jps@cat.cmu.edu (James Salsman) (11/05/88)
The first nationwide Internet/Milnet virus was okay, but it
wasn't spectacular in any sense. I haven't seen the code
yet, but I can tell by the infected administrators' early
mumblings that an experienced network hacker could do better.
Remember the high school kid who grew up with an Apple II
and had a shelf full of software? Don't you remember that
kid? Around 1983, every suburban high school in the country
had about one per five-hundred students. His schoolmates
didn't like him because he could solve any problem in 1/2
the time of the next best student. He didn't care to pay
attention to fashion and personality development. His grades
sucked because nobody taught what he wanted to learn. He
was motivated, all right, but not for grades -- he wanted to
get to {MIT, CMU, Stanford}!!! His disillusionment peaked
when he found out MIT's admission folks looked at GPA's.
All his friends that got in to CMU learned plenty about
finite-automata, but lost plenty of OS hacking skill.
He ended up at some state school with no personality but a
stack of system sources and manuals to keep him company. He
learned the operating system, but again, his grades sucked.
But he managed enough discipline to stay in school. In his
spare time he hacked at the source for the TCP/IP
implementation.
Disillusionment struck again when his favorite silicon
valley company didn't want him, but the low-pay downtown
COBOL sweat-shop did. That won't do, and grad school is
out. No classes, plenty of free time. What's he going to
do?
Write a virus. He will not get caught unless he talks, but
he's got no close friends. His virus won't directly
*destroy* anything, but when it hits, it will make a splash,
and he is trying for a big splash.
The funny thing is, it will work. If this guy gets caught,
his name and face will be all over the media. If the Judge
can figure out the technobabble, the sentence will be N
years probation. And maybe a few hundred hours service.
Big *fucking* deal. A dozen headhunters and consulting
companies are going to call him up the next morning offering
big-time salary for a "Security Engineer."
If he doesn't get caught, he'll find another hole and do it
again until he does get caught.
I respect the abilities of virus hackers. They know more
than you or I, or they fail. They try not to fail.
Saying that I think they are "bad" is like saying I think
drunk drivers are "bad." True, but there is no way in hell
to stop thousands of people with nothing better to do from
being "bad" on a daily basis.
The "Virus Problem" is just another problem in OS design.
Face it. It's going to get a lot worse before it gets any
better.
--
:James P. Salsman (jps@CAT.CMU.EDU)
--
:James P. Salsman (jps@CAT.CMU.EDU)