Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!sharkey!aucis!bnick
From: bnick@aucis.UUCP (Bill Nickless)
Newsgroups: comp.misc
Subject: Re: Right of reply, virus- public, private- a thin line
Summary: Is virus protection writing a "black art"?
Message-ID: <145@aucis.UUCP>
Date: 21 Feb 89 16:09:51 GMT
References: <415@odin.cs.hw.ac.uk> <827@atanasoff.cs.iastate.edu>
Organization: Andrews University, Berrien Springs, MI
Lines: 35

In article <827@atanasoff.cs.iastate.edu>, jwright@atanasoff.cs.iastate.edu (Jim Wright) writes:
> Hence the open question for net.discussion: At what point does information
> about viruses become too sensitive to be openly discussed? How much
> information do *you* want? Would you feel safer if only those who
> wrote protection software (plus the virus writers) knew what was going
> on? Does anybody care?

The problem with censorship of any kind is that the censors are putting
themselves in a position of controlling what others can learn. It's an
"I know better than you, and you don't need to know that" attitude.

Even if we agree that only "those who wrote protection software" be
apprised of new developments, who is going to decide on the distribution
of the information? Do you give that information only to NSA employees,
Ph.D.s, persons employed in a computer-based company with >100 employees,
undergraduate computer science majors (like myself), high school hackers,
or who?

Let's compare this to locksmithing. The technology of the typical Yale
lock is rather old (try decades old!) and can be understood by someone
with a minimal mechanical aptitude. Do we restrict that information? Not
really. Do we restrict information on how to pick locks? No. We throw
people in the slammer for picking locks or faking keys--and locksmiths too!

I suppose the same question could be asked about any security-related bug
reports. If someone finds a bug in AT&T System V that allows them superuser
privilege, I sincerely hope they spread the word that the capability exists
to as large a cross-section of the net as possible, so there can be the
largest possible chance of a fix or work-around. This also gives sysadmins
the ability to watch for security violations taking place, and to take
appropriate actions.

--
Bill Nickless    Andrews University Computer Science Department
...!sharkey!aucis!bnick or bnick@aucis.UUCP    Unix Support Group
"Help! I'm locked up in this .signature factory!"