Taking responsibility
July 19, 1999
by Zac Belado
In a March 1988 Byte magazine article entitled "Beyond Macro Programming," Bill Gates talked about the "creation of object models that would enable developers to control all the elements of an application, providing full application programmability." The ultimate fruition of this concept was last April's rash of Word/Outlook/Windows users who were afflicted with an outbreak of the Melissa virus: a macro virus in a Word file that was used to send email to the first 50 entries in an Outlook address book.
This topic came to my mind today as I was reading an article in my local newspaper that discussed how Canadian IT professionals are asking the Canadian government to enact stiffer penalties for "hacking". The example that invariably came up in the article was the Melissa virus and how it, in a twisted homage to 70's shampoo commercials, caused mail servers the world over to pack it in under the strain of everyone telling 50 of their dearest friends about a list of passwords to pornographic websites. And so on, and so on…
Mind you, this entire incident has always struck me as a perfect example of the press concentrating on the wrong issue. There was never any mention of the fact that the virus itself was able to wreak what havoc it did because of a lack of common sense on the part of Microsoft software engineers. The press also paid little attention to the fact that the virus' author was tracked down and ultimately apprehended by an investigator reading details of the user's machine out of an early copy of the infected Word document. What frightened the hell out of me about this whole situation was not that a Word virus was able to cause mail servers the world over to pack it in (although how hard is it to make an NT mail server crash?) but that there was enough information stored, without the author's knowledge, in the document for the police to track the author down.
The author of the virus, David Smith, has been charged on five felony counts of computer theft, unlawful computer access, illegal interruption of public communication and conspiracy that could result in prison terms totaling 40 years and fines amounting to nearly a half-million dollars. All of this for releasing a Word macro virus that did nothing more than send out some email. My question, though, is what sort of penalties Microsoft is going to incur for writing a set of software objects that are so lacking in basic security that they allow this sort of tampering in the first place.
Microsoft has known that this is a serious problem for years. Office 95's release was quickly followed by an immediate outbreak of macro viruses. Not that this was really all that surprising. The average 5-year-old probably could have told you about the anarchic possibilities that a macro system with almost no security presents. But instead of fixing the problem, or adding decent security, Microsoft has done nothing but add options to Office products that allow you to disable macros. Options that obviously no one uses, as the extent of the reported problems with Melissa can attest. And why should the only serious security option for users be to disable the features of a product? Features that users are paying for. Presumably part of the continued cost of software is the innovative new features added to it. Will Microsoft give me a rebate on Office if I can't use the macro features? Or, a step further, will Microsoft take financial responsibility for the problems that their software causes?
The obvious solution to this problem is to not use Office…or any Microsoft software, as Melissa's delightfully crafted integration with Outlook shows. If you could. In a market that used to be flooded with competing word processing packages, Microsoft has emerged with about 90% of the total market share. Which is great for Microsoft and for macro virus writers. Microsoft even beat Java to the punch and extended to virus authors the ability to "write once and infect everywhere", with Mac and Windows machines equally at risk from Gates' dream of "full application programmability".
The comparison between David Smith and Microsoft is interesting. Even though it is almost impossible to prove that Smith deliberately set out to cause royal hell among the world's mail servers, he is being charged as if he had. Smith is being forced to take full responsibility for the results of his actions even if he didn't actually intend the outcome. Microsoft, on the other hand, is not being forced to take responsibility for allowing a system to continue and prosper when they are fully aware of the extent of the damages, and the potential damages, that the system causes.
So if David Smith is such a pernicious threat that he deserves 40 years in jail, then what is Microsoft's liability? And why have there not been more calls for Microsoft to solve this problem? If a car manufacturer can be held accountable for accidents caused by deficiencies in its products, then why can't a software company be held financially accountable for the same?
So the next time your company has to eat $70,000 in CD duplication fees because of a macro virus, maybe you should get your lawyers on the phone. Or maybe a more elegant solution would be to take all those copies of Office and Outlook, toss them in the dumpster, and go back to using software products that cared less about "full application programmability" and more about just working properly. And letting you work with your colleagues without the very real fear that opening up an Excel spreadsheet was going to cause your mail server to crash.
Copyright 1997-2025, Director Online. Article content copyright by respective authors.