Who's really responsible for viruses?

Opinion by Rich Pasco

The recent "I love you" virus and its variants "Joke", "Mother's Day", etc. have received a lot of press lately, but very few reports have accurately pinpointed responsibility.

The virus arrives as an executable e-mail attachment which, when run, sends copies of itself to everyone in the victim's e-mail address book and damages a number of files on the victim's system. The damage in lost data and wasted time around the world is staggering.

So, considering the scope of the damage, its author should be severely punished for the most heinous crime of the century, right?

Wrong. Although his actions are reprehensible, he was just a small component of the cause. The vastly bigger responsibility lies with the millions of users running an e-mail client which makes it easy to execute (follow the instructions in) attachments to e-mail.

Suppose you hired a butler to look after your household affairs. Suppose you had instructed your butler that every time a letter was delivered in the U.S. mail, he was to open it and follow any instructions contained therein.

Suppose that one such letter contained instructions to go to the neighborhood copy shop, make copies of the letter, and mail them to every one of your correspondents. And then, having done so, the instructions continued, the recipient was to go through your personal filing cabinet, shred the original documents contained therein, and replace each of them with a copy of that letter.

You returned home one day to find that your butler had obediently followed those instructions. On whom would you place more blame? The distant and unknown author of the anonymous letter? Your butler, who was so naive as to follow its instructions without a lick of common sense? Or yourself, for telling him to follow the instructions in the letter?

As recently demonstrated, Microsoft Outlook can be such a blindly obedient butler. The victims were all using Outlook. Microsoft should have known better than to publish an e-mail client that makes it easy to execute attachments without warning users of the danger. I'm told that Outlook can be configured otherwise, but few people make this change, because some can't be bothered and others may not know it's possible.

I am pleased to note that my system was not infected despite receiving many copies of the recent virus, because my e-mail client, Netscape Communicator, does not execute any attachments without my explicit permission. And I won't give that permission unless I know exactly who wrote the code and what it does. At least not now.

In mid-1999 I received an unsolicited e-mail from a friend with an attachment entitled "Zipped Files.exe". And I was naive then, so I gave my system permission to execute the attachment. The damage done in the next few minutes took several days of cautious, skilled work to repair. I was lucky because I had backups, and the system on which I ran the virus did not have access to them at the time.

The very painful lesson was: When you execute any program on your computer, you turn over total control of your computer system to its distant, unknown author. Do you really want to do that?

If you get infected with a virus, as you assess responsibility for your woes, do not neglect the publisher of your e-mail software, which by default surrenders control of your computer system to that distant stranger. And do not neglect yourself for installing and/or using such software.

In no way do I intend to excuse the writer of ILOVEYOU, any more than I excuse the irresponsible teenager who starts a wildfire that destroys a few thousand houses. Both the virus writer's and the arsonist's actions are reprehensible. But my comment goes beyond simply being angry at one individual who intended to cause harm, to examining the infrastructure that so easily allows harm to spread.

In either case, the real lesson for society is not that we need more severe punishment for virus writers or young arsonists, but that we need to develop our computer networks and our housing tracts so that they are immune to the spread of viruses and wildfires. And while it's easy for consumers to point the finger at the "big guys" (like Microsoft or the city planning commission), each of us needs to educate ourselves and take responsibility for our own personal environments, whether in setting up our e-mail client or in cutting down vegetation around our houses.

In some sense, running Microsoft Outlook with its default settings is like planting eucalyptus trees all around your house and yard.

I feel as sorry for the ILOVEYOU victims as I did for the victims of the Lexington and Oakland Hills fires, but in each case, I encourage all of us to look at our own choices and find ways to be responsible for our environment rather than victims of it.

Copyright © 2001 Richard C. Pasco. All rights reserved.