So, who's *really* to blame for the Love Bug costing billions?
May 6, 2000 7:03 PM   Subscribe

So, who's *really* to blame for the Love Bug costing billions? Phil Agre makes a pretty good argument that the least Microsoft's can get away with is contributory negligence in this RRE piece.
posted by baylink (17 comments total)
BTW: I didn't get a single copy.

Well, except on my network management mailing list, where about 17 people forwarded it along on purpose, for "study".
posted by baylink at 7:04 PM on May 6, 2000

(Oh, and apologies: that was courtesy of Linux WeeklyDaily News.)
posted by baylink at 7:15 PM on May 6, 2000

I could only stomach about half of that article.

Everyone's jumping down Microsoft's throat because this happens to be a Visual Basic Script file. Talk about obsessive. You could easily write a plain old .EXE file to scrounge your hard drive for e-mail addresses, send off copies of the .EXE to all the addresses found and toast all your mp3s and porn. That'd be way more effective, too. I have nobody in my address book, but I probably have hundreds if not thousands of e-mail addresses saved and cached all over my hard drive.

And as I pointed out in an earlier post, the fact that it's a .VBS file almost guarantees that everyone got the very, very clear warning message that what they're running might be a virus. Were it an .EXE, an awful lot of people most likely would have had the warning already turned off for "files of that type".

What's next? Scream at Microsoft for allowing batch files to delete things? You could do a lot of damage with one of those suckers...

posted by lzealand at 8:54 PM on May 6, 2000

Is Microsoft any more liable for allowing people to execute malicious code on other people's systems than Napster is for allowing people to pirate music with their app? The thought here is that both Outlook and the Napster app are just platforms being abused by folks who are breaking the law.


posted by jkottke at 8:57 PM on May 6, 2000

Well, I know I'm not to blame. I've advised against the use of Windows and Outlook whenever possible.
posted by raster at 9:15 PM on May 6, 2000

And whose idea was it to build these so-called 'computers' with destructive properties?

posted by lzealand at 9:19 PM on May 6, 2000

Oh, shit, where was it? Someone help me out here: there was an article with the line, "If Microsoft Outlook were a car, it would have been recalled."

It's amazing that the business infrastructure has gotten to the point where some chump in Manila can wreak havoc in such a manner.

As for Mister Kottke's excellent question, I would say that it involved intent and motive. Ahem:

To continue the car analogy, a car is manufactured with the intent that it will be used to transport people to and from locations. Now, it's entirely possible that someone with no driving experience could start a car and cause some major damage. It's also very possible that someone with malicious intent could get behind the wheel and plow through a crowded park and kill lots of people. It is a matter of trust that you will not get in your car and plow into a school bus. Automobile manufacturers are well aware that their products could be used to intentionally kill people, but that is a risk that people accept in return for easy, speedy transportation.

Outlook is like a car. Yes, someone can release a virus and intentionally cause mayhem. But that's a risk that people accept in return for easy, speedy communication.

Now then. Let us consider the bhong. Oh, excuse me, the "water filtration pipe," as you must refer to it while you're in the head shop - oops, I mean, the smoke shop. Now, while one could argue that the manufacturer of the bhong is blameless should a bhong owner smoke illicit materials with the apparatus, let's face it - bhongs are used to smoke marijuana, which is an illegal activity. They are designed for that purpose.

Napster is a bhong. As much as they might argue that they have no control over what people trade over their network, let's face it - Napster is used to trade pirated MP3s, which is an illegal activity. Napster is designed for this purpose.

Much like marijuana, trading pirated MP3s has its detractors and its proponents. That doesn't detract from the basic fact that both activities are against the law, and any devices/programs that facilitate illegal activities are, at the very least, suspect.

I am certainly not saying that Microsoft is blameless in the ILOVEYOU debacle. While I'm not the one to decide, it could be argued that Microsoft's product is unsafe and should be recalled, much like cars with severe engineering defects. Fortunately, making a software patch is easier than a nationwide voluntary recall, so here's hoping Microsoft removes its thumb from its ass and corrects this problem.

I'm also not saying that Napster's the devil. While I'm ambivalent about the illegal copying of music, Lars Ulrich is singlehandedly turning me towards Napster, if for nothing else but his overwhelming hypocrisy. And let's face it, Dr. Dre isn't hurting because of trading MP3s. (My objections remain ethical rather than practical or financial.)

So there you go. That's my two cents, for what it's worth.

posted by solistrato at 11:09 PM on May 6, 2000

Wha--Did someone mention a Microsoft car?

posted by fooljay at 12:06 AM on May 7, 2000

This is a bit off topic, but you mentioned it, solistrato. :-)

Napster could also be compared to a gun or a VCR in the early days. The purpose of a gun is to kill. Sure, there are some who practice marksmanship, but most shots fired from guns around the world are meant to kill. And yet, they aren't being banned.

In the early days of VCRs, there was no Blockbuster. VCRs were used for two things: porn and taping television. Yet, the Supreme Court ruled that a technology cannot be ruled illegal if it had a "viable non-infringing use".

And Napster DOES indeed have such a use. Trading promotional or non-commercial, non-copyrighted music.
posted by fooljay at 12:19 AM on May 7, 2000

Excellent catch, Fooljay; I'd missed that one.

But to turn the topic back to "mail user agents that open attachments automatically", I have documentation that Eudora Pro can do this, although I expect that it is *not* the default.

The question at hand, which I do not have the software present to confirm, is this: does *any* version of Microsoft Outlook (95, 97, 2K, Express, etc, ...)

a) have the capability of automatically opening attachments using the Windows file extension association rules, or

b) have the capability of executing script attachments internally using Visual Basic for Applications, and

c) can such a program do this without popping up the "you may be about to commit suicide" dialog -- in *any* configured security level.

And let's not forget

d) did someone come along before the user and check the "don't ask me this again" dialog, as geeks in IT departments are wont to do. *I* do it... but only on my own machines.
posted by baylink at 8:47 AM on May 7, 2000

Thanks Baylink. You are correct about Eudora. It is not the default and the software strongly advises you to think again when you go to turn it on
posted by fooljay at 10:02 AM on May 7, 2000

As I see it, the only way Outlook Express or Microsoft are at fault is if somehow this .vbs file managed to automatically run itself somehow. THAT would constitute a bug, an exploit, a security hole. As far as I can tell from all of the really sketchy news reports and user accounts of it, this is not at all what happened.

"Opening" a file in Outlook Express is no different than double clicking on it in Explorer. If this .vbs file were stuck on users' desktops and they double-clicked on it, it would have run and they wouldn't have even gotten a warning. Tough nuts, suckers. Think before you open shit or kiss your mp3s and porn goodbye.

posted by lzealand at 12:01 PM on May 7, 2000

Here's the catch in writing a commercial application: no matter what feature set you create, there are uses for the product that you either never imagined or simply didn't have the time to implement. As a result, many applications solve this problem by making the core functionality available in some form through API calls or by implementing scriptability. When the application can import documents or files that contain scripts, you've got a breeding ground for viruses/trojan horses/etc. Compound that with an application that, itself, is a network based app and you can retransmit the offending code trivially (by the by, even if Outlook didn't allow access to _sending_ mail, the POP protocol is *so* easy that writing a VB implementation of it that talks to winsock would be pretty easy). Having scriptable apps is great--it's very flexible and is a fantastic story for System Integrators, but a Turing complete script language comes with a security risk.
posted by plinth at 2:58 PM on May 7, 2000

Actually, fooljay, I considered using the gun argument, but felt that it was a bit too strong and overzealous. After all, a gun has only one intended purpose: to injure and kill living things. It's a weapon, and I didn't want to cast Napster as the equivalent of a lethal instrument. Plus, I didn't want to start a 2nd Amendment debate.

I used the bhong analogy because, in my opinion, smoking pot and trading MP3s are about the same as far as crimes go. But ENOUGH about MP3s - we're talking Microsoft Outlook here. ;)

The problem is that Joe Windows User couldn't give two fig leaves about viruses, scripting technologies, how Outlook works, etc. He just wants to type letters, get his spreadsheet up, surf the Web and send emails. Anything more complicated than that and he calls the sysadmin.

Viruses prey on ignorance.
posted by solistrato at 6:56 PM on May 7, 2000

Digitally signed scripts, anyone?

If the scripter's public key had to be manually installed on each client, it wouldn't be that big a deal for Netadmins (I know, I am one and I do this crap everyday), but it would save a lot of hassle for the 90 million home owners of Microsoft Solitaire, and that thing they package it with...

posted by baylink at 7:07 PM on May 7, 2000

The technology exists (cab etc) but isn't being used. Care to take a guess why?
posted by plinth at 5:31 AM on May 8, 2000

I for one believe it's possible for users to have had the script run "automagically". There are about six different kinds of Outlook out there alone, not counting Internet Mail and Inbox. Depending on which versions you had and the order they were installed, who knows what your scripting security settings might be.

It is annoying that Microsoft doesn't start people off with scripting turned off, but on the other hand, the things they do set up to nag the user get turned off all the time because who wants to click three or four times to download a file EVERY time?

I do believe that as a principle features that are not likely to be used by most end-users (macros, scripting) should be turned off by default.
posted by dhartung at 4:11 PM on May 8, 2000

« Older Uhoh! Leggo my napster!   |   Cybersex addiction? Newer »

This thread has been archived and is closed to new comments