jik@athena.mit.edu (Jonathan I. Kamens) (11/16/88)
In article <79700016@p.cs.uiuc.edu> gillies@p.cs.uiuc.edu writes:
>
>Why? Consider this. Ten years from now, a graduate student in
>biology decides to make a *REAL* virus. He says, "geez, why hasn't
>the NIH innoculated the general population against this virus?
>Obviously, any strain of X, Y, or Z could mutate into this virus at
>any time, causing lots of harm!" So secretly, he builds the virus.
>He intends to show off a weakened form of the virus, to get people to
>do something. But before he finishes it, he makes a serious mistake,
>and the virus escapes in mutant form. Millions of deaths follow.
>
>What would you do to this person? How can you (ethically)
>differentiate between this graduate student and Robert Morris?

Your analogy has so many flaws, and is so ridiculous in general, that I don't know where to begin the list. Might as well just jump right in with the most obvious one:

1. COMPUTERS ARE NOT PEOPLE. A computer "virus" (actually, what Morris wrote was a worm) does not kill people. It is a crime in every country in the world (as far as I know) to kill people, while the laws about "killing computers" are much less clear-cut. Attacking the general populace is quite different from attacking a computer network.

2. Morris' worm did no permanent damage, nor was it meant to. Your analogy compares that to a virus that kills millions of people. Ridiculous.

3. Taking advantage of bugs in computer software is just a bit different from developing virus strains that can kill millions of people. Do you really think that the probabilities of the two events you compared taking place are of similar magnitudes? I don't think so at all. I'm a sophomore undergraduate, and I'd say that *I* could probably write some really damaging code if I wanted to; on the other hand, I doubt that there are many sophomore biology students that can build a virus strain that can kill millions.

4. While it is (theoretically) possible to find all of the security bugs in Unix and fix them (Don't flame me on this, I know it isn't possible in practice, but the supposition I am making is that since the amount of code involved is finite, the number of security holes is finite.), it is certainly not possible to find every possible virus strain and inoculate (notice the spelling) every human being on the planet against all of those strains. Therefore, it is unreasonable for the biology grad student to say, "People should be inoculated against this virus so I should prove it by releasing it!" while it *is* reasonable to ask why several known bugs in Unix software were not fixed.

5. The National Institute of Health pays a lot more attention to people who claim that they've discovered a new, dangerous virus than the Internet system administrators (apparently) paid to the discoverers of the sendmail hole and the fingerd bug. If this grad student were to call up the NIH and say, "I've discovered a virus that can easily mutate from a common strain but that can cause massive sickness in the population," I suspect they'd listen and act. This was obviously not the case with sendmail and fingerd.

6. You ask how we can "ethically" differentiate between the biology student and Morris. I ask *you*, how can you ethically *compare* them? I refuse to acknowledge even for a moment that slowing down or even destroying data (which Morris' worm did not do) on a few computers is in any way related to releasing a deadly virus into the atmosphere. The two are simply not comparable, and should not be compared, when discussing moral issues.

7. Morris' alleged purpose in creating the worm was not to do any damage, or even to alert people to the security holes he exploited, but rather simply to prove that it could be done. His worm was simply supposed to live, while remaining undiscovered. The same cannot be said for the student's virus presented in your scenario -- he intended to get people sick, even if only a minor sickness.

Well, I think I hit upon the major ones. Anybody have anything to add?

DISCLAIMER: All references to Morris in the text above refer to acts he is alleged to have committed, although it may not in fact be proven (or true) that he did, in fact, commit them. All knowledge of his actions presented in this article was gained through publicly accessible sources such as newspaper articles and Usenet postings. Furthermore, although I stated that I might have the ability to write damaging computer code, I have not done so and would not do so.

(Now *that's* a disclaimer)

Jonathan Kamens
MIT '91