jps@cat.cmu.edu (James Salsman) (11/05/88)
The first nationwide Internet/Milnet virus was okay, but it wasn't spectacular in any sense. I haven't seen the code yet, but I can tell by the infected administrators' early mumblings that an experienced network hacker could do better. Remember the high school kid who grew up with an Apple II and had a shelf full of software? Don't you remember that kid? Around 1983, every suburban high school in the country had about one per five-hundred students. His schoolmates didn't like him because he could solve any problem in 1/2 the time of the next best student. He didn't care to pay attention to fashion and personality development. His grades sucked because nobody taught what he wanted to learn. He was motivated, all right, but not for grades -- he wanted to get to {MIT, CMU, Stanford}!!! His disillusionment peaked when he found out MIT's admission folks looked at GPA's. All his friends that got in to CMU learned plenty about finite-automata, but lost plenty of OS hacking skill. He ended up at some state school with no personality but a stack of system sources and manuals to keep him company. He learned the operating system, but again, his grades sucked. But he managed enough discipline to stay in school. In his spare time he hacked at the source for the TCP/IP implementation. Disillusionment struck again when his favorite silicon valley company didn't want him, but the low-pay downtown COBOL sweat-shop did. That won't do, and grad school is out. No classes, plenty of free time. What's he going to do? Write a virus. He will not get caught unless he talks, but he's got no close friends. His virus won't directly *destroy* anything, but when it hits, it will make a splash, and he is trying for a big splash. The funny thing is, it will work. If this guy gets caught, his name and face will be all over the media. If the Judge can figure out the technobabble, the sentence will be N years probation. And maybe a few hundred hours service. Big *fucking* deal. A dozen headhunters and consulting companies are going to call him up the next morning offering big-time salary for a "Security Engineer." If he doesn't get caught, he'll find another hole and do it again until he does get caught. I respect the abilities of virus hackers. They know more than you or I, or they fail. They try not to fail. Saying that I think they are "bad" is like saying I think drunk drivers are "bad." True, but there is no way in hell to stop thousands of people with nothing better to do from being "bad" on a daily basis. The "Virus Problem" is just another problem in OS design. Face it. It's going to get a lot worse before it gets any better. -- :James P. Salsman (jps@CAT.CMU.EDU) -- :James P. Salsman (jps@CAT.CMU.EDU)