
<nettime> tough love digest (fwd)

<snip, snip>

And who do we love? We love the journalists who, despite having the
source of the ILOVEYOU virus repeatedly delivered to them as an
attachment, said that it could 'steal your bank details' (Channel 5) and
that it affected Macintoshes (BBC News Online) but not users of the
'Lycos operating system' (The Times). We loved NETWORK ASSOCIATES' boast
that they 'believed [it] to have originated in Manila' and 'We have the
name of who we think it is but we're not saying' (amazing detective
work, given that the handle and location of the author are in the first
line of the script). We loved that one of the first propagators in the
UK was McAfee's PR company. We loved watching MoneyFacts send it to
their entire mailing list, then apologise using a cc: list of their
subscribers. We loved it when mail gateways led to it being sent by fax
and SMS. And we loved it when Microsoft pretended that it had nothing to
do with their lousy security provision in Outlook and Windows


to: "Red Rock Eater News Service" <rre@lists.gseis.ucla.edu>
subject: [RRE]notes and recommendations [abridged]

Some notes on Microsoft viruses <...>

I received about 60 copies of the latest Microsoft e-mail virus and
its variants.  How many did you get?  Fortunately I manage my e-mail
with Berkeley mailx and Emacs keyboard macros, so I wasn't at risk.
But if we're talking about billions of dollars in damage, which
equates roughly to millions of lost work days, then I think that we
and Microsoft need to have a little talk.

Reading the press reports, Microsoft's stance toward this situation
has been disgraceful.  Most of their sound bites have been sophistry
designed to disassociate the company from any responsibility for
the problem.  One version goes like this quote from Scott Culp of
Microsoft Public Relations, excuse me, I mean Microsoft Security
Response Center:

  This is a general issue, not a Microsoft issue.  You can write a
  virus for any platform.  (New York Times 5/5/00)

Notice the public relations technology at work here: defocusing the
issue so as to move attention away from the specific vulnerabilities
of Microsoft's applications architecture and toward the fuzzy concept
of "a virus".  Technologists will understand the problem here, but
most normal people will not.  Mr. Culp also says this (CNET 5/5/00):

  This is by-design behavior, not a security vulnerability.

More odd language.  It's like saying, "This is a rock, not something
that can fall to the ground".  It's confusing to even think about it.
Even though Microsoft had been specifically informed of the security
vulnerability in its software, it had refused to fix it.  Microsoft
even tried to blame its problem on Netscape, which *had* fixed it:


The next step is to blame the users.  The same Mr. Culp read on the
radio the text of a warning that the users who spread the virus had
supposedly ignored.  That warning concludes with a statement to the
effect that you shouldn't execute attachments from sources that you
do not trust.  He read that part kind of fast, as you might expect,
given that the whole point of this virus is that people receive an
attachment from a person who has included them in their address book.
This particular blame-shifting tactic is particularly disingenuous
given that the virus spread rapidly through Microsoft itself, to the
point that the company had to block all incoming e-mail (Wall Street
Journal 5/5/00).

Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative"
as saying that companies must educate employees "not to run a program
from an origin you don't trust".  Notice the nicely ambiguous word
"origin".  The virus arrives in your mailbox clearly labeled as having
been sent by a particular individual with whom you probably have an
established relationship.  It bears no other signs of its "origin"
that an ordinary user will be able to parse, short of executing the

So what on earth is Microsoft doing allowing attachments to run code
in a full-blown scripting language that can, among many other things,
invisibly send e-mail?  Says the "Microsoft representative",

  We include scripting technologies because our customers ask us to
  put them there, and they allow the development of business-critical
  productivity applications that millions of our customers use.

There needs to be a moratorium on expressions such as "customers ask
us to".  Does that mean all of the customers?  Or just some of them?
Notice the some/all ambiguity that is another core technology of
public relations.  Do these "customers" really specifically ask for
fully general scripts that attachments can execute, or do they only
ask for certain features that can be implemented in many ways, some
of which involve attachments that execute scripts?  Do the customers
who supposedly ask for these crazy things understand the consequences
of them?  Do they ask for them to be turned on by default, so that
every customer in the world gets the downside of them so that a few
customers can more conveniently get the upside?  And notice how the
"Microsoft representative" defocuses the issue again, shifting from
the specific issue of scripts that can be executed by attachments
to the fuzzy concept of "scripting technologies", as if anybody were
suggesting that scripting technologies, as such, in general, were to

Microsoft shouldn't be broken up.  It should be shut down.


#  distributed via <nettime>: no commercial use without permission