Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!texbell!sugar!peter
From: peter@sugar.hackercorp.com (Peter da Silva)
Newsgroups: alt.hackers
Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
Message-ID: <4948@sugar.hackercorp.com>
Date: 17 Jan 90 13:35:37 GMT
References: <22359@usc.edu>
Reply-To: peter@sugar.hackercorp.com (Peter da Silva)
Organization: Sugar Land Unix - Houston
Lines: 68
Approved: peter@sugar.hackercorp.com

First of all, I agree with blackcat that the ECPA is seriously deficient in
many areas, particularly in the quixotic attempt to legislate privacy for
cellular phones. One thing that I found amusing in his article, though, was
the following:

> o One sorry bugger to date has introduced a virus that managed to
> utilize a little known defect in DEC and SUN system software ...
> and the rest of his case is currently on trial & making history.
> I would note that his effort (the INTERNET virus) meets each of
> the criteria discussed so far in this group for being a "hack"
> of the highest level ... one requiring a considerable degree of
> expertise ... and one (from personal examination of virus code)
> which was not readily understood by an experienced hacker.

Well first of all it's a worm not a virus. A virus is a passive partner in
transmission between systems. But that's a nitpick.

More importantly, analysis of the Internet Worm has been widely disseminated,
and this analysis shows that it's not the work of a particularly skilled
programmer. One knowledgeable in the details of the systems involved, perhaps,
but clumsy and given to very poor coding practices. If that's a "hack of the
highest order" then it's a sad commentary on this new generation of hackers.

> o In any case, I believe the new generation hackers
[ be encouraged to engage in productive work, such as updating old PD and
  freeware versions of INGRES and X...]

Most of these folks are not competent to do this.
They've a lot of patience, but little technical skill. As you said, RTM's
buggy little program was a "hack" of the highest order. What could low-order
hackers do?

I can understand their frustration. As little as ten years ago there was a
whole range of interesting programs that had yet to be ported to personal
computers. Today the "market" for PD terminal programs, editors, and the like
is glutted. There's no place for newbies to prove themselves, other than in
destructive activity. How many teenagers even appreciate the value of an X
server when they don't have anywhere to run the clients?

Newer and less popular machines like the Amiga and Atari ST still have room
for creative hacking: look at MIDInet on the ST, or all the PD device drivers
on the Amiga. But older machines like the Mac and the PC are either unable to
support stuff like this, or again the market is glutted. And it's the older
machines that the vast majority of would-be hackers have access to.

> Obligatory hacking report: I am trying to fix a generic security problem
> involving the triggering of data terminal answerback buffers by whatever
> program elects to send a ^W in the course of displaying a message.

You're lucky. There are a lot of terminals out there that permit more
extensive programming. There's one guy who has a file that when catted takes
over the terminal and pretends to delete all the user's files. In an academic
environment this could be deadly.

> FINAL COMMENT: The INTERNET virus should be treated as a product liability
> question. In my opinion, DEC and SUN should pay the cost of the cleanup
> effort...

If they indeed ignored bug reports, yes. But that will come out in the trial.
The Internet is deliberately a moderately low-security environment, and it
will be subject to similar pranks in the future so long as people don't have
any responsibility for their actions.
I'm not particularly upset with RTM, but then we weren't affected, but I
think that if he gets off lightly it'll open the floodgates for more
disruption: either through pranks or ill-advised security measures that
reduce the usability of the Internet.
--
Peter "Have you hugged your wolf today" da Silva `-_-'
                                                  'U`
"I haven't lost my mind, it's backed up on tape somewhere"