Xref: utzoo news.admin:3901 news.sysadmin:1207
Path: utzoo!attcan!uunet!cme-durer!klm
From: klm@cme-durer.ARPA (Ken Manheimer)
Newsgroups: news.admin,news.sysadmin
Subject: Re: A Question Of Ethics (was: Re: A *Big* Thank You)
Message-ID: <709@stylus.cme-durer.ARPA>
Date: 8 Nov 88 20:45:26 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP> <367@itivax.UUCP>
Reply-To: klm@stylus (Ken Manheimer)
Organization: National Bureau of Standards, Gaithersburg, MD
Lines: 97

In article <367@itivax.UUCP> scs@itivax.UUCP (Steve C. Simmons) writes:
>In article <1294@tmpmbx.UUCP> pengo@tmpmbx.UUCP (Hans H. Huebner) writes:
>> [...]
>>Let's be happy that it is over, and that the Internet is now more secure.
>
>Let's not. Suppose you found a security hole that would let you assassinate
> [...]
>
>The ethical thing to do would have been to inform the local sysadm
>of the hole, and get the patch out as has been done in other recent
>(non-worm) cases. Instead this guy chose to keep his knowledge a
>secret and "play" with it.

No no no no no no no. Ethical thing to do?? Is it not relevant to ethical considerations that you take some sort of effective counteraction? Inform the local sysadm of the hole?? And what if the local sysadm already knew about the hole, and said "Yeah, if you invoke help in sendmail's interpreted mode it talks about this debug option - don't worry so much, everybody knows about it, and nothing bad has happened." And then even if something was posted about it, what portion of the sys-admin concerned computer population do you think such a posting would reach, and what portion of them do you think would take action? These are, for the most part, not unknown bugs we're talking about, hey? There is enormous investment in computing business/operating system development to just try to keep up with, and attempt to tame, the problems that bite you.
The costs of less immediate threats, like "obscure" security holes, are abstract enough to make plans to fix them fall through the cracks. If you don't agree, consider (as people have mentioned repeatedly) that the flaws the worm exploited are generally acknowledged to not be new or particularly abstruse bugs - the potential application of the sendmail debug option is relatively obvious, if you happen to be aware of its existence. They are (hopefully 'were') entrenched bugs, with concerns about fixing them outweighed by the endorsement of their presence in "all the other versions and incarnations" of bsd operating systems. "If the (other) companies don't care about them, why should i?"

Then along comes someone who gets the bugs on the front page of most newspapers. This is no mean feat. Resolving these bugs, which someone should have invested time to do already, becomes the chore of (very) numerous sys admins around the net, and everyone gets some public egg on their faces for not having taken care of the problem previously.

However, the way it happened had all the earmarks of a great adventure with a happy ending - the shock and challenge of an unknown invader, mustering of defensive forces ("disease control" in various computing centers), recovery of atrophied lines of communication, contributions of individual heroes on the front lines, sweat, diagnosis, and solution of the problem, tracking (and discovery!) of the mysterious culprit, and controversy, lots of controversy. People were mobilized and had the opportunity to meet with success. That's good. I think the general public got the impression of a victory of the mythical computer wizards over a ferocious dragon, rather than the defense of concerned computer hackers over another hacker's heavy (and proliferous) but entirely toothless worm. And that impression is not too bad to have around, either.
As far as i'm concerned, the real danger right now concerns finding a balanced response to the situation - obviously the climate regarding system security is going to change. If not enough effort is invested, the copycat hacks that we'll be seeing (very soon now) will outstrip the improvements, get through, and some significant portion of them won't be so benign as our promiscuous little worm... On the other hand, if administration becomes reactionary in their attitude towards the network and takes a fascist, "curtail-access" attitude, then we're all going to see our work become more difficult, and, for that matter, less enjoyable.

I have heard hints that R Morris intended for the worm to make its journey and go away, leaving only definite evidence that it had been everywhere, so he could then say "see what's possible?" I would bet that if he had accomplished this the story would not have made the front pages of the New York Times or the Washington Post, and fewer sysAdmins' supervisors would be on their sysAdmins' backs. I suppose this would be preferable from at least the sysAdmins' perspectives, and the shock would be sufficient to get some action (and avoid administrative fascism), anyway. Still, i feel that the mobilization and eventual kudos effected to meet the challenge of an overt and active intruder to our cozy world is the best attitude to start to get out of our collective complacency.

>Steve Simmons ...!umix!itivax!scs
>Industrial Technology Institute, Ann Arbor, MI.
>"You can't get here from here."

Ken Manheimer klm@cme.nbs.gov or ..!uunet!cme-durer!klm
National Institute of Standards and Technology (Formerly "National Bureau of Standards")
Factory Automation Systems, Software Support
These are not a sentence, these are pixels.