Let's shape this scenario a bit differently.
I see a car. I say to myself, "I could run people down with this car". So, I get into the car, and drive down a crowded sidewalk, running people over.
Now, would 34.97% of you say "It's the victims' fault. They shouldn't have been out on the sidewalk where a car, driven illegally, might hit them"??
Would 30.36% of you say "It's the car maker's fault. They shouldn't have made a car which could run people down"??
Of course not. You'd say "It's the driver's fault. He made a deliberate choice to intentionally hurt people".
|
I would like to add a fourth opinion to vote for: Antivirus Software Manufacturer. One automatic update a day is too few. One per hour should be configurable! There was time enough to warn and, I think, to develop the pattern. The vbs was and is very simple to analyze.
Wolfgang
|
See the following link: "The NewLove.VBS variant uses the filename of a file that a user has recently been working on, and places that filename in the subject line of the e-mail transmission," an FBI alert said.
http://newsnet.reuters.com/cgi-bin/basketview.cgi?b=rcom:general&s=nN1959410
|
I think all of you agree that all three parties in the pool have their part of guilt.
It's interesting how everybody judges this situation by making analogies with non-computer-world cases. Give up. It is something very specific to the computerized/networked environment we live in now.
The bad guys can be discouraged by drastic punishments, but this will not stop all of them.
You can increase the awareness of the users, but there will always be stupid/irresponsible ones.
But I think the key is to leverage the security with the potential destructive power of a product. And, since I am talking about analogies here, I will make one too: if you build nuclear power plants for personal use, isn't it wrong to advertise the ease of use (i.e. "even the children can maintain them") and to leave the security measures aside?
I guess one of Murphy's laws says that it's impossible to make a foolproof device, because the fools are very inventive. But this is not an excuse.
|
Found this link at Slashdot, thought it was interesting
http://www.officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm
Should Microsoft protect the end user, or should the end user just be a hell of a lot smarter?
|
There is an article at IDG (http://www.idg.net/go.cgi?id=262148) that talks about Windows vulnerability to virus attack.
Seems a little bit biased...
BTW: The plural of computer mouse is mouses. Is the plural of computer virus viruses or virii?
|
>> Is the plural of computer virus viruses or virii?
If I remember correctly, the plurals are:
- virii for biological virus
- viruses for computer virus
|
A language is very much a living entity, so before we all run to our text books, we should realize that
language has meaning only in its context, and I suppose that in today's context "virii" is a totally outdated
word, and that "viruses" has very much taken over as the accepted word usage. It is the same as asking
which spelling is correct: "color" or "colour?" It depends on the context: American or British? I would think
that the IT context would use "viruses" and the general science context would use "virii." Then again, even
the general science context is changing... BLAH, BLAH, BLAH... Like Shania Twain would say: "Whatever!"
|
We programmers write software and develop applications to provide functionality to the otherwise oversized paperweight that is a computer.
This functionality/life of the computer can be used in two ways: beneficial, or harmful.
A computer is as much a weapon as it is a tool, and it depends ENTIRELY on the person sitting at the keyboard as to which one of these it becomes.
If software can be blamed for the creation of viruses then
by the same token a knife should be held responsible for the act of violence it was used for rather than the human culprit.
|
I agree 100% with you. I would add that if the software is to blame, then the car, and not the driver, is responsible for a hit and run accident.
|
It is so ridiculously easy to write Windows viruses that it's not funny! I mean anyone who is coding at the level of code found here could knock up the I Love You virus in an afternoon.
Microsoft should be to blame. The whole WSH thing was rushed to market without adequate forethought like most of MS's stuff. If Ford sold cars that would go 300 km/h but had no brakes, people would blame them for the accidents. For the same reason we should blame Microsoft for the types of "backdoors" included in WSH.
uniken
|
If you only knew how much money and skill we get off of writing virii, you would laugh your butt off. Some corps actually pay us quite well, just so corporations can "sell" their product.
Just remember, what company has the greatest to lose if there were no viruses?
SilentX
|
>> If you only knew how much money and skill we get off of writing virii, you would laugh your butt off. Some corps
>> actually pay us quite well, just so corporations can "sell" their product.
>> Just remember, what company has the greatest to lose if there were no viruses?
You seem to imply that you're a member of the Vx community. So, Mr. SilentX, which viruses have you written? How much were you paid for them? Who paid you?
Unless you give evidence that supports your claims, stop trying to look smart by making vague statements.
|
First, it's NOT "Mr. SilentX" it's JUST SilentX.
I've been paid around a three to four figure basis. The group I was part of before being booted for working on projects not related to the whole, commonly worked for major companies. I won't say who they are because fools like you just like to blow it off anyways.
|
>> First, it's NOT "Mr. SilentX" it's JUST SilentX.
The "Mr" was an irony.
>> I've been paid around a three to four figure basis. The group I was part ... commonly worked for major companies.
I still think you're full of crap.
>> I won't say who they are because fools like you just like to blow it off anyways.
I don't think so, I could be talking to a criminal here. There are severe penalties for criminals like you (if indeed you are a virus writer) and those who pay you (if what you say is true, which I still think is false due to the lack of evidence).
|
What if the gearbox of your car causes an accident because of a faulty design?
Would you still blame the driver (user)? The software manufacturer (Microsoft) should keep in mind that the WSH feature is a security risk. Melissa already served as a warning.
Programmers should not evade their responsibility for the "tools" they create. When you father a bug, you should take care of it.
|
Listen, I'm all for a powerful and flexible system with a low barrier to entry, and FWIW Windows is that.
But come on, it's so easy to write a virus for Windows it's ridiculous. I mean writing a virus in VBScript? That makes it a little too easy.
From my perspective, Windows should assume the 99% case, that people really don't want to run .exe's and .vbs files attached to their emails. It only took what, 3 versions of MS office until it wouldn't run startup macros until it asked you at least.
To me that is just total disregard for security, and as much as I like Microsoft (and I do), I think they've really fallen down here.
I see CNN is making a BIG DEAL out of the fact that Mac and Linux users were happily unaffected by the "I LOVE YOU" virus. Microsoft should take it on the chin for this.
|
I think that in many respects those "Are you sure you want to run this macro?" prompts are like car alarms. In the beginning they were extremely useful, but then after the millionth one went off you just kind of start ignoring them.
If you received an email from a friend that included a Word document that contained macros, and you'd received similar documents from him/her in the past, then would a "WARNING! WARNING!" (in true "Lost in Space" fashion) message box really stop you opening that document?
Maybe the answer is not to stop the macros from running, but rather stop them causing damage. Surely there isn't really the need for most macros to have file and network access?
|
Nail on the head there Chris.
In my opinion, applications should have permissions just like users do. Just because I run the echo command under my administrator context doesn't mean I want the echo command to be allowed to format my hard drive.
Java's sandboxing is a bit like this, I guess. In my opinion, the whole OS should work that way.
Probably make everything too complicated for the average user, but I think we've made computing too easy for those who cannot be bothered to learn how to use their tools.
Probably also require we burn Windows NT and start with something fresh. So it'll never happen. sigh.
|
>> "Are you sure you want to run this macro?" prompts are like car alarms. In the beginning they were extremely
>> useful, but then after the millionth one went off you just kind of start ignoring them.
Couldn't agree more with you Chris. I was involved with the development of antivirus software for 5 years, and this was the greatest problem, beyond the capabilities or limitations of the software. Users just start feeling secure and ignore (or disable) all security measures.
>> Maybe the answer is not to stop the macros from running, but rather stop them causing damage. Surely there isn't
>> really the need for most macros to have file and network access?
But, there are perfectly valid cases where file and network access is necessary to perform useful tasks. In most cases it's very difficult for a piece of software to distinguish malicious intents from the good ones.
I think the solution is to nail a couple dozen of those little bastards (virus writers) and make 'em pay hard time. I think 10-15 years of jail will teach 'em to respect others' work.
|
>> I think the solution is to nail a couple dozen of those little bastards (virus writers) and make 'em pay hard time. I think 10-15 years of jail will teach 'em to respect others' work.
Yes, that's certainly the right idea. It's not like the government hasn't been doing this since the early 90s or anything.
As long as it's this easy to do, people will write viruses. And for every one the government nails, there are a hundred others conceited enough to think they can't get caught. Do you think law enforcement agencies are willfully ignoring these crimes? They can't, with the losses corporations are taking in productivity from stuff like this.
Back up your stuff. Don't run macros. Don't use programs that can do destructive things without telling you. That's all that can be done.
|
25 years to life would be better,
Apart from the financial cost to institutions,
A virii epidemic could cost real life,
e.g. a Medical Institution needs to get test results
back from a Lab, but their whole internet is shut down due
to a "lovebug" and resources are being wasted etc.
I know this may sound farfetched but the world's a big place,
and the lovebug shut down a lot of institutions worldwide.
Unfortunately in the real world, there are too many nations that don't have the ability to enforce or investigate these crimes.
You'd need a true UN police task force.
And that isn't going to happen.
Regardz
|
Since Adam Turing's findings have shown it is not possible for one program to find out the purpose or inner workings of another, it is clear there is no such thing as a free lunch in computing.
Even your compiler doesn't understand your program. It just follows the rules set by the grammar of C++.
So it would never be possible according to our current knowledge to automatically divide between good and bad (harmful) software.
This takes the burden of the decision to the user. Since the user base has grown and the knowledge level has fallen, it's dangerous to rely on the user.
So in my opinion a sandbox solution is the only usable solution at the moment. And we all should force MS to move in that direction.
|
>> I see CNN is making a BIG DEAL out of the fact that Mac and Linux users were happily unaffected by the "I LOVE YOU"
>> virus. Microsoft should take it on the chin for this.
When (and if) Macs and Linux have a number of users similar or above those of Windows you can bet that virus writers will target those platforms too. BTW, CNN's business is selling news, they'll take anything that increases their ratings, even if they're not very accurate technically speaking.
|
>When (and if) Macs and Linux have a number of users similar or above those of Windows you can bet that virus writers will target those platforms too.
Absolutely. A shell script hastily executed by an unwary Unix user can do the same amount of damage as the worst macro virus. Even though the damage is contained to the user's directory it can be just as traumatic as if a similar script had been run on an NT or WinX box.
I also think that in time users will learn not to open macros so hastily. The message about not opening unknown .exe's is slowly sinking in - now all we have to do is warn our users about .vbs, .xls, .doc, ...