I say if you're caught creating a virus you should get 25 years.
December 4, 2001 11:02 AM

I say if you're caught creating a virus you should get 25 years. The billions that it costs companies, the inconveniences to every-day people, the fortune that it costs normal folks whose computers are plagued... maybe 35 years should be the mandatory term. But something must be done.
posted by tsarfan (48 comments total)
 
And if you write an e-mail client that allows for easy propagation of .vbs worms, you get ...
posted by Potsy at 11:07 AM on December 4, 2001


Damn. Potsy beat me.

But, we'll add the clause, "and then neglect to update said software, even after becoming aware of the security holes."
posted by Su at 11:08 AM on December 4, 2001


Gates and Ballmer: Prison Bitches For Life
posted by quonsar at 11:13 AM on December 4, 2001


How about making the vendor responsible in some small way, eh?

You'll notice that Word, Excel and/or Outbreak (oops, I mean Outlook) are the problem here. Any other vendor involved?

Micro$oft understands one thing: the bottom line. Make it expensive for them to do this and they'll stop writing virus runtime environments (the name for the Word/Excel/Outlook combo in security circles). Until this is changed you'll find Microsoft simply laughs at you behind your back.

Or, I could suggest you use another operating system and other office apps. I never get viruses. Ever.

(I realize that this doesn't make me superior. Plus, you may not have the luxury of running Linux/Solaris/FreeBSD - maybe the apps you use only run on Windows. My sympathies.)
posted by hadashi at 11:15 AM on December 4, 2001


I say bring back the stocks so we can mock the fools who use said software and infect themselves.
posted by Catch at 11:16 AM on December 4, 2001


25 years?!, Yeah I guess you're right,.. but I don't think they should do anything for creating a picture of a virus... Don't Worry You're safe...It's only a gif....


posted by danger at 11:17 AM on December 4, 2001


Mandatory sentences for anything are a bad idea.
posted by Mark at 11:20 AM on December 4, 2001


As I understand it, beyond the mischievous fun of it for some strange people, the purpose behind hacking is 1) because it's there, much the same reason for climbing mountains or achieving space travel, and 2) to be a harbinger of warning that it CAN be done.

What would computing be without mischievous but ultimately benevolent hacking? We would have had a few years, maybe even decades of success, but the first time someone truly malicious started to climb that mountain, the entire house of cards would have fallen because no one would have been prepared. Su and Potsy are correct. The security lapses must be detected. Since programmers and software designers seem incapable of finding holes in their own works prior to release, it is up to the user to find them. I for one am thankful for the mischievous hackers out there, since I'm horrible at attempting to understand the difference between C++, Basic, and Cabol or whatever the hell it is. I couldn't make a virus to save my life. The fact that others (who weren't malicious about it) can has indirectly improved computing overall.

It's when it can be proven that criminal intent has occurred that the hacker should be penalized. Not before. If someone wakes up one morning and realizes he lives in a neighborhood where no government or private industry cleans up the streets, should he be penalized for picking up trash himself? That's precisely what benevolent hackers do. Granted, sometimes their efforts end up making things more of a mess in the short term, but they bring attention to the problem, and with time, it gets taken care of. In theory.

...

However, people like Danger should be boiled over oil. I almost spilled my coffee. *smirk*
posted by ZachsMind at 11:26 AM on December 4, 2001


What's amazing is that an email client isn't exactly the most difficult piece of software to create, from what I understand. You'd think someone would be able to market something that's more secure, given the billions of dollars at stake. Sure, corporations love Outlook's scheduling functionality, etc. -- but they could easily just use Outlook for internal mail only, and have all external mail come through a far less robust client.

I mean, couldn't they?
posted by mattpfeff at 11:28 AM on December 4, 2001


Got bit did you tsarfan? Certainly you should get punished for writing a destructive virus, and I hope this guy gets caught.

What would happen though, if someone wrote a virus that used (for example) a security flaw in outlook that had had a patch released more than 6 months before, and the payload was to update Outlook automatically and close the hole?

Would that be worth 25-35 years in jail?
posted by iain at 11:33 AM on December 4, 2001


I am in no way defending the creation of viruses, but I think it should be mentioned that a surprising percentage of people are real idiots when it comes to opening email attachments. I'm not a bright guy, but even I knew enough to be suspicious when I got the message in my Outlook inbox this morning. The file was only 38kb, which seemed small for a screensaver. If people were just a little more careful, this wouldn't be such a problem.
posted by Samsonov14 at 11:35 AM on December 4, 2001


Anyway, Goner or whatever it's called is only spreading because people are stupid, it's not half as bad as badtrans.b which rampaged all over the place last week.
posted by iain at 11:48 AM on December 4, 2001


Foreword; I hate Outlook.

Outlook has some powerful tools, or at least it's open enough so that you can do a lot with its forms and vbs stuff. However, it can also be misused. Goner is an example of that.
posted by tomplus2 at 12:02 PM on December 4, 2001


Latest news from Redmond....

The Security Chief of Microsoft (and now the White House) announces changes to the Outlook client. It will hitherto be called Outbreak and the Inbox will be renamed Infect. This is done as a truth in advertising measure and in no way will protect you from further infestations of vbs script kiddies....

25 years?? Hell no, that's terrorism son! Let's put'em on trial for 15 seconds in front of one of Duhbya's tribunals and then promptly execute them!

John Ashcroft's latest news release:
Since Microsoft is now an extension of the executive branch of the federal government and thus one of the "good guys" they cannot be held accountable for any creation that may or may not cause susceptibility to viral outbreaks. Remember, you can trust us!!!
posted by nofundy at 12:04 PM on December 4, 2001


After spending part of the morning dealing with this garbage, I'm stunned and disgusted at the people who opened the "screen saver." I'd like to see them tried by military tribunal as well, and if found guilty of opening one of these attachments, they'd have to pace in front of their office building wearing a sandwich board that reads: "I double-click anything - I spread worms & viruses." (Of course, I'm in favor of similar punishment for anyone who forwards inspirational poems or reasons "why [blanks] are better than men.")
posted by barkingmoose at 12:12 PM on December 4, 2001


I say if you're caught creating a virus you should get 25 years.

Unless you're the FBI, of course.
posted by jpoulos at 12:13 PM on December 4, 2001


mattpfeff -> you're right. After 1 semester of Java at UGA (not exactly the high school of technology), I can create a simple mailbox program by following some instructions from Sun's web pages.
posted by jmd82 at 12:16 PM on December 4, 2001


Ahhhh I wonder about the positive impact of viruses on the computer industry. More computing power is dedicated towards fighting it, backup devices, anti-virus software, overtime IT hours. Each big virus is a boon to IT. Publicly they hated the Y2K bug, privately they were employed. Hell I could use a Y2K2 bug right about now.
posted by dancu at 12:19 PM on December 4, 2001


Mattpfeff, getting your average corporate computer user to understand and/or use a two client setup would be like trying to throw glass bottles through a brick wall.

Also, you'd have a hard time getting the corporate bean counters to realize why they should pay for another email client when one comes "free" with their OS or Microsoft Office.

Then there's the fact that outlook is the "preferred" client for microsoft exchange servers, meaning if a company is already using exchange and has standardized to outlook there will be resistance to change there.

And finally, there already are secure email clients. Eudora and The Bat come to mind. They won't stop stupid users from opening vbs attachments on windows machines, but you avoid the autoexecution and address book vulnerabilities of outlook. If a company wants scheduling features they have/had (although I shudder at it) Lotus as an option.
posted by alana at 12:26 PM on December 4, 2001


Wow, I guess I'm up for over 500 years of time. I've written at least 25 viruses (1992-1996), though none of them have ever been (or ever will be) released on the internet or in any other form. The most damage they ever did was to an old 386 testbed machine in my closet, and perhaps a cross-infection that targeted my shoes.

I support mandatory terms for virus distributors, though. Those people are unscrupulous, and should be beaten with bricks. Also at fault, though, are Microsoft and the American AV companies, both of whom release flawed, barely-beta-worthy software to their unsuspecting victims. And never forget that these worms couldn't propagate without bloody stupid users who actually open attachments with this sub-standard software.

I support: 10-15 year sentences for deliberate virus distributors, US$10m fines for software vendors that allow the holes, and caning for the first 200 users with giant address books that actually think l33tH4x0r@163.net is sending them a revolutionary new screen-saver in the form of a .vbs file.

***EOF***
posted by phalkin at 12:26 PM on December 4, 2001


Blaming vendors for damage to users from viruses is like blaming car manufacturers for damage to cars by carjackers.

Why not? Car manufacturers know car theft exists, and that it causes multi-million-dollar losses to consumers each year. Why haven't they managed to create a theft-proof car? After all, the industry has been around 5 times longer than the computer industry. That's plenty of time to smooth out the "bugs", right?

Face it, for as long as you build more security into a program, there will always be someone determined to get around it. There are few things in this world that are completely secure (and most of those only maintain the illusion of security, eg airport security post 9/11). Yes you should make crime as difficult as possible, but you can never make it impossible.

Microsoft does a fairly good job of providing function vs. security, and whenever a gap is spotted, they do their damnedest to plug it. Yes, Outlook is probably less secure than Opera - but how many people try writing a virus for Opera vs one for Outlook?

If you are determined to secure your car, you don't just stop at the vendor - you buy a crook-lock, a car alarm, a tracking device, then you make sure you park your car in secure parking, that you don't leave your keys in the lock or window down. If you didn't do these things and the car was stolen, you wouldn't blame the vendor.

But if you receive a virus through the e-mail and don't have a virus checker or firewall and it infects your computer when you opened the attachment, then you'll bitch and bitch that Microsoft didn't provide be-all-end-all security for you.

Well, from Bill to me, to pass on: Fuck You.
posted by Neale at 12:43 PM on December 4, 2001


Very intelligent, Neale. Especially the "Fuck You" part, a true measure of your character.
posted by phalkin at 1:11 PM on December 4, 2001


Microsoft Outlook is the target of so many viral outbreaks because of its popularity and Microsoft's attempt to make it more than an email client by giving it some VBA functionality. I'm a little confused about what the anti-MS jihad expects them to do in this case. Write code under the assumption that everything in the app will be used maliciously? Most viruses are spread by uneducated users these days. If anything, MS should build a warning into Outlook that says, "Hey, dumbass, this is a file that may infect your computer/ Exchange server. Think before you open it."

And to get back to the pre-hijack thread, cracking is akin to vandalism. 25 years is more manslaughter territory.
posted by eyeballkid at 1:20 PM on December 4, 2001


Neale, extending the car metaphor, what would you do if a car manufacturer released a car with no locks?

That's arguably what microsoft did when they decided all their applications would share the same scripting engine. They ignored common industry wide security concerns in favor of 'innovation'.

Microsoft has to share some (not all) of the blame for these easy to spread worms and trojans.
posted by alana at 1:23 PM on December 4, 2001


Neale, extending the car metaphor, what would you do if a car manufacturer released a car with no locks?

AND the car in question was the only one a certain market could use, because of the manufacturer's monopolistic practices, AND the resulting thefts cost the car's buyers billions of dollars, year after year....
posted by mattpfeff at 1:34 PM on December 4, 2001


Blaming vendors for damage to users from viruses is like blaming car manufacturers for damage to cars by carjackers.
No, it's like blaming car manufacturers for not building in crumple zones that could save passengers from a crash. Sure, there shouldn't have been a crash, but - life being what it is - you've got to expect crashes and the car manufacturers should take some precautions to ensure it doesn't hurt anyone.

Microsoft build weak products that, in my and insurance companies' opinions, don't take enough precautions and have serious security flaws. It's not all their fault, sure, but they have to take part responsibility for not anticipating real-world scenarios that could affect their customers.
posted by holloway at 1:35 PM on December 4, 2001


Write code under the assumption that everything in the app will be used maliciously?

Yes.
posted by alana at 1:49 PM on December 4, 2001


Microsoft products are about as secure as the users using them.

I have been using Outlook for years, I never use anti-viral software, and NOT ONCE have I managed to infect my computer. However, a couple of weeks ago I lost a lot of my home desktop's hard-drive when my younger sister accidentally ran a .vb file downloaded through morpheus. This has been that computer's only infection.

I don't blame Morpheus for spreading the virus... I blame my sister's lack of knowledge. She knows better now, and it won't happen again.

For the same reason, I can't blame Microsoft for the incompetence of its users.
posted by mkn at 1:53 PM on December 4, 2001


alan: Neale, extending the car metaphor, what would you do if a car manufacturer released a car with no locks? That's arguably what microsoft did when they decided all their applications would share the same scripting engine.

And I would argue it. Outlook does not have "no locks". For example, it provides user passwords, has multiple security updates, various levels of optional user increased security, ability to use certificates, etc, etc... To extend the metaphor, this is not simply going up to the car and opening the door - it's going out of your way to break past what security there is to steal the vehicle.

holloway: No, it's like blaming car manufacturers for not building in crumple zones that could save passengers from a crash.

Again, I have to disagree. This cause of the "accident" is due to a third party; the hacker. It's an intentional strike, not an accidental one. Microsoft do build in various things to prevent accidental loss of data (the "are you sure popups", crash protection, backups). It is far harder to prevent intentional security breaches. Again I state, don't expect the "base car" to protect itself, there are plenty of tools on the market to help you protect it. The same with e-mail clients; don't expect them to protect themselves; buy extra software to help you protect them. The vendor can only go so far; no software can fully prevent itself from an intentional attack.

mattpfeff: AND the car in question was the only one a certain market could use

Untrue again. In this thread three (or more??) alternatives have been mentioned. The problem is, most people don't want to either (a) pay for them, or (b) go to the trouble of installing "more" software. Again with the car analogy; if people didn't go to the effort of paying for a car alarm, or installing a tracking system, they still wouldn't complain that it was the vendor's fault, they say it was their own damn fault for not being more prepared.

the resulting thefts cost the car's buyers billions of dollars, year after year...

Which it does - but still few directly blame the car manufacturers. People blame microsoft because they're a big, ugly target, despite their best efforts to listen to the complaints and update the security because of them.

phalkin: Very intelligent, Neale. Especially the "Fuck You" part, a true measure of your character.

Hey, I didn't say it, Bill did. Don't shoot the messenger.

I say, before you blame the vendor, blame the virus writer, then blame the user for not protecting themselves properly despite the overwhelming amounts of data stating they should do so, and the numerous tools allowing themselves to do so.
posted by Neale at 1:59 PM on December 4, 2001


alan: that'd be a short, useless damned program, wouldn't it?

I agree with Neale. I have been using Outlook (and MS's Office suite) for years at home and have never managed to get infected with anything. I keep a firewall running to filter connections and Norton to scan for viruses. I know I'm doing my job, because Norton never catches anything, but I do have the safeguard there just in case. I know the firewall is doing its job from its logs.

I also know better than to answer emails from straight male friends that say "I love you, look at my attachment," or "chEck out thes picture3s of my hot wif!"
posted by eyeballkid at 2:10 PM on December 4, 2001


Again, I have to disagree. This cause of the "accident" is due to a third party; the hacker. It's an intentional strike, not an accidental one
And if this was a naturally occurring phenomenon? The motivation is irrelevant when deciding security. What needs to be considered is that the environment has certain qualities that will be dangerous to your software.

Now if you want to debate whether Microsoft understand the environment they are in I'll be more than happy to!

(but that ain't the thread, right?)
posted by holloway at 2:25 PM on December 4, 2001


I say, before you blame the vendor, blame the virus writer, then blame the user...

Most of us have done that. None of us support the idea of virus-writers or stupid users. Now, third on the list, we blame the vendor.
posted by jpoulos at 2:25 PM on December 4, 2001


Goner also tries to install a denial of service script on machines of IRC users, said Symantec Corp. That could turn PCs into launch pads for denial of service attacks, which malicious hackers use to flood Web servers with traffic from multiple PCs, effectively shutting down Internet sites to legitimate traffic.


If the proliferator of this virus tries to connect to said users, it should be easy to catch him.
posted by trioperative at 2:47 PM on December 4, 2001


eyeballkid: I agree with Neale.

Wrong, I agree with you. [and thus the paradox is born!]

holloway: And if this was a naturally occurring phenomenon?

And if my Aunt had balls she'd be my Uncle (I've always wanted to say that). The fact is it's not a naturally occurring phenomenon. It's an intentional, criminal act. And as I have stated, and will state again, you cannot be completely secure against an intentional, human act.

Now I would love to argue about whether there is any "naturally occurring phenomenon" in cyberspace, a completely unnatural state, but the thread, the thread!

What needs to be considered is that the environment has certain qualities that will be dangerous to your software.

Back to the car analogy; the SUV is (supposedly) built to withstand the "natural environment", but the manufacturers cannot make it theft proof. You can protect against nature almost all of the time; you cannot protect against man. Or to put it another way; you can protect against the accidental, not the intentional.

Now if you want to debate whether Microsoft understand the environment they are in I'll be more than happy to!

Sooooo tempting, but I don't think we'd be arguing much.

jpoulos: Now, third on the list, we blame the vendor.

And I say a bad gigolo blames his tool. Or something.
posted by Neale at 2:48 PM on December 4, 2001


Neale: And I would argue it. Outlook does not have "no locks". . . . [more snipped]

And I say it does, which means our old mustached nemesis should be showing up soon.

Just to be clear, I'm not saying don't blame the schmuck who released (and maybe wrote) the virus. All I'm saying is that Microsoft didn't put enough thought into security problems when they integrated all their products with the same scripting engine and has to share some of the blame.

So Neale? Behind metatalk by the bike racks, Queensbury rules?

eyeballkid That'd be a short, useless damned program, wouldn't it?

No.

There are plenty of programs on the market that are written "under the assumption that everything in the app will be used maliciously". As a quick example take Javascript in Netscape. As a developer, I'd love it if Javascript could write out any file to any location on a user's hard-drive. However, acting under the assumption that everything will be used maliciously, you'd see that a feature like this would be ripe for abuse, which is why Netscape built Javascript without any file IO. (unless you count cookies, which would involve several car metaphors, so I'll skip it)

That's what I meant by my oh so flippant 'yes'.
posted by alana at 3:05 PM on December 4, 2001


Yep, I'm with Neale on this one: for home users, they MUST have an av program; my Norton has caught a couple of friends' virus emails, but even without it I've had viruses sent to me that never ran, because I don't open attachments that I don't trust, and my scripting settings are turned OFF!

Corporate or business users running on Exchange damn well better have not only AV on all the client machines, but a virus scanner for the Exchange server and/or IMS. Last company I worked at, we spent a few hundred dollars for a 3rd party scanner for Exchange that filtered all ingoing/ outgoing emails with a built-in virus scanner and with customizable actions for file types that are admin-specified. For example, if a user in our company sent an email with a .vbs attachment out, it was dropped at the server and an auto-reply was sent back saying "The email you have sent contained a .vbs attachment. If you mean to send this attachment, please be aware that sending .vbs attachments are prohibited to prevent the spread of email-borne viruses." Best money we spent; we went from the once-a-week outbreaks from local users, at least one of which was guaranteed to somehow have disabled their local client, to not seeing any more viruses, period.

To extend the oh-so-popular car model, even if a car manufacturer managed to build a theft-proof, accident-proof vehicle, they'd hardly be to blame if the driver refused to drive safely or wear a seatbelt.

Microsoft's in a damned-if-you-do, damned-if-you-don't situation; they're targeted for virus attacks because of their size, so more come out that are Outlook specific. Then, if they released their products with that integration disabled, bitchy sysadmins would claim it's "too difficult and complicated" to turn them on. Granted, maybe the integration was poorly conceived to begin with, but it's beside the point; as has been noted, there are plenty of easy, you-should-know-better steps to take to protect yourself, not the least of which is a freaking antivirus program, you cheapskate. :)
posted by hincandenza at 3:09 PM on December 4, 2001
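
The server-side attachment policy described in the comment above, sketched as an added example that is not part of the original thread and not the commenter's product. The policy table (only the `.vbs` rule comes from the thread), the addresses and the sample messages are constructed assumptions; the notice wording is the one quoted in the comment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical admin-specified table: extension -> action. Only the ".vbs"
# rule is described in the thread; the other entries are assumptions.
ACTIONS = {".vbs": "drop", ".scr": "drop", ".exe": "quarantine"}
SEVERITY = {"deliver": 0, "quarantine": 1, "drop": 2}

NOTICE = ("The email you have sent contained a {ext} attachment. If you mean "
          "to send this attachment, please be aware that sending {ext} "
          "attachments are prohibited to prevent the spread of email-borne "
          "viruses.")


def effective_extension(filename):
    """Extension the receiving desktop would act on: the LAST suffix,
    lower-cased, after dropping any path and trailing dots or spaces
    (so 'holiday.jpg.VBS' and 'notes.vbs. ' both count as '.vbs')."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def evaluate(raw_bytes):
    """Return (action, hits) where hits is [(filename, ext, rule), ...]."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    action, hits = "deliver", []
    for part in msg.walk():              # also descends into nested parts
        filename = part.get_filename()   # falls back to Content-Type name=
        if not filename:
            continue
        ext = effective_extension(filename)
        rule = ACTIONS.get(ext)
        if rule:
            hits.append((filename, ext, rule))
            if SEVERITY[rule] > SEVERITY[action]:
                action = rule            # strictest matching rule wins
    return action, hits


def build_notice(raw_bytes, ext):
    """Auto-reply to the sender, marked as automatic per RFC 3834."""
    original = message_from_bytes(raw_bytes, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = "postmaster@example.com"      # assumed gateway address
    reply["To"] = str(original["From"])
    reply["Subject"] = "Blocked attachment: " + str(original["Subject"])
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(NOTICE.format(ext=ext))
    return reply


def process(raw_bytes):
    """Apply the policy to one message: (action, notice or None)."""
    action, hits = evaluate(raw_bytes)
    if action != "drop":
        return action, None
    ext = next(e for _, e, rule in hits if rule == "drop")
    return action, build_notice(raw_bytes, ext)


def sample_message(filename):
    """Constructed outbound message with one attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Q4 report"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("report.pdf", "setup.exe", "holiday.jpg.VBS"):
        action, notice = process(sample_message(name))
        print(name, "->", action, "| notice sent:", notice is not None)
```

Matching on the last suffix after normalisation is what stops double-extension names from slipping past a check that only looks at the first suffix. Sending the notice only to authenticated local senders keeps the gateway from replying to forged `From` addresses.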


Behind metatalk by the bike racks, Queensbury rules?

Okay.
posted by Neale at 3:23 PM on December 4, 2001


You can be as clean and virus-conscious as you can possibly be and still be affected. I've been fielding calls for the past hour from customers wanting to know why I haven't responded to their email. My computer is virus-free, but the single-helix mutoids that run the IT department here have cut off all email traffic to and from the company.

I called up IT and asked them: "Since the virus du jour is being passed via attachments, would it make sense to filter the mail with attachments and let the rest go through?"

Answer: "I can't answer that yes or no, sir."

Q: "Why is that? Do you know the difference between yes and no?"

A: "At this point, we don't."
posted by joaquim at 3:26 PM on December 4, 2001


Neale,

Corporate clients use Outlook because MS provides the only viable OS for their needs, and because it serves their need for a networkable scheduling tool. In terms of overall cost, including efficiency costs, it is probably the worst email client on the market. If corporate clients picked and chose applications one by one (instead of just getting MS Office), it's doubtful that nearly as many would choose Outlook for their email -- and it's also almost certain that by now a competitor would have developed a better alternative than any of those mentioned here.

As far as the locks analogy goes, no, it's not perfect. The point is that MS has built its product in such a way that it is easily exploited by viruses. Viruses are a known, foreseeable risk. The fact that they are intentionally created by malicious individuals who deliberately exploit known weaknesses is no excuse for not fixing that weakness, given the certainty that it will otherwise be exploited.

Should users and sysadmins invest in virus protection and take precautionary measures? Of course. But does that mean that Outlook isn't a dangerous product? Not in the slightest. The fact is that it's completely unsafe for use on large corporate networks, where the risk of imperfect individual precautions reaches 100 percent and where the consequences of that exposure are the greatest. And MS couldn't care less, because people will buy it anyway.
posted by mattpfeff at 3:27 PM on December 4, 2001


This thing helped louse up my day. My personal blessing to all smart enough to never click on attachments. I just wrote a short (and admittedly trite) bit on my confusion about what a virus is supposed to accomplish, but I will restate it here. The whole concept is sad because it only really punishes the weakest users. Nobody with a clue is going to be overly affected, unless they are working I.T., those who don't are just being tortured. Gun/fish/barrel. I cannot imagine the buzz is any greater than finding a penny in the street.

P.S. Neale, we all miss you. Come home!
posted by thirteen at 4:02 PM on December 4, 2001


::I say the death penalty would be getting off easy:: Not just for virus makers, but those people who make faux AOL Billing and InstaKiss sites trying to steal AOL people's credit card numbers and passwords.
posted by Katy Action at 5:50 PM on December 4, 2001


You spelled Microsoft with a dollar sign! Because they have a lot of money! I get it, that's funny!
posted by anildash at 7:01 PM on December 4, 2001


I swear on a stack of copies of The Bhagavad-Gita As It Is that I could send people at my work a file called Virus.exe and they WOULD STILL open it.

lawks-a-lawsey are they dim!

You can stand behind them as they eye the .exe, tell them "by no means should you run that file," and they'll say "Ya mean this file?" as they double click the icon. I wouldn't trust them to sit the right way on a toilet, to quote Rowan Atkinson.
posted by Kafkaesque at 7:35 PM on December 4, 2001


I remember a quote on an album liner for an old Severed Heads album in the early nineties that read something like "and to the person who broke into our van and stole all our sound gear on the last tour...we hope your gonads swell up, fall off and are eaten by rabid squirrels". I think the same applies with virus writers.
posted by Greggbert at 7:42 PM on December 4, 2001


Alan, I'm not really sure what you're complaining about in this sentence: "All I'm saying is that Microsoft didn't put enough thought into security problems when they integrated all their products with the same scripting engine and has to share some of the blame." You think it's bad that every app can potentially be driven through script? I would think you're in the minority (ever heard of AppleScript? Expect?). Moreover, I don't see how that's relevant. These viruses have all been due to vulnerabilities in Outlook. Even if every app only "understood" a particular (distinct) scripting language, that wouldn't stop these problems.
posted by JasonSch at 7:42 PM on December 4, 2001


I partly fault Microsoft for the problem because they use such a lousy update/FTP/download system. The experts beat up users for not keeping up with the latest patch, but just try keeping up with all of Microsoft's updates on a 33K modem. They could at least support partial downloads. I've finally given up and gone to Pegasus, but I miss Outlook's UI.
posted by ArkIlloid at 9:22 PM on December 4, 2001


And perhaps we shouldn't even get into talking about sendmail which probably qualifies as the single historically most insecure application in computing history.
posted by KirkJobSluder at 10:05 AM on December 5, 2001


From the NYTimes: Microsoft Makes Software Safety a Top Goal:

"Every developer is going to be told not to write any new line of code," Mr. Allchin said, "until they have thought out the security implications for the product."

'Bout time.
posted by mattpfeff at 8:40 PM on January 17, 2002




This thread has been archived and is closed to new comments