Are Microsoft and antivirus vendors liable for LoveBug?

This topic stems from a couple of discussions in GQ and the congressional debates on CSpan2. In GQ, I attempted to explain how this particular virus propagated (and how it didn’t), but several posters seemed intent on excoriating Microsoft for their lack of security, which seemed like a topic more suitable for GD.

While viewing congressional hearings on CSpan2, I witnessed several lawmakers berating representatives from McAfee for their poor showing with respect to this virus, particularly since it bore some similarities to the Melissa virus. These congressmen were astonished that McAfee’s antivirus product didn’t stop the LoveBug, but they stopped short of proclaiming them culpable.

Now to me this seems absurd. Blaming Microsoft and/or McAfee for the LoveBug is akin to condemning the post office for the Unabomber. However, I make my living as a software developer, primarily for Microsoft platforms, and as such I may be biased in their favor.

I don’t expect my representative to fully understand the intricacies of software, yet if they are taking the described position then I suspect a large number of their constituents do likewise. So I throw the floor open to my esteemed fellow dopers as I try to elicit your opinions in this matter.

If Unix ran 90% of the machines in the world, there would be people writing viruses which specifically targeted and infected Unix boxes.

If Macs ran 90% of the machines in the world, there would be people writing viruses which specifically targeted and infected Mac boxes.

Microsoft DOES run 90% of the machines in the world, so people target MS software. Unix and Macs (and anything else you want to name) only seem secure because there aren’t nearly as many people banging on them as there are on MS.

I don’t claim any great love for Microsoft but these congresspeople (and perhaps a few dopers from reading the OP) don’t know what they are talking about.

Blaming Microsoft for The Love Bug would be like blaming General Motors because someone cut your brake lines on your car. Could they armor brake lines and hide them such that no one could climb under your car and do this? Probably. Is it a waste of time, money and effort? Definitely. Protect the brake line and the crook goes for the tires next.

If the congresspeople want to crucify McAfee, Symantec and Microsoft for this then I want to be able to sue the Center for Disease Control and National Institute of Health every time I get the flu because they were too slow to come up with a vaccine to protect me before I got sick.

The antivirus companies can’t protect you against a virus that hasn’t been written yet. Each time one pops up they ‘teach’ their software to recognize the little bugger. The Love Bug spread so insanely quickly that even teaching their antivirus software to recognize it in less than a day was too slow.

Go after the people who wrote the virus. They’re the ones who should be the focus of our anger.

The issue is not whether MS is 100% at fault or 0% at fault. It is whether they contributed to the problem.

The default settings on Outlook seem to leave pretty big holes and the Love Bug exploits a known problem. On the other hand, what system admin would leave those defaults where they are?

picmr

Absolutely. Those lazy good-for-nothings at McAfee managed to be asleep at the wheel yet again, and failed to take the preventative measures that would have fjkoseau09vewu ln09087834nn(*&**N v99- j09fiu09ewuv 09ujml,joi790n$E()Nm

+++
NO CARRIER

No one ever reads the license, but if you ever do, there is a clause that states that the software maker is not responsible for any damage the software may cause to your computer, or any damage that other software (like a virus) may cause to your computer.

picmr, what “big hole” and “known problem” in Outlook do you imagine that the LoveBug exploited? The ability to run attachments if the user expressly desires to do so?

I am not saying that I couldn’t write a virus to exploit the preview pane in Outlook. I’m just pointing out that this particular virus didn’t do it.

I am a computer programmer who has worked mostly on Unix platforms. I don’t feel McAfee should be held responsible, but I do feel Microsoft should accept some blame as it is notorious for letting products go out the door without rigorous testing. I don’t think a bug like the ILOVEYOU virus would have been as successful on the Unix platform as Unix is a much better system. So many things about Windows are so inferior to Unix. I have known Unix boxes that have been up for over a year without rebooting yet I have to reboot my Windows laptop daily or more often. I do think Microsoft bears some responsibility.

vandal, I realize the license agreements likely preclude any legal recourse. Perhaps the debate should focus on what, if anything, should they be held accountable for in the LoveBug case, not what they actually could be.

lswote, thank you. That is a prime example of the type of logic I have been confronted with over the past week. Windows must be rebooted more frequently than Unix; ergo, Microsoft bears some responsibility for the LoveBug virus. Simply amazing.

The real security hole was not with MS Outlook, but with MS Word. If the default in Word was to not allow Word Macro programs to run, the vast majority of successful viruses/Trojans/worms out there would be powerless.

hardcore said:

I didn’t say Microsoft bears responsibility because their software must be rebooted more frequently. I said their software is notorious for going out the door without rigorous testing. Rigorous testing includes test scenarios like firewall penetration and system vulnerabilities. My example about Unix staying up longer than Windows without rebooting is in my opinion because Unix is more completely tested before it is made available.

Come on, lswote, there’s only so much we can expect from a piece of software. If every product put on the market were designed to be absolutely impregnable, it would be useless since it would be completely incompatible with everything. There HAVE to be “gaping holes” in the programming language in order to work. The only guaranteed method for avoiding a virus is to never hook your computer up to the Internet.

Saying that Microsoft is responsible is absurd. A lot of things said about Microsoft are absurd. Microsoft is the chosen scapegoat for things like this because they’re the Big Guy.

This kinda crap amazes me. I’m not really a defender of Microsoft but I will be here. In this case they have no culpability (rhymes with SPOOFE Bo Diddly :) never mind).

  • A computer virus is essentially a small program.

  • Computers run programs.

  • Therefore you can never truly protect against viruses without disabling the computer entirely.
    Don’t believe me? Then why aren’t computers immune from viruses already?

Yes, Microsoft created Visual Basic Script and incorporated it into their programs. This allows people to do all sorts of creative and useful things with MS-Office. The ‘Love Bug’ took advantage of VB Script to whack computers.

Guess what…VB-Script viruses are a minority of viruses out there. Microsoft provided a powerful tool for people to customize their programs to their needs.

Guess what else…computers run programs. Anyone can write a program to do all sorts of things to your computer. MS-Word makes your computer behave in certain ways. Virus writers make your computer behave in certain ways also…albeit in undesirable ways.

Virus programmers are simply taking advantage of loopholes and tools in standard programming languages. Close those loopholes and you lose a TON of functionality in your program.

Again…if you don’t believe me just look at the file size of most viruses. They’re VERY small. It doesn’t take much to tell your computer to delete all files of type X. There are VERY legitimate and necessary uses in programming for stuff like this. Restrict your computer from these sorts of functions and most of your software will stop running.

lswote, even if Microsoft didn’t rigorously test their software (but they do), how is that relevant in this case? What “system vulnerability” do you think the LoveBug exploited? If a bank robber uses a getaway car, do you blame GM for designing it to run? Do you blame gun manufacturers for designing weapons that fire?

tracer, the vast majority of viruses are not Word macro viruses, and the default installation in Word 97 is for the macro virus checking to be on (see Tools, Options, General).

SPOOFE Bo Diddly

This will help, but it is by no means a guarantee. It used to be quite common for viruses to propagate through floppy disks. Viruses have even been found in shrink-wrapped installation disks!

Even if Microsoft could make a program that stopped all viruses they wouldn’t; they would wait until a major virus comes up, then sell a product that doesn’t work, then sell a patch on that product that fixes the viruses.

When Ford made a car in the 1970s, the Pinto, that frequently exploded when it was the front car in a rear-end collision, Ford was responsible for those deaths that occurred because their engineering flaw led directly to them.

Microsoft is directly responsible for damage caused by the Love Bug because it created the platform on which the virus is so successful (Windows + Office + Visual Basic) - indeed, the platform is responsible for the creation of a whole family of viruses that exist solely because of the ease with which viruses can be written and spread.

Ford was responsible for human deaths. Microsoft was responsible for people being cut off from their email for a few hours or days. It shouldn’t be an ideological battle to see that Microsoft is responsible, but not in any sort of “Great Satan” way. It’s not that big a deal.

However, Microsoft is generally guilty of creating the conditions of existence for the Love Bug. Their whole macro platform could implement some basic security that would prevent or hamper the Love Bug. How about checking what an attachment is going to do (rename files, email itself to everyone in your address book, delete files, send passwords), and warning the user in these cases, asking for their explicit permission? All of this could have been done after the Melissa virus, and wasn’t.

If you went into a bank to open an account, and found their cash lying all over the place, you’d walk out because they’ve created conditions under which they may be easily robbed. If they were robbed, you’d say that they’re at fault for not securing their money in at least a common sense way. It’s in this sense that Microsoft is responsible. And in the same way that you wouldn’t use that bank, incidents like this should have you seriously evaluating other OSes, or simply other software for Windows that doesn’t have this vulnerability (like using Eudora instead of Outlook).

MS has provided a tightly integrated environment without ever bothering themselves about the vulnerabilities inherent in it. They’re not eating babies for breakfast in Redmond, but they are being deliberately dense about the problems they create.

As for anti-virus software, the state of the art is still pretty poor. Once a virus is released, it’s added to their virus definition files, and can be caught before it damages someone’s system if they’re actually running the software, and if the virus has already been caught and added to the definitions.

Running it is a drain on the whole system. The software is bloated and noticeably slows the entire system at every step, causing many people to simply disable it. The software is not at the point where it can be unobtrusively resident in memory.

The Love Bug couldn’t have been stopped because it wasn’t in the definition files. By the design of antivirus software, all new viruses get at least one chance at unhindered propagation. The Love Bug made good use of its opportunity.

Perhaps a programmer more familiar with anti-virus programming could comment on the kinds of anti-viral systems that would have stopped Love Bug before it spread.
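The post above asks what kind of attachment check (what will this script do: mail itself to the address book, delete or rename files, touch the registry) could have warned a user before the definition files caught up. The following is an added example, not code from the thread or from any vendor it names: a small defender-side capability scanner for script attachments placed beside a plain hash-signature check. The object names it matches on are the standard Windows Script Host and Outlook automation identifiers; the thresholds, file names and script texts are constructed and assumed, and the scripts only create objects, they do nothing with them.

```python
"""Added example (not part of the thread): a heuristic that reports what a
script attachment *could* do before it is run, beside a hash-signature check.
All sample scripts and file names below are constructed and inert."""
import hashlib
import re

# One pattern per capability the post lists (mail itself to the address book,
# rename/delete files, registry changes) plus self-copying.  These are the
# ordinary WSH / Outlook automation object and method names.
CAPABILITIES = {
    "mass-mail via Outlook automation":
        re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.I),
    "address-book enumeration":
        re.compile(r'GetNamespace\s*\(\s*"MAPI"\s*\)', re.I),
    "file system access":
        re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "file overwrite/delete":
        re.compile(r'\.(DeleteFile|CreateTextFile|CopyFile)\s*\(', re.I),
    "registry write":
        re.compile(r'\.RegWrite\s*\(', re.I),
    "self-replication":
        re.compile(r'WScript\.ScriptFullName', re.I),
}


def capabilities(script_text):
    """Names of the risky behaviours the script text is capable of."""
    return [name for name, rx in CAPABILITIES.items() if rx.search(script_text)]


def risk_verdict(filename, script_text):
    """Return (verdict, findings).  Score thresholds are assumed tuning values."""
    findings = capabilities(script_text)
    # A double extension such as NAME.TXT.vbs relies on the default
    # "hide extensions for known file types" setting to pass as a text file.
    double_ext = re.search(r'\.\w{2,4}\.(vbs|vbe|js|jse|wsh|wsf)$', filename, re.I) is not None
    if double_ext:
        findings.append("double extension hides script type")
    score = len(findings) + (1 if double_ext else 0)  # the disguise counts double
    if "mass-mail via Outlook automation" in findings and score >= 3:
        verdict = "block"        # can mail itself and looks disguised: do not offer to run it
    elif score >= 2:
        verdict = "warn"         # ask the user for explicit permission, as the post suggests
    else:
        verdict = "allow"
    return verdict, findings


def signature_match(script_text, known_hashes):
    """The definition-file approach: an exact hash match and nothing else."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest() in known_hashes


# Constructed benign script: lists a folder, one capability, no mail.
BENIGN = """' constructed example: list report files
Set fso = CreateObject("Scripting.FileSystemObject")
For Each f In fso.GetFolder("C:/Reports").Files
  WScript.Echo f.Name
Next
"""

# Constructed stand-in: creates the objects a self-mailing script would need
# and does nothing with them.
SUSPICIOUS = """' constructed stand-in, creates objects only
Set fso = CreateObject("Scripting.FileSystemObject")
Set app = CreateObject("Outlook.Application")
Set ns = app.GetNamespace("MAPI")
"""

# Our "definition file": the hash of the one sample we have already seen.
KNOWN_HASHES = {hashlib.sha256(SUSPICIOUS.encode("utf-8")).hexdigest()}

# Same behaviour with one comment changed: the hash check no longer matches,
# the capability check still does.
VARIANT = SUSPICIOUS.replace("stand-in", "STAND-IN")


if __name__ == "__main__":
    for name, text in [("listfiles.vbs", BENIGN),
                       ("INVOICE.TXT.vbs", SUSPICIOUS),
                       ("INVOICE.TXT.vbs", VARIANT)]:
        print(name, risk_verdict(name, text),
              "signature:", signature_match(text, KNOWN_HASHES))
```

The point the thread circles around shows up in the third run: a trivially altered copy slips past the definition file but is still flagged because the check looks at what the script can do rather than at which bytes it contains. The cost is the false-positive problem the later replies raise: a legitimate backup script that copies files and mails a report would also reach "warn", so the verdict is a prompt, not a silent delete.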

I’d better reply to hardcore (I’d rather be told I’m wrong than do a runner), and perhaps back down a bit from my “big holes” and “known problems” comments. Partly this is because my Uni was on the ball as well as using NS Messenger, and I therefore received no copies of the bug.

I would still make the following comments:

Word Macro viruses are well known and the default setting is now OFF. This is a good idea. The functionality is still there, but you are asked whether you want to use it. Outlook has some things that have been known to be damaging on by default.

How can you send 50 emails without ever pressing send or ok? Why can you change registry items without pressing ok? IE5 asks me to confirm whether I want to add a bookmark.

picmr
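picmr's question (how can 50 messages leave without anyone pressing Send?) is one a mail gateway can answer even when the client does not: a self-mailing worm produces one identical subject to many distinct recipients in seconds, which a person almost never does. The following is an added example, not code from the thread or from any mail product: a sliding-window burst detector run over constructed gateway log lines. The log format, window size and threshold are assumptions for the example.

```python
"""Added example (not part of the thread): gateway-side detection of the
"many identical messages from one sender in seconds" pattern.  The log
format, window and threshold are assumptions; all log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<date> <time> from=<a> to=<b> subject="..."" per delivery.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subject="(?P<subject>[^"]*)"$')

WINDOW_SECONDS = 60    # assumed: look back one minute per sender
MAX_SAME_SUBJECT = 5   # assumed: distinct recipients of one subject that trips the alert


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=MAX_SAME_SUBJECT):
    """Return {sender: subject} for every sender that delivered one identical
    subject to at least `threshold` distinct recipients within `window` seconds.
    Lines are expected in time order, as a gateway would write them."""
    recent = defaultdict(deque)   # sender -> (ts, recipient, subject), oldest first
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # malformed line: skip rather than crash the monitor
        q = recent[ev["sender"]]
        q.append((ev["ts"], ev["rcpt"], ev["subject"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()             # drop deliveries that fell out of the window
        by_subject = defaultdict(set)
        for _, rcpt, subject in q:
            by_subject[subject].add(rcpt)
        for subject, rcpts in by_subject.items():
            if len(rcpts) >= threshold and ev["sender"] not in alerts:
                alerts[ev["sender"]] = subject
    return alerts


def _line(second, sender, rcpt, subject):
    """Build one constructed log line at 09:00:<second>."""
    return f'2000-05-04 09:00:{second:02d} from=<{sender}> to=<{rcpt}> subject="{subject}"'


# Constructed log: alice's account fires one subject at six people in six seconds
# (worm-like); bob writes six different messages; carol mails three people the
# same question, which stays under the threshold; the last line is junk.
SAMPLE_LOG = (
    [_line(s, "alice@example.test", f"user{s}@example.test", "hi") for s in range(6)]
    + [_line(10 + s, "bob@example.test", f"user{s}@example.test", f"re: project {s}") for s in range(6)]
    + [_line(20 + s, "carol@example.test", f"user{s}@example.test", "lunch?") for s in range(3)]
    + ["this line does not match the log format"]
)


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))   # alice only
```

Keying on distinct recipients per identical subject, rather than on raw volume, is what keeps bob (busy, but writing different mail) out of the alert while catching the pattern picmr describes; the threshold is where the trade-off with the complaint volume the later reply mentions lives, and a gateway can hold the burst for confirmation rather than bounce it.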

sixseatport:

They might be able to get to the servers, but they wouldn’t be able to get to people like me that telnet to the servers, now would they?

vandal:

Just how does a unilateral declaration by Microsoft limit its liability? Just in case that actually works, I hereby declare myself to not be liable for anything.

Jeff_42:

Just what do you mean by “a ton”? Do you consider the ability to have programs that automatically send e-mail a “ton” of functionality? Is that functionality really necessary? I would say that probably at least 90% of MS users would never intentionally use such a thing. If the rest really want it, there could be an option to enable that functionality. Having it enabled by default is just stupid. Going back to the Pinto example, not having it burst into flames certainly would be a loss of functionality; I could think of a few rare situations in which one would want a car to burst into flames. But the possibility of such a desire is so remote that it really doesn’t justify having the car bursting into flames so readily.

Although this may sound like a fine idea while we’re thinking in terms of this particular worm, most people wouldn’t see this as a useful “feature”. Imagine your email package periodically nattering at you when it thinks you may be attempting to send out “too much” email. Now imagine the volume of complaining calls to technical support over it.

As evidence that this is not generally thought of as a good idea by application vendors, I’ll point out that I am not aware of any email package that currently does this, Windows-based, Mac-based, or UNIX-based.

If you had to press OK every time an app wanted to change registry items, your fingers would be worn out from clicking on your mouse button. :)

Seriously, the Registry is used for all kinds of App-specific data. Most apps that used to use INI files to store their current/default values now use the Registry instead because of the speed advantages of doing so. (The apps that I build still use INI files, but that’s because I’m a bit of a luddite.)

One could argue that you should have a protected area of the registry that only administrative functions could modify - but then only administrators could install your new copy of Quake-VII-which-requires-direct-Draw-version-43.