The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #203 [Re: Disassembled virus?] (1 message, 1175 bytes)
NOTICE: recognises the rights of all third-party works.


From: [email protected] (Rick Adams)
To: phage
Date: Wed 13:22:14 09/11/1988 EST
Subject: Re: Disassembled virus?

I asked Peter Denning what his opinion of this was. I think it
is right on target. (For those who don't know Peter Denning, he
is an ex-president of ACM, ex-Department Head at Purdue and has
published lots of leading-edge papers on operating systems and security.)


From [email protected] Wed Nov  9 12:15:36 1988
Message-Id: <[email protected]>
Date: Wed, 9 Nov 88 09:15:30 pst
From: Peter J. Denning <[email protected]>
To: [email protected]
Subject: Re:  publishing the internet "worm" code
Cc: [email protected]

Our policy in ACM with respect to controversial information relative
to security is simple.  We recognize that there is a short term
risk in publishing the details of an attack, because the defenses
are not yet formed and those who would make life miserable for the
majority might take advantage.  We also see that there is a long
term gain in having those who want to make the networks
effective and safe for all participants see where designs are
weak and work to strengthen them.  Thus we will publish detailed
information about attacks provided that the article reveals
the design flaws and advocates changes that will overcome them.
Put another way, we don't want to glorify the attacks or make
folk heroes out of the attackers.  We do want to encourage the
"good guys" to improve the designs so that we can achieve the
goal of open information sharing in healthy networks whose
immune systems protect effectively against diseases.

If you publish the virus code somewhere, I would suggest it
be annotated by someone so that attention is called to the
places where the design flaws are exploited.  The annotator
should attach some general conclusions and recommendations
to system designers and operators.

Hope this helps.
cc: Peter Neumann