Well Eudora, Netscape Mailer, and any other non-MS mailers do just fine. Security really is “easy” when you choose to make a secure product instead of busily trying to maximize your profits in a consequence-free monopolistic market. Non-MS software is usually more secure because they have to work under the yoke of normal market forces. MS doesn’t and every OE user is going to, if not already, suffer.
The question of responsibility isn’t cut and dry like that. There’s liability, there can be many liable parties. MS is definitely one of them and consumers have a strong case against them since Judge Jackson’s verdict.
C’mon, Spoofe, you’re sticking your head in the sand now. “It hasn’t been done, so it must not be easy to do it” is pretty faulty logic. It’s not just that it’s doable, it’s something that lots of people have pointed out repeatedly in the media; MS still does nothing about it, while others have already avoided the problem. That says one thing: MS doesn’t care to fix it. That’s why they’re responsible. Not 100% responsible, and not responsible in the way the kid who wrote/released the virus is. They’re as responsible as a bank that leaves the cash lying around the lobby: they didn’t tell anyone to steal some, but if they get robbed, it’s their own damn fault.
IMO, this is a poor analogy. Besides the obvious fact that you are comparing deaths to email, with the LoveBug you have an additional factor – malicious intent. Outlook doesn’t explode with a virus if you accidentally install it wrong, the virus is a direct result of someone with somewhat evil intentions. A more correct comparison would be if someone made a car bomb out of it. Perhaps this wouldn’t be as easy to do if the car were powered by electricity instead of gasoline, but it still wouldn’t be Ford’s fault.
Look at it another way – that same car can be used to break the law by driving in excess of 100 mph. Clearly this is illegal, yet the car is operating exactly as designed. GM could limit each automobile so this speed would be unattainable, but they don’t. Try blaming them in court when you get your next speeding ticket.
You would think so, but guess what – Outlook already does this. By default, when a user double-clicks the attachment, a dialog box opens that warns of a possible virus, tells the user only to run files from someone they trust, and asks if they really do want to run it. And probably 99% of the people affected by this virus did not change the default setting, they simply clicked “Ok” when confronted with the warning.
Creating conditions that make it easier to commit a crime does not make one responsible for the crime, assuming that was not the sole purpose whenever those conditions were created. GM makes it easy to speed, Smith and Wesson manufacture weapons used to commit murder, and HP produces printers used in counterfeiting. Yet I doubt anyone will blame them when their products are used in criminal activities.
It’s not my own damn fault if someone breaks into my home and steals money from me, regardless of where I stored it. I can have expensive gifts under a tree in my living room and bright blinking lights outside my home indicating that fact, but it still wouldn’t be my fault if the gifts were stolen. This type of logic is similar to blaming the rape victim because her dress is too short.
As I noted above, the program wasn’t run “automatically and silently”, it required user interaction. Outlook doesn’t run the program – the OS does. Outlook simply passed the file to the OS when the user double-clicked it, then confirmed they did wish to execute the file. Melissa ran differently, as part of a macro in Word, but even it required the user to answer Yes to a dialog box about enabling macros.
If you want to blame someone, I think it would make more sense to blame the antivirus vendors. Their products run at the OS level explicitly to stop this sort of thing. Strangely enough, this is a function that is crying out to be absorbed into the OS, yet MS has thus far stayed away from this industry. And if the DOJ gets their way, MS will have an extremely difficult time integrating this functionality into the OS.
What “obvious exploit” are you talking about? The ability to execute programs if the user so desires? How many more dialog boxes would you deem acceptable before allowing the user to continue? One? Ten? Certainly we could erect more barriers to program execution, but at some point you no longer have a functional computer system.
When discussing the DDOS (Distributed Denial of Service) attacks and the Unix servers you stated:
which totally misses the point. Besides, being hacked is usually worse than being infected by a virus. You went on to say
This report seems to indicate that corporate unix boxes were compromised as well. The point I’m trying to make is no system is immune from security breaches. Novice users and sysadmins will tend not to keep up with the latest security patches and procedures on a unix system, just as with Windows. But in no way are the sysadmins of those platforms responsible for the DDOS attacks. Neither are unix programmers, Sun, or the computer hardware manufacturers. You could almost make a case for the hackers that created the tools for executing the DDOS being somewhat responsible, but even they didn’t do anything illegal or immoral. Only the perps are at fault for the attacks, just as with the LoveBug.
Hardcore, even MS isn’t standing by their product anymore, because of the issues raised in posts like mine MS is now offering an Outlook security update. Some interesting strategies here, like different security settings for .exe, .vbs, etc… Also defaulting to putting all email attachments into ‘restricted’ zones and disabling ActiveX controls.
If you pro-MS people are right then why is MS doing exactly what so many of its critics have been telling it to do? Sorry, MS was wrong, defending monopolistic practices and unsecure software is simply stupid.
More here:
Horselover, it’s VERY easy for you to criticize Microsoft AFTER the Lovebug breaks out… how come you weren’t criticizing these security features BEFORE the bug got around? The way I see it, it’s YOUR fault that so much money was lost due to this virus. You should have anticipated it coming and complained about it beforehand.
Hehe, okay I’ll bite. How well do you know me? If you did you’d be well informed about MS software. Maybe you mean on this forum, well I’ve only been here for a short while (look to the left you’ll see my registration) so I can’t exactly hop in a time machine.
You can also find some posts of mine when Melissa came out on slashdot.org (read it if you really want to stay on-top of tech issues) and USENET. Sorry I value my anonymity, so I won’t give out my username.
For the record, I stopped using OE when Melissa struck and started using NS after the 100th ActiveX hole in IE. When I do use IE, ActiveX is off. I’ve also removed ports 137-139 on my Windows machine and am running a firewall on top of that. All commercial spyware has been found and removed.
Well you did want to hear about me.
Err, blaming me for not coming to your house and deleting your copy of OE isn’t exactly the same as MS not sending its users warnings or updates (until today after MUCH damage was done) as I’m not a vendor and not responsible for the software. Anyways it was all public knowledge, if you choose to stop being ignorant there is much information just waiting for you to scoop up.
Horselover, you’re missing the point. There’s only so much that Microsoft should be expected to anticipate. Until a virus rolls around, NOBODY has ANY idea that it’d be coming. And don’t point to Melissa and say “See? See?!?” 'cuz Hardcore’s already shown that there’s significant difference between the two viruses.
There’d be reason to yell at Microsoft if they didn’t provide any updates for the Lovebug. Apparently, they did.
This is the argument that I’m getting from you here… Microsoft didn’t anticipate the Lovebug, and therefore is liable for all its damages. I can come up with analogies up the yin-yang to show the flaws in that reasoning.
If MS offers a patch to change Outlook, that doesn’t imply anything about their stance concerning their product. Nor does it mean they are responsible for malicious actions by others. Using your logic, car manufacturers would be liable for all injuries prior to the installation of airbags. Or perhaps more appropriately, all car thefts prior to anti-theft devices.
Now you are just exhibiting a bias. The security of the software didn’t matter in this case, as everyone who executed the program explicitly wanted to do so. If there had been an extra step (or 2, or 3, etc.) 95% of them simply would have taken these actions to see what was in the file. I haven’t a clue how “monopolistic practices” could have affected the situation.
In fact, creating the conditions under which a crime is easier to commit is itself a crime, under the name of “criminal negligence” or something like that. The crime involves gross or deliberate negligence that contributes to the crime. By analogy, if I leave a firearm sitting unsupervised on my front lawn where the neighbour’s kids can reach it, and little Timmy blows little Sally’s head off with it, I’m guilty of criminal negligence just because, if the gun weren’t left out on the lawn, little Sally would be alive today.
Guns are an interesting comparison here, considering the civil case in New York state last year where a jury found several gun manufacturers liable for damages related to gun deaths, because the plaintiffs demonstrated in court that the manufacturer’s practice of flooding states like Louisiana (with weak gun laws) led directly to a market for cheap, illegal firearms in states like New York (with stricter gun laws), along with the deaths that resulted from that market. The gun manufacturers knew that they were contributing to that market, and sold the guns anyway.
If this is relating to the bank analogy, then no, it’s not your fault if someone breaks in. But common sense says that if you leave a stack of bills on your front lawn overnight, within arm’s reach of the sidewalk, then it’s your own fault if it’s not there in the morning.
You’re correct that Outlook requires one click to execute files; I didn’t remember this because I never open executable attachments.
What Melissa and LoveBug had in common (thus making Melissa a fair warning about the possibility of LoveBug) is that Melissa used visual basic script to propagate by emailing copies of itself to everyone in your contact list. This is exactly how LoveBug replicated. When Melissa happened, everyone pointed out what a huge security problem this ‘feature’ was (not word macros as a security flaw, but that visual basic had too much unfettered access to the underlying OS). MS did nothing about it, and a year later we have LoveBug.
Spoofe, please stop arguing that MS programmers can’t foresee every possible problem with a virus; I’m not suggesting they can. If the fact that their platform gave rise to a whole new family of viruses didn’t tell them that they should consider the security aspects of it, then Melissa should have at least told them that visual basic script shouldn’t be allowed to access the contact list, at least not silently. Again, a security sandbox for Outlook attachments would be a better solution, but since security isn’t MS’s priority, I won’t hold my breath.
The “obvious exploit” is the one that Microsoft is fixing with their patch, which seems to me sufficient to prevent another virus of this kind. I agree that they’re not changing their stance; they’re acknowledging something they should have acknowledged at least a year ago, and would have fixed in the first place if they’d thought about it for a bit. There are plenty of free resources on the Internet dealing with computer security and viruses.
Perhaps you think I’m excusing the virus authors from responsibility; I’m not. They are certainly responsible for the damage. They are not solely responsible, though.
Then one of the arguments involved here is whether or not Microsoft is guilty of gross or deliberate negligence. Since I think it’s a safe bet that Microsoft didn’t want its customers to be infected with a virus, the latter can be ignored. Gross negligence? I don’t see that in the product. From what’s been determined in this thread, the Lovebug took advantage of existing pathways that are meant to run programs.
Since we seem to love analogies (don’t get me wrong, I love 'em too), here’s my own: Say someone robs a bank with a Smith & Wesson handgun. They get away in a Ford Taurus, and drive down an access road to their hideout. By the above logic, we can conclude that the parties at blame would be Smith & Wesson, Ford, and the city that put a street exactly where it’s convenient for bank robbers to use it.
Microsoft would be guilty of negligence if they didn’t release a patch after the advent of the Lovebug. No matter what protective measures are taken, there comes a point where it becomes cost-prohibitive. If Microsoft were to make a product that wasn’t vulnerable to any type of virus, it would be very difficult to make, very inconvenient to use, and would ultimately be a pipe-dream.
I think all the victims of the Lovebug should just take their licks and move on… after all, that’s all that can really be done.
Go back and reread my last post, Spoofe. Specifically, the part where I mention that the ‘existing pathways’ exploited by LoveBug had already been exploited before, by Melissa and its clones, and that after Melissa, MS was crucified in the press for those ‘existing pathways’. That they didn’t fix them is negligent.
“Deliberate negligence” doesn’t mean they intended their customers to get the virus. It means they knew about the conditions that contributed and deliberately ignored them. Once again, negligent.
Again, I find this to be a very poor analogy. Guns exist only to cause damage and kill, so it stands to reason that our laws concerning them would be much stricter than any operating system or email client. Leaving a loaded gun on the lawn in no way compares to providing a platform to execute programs.
Even trying to use your analogy, you keep leaving out the malicious intent of the virus writer. The programs didn’t explode naturally in some child’s hand because Microsoft left them lying around – an evil third party fabricated something nasty out of the provided parts and then mailed it to everyone with a sign on it saying “I Love You - Push my button”.
A better analogy to try would be something concerning cars. They exist for many purposes other than injury and death, so you don’t get sued for trying to flood the market with them. If I use my car to crash through your bedroom wall tonight, you can’t sue Toyota for making it easy.
Yet I leave my car (equivalent to a stack of bills) within arm’s reach of the sidewalk every night. If it is not there tomorrow, you can bet I will call the police and try to have someone charged with stealing it. I doubt the police will try to blame me.
Outlook actually requires a double-click to initiate the attachment, then a third click in a dialog box confirming that you realize this attachment may have a virus, but you wish to execute it anyway.
Melissa used VBA (visual basic for applications) hosted by Word, while the LoveBug used vb scripting hosted by the OS. Not an important distinction, but it is different.
I keep hearing this, yet it still makes no sense. Even if there was no VBA or vb scripting, the virus writer simply would have taken one more simple step – he would have compiled the program. If you think this somehow would have been an insurmountable obstacle for the virus writer and would have deterred him from releasing it, well then I guess your point would be valid. I find this to be an irrelevant point.
Microsoft is crippling the program by preventing the download of executable files through Outlook. To me, this is not a desirable quality, and will likely result in users migrating to a different email client that does allow this functionality. There are far too many “dancing baby” type files that users enjoy sending to one another for me to see everyone giving up this ability. Corporate users will probably have no choice.
IMO, the virus authors are solely responsible. Using your logic would create a chain of culpability from Microsoft, to Intel, to the Phone Company, to the ISP, etc.
First, Microsoft is not crippling Outlook. You can receive executable files. You can’t open them while they’re an attachment. You can save them to your hard drive and run them; you can’t execute them from the email.
As for my use of guns for the purposes of analogy, I’m not comparing viruses to firearms. They’re a useful subject to illustrate my continued point, which is about negligence: specifically, the point that MS refused to put in place reasonable measures to prevent foreseeable problems about which they were continually attacked in the press by computer users and programmers that would have prevented the spread of LoveBug. That LoveBug could happen was as obvious to MS as it is obvious to us that if MS did nothing about LoveBug, then the next LoveBug would soon be coming.
I have yet to detect an appreciable difference between VBA and Visual Basic, even though I program in both. I suspect that the difference in names is a marketing strategy and nothing more.
The virus writer could have compiled it; he could have written the virus to operate completely independently of Outlook. The difference between what LoveBug is and what it could be is that the compiled, Outlook independent version would be much more difficult to write, and would probably be less reliable. Microsoft’s responsibility lies in the fact that they made it easy for the author to write the virus and for the virus to replicate. To refer to my gun analogy, I’m at fault when Timmy kills Sally with my gun because I left it unsupervised in a place where Timmy could easily find and misuse it. If Timmy broke into my basement, broke the lock on my gun cabinet, stole the gun and loaded it, then I would not be responsible since I took reasonable precautions to prevent anyone using one of my guns.
The chain of culpability Hardcore claims I’m creating stops at the point where it’s no longer reasonable for a causal contribution to the process to be foreseen and prevented. Intel could not foresee LoveBug being a direct result of their chips. Microsoft could foresee LoveBug because of Melissa, and because many people have consistently written on the security problems of their platform, specifically related to visual basic and the integration of their office apps and mail client.
This is not what Microsoft is reporting. They claim they will remove the ability to download executable files through the email client. You will need a different method to exchange executable files in the future. I would definitely classify this as crippling the program.
Making a computer easy to use and program does not make one responsible for the damage someone does with it. Once again, using your logic, I could sue Toyota for making it easy for someone to drive one of their cars through my bedroom wall. Or making it easy to break the law by speeding. Why do you only wish to apply this type of logic to Microsoft?
Well, if you call copying the code into the VB IDE, then selecting Make Exe difficult, then yeah. Might have to add a reference or two, but it would take all of 5 minutes to complete. How it would be any less reliable, I haven’t a clue.
I can’t begin to tell you how offensive I find this analogy. I have repeatedly tried to dislodge you from it, yet you persist. Comparing guns to an email client is ludicrous to begin with and insulting to me, particularly since I recently lost a family member to a self-inflicted gunshot. I think I am starting to understand how Jewish people feel when someone makes a stupid comparison to Hitler.
Please try to understand it one more time. It is not illegal for you to leave fertilizer within easy reach of Timmy, just like an email client or an operating system. Yet if Timmy were to make a bomb from the fertilizer by pouring gas on it and igniting it, you still would not be negligent. Those materials are rightly used to fertilize your lawn and cut your grass. And here we would be talking about actual destruction of property and injuries, not a simple “lost time” estimated monetary value.
Many people have also written many articles singing Microsoft’s praises for their integration and ease-of-use issues. If you don’t think Intel has known for a long time that viruses can be executed on their chips, well… sure. I think you are being quite naive and unreasonably biased. ISPs know that it is easy to use their connections to distribute viruses, hate mail, obscenity, etc. In no way does any of this make them responsible.
I agree with Hardcore that the gun analogy is really frail. Are you comparing the gun to the virus? A better analogy would be this: You’re Microsoft, little Timmy is the customer, the window to your living room is Outlook (or, the application in Outlook that made the Lovebug possible), and the virus is the intruder that smashes through your window and shoots Timmy in the head (by the way, Hardcore, I’m sorry to hear about your loss, and doubly sorry to continue dragging this out). Anyway, would you be considered negligent because you didn’t put bars over your window? Of course not.
Are you comparing the gun to Outlook? Again, I don’t see how this is feasible, since Outlook itself does nothing destructive on its own, and a gun exists solely to project a bullet at very very high speeds.
I think it’s also been demonstrated that Melissa is NOT (I repeat, NOT NOT NOT) the same as the Lovebug. That’s like saying beer is the same as wine. They’re similar, they work in similar ways, they do similar things, and they attack with similar styles, but they’re different enough so as Microsoft couldn’t have foreseen the coming of the Lovebug. Unless they have clairvoyants in the higher council, which can be dispelled by the notion that these seers would have noted the coming Justice Dept. inquiry.