The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #185 [Re: Disassembled virus?] (1 message, 1757 bytes)


From: Theodore Ts'o <tytso@ATHENA.MIT.EDU>
To: phage
Date: Wed 00:40:40 09/11/1988 EST
Subject: Re: Disassembled virus?

   Date: Tue, 8 Nov 88 23:19:45 EST
   From: rick@seismo.CSS.GOV (Rick Adams)

   The part that really surprises me is that you think the typical grad
   student is too stupid to turn algorithms into code.  (After all, you're
   willing to publicize the algorithms...)

No, I'm saying that there's a significant energy barrier which exists
between "actually sitting down and writing the code" and "pulling it off
the net and compiling it".  Any twit can do the second.  I'm hoping that
people who are intelligent enough to turn algorithms into code will know better.
The typical freshman twit won't be able to turn algorithms into code.

   Your "parallel" is quite poor and doesn't seem at all relevant.  A
   reasonable parallel to the plutonium in your story would be an
   undiscovered security hole, NOT the code itself. (Also, I'm not
   convinced that a 5 megaton explosion in NYC would be a bad thing, but that's
   another topic). Are you worried that university physics depts are teaching
   students enough knowledge for them to make bombs? I'm not.

To use your analogy, a university should teach physics students how to
make atom bombs.  However, we should _not_ hand anyone a preassembled
bomb; and that's exactly what source code to the worm/virus would be.
(Actually, it hasn't been compiled yet :-) but you know what I mean.)

   I think you've said it all without realizing it. You say "The virus
   source code won't tell you anything that's been published on the
   list".  Presuming that you meant to type "that hasn't been published on
   the list", that is the PERFECT argument for publishing it. You said
   yourself that there was no new information to be gained from it. So
   what's the problem?

See above; the information is there, so people who want to protect
against worms and viruses know what to do.  In that case, the only thing
the code is good for is for someone who wants to make another virus.
What else would you do with the code?  Read it?  You could read the
algorithm, and probably get a lot more out of it.

Using your analogy, again, it's a lot more instructive to look at the
plans of a bomb (the algorithm) than giving the students a bomb and
asking them to look at it.  Even if you do trust the students not to set
the thing off, they would get a lot more out of the plans and

   Don't delude people into thinking that your safeguarding of the code
   makes them more secure. It doesn't.

It won't stop wizards like you and me and countless others on this list
who could easily write a better virus/worm than the one that attacked us
last week.  The only thing that stops us is our sense of honor and
ethics.  However, I hope to stop a freshman twit who has neither the
wizardliness nor the ethics.

Note that this is an argument against general publication of the source
code.  Giving the source code to trusted individuals is an entirely
different matter.  It has different problems, however.  How do you
decide who is trusted?  And how do you know if it won't get
redistributed to half the world after you give it to a few "trusted"
people?  It might become as good as generally published, in which case
the problem is reduced to the above case.

						- Ted