gillies@p.cs.uiuc.edu (11/15/88)
I believe we should string Robert Morris up by his thumbnails.
Why? Consider this. Ten years from now, a graduate student in
biology decides to make a *REAL* virus. He says, "geez, why hasn't
the NIH innoculated the general population against this virus?
Obviously, any strain of X, Y, or Z could mutate into this virus at
any time, causing lots of harm!" So secretly, he builds the virus.
He intends to show off a weakend form of the virus, to get people to
do something. But before he finishes it, he makes a serious mistake,
and the virus escapes in mutant form. Millions of deaths follow.
What would you do to this person? How can you (ethically)
differentiate between this graduate student and Robert Morris?
We are so lucky that digital systems don't die from software bugs
(usually).
Don Gillies, Dept. of Computer Science, University of Illinois
1304 W. Springfield, Urbana, Ill 61801
ARPA: gillies@cs.uiuc.edu UUCP: {uunet,harvard}!uiucdcs!gilliesjohn@stiatl.UUCP (John DeArmond) (11/16/88)
In article <79700016@p.cs.uiuc.edu> gillies@p.cs.uiuc.edu writes: > >I believe we should string Robert Morris up by his thumbnails. > >Why? Consider this. Ten years from now, a graduate student in >biology decides to make a *REAL* virus. He says, "geez, why hasn't >the NIH innoculated the general population against this virus? >Obviously, any strain of X, Y, or Z could mutate into this virus at >any time, causing lots of harm!" So secretly, he builds the virus. >He intends to show off a weakend form of the virus, to get people to >do something. But before he finishes it, he makes a serious mistake, >and the virus escapes in mutant form. Millions of deaths follow. > >What would you do to this person? How can you (ethically) >differentiate between this graduate student and Robert Morris? > > >We are so lucky that digital systems don't die from software bugs >(usually). > > >Don Gillies, Dept. of Computer Science, University of Illinois >1304 W. Springfield, Urbana, Ill 61801 >ARPA: gillies@cs.uiuc.edu UUCP: {uunet,harvard}!uiucdcs!gillies Gawd!!!! This is getting out of control. I'm usually highly resistant to name calling but damned if this is not the stupidest thing I've ever heard. Are you really so weak between the ears that you cannot distinguish the difference between filling some memory with extraneous bits and mass murder? Does you school allow students to get anywhere near a recombinant DNA lab without some qualification and control? God, I hope not. That'd be like allowing just any old student to walk into the nuclear engineering lab and pull rods on the reactor. And do you really think any degree of punishment of Morris would have even an iota of effect on anyone so sick as to try your form of mass murder? lets face it.. About the worst thing Morris could have done if he'd been of a mind would have been to clean off every file system on the Arpanet. Big Deal!!! Sure, it would piss me off and I'd waste a bunch of time and perhaps loose some irreplacable data but outside of my maybe beating my head against the wall, no one would have suffered any real injury. And if you are foolish enough to have ANY vital function computer on the Arpanet or any other public net, then you pretty much deserve what you get. In reality, Morris wasted a few hours of each of a few dozen to perhaps a hundred people. *WOW* If that's so bad, then I would have to ask the rhetorical question: How many thousand man-hours are wasted on Net- news each day? (waste = (total hours) - (hours getting something useful)) I'd think the Morris worm would pale by comparison. anyway, back to wasting time.... John De Armond
desnoyer@Apple.COM (Peter Desnoyers) (11/17/88)
In article <79700016@p.cs.uiuc.edu> gillies@p.cs.uiuc.edu writes: >Why? Consider this. Ten years from now, a graduate student in >biology decides to make a *REAL* virus. [...] Millions of deaths >follow. > >What would you do to this person? How can you (ethically) >differentiate between this graduate student and Robert Morris? Trivially. Count the number of human deaths. 0 vs. millions. Count the number of potential, forseeable deaths. 0 vs. millions. If Morris had destroyed (shot, blown up, whatever) each of those thousands of computers - none of which were performing life-critical functions - he still would not be guilty of a single attempted or successful murder. Peter Desnoyers
duncan@geppetto.ctt.bellcore.com (Scott Duncan) (11/17/88)
In article <1564@stiatl.UUCP> john@stiatl.UUCP (John DeArmond) writes: > >In reality, Morris wasted a few hours of each of a few dozen to perhaps >a hundred people. *WOW* If that's so bad, then I would have to ask >the rhetorical question: How many thousand man-hours are wasted on Net- >news each day? (waste = (total hours) - (hours getting something useful)) >I'd think the Morris worm would pale by comparison. My understanding of what I've heard about the scope and effect of this problem suggests that many more than "a few dozen to perhaps a hundred people" were involved. This impact on system performance seems to have been such that many users of the affected systems experienced noticeable loss or degradation of system performance. There was also the time needed by some installations, I gather from trying to interpret what I read here, to bring their systems back up and reinstall some software and files. I cannot judge myself what the actual effect may have been in specific cases, but it certainly sounds like more than a few people were affected. ------------ speaking only for myself, of course, I am: Scott P. Duncan (duncan@ctt.bellcore.com OR ...!bellcore!ctt!duncan)
fransvo@htsa (Frans van Otten) (11/17/88)
In article <79700016@p.cs.uiuc.edu> gillies@p.cs.uiuc.edu writes: >Ten years from now, a graduate student in >biology decides to make a *REAL* virus. He says, "geez, why hasn't >the NIH innoculated the general population against this virus? [...] >Millions of deaths follow. The biology-student above found a 'bug' in the human body. He wants to warn the world, doing this the same way Mr. Morris warned us. That's all they have in common. Mr. Morris merely showed the bugs by creating a essential harmless worm. In contrast, the biology-student didn't just show the bugs, but in the same act he caused the deaths he wanted to warn for. >How can you (ethically) >differentiate between this graduate student and Robert Morris? Easy. -- Frans van Otten Algemene Hogeschool Amsterdam Technische en Maritieme Faculteit fransvo@htsa.uucp
rjfrey@kepler1.UUCP (Robert J Frey) (11/18/88)
In article <1564@stiatl.UUCP> john@stiatl.UUCP (John DeArmond) writes: >...lets face it.. About the worst thing Morris could have done if he'd been >of a mind would have been to clean off every file system on the Arpanet. >Big Deal!!!... > >In reality, Morris wasted a few hours of each of a few dozen to perhaps >a hundred people. *WOW* ... Now, I don't favor stringing up Morris by his thumbs, neither do I believe one can realistically equate the release of the Internet worm with the release of a potentially deadly biological agent; however, I can't join the camp of the Morris apologists either. First of all, if I fail to lock my front door and am burgled, that may very well mean I'm careless, but it doesn't mean the burgler is any less guilty of a crime. And I certainly wouldn't pat the burgler on the back for letting me know how important locked doors are! Even if there are some positive results which are incidental to the worm attack, they in no way whatsoever serve to mitigate Morris's guilt or limit his liability for any damages. As far as the true cost of the worm, I think you grossly underestimate the damages, both actual and potential. Here your comments about the amount of time wasted on the net anyway are totally irrelevant. I am entitled to waste my own time. YOU are not entitled to do it for me. Nor is the fact that lots of other people are doing bad things serve as a defence for me to do them too. Also, I think you don't understand that computers are a mature technology that's used to real work in our society. I don't know what all of the 6,000 systems disrupted were doing, and I don't think you do either, but the consequential damages from such a disruption are potentially enormous. The actual damages were not a few hundred hours, it was more like tens of thousands of hours. Not to mention the emotional turmoil and stress. What "should" happen to Morris? I think he should be prosecuted, though we should duly note that he wasn't deliberately trying to hurt anyone. He should also be held liable for the damages both direct and consequential that his handiwork caused. I also believe that should his assets prove to be insufficient to cover those claims Cornell should be liable to the extent that their own negligence contributed to those damages. ============================================================================== |Dr. Robert J. Frey | {icus, spl1, dasys1}!acsm!kepler1!rjfrey | |Kepler Financial Management, Ltd.|------------------------------------------| |100 North Country Rd., Bldg. B | The views expressed are wholly my own and| |Setauket, NY 11766 | and do not reflect those of the Indepen- | |(516) 689-6300 x.16 | dent Republic of Latvia. | ==============================================================================
moore@svax.cs.cornell.edu (Doug Moore) (11/19/88)
In article <15@kepler1.UUCP> rjfrey@kepler1.UUCP (Robert J Frey) writes: >What "should" happen to Morris? I think he should be prosecuted, though >we should duly note that he wasn't deliberately trying to hurt anyone. He >should also be held liable for the damages both direct and consequential >that his handiwork caused. I also believe that should his assets prove >to be insufficient to cover those claims Cornell should be liable to the >extent that their own negligence contributed to those damages. I don't know Morris. Morris is not a friend of mine. And I am no Robert Morris. Most students here are not prone to the kind of irresponsible behavior that caused this brouhaha. When you accuse Cornell of negligence in this matter, you are patently unfair in at least 3 ways. First, and most selfishly, you threaten me. I don't want to fill out weekly forms detailing what use I have made of Cornell computers in the last 7 days. And I can't think of anything Cornell could have done to prevent this, short of instituting just this kind of totalitarian, bureaucratic chaos. Second, institutional blame must fall at least as heavily on other institutions that Morris used to propagate his worm. While he was physically at Cornell, he actually started the worm at MIT. He had it send messages to Berkeley. I daresay he still has some accounts at Harvard. Are some or all of these institutions also financially liable for damages? Finally, what of those who knew of these security holes and did nothing? Do they not share some responsibility? Believe it or not, Cornell has been victimized as much or more than any institution by this event. Blaming Cornell or MIT or AT&T for negligence is fine, but that negligence was more widely distributed than that. Cornell's only negligence was in providing an environment in which people are treated as mature and responsible members of the community. I hope that Cornell and other institutions remain negligent in this sense, despite the fact that people are occasionally irresponsible, and despite whatever legal threats may be made against them. The only entity responsible, the only one that should be punished, is Robert T. Morris, Jr. And with members of Cornell's board of governors calling for his head, I don't think his association with Cornell will last much longer. From the world's most famous computer science department, Doug Moore (moore@svax.cs.cornell.edu)
dc@gcm (Dave Caswell) (11/25/88)
In article <22740@cornell.UUCP> moore@svax.cs.cornell.edu (Doug Moore) writes:
.>that his handiwork caused. I also believe that should his assets prove
.>to be insufficient to cover those claims Cornell should be liable to the
.>extent that their own negligence contributed to those damages.
.
.
.When you accuse Cornell of negligence in this matter, you are patently unfair
.in at least 3 ways. First, and most selfishly, you threaten me. I don't want
Doug, learn what the words "to the extent" mean, and cut the bull about
being threatened.
--
Dave Caswell
Greenwich Capital Markets uunet!philabs!gcm!dcjim@eda.com (Jim Budler) (11/26/88)
In article <617@white.gcm> dc@white.UUCP (Dave Caswell) writes: | In article <22740@cornell.UUCP> moore@svax.cs.cornell.edu (Doug Moore) writes: | [...] | .>to be insufficient to cover those claims Cornell should be liable to the | .>extent that their own negligence contributed to those damages. [...] | .in at least 3 ways. First, and most selfishly, you threaten me. I don't want | | Doug, learn what the words "to the extent" mean, and cut the bull about | being threatened. | | -- | Dave Caswell Uhm, Dave, I think you should review the 'deep pockets' laws, before you say this. Many states have 'deep pockets laws' which result in any liability, even 1%, under the law being 100% liable. In the RTM/Cornell case, if tried in California, any amount rewarded, would be paid by the combination of RTM and Cornell. After RTM put up his $10, the balance of the penalty would be paid by Cornell, even if the jury judged Cornell only 1% responsible. And don't quote the recent California deep pockets limiting initiative. That only limited the non-economic, i.e. 'pain and suffering', awards. So unfortunately, in the context you meant 'to the extent', it may be a legally meaningless term. jim -- Jim Budler address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: jim@eda.com #define disclaimer "I do not speak for my employer" #define truth "I speak for myself" #define result "variable"
rjfrey@kepler1.UUCP (Robert J Frey) (11/28/88)
In article <374@eda.com> jim@eda.com (Jim Budler) writes: > >Many states have 'deep pockets laws' which result in any liability, even >1%, under the law being 100% liable. > >In the RTM/Cornell case, if tried in California, any amount rewarded, would >be paid by the combination of RTM and Cornell. After RTM put up his $10, >the balance of the penalty would be paid by Cornell, even if the jury >judged Cornell only 1% responsible. > My original comments about Cornell _possibly_ being liable were simply about that, to the extent that Cornell was liable it must be held accountable. One may or may not agree with the "deep pockets" laws, but they are a fact of life. I own a restaurant and am quite familiar with their application vis-a-vis DWI-related accidents, etc. My reaction to someone who feels my original comments were unfair or threatening is that, first, I didn't intend them to seem so in any personal way, but, second, educational institutions are no different that a lot of other organizations in that they must be held responsible for some of the acts of their constituent members. People in universities have to understand that computers are a mature technology. We don't "do interesting things" on our computers; we use them to run our business. Grown-ups take responsibility for what they do. It's not always comforting and it often feels "threatening", but the choice is to hide under a rock and do nothing at all. ============================================================================== |Dr. Robert J. Frey | {icus, spl1, dasys1}!acsm!kepler1!rjfrey | |Kepler Financial Management, Ltd.|------------------------------------------| |100 North Country Rd., Bldg. B | The views expressed are wholly my own and| |Setauket, NY 11766 | and do not reflect those of the Indepen- | |(516) 689-6300 x.16 | dent Republic of Latvia. | ==============================================================================