Path: utzoo!attcan!uunet!peregrine!elroy!forsight!jato!herron.uucp!jbrown
From: jbrown@herron.uucp (Jordan Brown)
Newsgroups: news.sysadmin
Subject: Re: Possible Fines for Virus Perpetrator
Message-ID: <9@herron.uucp>
Date: 9 Nov 88 05:54:34 GMT
References: <456@l5comp.UUCP> <12081@dscatl.UUCP> <16600@agate.BERKELEY.EDU> <5331@medusa.cs.purdue.edu>
Reply-To: jbrown@jato.jpl.nasa.gov
Distribution: na
Lines: 27

spaf@cs.purdue.edu (Gene Spafford) writes:

> That was an unkind comment, Weemba.  It also misses the fact that such
> a class action suit could be filed for millions, not $10K.  I suspect
> that Sun Microsystems will expend a few $100K on this -- not only to
> eradicate the worm in their internal network, but they will have the
> expense of FedEx'ing copies of patches to all their sites under
> maintenance.  DEC will have similar costs.  Then there is BBN and....

It's not fair to count patch costs against the worm.  The patch costs
would have occurred even if the fellow had never run the program, only
written a letter describing the problem.

Too often you see a newspaper article which claims that some computer
break-in "cost $100K", and when you look closely there was little direct
direct damage and the $100K was to fix security so it couldn't happen again.
This is akin to claiming that the burglar is responsible for paying for
you putting in a security system.

Of course, if it hadn't been so spectacular, maybe they wouldn't have
distributed the patches.  Then when somebody does something actually
malicious using the hole, Sun (or whoever) would be up for one whopping
gross negligence-style suit.

By all means send the guy the bill for the manpower wasted eradicating
the worm, but don't ask him to pay for fixing all the systems in the
world so it can't happen again.