Path: utzoo!attcan!uunet!husc6!linus!heart-of-gold!jc
From: jc@heart-of-gold (John M Chambers)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: a holiday gift from Robert Morris
Message-ID: <168@heart-of-gold>
Date: 15 Nov 88 15:15:02 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <24@jove.dec.com> <566@husc6.harvard.edu>
Distribution: na
Organization: Mitre Corp, Bedford, MA, USA
Lines: 49

In article <566@husc6.harvard.edu>, cherry@husc4.HARVARD.EDU (Michael Cherry) writes:
> In article <565@husc6.harvard.edu> kovar@husc4.UUCP (David Kovar) writes:
> >If at all possible, punish RTM to the fullest extent of the law. It may
> >be more than he deserves but unfortunately (?) someone must set the
> >example and show that such anti-social activities are not acceptable.
>
> It is difficult to agree however it is analogous to a brilliant University
> Molecular Biologist experimenting on a biological virus but through
> inadequate precautions results in a large number of dogs in North America
> becoming infected. The released virus could be completely harmless - but
> I don't think this country would want or should allow this act to go
> completely unpunished.

Well, now, that depends on what you want for an after-effect. I'd suggest
that punishing rtm would likely have a deterrent, but that perhaps you might
not really want that, if you think about it.

Consider: I am a hacker (oops, I mean a professional software engineer :-)
who has discovered an interesting security hole in a widely-used piece of
software. What should I do with the information?

The obvious suggestion is that I should start by telling my employers and
the vendor(s) about it, so they can fix it. Well, it has become clear that
many people had been warning of the sendmail "feature" that the worm used
for at least two years, and absolutely nothing was done by any vendor to
fix it. My experience is that if you just announce that you've found a
problem, you are treated like Chicken Little.

You must demonstrate the problem, if you want people to listen to you.
OK, so you write up a little demo and send it around. What happens? Unless
you are perfect, and your code runs without bugs on all systems (including
some you've never seen), your example will do something like rtm's worm,
and half the world will be calling for prosecution. You'll use a whole lot
of your time (and money) defending yourself. You *won't* be thanked for
what you did. You'll wish you had kept your big mouth shut.

There is, of course, a third course. You could just add your demo to your
own personal library of security-related code, and quietly let people know
that you have it. You might then be able to get some interesting (not to
say lucrative) jobs from organizations that have a use for your knowledge.

Think about it. There are lessons for all of us here. But is the above
really the lesson you want to teach?

--
From: John Chambers
From ...!linus!!heart-of-gold!jc (John Chambers)
Phone 617/217-7780
[Send flames; they keep it cool in this lab :-]