The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #060 [Re: Disassembled virus?] (1 message, 1312 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/060.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Paul A Vixie <vixie@decwrl.dec.com>
To: phage
Date: Sat 18:59:28 05/11/1988 EST
Subject: Re: Disassembled virus?
References: [Thread Prev: 058] [Thread Next: 061] [Message Prev: 059] [Message Next: 061] 

# I sure hope that some organizations file some civil suits against the guy.

I've been thinking about this.  My last comment wrt punishment had to do with
potential guilty feelings after tearing the guy's arms off; I think (as is oft
the case) I spoke in haste.

Consider:

1. this will get the bugs cleaned up faster than anything else could have;

2. it could have been _much_ worse (how many files on your computer are
   writable by "daemon"?  or, what if this thing had gone very slowly and
   sat quietly until a prearranged moment, instead of going out of control
   immediately?  use your imagination -- if real harm had been intended,
   the Internet would be in deep doo doo);

3. the code was damned clever - certainly something I wasn't capable of at
   age 23;

4. it was not supposed to get as far as it did, but it escaped and went wild
   because of bugs.

All in all, I feel kinda sorry for the guy at this point.  Imagine going up
to your father, who's been working his ass off for 50 hours without sleep
trying to spin down this f---ing worm, and you have to tell him: uh, dad,
it was me.

So, no, I'm not saying it was okay.  It would've been a lot better to have
written the software, tested it on a closed network, documented its effects,
and then sent the results to Berkeley or someone else who could send out some
bugfixes; when it was over, the kid could've written a paper about it and he
would've been a small-scale hero.

Or, when it got out of his control, he should immediately have sent lots of
mail around telling the world how to kill it off.  But at 23, I would probably
have gone catatonic after letting something like that loose by mistake.

So, before we condemn the guy, let's get all the facts.  If he really is a
scumbag, fine -- but if he's a bright but careless kid, do we really want
to see him go to prison for 20 years (one figure I've heard thrown around)?

(As usual, and obviously: not speaking for my employer.)

Paul

END OF DOCUMENT

ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.