[NTLUG:Discuss] What is love?
Richard Cobbe
cobbe at directlink.net
Mon May 8 09:51:24 CDT 2000
Lo, on Monday, 8 May, 2000, Mark Bainter did write:
> Richard Cobbe [cobbe at directlink.net] wrote:
> > Anyway, it is possible to use VBscript and Outlook and all of these
> > features that ILOVEYOU exploits to essentially provide a mail front-end to
> > a database. To the user, it appears that the mail message is a form, much
> > like one that would appear on a web page.
> >
> > While you can do the same thing with a properly-formatted plain-text mail
> > message and a Perl script, this isn't a bad feature if you've got users who
> > don't want to learn complex input syntaxes. As in so many other
> > situations, though, the greater simplicity comes at a price. (In this
> > case, the price would seem to be approaching $1 billion, at least according
> > to CNN! <grin>)
>
> I don't really care if they want to support that. It's fine if they want
> to have a feature like that. But, you have to be smart about it. And
> allowing just any ol' joe to send you a message that runs with full
> permissions is just plain negligent. Everyone is talking about how much
> the person who wrote it should be punished, but I think there are two
> other parties that need to accept culpability here too. First, Microsoft
> for writing the tool and being so irresponsible when it comes to
> security. Second, the people who used those products and who chose to
> click on a suspicious attachment. In some cases a 3rd party of IT people
> who chose the software. Look, if you leave your stereo system out on
> your front lawn, how much can you really complain when someone finally
> comes along and steals it? Yes, it was still wrong for that person to
> steal it, but really!
Oh, I wasn't trying to completely excuse Microsoft. As useful as this
feature may be, the fact that they (apparently) didn't consider its
security ramifications is, as I said, completely inexcusable.

However, their error here was not saying, 'Oh, what the hell, this could be
useful, let's add this feature,' as some on the list appeared to be
implying. Rather, it was saying, 'ok, this feature is useful because it
allows X, Y, and Z,' and then (apparently) completely failing to consider
the consequences of the feature.

Note that I say "apparently" several times above. I'm giving MS the
benefit of the doubt and attributing the gaping security hole here to an
oversight. If, on the other hand, they *were* aware of it and fully
understood the consequences, but they included it *anyway*, well, that's a
different story. While I don't know if that sort of willful ignorance is
illegal, it's most certainly unethical.
Richard
> --
> There I was, lying, cheating and back-stabbing my way up the corporate
> ladder, feeling pretty darn good about myself, when someone told me the 'J'
> in 'WWJD' meant *Jesus* I thought it meant *Judas*! Hoo boy, am I red in
> the face!
I truly love your sig. Did you write that, or did you get it from someone
else?