Xref: utzoo comp.protocols.tcp-ip:5201 comp.unix.wizards:12185
Path: utzoo!utgpu!attcan!uunet!seismo!sundc!pitstop!sun!ember!dre
From: dre%ember@Sun.COM (David Emberson)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: a holiday gift from Robert "wormer" Morris
Summary: Glorification of a Jerk
Message-ID: <76424@sun.uucp>
Date: 7 Nov 88 20:06:23 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM>
Sender: news@sun.uucp
Distribution: na
Lines: 53

In article <2060@spdcc.COM>, eli@spdcc.COM (Steve Elias) writes:
> "Wormer" Morris has quite a career ahead of him, i'll bet.
> he has done us all a favor by benevolently bashing bsd 'security'.

I knew about this sendmail bug at least four years ago, courtesy of Matt Bishop (now at Dartmouth). He wrote a paper detailing at least a half dozen holes in the Unix system and methods for constructing trojan horses which was so dangerous that he responsibly decided not to publish it, but instead to give selected copies to people who could fix some of the problems. He also wrote an article for the Usenix newsletter, ;login, which explained how to write secure setuid shell scripts--a major source of security holes. Matt did not "benevolently bash" anyone's machines. His behaviour, while unsung by the press and the Usenet community, is an example of the highest in professional and academic standards. This is the kind of behaviour that we should be extolling.

It is a pity that the perpetrator of this hack, allegedly Mr. Morris, is now hailed as a famous "expert" in computer security. No doubt he will make a fortune after the noise dies down as a security consultant. In fact, I saw someone quoted in this morning's Wall Street Journal as saying that the perpetrator was someone he would love to hire! Not I! I would think that prison would be a better place for a person who cost the government, several universities, and many companies untold thousands of man-hours and millions of dollars in downtime and effort spent tracking this piece of garbage down. And it is almost certain that all the copies of the virus haven't been found.

Unfortunately, the press seems to grab hold of every stupid jerk like this and hail him as some sort of genius. Somehow the issue of computer security evokes images of high school kids firing off MX missiles or some other vision which terrifies the public, and the press loves sensation more than substance. A few years ago there was pandemonium in the press when someone told them that terminals with programmable function keys could be trojan-horsed. Big deal! But the media broadcast repeatedly the "revelation" that most terminals in the world had this "bug." Now they are jumping up and down because the recent virus made its way into Lawrence Livermore and NASA Ames--even though it didn't make it into any classified machines. The news people are more interested in irresponsibly stirring people into a frenzy than they are in responsible reporting of facts.

I call upon my fellow computing professionals to promote ethical behaviour amongst their students and colleagues and to denounce destructive misuse of computing knowledge. I also call upon them to refuse to participate in the glorification of people in the profession who engage in this kind of behaviour. We must police ourselves and censure those amongst us who engage in this type of computer crime.

Much is at risk if hysterical reporters cause hysterical law makers to place restrictions on networks, on the capability of hardware, on access to computing facilities, or on software. Computer security costs a great deal of money, like defense spending. I for one would rather see this money go for better things.

Dave Emberson (dre@sun.com)