Stopping The Deadly Virus

Punishment won't cure this ill

by Neil McAllister, Special to SFGate
(Originally published Thursday, May 6, 1999. Editor: Amy Moon)

Perhaps the only thing more frustrating than the damage caused by viruses is the realization that one has very little recourse when they do strike.

They're a hit-and-run by an unknown assailant.

No wonder Melissa virus creator David Smith's arrest and pending trial are viewed by many with such pernicious glee. For once, it seems, one of these faceless delinquents will be brought to justice, and get what he deserves.

Compare Smith's case with that of Taiwanese information engineer Chen Ing-hau. Taipei authorities recently fingered the 24-year-old man as responsible for the highly damaging CIH, or "Chernobyl" virus — so named because it strikes on anniversaries of the April 26, 1986 Soviet nuclear disaster. Chernobyl's last outbreak erased data on tens of thousands of computers worldwide, rendering many unusable.

But while David Smith could potentially land more prison time than some repeat rapists, the only punishment Ing-hau has received to date for his role in creating the virus has been a demerit from the Tatung Institute for Technology, where he studied computer science. That was over a year ago.

Unlike Melissa's, it seems Chernobyl's victims have very little hope of restitution for data lost to the virus. So while there may be an opportunity to finally make an example of David Smith, I question whether slapping a programmer with a 40-year sentence will really contribute much to ending the threat of malicious software. Before we go blindly locking away virus authors, maybe we should first examine their motives.

First an admission: David Smith and I have something in common. Perhaps my life of crime eventually might have landed me in the same spot in which Smith now finds himself — had I maybe been just a little bit better at it.

Melissa wreaked havoc on networks nationwide in March, using a combination of Microsoft's Word and Outlook software for Windows to spread copies of itself rapidly across the Internet, via email. The resulting flood of messages soon choked afflicted mail servers, rendering them incapable of processing genuine email as they struggled beneath the load of Melissa-generated mail. It was the first big virus outbreak of 1999.

My own career in computer virus authoring ended years ago, before there was much of an Internet, and when MS-DOS was the PC operating system of choice. Dubbed Leprosy-B, my last (and somewhat ineffectual) virus was the follow-up to a similarly timid program I'd written earlier, called (predictably enough) Leprosy.

About 10 minutes after putting the finishing touches on Leprosy-B, I accidentally let it loose on my own hard drive. It promptly infected half my development tools and a random number of system files, before I could get it in check. As I embarked on a long night of re-installing infected software, I got my first real taste of what a royal pain in the ass computer viruses can be.

As a teenager, crippling entire computer networks worldwide was the farthest thing from my mind as I toiled late nights writing the Leprosy virus. For one thing, I just wasn't skilled enough a programmer to pull off such a feat — but it was a lot easier to write a tiny virus program than a huge application, like a word processor.

Today, even complete novices can create their own computer virus with the help of one of the several "virus construction kits" available for download from some hacker sites on the 'Net. Most virus software, in fact, remains no great wonder, relying on a small number of instructions to achieve a few clever tricks. It's generally a fluke when one manages to travel as widely and achieve its goal as successfully as Chernobyl or Melissa.

While some virus outbreaks might accurately be categorized as industrial espionage, most virus authors seek little more for their efforts than a certain kind of notoriety within the computing underground. Getting your virus out into public circulation is a little like spray painting your name on walls: It's a way to gain recognition amongst your peers. But while most graffiti taggers might hesitate before defacing the ceiling of the Sistine Chapel, viruses generally make no distinction about which systems they destroy.

Since most virus attacks tend to be executed with all the cunning of throwing eggs at a passing car, maybe the solution lies elsewhere besides prosecuting the authors of these tiny terrors. Maybe it's time we addressed the issue of what makes viral software possible to begin with.

As the number of computer viruses has grown over the years, a cottage industry of anti-virus software has appeared to combat the problem. We regularly hear about anti-virus software causing various crashes and conflicts with other programs. None of these packages, however, does very much to strike at the root cause of computer viruses — the vulnerability of the operating system itself.

Sun Microsystems had the right idea with the "sandbox" security model of its Java language. Java applets downloaded from an untrusted source on the Web aren't allowed access to most of the OS features that would allow a virus to spread. Sun realized that the creation of a globally networked computer environment meant new security measures had to be developed to protect users from all their new neighbors. It's an idea as simple as installing a deadbolt on your front door.

Contrast Sun's ideas to Microsoft's, whose decision to build a complete programming language into its word processor without any significant security measures spawned an entire new subcategory of Macro Viruses — now one of the most commonplace forms of viruses encountered. Melissa itself fell into this category. Further, Microsoft's ActiveX technology for the Web can allow viral code to run virtually unchecked on a Windows computer directly over the network.

I'm not about to say David Smith shouldn't be held responsible for damages caused by Melissa should he be found guilty of creating and releasing that virus. But I also feel it's the responsibility of software manufacturers to adapt to the vulnerabilities of today's networked computing model by creating secure software environments for us to work in. The technology exists; it's only a matter of making an effort to deploy it.

Try asking your operating system vendor sometime what steps they're taking to protect you from attack by hostile software. If the answer you get is that they're helping to prosecute David Smith, don't buy it.

Today there are hundreds of David Smiths worldwide, and a new David Smith is born every day. There's only one Microsoft. Can't they do any better than to point the finger?


