ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #194 [Disassembled virus?] (1 message, 2015 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Robert L. Krawitz <rlk@Think.COM>
Date: Wed 09:44:48 09/11/1988 EST
Subject: Disassembled virus?
References: [Thread Prev: 185] [Thread Next: 186] [Message Prev: 192] [Message Next: 193]
> Date: Wed, 9 Nov 88 00:40:40 EST
> From: Theodore Ts'o <firstname.lastname@example.org>
>
> No, I'm saying that there's a significant energy barrier which exists
> between "actually sitting down and writing the code" and "pulling it off
> the net and compiling it". Any twit can do the second. I'm hoping that
> people who are intelligent enough to turn algorithms into code will know
> better. The typical freshman twit won't be able to turn algorithms into
> code.

The "typical freshman twit" (remember that both of us were "typical freshman twits" not long ago) might have lots of trouble mutating "working" code in any "useful" way. Pulling the program off the net and compiling it will probably draw more attention to whoever compiled it, because people know how to trace it; figuring out a new hole might be a lot harder. And lots of high school students know how to turn algorithms into code.

> To use your analogy, a university should teach physics students how to
> make atom bombs. However, we should _not_ hand anyone a preassembled
> bomb; and that's exactly what source code to the worm/virus would be.
> (Actually, it hasn't been compiled yet :-) but you know what I mean.)

Given that a D student at Princeton figured out how to make an atom bomb, evidently people are taught enough (if not directly, then in research skill) to design one. Building it is another story altogether. Coming up with a working worm/virus from the code might not be all that easy.

> See above; the information is there, so people who want to protect
> against worms and viruses know what to do. In that case, the only thing
> the code is good for is for someone who wants to make another virus.
> What else would you do with the code? Read it? You could read the
> algorithm, and probably get a lot more out of it.

Well, if the information is there, isn't the best reference the source? Knowing how the program was designed is very useful for someone who wants to understand how people approach these so that they know how to protect their systems...

> It won't stop wizards like you and me and countless others on this list
> who could easily write a better virus/worm than the one that attacked
> us last week. The only thing that stops us is our sense of honor and
> ethics. However, I hope to stop a freshman twit who has neither the
> wizardliness nor the ethics.

If someone gets bitten twice by the same security hole, then that's their problem. Modifying the worm in a non-trivial way is probably almost as hard as writing one from scratch.

> Note that this is an argument against general publication of the source
> code. Giving the source code to trusted individuals is an entirely
> different matter.

It has different problems, however. How do you decide who is trusted? And how do you know it won't get redistributed to half the world after you give it to a few "trusted" people? It might become as good as generally published, in which case the problem is reduced to the above case. You do have the source. How does everyone else know that they can trust you, disclaimers of honor and ethics aside?

[Note that I actually have no reason to distrust Ted and the other Athena/SIPB people who disassembled it; I've known them personally for several years and have nothing but the highest trust for them; I believe that my point is nonetheless valid. The alleged perpetrator of this worm was supposedly not trying to be destructive, either; he miscalculated and it went out of control.]

harvard >>>>>>   |   Robert Krawitz <email@example.com>
bloom-beacon >   |   think!rlk
topaz >>>>>>>>   .   rlk@a.HASA.disorg
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|