ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #203 [Re: Disassembled virus?] (1 message, 1175 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: rick@seismo.CSS.GOV (Rick Adams)
Date: Wed 13:22:14 09/11/1988 EST
Subject: Re: Disassembled virus?

I asked Peter Denning what his opinion of this was. I think it is right on target.

(For those who don't know Peter Denning, he is an ex-president of ACM, ex-Department Head at Purdue and has published lots of leading-edge papers on operating systems and security.)

---rick

From email@example.com Wed Nov 9 12:15:36 1988
Message-Id: <8811091715.AA22915@hydra.riacs.edu>
Date: Wed, 9 Nov 88 09:15:30 pst
From: Peter J. Denning <firstname.lastname@example.org>
To: rick@seismo.CSS.GOV
Subject: Re: publishing the internet "worm" code
Cc: email@example.com

Our policy in ACM with respect to controversial information relative to security is simple. We recognize that there is a short-term risk in publishing the details of an attack, because the defenses are not yet formed and those who would make life miserable for the majority might take advantage. We also see that there is a long-term gain in having those who want to make the networks effective and safe for all participants see where designs are weak and work to strengthen them.

Thus we will publish detailed information about attacks provided that the article reveals the design flaws and advocates changes that will overcome them.

Put another way, we don't want to glorify the attacks or make folk heroes out of the attackers. We do want to encourage the "good guys" to improve the designs so that we can achieve the goal of open information sharing in healthy networks whose immune systems protect effectively against diseases.

If you publish the virus code somewhere, I would suggest it be annotated by someone so that attention is called to the places where the design flaws are exploited. The annotator should attach some general conclusions and recommendations to system designers and operators.

Hope this helps.

Peter

cc: Peter Neumann

END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|