Re: a holiday gift from Robert "wormer" Morris


David Emberson (ember!dre@sun.com)
7 Nov 88 20:06:23 GMT


In article <2060@spdcc.COM>, eli@spdcc.COM (Steve Elias) writes:
> "Wormer" Morris has quite a career ahead of him, i'll bet.
> he has done us all a favor by benevolently bashing bsd 'security'.
>

I knew about this sendmail bug at least four years ago, courtesy of Matt
Bishop (now at Dartmouth). He wrote a paper detailing at least a half dozen
holes in the Unix system and methods for constructing trojan horses which was
so dangerous that he responsibly decided not to publish it, but instead to
give selected copies to people who could fix some of the problems. He also
wrote an article for the Usenix newsletter, ;login, which explained how to
write secure setuid shell scripts--a major source of security holes. Matt did
not "benevolently bash" anyone's machines. His behaviour, while unsung by
the press and the Usenet community, is an example of the highest in
professional and academic standards. This is the kind of behaviour that we should be
extolling.

It is a pity that the perpetrator of this hack, allegedly Mr. Morris, is now
hailed as a famous "expert" in computer security. No doubt he will make a
fortune after the noise dies down as a security consultant. In fact, I saw
someone quoted in this morning's Wall Street Journal as saying that the
perpetrator was someone he would love to hire! Not I! I would think that
prison would be a better place for a person who cost the government, several
universities, and many companies untold thousands of man-hours and millions of
dollars in downtime and effort spent tracking this piece of garbage down. And
it is almost certain that all the copies of the virus haven't been found.

Unfortunately, the press seems to grab hold of every stupid jerk like this and
hail him as some sort of genius. Somehow the issue of computer security evokes
images of high school kids firing off MX missiles or some other vision which
terrifies the public, and the press loves sensation more than substance. A few
years ago there was pandemonium in the press when someone told them that
terminals with programmable function keys could be trojan-horsed. Big deal!
But the media broadcast repeatedly the "revelation" that most terminals in the
world had this "bug." Now they are jumping up and down because the recent
virus made its way into Lawrence Livermore and NASA Ames--even though it didn't
make it into any classified machines. The news people are more interested in
irresponsibly stirring people into a frenzy than they are in responsible
reporting of facts.

I call upon my fellow computing professionals to promote ethical behaviour
amongst their students and colleagues and to denounce destructive misuse of
computing knowledge. I also call upon them to refuse to participate in the
glorification of people in the profession who engage in this kind of behaviour.
We must police ourselves and censure those amongst us who engage in this type
of computer crime. Much is at risk if hysterical reporters cause hysterical
law makers to place restrictions on networks, on the capability of hardware,
on access to computing facilities, or on software. Computer security costs a
great deal of money, like defense spending. I for one would rather see this
money go for better things.

                        Dave Emberson (dre@sun.com)


