[comp.misc] Possible Fines for Virus Perpetrator

lindsay@dscatl.UUCP (Lindsay Cleveland) (11/07/88)

In article <456@l5comp.UUCP> john@l5comp.UUCP (John Turner) writes:
>
>		  So, it was Robert T. Morris Jr., was it?
>
>I believe the contemplated charges are 'unlawful access to a federal computer'
>(multiple counts?) and 'fraudulent use of a federal computer'; the second
>charge is good for twenty years hard time, the first for up to a year and a
>$250,000 fine.  Pretty heavy stuff for a 23 year-old Cornell grad student.
>
Since my site was not infected, I am somewhat removed from
the 'heat of the moment'.   

I would surmise that a lot of the sites who *were* damaged by the
virus and expended much real cash in man-hours (overtime!) chasing it
down would be interested in proceeding with a class-action suit against
the fellow to recover damages.  Whether or not it made it through all
the courts, appeals, etc. is perhaps not as useful as the scare it
would throw into some other clowns who might think of trying a similar
worm/virus "just for a bit of fun!"

Let me join in the chorus of applause for those many net.people who
quickly came up with answers and solutions, and for their great
efforts in spreading the word to the rest of the net.

Cheers,
  Lindsay

Lindsay Cleveland         Digital Systems Co.   Atlanta, Ga
  gatech!dscatl!lindsay     (404) 497-1902
                         (U.S. Mail:  PO Box 1149, Duluth, GA  30136)

weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/07/88)

In article <12081@dscatl.UUCP>, lindsay@dscatl (Lindsay Cleveland) writes:
>>		  So, it was Robert T. Morris Jr., was it?

>I would surmise that a lot of the sites who *were* damaged by the
>virus and expended much real cash in man-hours (overtime!) chasing it
>down would be interested in proceeding with a class-action suit against
>the fellow to recover damages.

Well gee.  Divide $10K say by 10K computers say, and they each win $1.
Next you subtract off the lawyers' fees...  Hmmm...  Economics wasn't
your major, I presume?

>			         Whether or not it made it through all
>the courts, appeals, etc. is perhaps not as useful as the scare it
>would throw into some other clowns who might think of trying a similar
>worm/virus "just for a bit of fun!"

I see that you, like thousands of others, don't really understand.  Robert
T Morris Jr has done everyone a FAVOR.  Instead of thanking him for maybe
waking up people on the ARPANET to how DAMN EASY IT IS TO INFILTRATE, you,
like thousands of others, just think he's some annoying clown out there
who gets off on crashing the net.

Guess what?  Well, maybe he is an annoying clown, but that's irrelevant.

There are thousands of computers out there extremely vulnerable to attack.
Instead of wailing on about class-action suits to recover "damages", all
these sites that just maybe have woken up and plan to actually take
security seriously should pay RTM in moneys saved from the potential *BILLIONS*
that could be lost for being so many ostriches.  WAKE UP FOLKS!  This may
very well prove to be your last warning.

>Let me join in the chorus of applause for those many net.people who
>quickly came up with answers and solutions, and for their great
>efforts in spreading the word to the rest of the net.

Yup, good show there.  I hope you're not smugly counting on the next rogue
code to be so easy to notice and eliminate by some of my fellow Berkeley
grad students?  DO SOMETHING **NOW** TO PROTECT YOURSELVES!  WAKE UP FOLKS!

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720

rjd@occrsh.ATT.COM (Randy_Davis) (11/07/88)

In article <456@l5comp.UUCP> john@l5comp.UUCP (John Turner) writes:
:
:		  So, it was Robert T. Morris Jr., was it?
:
:I believe the contemplated charges are 'unlawful access to a federal computer'
:(multiple counts?) and 'fraudulent use of a federal computer'; the second
:charge is good for twenty years hard time, the first for up to a year and a
:$250,000 fine.  Pretty heavy stuff for a 23 year-old Cornell grad student.

  Agreed.  Though he did bring some machines to their knees from the
side-effect of the virus starting all those mail processes at one time, I fail
to understand why everyone is yelling for his head.  I see at least two
reasons he should not be heavily prosecuted:

  1) He did not destroy data.
  2) The worm (not virus, as I understand it) pointed out, in a very graphic
     way, the vulnerability of some systems, in a relatively non-destructive
     fashion.  It probably will get a lot more action than any simple security
     notice would.

  Sounds like the only reason it did any damage at all was an oversight on the
hacker's part, that the spawning of all those sendmail processes would slow
the machines to a standstill.

  Yeah, sure, this view is going to be unpopular, and is probably irrelevant
anyway, as he is going to be in high demand as a security expert - probably
enough so that somebody might offer him the fine money as a hiring bonus.

This is, of course, assuming he is found guilty if charges are filed.

car@pte.UUCP (Chris Rende) (11/08/88)

In article <440@occrsh.ATT.COM>, rjd@occrsh.ATT.COM (Randy_Davis) writes:
>   2) The worm (not virus, as I understand it) pointed out, in a very graphic
>      way, the vulnerability of some systems, in a relatively non-destructive
>      fashion.  It probably will get a lot more action than any simple security
>      notice would.

- There is a difference between pointing something out and taking advantage
  of it.

- "relatively non-destructive": What does that mean? Contradiction in terms.
  How would you like it if someone did something <relatively non-destructive>
  to your car? your house? your person?

If you left your car door unlocked in a parking lot, how would you like to
find someone sleeping in it. That's <relatively non-destructive> right?

It was not necessary to let the worm/virus loose on the world in order to
<point out> that a problem existed.

car.
-- 
Christopher A. Rende                Multics,DTSS,Shortwave,Scanners,StarTrek
uunet!{umix,edsews}!rphroy!pte!car  TRS-80 Model I: Buy Sell Trade
Motorola VME1131 M68020 SVR2        Precise Technology & Electronics, Inc.

les@chinet.chi.il.us (Leslie Mikesell) (11/09/88)

In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:

>It was not necessary to let the worm/virus loose on the world in order to
><point out> that a problem existed.

Wasn't it?  There have been many postings indicating that many people
have known about the security holes for several years now.  Obviously
the people who knew don't talk to the people who care (or the people
who care don't listen to the people who know).  Now, the people who
care know and the problem will be fixed.

Les Mikesell

rjd@occrsh.ATT.COM (Randy_Davis) (11/10/88)

In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:
[.....]
%- "relatively non-destructive": What does that mean? Contradiction in terms.
%  How would you like it if someone did something <relatively non-destructive>
%  to your car? your house? your person?
%
%If you left your car door unlocked in a parking lot, how would you like to
%find someone sleeping in it. That's <relatively non-destructive> right?

 Sure is!!!  Not something you would like, but what did it hurt????  Perhaps
the person sleeping in it protected it from being vandalized (to take the
stupid analogy to the logical conclusion).

  Concerning this rather mindless comment: What is so contradictory about
"relatively non-destructive"???  Destruction is always relative to what one
wants.  Think about it....

%It was not necessary to let the worm/virus loose on the world in order to
%<point out> that a problem existed.
%
%car.
%-- 
%Christopher A. Rende                Multics,DTSS,Shortwave,Scanners,StarTrek
%uunet!{umix,edsews}!rphroy!pte!car  TRS-80 Model I: Buy Sell Trade
%Motorola VME1131 M68020 SVR2        Precise Technology & Electronics, Inc.

  Riiiiight.  Perhaps I misspoke myself.  I should have said "Completely
Non-destructive", because the only damage done to the machines was the slowdown
brought about by the worm generating lots of requests to other machines.
  There is already a mechanism in place to limit the number of network
transactions most protocols will do in a given time period.  Why not in
this software?

  Bugs in software are constantly being announced.  Bugs that allow root
access even.  Many are ignored or just not announced loud enough because lazy
administrators do not realize the damage that can be done.  This bug had
a HUGE potential for harm, which may have already occurred without the admins
even knowing it (regarding the theft of information).

  Since this bug COULD have been implemented in such a way that it could
operate totally without detection, those administrators probably owe this guy
a LARGE thanks for pointing out to them the hole existed in such a way that
they could not ignore.  It is VERY possible that someone before this guy
found it and was using it to swipe information in a TOTALLY undetected
manner.

  ON THE OTHER HAND - Maybe prosecution should follow, as the only reason it
was noticed was via a bug in the author's own program, otherwise it WOULD
have possibly gone undetected....  (Thinking about this from an "intent"
point of view.)

Come On - THINK about it....

Randy

farber@linc.cis.upenn.edu (David Farber) (11/10/88)

I cannot help it ..  I must comment. "all we lost is cycles" ... 
"it showed people the problem"... and on and on.

I would like to point out that there were perhaps hundreds of 
scientists and engineers (that may be very small) who could
not use networks or get adequate response from their systems
or generate their proposals or missed trips due to dead mail
systems etc etc.

The network is NOT a toy, it is a facility to a big community
of working people who count on it. I suspect you would be
upset if a biologist let loose a recombinant DNA bug to see
what would happen, or if someone brought down the east coast
power system to show that it can be done (and it can). 

I will leave off professional ethics and such but....

I keep thinking of a scientist (I hope he/she does not exist)
who decides to test the nuclear winter theory by starting a war.

Come on now.

Dave
David Farber; Prof. of CIS and EE, U of  Penn,  Philadelphia,  PA
19104-6389 Tele: 215-898-9508; FAX: 215-274-8192 "The fundamental
principle of science, the definition almost, is  this:  the  sole
test of the validity of any idea is experiment." -- R. P. Feynman

daveh@marob.MASA.COM (Dave Hammond) (11/10/88)

In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:
>It was not necessary to let the worm/virus loose on the world in order to
><point out> that a problem existed.

I disagree.  There has been much discussion of network infiltration in
the past, but little effort expended on more than discussion.  All too
often the network community relies on rules of fair-play and an assumption
that all net.users are responsible individuals who would not take advantage
of published security faults, because that would be "antisocial" behaviour.

Maybe in Utopia.  But this is the real world and there are countless
aggressively entrepreneurial people who would like nothing better than to
take advantage of situations which might further their cause (or career).
Regardless of the resulting implications, and very often *because* of the
implications.

In this instance letting the worm loose on the world has had some immediately
sobering effects.  With any luck, one of the results will be the enhancement
of the BSD network user interface.

I do NOT advocate tighter network access or withholding important information.
I DO advocate increased file system and path search security.

While his style tends to be a bit radical, I whole-heartedly agree with
weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) who expressed
an interest in seeing Mr. Morris reexecute his worm on a monthly basis
until it no longer succeeds.

Dave Hammond
  UUCP: ...!uunet!masa.com!{marob,dsix2}!daveh
DOMAIN: daveh@marob.masa.com
----------------------------------------------------------------------------

chcu321@ut-emx.UUCP (Michael J. Liebman) (11/10/88)

Although the virus only slowed down machines, I don't think we should 
overlook the potential for damage by such a virus.  Suppose the virus
had infected a machine performing on-line process control calculations
at a large chemical plant?  Or if hospital emergency rooms could not
access medical histories?  Obviously, these are hypothetical cases, 
but I think they illustrate the difficulty in determining which types
of viruses are "relatively nondestructive".


----------------------------------------------------------------------------

  Michael J. Liebman                     mjl%cheme1.decnet@iv1.cc.utexas.edu
  Department of Chemical Engineering     liebman@iv1.cc.utexas.edu
  University of Texas at Austin          chcu321@emx.cc.utexas.edu
					 (512) 471-5150.ma.bell   
            @@            
         @@@@@      @@@   
     @@  @@@@@   @@@@@@   
   @@@@  @@@@@  @@@@@@      Where the Blue Ridge yawns its greatness,
  @@@@@  @@@@@  @@@@@@        where the Tigers play;                 
  @@@@@  @@@@   @@@@@       Here the sons of dear old Clemson        
  @@@@@     @@@               reign supreme alway.                   
         @@@@@@    @@@@@@                                            
     @@@@@@@@@@  @@@@@@@@   Dear old Clemson, we will triumph        
   @@@@@@@@@@@@  @@@@@@@@     and with all our might;                
   @@@@@@@@@@@@@  @@@@@@    That the Tigers' roar may echo           
    @@@@@@@@@@@@@  @@@@       o'er the mountain's height.            
     @@@@@@@@@@@@@ 
       @@@@@@@@@@
          @@@@@@

----------------------------------------------------------------------------

ssd@sugar.uu.net (Scott Denham) (11/11/88)

In article <312@pte.UUCP>, car@pte.UUCP (Chris Rende) writes:
 
> - "relatively non-destructive": What does that mean? Contradiction in terms.
>   How would you like it if someone did something <relatively non-destructive>
>   to your car? your house? your person?
 
Leaving my car door open and messing up my radio knobs might be a 
"relatively non-destructive" way of  pointing out to me that I had left 
the door unlocked.  Stealing the car and wrapping it around a tree would
be somewhat different!
> 
> If you left your car door unlocked in a parking lot, how would you like to
> find someone sleeping in it. That's <relatively non-destructive> right?
> 
 Relative to trashing it, yes
  
> It was not necessary to let the worm/virus loose on the world in order to
> <point out> that a problem existed.
> 
 
But would anyone have LISTENED had he only pointed out the problem. It seems
lots of folks have pointed out problems like this only to be told  "No,
nobody is going to find a way to get in through that *tiny* hole".  Without
actually DEMONSTRATING the "worm", he'd likely be viewed by many as just 
another whiz-kid who thinks he's smarter than the system designers. 
 
  Scott Denham 
    Western Atlas International
> -- 

daniel@island.uu.net (Dan "1461 days of Bush is 1462 too many..." Smith) (11/12/88)

In article <6101@netnews.upenn.edu> farber@linc.cis.upenn.edu.UUCP (David Farber) writes:
> [....] I suspect you would be
>upset if a biologist let loose a recombinant DNA bug to see
>what would happen, or if someone brought down the east coast
>power system to show that it can be done (and it can). 
>
>
>David Farber; Prof. of CIS and EE, U of  Penn,  Philadelphia,  PA

	What a fool!  And a professor too?!  Did you ever take
*Critical Thinking*, your professorship?  This is a "Questionable
Analogy".  Bringing down the internet *and* deleting lots of files
*and* planting worms and viruses that continue to pop up when the
internet is brought back up is orders of magnitude less serious
than:
>I keep thinking of a scientist (I hope he/she does not exist)
>who decides to test the nuclear winter theory by starting a war.

or the release of a DNA bug...

	Not only that...but what we have been talking about on the
net is an order of magnitude less serious than my example scenario of
deleted files and resurfacing worms and viruses.

>Come on now.

	Look in the mirror and say that, Mr. Farber.

	I'm sick of the general news media not being able to explain
this problem adequately, but I'm outraged that a "Prof. of CIS and EE, U
of  Penn" would mix apples and oranges.  Do us all a favor and retire.

				dan
-- 
DanSmith IslandGraphics 4000CivicCenterDr SanRafael MarinCo CA 94903 4154911000
415 332 FAST(h) 491 0402(Fax)|d: Nobodys' fault but mine| UnixFeastsMusicFilm
daniel@island.uu.net   unicom!daniel@pacbell.com  {lll-crg,apple}!well!dansmith

bradb@ai.toronto.edu (Brad Brown) (11/14/88)

In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:
| If you left your car door unlocked in a parking lot, how would you like
| to find someone sleeping in it.  That's <relatively non-destructive>
| right?

Well, If I found someone sleeping in my car I'd kick them out pretty
fast, but I sure wouldn't call the cops or give them a hard time.
And perhaps next time I parked I'd be more careful not to leave the
door unlocked -- it would have been my fault if the person who used
my car as a bedroom had taken the stereo instead...


                                   (-:  Brad Brown  :-)
                                   bradb@ai.toronto.edu

jpdres10@usl-pc.usl.edu (Green Eric Lee) (11/15/88)

In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:
>In article <440@occrsh.ATT.COM>, rjd@occrsh.ATT.COM (Randy_Davis) writes:
>>2) The worm (not virus, as I understand it) pointed out, in a very graphic
>>   way, the vulnerability of some systems, in a relatively non-destructive
>>   fashion.  It probably will get a lot more action than any simple security
>>      notice would.
>
>If you left your car door unlocked in a parking lot, how would you like to
>find someone sleeping in it. That's <relatively non-destructive> right?
>
>It was not necessary to let the worm/virus loose on the world in order to
><point out> that a problem existed.

The Arpanet's security problems have been pointed out time and again,
but nothing has ever been done about them.

As for your analogy: if I found someone sleeping in my car, I would
understandably be quite irritated, and would demand that he remove
himself immediately.  However, unless he decided not to do so, and
thus deprived me of use of my automobile (at least until the police
arrived), I see no use for prosecuting him.

So yeah, it's a nuisance. But no permanent harm was done, so I see no
reason to treat it like a capital crime. The death penalty is a bit
harsh a punishment for speeding, no?

--
Eric Lee Green                            P.O. Box 92191, Lafayette, LA 70509
     {ames,mit-eddie,osu-cis,...}!killer!elg, killer!usl!elg, etc.

joel@peora.ccur.com (Joel Upchurch) (11/16/88)

One point I think that hasn't been made is that from all the material
I've seen so far it wasn't Morris' intent to bring the Internet to
it's knees, it was an bug in his program that caused it.  The program
appears to have been designed to QUIETLY penetrate each system and
report the information back to Morris.  We really don't know what
Morris intended to do with this information.

A good analogy might be of someone entering my home when I'm not
there.  Let's say he tries all the windows and doors and discovered
that I forgot to lock one or that the lock doesn't work very well.  He
is then caught by the police while he is in my house.  Now he hasn't
threatened my physical safety (I wasn't home remember?), and the
police caught him before he did anything, so I don't KNOW he intended
to rob me or whatever.  His acts have pointed out to me that I may
need to be more careful about the security of my home, so in some sense
he has done me a service.  However this doesn't mean that I should
shake his hand and thank him, rather than try to get him thrown in
jail for criminal trespass or breaking and entering or whatever else I
can make stick.

In many cases the data we keep on our computers is as valuable or
more so than any physical objects we keep in our homes.  Even if
the data has no monetary value there are privacy issues at stake.
Should someone be able to read my private letters because I forgot to
lock my desk?  Are these people any less criminals because their tools
are modems and compilers rather than lockpicks and prybars?  Should we
ignore these acts because they are committed by well-educated middle
class people from unbroken homes rather than ghetto illiterates?  Of
course this raises the more general issue of the way white collar
crime is treated in our society.  What will we do when someone commits
a murder by altering hospital patient records in their computer?

It seems to me that what we are faced with is that our technology is
changing rapidly and that our ethical standards aren't keeping up.
Our new technologies are creating new areas of criminal and
anti-social behavior and it is going to take a while before most people
realize that these kinds of actions are, in fact, criminal.
-- 
Joel Upchurch/Concurrent Computer Corp/2486 Sand Lake Rd/Orlando, FL 32809
joel@peora.ccur.com {uiucuxc,hoptoad,petsd,ucf-cs}!peora!joel (407)850-1040

utoddl@ecsvax.uncecs.edu (Todd M. Lewis) (11/16/88)

In article <98@usl-pc.usl.edu>, jpdres10@usl-pc.usl.edu (Green Eric Lee) writes:
> In article <312@pte.UUCP> car@pte.UUCP (Chris Rende) writes:
> >If you left your car door unlocked in a parking lot, how would you like to
> >find someone sleeping in it. That's <relatively non-destructive> right?
> 
> As for your analogy: if I found someone sleeping in my car, I would
> understandably be quite irritated, and would demand that he remove
> himself immediately.  However, unless he decided not to do so, and
> thus deprived me of use of my automobile (at least until the police
> arrived), I see no use for prosecuting him.

If, however, people at shopping malls routinely left their cars
unlocked with little or no ill effect, knowing that it was a bad 
idea, and then one day found one or more vagrants sleeping in
nearly every car in the lot, the shopping community might decide
to start locking its collective doors!
   "Gosh!  I knew they could, but I would never have believed
    they actually would..."
--Todd

kent@lloyd.camex.uucp (Kent Borg) (11/17/88)

In article <88Nov14.153720est.7112@neat.ai.toronto.edu> bradb@ai.toronto.edu (Brad Brown) writes:
>
>And perhaps next time I parked I'd be more careful not to leave the
>door unlocked -- it would have been my fault if the person who used
>my car as a bedroom had taken the stereo instead...

Have we come to the point that locking my car is not my decision but
my obligation?  I grew up in a suburb of Minneapolis where we never
locked our car (except maybe on Halloween), and I think my parents
still don't--when at the store I mean, they certainly don't lock the
car when it is parked at their house.

I always liked not fighting with so many keys and have always thought
it a virtue that people should be proud of, but to read the above
comment one would think all those people are being immoral to have
arrived at a condition where things are fairly safe.  

I, for one, am not ready to use Boston (where I am now) as an example
of proper behavior that should be imposed upon the rest of the world.
In Boston I always lock my car, and I think that aspect of Boston is a
shame, not a good example for how the world _should_ be.

To be extreme, I _could_ wear a bullet proof vest, but if I don't, and
I get shot, does it become MY fault?

In talking about the internet worm let's not blame the victim.  It is
the people who unleash worms and viruses who are at fault.  Period.

Kent Borg
kent@lloyd.uucp
or
hscfvax!lloyd!kent

jik@athena.mit.edu (Jonathan I. Kamens) (11/20/88)

In article <3728@peora.ccur.com> joel@peora.UUCP writes:
>One point I think that hasn't been made is that from all the material
>I've seen so far it wasn't Morris' intent to bring the Internet to
>its knees, it was a bug in his program that caused it.  The program
>appears to have been designed to QUIETLY penetrate each system and
>report the information back to Morris.  We really don't know what
>Morris intended to do with this information.

Yes we do.  The program does not "appear to have been designed to ...
penetrate each system and report the information back to Morris."  The
only information reported by Morris was one byte of *uninitialized*
(i.e. random) data sent to a port at Berkeley to which he didn't even have
access.  Yes, it was designed to penetrate quietly and survive.  But
no, it was not designed to send any useful information back to Morris,
such as passwords he could use to break into other systems.  At the
very most, he used the data byte sent to Berkeley to monitor the
spread of the virus.

Morris *did not* intend to gain any special privileges on any machines
on the net.  Even if he doesn't say that out loud himself, his code
does.  And I've seen the code.

  Jonathan Kamens
  MIT '91