Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!agate!labrea!rutgers!bellcore!jupiter!karn
From: karn@jupiter..bellcore.com (Phil R. Karn)
Newsgroups: news.sysadmin
Subject: Re: Possible Fines for Virus Perpetrator
Message-ID: <11597@bellcore.bellcore.com>
Date: 8 Nov 88 03:15:09 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <5332@medusa.cs.purdue.edu>
Sender: news@bellcore.bellcore.com
Reply-To: karn@jupiter.UUCP (Phil R. Karn)
Distribution: na
Organization: Bell Communications Research, Inc
Lines: 52

The many discussions I've heard on the morality of Robert Morris's actions inevitably seem to include arguments based on analogies with other security breaches. Robbing banks to demonstrate lax security, tossing matches into gasoline tanks, jimmying door locks in houses, etc, have all been mentioned. Without necessarily taking issue with any particular analogy, I would like to point out the pitfalls of such arguments.

Laws, codes of ethics and moral behavior, etc, have evolved over a much longer time than have computers and computer networks. For most traditional acts, everyone has a pretty clear idea of the difference between right and wrong. For example, the notion that it is wrong to enter someone's house without permission has been well established for many years. Most kids learn and understand this very early.

But what constitutes "permission" to "access" a computer system is not always clear. Logging into someone's account without their permission and rummaging through their private files is now generally considered wrong. But what about rummaging through a system's anonymous FTP directory? In my own mind, putting something in an anonymous FTP directory is tantamount to placing a stack of copies by the curb next to a sign that says "FREE -- take one", or posting it on a (physical) bulletin board for all to see. Does everyone feel this way?
How about the naive user who puts a file in /usr/spool/ftp without knowing the convention? Can he later flame with any justification about the "back door" in FTP that made his file freely available to one and all? Suppose someone finds something in an anonymous FTP directory that the owner didn't really want made public -- is it still up for grabs? That's not so easy to answer. One man's "standard convention" is another man's security hole.

Here's an analogy of my own that, in my opinion, is just as good as any I've heard. Someone calls up a random person on the phone and says the following: "Tape record what I am saying, and play it to three of your friends. Then get your gun and shoot yourself." Suppose that a sizeable fraction of the population actually *obeys* these instructions. (Note that no threat was expressed or implied). Irresponsible? Of course. Immoral? Yes. But can you really completely exempt the victim from *all* of the blame? Of course not! And Morris's worm didn't ask the recipient to shoot itself.

Computers and networks are a whole new realm, and analogies made with more conventional acts may be misleading. New traditions as to "fault" when something unpleasant happens in a computer network will have to evolve over time, just as the rules and laws have for motor vehicle operation.

I am in no way defending Morris or his actions; I am as angry at him as anyone else, although some of my anger is also directed at those who created the holes he exploited, either deliberately or through sloppy coding. I am only asking that people look at things as they are, without arguing solely by analogy. Hopefully one of the results of this incident will be a better defined consensus as to what the difference between right and wrong is in the computer world, one that we can expect people to learn and respect in the future.

Phil