Originally Published: Tuesday, 9 May 2000 Author: Matt Michie

It's Survival of the Fittest

This week, the ILOVEYOU virus burned through millions of e-mails, infecting computers around the globe. In the Linux community, it is tempting to mock the less fortunate Windows users. Further, it would be nice to place the blame with Microsoft, but is it possible for a similar situation to occur with Linux distributions?

The recent outbreak can only infect computers running Microsoft Windows, and it spreads through Microsoft Outlook. The worm is a Visual Basic Script that Windows runs as soon as the user opens the attachment, and it uses the tight integration of scripting with the e-mail client to mail itself to everyone in the victim's address book. The technology is easy to use: the whole script is only about 250 lines of code. Certainly the programmers at Microsoft met one of their ease of use goals.

At this point, one has to question the wisdom of including such a powerful scripting language in an e-mail client. Microsoft insists that customers demand these things. Perhaps they do, but why is it enabled by default? Why wasn't a sandbox security model used, in which only "harmless" code is allowed to execute? It would be pretty difficult to write a similar virus as a Java applet.

From this, it would seem that Microsoft should be held somewhat responsible for their "defective" product. They wouldn't even have to do their famous innovating to find a good security model for untrusted code. In an age where there is talk of Information Warfare, it is frightening to realize that a relatively unskilled programmer in the Philippines was able to cause millions of dollars worth of damages around the world.

Worse, this virus actually brought e-mail communications to a halt in the United States Department of Defense, the Senate and the British Parliament, and even infected classified machines at the National Security Agency! Hopefully some heads were turned by these possibilities. It is almost criminal that these agencies would trust a commercial company with an important communications channel. Obviously someone hasn't thought through the implications that closed source has for their security. Maybe next time, someone will just insert the back door directly into the Outlook source code instead of relying on a virus payload.

Of course, all of these users had to agree to Microsoft's shrink-wrap licence, which disclaims all Microsoft liability for software defects. At this point, the Linux users really start laughing at the people who want to know whom to blame if something goes wrong. Apparently not Microsoft. Then we go on to point out how this could never happen under Linux.

But wait! If we want to throw out Microsoft's "evil" shrink-wrap licensing so we can hold them legally responsible for their products, we'd also have to throw out the clause in the GPL which states:

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

There are similar clauses in most other open source licenses as well. Do we really need or want to hold all programmers completely liable for their programs? What would the consequences be for open source hackers if they knew that their users could sue them for program failure?

We also need to question the claim that a virus like this could never happen in a Linux world. The love bug was more of a trojan horse: it relied on social engineering to trick a user into running malicious code. Most Linux users today would not fall for such a trick, but as Linux becomes more prevalent and easier to use, such a ruse might work. Or, if a widespread security hole were found, something like the Morris Internet Worm could become a reality again.
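One check a practitioner would put at the mail gateway against exactly this kind of trick, whatever the platform, is to refuse or flag attachments that the receiving client will hand straight to an interpreter. The following is an added example, not code from the original article or from any mail product it mentions. It scans a message for attachments whose real extension is a script or executable type, and separately flags the double-extension ruse ("something.TXT.vbs", the form the love bug's attachment took, which a client that hides known extensions displays as a harmless ".TXT"). The extension lists and the sample message are constructed for the demonstration; the list includes Unix script types to make the point that the same filter applies to a Linux mailer.

```python
"""Added example: flag mail attachments likely to be a script trojan of the
ILOVEYOU kind. The sample message and the extension lists are constructed
for this demonstration and are not from the original article."""
import email
from email import policy
from email.message import EmailMessage

# Extensions a Windows or Unix client would hand to an interpreter or loader.
# Assumed list for the example; tune it for the environment you defend.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "exe", "com",
                   "bat", "cmd", "scr", "pif", "sh", "pl", "py"}

# Extensions a user expects to be inert; used to spot "document.ext.script" names.
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "htm", "html"}


def classify_filename(name):
    """Return the reasons a filename looks dangerous (empty list if none)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons              # no extension at all: nothing to judge
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        # Double extension: the real extension is preceded by a decoy one, so a
        # client that hides known extensions shows only the harmless-looking part.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension hides ." + ext + " behind ." + parts[-2])
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message; return {filename: reasons} for suspect parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():         # visits the multipart container and every leaf
        name = part.get_filename()  # None for parts that carry no filename
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed message: a double-extension VBScript attachment and a benign one."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Inert placeholder bytes; the filename is the only thing under test.
    msg.add_attachment(b'MsgBox "placeholder, not a payload"\r\n',
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"plain notes\r\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, why in scan_message(build_sample()).items():
        print(fname, "->", "; ".join(why))
```

A filename check is a first pass, not a defence on its own: the same script inside an archive, or renamed to an extension the client still executes, walks straight through it, so a real gateway pairs this with content inspection and, better, with a client that never runs attachment code outside a sandbox.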

Most Linux users are quick to point out that even if malicious code were run, it could only affect the user's own account. True, but the same could be said of Windows NT and 2000, and the love bug never needed more than the user's account: it mailed itself from the user's own address book and overwrote the user's own files. Instead of laughing at the Windows users, it would be interesting to see an open source solution providing the same functionality as VB Script with the security of Java. Perhaps something like Kaffe could be embedded into new mailers such as Evolution.

Having a viable solution that provides the same functionality as Outlook would make Linux advocacy much simpler. Instead of making light of the Windows users' plight, we can begin to move them over to a superior solution.

Matt Michie is a Computer Science student living in New Mexico. He maintains a small web page at http://web.nmsu.edu/~mmichie.