AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") (03/04/89)
Date: Fri, 3 Mar 89 11:00:58 GMT From: Doug Gwyn <haven!adm!smoke!gwyn@PURDUE.EDU> Subject: Re: virus info should not be supressed I (Dave) wrote: >Information about how viruses work should not be surpressed, period. >[...] potential victims (people who could have their houses broken >into or their data destroyed) need to know what risks are involved in >trusting their locks or their computer software. Doug writes: >Well, using your analogy with locks, the fact is that nearly any home >can be surreptitiously entered in only a few seconds by anyone >sufficiently clever and skillful who is also armed with the relevant >knowledge about how to exploit weaknesses in locking systems. > >[...] Obviously, under such circumstances, widespread publication of >ways to open residential locks, even if not in recipe format, is not >ethically justifiable. It isn't at all obvious to me. I maintain that the people who would abuse the knowledge already have it, and the people who won't deserve to know to exactly what degree they are vulnerable. The analogy between locks and computer software is far from perfect, and I believe much more strongly that computer virus information should be freely available than I believe that lock-breaking info should. --David A. Lyons bitnet: awcttypa@uiamvs DAL Systems CompuServe: 72177,3233 P.O. Box 287 GEnie mail: D.LYONS2 North Liberty, IA 52317 AppleLinkPE: Dave Lyons
gwyn@smoke.BRL.MIL (Doug Gwyn ) (03/05/89)
In article <8903031623.aa07644@SMOKE.BRL.MIL> AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") writes: >Doug writes: >>[...] Obviously, under such circumstances, widespread publication of >>ways to open residential locks, even if not in recipe format, is not >>ethically justifiable. >It isn't at all obvious to me. I maintain that the people who would >abuse the knowledge already have it, and the people who won't deserve >to know to exactly what degree they are vulnerable. Maybe I should have explicity stated what I thought was an obvious implication: The typical burglar does NOT have full information about how to exploit the weaknesses in residential security systems. Generally all they need to know is how to smash open a flimsy door or how to break a window; that's the sorry state of home security. Illegal entry via lockpicking or similar "surreptitious" means is relatively rare, and a good thing too -- insurance companies are less likely to pay off if there are no signs of forced entry. My contention is that arming burglars with the means of effecting easy surreptitious entry would turn an already bad problem into a serious disaster, and that the general public would not show any more sense about dealing with this problem than they show about anything else. Viruses spread via BBSes for the most part are more analogous to slipping the latch with a credit card or getting the key from under the doormat than to lockpicking. The major technical worry, for example, for DoD computers, concerns access by unauthorized users and misuse of resources by authorized users. These concerns existed before any significant attention was being paid to "viruses", and the folks working on solutions for these issues are quite well informed about viruses already. Widespread publication of virus information won't help noticeably with efforts to genuinely improve computer system security, but it may cause the public to clamor for ineffective, oppressive measures to be taken (such as the recent computer security bill). On the other hand, publication within the technical community should not pose a serious problem, because that community already is in a position to cause trouble if they want to. I generally agree with the contention that generic discussion of viral techniques in the technical community is not a problem, but that publication of source code etc. would pose a problem. That's because BBS operators are likely to publish such virus source code (or a compiled version) to puff up their phony self-image, with the consequence that numerous people who would never on their own work hard enough to come up with a functioning virus would use the posted ones instead, adding immensely to the number of people spreading the problem.