a car crash always draws a crowd digest #2


From: eugene.leitl@lrz.uni-muenchen.de
Date: Tue May 09 2000 - 10:04:02 PDT


(((something relevant from silent-tristero on the habitual MS fiasco)))

From: potso no takkyubin <silent-tristero@world.std.com>

                Re: MSFT Split -- ILOVEYOU says Hell Yeah!
                        from "Sean Colbath" <scolbath@bbn.com>
                         and chess@us.ibm.com
                Re: virus mutation
                        from Chris Leithiser <cleithis@bc.cc.ca.us>
                         and "Merritt, Anne M" <amerritt@co.intel.com>
                         and "Andrew A. Gill" <superluser@mail.isc.rit.edu>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: "Sean Colbath" <scolbath@bbn.com>
Subject: Re: MSFT Split -- ILOVEYOU says Hell Yeah!
Date: Mon, 8 May 2000 21:42:48 -0400

----- Original Message -----
From: "Brett Ellington Steiger III (He's baaaack)" <rali@tifosi.com>
To: "Silent Tristero" <silent-tristero@world.std.com>
Sent: Friday, May 05, 2000 11:23 PM
Subject: MSFT Split -- ILOVEYOU says Hell Yeah!

>
> OK ... so the programming is crap, but if you wade through the VBS
> scripting of the ILOVEYOU trojan[1] you will see that when it scoops
> the address lists from LookOUT[2] it does so via system calls ...
>
> Yes, Microsoft has created a mechanism IN THE OPERATING SYSTEM to
> read the address book OF THE APPLICATION ...

Yes, if you consider a COM call to be a system call... Just to be precise,
the call "mapi.AddressLists" can occur in the address space of the
executing program, or a separate process. It is no more a system call than
a call to any other dynamically linked library in the user's path.

-----------------------------------------------------------

From: chess@us.ibm.com
Date: Tue, 9 May 2000 09:01:12 -0400
Subject: Re: MSFT Split -- ILOVEYOU says Hell Yeah!

If I may wax slightly pedantic...

> [1] +trojan+, dammit, not "Love bug" not virus, trojan ...

Sure it's a Trojan horse in that it does something you don't want it to do,
but what makes it more interesting is that it's a Trojan horse that
*replicates*, so it's nice to have special names to call attention to that
fact. "Virus" and "worm" are both words for "replicating Trojan". They
have slightly different connotations (viruses tend to infect
already-existing "programs" or "files", whereas worms tend to be
"self-contained"), but they're near synonyms. I like the word "worm" best
for the Love Letter thing myself, but "virus" is IMHO acceptable as well.

> Yes, Microsoft has created a mechanism IN THE OPERATING SYSTEM to
> read the address book OF THE APPLICATION ...

While I think Microsoft could certainly be doing a better job of adding
security at the same rate that they add complexity, I don't think the above
is quite accurate. The operating system doesn't itself provide a way to
get at the application's address book, it just provides a way for the
application (any application) to register the fact that "I have an
entrypoint called FOO" (or anything else). Outlook registers the fact that
it exists, and that it has calls like "GetNameSpace" (and that GetNameSpace
returns an object that has properties like AddressLists, and so on). Other
programs (like the Love Letter script) can then set up a connection to
Outlook, and call the various registered entrypoints and stuff. It's not
IMHO a bad programming paradigm (nothing inherently wrong with OO dynamic
linking?); the problem is that there's no notion of *trust levels*. If you
run a thing at all, it has free run of the machine, or at least as free run
as you yourself do. What's needed is something like the Java trust model,
where the operating system knows that the running program was just casually
executed from a piece of mail, and therefore shouldn't be allowed to do
certain things (mass-mailing, file-erasing, etc). Duh! *8)

DC

        [I once heard that Symbolics considered the obviously useful
         feature of permitting embedded lisp in email, which would
         have been relatively trivial to do, but they didn't
         do it because of the obvious security problems.

         This was in 1982 or so.

         I'm sure my hazy memory will be corrected.

         Microsoft, I think, still hasn't grokked the network. They
         still release programs as though computers will only
         communicate with the computers of other people who work for
         the same organization and who can be fired for doing
         something so stupid as propagating an email virus that costs
         the company money.

         Of course, they could make big progress just by going through
         old UNIX security bug reports, and fixing the same flaws in
         NT. ---pozzo]
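
The point in DC's message above about registered entrypoints and missing trust levels, as an added sketch that is not part of the original thread: a toy registry (a model, not the COM API) where the same call from a mail-launched caller is allowed when no origin check exists and denied once a per-origin policy is enforced. The origin labels, capability names, entrypoint wiring and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical origin labels and capability names, constructed for this sketch.
TRUSTED, MAIL = "installed_by_user", "mail_attachment"
POLICY = {
    TRUSTED: {"addressbook.read", "mail.send"},
    MAIL: set(),  # code run casually from a message gets no sensitive capability
}

class Denied(PermissionError):
    pass

@dataclass
class Registry:
    """Stand-in for the object registry the message describes."""
    enforce_trust: bool
    entrypoints: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, name, func, capability):
        # An application announces "I have an entrypoint called <name>".
        self.entrypoints[name] = (func, capability)

    def call(self, origin, name, *args):
        func, capability = self.entrypoints[name]
        allowed = not self.enforce_trust or capability in POLICY.get(origin, set())
        self.audit.append((origin, name, "allow" if allowed else "deny"))
        if not allowed:
            raise Denied(f"{origin} may not use {capability}")
        return func(*args)

def build(enforce_trust):
    """Register a toy mail client backed by constructed sample data."""
    book = ["alice@example.org", "bob@example.org"]
    sent = []
    reg = Registry(enforce_trust)
    reg.register("AddressLists", lambda: list(book), "addressbook.read")
    reg.register("Send", lambda to, body: sent.append((to, body)), "mail.send")
    return reg, sent

def attempt(reg, origin):
    """Use both entrypoints as `origin`; return the audit decisions in order."""
    try:
        for addr in reg.call(origin, "AddressLists"):
            reg.call(origin, "Send", addr, "hello")
    except Denied:
        pass
    return [decision for _, _, decision in reg.audit]
```

The audit list is the part a defender keeps either way: each denied call records which origin asked for which entrypoint.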

-----------------------------------------------------------

Date: Mon, 08 May 2000 16:02:43 -0700
From: Chris Leithiser <cleithis@bc.cc.ca.us>
Subject: Re: virus mutation

Bill Lambert wrote:
>

> [I wonder... how many people on this list use Outlook Express?
> I would guess the % is lower than the populace at large :-)
> - Not DM ]
>
> == Bill ==

I don't use it, for the obvious reasons. They're trying to force me.
When that happens, I will abandon it altogether and get my e-mail
through Hotmail. Yes, I know it's a tentacle of the Evil Empire.

-----------------------------------------------------------

From: "Merritt, Anne M" <amerritt@co.intel.com>
Subject: RE: virus mutation
Date: Mon, 8 May 2000 16:30:58 -0700

[I wonder... how many people on this list use Outlook Express?
I would guess the % is lower than the populace at large :-)
 - Not DM ]

Sadly LookOut is the mail client forced upon us at my place
of work. I suppose I shouldn't complain too much - it replaced
cc:Mail, a far more evil interface.

I and several other cow-orkers held out as long as possible with
our Unix shell accounts, but when they assigned us each a
LookOut mailbox and we became responsible for the contents, well,
it's kinda hard to argue with the guy who signs your paycheck.

<OFF TOPIC>
Up until a few days or so I received s-t via my home account, but
mysteriously they stopped arriving. I do hope that my ISP didn't
bounce one or something, but I have nothing showing this. They
just stopped coming. I wonder if it's a side effect of the ILOVEYOU
virus, or if the potsmaster just decided he didn't like the looks
of my old address or my recent posts. Oh well, good thing I get
this at work too...
</OFF TOPIC>

        [Dunno how it happened (though majordomo sometimes unsubs
         addresses on its own after a couple of days of bouncing).
         Fixed. ---pozzo]

Anne Marie
amerritt@aracnet.com

-----------------------------------------------------------

Date: Mon, 08 May 2000 20:17:05 -0400 (EDT)
From: "Andrew A. Gill" <superluser@mail.isc.rit.edu>
Subject: Re: virus mutation

On Fri, 5 May 2000, Bill Lambert antagonized the horn and now...
>
> [I wonder... how many people on this list use Outlook Express?
> I would guess the % is lower than the populace at large :-)
> - Not DM ]

Of course, this requires the following settings be enabled:

 - Outlook Express (the proper version, I'd assume)
 - HTML email preferred
 - VBscript auto-execute

Each of these things alone is something that S-Ters would probably not
prefer, let alone Windows in general.

-- 
|Andrew A. Gill                       |I posted to Silent-Tristero and|
|<superluser@mail.rit.edu>            |all I got was this stupid sig! |
|alt.tv.simpsons CBG-FAQ author       |                               |
|                          (Report all obscene mail to Le Maitre Pots)|
|<http://trystero.rh.rit.edu>                         Temporary sig: --

If I'm wrong, feel free to correct me.

-----------------------------------------------------------



This archive was generated by hypermail 2b29 : Tue May 09 2000 - 16:50:45 PDT