Xref: utzoo comp.unix.wizards:12191 news.sysadmin:1186
Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!ucbvax!ucsfcgl!cca.ucsf.edu!rodgers
From: rodgers@cca.ucsf.edu (Rick Rodgers)
Newsgroups: comp.unix.wizards,news.sysadmin
Subject: The Internet Virus--A Commentary
Keywords: ethics networks communication computer viruses
Message-ID: <1460@ucsfcca.ucsf.edu>
Date: 8 Nov 88 04:32:35 GMT
Organization: Computer Center, UCSF
Lines: 98

The New York Times has claimed that Robert Morris, Jr., a graduate student in computer science at Cornell, was the author of the rogue program which wreaked havoc on the Internet last week. Not having seen a direct confession from Mr. Morris, I think it appropriate to give him the benefit of the doubt, and not assume him guilty at present. Therefore, in the remarks which follow I prefer to use the word "culprit."

Quite aside from the guilt or innocence of Mr. Morris, the picture painted by the NYT raises serious ethical issues; let us assume for a moment that the culprit is in every way as Mr. Morris is described in the NYT stories. The culprit, then, is a bright and technically oriented young person who is socially reticent, and who perpetrated this act out of boredom, having convinced himself that he intended no great mischief. I leave aside interpretation of motives on the basis of the behavior of the virus itself (the use of encryption/decryption, the fact that it did not seem to be designed to destroy or corrupt files, etc.).

These questions arise:

1) The virus was reportedly intended as an "innocent" attempt to produce a program which would propagate itself across machines on the network, leaving a single copy per affected machine. On what basis did the culprit decide that the Arpanet was an appropriate location to carry out private experiments in computer security; in what way can the insertion of ANY program in the machine of someone else, without their consent, be considered "innocent?"
2) Given the frequency of programming errors in untested programs, how would a technically experienced person assume that a program of this complexity would work as designed the first time? This is an act of considerable hubris.

3) If the culprit "quickly recognized that things had gone wrong," why did he not IMMEDIATELY call local management authorities and inform them of the problem, rather than delegating this to a friend, who then allegedly posted instructions in an obscure place? The first act represents a failure to take responsibility for one's own actions, and the second a severe lapse in judgment.

Looking forward rather than behind, there are two issues requiring our attention, and in both instances it is vitally important that we avoid resort to extremes.

The first is appropriate retribution for the culprit. At one extreme lies the argument that this individual is a hero who has done the network community an enormous favor. This camp would argue that the unethical acts described above are outweighed by the benefits of closing the security holes exposed by this particular virus. Aside from the omniscience which would be required to estimate the gains, this is a particularly pernicious form of reasoning which leaves the network open to any tinkerer who believes he has a demonstration of a security bug. Moreover, there are alternative ways to bring such knowledge to light in a constructive manner; after LOCAL tests, such a system could be demonstrated to responsible colleagues, ARPAnet administrators, or software engineers in companies affected by the bugs found. One can even envisage a network-wide test in which a thoroughly pre-tested and truly benign virus is intentionally released, after prior announcement (and with some sort of mechanism for consensual participation), with software in place to monitor its (transient) dissemination and demise, for the purpose of studying the behavior of the network.
The mode of introduction of the actual virus had none of these earmarks of a serious investigation, but does leave the perpetrator open to charges of exploitation and exhibitionism.

The calculable loss in man-hours and computing-hours is considerable, as revealed by a simple back-of-the-envelope computation designed to err on the side of being too small. Approximately 6,000 processors were affected. Let us assume (conservatively) that there was one person affected for every five machines, and that 12 hours were devoted to handling problems arising from the crisis. This results in an estimate of 14,400 man-hours lost, equivalent to 360 40-hour man-weeks (nearly 7 working man-years). This ignores the (presumably considerable) indirect costs attributable to loss of computing time per se. Estimates of up to 100 man-years which have appeared elsewhere can be seen as not preposterous.

Retribution is likely to be meted out at several levels, possibly including criminal prosecution. Lenient or harsh, the punishment should not contribute to making the culprit into an underground hero. This process is already well underway when the popular press associates the words "brilliant" and "innocent" with the perpetrator and his actions. Nor should the attention he has managed to obtain result in lucrative job offers, or other inducements to this form of behavior.

The second issue is less tangible but of great importance: the effect this may have upon the openness and collegiality of the network, from which each of us has benefited. It is here that the culprit may leave his most damaging (and lasting) mark. Communication requires openness, and open systems will always be vulnerable in some respect; their integrity will always rely ultimately upon the decency and good judgment of the participants.

--------------------------------------------------------------------------------
R. P. C. Rodgers, M.D.
Statistical Mechanics of Biomolecules
Department of Pharmaceutical Chemistry
University of California, Box 1204
Laurel Heights Campus, Room 102
3333 California St.
San Francisco CA 94118
USA

Telephone: (415)476-8910 (work)
           (415)664-0560 (home)

E-mail:
  ARPA:   rodgers@cca.ucsf.edu
          rodgers@maxwell.mmwb.ucsf.edu
  BITNET: rodgers@ucsfcca
  UUCP:   ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers
--------------------------------------------------------------------------------