Xref: utzoo comp.protocols.tcp-ip:5155 comp.unix.wizards:12155
Path: utzoo!attcan!uunet!husc6!bbn!rochester!pt.cs.cmu.edu!cadre!sean
From: sean@cadre.dsl.PITTSBURGH.EDU (Sean McLinden)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Implications of recent virus (Trojan Horse) attack
Keywords: virus security
Message-ID: <1698@cadre.dsl.PITTSBURGH.EDU>
Date: 5 Nov 88 16:39:44 GMT
Distribution: na
Organization: Decision Systems Lab., Univ. of Pittsburgh, PA.
Lines: 138

Now that the crime of the century has been solved and all of the bows have been taken it is, perhaps, time to reflect a little more on the implications of what has happened.

First of all, to the nature of the problem. It has been suggested that this was little more than a prank let loose without sufficient restraint. I have not seen the latest in press releases but there seems to be a hint of "I didn't want anything like this to happen!" Perhaps not. In fact, if the thing had not run wild and had not bogged down a number of systems it might have gone undetected for a long time and might have done much worse damage than our estimates suggest was done. I can accept that the author did not anticipate the virulence of his creation but not that it was out of some benevolent concern for the users of other systems. Rather it was because it allowed him to be caught. In fact, with function names such as "des", "checkother", and "cracksome", I am less likely to believe that the intent of this program was one of simple impishness.

Let's look, for a moment, at the effects of this system (whether intended or otherwise). First, it satisfied a public desire for news and, one might argue, served as a reassurance to the many technophobes out there that our systems are as vulnerable and as error prone as they, all along, have been arguing.
If you don't think that this might have social consequences you need only look at things like community bans on genetic research that have resulted from social policy implemented as a result of public distrust. When I was interviewed by a local news agency the questions asked were on the order of "Does this mean that someone could fix a Presidential Election?" (sure, Daley did it in Chicago but he didn't use computers!), and "What implications does this have for the nation's defense?" (In spite of reassurances from here and CMU, the local media still insisted on the headline "Defense Computers invaded by virus.")

Second, there is an economic consequence. Since we were unable to determine the extent of the program's activities we were forced to commit programmers' time to installing kernel fixes, rebuilding systems, checking user data files, and checking for other damage. That was the direct cost. The indirect cost comes from the delay in other tasks that was incurred by the diversion of people's time to solving this one. If you multiply by the effort that is going on at a number of other sites I suspect that in salary time, alone, you are looking at costs into the hundreds of thousands of dollars.

Perhaps, most importantly, there are the academic costs. I would argue that the popularity of Unix, today, is due in great part to the development of the Berkeley Software Distribution which was made available in source form to thousands of research and academic organizations starting in the '70s. In a sense, it is a community designed system and although Berkeley deserves the lion's share of the credit, it was the contribution of hundreds of users with access to source codes that allowed the system to evolve in the way that it did.

There is a cost to providing an academic environment and there are responsibilities that are imposed by it. One advantage of academia is access to information which would not be tolerated in an industrial domain.
This access requires our users to observe some code of behavior in order to guarantee that everyone will have the same access to the same information. The person who rips out the pages of an article from a library journal is abusing this privilege of free access to information and depriving others of the same. By convention, we agree not to do that, and so we protect that system that has benefited us so that others derive the same benefit.

A great part of the Internet was funded by DARPA because some forward thinking individuals recognized the tremendous technological and academic benefits that would be derived from this open network. This has resulted, I believe, in significant economic benefits to American industry and continues to support our leadership role in software development. It is an infrastructure that supports a gigantic technological community and there are very few, if any, computer interests in this country that were influenced by DARPA's experiment.

Within a week or two, members of the organizations responsible for this network are going to be meeting to discuss the implications of the recent virus(es), and mechanisms with which they can be dealt. One possible outcome would be increased restrictions on access to the network (the Defense Research Network is already moving along these lines). It would not be unreasonable to consider whether a venture such as this should be supported, at all. To restrict access to a network such as this, or to remove the network, altogether, would be the economic equivalent to tearing up the Interstate highway system. The effect on academic and technological advancement would be quite serious.

The bottom line being that to suggest that a program such as the "virus" (which is really more of a Trojan Horse), was little more than a harmless prank is to overlook what the long term effects of both the technology, and the PUBLICATION of that technology will have on continued academic freedom and technological growth.

But what of the nature of the act? Is there something to be said of that? First, there is the personal tragedy, here. There is public humiliation for the (supposed) perpetrator's father who is, himself, a computer security expert (his employers must be questioning whether the son had access to specialized information though most of us realize that the holes that were exploited were well known). There is the jeopardy of the academic career for the programmer.

But there is more than that. There seems to be a real lack of consideration for what are the ethical considerations of this action. Consider, for a moment, that you are walking down the street and the person in front of you drops a 10 dollar bill. You have three options:

1) You can pick it up and hand it to them;
2) You can pick it up and keep it;
3) You can leave it and continue walking.

It should be obvious that these choices are not morally equivalent. To have known about the holes in the system which allowed the virus in (and even to have known how to exploit these), is NOT the same as actually doing it (any more than leaving the bill on the sidewalk is the same as pocketing it).

Somewhere along the line, we fail ourselves and our students if we don't impress upon them the need to regard the network as a society with rights, responsibilities, and a code of professional ethics which must be observed in order to preserve that society. There are probably a few hundred people who could have written the code to do what this virus did; most of those people didn't do it. Most, if not all, of us have had the opportunity to pocket a candybar from the local convenience store, but most of us don't. We don't, not because we will be punished or because there are laws against it, but because we have a social consciousness which tells us that such an action would, in the end, substantially degrade the society in which we live.

What happened in this situation reflects not only a moderately high level of programming sophistication but also a disturbingly low level of ethical maturity. If we tolerate those who view the network as a playground where anything goes, we are going to be faced with serious consequences.

But the answer is not to change the character of the network (by increasing restrictions and decreasing freedom of access), but to promote a sense of character among the members of the community who work and experiment in this network. This puts the burden on us to remember that there is a need for us to encourage, teach, and provide examples of the kind of behaviors that we need to preserve in order to preserve the network.

Sean McLinden
Decision Systems Laboratory
University of Pittsburgh