Hacker News
Love Bug worm's creator tracked down to repair shop in Manila (bbc.com)
193 points by known 5 months ago | 94 comments

I would like to say thank you to him, since it opened a huge budget and mandate for my security team at the time.

No more draining discussion if AV needed to be installed on particular systems, the right to wipe any employee's desk or laptop in case of "issues", create outbound firewall rules (yes those were new, and yes it saved a lot of damage 3 years later when Slammer hit, but that's another story) and budget to install "monitoring services" on whatever we'd like.

The total data loss was limited, the costs of employees not being able to work was a lot worse.

I guess that at the height of Windows market saturation.

I thought it was rude to pay for an OS and then have to pay separately for software to protect that OS. It seemed off to me that the guy who wrote Melissa got jail time, but nothing happened to those who sold the software needed to run viruses.

I stopped having Windows installed after Slammer hit. After almost two decades away, I got a job at a big American company that issues Windows laptops and lo-and-behold there's some separately purchased AV software installed.

It makes the laptop a space heater. If I don't explicitly shut it down, the AV software never drops below 30% CPU and the thing's fans never stop running. They accidentally dropped AV for a couple weeks when they upgraded my machine from Windows 7 to 10 and it shaved five minutes off a ~17 minute Maven build. I'm one employee of tens or hundreds of thousands producing all this extraneous waste heat.

My friends needle me about BitCoin's environmental impact. I ask them what the overhead of AV has been.

The comparison of bitcoin Vs AV energy usage is a bit ridiculous. No one is buying hundreds of GPUs to mine AV.

That said, both are wasteful and ultimately neither should exist.

> No one is buying hundreds of GPUs to mine AV

No, rather companies are buying thousands of computers to install AV on.

Bitcoin miners are actually a very small minority of computer users, whereas AV results in an extra 10-30% power overhead (possibly more, if we factor in that modern CPUs throttle way down if not under load) for the majority of all the corporate PCs in operation, to say nothing of home users.

Back of the napkin math suggests that the comparison is indeed ridiculous, but only because AV usage absolutely dwarfs bitcoin usage.

My pet peeve is VP9 on YouTube vs Chrome on MacOS. My original estimate: lack of codec on MacOS / YouTube's choice to drop x264 for high resolution videos wastes as much power as the entire country of Puerto Rico.

It's even impossible to play 8K YouTube videos on the highest end MacBook and Chrome. It's ironic that MKBHD is uploading them without being able to play them himself.

Wait until you hear about web browsers...

> The comparison of bitcoin Vs AV energy usage is a bit ridiculous. No one is buying hundreds of GPUs to mine AV.

No, but they run almost everywhere.

I'd be very surprised if bitcoin mining produces even 1% of the CO2 emissions of what AV software does. Mostly because the reward from mining has been competed so low that if you have to pay normal amounts for electricity, it's nowhere near profitable, so mining mostly happens in places with very low electricity prices, such as towns in China near hydroelectric dams with massive excess production.

Sometime last year, someone had a writeup where they worked out that buying enough gas (I forget if "natural" or "-oline") to mine 1 bitcoin, ignoring fixed costs like the generator or GPU, would cost them ~1.2 BTC. That might change if you live near an oil well/refinery/coal mine, but I'd kinda like to see a statistical analysis of whether bitcoin time-between-blocks varies with time of day based on which areas have excess solar power.

I keep wondering can you design a solar panel that uses photonic bitcoin mining. That would be ridiculously efficient.

If you want to make money with solar seems like it’d be a lot easier to just sell the electricity back into the grid

Only until everyone else has them too

Honestly, we probably should be grateful that this was the first big scare. It was a huge outbreak, but at the same time a very visible and relatively benign worm.

Exactly. Compared with what organised crime, nation states, political organisations, special interest groups and some shady companies are doing with hacking, manipulation, worms, and botnets nowadays this is pretty benign. A helpful wakeup call to everyone to take security more seriously, in fact.

> The total data loss was limited, the costs of employees not being able to work was a lot worse.

The productivity costs of all those mitigating measures shouldn't be ignored either. Modern corporate Windows images are incredible in how much CPU and RAM they can waste even at idle.

It's probably a shit metric as my two browsers open now use 10GB of RAM on MacOS, but Windows 10 requires 2-4x less minimum RAM to run when compared with latest Ubuntu...

The problem isn't Windows. It's all the third-party stuff that gets added to Windows by corporate IT departments.

Well, any given holiday keeps workers from working. I don't value that as much as some folks. We all got a day off!

But it was certainly a wake-up call. And such a simple trick, to fool the world in a day.

Cyberpunk, being broke and writing a virus to steal access passwords -- and then he ends up running a phone repair stall, even more cyberpunk.

Reminds me of rtm's chapter in the book CYBERPUNK by Katie Hafner, pg's in there too. Except neither of them are now broke and running a phone stall in Manila.

rtm’s worm is mentioned in ‘The Cuckoo’s Egg’ by Cliff Stoll as well. While Cliff was working with rtm’s dad, cryptographer Robert H. Morris, to solve his hacker case, rtm released the worm.

His dad was Chief Scientist of the NSA National Computer Security Center at the time :)

How the heck can someone talented enough to write a virus end up in a phone repair shop?

A phone repair shop in Manila is gonna be very different from a repair shop in a western mall. In Manila they're gonna resolder any component from a salvaged phone, where in the west you're gonna buy a new case for it (probably exaggeration from both ends).

My point is - it was quite exciting and interesting job for early 2000s, probably paid ok too. There was some software to crack and occasionally write something. Nowadays the hardware is much cheaper when adjusted for inflation, but people still need the service. Jailbreak scene continues to exist too.

Also transitioning from writing a simple virus into production software is a long long way.

Maybe a judge ruled he shall not touch a computer for life (and for everybody's good?)

Never seen a starker illustration of the idea that poverty anywhere eventually makes itself everyone's problem. Dude just wanted affordable internet access, and that was enough of an incentive for him to do something that accidentally caused billions of dollars in losses around the world.

Here's a fun thought: was that cheaper to the global community than whatever infrastructural improvements that would have allowed de Guzman stable-enough internet access to not seek out his infamous solution? What other situations like this are there waiting in the wings, and would fixing them cost more or less than the alternative of letting those situations play out as they may? Think how 9/11, terrorist attacks in general, are spurred on by groups aggrieved by socioeconomic or cultural conditions; what would it cost to placate them? Do we not because it would ultimately be more onerous?

> what would it cost to placate them?

You’ve only to pay ‘em the Danegeld and then you’ll get rid of the Dane!

As a Dane I support this sentiment!

That’s an interesting thought. Serious question: how do you quantify inequalities that represent a systemic risk versus ones that do not?

I ask because perfectly equal wealth distribution or maybe even desirable (see many attempts at communism ending badly). Further, there are parts of the world where people have very different cultures and “standards of living” and are happy, which is not dangerous even as it is not “equal.”

So how do you best quantify and anticipate which “infrastructure differences” are fine and maybe even locally optimal, versus which ones are going to lead to harm?

Ask people what they want, and then listen when they tell you?

Therein lies another problem: the perceived cost of improvements is modified by the perceptions of "deservedness" on the part of the people paying. Compare post-WWII to post-WOT investment. The Marshall Plan et al. were correctly perceived as being less expensive than the alternative of letting wounds fester and courting another war, but I'd argue that this relatively clear-eyed approach was influenced by who the investment was going to (Westerners, European, white people) and what it was to be used for (returning Europe to its former glory after utter destruction). There has been no talk of that kind of investment in Iraq/Syria/Afghanistan/Libya, whatever their people may desire.

> He also created a title for the email attachment that would have global appeal, tempting people across the world to open it. "I figured out that many people want a boyfriend, they want each other, they want love, so I called it that," he said.

Great product management

It's pretty fascinating how a lot of these technically adept hackers all tend to come from relatively poor environments. Even now a lot of the security bug bounty programs have a large proportion of Indians in relatively impoverished villages somewhere. Russia after the collapse of the Soviet Union produced a ton of hackers. In China some of the most technically competent people I've interacted with doing shady stuff with bots and REing games and what not come from some random village. I'd say this is meritocracy working at its best and something you'd only see in the online world

I think the fact that you find more people in the world with technical talent who are also poor has a lot to do with the fact that there are a lot more poor people in the world than rich. If a talent is equally spread throughout humanity, then one would expect most recipients of that talent to be poor.

But poor people also have unequal access to educational resources for learning technical skills.

And this is the perfect economic justification for free high-quality education, with some form of acceleration for the best students. This is especially in a country that has a high valued currency - as low and no-skilled jobs that can be outsourced, will be outsourced - but really true for any country as it only increases their talent pool. So if a country, like the US, wants to improve productivity, they should have an education system much like many places in Asia.

Yes. But I don't see what this has to do with the topic at hand?

Not all replies have to be counter to the parent post. I was just riffing off your parent post, much like you were. The topic of the thread being that the poor have unequal access to education, but that exceptional talent may exist within that cohort. I just wanted to emphasise the economic incentives of universal access to educational opportunities.

Maybe it's just that if you're from one of those places you likely have no formal credentials and no relevant local employment options, not at you recruitable abroad. So they do what they can, and a small fraction are successful in good or bad ways.

Also I notice that coders from wealthy backgrounds focus on high level languages, abstractions, etc. I don't see a lot of people digging down to the fundamental technical implementation, and actually tend to look down on such inclinations as over optimization.

On the other hand, a poor person probably has access to a very limited range of technology, so ends up learning the technology inside and out. Maybe they also don't even have regular electricity or internet, so has to learn technology using pencil, paper and by thinking about it. Much more likely to give a deep understanding of the subject matter.

Wealthy people have to be more productive as they are paid more for their productivity.

Being paid more for productivity would imply the opposite about wealthy people, in my mind.

Are you implying that working less while delivering more is somehow bad (or working equally and delivering 10x is somehow perverse?)

Those aren't the only possible options. Another is that if a person is paid more for the same productivity, they are incentivized to be less productive.

Not a valid argument.

Is there any evidence besides movie cliches to indicate there are indeed more hackers in poor countries?

I'm not sure if this is in fact true, but it seems to be.

I think it's because when you grow up poor, you _have_ to hack. If not computers, then something. I'm living in Mexico right now, and it's incredible the ways people figure out how to make money, and figure out how to just make things work.

The article starts with:

> "Filipino Onel de Guzman, now 44, says he unleashed the Love Bug computer worm to steal passwords so he could access the internet without paying."

But that's not true, according to the same article. That was just the first one he created, then he created something different to spread around the world. It doesn't say his intentions, but for sure it was not to steal local passwords for internet access.

By the end of the article:

> "He claims he initially sent the virus only to Philippine victims, with whom he communicated in chat rooms, because he only wanted to steal internet access passwords that worked in his local area.

> However, in spring 2000 he tweaked the code, adding an auto-spreading feature that would send copies of the virus to victims' Outlook contacts, using a flaw in Microsoft's Windows 95 operating system. He also created a title for the email attachment that would have global appeal, tempting people across the world to open it."

> The man behind the world's first major computer virus outbreak

> The Love Bug pandemic began on 4 May, 2000.

The Melissa virus happened the year prior.[1] The Morris worm[2] happened in 1988. Also, interestingly, PG shows up in the article for that one,

> It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm; however, Morris' colleague Paul Graham claimed, "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."

[1]: https://en.wikipedia.org/wiki/Melissa_(computer_virus)

[2]: https://en.wikipedia.org/wiki/Morris_worm

That jumped out at me too. There were a lot of others; Michelangelo got a lot of press. I remember being in the doctor's office on March 6th 1992, and all the computers' power switches were conspicuously taped shut and the receptionist told me to not turn on the computer (that was like 6 feet behind the counter) because the hard disk would get wiped.



> he tweaked the code, adding an auto-spreading feature that would send copies of the virus to victims' Outlook contacts, using a flaw in Microsoft's Windows 95 operating system.

What's the flaw?

The flaw was the entire security model of Windows 95. The "virus" was a VBS script that the email convinced humans to double-click on, which ran the script immediately with enough privileges to access virtually anything on the computer.

That sounds like it was entirely on Outlook. An email client should not allow you to accidentally execute code.

But if you did want to purposefully execute code, you’re saying a mail client shouldn’t let you open an attachment by design?

As far as I remember, this wasn’t a more advanced virus that self-executed upon being opened. People had to willingly double-click the VBS file. The self-replication and use of the address book was clever — and it was a definite Windows flaw that ultimately allowed it all to work — but I don’t think allowing people to willfully execute an attachment is a flaw.

It was after Melissa and this incident that you started seeing the very public campaigns telling people not to open unknown or weird attachments. And AV vendors like Norton started doing more robust AV updates online (rather than selling new virus definitions on floppy disk or CD-ROM) each year. Norton was already doing online definition updates in 2000, but I seem to recall (I was 16 so my memory is fuzzy) the updates becoming more frequent. I do remember having to install ILoveYou patches on my dad’s computer and my uncle’s computer down the street. I’m also pretty sure this was one of the viruses we purposefully sent around our high school’s network that helped get the entire county infected. Novell’s enterprise rules didn’t catch up until it was too late.

> But if you did want to purposefully execute code, you’re saying a mail client shouldn’t let you open an attachment by design?

That sounds reasonable. You should have to save the attachment and run it from disk. The chances of any hunk of executable code being of some potential use on your particular architecture and OS was low back in the Win95 days and is even lower these days.

If I recall...

That file extensions were hidden by default and that double clicking on a .vbs file ran it.
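The combination described above (extensions hidden by default, and a `.vbs` file that runs on double-click) is what an attachment filter at the mail gateway looks for. The following is an added example, not part of the original thread; the extension lists, function names and sample message are constructed for illustration:

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows hands to a script host or the loader on double-click
# (illustrative list, not exhaustive).
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
# Extensions a user reads as "just a document" when the real one is hidden
# (assumed list for this example).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls"}


def classify(filename):
    """Return the reasons an attachment name is risky (empty list if none)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces: "a.vbs. " still opens as .vbs.
    clean = base.rstrip(". ")
    parts = clean.split(".")
    if len(parts) < 2:
        return []
    final = "." + parts[-1].strip().lower()
    if final not in ACTIVE_EXTS:
        return []
    reasons = [f"runs on double-click ({final})"]
    # Double extension: with "hide extensions" on, only the decoy part shows.
    # strip() also catches padding such as "photo.jpg     .scr".
    if len(parts) >= 3 and "." + parts[-2].strip().lower() in DECOY_EXTS:
        shown = ".".join(parts[:-1]).rstrip()
        reasons.append(f"displays as '{shown}' when extensions are hidden")
    return reasons


def scan_message(raw):
    """Map each risky attachment filename in a raw RFC 5322 message to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reasons = classify(name)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample():
    """Constructed test message: one disguised script, one plain text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("letter.TXT.vbs", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```
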

A fresh install of Windows 10 will still try to pull that off.

Like an exe. And thank the lord we can still easily run all the code we want on Windows. We can't say the same thing about our mobiles or video game consoles, and OS X is making it as hard as they can.

I ditched OSX a while back and that idiotic measure was a significant contributor

I'm not familiar with OSX anymore, are you referring to the Developer ID Certificate requirement? That's all I found with a quick search.

Applications have to be signed now (unless you explicitly turn off all protections), yes, but I think GP is referring to Gatekeeper — which would prevent a file from executing unless you right click and choose “allow” for programs from an unknown developer. But a right click could get it to run. Now applications need to be notarized with Apple in order to work in macOS (unless you flat out disable all security), which adds an extra burden on developers but ostensibly offers much more security.

> offers much more security

Does it tho? In what way? Anyone can create or steal a developer account. You can still notarise malicious software. It's just that it gives some lead for investigators to follow (for a couple of cases per year that are significant enough).

p.s. how App Stores were designed by accepting binaries rather than source code for review is beyond me. Such an obvious oversight.

I seem to recall that was something Windows 98 introduced. It was possible to hide extensions in '95, but it wasn't a default until '98.

It's Windows 95.

Beyond the fact that W95 was a terrible POS security-wise, I can't find any more detailed information with a brief Google search. I wish there was a site that did in-depth analysis of how a virus worked and presented that technical information for public readers.

edit: Although, this is decent https://malware.wikia.org/wiki/ILoveYou

> W95 was a terrible POS

In their defense, it wasn't really designed for cash registers anyway.

Yes, but when you market yourself as a general purpose OS, someone is bound to use it somewhere they deem to be a general purpose. Not to mention it's easier for lay people to program things for Win95 than other OS due to availability and also due to VB.

When I was a kid and saw an out of order POS was showing Win95 desktop (could be NT. When did NT start having start menu?), I thought it was cool. I wanted to play Solitaire on it while waiting for my mom to finish paying at some other counter.

Whoosh! I believe the comment you replied to was a dad-joke level double entendre.

> When did NT start having start menu?

Windows NT 4 in 1996 had a similar shell to Windows 95.

> Whoosh! I believe the comment you replied to was a dad-joke level double entendre.

That was a master level dad joke. I didn't realize either until reading your comment.

Here is the source code: http://www.cexx.org/loveletter.htm

I love that the guy put in his email and physical location.

It was a .vbs that the user has to run by clicking on it

I was always impressed when they tracked down the Lahore based brothers behind the world's first computer virus outbreak, Brain.

It was made easier by the fact they included their address and phone in the code, back in the days when viruses were legal and everyone read the code.

Time did a Cyberpunk-esque classic write up at the time, but it is paywalled


Another blog- https://nustscienceblog.wordpress.com/2015/05/12/the-compute...

He did it because he could not afford internet access.

Security is an economic problem.

The economy is a technical problem. Just like computer viruses.

That's what money is. A technology. We need to make it into a high technology.

I can not afford a helicopter...

The optics are a bit different there...

Can we change the thread title to reference ILOVEYOU instead? I thought the article was about "Herbie", the TV show about a Volkswagen.

I assumed we were going to hear about the mechanic who maintained Herbie and is now making a living in a small car repair shop somewhere. Definitely a strange title.

I have to admit I was slightly disappointed it wasn't that. But this is an interesting story too.

It was called Love Bug by newspapers at the time: http://news.bbc.co.uk/2/hi/uk_news/736080.stm

Maybe: "Creator of Love-Bug computer virus (2000) tracked down..."

The Love Bug was actually a _film_ with multiple sequels. https://en.wikipedia.org/wiki/The_Love_Bug#Story_and_develop... It did get a lot of television play, though.

Herbie was also in several movies titled The Love Bug e.g. https://www.imdb.com/title/tt0064603/

Well, since we’re on the topic I read the word ‘repair’ as a verb.

I thought a shop in Manila had tracked down the bug’s creator to repair their computers.

Ok, we've added a worm to the bug above. Maybe that will work.

ILOVEYOU would probably trigger OWMYEYES complaints. Not the global minimum.

Maybe try "iloveyou worm"? Although it's admittedly less recognizable without the SHOUTINGCASE letters.

The best way to get this done is to mail hn@ycombinator.com, the link at the bottom of the page. They are quite responsive.

Me too. I was very confused.

I’m not sure I would’ve recognized it if it said “ILOVEYOU”. “Love Bug” was how the media referred to it at the time, and I immediately knew what the title was referencing. It sounds like I’m a minority here; I have no idea what “Herbie” is.

cc @dang

That doesn't work. You have to email hn@ycombinator.com to be sure that we'll see a message.

Well, relatively sure, anyhow. We sift through the spam bin pretty carefully.

You know, for years I was under the impression you had a script that grepped for references to @dang because I'd done this before to excellent effect.

Don't know where I got the idea.

Me too

I thought it was about A Bug's Life (Pixar)

It's weird that the BBC doesn't refer to the worm by its more well-known name: ILOVEYOU

ILOVEYOU malware is a less ambiguous headline and would result in fewer clicks.

Let alone might get actually blocked by content-inspecting AV because signatures are only added, not removed.

Only in Scunthorpe

The Wikipedia article has both names and the sources it cites seem to be divided about equally.

Media have an incentive to make titles misleading and incomplete.
