The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #217 [Late-breaking news] (1 message, 2121 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/217.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Gene Spafford <spaf>
To: phage
Date: Wed 20:57:16 09/11/1988 EST
Subject: Late-breaking news

How do I get into these messes?

Earlier this evening, I got a phone call from someone at the National
Computer Security Center.  It seems that there was a disassembled
version of the worm code in an ftp directory here at Purdue, and they
wanted to see if I had influence to have it removed.  I told them that
it really shouldn't make a difference, since not only could others
disassemble the code, but it also couldn't be used to recreate the worm
except with major effort.  Besides, with the C source posted to the
mailing list last night, it really didn't matter if everyone saw the
assembly or not.

15 minutes later, I got mail from people on campus indicating that the
NCSC people had called the president of the University and leaned on
him to have it removed.  He leaned on someone else, etc., and it got
removed.

15 minutes later, another call from NCSC.  They wanted confirmation
that the code was really for the worm and not the helper program.  The
guy at the other end then issued an "oh my!" exclamation and explained
that this was deep worry time for the folks at NCSC since many, many
sites do not have patches in place and may not for some time due to
lethargy by code maintainers (commercial and otherwise).  Discussion
ensued.  I did not reveal any names, but I explained that the original
posting of the source had been LAST FRIDAY at noon to a list at MIT,
and the one to our list was a simple remailing.  This further ruined
his evening, I'm afraid.

He called back a few minutes later.  The FBI has been told that
hundreds of copies of the code have potentially been distributed to
people around the country and we could face a new outbreak.  I was told
not to be surprised if the FBI visited here; the NCSC is prohibited by
law from collecting any data on US citizens, so the guy said he
wouldn't ask for names even if I was willing to give them (I'm not).
However, the FBI is not so constrained.  No law appears to have been
broken, but they are very worried nonetheless.

Okay, so where do we stand here?  Well, as far as I'm concerned, until
they establish a clear and present danger to national security,
evidence a warrant, use torture, or ply me with women, money and tenure
:-), I will not disclose the composition of the mailing list, nor the
names of the parties involved in the (re)distribution of the code.
Further, under my understanding of the Electronic Communications
Privacy Act, to disclose the list contents to anyone not on the list
alias might be a violation of Federal law (disclosing mail).  Of
course, anyone else on the list with an archive of old messages and
access to the sendmail VRFY command here may decide to turn the info
over if prompted for it. Anyone here at Purdue can dump the alias
file if they want, so my refusal to assist may not amount to much,
and I won't guarantee that I'll be too obstinate if pressed hard.

This may turn out to be nothing.  The NCSC folks will just have ulcers,
we'll get a few weeks rest, and the whole thing will blow over.  Or, it
could be that the Chaos Club (or similar) will unleash a new virus
based on a new hole and this old code.  That is not beyond the realm of
possibility.  We should establish some organization to deal with the
next crisis in case something like that happens.  Perhaps a phone tree?
:-)

On a lighter note, the NCSC guy also said they were going to lean
*very* heavily on the computer companies to provide security upgrades
in a very timely fashion.  I'm not sure exactly what that means, but
our friends at Sun, DEC, etc. should be able to tell us soon.  I
suspect it means a change in the way those companies handle software
updates, perhaps.

Last of all, a number of you violently objected to adding John Markoff
to the mailing list.  I will honor that and not add him at this time.
If you want to mail something to him through me, please feel free to
do so.

--spaf

END OF DOCUMENT