[SLL] succinct, yet pithy... (fwd)
sjuranic at maxwell.ee.washington.edu
Mon May 8 11:02:31 PDT 2000
I got this from another linux list I'm on. I'm repeating it here because of all
of the recent talk about the "ILOVEYOU" virus.
> This is from the Red Rock Digest, a list to which I subscribe, on the
> love virus.
> "Some notes on Microsoft viruses, economic history, and the rational
> side of Luddism, plus another batch of URL's.
> "I received about 60 copies of the latest Microsoft e-mail virus and
> its variants. How many did you get? Fortunately I manage my e-mail
> with Berkeley mailx and Emacs keyboard macros, so I wasn't at risk.
> But if we're talking about billions of dollars in damage, which
> equates roughly to millions of lost work days, then I think that we
> and Microsoft need to have a little talk.
> "Reading the press reports, Microsoft's stance toward this situation
> has been disgraceful. Most of their sound bites have been sophistry
> designed to disassociate the company from any responsibility for
> the problem. One version goes like this quote from Scott Culp of
> Microsoft Public Relations, excuse me, I mean Microsoft Security
> Response Center:
> This is a general issue, not a Microsoft issue. You can write a
> virus for any platform. (New York Times 5/5/00)
> "Notice the public relations technology at work here: defocusing the
> issue so as to move attention away from the specific vulnerabilities
> of Microsoft's applications architecture and toward the fuzzy concept
> of "a virus". Technologists will understand the problem here, but
> most normal people will not. Mr. Culp also says this (CNET 5/5/00):
> This is by-design behavior, not a security vulnerability.
> "More odd language. It's like saying, "This is a rock, not something
> that can fall to the ground". It's confusing to even think about it.
> Even though Microsoft had been specifically informed of the security
> vulnerability in its software, it had refused to fix it. Microsoft
> even tried to blame its problem on Netscape, which had fixed it:
> "The next step is to blame the users. The same Mr. Culp read on the
> radio the text of a warning that the users who spread the virus had
> supposedly ignored. That warning concludes with a statement to the
> effect that you shouldn't execute attachments from sources that you
> do not trust. He read that part kind of fast, as you might expect,
> given that the whole point of this virus is that people receive an
> attachment from a person who has included them in their address book.
> This particular blame-shifting tactic is particularly disingenuous
> given that the virus spread rapidly through Microsoft itself, to the
> point that the company had to block all incoming e-mail (Wall Street
> Journal 5/5/00).
> "Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative"
> as saying that companies must educate employees "not to run a program
> from an origin you don't trust". Notice the nicely ambiguous word
> "origin". The virus arrives in your mailbox clearly labeled as having
> been sent by a particular individual with whom you probably have an
> established relationship. It bears no other signs of its "origin"
> that an ordinary user will be able to parse, short of executing the
> "So what on earth is Microsoft doing allowing attachments to run code
> in a full-blown scripting language that can, among many other things,
> invisibly send e-mail? Says the "Microsoft representative",
> We include scripting technologies because our customers ask us to
> put them there, and they allow the development of business-critical
> productivity applications that millions of our customers use.
> "There needs to be a moratorium on expressions such as "customers ask
> us to". Does that mean all of the customers? Or just some of them?
> Notice the some/all ambiguity that is another core technology of
> public relations. Do these "customers" really specifically ask for
> fully general scripts that attachments can execute, or do they only
> ask for certain features that can be implemented in many ways, some
> of which involve attachments that execute scripts? Do the customers
> who supposedly ask for these crazy things understand the consequences
> of them? Do they ask for them to be turned on by default, so that
> every customer in the world gets the downside of them so that a few
> customers can more conveniently get the upside? And notice how the
> "Microsoft representative" defocuses the issue again, shifting from
> the specific issue of scripts that can be executed by attachments
> to the fuzzy concept of "scripting technologies", as if anybody were
> suggesting that scripting technologies, as such, in general, were to
> "Microsoft shouldn't be broken up. It should be shut down.