Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ames!ncar!tank!nic.MR.NET!hal!cwjcc!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!uw-beaver!cornell!moore From: moore@svax.cs.cornell.edu (Doug Moore) Newsgroups: comp.misc Subject: Re: CALL FOR VOTES: DID HE DO US A SER Message-ID: <22740@cornell.UUCP> Date: 18 Nov 88 19:56:38 GMT References: <1330@stiatl.UUCP> <79700016@p.cs.uiuc.edu> <1564@stiatl.UUCP> <15@kepler1.UUCP> Sender: nobody@cornell.UUCP Reply-To: moore@svax.cs.cornell.edu (Doug Moore) Distribution: na Organization: Cornell Univ. CS Dept, Ithaca NY Lines: 39 In article <15@kepler1.UUCP> rjfrey@kepler1.UUCP (Robert J Frey) writes: >What "should" happen to Morris? I think he should be prosecuted, though >we should duly note that he wasn't deliberately trying to hurt anyone. He >should also be held liable for the damages both direct and consequential >that his handiwork caused. I also believe that should his assets prove >to be insufficient to cover those claims Cornell should be liable to the >extent that their own negligence contributed to those damages. I don't know Morris. Morris is not a friend of mine. And I am no Robert Morris. Most students here are not prone to the kind of irresponsible behavior that caused this brouhaha. When you accuse Cornell of negligence in this matter, you are patently unfair in at least 3 ways. First, and most selfishly, you threaten me. I don't want to fill out weekly forms detailing what use I have made of Cornell computers in the last 7 days. And I can't think of anything Cornell could have done to prevent this, short of instituting just this kind of totalitarian, bureaucratic chaos. Second, institutional blame must fall at least as heavily on other institutions that Morris used to propagate his worm. While he was physically at Cornell, he actually started the worm at MIT. He had it send messages to Berkeley. I daresay he still has some accounts at Harvard. Are some or all of these institutions also financially liable for damages? Finally, what of those who knew of these security holes and did nothing? Do they not share some responsibility? Believe it or not, Cornell has been victimized as much or more than any institution by this event. Blaming Cornell or MIT or AT&T for negligence is fine, but that negligence was more widely distributed than that. Cornell's only negligence was in providing an environment in which people are treated as mature and responsible members of the community. I hope that Cornell and other institutions remain negligent in this sense, despite the fact that people are occasionally irresponsible, and despite whatever legal threats may be made against them. The only entity responsible, the only one that should be punished, is Robert T. Morris, Jr. And with members of Cornell's board of governors calling for his head, I don't think his association with Cornell will last much longer. From the world's most famous computer science department, Doug Moore (moore@svax.cs.cornell.edu)