The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #074 [Re: Disassembled virus?] (1 message, 1901 bytes)


From: bostic@okeeffe.Berkeley.EDU (Keith Bostic)
To: phage
Date: Sun 01:34:13 06/11/1988 EST
Subject: Re: Disassembled virus?

> Keith, I rarely disagree with you this strongly, but frankly I'm rather
> pissed off at you.

This is getting out of hand.  I think (hope?) that what the other
people on the list are hearing is not what I'm trying to say.  Let
me try one more time.  Then, if you still disagree, I suggest you
ask Mike Karels to post a copy (

> I and probably at least a dozen other people on this list are quite capable
> of decompiling the virus without your help. I am also quite capable of
> writing one from scratch that's at least as good and probably better.

This is absolutely true -- you, for example, could decompile it
one hell of a lot faster than I could.  Without Dave Pare, Donn
Seeley and Chris Torek here we'd have been working until sometime
next year.  To make absolutely sure the record is clear, my part
in the decompilation was minimal, at most.

> The challenge, from my point of view would be to do it so that I
> couldn't be traced. Writing the actual virus is child's play by
> comparison.

True -- for you!  Not for the people that read comp.unix.questions.

> This "trust me, I know what's good for you" attitude is something I
> would expect from IBM or ATT, but not Berkeley.

We're (I'm) *not* trying to say that.  I promise you that we have
told you *everything* that is even mildly interesting about the
code.  I would have no problem giving you or Doug Comer or Gene
Spafford copies of the worm.  But I do not think it's appropriate
to post it to the net or to a mailing list.  I think it entirely
possible that someone will pull a copy off the net, and try to
improve it, or "test it, just for fun".  If you can give me a way
that I can distribute the code, and then not feel guilty
if/when that happens, I'm willing to do it.  It seemed a lot simpler
to refuse to give anyone the code than to try and figure out who
was "trustworthy".

> Why don't you stop the rest of us from wasting their valuable time
> duplicating work that you have already done.
> We're adults. Really.

Yes, but are you willing to trust everyone on "phage", let alone
everybody that reads USENET?  Gene, you created this mailing list,
are you willing to "guarantee" that no one on the list will act in
an irresponsible manner?  Would you be willing to accept legal
responsibility to that effect?  Actually, that's an interesting
question -- if I post the code and someone uses it, am I legally
liable?  Maybe I should ask the Berkeley lawyers, but we both know
what they'll say!

> The truly comical part is you actually think that keeping the
> source to yourself makes any difference.

I'm hoping, I really am.

> One of the basic tenets of computer security is that security
> through obscurity DOES NOT WORK.

We have not been obscure -- everybody that we've been able to reach
knows *exactly* how this thing works.  I just don't want to put the
mechanism onto the net.  Surely you can understand that.

> Now I'm tempted to submit a paper to the next USENIX conference
> that goes into explicit detail about how best to write a
> virus for Berkeley UNIX.

If it details security problems and methodologies, I think it's
great.  You didn't hear me object to the virus paper for January's
USENIX!  If you want to print source code for such a program, I
don't think it's such a good idea.