The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #082 [Re: some points to make with the media] (1 message, 2267 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/082.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Gene Spafford <spaf>
To: phage
Date: Sun 23:24:16 06/11/1988 EST
Subject: Re: some points to make with the media

I spent the weekend in Atlanta at an ACM workshop -- what a time
to be away.

In that time, I was interviewed on the phone by folks from a couple of
different newspapers...they tracked me down.  I also spoke briefly
with some folks at NBC who were thinking about a spot on the "Today"
show (it fell through -- just as well), and with John Markoff at
the NYT.

The points I've been trying to make are the ones Erik and Doug
mentioned plus:

* Cracking the Internet and Unix systems is no big deal.  We all know
that it is a less-than-secure environment.  We have literally hundreds
or thousands of individuals who could have written similar or worse
programs IF THEY WANTED TO.  However, the majority of people on the
network are not vandals.  They work to fix problems instead of
exploit them (lucky for us!).

* This worm was a criminal act.  It definitely violates many state
laws, and possibly some federal laws.

* This was vandalism at its worst -- with direct and indirect losses in
the $100K or $1M range.  Not only did it disrupt and occupy all these
people nationwide for the better part of days, think of the costs to
Sun and DEC as they have to rush fixes to their customers under
maintenance.  Ouch!

* There is little wonder that the kid would behave like this
considering that his father's comments were "This was the work of a
bored college student." and "This will be useful in the long run since
people will pay more attention to security." Yeah, somebody finds
dynamite in the street and blows up people's houses.  That's better
than reporting it to the authorities because it will get more attention
paid to the dangers of leaving dynamite around.  And this guy is at the
NSC?  Lord help us!  Be careful if you comment on this, but someone
should make the point that we hope his father is being misquoted else
perhaps someone should more closely examine if he had any input to the
worm.

* If this guy is not prosecuted, think how that will encourage the next
"bored graduate student" who comes along and finds a hole in the OS.
We need to stress to the press that there are likely to be criminal and
civil suits over this.  He is *not* innocent.  His actions were
premeditated -- the worm could not be used for anything other than what
it did.  If it escaped early or was more intense than planned matters
little (as Doug Comer noted in an earlier message).  I am not without
some compassion, but this kind of conduct should not be addressed
with a hand-slap and a "tsk-tsk".

(In fact, I urge all of you to consult with your legal departments
about considering civil damage lawsuits for the time spent cleaning up
after the virus.  You might also find out if you have a state law that
covers this, then nudge your state attorney generals.)

* The problem was not a breakdown of security, but a breakdown of
ethics.  In some ways, that shouldn't surprise too many people -- we
tend not to cover ethical issues in computer science programs.  I'm
teaching a course here this semester on ethics, liability and
responsibility, so if someone wants more info on that, let me know
and I can provide you with some info and/or references.

* Last of all, NEVER refer to Robert Morris as the guy who did it
unless you preface it with "alleged" or "claimed".  Give him the
benefit of the doubt here, either until he is convicted or
confesses.  The evidence seems clear, but we are not a jury.
(Think what a nifty frame this could make -- spread the virus
and create a lynch-mob atmosphere, then plant the source files
in someone else's account and "leak" some hints so they are
discovered.  In fact, if Morris doesn't confess, could any of
you prove beyond reasonable doubt that he was the author?
Think about it.)


After some sleep, I'll try to come up with some more coherent
comments on the whole thing.  If any of you talk to some media
people who would like some comments on the ethics involved,
feel free to refer them to me if you wish: 317-494-7825.

--spaf

END OF DOCUMENT