Xref: utzoo news.admin:3951 news.sysadmin:1327
Path: utzoo!utgpu!attcan!uunet!husc6!ukma!mailrus!umich!itivax!scs
From: scs@itivax.UUCP (Steve C. Simmons)
Newsgroups: news.admin,news.sysadmin
Subject: Re: A Question Of Ethics (was: Re: A *Big* Thank You)
Message-ID: <372@itivax.UUCP>
Date: 10 Nov 88 15:41:23 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP> <367@itivax.UUCP> <709@stylus.cme-durer.ARPA>
Reply-To: scs@itivax.UUCP (Steve C. Simmons)
Organization: Industrial Technology Institute
Lines: 37

In article <709@stylus.cme-durer.ARPA> klm@stylus (Ken Manheimer) writes:
>In article <367@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>>The ethical thing to do would have been to inform the local sysadm
>>of the hole, and get the patch out as has been done in other recent
>>(non-worm) cases. Instead this guy chose to keep his knowledge a
>>secret and "play" with it.
>
>No no no no no no no.
>
>Ethical thing to do?? Is it not relevant to ethical considerations
>that you take some sort of effective counteraction? Inform the local
>sysadm of the hole?? And what if the local sysadm already knew about
>the hole, and said "Yeah, if you invoke help in sendmail's interpreted
>mode it talks about this debug option - don't worry so much, everybody
>knows about it, and nothing bad has happened."
>[[and goes on to an excellent discussion]]

The argument you make is a general ethical one, and has merit. But
this isn't talk.philosophy (yeah, I know I started the thread :-)).

If we grant Morris the best of motives ("see how easy I did X?"), it
feels very much like someone who, in order to show his local fire
department is worthless, starts a "safe" fire. Unfortunately it gets
out of hand and burns his whole house down.

Yes, when the authorities will not allow time/money/resources to do
the security fixes the guy who knows of the hole is in a tough spot.
Two wrongs, tho, don't make it right.

As for the folks who claim we're all better off because of this, I'm
curious. What fixes have come forward since the worm *but not related
to it*? None that I've seen. Folks are suddenly a lot more security
conscious in general but are applying fixes only on this relatively
narrow point. I'd say that we've had only a narrow improvement so far.
-- 
Steve Simmons		...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."