[109610] in Cypherpunks

Melissa and Microsoft GUID

daemon@ATHENA.MIT.EDU (Anonymous)
Tue Mar 30 20:19:17 1999

Date: Wed, 31 Mar 1999 03:00:37 +0200 (CEST)
From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net
Reply-To: Anonymous <nobody@replay.com>

The interesting story in the Melissa virus is that it was apparently
created with Microsoft tools, which means that it has embedded authorship
tags.  The existence of this information just came out last month,
shortly after the Intel Pentium III flap.  Every Microsoft user gets
assigned a unique identifying number (Global User ID), and this number is
uploaded to Microsoft under some circumstances when registering software
(Windows 98, so far).  The number is then embedded in documents created
by that user, without his knowledge.

Of course, when presented with this information, Microsoft put on their
genial corporate face and pretended ignorance.  We are led to believe
that some peon in cubicle 1237-A decided to add this feature, without
the knowledge or approval of Microsoft management.

Isn't it far more likely that this feature was an intentional addition,
provided for the benefit of law enforcement?  No doubt intended to be
kept secret, it would be invaluable for tracing many forms of electronic
communications, from bomb and death threats to viruses.  Once the culprit
is identified via this technology, conventional search and surveillance
can be used to develop evidence to be used in court, with no revelation
of the tracing technology.

Now we have the bizarre spectacle of Richard Smith, the software developer
who discovered Microsoft's GUID technology, using it to track down the
author of the Melissa virus.  Apparently we are to assume that the FBI
and Microsoft itself are completely in the dark in these matters:

   Other researchers, like Richard Smith, CEO of Phar Lap Software,
   have traced its origins to a virus writer who goes by the code name
   VicodinES.

   Working with Swedish virus tracker Fredrik Björck, Smith managed to
   match serial numbers from tools for creating viruses on VicodinES's
   Web site to serial numbers embedded in the code of the virus.

   Björck was the first to notice that the Melissa virus was similar
   to some of the macro viruses created by VicodinES. "I verified this
   connection by downloading a bunch of Vic's virus 'toolkits' and found
   that the GUID 'electronic fingerprint' in the Melissa list.doc file
   also appeared in many of the .DOC files in Vic's toolkits," Smith
   said Monday in an email.

   Smith discovered the existence of the GUID in Microsoft documents
   earlier this month.

(see http://www.wired.com/news/news/technology/story/18819.html, which
also has links to VicodinES's web site and background stories on the
GUID.)

This aspect of the story has not gotten the play it deserves.  We have
an anti-privacy feature suddenly being put to use to thwart a dangerous
threat.  Does this set a precedent?  Were all those Microsoft and Intel
bashers wrong?  Do we now need to support and even require "taggants" in
electronic documents?  No one is covering this privacy-vs-security angle.

If the GUID is successfully used to track down the Melissa author, we
can expect to see pressure to add similar features in other types of
software, including back doors for OS access.  Of course they have to
be kept secret to be truly effective.  We may see law enforcement push
for this in the next few years.  Australia recently authorized police
to break into computers.  Getting the manufacturers to put in back doors
is the next step.

