Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!purdue!haven!adm!smoke!gwyn From: gwyn@smoke.BRL.MIL (Doug Gwyn ) Newsgroups: comp.sys.apple Subject: Re: virus info should not be supressed Message-ID: <9776@smoke.BRL.MIL> Date: 3 Mar 89 11:00:58 GMT References: <8903022303.aa13084@SMOKE.BRL.MIL> Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) ) Followup-To: mod.security Organization: Ballistic Research Lab (BRL), APG, MD. Lines: 49 In article <8903022303.aa13084@SMOKE.BRL.MIL> AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") writes: >Information about how viruses work should not be surpressed, period. >There was an excellent piece about this in the RISKS Digest a few >months ago, consisting mainly of a quote from a 19th-century (I >think) document about whether information about locks (door locks, >etc) should be surpressed. The answers are the same: people who >want to pick locks or write viruses can get the information in any >case, and most likely they have had it for a long time. > >On the other hand, the potential victims (people who could have their >houses broken into or their data destroyed) need to know what risks >are involved in trusting their locks or their computer software. > >Now, I don't advocate that source code for viruses be posted, but >explanations of how viruses (in general and in particular) work >_should_ be. The same goes for virus _detectors_. If users don't >understand how viruses spread and how virus detectors attempt to >stop them, how can we expect the general public to see viruses as >anything but completely mysterious, random things to be paranoid >about? Well, using your analogy with locks, the fact is that nearly any home can be surreptitiously entered in only a few seconds by anyone sufficiently clever and skillful who is also armed with the relevant knowledge about how to exploit weaknesses in locking systems. The plain truth is that "consumers" have NOT forced the market to move very far in the direction of reliable, affordable physical security. Most motion in that direction has been prompted by industrial and government-agency needs backed by pressure from those customers on the lock manufacturers. I don't think anything short of a patently out-of-control epidemic of burglary would even wake up the general public to the realization that their property is not secure, and then my estimate would be that they would clamor for the wrong kinds of "solutions" to the problem instead of demanding genuinely better security from the hardware manufacturers. That is because people who suddenly get concerned about an issue seldom invest the study necessary to arrive at valid conclusions. Obviously, under such circumstances, widespread publication of ways to open residential locks, even if not in recipe format, is not ethically justifiable. On the other hand, people in the security industry definitely DO need access to all relevant information. The difficult problem that needs to be solved is how to adequately limit entry into the profession to minimize the number of crooked people obtaining knowledge they'd use for nefarious purposes, without keeping out persons with a legitimate interest. That's a difficult issue, one that governments continually have to face with regard to classified information. These issues are probably best addressed in the mod.security newsgroup, rather than comp.sys.apple.