Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!mcnc!thorin!clocs!davis
From: davis@clocs.cs.unc.edu (Mark Davis)
Newsgroups: comp.misc
Subject: Re: CALL FOR VOTES: DID HE DO US A SERVICE OR NOT?
Summary: He did a disservice because he encourages others and plugging all of the holes is impossible.
Message-ID: <5272@thorin.cs.unc.edu>
Date: 11 Nov 88 21:41:25 GMT
References: <1330@stiatl.UUCP> <202@hsi86.hsi.UUCP> <6081@killer.DALLAS.TX.US>
Sender: news@thorin.cs.unc.edu
Distribution: na
Lines: 25

All of you who claim that Morris did us a service are overlooking an important point: you can't plug all of the insecurities. A security hole is simply a bug in the security system. Any casual student of software engineering knows that removing all bugs in a large, complex system is impossible (See "Mythical Man Month" by Fred Brooks for data.) By the way, would any UNIX/Internet wizard care to estimate how many security holes have already been plugged?

Therefore, security holes will be with us as long as we have an internet that is useful. Bright people will always be able to find those unfixed bugs. The worst thing is closing the security problems will result in a less usable system or worse, new bugs that break the existing applications.

So what has Morris done for us? He has wasted a large amount of money (programmer time and computer resources). He has gained notoriety, thereby encouraging thousands of ethically lacking people with similar skills to one-up him by making a bigger splash. As I said above, the bigger splash will always be possible as long as there is an internet.

No thank you, Mr. Morris. You have not helped and you will hurt us a lot. You go on my list of people to never (1) hire or (2) buy or recommend their products.

- Mark (davis@cs.unc.edu or decvax!mcnc!davis)