[news.sysadmin] The Internet Virus--A Commentary

rodgers@cca.ucsf.edu (Rick Rodgers) (11/08/88)

The New York Times has claimed that Robert Morris, Jr., a graduate student
in computer science at Cornell, was the author of the rogue program which
wreaked havoc on the Internet last week.  Not having seen a direct confession
from Mr. Morris, I think it appropriate to give him the benefit of doubt, and
not assume him guilty at present.  Therefore, in the remarks which follow I
prefer to use the word "culprit." Quite aside from the guilt or innocence of
Mr. Morris, the picture painted by the NYT raises serious ethical issues;
let us assume for a moment that the culprit is in every way as Mr. Morris is
described in the NYT stories.  The culprit, then, is a bright and technically
oriented young person who is socially reticent, and who perpetrated this act
out of boredom, having convinced himself that he intended no great mischief.
I leave aside interpretation of motives on the basis of the behavior of the
virus itself (the use of encryption/decryption, the fact that it did not seem
to be designed to destroy or corrupt files, etc.).  These questions arise:

1) The virus was reportedly intended as an "innocent" attempt to produce a
program which would propagate itself across machines on the network, leaving
a single copy per affected machine.  On what basis did the culprit decide that
the Arpanet was an appropriate location to carry out private experiments in
computer security; in what way can the insertion of ANY program in the machine
of someone else, without their consent, be considered "innocent?"

2) Given the frequency of programming errors in untested programs, how would
a technically experienced person assume that a program of this complexity would
work as designed the first time?  This is an act of considerable hubris.

3) If the culprit "quickly recognized that things had gone wrong," why did he
not IMMEDIATELY call local management authorities and inform them of the
problem, rather than delegating this to a friend, who then allegedly posted
instructions in an obscure place?  The first act represents a failure to
take responsibility for one's own actions, and the second a severe lapse in
judgment.

Looking forward rather than behind, there are two issues requiring our
attention, and in both instances it is vitally important that we avoid resort
to extremes.  The first is appropriate retribution for the culprit.  At one
extreme lies the argument that this individual is a hero who has done the
network community an enormous favor.  This camp would argue that the
unethical acts described above are outweighed by the benefits of closing the
security holes exposed by this particular virus.  Aside from the omniscience
which would be required to estimate the gains, this is a particularly
pernicious form of reasoning which  
leaves the network open to any tinkerer who believes he has a demonstration
of a security bug.  Moreover, there are alternative ways to bring such
knowledge to light in a constructive manner; after LOCAL tests, such a system
could be demonstrated to responsible colleagues, ARPAnet administrators, or
software engineers in companies affected by the bugs found.  One
can even envisage a network-wide test in which a thoroughly pre-tested and
truly benign virus is intentionally released, after prior announcement
(and with some sort of mechanism for consensual participation), with
software in place to monitor its (transient) dissemination and demise,
for the purpose of studying the behavior of the network.  The mode of
introduction of the actual virus had none of these earmarks of a serious
investigation, but does leave the perpetrator open to charges of exploitation
and exhibitionism.

The calculable loss in man-hours and computing-hours is considerable, as
revealed by a simple back-of-the-envelope computation designed to err on the
side of being too small.  Approximately 6,000 processors
were affected.  Let us assume (conservatively) that there was one person
affected for every five machines, and that 12 hours were devoted to handling
problems arising from the crisis.  This results in an estimate of 14,400 man
hours lost, equivalent to 360 40-hour man weeks (nearly 7 working man-years).
This ignores the (presumably considerable) indirect costs attributable to loss
of computing time per se.  Estimates of up to 100 man-years which have appeared
elsewhere can be seen as not preposterous.

Retribution is likely to be meted out at several levels, possibly including
criminal prosecution.  Lenient or harsh, the punishment should not contribute
to making the culprit into an underground hero.  This process is already well
underway when the popular press associates the words "brilliant" and "innocent" 
with the perpetrator and his actions.  Nor should the attention he has
managed to obtain result in lucrative job offers, or other inducements to
this form of behavior.

The second issue is less tangible but of great importance: the effect this may
have upon the openness and collegiality of the network, from which each of us
has benefitted.  It is here that the culprit may leave his most damaging (and
lasting) mark.  Communication requires openness, and open systems will always
be vulnerable in some respect; their integrity will always rely ultimately upon
the decency and good judgment of the participants.

--------------------------------------------------------------------------------
R. P. C. Rodgers, M.D.                  Telephone:
Statistical Mechanics of Biomolecules   (415)476-8910 (work)
Department of Pharmaceutical Chemistry  (415)664-0560 (home)
University of California, Box 1204      E-mail:
Laurel Heights Campus, Room 102         ARPA:   rodgers@cca.ucsf.edu
3333 California St.                             rodgers@maxwell.mmwb.ucsf.edu
San Francisco CA 94118                  BITNET: rodgers@ucsfcca
USA                                     UUCP:
                                     ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers
--------------------------------------------------------------------------------
-- 
R. P. C. Rodgers, Statistical Mechanics of Biomolecules, Dept. of Pharm. Chem.,
University of California, San Francisco CA 94118  (415)476-8910
(ARPA: rodgers@cca.ucsf.edu, BITNET: rodgers@ucsfcca,
UUCP: ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers)

shz@packard.UUCP (S. Zirin) (11/09/88)

Just a minor correction:  Substitute "staff" for each occurrence of "man"
in the below fragment, yielding "staff-hours", "staff-weeks" and
"staff-years".

Seth Zirin
att!packard!shz

In article <1460@ucsfcca.ucsf.edu> rodgers@cca.ucsf.edu.UUCP writes:
>The calculable loss in man-hours and computing-hours is considerable, as
>revealed by a simple back-of-the-envelope computation designed to err on the
>side of being too small.  Approximately 6,000 processors
>were affected.  Let us assume (conservatively) that there was one person
>affected for every five machines, and that 12 hours were devoted to handling
>problems arising from the crisis.  This results in an estimate of 14,400 man
>hours lost, equivalent to 360 40-hour man weeks (nearly 7 working man-years).
>This ignores the (presumably considerable) indirect costs attributable to loss
>of computing time per se.  Estimates of up to 100 man-years which have appeared
>elsewhere can be seen as not preposterous.
>
>R. P. C. Rodgers, M.D.

dave@jplopto.uucp (Dave Hayes) (11/09/88)

Dr. R. P. C. Rodgers, thank YOU for your refreshingly rational look at an 
issue which has already gone to the point of emotional extremism for some.
In the same spirit, I would like to take the opportunity to answer some of your
questions.

>2) Given the frequency of programming errors in untested programs, how would
>a technically experienced person assume that a program of this complexity would
>work as designed the first time?  This is an act of considerable hubris.

On the contrary, there are some programmers who can make extremely complex 
programs work the first time. To be sure, they are rare. But it is within the realm
of possibility. If we assume, for the moment, that Mr. Morris was indeed the culprit,
some of his statements to the Times indicated that the virus was not yet
completed. According to various accounts the virus "got out of hand" much faster 
than was intended, most probably during a debug session. How does one debug a 
virus? One could assume that at some point, the replication mechanisms would
work but the other mechanisms (perhaps malign) were still inoperative pending
further testing. Perhaps the culprit released the virus too soon and whatever
constant held the "replication factor" was too large. 

> 3) If the culprit "quickly recognized that things had gone wrong," why did he
> not IMMEDIATELY call local management authorities and inform them of the
> problem, rather than delegating this to a friend...
                                                     
Let's get real here. If the culprit deleted any trace of the files used
to generate the virus, there would be no obvious way to prove the culprit's guilt
except for a frantic phone call to local management. If I were the culprit, 
I would trust my friends more than I would trust local management. Still, with 
an operation of that magnitude it's a wonder that the culprit would tell ANYBODY
at all. It is reasonable to assume that the person responsible is bright enough
to know the consequences of any malicious act perpetrated on thousands of computers
belonging to government, industry, and schools. This line of reasoning makes me 
wonder if Mr. Morris is a culprit or a scapegoat. 

While I, and many other system administrators, will not condone malicious
hacking, this appears to be the only vehicle for plugging security holes
that is effective in a short period of time. And while it is never possible
to make a truly secure system, we can sure come a lot closer than we are now.

-------------------------------------------------------
        The opinions expressed here are my own         
       and not necessarily those of my employer.  
------------=====<<<<(Dave Hayes)>>>>=====-------------
          dave%jplopto@jpl-mil.jpl.nasa.gov 
          {cit-vax,ames}!elroy!jplopto!dave  

rk@bigbroth.UUCP (rohan kelley) (11/09/88)

In article <1460@ucsfcca.ucsf.edu>, rodgers@cca.ucsf.edu (Rick Rodgers) writes:
>
>                                   Quite aside from the guilt or innocence of
> Mr. Morris, the picture painted by the NYT raises serious ethical issues;
>
>                                The culprit, then, is a bright and technically
> oriented young person who is socially reticent, and who perpetrated this act
> out of boredom, having convinced himself that he intended no great mischief.
>
> 3) If the culprit "quickly recognized that things had gone wrong," why did he
> not IMMEDIATELY call local management authorities and inform them of the
> problem, rather than delegating this to a friend, who then allegedly posted
> instructions in an obscure place?  The first act represents a failure to
> take responsibility for one's own actions, and the second a severe lapse in
> judgment.
>
>                 It was here that the culprit may leave his most damaging (and
> lasting) mark.  Communication requires openness, and open systems will always
> be vulnerable in some respect; their integrity will always rely ultimately upon
> the decency and good judgment of the participants.
>

What rick rogers has done is make a strong case for requiring a course
in ethics for every CS major.  It may not work, but a little more
ethics in all our professions wouldn't hurt.  We put some pretty
powerful stuff in the hands of some pretty young (and sometimes
immature) individuals in the CS courses across the country.  

Perhaps we should also tell them something of the ethics required for
the "open systems" to do what it was intended!

rk

jbn@glacier.STANFORD.EDU (John B. Nagle) (11/10/88)

In article <11029@elroy.Jpl.Nasa.Gov> dave@jplopto.UUCP (Dave Hayes) asks:
>How does one debug a virus?

     On an isolated network of machines, obviously.  

					John Nagle

henry@utzoo.uucp (Henry Spencer) (11/10/88)

In article <698@packard.UUCP> shz@packard.UUCP writes:
>Just a minor correction:  Substitute "staff" for each occurrence of "man"
>in the below fragment, yielding "staff-hours", "staff-weeks" and
>"staff-years".

From a handy dictionary:

"man, n. [pl. men]  1, a mammal of the genus Homo.  2, a person; a human
being.  3, the human race; mankind..."

If they have non-human staff, then I can see the legitimacy of the objection!

(I have no quarrel with people who prefer to avoid the use of masculine
words as generic forms, provided that readability does not suffer, but
criticizing people for using legitimate English is ridiculous.)
-- 
The Earth is our mother.        |    Henry Spencer at U of Toronto Zoology
Our nine months are up.         |uunet!attcan!utzoo!henry henry@zoo.toronto.edu

spaf@cs.purdue.edu (Gene Spafford) (11/10/88)

In article <236@bigbroth.UUCP> rk@bigbroth.UUCP (rohan kelley) writes:
>What rick rogers has done is make a strong case for requiring a course
>in ethics for every CS major.  It may not work, but a little more
>ethics in all our professions wouldn't hurt.  We put some pretty
>powerful stuff in the hands of some pretty young (and sometimes
>immature) individuals in the CS courses across the country.  

Funny you should mention that.  I'm on a taskforce of ACM & IEEE-CS
members working to define "Curriculum 90" for CS & CS undergraduate
programs.  The members of the entire committee have been in agreement
for the last year that there will be a substantial, required amount of
work in ethics and professionalism as part of the recommended undergrad
major.  We have been worried that many schools would fight such
a recommendation.  Thanks to the worm incident, I doubt we'll
have quite so much resistance.

Now if only we could get some Thorazine into Weemba and teach him
about professionalism....
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

mrm@sceard.UUCP (M.R.Murphy) (11/11/88)

In article <5365@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
|In article <236@bigbroth.UUCP> rk@bigbroth.UUCP (rohan kelley) writes:
|>What rick rogers has done is make a strong case for requiring a course
|>in ethics for every CS major.  It may not work, but a little more
|>ethics in all our professions wouldn't hurt.  We put some pretty
|>powerful stuff in the hands of some pretty young (and sometimes
|>immature) individuals in the CS courses across the country.  
|
|Funny you should mention that.  I'm on a taskforce of ACM & IEEE-CS
|members working to define "Curriculum 90" for CS & CS undergraduate
|programs.  The members of the entire committee have been in agreement
|for the last year that there will be a substantial, required amount of
|work in ethics and professionalism as part of the recommended undergrad
|major.  We have been worried that many schools would fight such
|a recommendation.  Thanks to the worm incident, I doubt we'll
|have quite so much resistance.
Lawyers-To-Be attend required ethics courses. Draw your own conclusions about
the efficacy of ethics courses.
|
|Now if only we could get some Thorazine into Weemba and teach him
|about professionalism....
We're all amateurs.
|-- 
|Gene Spafford
|NSF/Purdue/U of Florida  Software Engineering Research Center,
|Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
|Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf
--
Mike Murphy  Sceard Systems, Inc.  544 South Pacific St.  San Marcos, CA  92069
UUCP: {nosc,ucsd}!sceard!mrm     INTERNET: mrm%sceard.UUCP@ucsd.ucsd.edu

hans@duttnph.UUCP (Hans Buurman) (11/11/88)

In article <5365@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>Funny you should mention that.  I'm on a taskforce of ACM & IEEE-CS
>members working to define "Curriculum 90" for CS & CS undergraduate
>programs.  The members of the entire committee have been in agreement
>for the last year that there will be a substantial, required amount of
>work in ethics and professionalism as part of the recommended undergrad
>major.  We have been worried that many schools would fight such
>a recommendation.  Thanks to the worm incident, I doubt we'll
>have quite so much resistance.
>
>Now if only we could get some Thorazine into Weemba and teach him
>about professionalism....

Come on, Mr. Spafford. You cannot believe that a course in ethics
will get each and every undergraduate to live by the rules. And remember,
it's the individual that we're afraid of, not the group.

I live in a country where they do such things. If somebody is nasty to
(put any minority from rec.humor here :-), they will have a rule forbidding
it and pressure groups and lessons in schools telling you why you shouldn't
do it, from a Catholic, Protestant, Humanist, or any other point of view.
And although this seems to work somewhat (I think we're kind of a nice
people, a bit boring perhaps), it doesn't mean that there are no exceptions.

There is also the fact that doing something bad has an extra appeal to
some people. See the "are you absolutely sure you want to do this"
message rn issues when you are posting for an example.

This doesn't mean that you shouldn't teach ethics. It just isn't the
solution. What you're trying to teach Weemba is idealism, and I don't think
he'll buy that.


-----------------------------------------------------------------------------
Hans Buurman                   | hans@duttnph.UUCP
Pattern Recognition Group      | mcvax!dutrun!duttnph!hans
Faculty of Applied Physics     | tel. 31 - (0) 15 - 78 46 94
Delft University of Technology |
the Netherlands                |
-----------------------------------------------------------------------------
Disclaimer: any opinions expressed above are my own.

cramer@optilink.UUCP (Clayton Cramer) (11/11/88)

In article <5365@medusa.cs.purdue.edu>, spaf@cs.purdue.edu (Gene Spafford) writes:
. In article <236@bigbroth.UUCP> rk@bigbroth.UUCP (rohan kelley) writes:
. .What rick rogers has done is make a strong case for requiring a course
. .in ethics for every CS major.  It may not work, but a little more
. .ethics in all our professions wouldn't hurt.  We put some pretty
. .powerful stuff in the hands of some pretty young (and sometimes
. .immature) individuals in the CS courses across the country.  
. 
. Funny you should mention that.  I'm on a taskforce of ACM & IEEE-CS
. members working to define "Curriculum 90" for CS & CS undergraduate
. programs.  The members of the entire committee have been in agreement
. for the last year that there will be a substantial, required amount of
. work in ethics and professionalism as part of the recommended undergrad
. major.  We have been worried that many schools would fight such
. a recommendation.  Thanks to the worm incident, I doubt we'll
. have quite so much resistance.
. 
. Gene Spafford

So tell me: how will a *class* in ethics make someone more responsible
and concerned about right and wrong?  I don't think I've ever seen a
person become responsible or moral as a result of a class -- this seems
to be a set of values kids acquire (or don't acquire) pretty young.

-- 
Clayton E. Cramer
..!ames!pyramid!kontron!optilin!cramer

jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/11/88)

In article <1988Nov9.200939.6069@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
|In article <698@packard.UUCP> shz@packard.UUCP writes:
|>Just a minor correction:  Substitute "staff" for each occurrence of "man"
|>in the below fragment, yielding "staff-hours", "staff-weeks" and
|>"staff-years".
|
|From a handy dictionary:
|
|"man, n. [pl. men]  1, a mammal of the genus Homo.  2, a person; a human
|being.  3, the human race; mankind..."
|
|If they have non-human staff, then I can see the legitimacy of the objection!

Henry - [ and others ]

I suspect the complaint was that not only were individuals involved [ and
hence 'man-hours' ] but entire EDP staffs were tied up with the Internet
virus.

I will be very seriously pissed off if Wormer gets off with no jail time.
-- 
John F. Haugh II                        +----Make believe quote of the week----
VoiceNet: (214) 250-3311   Data: -6272  | Nancy Reagan on Artifical Trish:
InterNet: jfh@rpp386.Dallas.TX.US       |      "Just say `No, Honey'"
UucpNet : <backbone>!killer!rpp386!jfh  +--------------------------------------

pjh@mccc.UUCP (Pete Holsberg) (11/12/88)

In article <1988Nov9.200939.6069@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
=From a handy dictionary:
=
="man, n. [pl. men]  1, a mammal of the genus Homo.  2, a person; a human
=being.  3, the human race; mankind..."
=
=If they have non-human staff, then I can see the legitimacy of the objection!
=
=(I have no quarrel with people who prefer to avoid the use of masculine
=words as generic forms, provided that readability does not suffer, but
=criticizing people for using legitimate English is ridiculous.)

=The Earth is our mother.        |    Henry Spencer at U of Toronto Zoology
                                                            ^^^^^^^
                                                            
And when someone says, "Will all Americans please stand up.", do you
leap to your feet?  Yes or no?



-- 
Pete Holsberg                   UUCP: {...!rutgers!}princeton!mccc!pjh
Mercer College			CompuServe: 70240,334
1200 Old Trenton Road           GEnie: PJHOLSBERG
Trenton, NJ 08690               Voice: 1-609-586-4800

nelson@sun.soe.clarkson.edu (Russ Nelson) (11/12/88)

In article <17827@glacier.STANFORD.EDU> jbn@glacier.STANFORD.EDU (John B. Nagle) writes:

   In article <11029@elroy.Jpl.Nasa.Gov> dave@jplopto.UUCP (Dave Hayes) asks:
   >How does one debug a virus?

	On an isolated network of machines, obviously.  

Or restrict the virus to a given subnet.  Like immunizing people with
a "killed virus".
--
--russ (nelson@clutx [.bitnet | .clarkson.edu])
To surrender is to remain in the hands of barbarians for the rest of my life.
To fight is to leave my bones exposed in the desert waste.

jerry@olivey.olivetti.com (Jerry Aguirre) (11/12/88)

In article <17827@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>In article <11029@elroy.Jpl.Nasa.Gov> dave@jplopto.UUCP (Dave Hayes) asks:
>>How does one debug a virus?
>
>     On an isolated network of machines, obviously.  
>
>					John Nagle

There are simpler ways than dedicating a group of systems and the
network connecting them.  The most obvious is to cripple the virus (or
worm) so it can't live on normal systems.  Say something like:

		test -f /tmp/worm_ok || exit

in the startup script or the equivalent in program code.  Another way is
to build in a list of host addresses that can be infected.  The code that
sets up the network connection could then take an error return if the
requested address wasn't in the list.

linimon@killer.DALLAS.TX.US (Mark Linimon) (11/12/88)

In article <5365@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>Now if only we could get some Thorazine into Weemba and teach him
>about professionalism....

Agreed.  Possibly we could just get him a job, like you and I have.

My advice to Mr. Weemba: get a job, get a life, and grow up.

Mark Linimon
Mizar
uucp: {convex, killer}!mizarvme!linimon

spaf@cs.purdue.edu (Gene Spafford) (11/12/88)

This is not the forum to discuss pedagogical philosophy, nor do I have
the time or energy to debate it.  However, many people on this net
seem to believe that every problem must be possible to solve with a
single answer.  That ain't necessarily so.  Sometimes, you advance
in increments, be they increments of making your system more secure,
or increments of guiding students to discover how to deal with
questions of right and wrong they may not have even discovered
existed.

In particular:
In article <542@dutrun.UUCP> hans@duttnph.UUCP (Hans Buurman) writes:
>Come on, Mr. Spafford. You cannot believe that a course in ethics
>will get each and every undergraduate to live by the rules. And remember,
>it's the individual that we're afraid of, not the group.

I never claimed a course in ethics (or anything else) will help each
and every undergraduate live by the rules.  However, it will help a
significant number of students understand the rules a bit better than the
current system does, and that is important.  If we advance the average,
it is a gain even if we don't advance every point.  There will always
be some students who cannot be reached through anything we do -- they
act as if they know everything already.  A few of them even post here
regularly :-)

We think a course requirement in professional and ethical issues
will be an aid, not a "cure."
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

pjh@mccc.UUCP (Pete Holsberg) (11/13/88)

The function of a class on ethics is to raise the consciousness of the
attendees.  There are probably *many* young programmers/students/?? who
don't realize that breaking into someone's machine is wrong.

Of course, it will not deter those who know it is wrong but do it anyway.

-- 
Pete Holsberg                   UUCP: {...!rutgers!}princeton!mccc!pjh
Mercer College			CompuServe: 70240,334
1200 Old Trenton Road           GEnie: PJHOLSBERG
Trenton, NJ 08690               Voice: 1-609-586-4800

root@utoday.UUCP (Ross M. Greenberg) (11/13/88)

Perhaps a class in ethics over the next few years might show how many
users of the net were adversely affected by this worm attack, and how
doing such a thing (affecting so many people without their permission)
might be something called "unethical"?

Perhaps just using RTM (if, indeed, he was the bad guy) as an example
of what happens to a person when they lack ethics?

Ross M. Greenberg

{my own views}

bzs@encore.com (Barry Shein) (11/13/88)

>So tell me: how will a *class* in ethics make someone more responsible
>and concerned about right and wrong?  I don't think I've ever seen a
>person become responsible or moral as a result of a class -- this seems
>to be a set of values kids acquire (or don't acquire) pretty young.
>-- 
>Clayton E. Cramer

You're missing the point. The intention is not to mend the broken, the
intention is to try to get a bunch of mostly young people in a room
once and try to convince them not to do some of these things.

Part of the method would be:

	a) Convincing them that *most* of the obnoxious things they
	are going to think up are not clever and have been tried before.
	Making them memorize a long list of pranks might really dampen
	the adolescent enthusiasm that they've thought up something
	clever. NOTE: I DO NOT THINK WHAT RTM (ALLEGEDLY) DID WAS
	CLEVER, it was stupid and obvious, all of it.

	b) Informing them of the possible outcome of their behavior,
	if they must, is useful. I wish I had a nickel for every kid
	who said "gee, it was *only* a joke". F**K YOU! That's not
	a JOKE! YOU WANT A JOKE, HERE'S A JOKE!..."rm -rf ~yourname"
	HA HA HA, now go away...

	Someone has to say at least once that files are property and
	represent people's work, that the support staff's time is
	valuable and is as amused at your horsing around as your
	typical chemical lab TA is amused at you throwing reagents
	about the room.

	AND, that there could very well be legal implications of your
	actions beyond our control, what they are, and what results
	you might expect (eg. if you break into someone else's private
	files and they decide to press charges or sue you may very
	well be up the proverbial creek if the evidence is there,
	and it has *nothing* to do with local policy, sorry.)

	c) Finally, what is expected of people on public networks,
	beyond "the obvious". Things like which ones frown on commercialism
	(an error I've seen new users make innocently trying to help
	a friend make a buck.)

The whole problem here is ignorance. If given the information they
still choose to ignore it (and hopefully there will be less such
problems as at least some will be convinced, even if only of the
detectability of their acts and consequences) well you did the
best you could. At least you did *something* which probably helped
somewhat.

Actually, I'd go one step further and require a course like the above
and certification of completion as a minimum requirement to obtain
access to a computer attached, even indirectly, to a public network.

Failure to obey this could result in an institution's loss of access
to networks and quite possibly denial of contracts from research
agencies, at least as a second-order effect.

Failure by the individual (at any point in his/her career) could
result in revocation of his/her certification and consequent loss of
ability to earn a living or an education (etc) in this field (after
due process) and permanent notation of the facts of the case available
for security or employment review (maybe, I'd be glad to hear
arguments about the accessibility issue tho it's not critical.)

Seems better than facing 20 years in prison and other lynch-mob stuff
the public will dream up, allows professionals to have an effective
hand in reviewing infractions rather than going immediately to the
public courts where there's no requirement that the judge or jury have
any understanding of the details of the infraction and provides an
effective and direct method of punishment for those who are found
guilty, loss of livelihood in this field. Of course further criminal
and economic liabilities are possible, but at least there is a first
line of action.

	-Barry Shein, ||Encore||

P.S. This is an argument for absolute minimal and mostly ethical
competence, not for actual competence in the field which I will agree
is a whole other can o' worms. Think of it more like a driver's or ham
radio operator's license than a professional certification of
competence.  Proof that you might know actions and consequences
relating to misuse of shared computing facilities and the opportunity
to lose access.

daveb@gonzo.UUCP (Dave Brower) (11/13/88)

In article <5390@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>In article <542@dutrun.UUCP> hans@duttnph.UUCP (Hans Buurman) writes:
>>Come on, Mr. Spafford. You cannot believe that a course in ethics
>>will get each and every undergraduate to live by the rules. And remember,
>>it's the individual that we're afraid of, not the group.
>
>I never claimed a course in ethics (or anything else) will help each
>and every undergraduate live by the rules.  However, it will help a
>significant number of students understand the rules a bit better than the
>current system does, and that is important...

As a data point, I observe that the curriculum required by most Bar
Associations for accreditation of law schools includes courses in
"Professional Responsibility."  My dim recollection is that this was
added in the '70s after Watergate in response to the belief that the
legal training had failed to instill proper ethics.

I don't know if this is seen as a successful innovation.  It would be
hard to say that lawyers are generally more ethical now than they were
generally in 1972.  Certainly the public confidence in that profession
has not been increased in the aftermath.

This is a very difficult issue.  To add something to a curriculum means
dropping something else.  Should we trade "Formal Testing methods" for
"Professional Responsibility?"

The central issue is public confidence in computer systems and their
related formal and informal institutions.  It is why Universities take
such a hard line on plagiarism and why lawyers do get disbarred.

This case points questions at the professional/academic computer science
community.  Is this an isolated case to be dismissed, or an indication
of the same general ethical laxity widely believed to exist in the legal
profession?

It is therefore *most* troubling that the worm-master of the Internet is
believed to be a fairly typical hacker/scientist within the
academic/professional community.  It would be much easier to dismiss if
this were the proverbial 14 year old with an Apple-II and a modem.  Then
the finger wouldn't be pointed at us.

And yet, as one previous poster noted, most personal ethical systems are
in place before one gets to college.  The kid who was a cracker at 14
seems unlikely to be changed by a one semester course at 21.

I was tempted to restrict followups to comp.edu, but chose not to. This
may very well be the most important discussion that has ever taken place
on the network, and it seems unwise to limit it or wish that it would
just go away.

-dB

scott@attcan.UUCP (Scott MacQuarrie) (11/13/88)

In article <398@mccc.UUCP>, pjh@mccc.UUCP (Pete Holsberg) writes:
>                                                             
> And when someone says, "Will all Americans please stand up.", do you
> leap to your feet?  Yes or no?
> 
Do you mean North or South Americans?


;-)

Scott MacQuarrie
AT&T Canada Inc.
uunet!attcan!scott

p.s. My opinions are my own

spaf@cs.purdue.edu (Gene Spafford) (11/14/88)

In article <460@gonzo.UUCP> daveb@gonzo.UUCP (Dave Brower) writes:
>This is a very difficult issue.  To add something to a curriculum means
>dropping something else.  

Why do you say that?  If we add material on parallel architectures and
algorithms, does that mean that we should drop OS?  Or if we add a section
on functional languages, we should drop any mention of compilers?

A curriculum is an evolving thing meant to instruct students both in
the important topics and in how to integrate those topics and continue
their education.  Adding new material does not always mean something
else gets dropped.  It can mean that some older topics get less emphasis,
or it could simply mean that there is another required course added to the
core.
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

kent@ssbell.UUCP (Kent Landfield) (11/14/88)

In article <457@utoday.UUCP> root@.UUCP (Ross M. Greenberg) writes:
>Perhaps a class in ethics over the next few years might show how many
>users of the net were adversely affected by this worm attack, and how
>doing such a thing (affecting so many people without their permission)
>might be something called "unethical"?

Excuse me, but how is a class on ethics going to *show* anything?

>Perhaps just using RTM (if, indeed, he was the bad guy) as an example
>of what happens to a person when they lack ethics?

I am so glad that I live in a country where members of the press are
not biased in any way, and that they do not condone kangaroo courts. :-)
RTM has been tried and convicted thousands of times since Nov 3. It 
is nice to know that members of the press are jumping on the band wagon 
as well. Perhaps a class in ethics is in order, but don't think that
just because you are not a programmer/systems person that you are above
attending.

>Ross M. Greenberg
>{my own views}

It's a good thing. I'd hate to think that this is the quality of
thought that goes into producing UNIX!Today.
----
Kent Landfield                    Phone:    (402) 291-8300 
Sterling Software FSG/IMD         e-mail: kent@ssbell
1404 Ft. Crook Rd. South          This seat is occupied.
Bellevue, NE. 68005-2969          FAX:    (402) 291-4362

pjh@mccc.UUCP (Pete Holsberg) (11/15/88)

In article <3474@vpk4.UUCP> scott@attcan.UUCP (Scott MacQuarrie) writes:
=In article <398@mccc.UUCP>, pjh@mccc.UUCP (Pete Holsberg) writes:
=>                                                             
=> And when someone says, "Will all Americans please stand up.", do you
=> leap to your feet?  Yes or no?
=> 
=Do you mean North or South Americans?
=
=
=;-)
=
=Scott MacQuarrie
=AT&T Canada Inc.
=uunet!attcan!scott
=
=p.s. My opinions are my own


I thought that Henry was a Norte Americano, amigo.  No?
-- 
Pete Holsberg                   UUCP: {...!rutgers!}princeton!mccc!pjh
Mercer College			CompuServe: 70240,334
1200 Old Trenton Road           GEnie: PJHOLSBERG
Trenton, NJ 08690               Voice: 1-609-586-4800