Xref: utzoo news.admin:3892 news.sysadmin:1189
Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!labrea!rutgers!mailrus!umich!itivax!scs
From: scs@itivax.UUCP (Steve C. Simmons)
Newsgroups: news.admin,news.sysadmin
Subject: A Question Of Ethics (was: Re: A *Big* Thank You)
Message-ID: <367@itivax.UUCP>
Date: 8 Nov 88 03:11:09 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP>
Reply-To: scs@itivax.UUCP (Steve C. Simmons)
Organization: Industrial Technology Institute
Lines: 27

In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>Maybe you should better thank this guy as well, since he revealed some
>nasty bugs in widespread operating systems.  He SURELY showed everyone that
>computer systems are not secure, and that security IS a thing one has to be
>aware of.  Just imagine what would have happened if the worm/virus had
>contained some nasty code to destroy files or the like.  The sendmail bug
>certainly gave the worm access rights to destroy mail and eventually other
>vital system information.
>
>Let's be happy that it is over, and that the Internet is now more secure.

Let's not.  Suppose you found a security hole that would let you assasinate
the president.  Should you:
  (a) Tell the secret service, -- or --
  (b) Take a toy gun and take advantage of the hole?
If you chose (b), don't be surprised if the secret service gives you a
sudden case of lead poisoning.

The ethical thing to do would have been to inform the local sysadm
of the hole, and get the patch out as has been done in other recent
(non-worm) cases.  Instead this guy chose to keep his knowledge a
secret and "play" with it.  He's as culpable as if he'd accidently
dropped a vial full of smallpox bacteria in a public place.

-- 
Steve Simmons		...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."