And how the privacy risk that Redmond said would not be used for tracking was used for tracking
Steven Sinofsky, Microsoft’s former Office and Windows chief, has recalled the impact of early viruses like WM/Concept.A, Melissa and ILOVEYOU, as well as early privacy debates centered on hidden GUIDs (globally unique identifiers) in Word documents.
Sinofsky is writing a book on his time at Microsoft, currently titled Hardcore Software: Inside the Rise and Fall of the PC Revolution. We can speculate that the “Fall” bit will not endear him to current Microsoft folk flogging Windows 10 and Surface, but he has a point: the days when PCs dominated computing are long gone, lost under an avalanche of iOS and Android mobile devices, together with the sense that what really counts is not the device you use, but the cloud services you access.
He was in charge of Microsoft Office from 1998 to 2006, and then Windows from 2006 to 2012. Everything he touched was a huge success – especially Windows 7, which rescued Microsoft’s operating system after the poorly received Vista – until he oversaw the disastrous launch of Windows 8 and Surface RT.
It has been 20 years since cybercrims woke up to social engineering with an intriguing little email titled ‘ILOVEYOU’
We await his retelling of Windows 8, but in the meantime he has written an account of what it was like to be running Office when it was under attack from malware. The timing of the post, which contains extracts from a draft of the book, coincides with the 20-year anniversary of ILOVEYOU. He recalls the weekend of 5-7 May 2000 as the time when “inboxes around the world of Outlook and Exchange email users were inundated with dozens of copies of email messages with the subject line, ‘ILOVEYOU.'”
Sinofsky said he “wrote a frantic 20-page memo”, intended as a call to action for his engineering team, but never sent it, fearing it would be “too controversial” – a surprising show of restraint from the man who conceived Windows 8.
ILOVEYOU was not the first Office virus. That honour perhaps falls to Concept, which in 1995 spread by adding macros to Normal.DOT, a Word template employed automatically. Concept was annoying but relatively harmless. Then there was Melissa in early 1999, another macro virus, which spread by sending itself to the first 50 addresses in a user’s Outlook contact list. The payload in Melissa was merely a list of porn sites, but it spread so effectively that it caused denial of service and email servers were shut down, enough to cause reports of “billions in damages”.
Sinofsky implies that the ease with which Office and Outlook were compromised was linked to a free and easy culture. “The software industry had grown up from the counterculture 1960s. Steve Jobs with no shoes. Bill Gates hacking his high school computer system. Both college dropouts. What the PC industry lacked was any formal notion of what it meant to be a software engineer,” he wrote.
That said, the company took the malware threat seriously and responded. Sinofsky describes how the team came up with the Outlook Email Security Update, which disabled sending certain file types as attachments, attempted to guard Outlook against programmatic access to the address book, and raised warning messages before running any code embedded in emails. The patch came out in June 2000. The snag was that the patch broke code used by organisations to automate workflows.
“The macro capability of Outlook, as used by Melissa, developed a huge following and was a strategic aspect of the product… a key feature enterprises valued was being weaponized by virus creators,” he said.
It is no use relying on user education, he noted. “When people using software are in a flow going through some task (from opening email, to booking tickets, to opening a program, to browsing web pages) any warning messages are essentially ignored, and therefore meaningless… no one reads text when there is an OK button right there.”
Microsoft decided to break functionality for the sake of security. “The idea of breaking an important ecosystem, for a new product especially, was antithetical to Microsoft’s focus on compatibility. What the team proposed and then delivered was gutsy,” claimed Sinofsky.
It is true that the Outlook security patch and other measures since did help to control the spread of malware, but there are cases where Microsoft could have done more to control the security of its technology – ActiveX in Internet Explorer, for example.
Malware is not his only subject. Sinofsky also recalls early anxiety about the insertion of GUIDs in the metadata for Office documents. In early 1999, Richard M Smith at Phar Lap software (a programming tools company) discovered that Microsoft’s software generated GUIDs, including the MAC address which identifies a device on a network, and that these GUIDs were found in the Windows registry and in Word documents.
This was picked up by privacy advocates, and Sinofsky recalls John Markoff at the New York Times contacting Microsoft to enquire about whether Microsoft was using this to track its customers. “This conspiracy theory ran deep,” said Sinofsky, adding that “the theory was baseless and we would never do what was being suggested.”
The privacy advocates were onto something, though. The document spammed by Melissa was called LIST.DOC, and Smith noticed that it included one of these GUIDs. He posted it online. “Eventually, Smith was able to connect the whole trail of network card addresses to the creator of the virus, who was arrested in New Jersey at his parents’ home a week after releasing it,” he said. “The metadata in Office 2000 made that possible. I wish I made that up.”
A timely reminder that the only sure way to prevent tracking is to remove the identifiers that enable it. ®