Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!rutgers!ucsd!ucbvax!SPAM.ISTC.SRI.COM!robert
From: robert@SPAM.ISTC.SRI.COM (Robert Allen)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: "Morris did it"--the new excuse?
Message-ID: <8811142005.AA02573@milk10>
Date: 14 Nov 88 20:05:36 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 91

>Scientists and researchers at a university like mine were unable to use
>their computers and network links during the virus attack, and lost
>valuable time. As always, some were up against deadlines and may well
>be hindered now in their chances for getting results before a
>conference, or in getting a grant proposal out before deadlines.

When I've taught courses that use computers, I told students that under
almost all circumstances, computer downtime would not be an excuse for
lateness. The one exception I've ever made involved granting everyone a
week's extension. I've never worked assuming that the machines I use are
100% reliable. Do the scientists/researchers at your site do so-- even
on critical stuff? If someone has a grant proposal riding on getting
something done by a certain deadline, what happens if there's a major
disk crash at your site?

I would expect, and have in fact seen, professors give extensions in
those cases where the loss of computing facilities CLEARLY had an
unrecoverable impact on exams/assignments. In most cases the loss of
facilities was not CLEARLY to blame, since people often wait until the
last minute before starting to work. This is seldom the case with
proposals or contracts deadlines (in my experience).

>This is serious business!

Yes this is *all* serious business. Computers used primarily for USENET
or hack or what-not can be dead for awhile and merely inconvenience lots
of people.
But now you cite computers where users cannot afford to have computers
to be down for long--do the sites that run them without having any
contingency plans whatsoever? Such sites are irresponsible.

My site is rather well equipped with computing facilities. Most every
person has a Sun on their desk, and we also have several VAXen. Even
with this plethora of equipment, we were UNABLE to continue work for
about 2 days when the virus hit. If a group that has adequate facilities
cannot survive such an outage, then certainly places such as
Universities, which usually have inadequate quantities of computers,
will be very hard hit by such a virus as we are discussing. Short of
maintaining a separate hardware fallback, it is my contention that it is
IMPOSSIBLE to have a contingency plan other than what was used across
the U.S., namely, lots of late night work by system staff people who
were trying to second guess the designer of the virus/worm.

I have not posted anything about the virus since others were posting
plenty. Just this once however I'll make my opinion known. The designer
of the virus clearly intended for it to secretly infiltrate other
computers, and sit there, using up a quantity of CPU and memory. The
design of the code that implemented the infecting agent was designed to
prevent anyone from deducing what the process was doing. Although the
virus did crash a few systems from swap space problems, it apparently
(as far as we know) did nothing overtly malicious. The reason the virus
was so damaging, was that the perpetrator DIDN'T TELL ANYONE what it was
doing. For that reason we had to keep our systems down until we
determined, as best we were able, that no trojan horses had been
planted. If the perpetrator had "gone public" with the code, the fix, or
even an overview of what the virus DIDN'T do, then perhaps people would
be more willing to cut the guy some slack.

I've known more than a few people who broke UNIX security at one time or
another.
Some of them did it to get even with some system administrators, most
did it to see if it could be done. I do not automatically call for a
pound of flesh from all "crackers" or "hackers" who break security. In
this case however, I think that the negligence demonstrated by the
perpetrator is rather gross. He was playing with a dangerous thing to
start with. He also INTENDED that it `infect' other machines on a
semi-permanent basis. He DIDN'T tell anyone how to combat it when it got
out of control, nor did he come forth to assure people that the virus
was benign. This is a mistake that I might expect of a freshman student,
but certainly not a grad student. This single fact is the most damning
of the perpetrator in my opinion.

Finally, I don't think that what he did required any great amount of
brilliance. As someone who spent some amount of time in stat labs with
people who could break security of UNIX at will, I can tell you that all
that is really required is an inquisitive mind, lots of patience, and
decent C programming experience. It also requires a certain kind of mind
set. If the perpetrator discovered the sendmail bug and the fingerd bug
WITHOUT source code access, then I would consider using the word
"brilliant" to describe him. As it is, I would say he was a competent C
and UNIX programmer.

As for punishment? I agree with others that jail time is counter
productive in a case like this. Community service of some type relating
to computers, plus perhaps a fine, would be more conducive to getting
the point across that some of us can't afford to sit around a stat lab
(anymore) figuring out how to screw the system (not a really great
challenge), and we can't afford to have our machines down for 2 days at
a stretch.

Robert Allen, robert@spam.istc.sri.com