[ I realize that this is long, and also that some gnhluggers are
themselves subscribers to Phil Agre's RRE newsletter, from which
this material is extracted. Apology. However, Agre achieves
a clarity to be appreciated. Especially: "weenies". Enjoy.
-Bill ]
Phil Agre, in "[RRE]notes and recommendations", 13 May 2000:
<snip>
In response to my notes on the slippery language Microsoft has used to
evade responsibility for the security problems that were exploited by
the most recent e-mail virus, RRE readers sent me a slew of additional
quotes from Microsoft personnel, including some that are astounding.
We can begin with another example of defocusing: redefining the issue
by eliding certain elements of critics' arguments:
"The issue here isn't scripting. It's the social phenomenon of
virus writing. That virus could have been written as an executable
or on any platform or in a nonscripting language. Just because this
virus was written in a scripting language, and we happen to support
scripting in our operating system, doesn't make it a security issue."
http://news.cnet.com/news/0-1003-200-1823167.html
Read this passage closely. Leave aside the question -- hard to even
discuss because it is so conveniently vague -- of whether "that virus"
could possibly have been written in another language or even on another
platform and still been the same virus. The problematic part starts
with "Just because ...". It's conceivable that someone, somewhere has
argued that the problem is the simple existence of scripting languages.
That person would be a convenient foil, but would hardly represent the
mainstream of critical opinion. The problem, as everyone knows, is
not scripting languages, but email clients that can execute attachments
that contain scripts that can perform a wide variety of potentially
damaging actions. Blaming "the social phenomenon of virus writing"
is not reasonable. A product that can be subverted by a random college
student to cause massive worldwide damage is not secure. That's what
"secure" means.
Given the scope of the recent disaster, some people were surprised to
find the following text in a Microsoft "knowledge base" page entitled
"General Information About Using VBScript with Outlook":
VBScript is designed to be a secure programming environment. It
lacks various commands that can be potentially damaging if used in
a malicious manner. This added security is critical in enterprise
solutions.
http://support.microsoft.com/support/kb/articles/Q167/1/38.ASP
(In case the page changes, I copied and pasted above passage on the
evening of 5/8/00.)
Rereading the passage I've quoted, one notices that no claim is made
that VBScript includes no commands that can cause damage -- only that
"various commands" are not included -- and likewise that no claim
is made that VBScript under Outlook is secure -- it only has "added
security". It sounded good when I read it the first time, though.
Or consider the following passages from a message from Microsoft,
dated 5/8/00 and entitled "Special Edition -- Office News Service --
Virus Alert":
Last week a new virus began circulating through e-mail that has the
potential to affect a wide range of e-mail users including those
users running Microsoft Outlook. If run, the virus could overwrite
.jpg, .mp3 and other file types, and attempt to send a copy of
itself to everyone in the recipient's address book.
The language here attempts to break any mental association between
the virus vulnerability and Outlook. The virus, we are told, "has the
potential to affect a wide range of e-mail users including those users
running Microsoft Outlook". A hurried reader would take away the
impression that the problem is not Outlook-specific. But two seconds'
thought will raise doubts. First, the virus will only work on a
machine that can execute Visual Basic scripts. That narrows it down
quickly to a small range of Microsoft platforms. One might ask, do
other Microsoft mailers execute Visual Basic scripts in attachments?
But that's not what the passage says. It says only that the virus
"has the potential to affect a wide range of e-mail users". Someone
who uses a Windows 98 mail client besides Outlook could for whatever
reason save the attached VBS file and then specifically execute it
from the desktop. This could "affect" the user's machine (damaged
files, modified startup, reset Explorer homepage), but it wouldn't
propagate the virus because the propagation mechanism relies on the
Outlook address book. This particular claim turns out to be correct,
but you have to read it carefully.
At least the passages I have quoted so far are just evasive. Some
of Microsoft's statements have been outright false. Here is a later
passage in the same text:
1) Customers can avoid being affected by this and other viruses by
following standard best practices:
++ Never run an executable from someone you don't know.
++ Always have a good-quality virus scanner.
++ Always keep the virus scanner's signature files up to date.
This is just not true. The messages that contained this virus were
from people who had you in their address books; they are therefore
likely to be people that you know. The suggested policy of not
opening attachments (now called "running executables" -- even though
the idea that opening an attachment *is* running an executable will
be counterintuitive for most normal users) from people you don't
know will not prevent this virus from spreading. Nor will the other
suggested policies prevent the virus: the best widely used virus
scanners (for some weird reason) do not stop this sort of virus
without it being included in a signature file, and the signature files
in this case (as in other cases) were not updated until the virus had
already spread far and wide. It is little wonder, then, that the same
Microsoft message included the following disclaimer:
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT
WARRANTY OF ANY KIND. The user assumes the entire risk as to the
accuracy and the use of this document.
The following astonishing passage is from an online column about
Microsoft's irresponsibility by Hiawatha Bray of the Boston Globe.
When I raised the issue with Microsoft spokesman Adam Sohn last
week, he described his idea of how companies could improve the
security of Outlook. "They should commence by beating their
employees", Sohn declared.
He chuckled to signify that he was kidding -- but only about the
floggings. Sohn was dead serious about Microsoft's utter lack
of responsibility for the Love Bug fiasco. Instead, he blamed
the silly computer users who go opening e-mail attachments.
"People shouldn't open them", said Sohn. "That's the problem."
http://www.digitalmass.com/columns/software/0508.html
A Microsoft spokesman is joking that employees should be beaten
for opening an attachment -- an attachment from a friend no less.
I am not making this up.
Finally, listen to this quote from Microsoft's inescapable Scott Culp:
In this case the virus author chose to target Outlook probably
because it gave him better reach. There isn't a security
vulnerability in Outlook involved in this at all.
http://dailynews.yahoo.com/h/nm/20000504/wr/virus_love_11.html
Mr. Culp thinks he is playing a game. Look everyone! I've managed
to spin this situation into being something good about Microsoft!
Never mind the lack of logical connection between the two sentences.
This is the company whose products are being used to rebuild the
productive infrastructure of the entire world, including large parts
of the US military. We are insane to be doing business with them.
What really causes these endless computer security disasters? We've
talked about economic factors, but now I think we have to talk about
another factor: weenies. Weenies come in two varieties, tech and
marketing. Tech weenies think they're smart but aren't mature enough
to do real engineering. Marketing weenies mechanically apply the
marketing dogmas of product differentiation but aren't capable of
having a real vision for their products. Multics was designed by
real engineers and the Mac was designed by marketing visionaries,
but Windows was designed by weenies. The most distinctive feature of
weenies is the worship of features. Tech weenies want everything to
be cool: that means hypergeneral, hyperprogrammable, hyperextensible,
no matter what hazards might result. Marketing people obsessively
look at the complete list of features in their competitors products
and command the tech weenies to include all of them, and then to
differentiate the product by adding more.
The tech weenies and marketing weenies typically hate each other, but
they have this in common: neither of them will ever voluntarily remove
a feature from a product, even if it causes billions of dollars in
damage. Tech weenies are basically designing for themselves, and have
no conception of human beings and their relationships -- and thus no
coherent trust model in their products. Marketing weenies are frantic
to get products to market, and have the shortest possible time horizon
-- and thus no concern for the world in which their products will soon
enough become ineradicable legacy systems. Weenies too often win in
high-technology competition because a critical mass of their customers
lacks detailed knowledge of the products. (Keep in mind that the real
customers of a company like Microsoft -- the ones who sign the checks
-- are generally neither the technical people nor the users.) Security
catastrophies will not disappear until the weenies are all under adult
supervision. This will never happen at Microsoft, which is managed by
two-year-olds who hire people just like themselves. One more reason to
shut it down.
</snip>
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
