My work place was just one of the many sites hit this Thursday by the
Contrary to what you may hear, the virus doesn’t really depend on
a specific security flaw in Outlook (except for how easy it is to use it
from an external program to send mail). It doesn’t run when you read the
infected e-mail. It will run once you open (double click) the attachment.
And once you’ve done that,
it doesn’t really matter what mail client you’re using. If the
attachement is a program or a script with an associated interpreter,
it will run.
The point here isn’t the insecurity of a mail client, it’s the
vulnerability of the typical high-tech work place: Everyone running
the same platform (windows), with the same e-mail client (Outlook)
open. Everyone has updated Microsoft products with WScript.exe, and
the whole thing has a permenant connection to the internet.
And as far as opening attachements goes, the work place is the worst offender, with
everyone’s pals sending them kewl pics, animations, screen savers
and whatever. It’s part of the culture there.
It’s Bangkok without condoms, and any high schooler
can cut and paste together a new HIV strain in the span of a lazy afternoon.
ILOVEYOU is a pretty lazy hack, done by a bored high-schooler.
It looks like something put together by someone with little programming
skill from some windows scripting host code samples.
And it burned through my workplace like a brushfire.
If there’s someone who is left looking stupid after this virus it’s
Anitvirus software manufacturers. Their software is still looking
for boot-sector parasites written by smart assembler hackers, but
these are going extinct alongside the floppy disk. Programs that rely on lists of known viruses look ridicilous when the current
windows monoculture let’s script kiddies write killer worms in 10 minutes.
Maybe its time Microsoft started taking security seriously.
When every cell around has the same DNA, new kinds of viruses thrive,
and these drive the development of new solutions. Really big
multi-cellular bodies have immune systems to protect themselves,
which are quite different (and several orders of magnitude more
sophisticated) than the “anti-virus software” single-celled organisms
Maybe Microsoft should get into
the anti-virus business
The existance of MS created hundreds of niches where other software companies thrive.
Once in a while, MS go after one
of these niches and crush their competition like bugs. Once it was
the FAX software people, another time it was people working on 3D
software APIs, and most noticably it was Netscape’s browser niche.
Having MS eat up the anti-virus business will be a development
most users would cheer.
Breaking up Microsoft is brain-surgery with chainsaws, used to
remedy a mental health issue. But MS have been in denial about
an obvious problem. By having their software everywhere, making all
the pieces play nice together, enabling automation, etc. they’ve
done some remarkable things. But they did this while ignoring
the core problem of security. It is time for them to realize the
fundemental problem and do something about it.
I don’t think MS can get around the problem of Security (“developing an immune system”)
with a white paper or “security update”. They can’t just whip up
a security-concious version of WScript.exe, cmd.exe and their other
general interpreters without breaking lots of stuff everywhere, and
they probably aren’t going to really address the problems of users
running unsafe content in any forseeable version of Windows.
How about instead of breaking up MSoft, the US government passes a regulation specifying that no more than 50% of the desktops in any
work place may run an OS from the same manufacturer? There are
stupider regulations, and this will at least hinder the spreading
of viruses a bit, so it’s a bit of a safety regulation. (I say from
the same manufacturer to catch the smart alec who thinks that NT
& Win98 are different OSes – “we play both kinds of music, Country
This will break the MS monopoly, which is based on business sales.
It won’t actually damage the company, but it will force it to
deliver solutions for hetrogeneous environments.
Web applications and cross-platform browsers (like the one made by
whatstheirname) will get a big boost out of this.
People will stop sending Word and Powerpoint attachments (or stupider
things; a publisher I know, a Mac-only shop, once received a logo from
a client as an image file embedded in a Word document…).