Kuro5hin.org: technology and culture, from the trenches
Microsoft blames Love Bug on users and DOJ

By Anonymous Zero in News
Mon May 08, 2000 at 05:38:10 PM EST
Tags: Security (all tags)

In this column, Boston Globe tech columnist Hiawatha Bray asks Microsoft spokesman Adam Sohn why Microsoft's Outlook client still has the scripting features that were exploited by the Melissa virus to silently email copies of itself to everyone in an Outlook address book... Sohn instead described his idea of how companies could improve the security of Outlook. "They should commence by beating their employees," Sohn declared. He chuckled to signify that he was kidding [but] was dead serious about Microsoft's utter lack of responsibility for the Love Bug fiasco. Instead, he blamed the silly computer users who go opening e-mail attachments. "People shouldn't open them," said Sohn. "That's the problem." Also today Bill Gates has a column in Time magazine where he states "The DOJ scheme also effectively imposes a ban of up to 10 years on the addition of any significant new end-user features to Windows... Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain."


Gates also urges you to think about the children with this plea: The DOJ scheme permanently prohibits any further improvements to the Internet software in Windows. It would mean no improvements in browser technology and no support for new standards or technologies that would otherwise have helped protect your privacy or the safety of your children online. So please people, think about the children.

Microsoft blames Love Bug on users and DOJ | 41 comments (41 topical, 0 editorial, 0 hidden)
Whoops! This post tripped my MS/MP... (none / 0) (#12)
by Neolith on Mon May 08, 2000 at 01:18:44 PM EST

Neolith voted -1 on this story.

Whoops! This post tripped my MS/MP3 filter...

Like the article. It especially br... (3.00 / 1) (#11)
by gandalf_grey on Mon May 08, 2000 at 01:23:23 PM EST

gandalf_grey voted 1 on this story.

Like the article. It especially brings to light Gates's propaganda regarding "save the children". Pandering to the fears of parents everywhere. Come on. Let's get real here. They've basically given their email client the ability to run any software automatically. They are at fault. The "LOVE BUG" could have been written by a 10-year-old. It's not very complex. It was only a matter of time before somebody did this, and someone will do it again in the near future. Had the code actually been complex, and did its deed a little more quietly, it might have been a whole lot worse. Let's consider this one the warning... and a tiny bit of user education.

This is silly. Is this real? Think... (none / 0) (#13)
by charsplat on Mon May 08, 2000 at 01:27:15 PM EST

charsplat voted -1 on this story.

This is silly. Is this real? Think of the children? and beat the users?

No, it couldn't be because a simple... (none / 0) (#7)
by Zarniwoop on Mon May 08, 2000 at 01:39:34 PM EST

Zarniwoop voted 1 on this story.

No, it couldn't be because a simple lack of security in the clients, or in the operating system! Seriously, WHY should vbscript capabilities be built into outlook and word by default? Just a bad idea. Of course, us unix users can keep laughing, for now...

Well, this will start a round of MS... (none / 0) (#17)
by slycer on Mon May 08, 2000 at 01:44:09 PM EST

slycer voted 1 on this story.

Well, this will start a round of MS bashing, but that's always fun.
I can't believe that Bill's comments are being taken seriously. How will being split into 2 companies prevent anti-virus work from happening? Besides that, Microsoft says they are not responsible.. then they say that they are the only people that can make the system less susceptible? Does anyone else see the double standard in the 2 comments?

*Sob* Gosh, I feel so sorry for Poo... (2.00 / 1) (#19)
by Saint Zero on Mon May 08, 2000 at 01:56:27 PM EST

Saint Zero voted -1 on this story.

*Sob* Gosh, I feel so sorry for Poor Ole Bill and his Little company. FUD, pure and simple. Would be fun to rip to shreds, if I cared.
---------- Patron Saint of Nothing, really.

God, no. ... (none / 0) (#6)
by error 404 on Mon May 08, 2000 at 01:56:57 PM EST

error 404 voted -1 on this story.

God, no.

Make it stop.

Aaaaaargh......


..................................
Electrical banana is bound to be the very next phase
- Donovan

brilliant...just brilliant...they s... (none / 0) (#2)
by Emacs on Mon May 08, 2000 at 02:15:10 PM EST

Emacs voted 0 on this story.

brilliant...just brilliant...they stand behind the spin doctors and repeat their mantras... a real textbook example on how to market a company... just brilliant..deny deny deny.. then go to the un-educated public and try to spread fear with the "This will hurt your children" ... just friggin brilliant..

+1 for the love bug story, and +1 f... (none / 0) (#21)
by genehack on Mon May 08, 2000 at 02:18:20 PM EST

genehack voted 1 on this story.

+1 for the love bug story, and +1 for the story about the new column from Satan^WGates.

-1 for combining them into one item.

Can't bring myself to care about an... (none / 0) (#1)
by Demona on Mon May 08, 2000 at 02:29:05 PM EST

Demona voted 0 on this story.

Can't bring myself to care about anything Microsoftian.

I'm really of two minds on the whol... (none / 0) (#18)
by Wodin on Mon May 08, 2000 at 02:33:00 PM EST

Wodin voted 1 on this story.

I'm really of two minds on the whole idea of non-responsibility. Windows is blameless to a certain extent, in that none of their actions were technically responsible for this. They created a powerful tool for use with Windows, and someone abused that tool. I really felt that they were at fault until I realized that I could create a perl script that would do most of what this did, and it would probably be easier for me to do it. The only trick would be getting the users to run it, which is a problem of social engineering, not the software itself. However, the extent to which the system is built into the OS is fairly scary, and Microsoft is definitely responsible for that. Integration is a double-edged sword. Whenever I hear people talking about it, I think of Spiderman -- "With great power comes great responsibility." Live with it, and educate the users is Microsoft's stance. I suppose the alternative would be sacrificing some of the power of VBasic to close the security holes, which is fine with me, but might cause problems overall.

Won't anybody think of the children... (4.00 / 1) (#4)
by skim123 on Mon May 08, 2000 at 02:56:35 PM EST

skim123 voted 1 on this story.

Won't anybody think of the children?

I had a long discussion with a friend of mine on this issue, who's to blame for the "I Love You" worm? I argued MS was not to blame, arguing that blaming Microsoft for this was like blaming the gun industry for gun-related deaths.

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum


Re: Won't anybody think of the children... (3.00 / 1) (#30)
by adamsc on Mon May 08, 2000 at 09:21:17 PM EST

I'd agree that is fundamentally another "Dumb Luser Screws Up System" problem, with the exception that there's one big interface botch that Microsoft made: file extension hiding is just plain wrong. To be more Mac-like, they chose to have the default option to hide the extension rather than doing file-type detection the right way. While there are many drawbacks to this approach, the largest is that it lets things like "virus.txt.vbs" look like "virus.txt" to the user. Telling people not to double-click on .vbs files is useless, because most users will never see the .vbs!

I've also heard that Outlook's preview pane makes it a little too easy to open attachments. Since I gave up on Outlook rather quickly, I can't verify if this is true but it seems plausible. Ideally there'd be some way of sandboxing untrusted code, perhaps similar to the way JavaScript requires signed scripts for potentially dangerous functions, regardless of where it comes from.

[ Parent ]
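
Added example (not part of the thread and not any commenter's code): a mail-gateway style check for the display problem described in the comment above, where hiding extensions makes "virus.txt.vbs" look like "virus.txt". The extension lists, function names and the sample message are constructed for illustration.

```python
import email
import re
from collections import namedtuple
from email import policy
from email.message import EmailMessage

# Assumed lists for this example only; tune them for a real gateway.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".exe", ".scr", ".bat", ".cmd", ".pif"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".xls", ".mp3"}
# Assumption: every extension above is a registered type, so the shell hides it.
KNOWN_EXTS = SCRIPT_EXTS | DECOY_EXTS

Finding = namedtuple("Finding", "shown_as real_ext verdict")


def classify(filename):
    """Return what the user would see, the real extension, and a verdict."""
    # Drop any path and the trailing dots/spaces that Windows ignores.
    base = re.split(r"[\\/]", filename or "")[-1].rstrip(" .")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return Finding(base, "", "ok")
    ext = "." + ext.lower()
    inner = "." + stem.rpartition(".")[2].lower() if "." in stem else ""
    shown = stem if (ext in KNOWN_EXTS and stem) else base
    if ext in SCRIPT_EXTS and inner in DECOY_EXTS:
        verdict = "block"   # executable type dressed up as a document
    elif ext in SCRIPT_EXTS:
        verdict = "warn"    # plainly a script, still worth flagging
    else:
        verdict = "ok"
    return Finding(shown, ext, verdict)


def scan_message(raw):
    """Classify every attachment of a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify(part.get_filename())
            for part in msg.iter_attachments()}


def build_sample():
    """Constructed message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("virus.txt.vbs", "notes.txt", "macro.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, finding in scan_message(build_sample()).items():
        print(f"{name!r}: user sees {finding.shown_as!r} -> {finding.verdict}")
```
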

The Preview Pane (none / 0) (#34)
by pwhysall on Tue May 09, 2000 at 06:33:52 AM EST

Well, it all depends. As usual.

If you have an email from someone that's in HTML or plain text format, the fact that an attachment is present is indicated by a paperclip button in the far right of the header part of the preview pane.

However, if the message has arrived in rich text or Word format, the attachments will be right there in the message, as icons.

As for signing scripts and controls, this is a complete waste of time, as was demonstrated a year or two ago by the developer who obtained a legitimate certificate for an ActiveX control that was malicious.

All Microsoft said was "He shouldn't have done that!".
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

Re: The Preview Pane (none / 0) (#41)
by adamsc on Wed May 10, 2000 at 08:01:07 PM EST

    As for signing scripts and controls, this is a complete waste of time, as was demonstrated a year or two ago by the developer who obtained a legitimate certificate for an ActiveX control that was malicious.

I meant using some sort of cryptographic signature to verify trusted scripts on the local system. This signing would be done locally instead of by the developer. Unsigned scripts would execute with the least privileges; signed scripts could be given certain privileges by the user or an admin. This would allow people to use useful functionality without automatically giving a virus author the same capabilities.

That said, anyone want to take bets that some user would still click the "Give Permission" button? Obviously businesses would want some way to prevent John Q User from being able to do this.

[ Parent ]
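
Added example (not part of the thread and not any commenter's code): a sketch of the local-signing scheme described in the comment above, assuming an HMAC-SHA256 tag made with a machine-local key stands in for the "signature". The capability names, class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical capability names for this example.
GRANTABLE = frozenset({"read_address_book", "send_mail", "write_files"})
LEAST_PRIVILEGE = frozenset()   # what an unsigned or altered script gets


class LocalSigner:
    """Binds a script's exact bytes to a privilege set with a local key."""

    def __init__(self, key=None, allow_user_grants=False):
        # The key is generated on this machine and never shipped with a script.
        self._key = key or secrets.token_bytes(32)
        # False models the business case: ordinary users cannot grant.
        self._allow_user_grants = allow_user_grants

    def _tag(self, script, privileges):
        # Fixed-length digest first, so the two fields cannot be confused.
        body = hashlib.sha256(script).digest()
        body += b"\0".join(p.encode() for p in sorted(privileges))
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def sign(self, script, privileges, is_admin):
        privileges = frozenset(privileges)
        if not (is_admin or self._allow_user_grants):
            raise PermissionError("policy: only an administrator may grant")
        if not privileges <= GRANTABLE:
            raise ValueError("unknown privilege requested")
        return self._tag(script, privileges)

    def effective_privileges(self, script, claimed, tag):
        """Privileges the host should give this script right now."""
        claimed = frozenset(claimed)
        if not isinstance(tag, str) or not claimed <= GRANTABLE:
            return LEAST_PRIVILEGE
        expected = self._tag(script, claimed)
        if hmac.compare_digest(expected.encode(), tag.encode()):
            return claimed
        return LEAST_PRIVILEGE


if __name__ == "__main__":
    signer = LocalSigner()
    script = b"' constructed placeholder script\r\n"
    tag = signer.sign(script, {"send_mail"}, is_admin=True)
    print("approved copy:", set(signer.effective_privileges(script, {"send_mail"}, tag)))
    print("edited copy:  ", set(signer.effective_privileges(script + b"x", {"send_mail"}, tag)))
    print("unsigned copy:", set(signer.effective_privileges(script, {"send_mail"}, None)))
```
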

But when you consider the marketing, (none / 0) (#38)
by error 404 on Tue May 09, 2000 at 01:09:07 PM EST

it's more like blaming a gun maker that specializes in brightly colored handguns with cartoon characters on them for gradeschoolers.

Remember - Microsoft's message is that this is software for regular people, software that requires zero maintenance. Software you don't have to be an expert to use.

And in this case, software that you don't have to be an expert to write worms in. Ghod, what a lame gob of code.

..................................
Electrical banana is bound to be the very next phase
- Donovan

[ Parent ]
Aargh. Whatever happened to protec... (none / 0) (#10)
by smiley on Mon May 08, 2000 at 02:59:26 PM EST

smiley voted 1 on this story.

Aargh. Whatever happened to protecting children by having parents that were involved and interested in what their kids were doing, off and on-line?

What about product liability? If my car started itself up and drove through a neighbor's bay window, I'd be suing the car company (or selling the rights to Hollywood). If it was MSCar, I'd be told that I should have siphoned the gas out and this wouldn't have happened and that I should have known better.

We need a new name... ... (none / 0) (#3)
by henrik on Mon May 08, 2000 at 03:09:25 PM EST

henrik voted -1 on this story.

We need a new name...
Kuro5hin.org || Microsoft and MP3, from the trenches

Akademiska Intresseklubben antecknar!

Re: We need a new name... ... (none / 0) (#23)
by evro on Mon May 08, 2000 at 06:13:23 PM EST

Which would you rather see? Stories in the queue about MS/MP3/whatever other worn out buzzword or nothing at all? I'd always prefer there be something there to vote on.
---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]
Re: We need a new name...... (none / 0) (#25)
by Wodin on Mon May 08, 2000 at 06:48:23 PM EST

Just expanding on the comment given above:

If you don't like the current content, find something that interests you and submit it!

You obviously know how to do this, as your previous stories attest. Whether or not the stories in the queue are ones you are interested in doesn't mean that you have to be sarcastic about k5 as a whole, it just means you need to contribute more. I am quite satisfied, and if I find something interesting, I'll create a submission myself.



[ Parent ]
Re: We need a new name...... (none / 0) (#31)
by rusty on Mon May 08, 2000 at 10:16:23 PM EST

Yeah, for the record, I'm with you there. :-/ I also agree with the other responses that say "For God's sake, PLEASE submit something else!" But I see the gist of your drift-- enough already. I kinda wouldn't mind having a day without news if it meant a day w/out another MP3/MS story. :-)

____
Not the real rusty
[ Parent ]
It's always somebody else's fault. ... (none / 0) (#9)
by marlowe on Mon May 08, 2000 at 03:21:12 PM EST

marlowe voted 1 on this story.

It's always somebody else's fault.
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --

Good write-up. ... (none / 0) (#14)
by pb on Mon May 08, 2000 at 03:29:51 PM EST

pb voted 1 on this story.

Good write-up.

Think about the children.

Bill Gates has two children, guys, if this goes through, they'll starve, and he might have to get a real job! :)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall

The Bill Clinton approach! Blame e... (none / 0) (#8)
by scorpion on Mon May 08, 2000 at 03:40:42 PM EST

scorpion voted 1 on this story.

The Bill Clinton approach! Blame everyone else..... I guess Bill's lessons have been learned by a lot of people.

Re: The Bill Clinton approach! Blame e... (5.00 / 1) (#27)
by Dr.Dubious DDQ on Mon May 08, 2000 at 07:07:21 PM EST

"I did not have monopolistic relations with that software, Internet Explorer.
I did not harass anyone to buy, not a single time, never."
--Someone famous named Bill, trying to weasel their way out of another scandal...
"Given the pace of technology, I propose we leave math to the machines and go play outside." -- Calvin
[ Parent ]
Whine, whine, whine. Sorry, I don'... (none / 0) (#20)
by deimos on Mon May 08, 2000 at 03:46:12 PM EST

deimos voted 1 on this story.

Whine, whine, whine. Sorry, I don't feel bad for Billy.
irc.kuro5hin.org: Good Monkeys, Great Typewriters.

I don't think Microsoft is at fault... (none / 0) (#15)
by kovacsp on Mon May 08, 2000 at 03:50:52 PM EST

kovacsp voted 1 on this story.

I don't think Microsoft is at fault either. Well, only as much as it was GMs fault for their cars exploding. I got the attachment, of course I was using Pine. It was amusing reading the source of the script even before I heard about it on the news.

Yeah, I'm sure the DOJ would put so... (none / 0) (#5)
by evro on Mon May 08, 2000 at 04:43:23 PM EST

evro voted 1 on this story.

Yeah, I'm sure the DOJ would put something in there that says "And NO bug fixes!" On some level I agree that it's the user's fault, but why shouldn't they open an attachment from a friend? Why is VBscript given such free rein over the system? Is it actually used by anyone for a constructive purpose? I had never even heard of a vbscript before this virus fiasco.
---
"Asking me who to follow -- don't ask me, I don't know!"

I love the "for the children" bit... (none / 0) (#16)
by bardop on Mon May 08, 2000 at 05:38:10 PM EST

bardop voted 1 on this story.

I love the "for the children" bit

Re: I love the (none / 0) (#36)
by dlc on Tue May 09, 2000 at 10:59:35 AM EST

    I love the "for the children" bit

What's disgusting is that this is the kind of rhetoric that is going to capture the hearts of the general population. This is what Microsoft is doing -- trying to get all the public sympathy they can.

Microsoft took out a full page ad in the Boston Globe the other day (and probably other major papers as well) seeking sympathy from the public based on the I LOVE YOU virus. They used the (fallacious) argument "This will happen all the time if Microsoft gets broken up" (paraphrased).

Unfortunately, this (grabbing public sympathy) is going to work.

darren


(darren)
[ Parent ]

sounds ok. (1.00 / 1) (#22)
by feline on Mon May 08, 2000 at 06:02:42 PM EST

I'm gonna have to agree with billy on this one, I think that users were, in part, responsible for opening attachments from people they don't know.

For instance, did anyone notice that the attachments (at least when I saw this on the news) had a .doc.vbs extension? Wouldn't this be the least bit suspect, even to the silliest and most un-experienced of windows users?

I'm not saying that outlook users are irresponsible stupid clods, just that they seem a bit absent-minded.

It didn't really affect me anyway, pine and yahoo! mail user here :)
------------------------------------------

'Hello sir, you don't look like someone who satisfies his wife.'

Re: sounds ok. (5.00 / 1) (#29)
by pretzelgod on Mon May 08, 2000 at 08:30:14 PM EST

    Wouldn't this be the least bit suspect, even to the silliest and most un-experienced of windows users?

You must be kidding. My parents don't even know what an attachment is. I'm not kidding. They don't even know what .doc means. How could they? A file called foo.doc is shown only as "foo".

Considering that the Love Bug messages came from friends and family, and considering all the stupid love letters and chain letters and crap that they forward to each other, there's no way they could be expected not to open the attachment. This is entirely Microsoft's fault.


-- 
Ever heard of the School of the Americas?


[ Parent ]
Re: sounds ok. (none / 0) (#32)
by rongen on Tue May 09, 2000 at 05:39:26 AM EST

I would like to point out that many Outlook configurations "auto-preview" messages and, in doing so, display their attachments automatically... While the user may have chosen this behaviour intentionally it is still pretty bad that a preview of a message could execute a program that has this much "power"... And the really scary thing is that the "power" this program has isn't really anything more advanced than a few deletions, replacements, and mail sending etc... Really bad security policy. This sort of thing should only be able to do very limited damage (perhaps running the script in an isolated VFS) and should prompt the user before removing, replacing, sending mail, etc...
read/write http://www.prosebush.com
[ Parent ]
not ok (none / 0) (#35)
by dlc on Tue May 09, 2000 at 10:56:00 AM EST

    I'm gonna have to agree with billy on this one, I think that users were, in part, responsible for opening attachments from people they don't know.

Except that, in this case, the attachment gets run automatically. The effects of the code are obvious as soon as you look at the code, but by the time you see the code, it's too late. Well, not for me; mutt displayed the code as text. I printed it out, took a look at it (some of the sloppiest crap I think I've ever seen, by the way), and showed it to the local NT folks, so they would know what to clean up.

I showed the plain text of the message to our local support guys, and made fun of them for a while. As the Mutt homepage says, ironically true in this case, All mail clients suck, this one just sucks less.

darren


(darren)
[ Parent ]

correction: attachments from people they *do* know (1.00 / 1) (#37)
by Anonymous Zero on Tue May 09, 2000 at 11:21:23 AM EST

Remember the ILOVEYOU virus emails itself to everyone in your address book so it looks to the recipient as if you emailed this attachment to them so they blindly trust you and open it.

[ Parent ]
Re: Microsoft blames Love Bug on users and DOJ (none / 0) (#24)
by hgc on Mon May 08, 2000 at 06:21:58 PM EST

"... Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain."

If it were impossible for computer users to obtain Windows and Office and updates thereof, then there would be no Love Bug Virus attacks.

Sounds good to me.

Seriously though, Bill sounds more and more like the lame, whining jerk that he is.

I'll worry about my kids myself, and I don't need any M$ products to 'protect them' with.
_________________
Real programmers use: cat - | gdb /usr/src/linux/vmlinux /dev/mem

Re: Microsoft blames Love Bug on users and DOJ (none / 0) (#26)
by Didel on Mon May 08, 2000 at 07:04:00 PM EST

blowing more smoke. STFU Bill.

"Outlook users are idiots", says MS Spok (4.00 / 1) (#28)
by Dr.Dubious DDQ on Mon May 08, 2000 at 07:21:22 PM EST

    Instead, he blamed the silly computer users who go opening e-mail attachments. "People shouldn't open them," said Sohn. "That's the problem."

This seems analogous to, say, Smith & Wesson making a holster that sits on your hat, with the barrel pointed right between your eyes, then saying "well, users shouldn't touch the gun when it's pointed between their eyes...."
It's TRUE, but the fact is that they designed something to encourage users to act in a foolish manner. And, whereas even particularly stupid people are likely to know better than to point guns at their heads, otherwise-intelligent people who aren't particularly computer-savvy (would they be using Outlook if they were?) will, at Microsoft's insistence, assume that if things are made easy to do, it is because they are supposed to do them.
"Given the pace of technology, I propose we leave math to the machines and go play outside." -- Calvin

Re: Microsoft blames Love Bug on users and DOJ (none / 0) (#33)
by Paul Dunne on Tue May 09, 2000 at 05:39:52 AM EST

Yawn. BillG always blames the users for everything. Did you know that MS software has no bugs? Dumb lusers just don't know how to use it properly -- allegedly.
http://dunne.home.dhs.org/
Love bug must have hit Bill (none / 0) (#39)
by error 404 on Tue May 09, 2000 at 01:16:06 PM EST

Otherwise he would have gotten the Microsoft email that says this isn't our fault and we aren't going to do anything about it.

He really should contact the spin department and get the story straight.

Maybe then the email would have said it isn't our fault and we aren't going to do anything about it because the DoJ won't let us.

..................................
Electrical banana is bound to be the very next phase
- Donovan

Re: Microsoft blames Love Bug on users and DOJ (none / 0) (#40)
by Anonymous Hero on Tue May 09, 2000 at 04:47:15 PM EST

You gotta wonder if Bill got hit. I mean, I'm sure he uses Outlook, and he probably has a very large address book...
