pda@stiatl.UUCP (Paul Anderson) (11/09/88)
This is a call for votes on whether netters feel that:

yes) the recent worm was a service and the fellow should
     at least be left to die in peace (...if not thanked).

no)  did us a great disservice and should be prosecuted to
     the fullest extent of the law.

Send your votes to:

    {your favorite major node}!gatech!stiatl!gpb

Set the subject line to 'yes' or 'no'. An automatic vote counter will be run to process and tabulate entries. You will receive a return receipt indicating your message arrival. Votes with an invalid subject line will be returned with a message to that effect. You may only vote once.

The ballot will be terminated on 11/15/88 (Tuesday). You will not have to wait 2 hours to vote, so do so...

The results will be posted in news.admin within a couple of days of the end of the count.

paul
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...
wright@hsi.UUCP (Gary Wright) (11/11/88)
In article <1330@stiatl.UUCP> pda@stiatl.UUCP (Paul Anderson) writes:
>This is a call for votes on whether netters feel that:
>
>yes) the recent worm was a service and the fellow should
>     at least be left to die in peace (...if not thanked).
>
>no) did us a great disservice and should be prosecuted to
>     the fullest extent of the law.
>

I think you missed (at least) two other possibilities:

1) the recent worm was a service *and* the fellow should be prosecuted to the fullest extent of the law.

2) the recent worm did us a great disservice *and* the fellow should at least be left to die in peace.

Other possibilities depend on the level of service you think was provided by the worm, what kind of damage was caused by the worm, and the punishment that should result.

Personally, I think that it was good that these security flaws were pointed out, but that is no excuse for the time and money that was wasted. Others have said that there were better ways to go about publicizing the security flaws, I agree.

I also wonder what the real intentions were. According to reports I have read, the worm was not supposed to be detected. Ok, so he successfully, quietly, penetrates 6,000 computers. Then what? What would have been his next experiment? Even if he had no malicious intent, who is to say that his next experiment would not have had a more serious, damaging flaw?

--
Gary Wright ...!uunet!hsi!wright
Health Systems International wright@hsi.uu.net
chasm@killer.DALLAS.TX.US (Charles Marslett) (11/11/88)
In article <202@hsi86.hsi.UUCP>, wright@hsi.UUCP (Gary Wright) writes:
:: In article <1330@stiatl.UUCP> pda@stiatl.UUCP (Paul Anderson) writes:
:: >This is a call for votes on whether netters feel that:
:: >
:: >yes) the recent worm was a service and the fellow should
:: >     at least be left to die in peace (...if not thanked).
:: >
:: >no) did us a great disservice and should be prosecuted to
:: >     the fullest extent of the law.
:: I think you missed (at least) two other possibilities:
::
:: 1) the recent worm was a service *and* the fellow should
::    be prosecuted to the fullest extent of the law.
::
:: 2) the recent worm did us a great disservice *and* the fellow should
::    at least be left to die in peace.
...
:: Personally, I think that it was good that these security flaws were
:: pointed out, but that is no excuse for the time and money that was
:: wasted. Others have said that there were better ways to go about
:: publicizing the security flaws, I agree.

On the other hand, I have yet to see a "better" way -- all the ones that have been posted have probably already passed under the bridge and we all know the "hole" was not plugged. My only reservation is that the only really effective way to publicize a security flaw is to do real damage (as someone on the net put it: wrap the car around a tree, and the next time I'll remember to lock it!). So he did no real service? (lock 'em up (:-)!)

:: --
:: Gary Wright ...!uunet!hsi!wright
:: Health Systems International wright@hsi.uu.net

Charles Marslett
STB Systems, Inc. <-- apply all standard disclaimers
chasm@killer.dallas.tx.us
barmar@think.COM (Barry Margolin) (11/12/88)
In article <6081@killer.DALLAS.TX.US> chasm@killer.DALLAS.TX.US (Charles Marslett) writes:
>In article <202@hsi86.hsi.UUCP>, wright@hsi.UUCP (Gary Wright) writes:
>:: wasted. Others have said that there were better ways to go about
>:: publicizing the security flaws, I agree.
>On the other hand, I have yet to see a "better" way -- all the ones that
>have been posted have probably already passed under the bridge and we
>all know the "hole" was not plugged.

Assuming you are correct that there is no better way, that does not absolve him. If I ignore all the reminders about using car seat belts, should someone intentionally crash into me to prove to me that I'm endangering myself? An even better analogy would be to car manufacturers producing cars with inferior seat belts; should someone crash into a bunch of them so that the manufacturer will recall them and fix them? We can certainly hope that such behavior would result in safer cars in the future, but is that justification enough for the damage that is done in the process of making the point?

One of the problems with all these discussions is that many assumptions are being made about the perpetrator's intent, yet he has made no public statement about it yet (as far as I know). We don't know that his purpose was to "publicize the security flaws." In fact, the only statement I've heard that is attributed to him is that the worm propagated faster than he expected, from which I infer that if it had been working as he planned it might have gone unnoticed because it wouldn't have eaten up so much CPU time. If the purpose were for the worm to be undetected, it wouldn't really publicize the flaws, would it?

To stretch the automobile analogy to its breaking point, this would be like someone going around, breaking into people's cars, and untuning their engines so that they get slightly lower mileage; few people would notice, and those who were would probably assume they were an isolated case, not part of a large conspiracy.
Barry Margolin
Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
davis@clocs.cs.unc.edu (Mark Davis) (11/12/88)
All of you who claim that Morris did us a service are overlooking an important point: you can't plug all of the insecurities. A security hole is simply a bug in the security system. Any casual student of software engineering knows that removing all bugs in a large, complex system is impossible (See "Mythical Man Month" by Fred Brooks for data.) By the way, would any UNIX/Internet wizard care to estimate how many security holes have already been plugged?

Therefore, security holes will be with us as long as we have an internet that is useful. Bright people will always be able to find those unfixed bugs. The worst thing is closing the security problems will result in a less usable system or worse, new bugs that break the existing applications.

So what has Morris done for us? He has wasted a large amount of money (programmer time and computer resources). He has gained notoriety, thereby encouraging thousands of ethically lacking people with similar skills to one-up him by making a bigger splash. As I said above, the bigger splash will always be possible as long as there is an internet.

No thank you Mr. Morris. You have not helped and you will hurt us a lot. You go on my list of people to never (1) hire or (2) buy or recommend their products.

- Mark (davis@cs.unc.edu or decvax!mcnc!davis)
news@tank.uchicago.edu (NetNews) (11/12/88)
From: daryl@arthur.uchicago.edu (Daryl McLaurine)
Path: arthur!daryl

When I was young(er), I too wished to stretch my horizons to the limit, and since at the time the conditions were right, (little to no social interaction, VERY intelligent (;-}), and a very hyperactive sense of curiosity), life ordained me to be a 'hacker' (IE: definition 1: Person who uses intimate knowledge of either the system, programming environment, or both in developing programs supposedly beyond that system's capability.) It was cool, I had fun, nobody harmed me, and I made a lot of people happy.

Then I got hurt. A person whom I trusted used some of the things I taught him to do some VERY bad things. THIS WAS NOT COOL. MANY PEOPLE GOT HARMED. ESPECIALLY ME. Leaving out some very sordid details, I got to see what harm a little 'harmless' exploring can do.

Now I work as a consulting P/A, specialising in system security and mathematical modeling ( also trying to break the world's record for most nights of sleeplessness ;-}).

Bottom line: If this person would have posted an alert to the net with a sample program, THAT would have been a very valuable service. This person did harm. He should be made to understand this. Jail will not teach this lesson. Having him see some of the mess that he caused will.

(all opinions and spelling mistakes are mine, Flame On.)

   ^
<{[-]}>-----------------------------------------------------------------------
   V  Daryl McLaurine, Programmer/Analyst (Consultant)
   |  Contact:
   |  Home: 1-312-955-2803 (Voice M-F 7pm/1am)
   |  Office: Omegan Consultants (Use Home Number 9am-4pm)
   |  -or-
   |  University of Chicago Mathematics Dept.
   |  daryl@zaphod or neuro.UChicago.edu
==\*/=========================================================================
john@frog.UUCP (John Woods) (11/14/88)
In article <31053@think.UUCP>, barmar@think.COM (Barry Margolin) writes:
> An even better analogy would be to car
> manufacturers producing cars with inferior seat belts; should someone
> crash into a bunch of them so that the manufacturer will recall them
> and fix them?

A very interesting analogy indeed! What does it usually take to get a manufacturer to fix an inferior design? A calm, reasoned statement something like "Hey, these seat belts have a tensile strength so low that they would typically snap at 20 MPH?" Fat chance. Usually it takes pages and pages of accident reports of people killed and maimed by the defect, plus enough publicity that the auto manufacturer cannot just ignore the problem.

RISKS DIGEST just now mentioned that PGN incidentally discovered one Internet site that still hasn't closed the SMTP door.

Weemba was right. Monthly worm drills sound like a REAL good idea...

--
John Woods, Charles River Data Systems, Framingham MA, (617) 626-1101
...!decvax!frog!john, john@frog.UUCP, ...!mit-eddie!jfw, jfw@eddie.mit.edu
Science does not remove the TERROR of the Gods!
davidsen@steinmetz.ge.com (William E. Davidsen Jr) (11/14/88)
In article <744@tank.uchicago.edu> daryl@arthur.UUCP (Daryl McLaurine) writes:
| Bottom line: If this person would have posted an alert to the net with a sample
| program, THAT would have been a very valuable service.

I disagree. Posting a "how to" program would have allowed many people to play with virus programs even though they were not able to figure out the hole themselves. Without an actual problem probably 10% of the admins would take the time to fix it, and the rest would say "I'll fix it if there's a real problem," and "I can't run without debug, I could get my .cf to work." We have a person here who felt that Sun was better than Ultrix because Ultrix had debug off.

The only way to get people to do something is to kick them. Hard. I am not claiming that this justifies kicking people, nor am I defending the use of the worm (I would feel fine about a long prison sentence for things like that, having been burned by a hacker before). But I do agree that what was done had a high ratio of good result to consequences.

Someone used the analogy of stealing a car to teach people not to leave their keys. I think that what happened recently is more like locking the door and leaving the car sitting with the keys inside. It was a major embarrassment and inconvenience, but didn't have the long term effect that wiping files would have.
that

--
bill davidsen (wedu@ge-crd.arpa)
{uunet | philabs}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
julian@uhccux.uhcc.hawaii.edu (Julian Cowley) (11/21/88)
In article <744@tank.uchicago.edu> Daniel McLaurine writes:
>When I was young(er), I too wished to stretch my horizons to the limit, and
>since at the time the conditions were right, (little to no social interaction,
>VERY intelligent (;-}), and a very hyperactive sense of curiosity), life
>ordained me to be a 'hacker' (IE: definition 1: Person who uses intimate
>knowledge of either the system, programming environment, or both in developing
>programs supposedly beyond that system's capability.)
[...]
>THIS WAS NOT COOL. MANY PEOPLE GOT HARMED. ESPECIALLY ME.

I sympathize with you completely. I, too, at a tender age, had the same conditions before me and I fell into the same pitfall of finding out how far the system could be pushed. Our actions were eventually discovered by the system administrators, and we were punished by removing our access to the system. Was their action "just" enough? I am not sure, since some of us were allowed back onto the same system within a month's time. How can there be any social lessons to be learned from such behavior? I can understand why Morris would be enthused about "teaching" people about their security problems, but is that behavior entirely social? I think not.

>Bottom line: If this person would have posted an alert to the net with a sample
>program, THAT would have been a very valuable service.

I agree with you. His methods, although they may have been legitimately positive, were not scientific. If he were a minor, that may be understandable. But a grad student? He should have realized his actions were bordering on the destructive side. He could have accomplished much more by isolating a set of machines and publishing the results in a computer security journal. He would have discovered his "bug" at least.

>This person did harm.

Yes, he did. The implications of his actions are new to us, and therefore it is understandable that we are having a hard time dealing with them.
I hate to admit it, but I think that if he is not dealt with in a just manner, then it will encourage other "hackers" to repeat the same mistake. They must understand that there are more factors at stake than just the security of the net. Any person who releases a worm, virus, what have you upon the net is digging their own grave, because so far the ethics of computer hacking have encouraged us to share (in a scientific manner) our results to others. With such viruses abound, there can be no such sharing.

>He should be made to understand this. Jail will not teach this lesson. Having
>him see some of the mess that he caused will.

True. I don't think he realized how grave a mistake he was making at the time he was contemplating releasing his program upon the net. Jail would have no effect in any way upon his understanding of this. Sadly, the kind of punishment we have nowadays (jails) is the kind which does not intend to teach the person why he is being punished. This applies to more than just Morris: there is more than one kind of crime.

><{[-]}>-----------------------------------------------------------------------
>   V  Daryl McLaurine, Programmer/Analyst (Consultant)
>   |  Contact:
>   |  Home: 1-312-955-2803 (Voice M-F 7pm/1am)
>   |  Office: Omegan Consultants (Use Home Number 9am-4pm)
>   |  -or-
>   |  University of Chicago Mathematics Dept.
>   |  daryl@zaphod or neuro.UChicago.edu
>==\*/=========================================================================

julian@uhccux.uhcc.hawaii.edu
uunet!ucsd!nosc!uhccux!julian
julian@uhccux.bitnet
"People who aren't amused don't talk."
mml@srhqla.UUCP (Michael Levin) (11/23/88)
In article <2675@uhccux.uhcc.hawaii.edu> julian@uhccux.uhcc.hawaii.edu (Julian Cowley) writes:
>
>>He should be made to understand this. Jail will not teach this lesson. Having
>>him see some of the mess that he caused will.
>
>True. I don't think he realized how grave a mistake he was making at
>the time he was contemplating releasing his program upon the net. Jail
>would have no effect in any way upon his understanding of this. Sadly,
>the kind of punishment we have nowadays (jails) is the kind which does
>not intend to teach the person why he is being punished. This applies
>to more than just Morris: there is more than one kind of crime.

I don't think that if Morris is jailed, it will be to teach HIM a lesson- it will be to scare off other people. That probably would do *some* good, as some people respond well to intimidation. On the other hand, some personalities simply take that as a challenge. I don't think, however, that the press' hyping this talk of 'computer virus' is very healthy. Man (especially males) is desirous of playing God (no, I'm not turning this into a religious discussion, just a human one). By creating 'life' in a machine (i.e., a computer that can 'catch' a 'virus' must be alive, right) man is playing God. This is a bunch of crap. Today's computers are just machines, and to attribute all of these theatrical human characteristics to them is foolish. A computer 'virus' is simply a program which exploits certain bugs in the system. THAT's ALL! ! !

Why don't we simply think of this incident in its correct light- our systems are vulnerable to exploitation by others because of certain inherent defects in them. Much in the same way as my car leaves me vulnerable to some yahoo smashing into me on the road. Big deal.
Mike Levin
--
+----+ P L E A S E   R E S P O N D   T O: +------+-*-*-*-*-*-*-*-*
| Mike Levin, Silent Radio HeadQuarters, Los Angeles (srhqla) | No room for a *
| Path:{aeras|csun|pacbell|pyramid|telebit}!srhqla!levin |'snappy remark'*
+-------------------------------------------------------------+-*-*-*-*-*-*-*-*