Are Microsoft and antivirus vendors liable for LoveBug?

I’m going to mentally change the word “Microsoft” above to “Application Vendor” in an effort to keep this conversation on an even keel.

Virtually all shrink-wrapped software contains this sort of declaration. By agreeing to purchase software which contains this declaration, you’ve agreed to the terms. (The declaration should either be on the outside of the package, or should contain a clause letting you return the package for a refund if you read the agreement on opening the package and don’t agree to using the software on those terms.)

You can’t unilaterally declare yourself to be not liable for anything if the other party in the transaction hasn’t had the opportunity to agree to (or even hear about) your terms. Your purchasing and subsequently using a software package that contains a declaration in a prominent place makes the above declaration not unilateral.

To run the application, probably not. To sell it, probably yes. Most corporations run through checklists when deciding which software to purchase, and the vendor with the most checkmarks is usually the vendor that wins. (“Their package is the most complete.”)

Hansel, the car analogy doesn’t fit. Ford neglected a painfully obvious flaw that didn’t meet safety standards regarding accidents that, yes, are quite likely to happen (especially in this country). Note the word “accidents”. If you’re driving, and somebody wanted to crash into you badly enough, NO car design EVER will prevent them from doing so.

There isn’t any way to protect your computer 100% from a virus. A virus exploits pathways in a popular program that exist for the program to function. Talking about “do we really need to send fifty E-mails?” is really a lot of nitpicking. The Microsoft design teams couldn’t possibly anticipate every possible virus out there, and expecting them to do so is very unrealistic. Saying “well, couldn’t you have done this or that etc.” is all well and good… IN RETROSPECT.

I think the whole “blame Microsoft” deal stems from the fact that they haven’t caught the creator of the Lovebug yet (or have they? I stopped paying attention to the Lovebug when all the “blame Microsoft” baloney began). After all, it’s human nature to blame SOMEONE so as to exact vengeance, and as I’ve always said, Microsoft is the obvious target 'cuz they’re the big guy.

As I tried to make clear before, simply blaming Microsoft is a useless activity. I pointed out that Ford’s error cost lives; Microsoft’s annoyed people for a few hours.

That said, the analogy doesn’t fail. The problems in the software that permitted the Love Bug were obvious and well known, since before the Melissa virus. They had the opportunity to fix it, in retrospect, and simply didn’t bother. Failing to take reasonable precautions against obvious exploits means, to me, that MS is responsible.

I hope you’re not suggesting that, since we can’t protect ourselves from all viruses, all the time, that we shouldn’t even try. Love Bug wasn’t an innovative virus; it didn’t expose unknown vulnerabilities. It used common tricks that everyone has known about for years. Security experts have repeatedly attacked Microsoft for exactly the things that made Love Bug work.

Yes, a virus exploits pathways that exist. They also do so in unique ways that are detectable and preventable. Perhaps I want to send an email to everyone in my address book. The software could easily tell the difference between me doing it, and a script doing it; likewise deleting or renaming files; likewise making changes to the registry to cause program X to start up at boot time; likewise downloading software from the internet and emailing all passwords stored on a machine. MS isn’t to blame because they made it possible; they’re to blame because they made it easy, knew it was easy, and didn’t do a damn thing about it.

Someone pointed out that, if Unix were 90% of the desktops out there, a lot more viruses would target those systems. This is disingenuous: more viruses would get written, but they’d never be this easy to write, they’d do far less damage, and they’d never happen a second time. Why? Because Unix systems are far more security conscious. In fairness to MS, unix security has been under development for a lot longer. That doesn’t excuse MS’s laissez-faire attitude to security, though.

But it’s still unilateral. Suppose I sell a car to you. A week later, I tell you that I’m going to take away the car if you don’t sign a document limiting my liability. I would think that you would laugh at me; once I sell something, I have no right to put further conditions on the sale.

Well, everyone has the opportunity to look at this website; it’s open to the public. It’s no more my fault if someone doesn’t find it than it’s MS’s fault if someone doesn’t see the license agreement hidden away in their computer.


Are you telling me that a company would refuse to buy a program if it doesn’t have, as a default, the ability to receive applications through e-mail which automatically send more e-mail? Let me ask you something: just how often is what the Love Bug did something which a user would actually want to happen? If no one actually wants to use something, it’s not functionality, it’s liability.

The problems that permitted the viruses weren’t obvious and well-known… they’re NOT PROBLEMS. They’re essential parts of the programming. If you were to take away a lot of these “problems” in software that prohibit viruses from working, the purpose for the software existing in the first place would vanish. That’s like saying (going back to the car analogy again) that, in a car accident a person gets stuck inside because the door crumples inward and traps him, the door is a flaw in the car’s design.

A virus works because someone sees malicious purpose in something that’s supposed to be a useful tool. If I were to murder a hundred people with a hammer, would Black & Decker be yelled at for not making their hammers out of materials too soft and weak to act as a murder weapon? Hell no. It’s ridiculous to assume that Microsoft will create a product that doesn’t do its job out of fear of viruses.

And with regards to Unix… its high levels of security probably contribute to the fact that it’s not on 90% of the computers on the planet. When a program is working behind such a solid brick wall, not many applications can get through. Windows is popular because it’s very malleable… it works quite well with a wide range of programs on the market, instead of “specializing” more with a smaller range of applications. Unfortunately, this multi-purpose nature of Windows happens to make it vulnerable when some attention-starved teenager in the Philippines wants to shmack the rest of the world upside the head.

That’s asking a lot from a computer, don’t you think? I think it would be better for you to say “I could easily tell the difference between etc. etc.” A computer can’t. Perhaps you’re thinking that a computer would be better off if all automatic functions were removed and everything done manually? Then you’d be back to punch-cards, my friend, and the computer would run VE-E-E-E-ERY slowly. Microsoft scandisk, Cybermedia Oilchange, and numerous other disk cleanup and doctoring programs automatically remove and re-organize files in order to get your computer to run better. There’s a large number of people who find automatic E-mailing to be very convenient; hence, it was included in the software. Just about ANYthing can be done to ANY computer by taking advantage of series of loopholes found in the system… loopholes that are necessary for vital programs to function.

I believe it’s time to point out that the last great Internet attack (which wasn’t a virus, but then neither was this one) was a UNIX-based one. The massive denial-of-service problems that caused temporary shutdowns of several of our major web sites were caused by malicious programs that crackers managed to insert onto many different Unix computers and then activate simultaneously to flood specific web sites.

This particular technique was fairly easy to set up on many Unix sites, but not on Windows-based systems. Why? Because it took advantage of a basic feature of Unix-based systems that isn’t available on Windows-based systems - a feature that opened those Unix systems up to security breaches.

That’s the problem with features - they often offer “features” to more folks than we’d originally anticipated.

Now you’re just getting silly. Stating liability terms as part of a sale and unilaterally declaring them a week later isn’t the same thing, and you know it. The license agreement we’re talking about is part of the original purchase.

Again, this comparison is just silly. This website is totally unrelated to your declaration, and there’s no reason why a vendor whose software you are contemplating purchasing would visit here as part of that purchase. Not only is the licensing agreement prominently displayed in the physical package that you’ve purchased to get a software vendor’s application, you’re often forced to read it (or at least claim that you’ve read it after it’s presented on your screen) during the actual installation process.

Microsoft in particular is often so paranoid about this that you can’t even click on the “Yes” button until after you’ve scrolled all the way to the bottom of their license text. Not only are you shown the agreement before the actual installation, you have to have at least physically seen it in full before you can proceed.

That’s exactly what I’m telling you. Haven’t you ever been part of a large organization making a purchasing decision before?

That’s the way decision grids work. An organization that needs to make a purchasing decision develops a list of features they want, then compares a list of alternative packages against that list of features in a grid. Although the features list usually starts out with only those items that the organization originally thought of on it, it typically gets larger as the organization notices new and exciting features that exist in each of the products it’s looking at (“hey, look - these folks have a preview panel. That’s a nice feature - let’s add it to our list”). The vendor with the most checkpoints wins - and the vendors’ marketing folks know it.

It’s not just corporations that act this way. Do we really use twelve cupholders in our new SUVs? No. Do we tend to purchase SUVs with twelve cupholders over SUVs with only ten? Yes.

It occurs to me that one could get the impression from reading my posts in this thread that I’m a fan of the current versions of the software licensing agreements that most vendors seem to be using these days. (The ones that say they’re not liable for anything, apparently including their product working as advertised.) I’m not.

I think the confusion here is that you think I’m suggesting those features be removed. I’m not. Those features are problems when they let the Love Bug happen. It’s not asking a lot from a computer to do the sort of things I’m suggesting. It could start with Outlook asking you “do you really want to run this executable file?” when you try to open a .exe or .vbs file. That in itself would’ve stopped a lot of people. Outlook could then ask the user for confirmation if an attachment it opens is going to perform certain tasks (and it already knows that the attachment is doing it, not you), like emailing others, changing the registry, or deleting files. For people’s convenience, they could go into the options, and switch off this sort of confirmation. But because people rarely change their default settings (demonstrated by studies), they probably wouldn’t, and would realize quite quickly that a love letter wouldn’t want to do this many things to their computer.

The whole problem here, which was demonstrated by Melissa, is Outlook running a viral program automatically and silently when an attachment is opened. Microsoft could’ve shipped a patch, and the next Outlook, with a few simple confirmations and checks that would’ve required a user to click several times to do everything the Love Bug wanted (as they did, minimally, with Excel and Outlook). 90% of the people receiving it probably would’ve figured something was wrong, and wouldn’t have clicked all the way through.

Its high level of security has nothing to do with its popularity. Windows is 90% of the desktop market because it’s much easier for non-computer professionals to use in general, and rode the wave of widespread computerization in the 80s and 90s. The security I’m talking about is all behind the scenes - user/group scope, things like that.

You’ve said this before, Spoofe - that unix “specializes” in certain areas. [rant edited out]. You seem to think that the unices are niche OSes, when they’re not. The core OS is much better developed, over a longer period, and when things like the Love Bug happen (like the Morris Worm), the problem is fixed, quickly and effectively. There was one Morris Worm, and no more.

I don’t see why MS can’t do the same things, at least for viruses we’ve already experienced.

As for the recent DDOS (Distributed Denial of Service) attacks, unix boxes were hacked; so were windows boxes on cable or DSL connections, and they took part in the attacks as well, running as zombies. It’s not the same problem. They were hacked, not infected. This is not typical of unix security, because it was universities that were hacked - they always have lousy security because they’re run by CS students coming and going in annual waves, with a massive, multi-user system with which they can’t keep up. No corporate unix systems were hacked for the DDOS attacks because corporations using unix secure them properly.

It’s worth a thread all its own, but you do not agree to everything in a shrink wrap licence by opening it up. A corporation can’t deny liability in its licence if it’s something the courts would normally determine that they are liable for, even if you use the software. This is standard contract law - you aren’t bound by a clause that’s not legal, even if you knowingly sign. It’s a standard piece of contract boilerplate that if any of the clauses are found to be invalid, it does not invalidate the whole contract; that clause is simply stricken from the agreement. To be clear about this: you sign a contract saying that if you breach the contract, you may be killed with impunity. You breach; you’re killed by goons. Whoever killed you is guilty of murder, because you can’t sign away your life.

It’s interesting because there’s an act being pushed by software vendors called UCITA, which would make that denial of liability permissible. Currently, a corporation that lost key information in the Love Bug attack could sue Microsoft for damages; no company has had great enough damages to go after MS (or Oracle, or Sun…). After UCITA passes, no. It’s passed in several states already, and software vendors are very anxious to have it because they know that their licence doesn’t protect them.

hansel, I must seriously disagree with you.

Outlook defaults to not automatically running any attachment to an e-mail. The problem is not in the software; it’s in the user. Anyone who decided to alter the security settings so as to save himself a couple of mouse clicks deserves everything that he gets.

(Incidentally, what are your (plural) settings? No idea? Use “Tools|Options|Security|Attachment Security” to find out).

As for people not clicking all the way through a stream of confirmation messages, this is not decidable without a good survey showing how stupid, ignorant, and/or lazy the average user is or isn’t. The installers, corporate and retail (they work for a corporation, but they aren’t installing the software for a corporation) have to get a certain amount of the blame, too. In fact, anyone who has ever said words to the effect of, “Downgrade the security settings on this machine” deserves part of the blame.

Your comments on university computers running UNIX are a case in point. Does UNIX have all sorts of nifty security features? Yep. Do the grad student hackers bother with them? Too often, nope (if I had a dollar for every open port at a university that’s been used as a “mule” by a spammer to send me junk e-mail, I might not be able to retire yet, but I’d be a lot closer than I am).

Asking that question would be seen as unnecessarily annoying by most people - after all, you double-click on an attached file specifically to run it. It would be kind of like having your car announce “driving is an inherently dangerous act - are you sure that you want to do this?” every time you turn on the ignition. Or perhaps wanting to hold your car company liable because it didn’t do this given that it’s technically feasible.

Also, your reply to “are you sure?” questions like this tend to get automatic fairly quickly. Have you ever automatically typed “yes” to a “del .” prompt only to realize a moment later that you were in the wrong directory? I certainly have.

(Unix systems, of course, don’t ask “are you sure?” questions when you do things like type “rm *” or attempt to launch (or delete) applications. I kind of prefer that, actually.)

Uhh, no it couldn’t. Once you’ve launched an attached file, it’s being run by the operating system, and what it’s doing is out of Outlook’s hands. And, as we’ve mentioned, asking whether to permit it every time an application wants to modify a registry entry would get pretty tedious (and your replies would get pretty automatic) very quickly.

Do you have a cite for that? I ask because that’s not what I remember reading, and I’m not aware of anything in the Windows platform that lets outside agents set up zombie tasks. Windows is just not oriented towards outside processes starting up tasks on a local machine - it’s always been a desktop system.

Again, this is not what I remember reading at the time. I remember reading newspaper articles that specifically mentioned local (to Philadelphia) corporations that inadvertently assisted in those DOS attacks because their Unix machines had been hacked into.

Remember, those waves of “CS students” don’t disappear - they become your local corporations’ technical support people in another year or two.

Good point.

…which, I agree, would not be a good thing.

Perhaps I wasn’t clear when I said that the problem with Outlook is that it automatically and silently executes attachments. You’re correct that it doesn’t automatically execute an attachment when the email is viewed. What Outlook does is allow you to execute a viral attachment in the same way that you would open an attached file to read: you double-click on it. Before a user realizes that she hasn’t opened something to read, all the viral code is executed. This is the flaw, and why Love Bug worked well - everyone thought they were opening a love letter, either a real one or some email joke. It would be trivial for Outlook in its default settings to distinguish between a data file and an executable file, and ask the user to confirm the executable.

It’s been demonstrated in studies that something like 90% of users never change the defaults. That being the case, it behooves MS to set reasonable security as the default; hell, it would be a selling point (“a secure environment right out of the box!”). I see confirming the execution of anything that will significantly affect your system as reasonable (how often do you have to click “next” when you’re installing software?). As Spoofe said, the programmers can’t foresee every eventuality; as I replied, they can foresee ones that have already occurred, like Melissa.

You mistake me if you think that I believe Microsoft owes everyone a refund or something because of the Love Bug. My reaction to this is that Microsoft doesn’t take security seriously, and as Love Bug demonstrated, that’s a big problem. You can have all the contempt for users you want; it doesn’t change the fact that MS knew Love Bug could happen, that it had happened before, and they’re the ones who made it possible.

If I was setting up a new system for our company instead of managing the current one, I wouldn’t choose Microsoft products. Love Bug is one of several reasons why (licencing fees and forced upgrades being two of the others).

Security sandboxes are a well established programming practice - it’s why a user on a unix system can’t trash the system, and why java applets are safe in your browser. Implementing the same thing for executables run from an email wouldn’t be difficult. That said, asking confirming questions when the app in the sandbox wants to change the system outside the sandbox would clue in almost all users that it’s not a love letter they’re seeing. If you were emailed a file that you wanted to install, you could run it outside the sandbox by saving it to your hard drive first; a trivial step, where it can then run with the user’s knowledge and full permissions on the system.

On the DDOS attacks, the perp hacked universities in California - that’s how the FBI tracked him or her that far. That was only one step in the process of launching the attacks, but it was apparently the easiest. As for a cite for the use of windows boxes as zombies, I’ll have to look it up. I know that, in principle, there’s no reason that a win32 box with a static IP couldn’t be used as a zombie: they can run persistent services (like personal web server), and as Love Bug shows, hacking a win32 box running win95/98 is trivial. Set the registry to start the zombie agent invisibly, and there it is.

This cite does not specifically implicate win32 platforms in the recent high-profile DDOS attacks, but it does list two trojans that turn win32 boxes into zombies.
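
The check proposed above in the thread, telling a runnable attachment from a data file and asking for confirmation before it opens, sketched as an added example (not code from any poster or from Outlook). The extension lists, the function names and the constructed sample message are assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions that Windows runs directly or
# hands to a script host; a real deployment would maintain its own list.
RUNNABLE = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
            ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions users read as "just a document"; used only to spot disguises.
DOCUMENT_LIKE = {".txt", ".doc", ".xls", ".jpg", ".gif", ".pdf"}


def classify(filename):
    """Return (action, reason); action is 'open' or 'confirm'."""
    if not filename:
        return "confirm", "attachment has no filename"
    # Windows ignores trailing dots and spaces when resolving the file type,
    # so strip them before looking at the extension.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if not ext and stem.startswith("."):
        ext = stem  # a bare ".vbs" has no stem; treat it as the extension
    if ext not in RUNNABLE:
        return "open", "treated as data (%s)" % (ext or "no extension")
    # "letter.txt.vbs" shows as "letter.txt" when known extensions are hidden.
    inner = os.path.splitext(stem)[1]
    if inner in DOCUMENT_LIKE:
        return "confirm", "runnable %s disguised as %s" % (ext, inner)
    return "confirm", "runnable %s" % ext


def triage(raw_bytes):
    """Parse a raw message and return (filename, action, reason) per attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename(),) + classify(part.get_filename())
            for part in msg.iter_attachments()]


def build_sample():
    """Constructed sample message with three attachments (placeholder bodies)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("See attached.")
    for name in ("quarterly-report.doc", "LETTER.TXT.vbs", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, action, reason in triage(build_sample()):
        print("%-22s %-8s %s" % (filename, action, reason))
```

The decision is made on the name as the operating system will resolve it, not as the mail client displays it, which is why the double-extension case gets its own reason string.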

Yes, I certainly do know it. But that’s not what we’re talking about.

No it's not. If you go into a store to buy software, will the clerk not let you have the software until you sign an agreement? Of course not. Once you walk out of the store and you have the software and the store has your money, the sale is over.

If any agreement appears during the installation process, then that’s clearly after the sale, and not part of the original purchase. Suppose after you bought the car, you discovered that you couldn’t start the car unless you agree to limit the manufacturer’s liability. You’ve already paid for the car; the sale is over. What right does the manufacturer have to prevent you from using something that you’ve already paid for?

And all of this is irrelevant to the Outlook situation anyway because there is no separate sale of Outlook; it’s a part of the hardware purchase.

Then your beef is clearly with CompUSA or Fry’s Electronics (or whatever), not with Microsoft. Microsoft sells their product to vendors, who sign the license agreement that authorizes them to sell it. The license agreement that YOU have with Microsoft is one that you agree to upon INSTALLING the software. The problem is, nobody ever reads those things.

Hansel…

I wish I could say that you’re right. I really do. But your advice and comments assume that the general populace knows what they’re doing when using a computer, and they really don’t. Microsoft’s default installation settings are geared towards the lowest common denominator in terms of computer savvy (which, unfortunately, is REALLY low). Apparently, they found that the default settings should be set the way they are. Which is why, in some ways, UNIX is a better OS than Windows, since it requires its users to know what they’re doing. My whole stance is that UNIX isn’t as marketable.

Perhaps there should be some sort of test of computer skill before people buy software… if they’re not skilled enough to use it, too bad for them. You may think I’m joking, but I’m really not… stupid people get themselves into stupid situations and blame someone else for it. HOWEVER… I do agree that Microsoft doesn’t take its security seriously enough. They mass-produce a product as quickly as possible to rake in the dough.

Just out of curiosity… how many people out there actually use MS Outlook? I sure don’t.

You’re making my point for me, Spoofe: the lowest common denominator is pretty low in terms of computer knowledge. That’s why they don’t know that you shouldn’t open every attachment, and why most can’t tell the difference between an attachment that’s safe to open, and one that’s not. That’s why taking reasonable steps to close likely exploits in a program like Outlook is important. My point isn’t that the average user can effectively judge whether or not to click “OK” on a dialogue box asking permission to delete files; my point is that the average user is going to get some idea that they’re not opening a love letter when the computer is asking “are you sure you want to delete those files?”, and probably hit “cancel”. That’s what the people at my company do, and then check with one of the IS people; we’ve warned the users often enough about viruses that they call us the minute things get weird.

I don’t know why you believe that MS knows what the default setting should be, in terms of research, or evidence that the current defaults are somehow best. Think about the billions they lost trying to break into the media game with the Sidewalk websites. They’re a corporation like any other; they can be as clueless as any other.

Only recently has Linux become marketable as a desktop solution. If I were building our computer network from scratch, I could have Red Hat 6.0 running KDE desktop in front of everyone, and no one would know enough about computers to feel like they weren’t getting the normal computing environment. Once they were as comfortable with it as they are now with windows, I doubt they’d think their system was deficient compared to what’s on the computers at their brother-in-law’s company.

Unix was never a player in the marketplace that put MS on top; it was Mac vs. MS, and Mac lost. But the unices are still dominant as far as special applications and servers go, and that’s unlikely to change soon (every time I get into one of these threads, I wish I had the statistics for worldwide computer OS breakdown. Talk about MS owning the desktop ignores a huge portion of the machines out there doing far more important work than running Minesweeper. If anyone can supply them, I’d be grateful).

At my company, everyone. It’s what the IS department installs, and no one knows about alternatives like Eudora, and no one really cares. They’ve got email; that’s what matters. I’m guessing, but I believe that corporate environments like mine are the most fertile ground for Love Bugs, not individual users at home.

Is MS Outlook designed for businesses? If it was, that’d explain the lax security default settings… I think it’d be a safe assumption for Microsoft developers to think that professional, college-educated businessmen would be capable of setting their own software security levels.

The average user doesn’t want to be working through confirmation windows, the average user wants the computer to do everything for them. You’re asking for features that look good on paper, but in practice would be really annoying to consumers, and if your product is annoying, nobody wants your product, and you lose money.

And don’t bring up the fact that a virus is a lot more annoying than clicking “okay” a bunch of times because I KNOW that. But when there’s not a virus running around, the average user doesn’t think “boy, I’m glad this program is designed to prevent my computer from being infected with a virus”, he/she is thinking “man, I HATE having to press ‘okay’ all the time! This is SO inconvenient! I’m going to get a different program!”

Not true, Microsoft targets and markets its products directly at new users with ‘innovations’ like easy to use GUI, Wizards, and doing its best to muscle competing (better) products out of the market.

Outlook/Exchange is business software and Outlook Express is residential software, that’s why it’s free. A product like OE in any other industry would have been eliminated and replaced with a more secure one way before Melissa struck let alone its .vbs twin ILOVEYOU.

MS’s abusive monopolistic position gives them a very unfair advantage over products which are secure or at least default to secure settings. I’ve worked with many college educated and non-college educated businessmen as you put it and neither know anything about scripting languages or security settings. Heck most IT managers approve of the MS solution and you can see where that got them.

I can see a real class-action suit against those who were sold unsecure software, which runs scripts in preview panels (man that’s stupid), under pretenses of false advertising and under the yoke of an abusive monopoly.

This simply isn’t true. Unix and its variants don’t allow root access unless you’re logged in as root. That means no installing programs, deleting anything out of your allocated disk space, no access to system files …etc. Win 3.11/95/98 have you always logged in as ‘root,’ that’s why you can run a simple 1 line .bat file that can erase your entire drive. Your kids can run it, your cat could if she stepped on the right keys. I’m not saying it’s impossible to secure root on a Unix box, but it’s a hell of a lot more difficult to do than copying some virus onto an attachment file.

On top of that Windows and MS network software comes with all sorts of unsecure settings and very dangerous scripting languages built right in. Add in their unfair abusive monopolistic position and you’ve got a recipe for disaster. Well, make that many disasters.

You might be making a point with the Mac comparison, but Mac software doesn’t attach unsecure scripting languages to its applications, if you ignore IE, and there’s a strong belief in some circles that Macs are more secure than NT or Unix because it doesn’t have a command line interface to hack. Not to mention MacOS and applications have to compete on a real market without the perks of being a monopoly which helps to produce stable and secure software.

Okay, okay, there’s a lot of ideas out there about how Microsoft could have prevented the Lovebug from getting through. If it were so “easy”, I think that these security features would have been implemented. Since they so obviously haven’t been implemented, I’d imagine that it’s not as simple as a lot of people have made it out to be.

Of course, all this speculation still leaves us with the question… is Microsoft responsible for some punk kid creating a virus and sending it around? My answer: Of course not.