Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!husc6!purdue!spaf From: spaf@cs.purdue.edu (Gene Spafford) Newsgroups: news.admin Subject: Re: Getting Even Message-ID: <5343@medusa.cs.purdue.edu> Date: 8 Nov 88 02:59:49 GMT References: <367@execu.UUCP> <265@acheron.UUCP> <1636@pikes.Colorado.EDU> Sender: news@cs.purdue.EDU Reply-To: spaf@cs.purdue.edu (Gene Spafford) Followup-To: news.sysadmin Organization: Department of Computer Science, Purdue University Lines: 56 [I originally posted this in news.sysadmin (where this discussion should be), but it bears repeating here.] I've been seeing a lot of commentary from people claiming that we should be grateful that the worm (it is *not* a virus -- a virus includes itself in the code of other programs and only runs when they do; a worm is a independent entity) exposed some security problems for us. Some of those same people are claiming that Robert Morris, Jr. should not be prosecuted because he did us a favor, and it was somehow our fault for not fixing the problems sooner. That attitude is completely reprehensible! That is the exact same attitude that places the blame for a rape on the victim; I find it morally repugnant. Consider an analogy: Locks built in to the handle of a door are usually quite poor; deadbolts are a preferred lock, although they too are not always secure. These standard, non deadbolt locks can be opened in a few seconds with a screwdriver or a piece of plastic by someone with little training. Now, if you have such a lock on your door, and you wake up in the middle of the night to find that a stranger has broken into your home and is wandering about, bumping into things in the dark and breaking them, how do you react? Do you excuse him because the lock is easy to circumvent? Do you thank him because he has shown you how poor your locks are? Do you think *you* should be blamed because you never got around to replacing the lock with a better one and installing a burgler alarm? We have failed to imbue society with the understanding that computers contain property, and that they are a form of business location. If someone breaks our computers, they put us out of work. If someone steals our information, it is really theft -- not some prank gone awry. If someone broke into the NY Times and vandalized their printing presses, it would not be dismissed as the work of a bored college student, and even if it was the son of the editor, I doubt anyone would make a statement that "It will ultimately be a good thing -- we'll be forced to improve our security." We cannot depend on making our systems completely secure. To do so would require that we disconnect them from each other. There will always be bugs and flaws, but we try to cover that by creating a sense of responsibility and social mores that say that breaking and cracking are bad things to do. Now we have to demonstrate to the world that this is the case, and we will back it up with legal action, or we'll continue to risk having bored students and anti-social elements cracking whatever we replace the systems with until there is no longer any network. That is not a risk I want to deal with. -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf