Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!bbn!bbn.com!wbe
From: wbe@bbn.com (Winston B Edmond)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: a holiday gift from Robert Morris
Message-ID: <32357@bbn.COM>
Date: 16 Nov 88 05:03:36 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <24@jove.dec.com> <566@husc6.harvard.edu> <168@heart-of-gold>
Sender: news@bbn.COM
Reply-To: wbe@BBN.COM (Winston B Edmond)
Distribution: na
Organization: BBN Systems and Technologies Corporation, Cambridge, MA
Lines: 31

In article <168@heart-of-gold> jc@heart-of-gold (John M Chambers) writes:
>Consider: I am a hacker (oops, I mean a professional software engineer :-)
>who has discovered an interesting security hole in a widely-used piece of
>software. What should I do with the information?
>
>.... You must demonstrate the
>problem, if you want people to listen to you.
>
>OK, so you write up a little demo and send it around. What happens? Unless
>you are perfect, and your code runs without bugs on all systems (including
>some you've never seen), your example will do something like rtm's worm,
>and half the world will be calling for prosecution.

I think it rather unlikely that being imperfect or having a program with
bugs would cause the program to act like a worm if it hadn't been mostly
written to be that anyway.

But since you asked, there's another, simpler, solution: attack the
software supplier's host directly. This doesn't require writing code to
replicate, read host tables, decrypt password tables, etc. -- just write a
file called VIRUS in "/" owned by root or daemon or whatever, and let the
vendor know about it. Attacking the vendor's host is just as illegal and
unethical as writing a worm that attacks the whole Internet, but it will
keep the N-1 other Internet administrators from calling the FBI. Before
resorting to this, however, a phone call to the right person at the site to
be attacked might be just as effective.

For the more paranoid among us, we can wonder whether or not such security
holes have already been exploited to modify some vendor's software without
the vendor's knowledge.

 -WBE