jwright@atanasoff.cs.iastate.edu (Jim Wright) (02/21/89)
Let me start out by saying that I in no way want to question Dave's motives, ethics, etc. I just believe the question of hiding/publicizing virus information warrants at least a little discussion.

In article <415@odin.cs.hw.ac.uk> davidf@cs.hw.ac.uk (David.J.Ferbrache) writes:
|Firstly, I have never in the past tried to hush up the virus issue, in fact
|I distribute the virus-l public mailing list to the UK, and have set up an
|information server to distribute details of known viruses, disinfection
|software and general information on viruses to any site in the UK.

I like this.

|Anyone involved in the virus field will know the widespread outrage that
|followed the release of the source code of even benign viruses. The entire
|field is very sensitive, and any person writing a report treads a wary line
|between being flamed for being secretive and being flamed for being too open.
|Sigh.

And so the question becomes, where to draw the line. I have no ready answer.

|There are strong indications that each time a virus's source code is
|published either in academic journal or popular journal, a large number
|of mutant strains pop up.

I believe this. Unfortunately it seems typical of the virus-writing vermin.

Hence the open question for net.discussion: At what point does information about viruses become too sensitive to be openly discussed? How much information do *you* want? Would you feel safer if only those who wrote protection software (plus the virus writers) knew what was going on? Does anybody care?
bnick@aucis.UUCP (Bill Nickless) (02/22/89)
In article <827@atanasoff.cs.iastate.edu>, jwright@atanasoff.cs.iastate.edu (Jim Wright) writes:
> Hence the open question for net.discussion: At what point does information
> about viruses become too sensitive to be openly discussed? How much
> information do *you* want? Would you feel safer if only those who
> wrote protection software (plus the virus writers) knew what was going
> on? Does anybody care?

The problem with censorship of any kind is that the censors are putting themselves in a position of controlling what others can learn. It's an "I know better than you, and you don't need to know that" attitude.

Even if we agree that only "those who wrote protection software" be apprised of new developments, who is going to decide on the distribution of the information? Do you give that information only to NSA employees, Ph.D.s, persons employed in a computer-based company with >100 employees, undergraduate computer science majors (like myself), high school hackers, or who?

Let's compare this to locksmithing. The technology of the typical Yale lock is rather old (try decades old!) and can be understood by someone with a minimal mechanical aptitude. Do we restrict that information? Not really. Do we restrict information on how to pick locks? No. We throw people in the slammer for picking locks or faking keys--and locksmiths too!

I suppose the same question could be asked about any security-related bug reports. If someone finds a bug in AT&T System V that allows them superuser privilege, I sincerely hope they spread the word that the capability exists to as large a cross-section of the net as possible, so there can be the largest possible chance of a fix or work-around. This also gives sysadmins the ability to watch for security violations taking place, and to take appropriate actions.

--
Bill Nickless    Andrews University    Computer Science Department
...!sharkey!aucis!bnick or bnick@aucis.UUCP    Unix Support Group
"Help! I'm locked up in this .signature factory!"