The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #194 [Disassembled virus?] (1 message, 2015 bytes)


From: Robert L. Krawitz <rlk@Think.COM>
To: phage
Date: Wed 09:44:48 09/11/1988 EST
Subject: Disassembled virus?

   Date: Wed, 9 Nov 88 00:40:40 EST
   From: Theodore Ts'o <>

   No, I'm saying that there's a significant energy barrier which
   exists between "actually sitting down and writing the code" and
   "pulling it off the net and compiling it".  Any twit can do the
   second.  I'm hoping that people who are intelligent enough to turn
   algorithms into code will know better.  The typical freshman twit
   won't be able to turn algorithms into code.

The "typical freshman twit" (remember that both of us were "typical
freshman twits" not long ago) might have lots of trouble mutating a
"working" code in any "useful" way.  Pulling the program off the net
and compiling it will probably draw more attention to whomever
compiled it, because people know how to trace it; figuring out a new
hole might be a lot harder.  And lots of high school students know how
to turn algorithms into code.

   To use your analogy, a university should teach physics students how to
   make atom bombs.  However, we should _not_ hand anyone a preassembled
   bomb; and that's exactly what source code to the worm/virus would be.
   (Actually, it hasn't been compiled yet :-) but you know what I mean.)

Given that a D student at Princeton figured out how to make an atom
bomb, evidently people are taught enough (if not directly, then in
research skill) to design one.  Building it is another story
altogether.  Coming up with a working worm/virus from the code might
not be all that easy.

   See above; the information is there, so people who want to protect
   against worms and viruses know what to do.  In that case, the only
   thing the code is good for is for someone who wants to make another
   virus.  What else would you do with the code?  Read it?  You could
   read the algorithm, and probably get a lot more out of it.

Well, if the information is there, isn't the best reference the
source?  Knowing how the program was designed is very useful for
someone who wants to understand how people approach these so that they
know how to protect their systems...

   It won't stop wizards like you and me and countless others on this
   list who could easily write a better virus/worm than the one that
   attacked us last week.  The only thing that stops us is our sense
   of honor and ethics.  However, I hope to stop a freshman twit who
   has neither the wizardliness nor the ethics.

If someone gets bitten twice by the same security hole, then that's
their problem.  Modifying the worm in a non-trivial way is probably
almost as hard as writing one from scratch.

   Note that this is an argument against general publication of the
   source code.  Giving the source code to trusted individuals is an
   entirely different matter.  It has different problems, however.
   How do you decide who is trusted?  And how do you know if it won't
   get redistributed to half the world after you give it to a few
   "trusted" people?  It might become as good as generally published,
   in which case the problem is reduced to the above case.

You do have the source.  How does everyone else know that they can
trust you, disclaimers of honor and ethics aside?  [Note that I
actually have no reason to distrust Ted and the other Athena/SIPB
people who disassembled it; I've known them personally for several
years and have nothing but the highest trust for them; I believe that
my point is nonetheless valid.  The alleged perpetrator of this worm
was supposedly not trying to be destructive, either; he miscalculated
and it went out of control.]

harvard >>>>>>  |		Robert Krawitz <>
bloom-beacon >  |think!rlk
topaz >>>>>>>>  .		rlk@a.HASA.disorg