Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!cmcl2!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.sys.apple
Subject: Re: don't supress virus information
Message-ID: <9790@smoke.BRL.MIL>
Date: 5 Mar 89 02:02:46 GMT
References: <8903031623.aa07644@SMOKE.BRL.MIL>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Followup-To: mod.security
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 46

In article <8903031623.aa07644@SMOKE.BRL.MIL> AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") writes:
>Doug writes:
>>[...] Obviously, under such circumstances, widespread publication of
>>ways to open residential locks, even if not in recipe format, is not
>>ethically justifiable.
>It isn't at all obvious to me. I maintain that the people who would
>abuse the knowledge already have it, and the people who won't deserve
>to know to exactly what degree they are vulnerable.

Maybe I should have explicitly stated what I thought was an obvious implication: The typical burglar does NOT have full information about how to exploit the weaknesses in residential security systems. Generally all they need to know is how to smash open a flimsy door or how to break a window; that's the sorry state of home security. Illegal entry via lockpicking or similar "surreptitious" means is relatively rare, and a good thing too -- insurance companies are less likely to pay off if there are no signs of forced entry.

My contention is that arming burglars with the means of effecting easy surreptitious entry would turn an already bad problem into a serious disaster, and that the general public would not show any more sense about dealing with this problem than they show about anything else.

Viruses spread via BBSes for the most part are more analogous to slipping the latch with a credit card or getting the key from under the doormat than to lockpicking.

The major technical worry, for example, for DoD computers, concerns access by unauthorized users and misuse of resources by authorized users. These concerns existed before any significant attention was being paid to "viruses", and the folks working on solutions for these issues are quite well informed about viruses already.

Widespread publication of virus information won't help noticeably with efforts to genuinely improve computer system security, but it may cause the public to clamor for ineffective, oppressive measures to be taken (such as the recent computer security bill). On the other hand, publication within the technical community should not pose a serious problem, because that community already is in a position to cause trouble if they want to.

I generally agree with the contention that generic discussion of viral techniques in the technical community is not a problem, but that publication of source code etc. would pose a problem. That's because BBS operators are likely to publish such virus source code (or a compiled version) to puff up their phony self-image, with the consequence that numerous people who would never on their own work hard enough to come up with a functioning virus would use the posted ones instead, adding immensely to the number of people spreading the problem.