The hysteria amazes me....


Monte
05-11-2000, 10:42 AM
I'm sorry but I find it difficult to have any sympathy for anyone who was
"victimized" by ILOVEYOU. It amazes me that people who as a rule are intelligent
enough to not eat candy left on their doorstep will without pause run any
program sent to them via an equally anonymous delivery system like email.

Sure, there is a security issue of sorts here; it probably is too easy to
automate Outlook. But what REAL damage was done? Companies are inconvenienced
because they shut down email servers as a knee-jerk response to the situation,
but was there any data lost? Anything stolen?

There is a simple solution that would render these idiotic VBscript worms
impotent immediately: Set Outlook's Attachment Security to High so you have
to manually launch any attachments (most other mail readers have a similar
setting), and NEVER EVER launch any attachments with a VBS extension. Then
there will be some accountancy for the idiots who RUN these things - the
real villains in this story if you ask me.

Phil Weber
05-11-2000, 11:20 AM
> ...but was there any data lost?

Monte: Yes, several Web and media companies lost data in the form of
graphics files that were overwritten by the virus.
---
Phil Weber

KC
05-11-2000, 11:32 AM
"Then there will be some accountancy for the idiots who RUN these things -
the real villains in this story if you ask me."

I agree wholeheartedly. The line of reasoning which tries to place blame
on the design of Outlook is akin to a line of reasoning which blames automobile
design (which allows drunk drivers to crash the cars).

The responsibility here lies squarely with the users. Do something stupid,
and you are likely to pay a penalty.

Brian
05-11-2000, 12:14 PM
Microsoft left a huge door open by allowing outside sources access to local files
and directories. Think about it...You can access ANY file on a user's system
through the File system object (which is exactly what the ILOVEYOU virus
did). There are NO security settings for this object.

Why would you allow anyone who can write a script file access your files?
Outside of cookies, what other file(s) would anyone on the outside need
access to? And if you are going to allow access to files, why delete and
overwrite?

Microsoft needs to take the blame for this...period. When they released
the scripting host, they were warned repeatedly about what could happen and
they ignored it. That is why we now have these worm viruses running around.
Anyone can write a script file that will destroy files with just a few lines
of code. And let's not forget, web pages can and do contain client side
scripts as well. The ILOVEYOU virus is just the tip of the iceberg.

Welcome to the electronic age.

Karl E. Peterson
05-11-2000, 01:54 PM
Hi Brian --

> Microsoft left a huge door open by allowing outside sources access to local files
> and directories.

LOL! Are you serious? You're not, right?

> Think about it...You can access ANY file on a user's system
> through the File system object (which is exactly what the ILOVEYOU virus
> did). There are NO security settings for this object.

VBS only has access to local resources when executed *locally*. Duh. There's no
hole here. These folks *chose* to run a script on *their* system. What's confusing
about this?

> Why would you allow anyone who can write a script file access your files?

Good question. Did you? Why? I sure as **** didn't, and neither did anyone in my
office.

> Outside of cookies, what other file(s) would anyone on the outside need
> access to? And if you are going to allow access to files, why delete and
> overwrite?

You really don't get it, do you?

> Microsoft needs to take the blame for this...period. When they released
> the scripting host, they were warned repeatedly about what could happen and
> they ignored it.

Oh, BS. DOS supported batch files, and most command processors still do. If I send
you an ILOVEYOU.TXT.BAT with a single line:

del c:\*.* /s /q

Would it be Microsoft's fault that you're too stupid not to run it? Scripting is
part of all operating systems. Fact of life.

> That is why we now have these worm viruses running around.

Wrong again, bucko. We have them because idiots fall for it every time.

> Anyone can write a script file that will destroy files with just a few lines
> of code. And let's not forget, web pages can and do contain client side
> scripts as well. The ILOVEYOU virus is just the tip of the iceberg.

Best advice for you: Unplug your modem and save $20 bucks a month!

> Welcome to the electronic age.

Latecomer, huh? That's okay. Stick with it awhile, and I'm sure you'll get the hang
of it!

Later... Karl
--
http://www.mvps.org/vb

Ken Nelson
05-13-2000, 02:33 PM
>Would it be Microsoft's fault that you're too stupid not to run it? Scripting is
>part of all operating systems. Fact of life.

Yes it's "stupid" for a developer to run a script from an untrusted source.
But guess what- other people besides developers and uber-geeks use computers.
(this is why they pay us developers so well...) People who have no idea what
a script or .vbs file is, and receive such apparently from someone they
know. The software they rely on should provide reasonable security to the
AVERAGE person, without requiring a programming degree to understand or configure.

So the fact that millions did run the attachment and suffer damage... does
this mean that millions of users are ALL idiots and should be disconnected
from the Internet?

Also, VBS scripting is NOT a fact of everyone's life. Majority of users don't
use it/ need it/ want it - especially for incoming email from the world...
yet it's defaulted ON.

(PS "Chris"/"Guy" - Bite Me. Hard. No I don't use Linux. Normal people use
computers, too. Try to meet some.)

Karl E. Peterson
05-15-2000, 01:48 PM
Hi Ken --

> >Would it be Microsoft's fault that you're too stupid not to run it? Scripting is
> >part of all operating systems. Fact of life.
>
> Yes it's "stupid" for a developer to run a script from an untrusted source.
> But guess what- other people besides developers and uber-geeks use computers.

Cut 'em off if they don't know what they're doing. Give 'em hardcoded silicon, like
that crap Ellison is promoting.

> (this is why they pay us developers so well...) People who have no idea what
> a script or .vbs file is, and receive such apparently from someone they
> know. The software they rely on should provide reasonable security to the
> AVERAGE person, without requiring a programming degree to understand or configure.

Why? They want a flexible machine, one that can be programmed to do anything, that's
what they get. They want a "smart toaster," that can be arranged as well. If they
want a programmable machine that can't be infected by internet-borne viruses, yeah,
pull their modem.

> So the fact that millions did run the attachment and suffer damage... does
> this mean that millions of users are ALL idiots

Yes.

> and should be disconnected from the Internet?

Just from their hard drives. HTH!

> Also, VBS scripting is NOT a fact of everyone's life. Majority of users don't
> use it/ need it/ want it - especially for incoming email from the world...
> yet it's defaulted ON.

Oh, grow up. Batch files are "defaulted on," as well. We've survived with those for
decades.

Later... Karl
--
http://www.mvps.org/vb

James Curran
05-17-2000, 10:55 AM
"Monte" <NotQuite@SpamMeNot.Com> wrote in message
news:391ab8b0$1@news.devx.com...
> Sure, there is a security issue of sorts here; it probably is too easy to
> automate Outlook. But what REAL damage was done? Companies are inconvenienced
> because they shut down email servers as a knee-jerk response to the situation,
> but was there any data lost? Anything stolen?

I think it's kind of funny that the news media is bandying about numbers
like 45 million machines infected & $10 billion lost. Of course that comes
out to a rather ridiculous $220/machine......

--
Truth,
James Curran
http://www.NJTheater.com
http://www.NJTheater.com/JamesCurran

Shawn K. Hall
05-17-2000, 04:24 PM
"James Curran" <jamescurran@mvps.org> wrote in message
news:3922a3c6$1@news.devx.com...
>
> I think it's kind of funny that the news media is bandying about numbers
> like 45 million machines infected & $10 billion lost. Of course that comes
> out to a rather ridiculous $220/machine......
>
> --
> Truth,
> James Curran
> http://www.NJTheater.com
> http://www.NJTheater.com/JamesCurran

It does sound exaggerated, but still within reason. Web graphic
artists could easily have lost upwards of tens of thousands in art in
a matter of seconds with that little virus. That should make up for
quite a number of the other machines that just lost work time (though
for myself, I can say that work time alone is a rather expensive
loss). I bill my server time based on connectivity. If my provider is
down beyond their "guaranteed" hours, I don't have to pay the bill.
For those businesses that have clauses like mine, the ISP's could be
out quite a bit just based on the service agreements.

I find it very hard to imagine that many businesses *not* having a
current backup of at least the last week's work on a separate drive (I
prefer CDR). Had I opened the virus I would only have lost about a
day's worth of work. CDR's have dropped below 35c/each here in the last
month, yet the world seems to have forgotten about backups.

The AntiVirus companies are the ones that are going to make the money
on this 'event', but I think all these people that were affected would
be better off investing in CDRW's. <g>

Regards,

Shawn K. Hall
Programmer / Analyst
*Please* post/respond in the newsgroups!
http://i.am/shawnkhall

Phil Weber
05-20-2000, 08:45 AM
> I find it very hard to imagine that many businesses *not*
> having a current backup of at least the last week's work
> on a separate drive.

Shawn: Restoring from backups takes time, and as we all know, time = money.
So even if no data is irretrievably lost, a virus infection can still cost a
company money in the form of time spent (wasted?) restoring and disinfecting
computers.
---
Phil Weber

Shawn K. Hall
05-20-2000, 12:48 PM
"Phil Weber" <pweber@teleport.com> wrote in message
news:39267a78@news.devx.com...
> Shawn: Restoring from backups takes time, and as we all know, time = money.
> So even if no data is irretrievably lost, a virus infection can still cost a
> company money in the form of time spent (wasted?) restoring and disinfecting
> computers.
> ---
> Phil Weber

Agreed, but if you've read the details from the articles on ZDNet
you'd think nobody in the entire industry ever heard of backup before.
The "downtime" can be considerably small too. Using Ghost I can create
an image of my entire drive in a matter of 15 minutes, and restoring
it takes even less time. I don't need to reinstall an OS, I don't need
to worry about configuration issues or anything of the sort, because I
have a useable image on reserve. The data files get backed up at least
once a week, via a pre-designed template (C:\My Documents\*.* & C:\My
Website\*.*, recursive) which burns it to CDR as well. *If* my
computer were to go out I would have my system restored with all of
the data from less than a week back in a matter of 20 to 30 minutes at
most.

Who can afford *not* to have a backup? I understand what you're saying
about the time spent being time wasted, but viruses have been in the
industry as long as the programmers, and they're not going to go away.
It's a fact of life in this business.

--
Shawn K. Hall
Programmer / Analyst
*Please* post/respond in the newsgroups!
http://i.am/shawnkhall

Robert C. Cain
05-23-2000, 11:12 AM
"Shawn K. Hall" <shawnkhall@iname.com> wrote in message
news:3926b367$1@news.devx.com...
> The "downtime" can be considerably small too. Using Ghost I can create
> an image of my entire drive in a matter of 15 minutes, and restoring
> it takes even less time.

Shawn,

This is very well if you are talking about one computer. I have a customer
who has over 8,000 (yes, that's EIGHT THOUSAND) PC's in just one location.
At fifteen minutes per machine, it would take just over 83 man days to
restore all of these, assuming you work 24 hours a day. Working an eight
hour day, it would take one guy 249 days to restore all of these. Since
there's only 260 working days in a year, assuming the guy takes his two
weeks vacation it would take him the ENTIRE WORKING YEAR to restore all of
these machines, with one day off for sick leave. And that's just at the one
location. This company has offices in 9 southeastern states.

Of course I realize that in this situation they'd have more than one guy
working on it, but now maybe you can see the staggering cost involved for a
large corporation.

Robert

Shawn K. Hall
05-23-2000, 06:05 PM
"Robert C. Cain" <robert.cain@comsys.com> wrote in message
> > The "downtime" can be considerably small too. Using Ghost I can create
> > an image of my entire drive in a matter of 15 minutes, and restoring
> > it takes even less time.
>
> Shawn,
>
> This is very well if you are talking about one computer. I have a customer
> who has over 8,000 (yes, that's EIGHT THOUSAND) PC's in just one location.
> At fifteen minutes per machine, it would take just over 83 man days to
> restore all of these, assuming you work 24 hours a day. Working an eight
> hour day, it would take one guy 249 days to restore all of these. Since
> there's only 260 working days in a year, assuming the guy takes his two
> weeks vacation it would take him the ENTIRE WORKING YEAR to restore all of
> these machines, with one day off for sick leave. And that's just at the one
> location. This company has offices in 9 southeastern states.
>
> Of course I realize that in this situation they'd have more than one guy
> working on it, but now maybe you can see the staggering cost involved for a
> large corporation.

Robert,

Ghost can multicast an image. You could build several at a time - I
don't know the exact limitation since I've never done that before, but
I imagine even a handful of techs could rebuild all 8000 in a much
more reasonable amount of time than the 2 1/2 months you quoted. I do
agree that it is a major cost involved in rebuilding computers. But
*nothing* is going to change the fact that as developers and users we
are targeted by virus authors, and we will be required to deal with
these costs regardless.

Anyway, my post was directed to the developers, like me, that use only
a few computers for development. Though there *are* means of securing
yourself, nothing is perfect, and we must accept that proceeding
without a recent backup - with costs to do so so outrageously *low*
compared to having to rewrite the code lost - is simply insane.

Regards,

Shawn K. Hall
Programmer / Analyst
*Please* post/respond in the newsgroups!
http://i.am/shawnkhall

Bob Rafuse
06-07-2000, 03:40 PM
> Microsoft left a huge door open by allowing outside sources access to local files
> and directories. Think about it...You can access ANY file on a user's system
> through the File system object (which is exactly what the ILOVEYOU virus
> did). There are NO security settings for this object.
>
> Why would you allow anyone who can write a script file access your files?
> Outside of cookies, what other file(s) would anyone on the outside need
> access to? And if you are going to allow access to files, why delete and
> overwrite?
>
> Microsoft needs to take the blame for this...period. When they released
> the scripting host, they were warned repeatedly about what could happen and
> they ignored it. That is why we now have these worm viruses running around.
> Anyone can write a script file that will destroy files with just a few lines
> of code. And let's not forget, web pages can and do contain client side
> scripts as well. The ILOVEYOU virus is just the tip of the iceberg.

So by your definition, if I accidentally leave my front door unlocked and
someone comes in and trashes my place and maybe even kills me, ~I~ bear all
of the responsibility? That's stupid.

Yes, MS should bear ~some~ of the responsibility by ignoring certain
security issues, but it is without question the loser cretins who create
these viruses in the first place (not to mention the idiots who propagate
them) who bear the ~majority~ of the blame.

Bob.

Russ
06-09-2000, 08:21 PM
>So by your definition, if I accidentally leave my front door unlocked and
>someone comes in and trashes my place and maybe even kills me, ~I~ bear all
>of the responsibility? That's stupid.

I don't think that's the correct analogy. It's a little more like this: If
you sell me a house, but don't tell me that you've given a key to millions
of people, then you've misled me into thinking my locked door is more secure
than it is. I think that comes under the heading of something like "criminal
negligence" or "reckless endangerment".

The problem is that Outlook is equipped with a facility that lets a user
"Open" any file that is received as a mail attachment. Now, most users aren't
very sophisticated about understanding that "Opening" a file can be very dangerous
if that file is an "executable" of some sort. What makes things worse, the
list of "executable" file attachments is getting longer all the time. Back
in simpler days, all a user had to know was not to type a filename on the
command line if the file ended in COM, EXE, or BAT. But the list of "executables"
is getting too long, and it would be a full time job for even the most savvy
user to keep up with them. I, for one, am a developer who uses VB, but I
still didn't realize that "VBS" files contained VBScript code that would
be executed by the new Windows Scripting Host. I was vaguely aware that the
thing existed, but I didn't know the details. Well, we all do now, don't
we?

The irony is that the "open attachment" capability of Outlook was something
MS did specifically for less-experienced users who don't know how to save
an attachment file and then go look it up in the file system and launch it.
By making it super convenient, they made it super dangerous.... sort of
like putting an automatic door-opener on your front door that you can't turn
off.
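
Added example (not part of the original thread, and not code from any poster or from Outlook): a mail-gateway attachment screen for the problem described in this post. Because the list of file types that run on "Open" keeps growing, it allows only known document types, quarantines everything else, and blocks disguised names such as the ILOVEYOU.TXT.BAT mentioned earlier in the thread. The extension sets, function names, addresses and sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative, NOT exhaustive: types Windows runs when the user "opens" them.
RUNS_ON_OPEN = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat",
                ".cmd", ".com", ".exe", ".scr", ".pif", ".hta", ".lnk"}
# Assumed site policy: the only types delivered without review.
SAFE_TO_OPEN = {".txt", ".jpg", ".gif", ".png", ".csv"}


def classify(filename):
    """Return (verdict, reason) for one attachment name.

    Verdicts: "allow", "quarantine" (unknown type, held for review),
    "block" (known to execute on open).
    """
    # Windows ignores trailing dots and spaces when resolving a name, so
    # "notes.vbs. " still runs as .vbs. Strip them before looking.
    name = (filename or "").strip().rstrip(". ").lower()
    # Keep only the last path component in case a path was smuggled in.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    suffixes = PurePosixPath(name).suffixes
    if not suffixes:
        return ("quarantine", "no extension")
    final = suffixes[-1]
    if final in RUNS_ON_OPEN:
        # A harmless-looking inner extension is the classic disguise.
        if len(suffixes) > 1 and suffixes[-2] in SAFE_TO_OPEN:
            return ("block", f"double extension: {suffixes[-2]} hides {final}")
        return ("block", f"{final} runs when opened")
    if final in SAFE_TO_OPEN:
        return ("allow", f"{final} is on the allowlist")
    # Default deny: nobody has to keep up with the growing executable list.
    return ("quarantine", f"{final} is not on the allowlist")


def screen_message(raw):
    """Parse a raw RFC 822 message and classify every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        results.append((name, *classify(name)))
    return results


def build_sample():
    """Constructed sample message with three attachments (placeholder bodies)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("ILOVEYOU.TXT.BAT", "report.txt", "macro.xyz"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample()):
        print(f"{verdict:<10} {name:<20} {reason}")
```
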

Justin
06-10-2000, 08:57 AM
> By making it super convenient, they made it super dangerous.... sort of
> like putting an automatic door-opener on your front door that you can't turn
> off.

I like that!!! That is a good analogy. I also agree with your perspective.
Yet, the other post makes a valid point. Even if MS gives out a key to
millions of people that unlocks my door, the first person who uses it without
my permission should still be held accountable for a crime. Leaving my door
unlocked is not a tacit agreement that anyone can come in and trash the place.
So I feel the first step is that we (society) must begin to realize that
malicious virus developers are a *serious* threat to society. That laws,
existing or otherwise need to be enhanced such that punishment fits the crime
of causing billions of dollars of damage or worse, causing deaths.

Also, I feel MS and any other software manufacturer need to go that one extra
step and build into their systems more checks, more safeguards without taking
away from the ease of use. My Father is not that computer savvy so he needs
the simplicity of click and it runs. What he also needs is an OS that could
tell him, "Danger Will Robinson" when he is about to run something without
his knowledge (or delete something). To use your analogy, I can't stop the
burglar from coming through the automatic front door, but with the press of
a button, I can freeze him in place and throw him out just before he hits
me because I was warned.

Justin


"Russ" <rholsclaw@j-space.com> wrote:
>>So by your definition, if I accidentally leave my front door unlocked and
>>someone comes in and trashes my place and maybe even kills me, ~I~ bear all
>>of the responsibility? That's stupid.
>
>I don't think that's the correct analogy. It's a little more like this: If
>you sell me a house, but don't tell me that you've given a key to millions
>of people, then you've misled me into thinking my locked door is more secure
>than it is. I think that comes under the heading of something like "criminal
>negligence" or "reckless endangerment".
>
>The problem is that Outlook is equipped with a facility that lets a user
>"Open" any file that is received as a mail attachment. Now, most users aren't
>very sophisticated about understanding that "Opening" a file can be very dangerous
>if that file is an "executable" of some sort. What makes things worse, the
>list of "executable" file attachments is getting longer all the time. Back
>in simpler days, all a user had to know was not to type a filename on the
>command line if the file ended in COM, EXE, or BAT. But the list of "executables"
>is getting too long, and it would be a full time job for even the most savvy
>user to keep up with them. I, for one, am a developer who uses VB, but I
>still didn't realize that "VBS" files contained VBScript code that would
>be executed by the new Windows Scripting Host. I was vaguely aware that the
>thing existed, but I didn't know the details. Well, we all do now, don't
>we?
>
>The irony is that the "open attachment" capability of Outlook was something
>MS did specifically for less-experienced users who don't know how to save
>an attachment file and then go look it up in the file system and launch it.
>By making it super convenient, they made it super dangerous.... sort of
>like putting an automatic door-opener on your front door that you can't turn
>off.

James Curran
06-16-2000, 11:03 AM
"Russ" <rholsclaw@j-space.com> wrote in message
news:39417c02$1@news.devx.com...
> I don't think that's the correct analogy. It's a little more like this:

A better analogy: Every year Ed McMahon sends millions of people a
letter saying "You may have already won $10,000,000". Every year a couple
yahoos receive the letter, and start spending the money. So who's at fault
here:

Ed McMahon?
The morons who believed the letter?
The US Postal Service for delivering it?

--
Truth,
James Curran
http://www.NJTheater.com (Professional)
http://www.NJTheater.com/JamesCurran (Personal)
http://www.BrandsForLess.com (Day Job)

Bob Rafuse
06-16-2000, 06:34 PM
> >So by your definition, if I accidentally leave my front door unlocked and
> >someone comes in and trashes my place and maybe even kills me, ~I~ bear all
> >of the responsibility? That's stupid.
>
> I don't think that's the correct analogy. It's a little more like this: If
> you sell me a house, but don't tell me that you've given a key to millions
> of people, then you've misled me into thinking my locked door is more secure
> than it is. I think that comes under the heading of something like "criminal
> negligence" or "reckless endangerment".
>
<SNIP>

Oh, I agree that MS sort of left the door open for these types of security
problems and deserves a small slice of the blame (at least with respect to
this issue).

I am simply staggered by the number of people who blame MS solely for these
problems. Worse, some nitwits out there actually ~praise~ the virus writers
as some sort of noble hacker, valiantly demonstrating the security holes in
the evil Microsoft's products.

IMNSHO, as my analogy implied, it's the loser malcontent a-holes that take
advantage of the security holes in the first place that deserve the vast
majority of the ire and blame. "Frig 'em all! A bullet in the head of each
virus writer!" is how I see it.

Bob.

James Curran
06-20-2000, 02:10 PM
"Bob Rafuse" <bobrafuse@yahoo.com> wrote in message
news:394a9c8a$1@news.devx.com...
> I am simply staggered by the number of people who blame MS solely for these
> problems. Worse, some nitwits out there actually ~praise~ the virus writers
> as some sort of noble hacker, valiantly demonstrating the security holes in
> the evil Microsoft's products.

I agree.. The way I see it. Say I were to take a car and drive down the
sidewalk, running people down. Is it the victims' fault, for walking on a
sidewalk where a car could drive down? Is it the auto maker's fault, for
building a car which could be driven on the sidewalk? Or is it my fault,
for driving on the sidewalk?

--
Truth,
James Curran
http://www.NJTheater.com (Professional)
http://www.NJTheater.com/JamesCurran (Personal)
http://www.BrandsForLess.com (Day Job)

Mark Newman
06-21-2000, 02:05 PM
"James Curran" <jamescurran@mvps.org> wrote in message
news:394fa3e7$2@news.devx.com...
> "Bob Rafuse" <bobrafuse@yahoo.com> wrote in message
> news:394a9c8a$1@news.devx.com...
> > I am simply staggered by the number of people who blame MS solely for these
> > problems. Worse, some nitwits out there actually ~praise~ the virus writers
> > as some sort of noble hacker, valiantly demonstrating the security holes in
> > the evil Microsoft's products.
>
> I agree.. The way I see it. Say I were to take a car and drive down the
> sidewalk, running people down. Is it the victims' fault, for walking on a
> sidewalk where a car could drive down? Is it the auto maker's fault, for
> building a car which could be driven on the sidewalk? Or is it my fault,
> for driving on the sidewalk?

Yet another analogy follows ;^)

MS's implementation of security could also be compared to a person giving a
17-year old boy a bottle of whiskey and the car keys, saying "Have fun!",
and then acting surprised when the crash occurs.

MS doesn't deserve all of the blame, but they do bear some responsibility
for making it incredibly easy for viruses like this to exist.

Mark