider the source here... Jon Katz is not writing about Microsoft (which I acknowledge has not done a very good job securing VBA -- why should a VBA macro be able to access my e-mail address book without permissions, etc.?), he's writing about the societal response to bad news and the Internet.

Then he makes (IMHO) a valuable connection of the similarity in psychological distancing involved n the use of high tech killing weapons. The 'Internet Creeps' (the so-called dark side of the Internet: porno junkies, perverts, crackers, flamers, etc.) have the advantage of anonymity from their intended victims that allows them to launch whatever type of attack they wish, without responsibility for the results of their actions.

Freedom without responsibility invariably leads to anarchy. Let me offer several examples.

  • I am (not being an ex-convict, or otherwise restricted) 100% free to buy a gun. I am not 100% free in how I use it.
    Use it wrong, and I am subject to arrest for breaking the law.
  • I am free to buy the ingredients which mixed together, could make an explosive or illegal drug.
    But if I make the explosive or drug, again, I am breaking the law, and deserve the consequence of my actions.
Similarly, I am free to write an unbelievably malicious computer virus. I am not free to distribute it without consequence. But even these thoughts are not 100% what the article is (IMHO) trying to focus our attention on.

Either we work together to make the 'Net a more livable, enjoyable, and safe place to co-exist, or we do in fact deserve the heavy-handed law enforcement and media responses which would undoubtably otherwise follow.

How is that trojan a crime? (3)

shri (17709) | more than 15 years ago | (#1947905)

I am not sure of the legal framework that goes into "making a virus" and propagating it, a federal crime. However, here are my observations on how this thing went about spreading itself in the company I work for.

a) My company is a respected and technical organisation with about 2000 people in it. We tend to work mainly with Fortune 500 type outfits.

b) Unfortunately, we are a microsoft centric company. This is true in development and also very true in our companies sales organsation. Everyone without exception has to rely on Word and Exchange for their correspondance, document creation. i.e. MS software is core to our business.

c) We were hit quiet badly, but luckily enough, the media had created enough of a frenzy on TV and in the local newspapers that we escaped the consequences.

Now onto an brief analysis of what I see as a growing problem, which a lot of linux folks are oblivious to, or tend to have an elitist attitude towards.

It is easy for a corporation to select MS products. In the good old days no one got fired for selecting IBM, these days no one gets fired for selecting MS products. This in my opinion has happend because of the "dummification" of the industry overall.

Most of the people in organisations like mine DO NOT have a choice in terms of what software they use. MS Office and Backoffice are corporate standards, for which licenses have been purchased for every luser. Given that there is every spectrum of IQ in our organsation, from Management to Intelligent and savvy users ;). What the author of the virus did was essentially created a "gun, which replicated itself everytime someone fired a shot". Imagine a weapon like that let loose on our streets.

re: lets do it again. (1)

Mike McCune (18136) | more than 15 years ago | (#1947907)

Or you just could turn off the macro languages in MS products. Unfortunately, security is an after thought in all MS products.

Countersue MS because of how he was caught? (1)

G-Force (18184) | more than 15 years ago | (#1947908)

Step back for a moment from the issue of the virus itself.. This guy sits down, playing with VB, and writes a neat little virus. It may have been his first realization of how "powerful" VB can be. He may have just learned how to write a macro and figured a simple exploit... So he writes it, mails it off to a friend (Maybe to test it?), who mails it to a friend, etc etc.. wow it worked!

But he was caught... how?

Correct me if I am wrong, but I am under the impression he was caught because of a string of code, undocumented, added to every word/excel document that takes a user's registration code and system settings and generates a unique id which is then sent out with everything he writes! Hmmm, that sounds, wow, a hell of a lot like the virus he himself may or may not have written, EXCEPT it was written into commercial software by a multi billion dollar corporation with the guise of Information Security

If that's not the ultimate irony, I am not sure what is.

Religion is a virus (1)

Pyr (18277) | more than 15 years ago | (#1947909)

"He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems."

Just FYI, only the first one was related to the actual writing of the virus. He stole an account from AOL (probably with a CC generator, although maybe AOL's just lying and it was one of those "100 free hour" things and they don't want to look stupid "Oh, hey! We're giving away free accounts that anyone can use anonymously to do whatever the hell they want!"

Not only that... (2)

coreybrenner (19101) | more than 15 years ago | (#1947911)

... but it's not actually 5000 kids killed by guns. It's 5000 kids killed by morons wielding guns. Be those morons kids themselves, or no, those are the facts.

Guns don't kill people. People kill people.

Too much sensationalism. The only way to combat this type of thing is via EDUCATION, EDUCATION, EDUCATION. One of these days, hopefully, people will figure out that media is not there to disseminate news. Media exists to further the cause of media, just like bureaucracy exists to further its own existence. Sensationalism, hype, and demagoguery are the tools of media and politicians, and none of it is good for us. We all lose our rights and freedoms when the ignorant are cowed by these tyrannical forces.

Makes me want to live in a tar-paper shack in Montana and build bombs. Also makes me glad I don't own a bloody television.

--Corey

How is that trojan a crime? (1)

RyanGWU82 (19872) | more than 15 years ago | (#1947912)

It is easy for a corporation to select MS products. In the good old days no one got fired for selecting IBM, these days no one gets fired for selecting MS products. This in my opinion has happend because of the "dummification" of the industry overall.

No offense to you -- you're not the one that set your organization's IT standards -- but maybe people SHOULD start being fired for selecting MS products. A large vulnerability was found in a Microsoft product, resulting in considerable downtime for certain companies. If, say, Applix or Star Divison software was responsible for the bug, employees would be reprimanded for choosing their software. Why shouldn't the same be true for Microsoft?

Also, remember, patches were available for Sendmail (the Pro and open source versions) within hours of the virus' discovery. Many of the anti-virus companies (Symantec, etc.) published updates within hours of discovery. AFAIK, the only thing Microsoft has done is acknowledge that the vulnerability will be present in Office 2000 as well.

Ryan

Flames and viruses both serve some good purposes (1)

for(;;); (21766) | more than 15 years ago | (#1947913)

Flames and viruses may both come across as hostility, but they share similar positive qualities. They're blunt ways to point out weakness in an argument or system. A wise Win98/Outlook/Word user will look at the Melissa virus and say, "I'm going to move to a system where the makers give enough of a shit about the users to fix the software holes that allow viruses." People have known about the threat of scripting viruses for years, but only when massive damage is done do mainstream folks wake up and pay attention.

the distraction (1)

Moofie (22272) | more than 15 years ago | (#1947915)

I don't understand what the Melissa fiasco has to do with "integration". Integration IS good for the customer. I'm really really glad I don't have a different pull-chain under my dashboard to control the spark advance, fuel delivery, valve timing, and all the other wonky stuff that makes my car make pretty noises and go fast. Bad engineering (in the form of MS's VBA implementation) is not good for the customer. Integration (that is, the combination of modular parts into a seamless whole) is the best possible way to run computer. I'd LOVE for Apple to release OpenDoc under GPL. That'd be a very cool thing indeed!

How is that trojan a crime? (1)

theCoder (23772) | more than 15 years ago | (#1947918)

What kind of moron runs a macro-laced Micro$oft file from someone they don't know? Anyone who does that deserves what they get.


Except everyone who got this Melissa virus got it from someone they DID know. Fortunately, all I've heard about the virus came from news sites (no first-hand knowledge), but it seems that the message is designed to fool the recipiant into opening the document. If you didn't know about the virus, you'll just think some friend of yours sent you something important, and you'll probably open it. Chances are that you'll ignore Word's warning about a possible macro virus, and run it anyway. Once you do that, it's all over -- the virus has spread to all your friends. Melissa spread so easily because it seemed to come from a trusted source, not becaue everyone who got it and spread it was a moron.

Naming of Melissa virus (2)

gothwalk (24624) | more than 15 years ago | (#1947920)

Katz writes:
He allegedly named his virus after a topless dancer in Florida.

As I understand it, the virus was named for part of the registry modifications it makes. I could be wrong, but the CERT advisory FAQ [cert.org] says: "It was named Melissa by the antivirus software vendors."

Who Figured it Out? (And Other Musings) (1)

whimsy (24742) | more than 15 years ago | (#1947921)

I'd like to point out that the only real piece of "smoking gun" evidence, the MAC address, was discovered not by a government agent, but by the guy who originally found this security hole. The government would have just been speculating without him.

Furthermore, nobody's really talking about the privacy issues. Yes, it may have captured a suspected criminal, but it was a violation of privacy. We should hear about these things from the company.

Finally, I know this will never fly in court, but who says he had malicious intent? Maybe he was playing with macro virii and making a porno list, and he infected himself. In any case, he obviously got in way over his head, otherwise he wouldn't have gotten caught (for technical and other reasons).

Be wary of the cyber evil!@#! (1)

Merk (25521) | more than 15 years ago | (#1947923)

Er, careful never to use that analogy or even joke about that in an airport. From what I understand body cavity searches are not pleasant.

I think it's more about finding a scapegoat anyhow. If they hadn't quickly found a suspect there might actually be some tough questions asked:

  • How come Word is tied so closely to Outlook?
  • What kind of anti-macro virus security do these products have?
  • Why are average users dumb enough to enable macros on an unknown document?
  • Why is email so insecure?

40 years? (5)

Merk (25521) | more than 15 years ago | (#1947924)

Apparently if found guilty on all counts this guy could face up to 40 years in prison.

I, for one, find this ludicrous. Nobody was killed, nobody was hurt, and as far as I know no data was even lost.

I think, on general principles, anybody who writes a macro virus should face half the legal penalty of someone who writes a true machine-language virus. Afterall, in order for his/her virus to do anything the person whose computer is involved has to effectively let them, by allowing the macros to run.

Maybe the way to divide up the blame is to say any malicious things the macro virus does to the host computer can be laid squarely on the shoulders of the virus writer. Any denial of service resulting from the virus spreading is shared between the company that has a macro-virus enabled platform, and the users who don't check for virii.

In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.

But unfortunately my views aren't the views of law enforcement.

So. How is a very successfully propagating but non-destructive macro virus different from some other action resulting in denial of service? For example: the people responsible for the net clog following the Pamela Anderson / Tommy Lee videos? Lucasfilm for the popularity of the Star Wars trailers? Even the /. effect! We take down servers just has harshly as Melissa did when there's something cool to see there.

Look out Cmdr Taco -- 40 years as some guy's bitch isn't worth the coolness of maintaining /.

This stuff (1)

Smallest (26153) | more than 15 years ago | (#1947925)

If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun

Actually, it's more like this :
Your desk suddenly decides that it is going to send a package to all of your friends. Your friends are not wary of this perfectly normal looking package; it is addressed from you, after all. And, even though they weren't expecting a package from you, they know you and trust you.

Your friends take this package to their desk, sit down and open it. They find that the package contains a bunch of teen porn magazines. So now they're a little suspicious, of you, not of the package.

But, while they weren't looking, the package has told your friend's desk to send identical packages to everyone of your friend's friends.

Two things :
Should a package be able to talk to your desk?
Should a desk be able to send a package?

Don't the sheep ever learn (1)

NiteHaqr (29663) | more than 15 years ago | (#1947927)

How many months into 1999 are we.

It is only 4 months since Happy 99.

Fortunately I only ever read about that one - mainly cos I dont open strange .exe files.

I can't wait till someone decides to exploit the weakness in the Standard VESA library and starts blowing up monitors.

Maybe after some flashes and bangs the sheep would learn.............

5,000 kids killed by guns (3)

DonkPunch (30957) | more than 15 years ago | (#1947932)

Acutally, statistics like that get a LOT of media coverage. I suggest the author take some of her/his standards for factual reporting and apply it to other statistics. Where did you get the number "5,000"? What is the cut-off age for a child (25, 21, 18, 12)?

Anyone's death by firearms is unacceptable. When I studied criminal justice, however, I saw studies that defined a "child" as anyone under 25. This includes legal adults who were killed as part of gang activity.

If the author is going to insist on media fairness and accuracy, I would suggest also exercising it. Sensational statistics like "5,000 kids killed by guns" serve the same purpose as "100,000 computers infected by Melissa".

Sorry to go off-topic (and sound like an NRA stooge), but that statement stuck out like a sore thumb to me.

A Pause (1)

Steeldrivin (32368) | more than 15 years ago | (#1947935)

What he did wasn't even *hard*. It's not like he had to break into military databases, bypass the incredible security, etc.

What does difficulty have to do with anything?

It's not *hard* to shake a baby until it's brain-damaged.

It's not *hard* to shoot a bunch of people.

It's not *hard* to cheat a bunch of old people out of their money through a telemarketing scam.

Does that make these things okay? Are you suggesting that criminal law should be based on the *level of difficulty* of a crime?

Get a grip.

How is that trojan a crime? (1)

White Bear (32720) | more than 15 years ago | (#1947936)

"What kind of moron runs a macro-laced Micro$oft file from someone they don't know?"

But, in fact, the major social engineering feature of the attack was that it was specifically designed to come from someone you _do_ know. IMHO _that_ was the real inovation in this expliot, not threading together a collection of security holes like so many Cheerios on a string.

How is that trojan a crime? (1)

sputty69 (33011) | more than 15 years ago | (#1947937)

The same kind of moron who thinks that just by reading a text file, you too can catch a virus.

The said part is that IT professionals must deal with this sort of thing everyday. In my shop, I've told people that if they run a file they recieved as an attachment, there SOL because I'm not going to drop everything to help them.

Stupidity on your part does not create an emergency on my part.

Would you open the door before peeking? (1)

Gischer (33166) | more than 15 years ago | (#1947938)

Very few "middle aged or older ladies" who live in an urban or suburban setting would dream of opening the door of their home before checking through a peephole to see if they were willing to trust the knocker.
I think they are capable of learning to do the equivalent with email, but it will take a while.

This stuff (5)

Madhatter (33678) | more than 15 years ago | (#1947940)

If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun (if it was him responsible for spreading it) and people very stupidly opened up stuff they had no idea was about. Is he to blame for everyone being so lax about their own security in the computer world?
On top of that, I've seen entire mail networks brought down by one lone dumbass who hits reply all to a system e-mail that causes a crazy loop drawing in other dumbasses telling her to shut up and before long servers are crashing all over the network(MS-Mail 3.2 BTW).
Freedom of information. He has every right to write a macro virus if he wants to. Who can prove that he did or didn't spread his melissa ho all over the internet? I look forward to seeing how this plays out in front of a jury. The poor sots are going to be confused to hell by the end, and probably turn into disgrunteled cyber-terrorists.

Microsoft is an accomplice (aiding and abetting) (1)

Jameson Burt (33679) | more than 15 years ago | (#1947941)

Unix/Linux have no viruses, though traveling
internet under "root" privileges can break security.
Seeking user-friendliness, Microsoft has produced
software that will act on anybody's program/message. This is not secure. Since Microsoft additionally piggy-backed internet, it became even more vulnerable to "viruses". Using Microsoft's Word and OS on internet amounts to standing naked in Central Park, then complaining you were molested.

When you run around naked in Central Park, you expect to be molested. You should complain little about the molester (Melissa author), but should complain about people without clothes (Microsoft's insecure software). Children run around naked. When children become adults (adult operating systems), they dress like adults (perhaps Linux or BSD Unix).

Your companies bad decision (1)

dagarath (33684) | more than 15 years ago | (#1947942)

Word can be configured to use .rtf formats or others that don't contain macros. So, while you may not be able to discard MS products, you as the user can choose how it's used.

In addition, your IT/IS department has obviously choosen that your company should be vulnerable to this kind of attack. If you choose not to lock the front door, don't be surprised when someone walks in.

Don't mistake my intention, whoever started this worm should be caught and slapped on the hand. But, the 'damage' (downtime, flooded servers, lost productivity) is the result of poor choices on the user and corporate level.

reasonable expectations of average users (1)

dagarath (33684) | more than 15 years ago | (#1947943)

Using a computer and it's applications should not be considered 'common knowledge'. An 'average' user should understand somethings about the system. And I would not expect that person to learn the basics without some formal education / inservice / training.

A good sysadmin could have deflected Melissa, that's true. But, Melissa is not the point, it was just one example of a email worm / virus. The end user must assume some responsibility for the security of their system. You may feel that's expecting too much from an 'average' user.... if so then the definition of an 'average' user needs to be raised.

It's also a mistake to assume that the end users don't know what they are doing. You never know, that 'clerk' on the second floor may be a kernel hacker at home.

executable attachments (3)

dagarath (33684) | more than 15 years ago | (#1947946)

Melissa just takes advantage of people that rely on binary executable attachments to email. MS users are of course much more vulnerable to this. How many times have you saved an attachment, set it chmod 700, and executed it?

Contrast that with an attachment in Outlook, Outlook Express, Eudora, etc. Attachment - double click - .. oops!

Just as windows users should learn not to execute email attachments that are *.exe, they shouldn't execute *.doc files.

The automatic response I expect is : "but, that's how our users work". That's not acceptable. Ignorance shall not become a defense. If a user becomes infected with Melissa, it's their own fault. They were too trusting. (perhaps sad, but true)

Any company or government agency that was hit by Melissa needs to do some serious re-education of their users and implement some policy about email attachments. For example: 1. No *.exe attachments to email (maybe even filter them out) 2. No *.doc (or other macro containing formats) 3. All attached files should be in *.rtf or *.txt format.

Safe Computing like Safe Sex depends on EDUCATION.

Maybe it's you who is creating villians (1)

dbillen (33698) | more than 15 years ago | (#1947947)

I think you're projecting your own need to create villians.

Let me ask a question: Pretend that you are in some law enforcment position, and it is your responsibility to enforce sensible laws which prohibit vandalism on the internet.

Almost no one is ever truly convicted of violating these laws, and the vandalist know that.

What would you do?

Of course, this assumes that the laws are sensible. I see a lot of postings which explain that it's the fault of the "victims" for having security leaks. This is ridiculous. You could apply that to anything. I suppose that by the same logic - we shouldn't have laws against murder. After all, don't murderer's simply expose the weakness in their victims defenses, thereby helping us all to become stronger?

Infamous Lurker (1)

nekr0tek (148478) | more than 15 years ago | (#1947949)

Hello all I am one of Jon's Infamous Lurkers, I agree with alot of what he has said here. But ture indeed is the fact that the OS makers are at blame as well. Macro virus are incredibly dangerous and easy to code VB is a wonderful tool for such projects but for the really good one you must program in Assembly, that dead language that no one really knows all that well. The mellisa Virus could have been much worse, It could have replicated and mailed it's self then over wrote every file of a type on the hard drive. It how ever is not that hard to remove I have been a consultant for a few years and helped A certain major Pizza Franchise corporation through a marco virus clensing. It was vary harmless as well, matter a fact we only lost 4 documents company wide, it propogated through e-mail, It did however cost the corporation a pretty penny to rid them selves of the virus. But the whole thing was blown way out of preportion, this guy is not even close to being a Kevin M. Thanks for the great colums keep up the good work
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?