Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!bionet!ig!arizona!joel
From: joel@arizona.edu (Joel Snyder)
Newsgroups: news.sysadmin
Subject: Re: Possible Fines for Virus Perpetrator
Message-ID: <7735@megaron.arizona.edu>
Date: 8 Nov 88 04:48:26 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <5332@medusa.cs.purdue.edu>
Reply-To: jms@mis.arizona.edu (Joel Snyder)
Distribution: na
Organization: U of Arizona MIS Dept, Tucson
Lines: 30

sending out patches are completely irrelevant. Are you saying that if I discovered the same bug and brought it to the attention of Digital that their cost of sending out emergency patches wouldn't be the same?

This is not a "lock" which *I* put on my system and which someone has forced. This is a lock which I bought from a very large computer company with the reasonable assurance that any J. Random Hacker couldn't pick it in the time it takes me to pick my nose. No matter how the fact that there is a bug in the "lock" was brought to the attention of our various and sundry computer vendors, they still have the same obligation to get a fix out to their users as soon as possible.

The only argument I would be willing to accept is that if I brought the matter up with vendors privately, they might have more time to thoroughly test things and make sure that there aren't other problems of a similar ilk in other pieces of code. As it is, a couple of programmers are going to spend some long hours, some software distribution centers are going to put in some overtime, and we're going to get a marginally more expensive patch.

I'm not necessarily in favor of thanking Morris for pointing out the security hole; I think he should get the sh*t beaten out of him by the people who had to spend long hours last week because he didn't have the decency to bring up his discovery (which I guess was reasonably well known to the sendmail gurus) in a little less sensational way.

But talking of fines, sentences, and class action suits sounds like a lot of economic nonsense to me.

Joel Snyder
University of Arizona MIS Dep't
jms@mis.arizona.edu