Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!labrea!rutgers!bellcore!ka9q.bellcore.com!karn
From: karn@ka9q.bellcore.com (Phil Karn)
Newsgroups: news.sysadmin
Subject: Re: The virus
Message-ID: <11591@bellcore.bellcore.com>
Date: 7 Nov 88 14:34:31 GMT
References: <5311@medusa.cs.purdue.edu> <2072@ddsw1.MCS.COM> <241@ispi.UUCP> <11581@bellcore.bellcore.com> <5330@medusa.cs.purdue.edu>
Sender: news@bellcore.bellcore.com
Reply-To: karn@ka9q.bellcore.com.UUCP (Phil Karn)
Organization: Home for Burned-out Hackers
Lines: 63

Gene,

I respectfully disagree. After I posted my note, I discovered that the phage mailing list has had a raging debate about precisely this point. Even though I wrote my original note because *I* wanted a copy of the virus/worm source so I could be well-informed for my management's sake, I have to side with those calling for complete disclosure. The only issue in my mind is the exact timing of the public release. I make the following arguments for my position.

1. Making the source available would help enormously in assuaging management fears about additional, presently undetected damage the worm might have caused (it might really have been a virus, for example). They are likely to be uncomfortable having to trust and rely on the expertise of a fairly small group of people they don't know. By no means am I casting aspersions on those who have been cracking the virus; only trying to calm what may well be unfounded fears. Complete disclosure is the best antidote to paranoia.

2. The worm source just isn't that much more dangerous than knowledge of the security holes it used. Frankly, I'm surprised that Morris used it to build a worm. Two things are paramount to a system cracker: undetectability, followed closely by untraceability in case of detection. If I were a spy with knowledge of the sendmail hole, I would have cracked systems one by one, perhaps through a series of "cheesebox" systems to avoid being traced. Until now I haven't really thought much about the design of worms, but even without the benefit of hindsight it seems fairly obvious to me that controlling the exact rate of their spread (to avoid detection) is very difficult. Why should I risk the possibility of a worm getting out of hand just to save me the trouble of cracking systems semi-manually?

3. It is just not that hard to turn the worm's binary into something really destructive. It certainly does not *require* the source code to do so. In fact, it doesn't even require patching the .o file. Just link it with a module that replaces _exit (or another suitably chosen system call executed near the end) with a function that first executes "rm -rf /", then loops.

4. The source will get out anyway, in one form or another; this is inevitable. Lots of people have been decompiling it, and not all feel that it should be kept secret. Perhaps I only have to wait for it to appear in the New York Times... :-)

5. Making the source code generally available is perhaps *the* best way to prod the vendors into fixing *lots* of holes in their systems, not just the ones exploited by the worm. Face it, we all know how vendors behave -- everyone does the least work possible, subject to the vocalness of their customers' demands. Several people have already stated that they knew of the hole in sendmail for many years and they just chalked it up to the net being composed of benign people. Since it wasn't generally known (I didn't know about it, for example) there was no general cry to fix it, and it lay open long enough for Morris to come along and exploit it.

6. I found it ironic to read that the elder Morris recently submitted a paper on UNIX security for publication, but his employer squelched it. Who knows what was in that paper? Perhaps, just perhaps, maybe it contained a description of the hole in sendmail, among other things. Perhaps, just perhaps, Robert Jr. learned of this hole from his dad. Perhaps if that paper had been published, people would have taken steps to protect themselves before the younger Morris had unleashed his worm.

In sum: SECURITY THROUGH OBSCURITY JUST DOESN'T WORK!

Phil