matthews@eleazar.dartmouth.edu (Jim Matthews) (11/08/88)
In article <1445@anasaz.UUCP> john@anasaz.UUCP (John Moore) writes:
>
>According to press reports, RM spent his summers working at AT&T
>on "Unix Communications Software Security". Anyone with a source
>license check to see if he slipped a trojan horse into uucico
>or uuxqt or something?
>--

As a matter of fact, one of the things Robert did at Bell Labs (while still a high school student, I believe) was fix some of the glaring security holes in uucp (AT&T Bell Laboratories Technical Journal, 10/84).

It is very easy in the aftermath of something like this to indulge in the devil theory of crime -- that all bad things must come from evil minds. The more you find out about rtm I believe the more you will find he has in common with the people criticizing his behavior. He has done significant work in computer security, including warning people for years about the security holes that made the worm possible. He has worked as a sysadmin for an arpanet host. He is a serious student of computer science and was making contributions to the field at an age when most of us were trying to learn Pascal. He's also one hell of a great guy, and no one seems more appalled by the effects of his actions than he is.

We can argue about the advisability of what he did, but I urge you to resist the temptation to pigeon-hole someone you don't know on the basis of fragmentary information.

Jim Matthews
Dartmouth Software Development
kovar@husc4.HARVARD.EDU (11/10/88)
In article <10791@dartvax.Dartmouth.EDU> matthews@eleazar.dartmouth.edu (Jim Matthews) writes:
>It is very easy in the aftermath of something like this to indulge in
>the devil theory of crime -- that all bad things must come from evil
>minds. The more you find out about rtm I believe the more you will find
>he has in common with the people criticizing his behavior. He has done
>significant work in computer security, including warning people for
>years about the security holes that made the worm possible. He has
>worked as a sysadmin for an arpanet host. He is a serious student of
>computer science and was making contributions to the field at an age
>when most of us were trying to learn Pascal. He's also one hell of a
>great guy, and no one seems more appalled by the effects of his actions
>than he is.
>We can argue about the advisability of what he did, but I urge you to
>resist the temptation to pigeon-hole someone you don't know on the basis
>of fragmentary information.
>Jim Matthews

I may be a really nice guy but if I, by accident, kill someone by driving recklessly, the state of MA is going to toss me in jail for manslaughter. And I'd expect as much. Nice people are just as responsible for their actions as "evil" people. If we fail to prosecute someone just because they appear to be nice, brilliant, et al, then what's to stop many others from doing similar things and claiming "I'm just as nice as RTM! Let me go." With the press holding RTM up on high many a hacker is going to say, "This is how I get recognition! This is how I get a job!" And, surprise!, it'll work. Set an example and set it before things get out of hand.

If at all possible, punish RTM to the fullest extent of the law. It may be more than he deserves but unfortunately (?) someone must set the example and show that such anti-social activities are not acceptable. Perhaps a suitable punishment, at least in this case, is just denying RTM access to any systems that connect to any other systems.

You pollute our nest and we're going to toss you out of it.

-David Kovar
Technical Consultant
Harvard University
cherry@husc4.HARVARD.EDU (Michael Cherry) (11/10/88)
In article <565@husc6.harvard.edu> kovar@husc4.UUCP (David Kovar) writes:
>In article <10791@dartvax.Dartmouth.EDU> matthews@eleazar.dartmouth.edu (Jim Matthews) writes:
>>We can argue about the advisability of what he did, but I urge you to
>>resist the temptation to pigeon-hole someone you don't know on the basis
>>of fragmentary information.
>
>If at all possible, punish RTM to the fullest extent of the law. It may
>be more than he deserves but unfortunately (?) someone must set the
>example and show that such anti-social activities are not acceptable.

It is difficult to agree however it is analogous to a brilliant University Molecular Biologist experimenting on a biological virus but through inadequate precautions results in a large number of dogs in North America becoming infected. The released virus could be completely harmless - but I don't think this country would want or should allow this act to go completely unpunished.

Mike Cherry
Systems Analyst
cherry@mgh-coffee.harvard.edu

J. Michael Cherry                        Systems Analyst/Manager
Department of Molecular Biology          cherry@mgh-coffee.harvard.edu
Wellman 9, Mass General Hospital         cherry%mgh-coffee@husc6.bitnet
Boston, MA 02114                         (617) 726-5955
paulr@prapc2.UUCP (Paul Raulerson) (11/12/88)
In article <10791@dartvax.Dartmouth.EDU> matthews@eleazar.dartmouth.edu (Jim Matthews) writes:
>In article <1445@anasaz.UUCP> john@anasaz.UUCP (John Moore) writes:
>>
>>According to press reports, RM spent his summers working at AT&T
>>on "Unix Communications Software Security". Anyone with a source
>>license check to see if he slipped a trojan horse into uucico
>>or uuxqt or something?

[deleted text]

>It is very easy in the aftermath of something like this to indulge in
>the devil theory of crime -- that all bad things must come from evil
>minds. The more you find out about rtm I believe the more you will find
>he has in common with the people criticizing his behavior. He has done
>significant work in computer security, including warning people for
>years about the security holes that made the worm possible. He has
>worked as a sysadmin for an arpanet host. He is a serious student of
>computer science and was making contributions to the field at an age
>when most of us were trying to learn Pascal. He's also one hell of a
>great guy, and no one seems more appalled by the effects of his actions
>than he is.
>
>We can argue about the advisability of what he did, but I urge you to
>resist the temptation to pigeon-hole someone you don't know on the basis
>of fragmentary information.
>
>Jim Matthews

Gee, What a *HELL* of an attitude to take about someone who has just cost a lot of people and organizations a terrifically large amount of resources.

To a great extent, this wonderful wacky and extremely open net of ours is self policing. People who abuse their privs most often lose them. Once, when I was a tad younger, I might have agreed with you about showing more compassion and understanding, but since I have been running this system at some considerable expense, and dealing professionally with the government for about 10 years, I feel that this self policing action should be encouraged. After all, there is nothing in the world stopping Mr. Morris from going off and starting his own network, as secure as he wishes now is there? But participation in a group environment means you have to be responsible enough to realize that other people's resources are NOT your personal private toys to play with.

I think it is far more humane to have Mr. Morris recognized by System Administrators everywhere as a security risk, and be denied access, with threat of legal action if his illegal activities continue, than it is to slap him on the wrist and tell those same System Administrators that he CANNOT be denied access because he really didn't mean it and is sorry for what he did.

People have to be responsible for themselves, and yes, they have to realize everyone makes mistakes and be willing to "forget" them. However, there is *always* a price associated with such forgetfulness, and Mr. Morris, or whoever the guilty critter was, has yet to pay for his play.

This isn't really a personal attack on anyone, it is just more of a defense of the openness we all share here, and what it may take to keep it open. Anyone wishing to hash the matter over some more, you're welcome to mail me and if it seems reasonable, I'll summarize the opinions and post 'em back as a single message.

--
Paul Raulerson & Paul Raulerson & Associates      +---------------------------+
Data/Voice: 1+215-275-2429 / 1+215-275-5983       | OS/who? Why bother? Isn't |
Cis: 71560,2016  Bix: paulr                       | Mess-Dos bad enough?      |
UUCP: ...!rutgers!lgnp1!prapc2!paulr              +---------------------------+
jc@heart-of-gold (John M Chambers) (11/15/88)
In article <566@husc6.harvard.edu>, cherry@husc4.HARVARD.EDU (Michael Cherry) writes:
> In article <565@husc6.harvard.edu> kovar@husc4.UUCP (David Kovar) writes:
> >If at all possible, punish RTM to the fullest extent of the law. It may
> >be more than he deserves but unfortunately (?) someone must set the
> >example and show that such anti-social activities are not acceptable.
>
> It is difficult to agree however it is analogous to a brilliant University
> Molecular Biologist experimenting on a biological virus but through
> inadequate precautions results in a large number of dogs in North America
> becoming infected. The released virus could be completely harmless - but
> I don't think this country would want or should allow this act to go
> completely unpunished.
>

Well, now, that depends on what you want for an after-effect. I'd suggest that punishing rtm would likely have a deterrent, but that perhaps you might not really want that, if you think about it.

Consider: I am a hacker (oops, I mean a professional software engineer :-) who has discovered an interesting security hole in a widely-used piece of software. What should I do with the information?

The obvious suggestion is that I should start by telling my employers and the vendor(s) about it, so they can fix it. Well, it has become clear that many people had been warning of the sendmail "feature" that the worm used for at least two years, and absolutely nothing was done by any vendor to fix it. My experience is that if you just announce that you've found a problem, you are treated like Chicken Little. You must demonstrate the problem, if you want people to listen to you.

OK, so you write up a little demo and send it around. What happens? Unless you are perfect, and your code runs without bugs on all systems (including some you've never seen), your example will do something like rtm's worm, and half the world will be calling for prosecution. You'll use a whole lot of your time (and money) defending yourself. You *won't* be thanked for what you did. You'll wish you had kept your big mouth shut.

There is, of course, a third course. You could just add your demo to your own personal library of security-related code, and quietly let people know that you have it. You might then be able to get some interesting (not to say lucrative) jobs from organizations that have a use for your knowledge.

Think about it. There are lessons for all of us here. But is the above really the lesson you want to teach?

--
From: John Chambers <mitre-bedford.arpa!heart-of-gold!jc>
From ...!linus!!heart-of-gold!jc (John Chambers)
Phone 617/217-7780
[Send flames; they keep it cool in this lab :-]
der@sfmag.UUCP (D.Rorke) (11/16/88)
> >According to press reports, RM spent his summers working at AT&T
> >on "Unix Communications Software Security". Anyone with a source
> >license check to see if he slipped a trojan horse into uucico
> >or uuxqt or something?
> >--
>
> As a matter of fact, one of the things Robert did at Bell Labs (while
> still a high school student, I believe) was fix some of the glaring
> security holes in uucp (AT&T Bell Laboratories Technical Journal,
> 10/84).

The author of the article you reference was not the Robert Morris under suspicion (although it may be his father). The biographical notes at the end of the paper indicate that the Robert H. Morris who co-authored the paper had been employed at Bell Labs since 1960.

> It is very easy in the aftermath of something like this to indulge in
> the devil theory of crime -- that all bad things must come from evil
> minds. The more you find out about rtm I believe the more you will find
> he has in common with the people criticizing his behavior. He has done
> significant work in computer security, including warning people for
> years about the security holes that made the worm possible. He has
> worked as a sysadmin for an arpanet host. He is a serious student of
> computer science and was making contributions to the field at an age
> when most of us were trying to learn Pascal. He's also one hell of a
> great guy, and no one seems more appalled by the effects of his actions
> than he is.

Being a "great guy" is not sufficient. As members of society we are also expected to exhibit a reasonable degree of responsible judgement. Perfectly nice people get roaring drunk, get into their cars, and unintentionally run over little children. Although this analogy is lacking in some ways it is meant to dramatically make the point that nice, well intentioned people can do irresponsible things that cost the rest of society a great deal. Such people must be held accountable for the results of their irresponsibility.

The person responsible for this virus may in fact be a "great guy" in many ways and may not have thought there was anything wrong with what he was doing. If so, he had a very poor understanding of the ethics involved. Although we may feel sorry for him we cannot afford to easily excuse such poor judgement.

> We can argue about the advisability of what he did, but I urge you to
> resist the temptation to pigeon-hole someone you don't know on the basis
> of fragmentary information.
>
> Jim Matthews
> Dartmouth Software Development

Dave Rorke
attunix!der
wbe@bbn.com (Winston B Edmond) (11/16/88)
In article <168@heart-of-gold> jc@heart-of-gold (John M Chambers) writes:
>Consider: I am a hacker (oops, I mean a professional software engineer :-)
>who has discovered an interesting security hole in a widely-used piece of
>software. What should I do with the information?
>
>.... You must demonstrate the
>problem, if you want people to listen to you.
>
>OK, so you write up a little demo and send it around. What happens? Unless
>you are perfect, and your code runs without bugs on all systems (including
>some you've never seen), your example will do something like rtm's worm,
>and half the world will be calling for prosecution.

I think it rather unlikely that being imperfect or having a program with bugs would cause the program to act like a worm if it hadn't been mostly written to be that anyway.

But since you asked, there's another, simpler, solution: attack the software supplier's host directly. This doesn't require writing code to replicate, read host tables, decrypt password tables, etc. -- just write a file called VIRUS in "/" owned by root or daemon or whatever, and let the vendor know about it. Attacking the vendor's host is just as illegal and unethical as writing a worm that attacks the whole Internet, but it will keep the N-1 other Internet administrators from calling the FBI.

Before resorting to this, however, a phone call to the right person at the site to be attacked might be just as effective.

For the more paranoid among us, we can wonder whether or not such security holes have already been exploited to modify some vendor's software without the vendor's knowledge.

-WBE
dtynan@sultra.UUCP (Der Tynan) (11/17/88)
In article <168@heart-of-gold>, jc@heart-of-gold (John M Chambers) writes:
>
> OK, so you write up a little demo and send it around. What happens? Unless
> you are perfect, and your code runs without bugs on all systems (including
> some you've never seen), your example will do something like rtm's worm,
> and half the world will be calling for prosecution.
>
> From: John Chambers <mitre-bedford.arpa!heart-of-gold!jc>

Huh? Why is it everyone seems to think that because of a simple bug, RTM's code ran amok on Internet. WITHOUT the bug, the infection would have spread to *more* systems, and not have been noticed. I fail to see that if I wrote a 'little demo', that had a bug, it would suddenly turn into the Master Control Program (courtesy of 'Tron'), and go screaming off into the ether. A 'demo' program DOES NOT need to try THREE different ways of infecting a system. It does not need to have facilities for up to TWENTY different machine types. I also fail to see the connection between 'no-one listening' and the 'right' to release a worm on the community.

- Der
--
dtynan@zorba.Tynan.COM (Dermot Tynan @ Tynan Computers)
{apple,mips,pyramid,uunet}!Tynan.COM!dtynan

--- If the Law is for the People, then why do we need Lawyers? ---
chris@GYRE.UMD.EDU (Chris Torek) (11/20/88)
In article <566@husc6.harvard.edu> cherry@husc4.harvard.edu (Michael Cherry) writes:
>It is difficult to agree however it is analogous to a brilliant University
>Molecular Biologist experimenting on a biological virus but through
>inadequate precautions results in a large number of dogs in North America
>becoming infected. The released virus could be completely harmless - but
>I don't think this country would want or should allow this act to go
>completely unpunished.

I will grant you this analogy with one small change: The `virus' must be one that makes the dogs bark all night for two days in a row, keeping everyone awake. ( :-) ? )

Chris