The Real Lessons of ILOVEYOU
Just Wait Until More Sophisticated Scripts Head our Way
May 9, 2000
The eruption of rogue e-mail attachments last week ought to have taught the exponentially growing online community a great deal, but it looks as if the lessons were mostly missed.
If one turned on the television or radio, even the television channel half-owned by the leading software maker, one heard that a "virus" written by a "hacker" had brought the online world to its knees and raised new questions "about the security of e-commerce." Well. It wasn't a virus, it was a Visual Basic script. It wasn't written by a hacker, it was written by what in the computer security world is known as a "script kiddie." And it had nothing whatsoever to do with e-commerce, save for the fact that no doubt some people were busy cleaning up their machines instead of browsing eBay.
But no one who has paid any attention at all could have expected better from the mainstream media. Frankly, they seldom get much right. (And I say this as someone who spent years as a network news editor. Twain's comment on law and sausage--that anyone who values either should never watch it get made--applies to newscasts as well.) Sadly, the "experts" who appeared on most of these programs were just as bad, perhaps in part because the majority of them were also in the business of selling software that scans for things like the ILOVEYOU.txt.vbx script. It is this very unreliability of information that has made online services such as this one essential.
There are some extremely important lessons to be learned from ILOVEYOU and its clones, and the computer professional who fails to notice them now will surely be taught them more forcefully later.
Here are a few of the more important ones:
The Visual Basic scripts that did all the damage did the damage only on machines running Microsoft software. They were able to do the damage only because Microsoft added that capability as a "feature." As it happens, the architecture of the Windows operating system is such that it is particularly vulnerable to malicious attacks of this sort; Linux, the other Unices, and the MacOS isolate the user from the system such that damage is minimized, unless the system administrator has intentionally defeated security safeguards. There is no "virus scanner" for Linux because there is no need for one. Because Windows is not by design a multiuser system, the user can far more easily do serious damage to the entire system. So can his proxies, in the form of mail attachments. This isn't "piling on" Microsoft; it's simply a fact.
(Alas, the media made it seem as if ILOVEYOU trashed all computers everywhere; there were whole sections of the online world that never saw the thing and would have been untroubled had it appeared. Early this year, a Visual Basic script arrived as an attachment to a post on a Linux mailing list to which I subscribe. It came from, of all places, someone at salon.com. There were a few comments about it and a nastygram to salon.com--one has a right to be angry when shot at, even if missed--but mostly it was a ho-hum event. This would not have been the case had it been sent to, say, a Windows gaming list.)
Despite all the reported damage, ILOVEYOU was an amateurish script. A friend who inhabits the Visual Basic newsgroups reported these comments made by newsgroup readers after the source of ILOVEYOU had been posted: "Rookie app...At least 4 exploits rolled into one. He used a nested If instead of a Select Case... Rookie." "Now that someone *else* has let the cat out of the bag, the typo I was referring to is on line #162... 'fileexist=msg', in the folderexist function. To me, that should've been 'folderexist=msg'. If the author was intending to call the 'fileexist' function, there would have been an argument present, see line #41 & 54. Had it not been for the fact that all error trapping was disabled, this probably would've stopped the script in its tracks." "The script does some really awkward things, and could be cut by at least 25% by optimizing the code." "The folderexist() function is called on line #65, in the listadriv sub. Odd thing, though, the code doesn't capture whatever folderexist() returns, like it's being called as a sub instead."
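The attachment vector described above, a script carrying a document-looking double extension so that the recipient runs it with his own authority, is exactly what a mail gateway can check for before the message reaches a user. The following is an added example, not code from the article: it flags attachments whose real extension is a Windows script or executable type hidden behind a decoy extension such as .txt (VBScript files carry the .vbs extension). The extension sets and the sample message are assumptions constructed for the example.

```python
import email
import re

# Extensions Windows Script Host or the shell will execute on double-click (assumed list).
ACTIVE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
               "exe", "com", "scr", "pif", "bat", "cmd"}
# Extensions that look harmless to a user and are commonly used as decoys (assumed list).
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "htm", "html"}


def classify_attachment(name: str) -> str:
    """Return 'active', 'disguised-active' or 'inert' for an attachment filename."""
    # Drop any path, then trailing dots/spaces, which Windows silently ignores.
    base = re.split(r"[\\/]", name.strip())[-1].rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return "inert"
    ext = parts[-1]
    if ext not in ACTIVE_EXTS:
        return "inert"
    # 'something.txt.vbs': an executable type hidden behind a decoy extension.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised-active"
    return "active"


def suspicious_attachments(raw_message: str) -> list:
    """Walk a MIME message; return (filename, verdict) for every non-inert attachment."""
    msg = email.message_from_string(raw_message)
    found = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and classify_attachment(fname) != "inert":
            found.append((fname, classify_attachment(fname)))
    return found


# Constructed sample message, not a real capture.
SAMPLE = """From: a@example.test
To: b@example.test
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached file.
--b1
Content-Type: application/octet-stream; name="ILOVEYOU.txt.vbs"
Content-Disposition: attachment; filename="ILOVEYOU.txt.vbs"

(attachment body omitted)
--b1--
"""

if __name__ == "__main__":
    for fname, verdict in suspicious_attachments(SAMPLE):
        print(f"{verdict}: {fname}")
```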
Much has been made of the allegation that a 15-year-old is the author of the thing, though reports vary as to whether this is true. (Apparently not, as police yesterday apprehended an adult who allegedly launched the script. But no one was surprised when a teenager was originally fingered.) It is likewise claimed that the distributed denial-of-service attacks that did bring big e-businesses to their knees this year were also the work of an early teenager. Pause for a minute and let that roll round your mind: The Internet, the very foundation of the "new economy," is said to have been twice crippled in as many months by children not yet old enough to drive a car. There seems to be a little bit of a security problem here, don't you think?
But let's follow this thread to its logical end. If this is what child vandals can do, what do you suppose real experts could do? How do you know they aren't already doing it? How do you know they aren't already doing it to you? If you think some virus scanner or flimsy firewall left at its default settings will protect you or your company, you are probably wrong. Likewise, just as every user who misconfigured his software a decade ago claimed its failure to function was due to a "virus," today those same symptoms are more often than not attributed to having been "cracked." In both cases the claim was sometimes true, but often it wasn't and isn't. Welcome to the first manifestation of computer terrorism--not unlike the box containing the teddy bear, put on the floor for a minute, that is taken from the airport terminal by police bomb-disposal crews and blown to stuffing at some remote location. Every time a computer problem that isn't caused by malicious software or cracking is blamed on one of those things, the script kiddies and crackers have gained another victim.
Meanwhile, there are the guys who are really good at breaching computer security. Do you think for a minute that such a person, having gained access to your machine, is just going to break some stuff and leave? Do you suppose somebody would go to all that trouble for an end that profits him not at all? It's been well over a decade since Clifford Stoll wrote his still-exciting "Cuckoo's Egg," a must-read for anyone interested in online security. And even then, the young European crackers who had broken into classified Pentagon machines had learned that East Germany would happily provide them with money for cocaine in exchange for the secrets they had gleaned. Is it by any stretch reasonable to imagine that computer crime hasn't gotten any more sophisticated?
And yet we hear that a highly classified NSA computer was punched out by the ILOVEYOU e-mail script. Has no one learned anything? What in the world is an e-mail system doing on a machine containing intelligence data? And what is that machine doing running an insecure operating system?