The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #183 [Re: Disassembled virus?] (1 message, 1065 bytes)
NOTICE: recognises the rights of all third-party works.


From: rick@seismo.CSS.GOV (Rick Adams)
To: phage
Date: Tue 23:19:45 08/11/1988 EST
Subject: Re: Disassembled virus?
References: [Thread Prev: 181] [Thread Next: 185] [Message Prev: 184] [Message Next: 188]

The biggest reason TO publish it is to dismiss the false sense of
security that you seem to have from not publishing it.

The part that really surprises me is that you think the typical grad
student is too stupid to turn algorithms into code.  (After all, you're
willing to publicize the algorithms...)

Your "parallel" is quite poor and doesn't seem at all relevant.  A
reasonable parallel to the plutonium in your story would be an
undiscovered security hole, NOT the code itself. (Also, I'm not
convinced that a 5 megaton explosion in NYC would be a bad thing, but thats
another topic). Are you worried that university physics depts are teaching
students enough knowledge for them to make bombs? I'm not.

I understand that the knowledge necessary to make an a-bomb is
relatively simple. The difficulty is in obtaining the parts and skill
to assemble them. Do you honestly believe that not having an existing
bomb to disassemble would be big problem?

I think you've said it all without realizing it. You say "The virus
source code won't tell you anything that's been published on the
list".  Presuming that you meant to type "that hasn't been published on
the list", that is the PERFECT argument for publishing it. You said
yourself that there was no new information to be gained from it. So
whats the problem?

I still haven't heard a convincing argument that it makes ANY
difference either way. Therefor, the fact that I am curious and want to
see it is enough reason to publish it.

Don't delude people into thinking that your safeguarding of the code
makes them more secure. It doesn't.