[SLL] succinct, yet pithy... (fwd)

Steve Juranich sjuranic at maxwell.ee.washington.edu
Mon May 8 11:02:31 PDT 2000


I got this from another linux list I'm on. I'm repeating it here because of all
of the recent talk about the "ILOVEYOU" virus.

Enjoy.

--Steve J.


> This is from the Red Rock Digest, a list to which I subscribe, on the
> love virus.
>
> "Some notes on Microsoft viruses, economic history, and the rational
> side of Luddism, plus another batch of URL's.
>
> "I received about 60 copies of the latest Microsoft e-mail virus and
> its variants. How many did you get? Fortunately I manage my e-mail
> with Berkeley mailx and Emacs keyboard macros, so I wasn't at risk.
> But if we're talking about billions of dollars in damage, which
> equates roughly to millions of lost work days, then I think that we
> and Microsoft need to have a little talk.
>
> "Reading the press reports, Microsoft's stance toward this situation
> has been disgraceful. Most of their sound bites have been sophistry
> designed to disassociate the company from any responsibility for
> the problem. One version goes like this quote from Scott Culp of
> Microsoft Public Relations, excuse me, I mean Microsoft Security
> Response Center:
>
>     This is a general issue, not a Microsoft issue. You can write a
>     virus for any platform. (New York Times 5/5/00)
>
> "Notice the public relations technology at work here: defocusing the
> issue so as to move attention away from the specific vulnerabilities
> of Microsoft's applications architecture and toward the fuzzy concept
> of "a virus". Technologists will understand the problem here, but
> most normal people will not. Mr. Culp also says this (CNET 5/5/00):
>
>     This is by-design behavior, not a security vulnerability.
>
> "More odd language. It's like saying, "This is a rock, not something
> that can fall to the ground". It's confusing to even think about it.
> Even though Microsoft had been specifically informed of the security
> vulnerability in its software, it had refused to fix it. Microsoft
> even tried to blame its problem on Netscape, which had fixed it:
>
>     http://news.cnet.com/news/0-1005-200-1820959.html
>
> "The next step is to blame the users. The same Mr. Culp read on the
> radio the text of a warning that the users who spread the virus had
> supposedly ignored. That warning concludes with a statement to the
> effect that you shouldn't execute attachments from sources that you
> do not trust. He read that part kind of fast, as you might expect,
> given that the whole point of this virus is that people receive an
> attachment from a person who has included them in their address book.
> This particular blame-shifting tactic is particularly disingenuous
> given that the virus spread rapidly through Microsoft itself, to the
> point that the company had to block all incoming e-mail (Wall Street
> Journal 5/5/00).
>
> "Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative"
> as saying that companies must educate employees "not to run a program
> from an origin you don't trust". Notice the nicely ambiguous word
> "origin". The virus arrives in your mailbox clearly labeled as having
> been sent by a particular individual with whom you probably have an
> established relationship. It bears no other signs of its "origin"
> that an ordinary user will be able to parse, short of executing the
> attachment.
>
> "So what on earth is Microsoft doing allowing attachments to run code
> in a full-blown scripting language that can, among many other things,
> invisibly send e-mail? Says the "Microsoft representative",
>
>     We include scripting technologies because our customers ask us to
>     put them there, and they allow the development of business-critical
>     productivity applications that millions of our customers use.
>
> "There needs to be a moratorium on expressions such as "customers ask
> us to". Does that mean all of the customers? Or just some of them?
> Notice the some/all ambiguity that is another core technology of
> public relations. Do these "customers" really specifically ask for
> fully general scripts that attachments can execute, or do they only
> ask for certain features that can be implemented in many ways, some
> of which involve attachments that execute scripts? Do the customers
> who supposedly ask for these crazy things understand the consequences
> of them? Do they ask for them to be turned on by default, so that
> every customer in the world gets the downside of them so that a few
> customers can more conveniently get the upside? And notice how the
> "Microsoft representative" defocuses the issue again, shifting from
> the specific issue of scripts that can be executed by attachments
> to the fuzzy concept of "scripting technologies", as if anybody were
> suggesting that scripting technologies, as such, in general, were to
> blame.
>
> "Microsoft shouldn't be broken up. It should be shut down.