Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!purdue!spaf
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: news.sysadmin
Subject: Re: Would you hire The Worm?
Message-ID: <5518@medusa.cs.purdue.edu>
Date: 26 Nov 88 16:38:01 GMT
References: <456@utoday.UUCP> <10538@ncc.Nexus.CA> <13162@ncoast.UUCP> <3738@inco.UUCP>
Sender: news@cs.purdue.EDU
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Organization: Department of Computer Science, Purdue University
Lines: 47

In article <3738@inco.UUCP> mack@inco.UUCP (Dave Mack) writes:
>I, on the other hand, would certainly consider hiring him. He's clearly
>a talented programmer. And after all this, I would imagine he's a hell
>of a lot more serious and conscientious about it.

Ahem. I've read through 3 different reverse compilations and
unassembled versions of the worm program, and I can say pretty
definitively that the worm program shows no evidence of the author (or
authors) being a talented programmer. The code is poorly structured,
there is dead code throughout, calls are made with the wrong number
and kinds of arguments, effort is duplicated, and the data structures
chosen are not appropriate for the task at hand. If this were code
from a student in one of my courses, I would give it no more than a
low C grade. It is largely luck that it worked as well as it did, and
I doubt it was tested or ever run through lint. This is all discussed
in my tech report (to be issued Monday).

As far as being more serious and conscientious, how the heck do you
know that? Perhaps the author(s) is now more serious and conscientious
about not being caught. Maybe he/she/they are now more serious about
causing damage the next time something like this is done. If the only
punishment is a fine or a slap on the wrist, exactly what lessons do
you think will have been learned from this? Even if the punishment is
more severe, what do you *know* will have been learned?

It would be irresponsible for a businessman to hire a failed embezzler
as the company comptroller. It would be stupid to hire an admitted
arsonist as the night watchman at a lumberyard. It would be criminal
to hire a child molester to work as a babysitter. Even if these people
had been caught, paid a fine, and served time, would you trust them
with something of value to you and related to their criminal activity?

To hire the author(s) of the worm to work on computer security or
important computer software would be just plain stupid. He/she/they
has demonstrated a total ignorance about right and wrong just to run
some "neat hacks." If I knew that a company hired the author(s), I
wonder if I could ever trust the software they would market. I doubt I
would ever purchase anything from that company if I had any
alternative at all. Think about it.

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf