CALL FOR VOTES: DID HE DO US A SERVICE OR NOT?
Paul Anderson
yes) the recent worm was a service and the fellow should
at least be left to die in peace (...if not thanked).
no) did us a great disservice and should be prosecuted to
the fullest extent of the law.
Send your votes to: {your favorite major node}!gatech!stiatl!gpb
Set the subject line to 'yes' or 'no'.
An automatic vote counter will be run to process and tabulate
entries. You will receive a return receipt indicating your
message arrival. Votes with an invalid subject line will
be returned with a message to that effect. You may only
vote once.
The ballot will be terminated on 11/15/88 (tuesday). You
will not have to wait 2 hours to vote, so do so...
The results will be posted in news.admin within a couple
of days of the end of the count.
paul
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...
--
Paul Anderson gatech!stiatl!pda (404) 841-4000
X isn't just an adventure, X is a way of life...
Peter Desnoyers
code that we had written, stand up in court with it, and prove
authorship beyond reasonable doubt? How much harder would it
be if the author was not cooperative? (i.e. plead innocent)
Peter Desnoyers
Gary Wright
>This is a call for votes on whether netters feel that:
>
>yes) the recent worm was a service and the fellow should
> at least be left to die in peace (...if not thanked).
>
>no) did us a great disservice and should be prosecuted to
> the fullest extent of the law.
>
I think you missed (at least) two other possibilities:
1) the recent worm was a service *and* the fellow should
be prosecuted to the fullest extent of the law.
2) the recent worm did us a great disservice *and* the fellow should
at least be left to die in peace.
Other possibilities depend on the level of service you think was provided
by the worm, what kind of damage was caused by the worm, and the punishment
that should result.
Personally, I think that it was good that these security flaws were
pointed out, but that is no excuse for the time and money that was
wasted. Others have said that there were better ways to go about
publicizing the security flaws, I agree.
I also wonder what the real intentions were. According to reports I have
read, the worm was not supposed to be detected. Ok, so he successfully,
quietly, penetrates 6,000 computers. Then what? What would have been
his next experiment? Even if he had no malicious intent, who is to say
that his next experiment would not have had a more serious, damaging flaw?
--
Gary Wright ...!uunet!hsi!wright
Health Systems International wri...@hsi.uu.net
Charles Marslett
:: In article <13...@stiatl.UUCP> p...@stiatl.UUCP (Paul Anderson) writes:
:: >This is a call for votes on whether netters feel that:
:: >
:: >yes) the recent worm was a service and the fellow should
:: > at least be left to die in peace (...if not thanked).
:: >
:: >no) did us a great disservice and should be prosecuted to
:: > the fullest extent of the law.
:: I think you missed (at least) two other possibilities:
::
:: 1) the recent worm was a service *and* the fellow should
:: be prosecuted to the fullest extent of the law.
::
:: 2) the recent worm did us a great disservice *and* the fellow should
:: at least be left to die in peace.
:: Personally, I think that it was good that these security flaws were
:: pointed out, but that is no excuse for the time and money that was
:: wasted. Others have said that there were better ways to go about
:: publicizing the security flaws, I agree.
On the other hand, I have yet to see a "better" way -- all the ones that
have been posted have probably already passed under the bridge and we
all know the "hole" was not plugged. My only reservation is that the
only really effective way to publicize a security flaw is to do real damage
(as someone on the net put it: wrap the car around a tree, and the next
time I'll remember to lock it!). So he did no real service? (lock 'em
up (:-)!)
:: --
:: Gary Wright ...!uunet!hsi!wright
:: Health Systems International wri...@hsi.uu.net
Charles Marslett
STB Systems, Inc. <-- apply all standard disclaimers
ch...@killer.dallas.tx.us
Barry Margolin
>In article <2...@hsi86.hsi.UUCP>, wri...@hsi.UUCP (Gary Wright) writes:
>:: wasted. Others have said that there were better ways to go about
>:: publicizing the security flaws, I agree.
>On the other hand, I have yet to see a "better" way -- all the ones that
>have been posted have probably already passed under the bridge and we
>all know the "hole" was not plugged.
Assuming you are correct that there is no better way, that does not
absolve him. If I ignore all the reminders about using car seat
belts, should someone intentionally crash into me to prove to me that
I'm endangering myself? An even better analogy would be to car
manufacturers producing cars with inferior seat belts; should someone
crash into a bunch of them so that the manufacturer will recall them
and fix them? We can certainly hope that such behavior would result
in safer cars in the future, but is that justification enough for the
damage that is done in the process of making the point?
One of the problem with all these discussions is that many assumptions
are being made about the perpetrator's intent, yet he has made no
public statement about it yet (as far as I know). We don't know that
his purpose was to "publicize the security flaws." In fact, the only
statement I've heard that is attributed to him is that the worm
propogated faster than he expected, from which I infer that if it had
been working as he planned it might have gone unnoticed because it
wouldn't have eaten up so much CPU time. If the purpose were for the
worm to be undetected, it wouldn't really publicize the flaws, would
it? To stretch the automobile analogy to its breaking point, this
would be like someone going around, breaking into people's cars, and
untuning their engines so that they get slightly lower mileage; few
people would notice, and those who were would probably assume they
were an isolated case, not part of a large conspiracy.
Barry Margolin
Thinking Machines Corp.
bar...@think.com
{uunet,harvard}!think!barmar
Mark Davis
All of you who claim that Morris did us a service are overlooking an
important point: you can't plug all of the insecurities.
A security hole is simply a bug in the security system. Any casual
student of software engineering knows that removing all bugs in a
large, complex system is impossible (See "Mythical Man Month" by Fred
Brooks for data.) By the way, would any UNIX/Internet wizard care to
extimate how many security holes have already been plugged? Therefore,
security holes will be with us as long as we have an internet that is
useful. Bright people will always be able to find those unfixed bugs.
The worst thing is closing the security problems will result in a less
usable system or worse, new bugs that break the existing applications.
So what has Morris done for us? He has wasted a large amount of money
(programmer time and computer resources). He has gained notoriety,
thereby encouraging thousands of ethically lacking people with similar
skills to one-up him by making a bigger splash. As I said above, the
bigger splash will always be possible as long as there is an internet.
No thank you Mr. Morris. You have not helped and you will hurt us
a lot. You go on my list of people to never (1) hire or (2) buy or
recommend their products.
- Mark (da...@cs.unc.edu or decvax!mcnc!davis)
Rostyk Lewyckyj
Let's review a couple of items
1. His father is a highly placed computer security expert.
2. There is a reasonably large published literature on viruses,
and other means of penetrating computer security.
3. Most if not all computer (black thumb) penetrators get hired
as security consultants.
4. His worm is noticed because it lacks a timer to slow its activity
to below the notice threshold.
5. He does not try it on an isolated system of machines.
And more pertinently how does it get out if it is not intentionally
set loose?
6. As a graduate student he does need to think of a future job.
No I don't for a moment think that Mr. Morris junior had any evil
intents to harm any system. He may even have done the UNIX world
a favor. Though perhaps it would be better to have let the sleeping
dog lie, rather than perhaps have it wake other dogs that may be
more vicious.
However I need to be convinced that this was an experiment that
got out of hand by accident. Perhaps he should not be punished as
a criminal. But I think that he should pay some monitary fine and
be legally enjoined from accepting a computer security related
position for a period of say ten years. In some sense a parole.
-----------------------------------------------
Reply-To: Rostyslaw Jarema Lewyckyj
urj...@ecsvax.UUCP , urj...@tucc.bitnet
or urj...@tucc.tucc.edu (ARPA,SURA,NSF etc. internet)
tel. (919)-962-9107
NetNews
Path: arthur!daryl
When I was young(er), I too wished to streach my horizons to the limit, and
since at the time the conditions were right, (little to no scocial interaction,
VERY intelegent (;-}), and a very hyperactive sence of curiosity), life
ordained me to be a 'hacker' (IE: definiton 1: Person who uses intimate
knowledge of ether the system, programming enviroment, or both in developing
programs supposedly beyond that systems's capability.)
It was cool, I had fun, nobody harmed me, and I made a lot of people happy.
Then I got hurt.
A person to whom I trusted used some of the things I taught him to do some
VERY bad things.
THIS WAS NOT COOL. MANY PEOPLE GOT HARMED. ESPECIALY ME.
Leaving out some very sorrid details, I got to see what harm a little
'harmless' exploring can do. Now I work as a consulting P/A, specialising
in system security and mathmatical modeling ( also trying to break the world's
record for most nights of sleeplessness ;-}).
Bottom line: If this person would have posted an alert to the net with a sample
program, THAT would have been a very valuable service.
This person did harm.
He should be made to understand this. Jail will not teach this lesson. Having
him see some of the mess that he caused will.
(all opinions and spelling mistakes are mine, Flame On.)
^
<{[-]}>-----------------------------------------------------------------------
V Daryl McLaurine, Programmer/Analyst (Consultant)
| Contact:
| Home: 1-312-955-2803 (Voice M-F 7pm/1am)
| Office: Omegan Consultants (Use Home Number 9am-4pm)
| -or-
| University of Chicago Mathematics Dept.
| daryl@zaphod or neuro.UChicago.edu
==\*/=========================================================================
John Woods
> An even better analogy would be to car
> manufacturers producing cars with inferior seat belts; should someone
> crash into a bunch of them so that the manufacturer will recall them
> and fix them?
A very interesting analogy indeed! What does it usually take to get a
manufacturer to fix an inferior design? A calm, reasoned statement something
like "Hey, these seat belts have a tensile strength so low that they would
typically snap at 20 MPH?" Fat chance. Usually it takes pages and pages of
accident reports of people killed and maimed by the defect, plus enough
publicity that the auto manufacturer cannot just ignore the problem.
RISKS DIGEST just now mentioned that PGN incidentally discovered one Internet
site that still hasn't close the SMTP door. Weemba was right. Monthly worm
drills sound like a REAL good idea...
--
John Woods, Charles River Data Systems, Framingham MA, (617) 626-1101
...!decvax!frog!john, jo...@frog.UUCP, ...!mit-eddie!jfw, j...@eddie.mit.edu
Science does not remove the TERROR of the Gods!
William E. Davidsen Jr
| Bottom line: If this person would have posted an alert to the net with a sample
| program, THAT would have been a very valuable service.
I disagree. Posting a "how to" program would have allowed many people
to play with virus programs even though they were not able to figure out
the hole themsleves. Without an actual problem probably 10% of the
admins would take the time to fix it, and the rest would say "I'll fix
it if there's a real problem," and "I can't run without debug, I could
get my .cf to work." We have a person here who felt that Sun was better
than Ultrix because Ultrix had debug off.
The only way to get get people to do something is to kick them. Hard.
I am not claiming that this justifies kicking people, not am I defending
the use of the worm (I would feel fine about a long prison sentence for
things like that, having been burned by a hacker before). But I do agree
that what was done had a high ratio of good result to consequences.
Someone used the analogy of stealing a car to teach people not to
leave their keys. I think that what happened recently is more like
locking the door and leaving the car sitting with the keys inside. It
was a major embarassment and inconvenience, but didn't have the long
term effect that wiping files would have.
that
--
bill davidsen (we...@ge-crd.arpa)
{uunet | philabs}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
gil...@p.cs.uiuc.edu
I believe we should string Robert Morris up by his thumbnails.
Why? Consider this. Ten years from now, a graduate student in
biology decides to make a *REAL* virus. He says, "geez, why hasn't
the NIH innoculated the general population against this virus?
Obviously, any strain of X, Y, or Z could mutate into this virus at
any time, causing lots of harm!" So secretly, he builds the virus.
He intends to show off a weakend form of the virus, to get people to
do something. But before he finishes it, he makes a serious mistake,
and the virus escapes in mutant form. Millions of deaths follow.
What would you do to this person? How can you (ethically)
differentiate between this graduate student and Robert Morris?
We are so lucky that digital systems don't die from software bugs
(usually).
Don Gillies, Dept. of Computer Science, University of Illinois
1304 W. Springfield, Urbana, Ill 61801
ARPA: gil...@cs.uiuc.edu UUCP: {uunet,harvard}!uiucdcs!gillies
Jonathan I. Kamens
>
>Why? Consider this. Ten years from now, a graduate student in
>biology decides to make a *REAL* virus. He says, "geez, why hasn't
>the NIH innoculated the general population against this virus?
>Obviously, any strain of X, Y, or Z could mutate into this virus at
>any time, causing lots of harm!" So secretly, he builds the virus.
>He intends to show off a weakend form of the virus, to get people to
>do something. But before he finishes it, he makes a serious mistake,
>and the virus escapes in mutant form. Millions of deaths follow.
>
>What would you do to this person? How can you (ethically)
>differentiate between this graduate student and Robert Morris?
Your analogy has so many flaws, and is so ridiculous in general, that
I don't know where to begin the list. Might as well just jump right
in with the most obvious one:
1. COMPUTERS ARE NOT PEOPLE. A computer "virus" (actually, what
Morris wrote was a worm) does not kill people. It is a crime in
every country in the world (as far as I know) to kill people, while
the laws about "killing computers" are much less clear-cut.
Attacking the general populace is quite different from attacking a
computer network.
2. Morris' worm did no permanent damage, nor was it meant to. Your
analogy compares that to a virus that kills millions of people.
Ridiculous.
3. Taking advantage of bugs in computer software is just a bit
different from developing virus strains that can kill millions of
people. Do you really think that the probabilities of the two
events you compared taking place are of similar magnitudes? I
don't think so at all. I'm a sophomore undergraduate, and I'd say
that *I* could probably write some really damaging code if I wanted
to; on the other hand, I doubt that there are many sophomore
biology students that can build a virus strain that can kill
millions.
4. While it is (theoretically) possible to find all of the security
bugs in Unix and fix them (Don't flame me on this, I know it isn't
possible in practice, but the supposition I am making is that since
the amount of code involved is finite, the number of security holes
is finite.), it is certainly not possible to find every possible
virus strain and inoculate (notice the spelling) every human being
on the planet against all of those strains. Therefore, it is
unreasonable for the biology grad student to say, "People should be
inoculated against this virus so I should prove it by releasing
it!" while it *is* reasonable to ask why several known bugs in Unix
software were not fixed.
5. The National Institute of Health pays a lot more attention to
people who claim that they've discovered a new, dangerous virus
than the Internet system administrators (apparently) payed to the
discoverers of the sendmail hole and the fingerd bug. If this grad
student were to call up the NIH and say, "I've discovered a virus
that can easily mutate from a common strain but that can cause
massive sickness in the population," I suspect they'd listen and
act. This was obviously not the case with sendmail and fingerd.
6. You ask how we can "ethically" differentiate between the biology
student and Morris. I ask *you*, how can you ethically *compare*
them? I refuse to acknowledge even for a moment that slowing down
or even destroying data (which Morris' worm did not do) on a few
computers is in any way related to releasing a deadly virus into
the atmosphere. The two are simply not comparable, and should not
be compared, when discussing moral issues.
7. Morris' alleged purpose in creating the worm was not to do any
damage, or even to alert people to the security holes he exploited,
but rather simply prove that it could be done. His worm was simply
supposed to live, while remaining undiscovered. The same cannot be
said for the student's virus presented in your scenario -- he
intended to get people sick, even if only a minor sickness.
Well, I think I hit upon the major ones. Anybody have anything to
add?
DISCLAIMER: All references to Morris in the text above refer to acts
he is alleged to have committed, although it may not in fact be
proven (or true) that he did, in fact, commit them. All knowledge
of his actions presented in this article were gained through
publicly accessible sources such as newspaper articles and Usenet
postings. Furthermore, although I stated that I might have the
ability to write damaging computer code, I have not done so and
would not do so.
(Now *that's* a disclaimer)
Jonathan Kamens
MIT '91
Obnoxious Math Grad Student
>>I believe we should string Robert Morris up by his thumbnails.
>>Why? Consider this. Ten years from now, a graduate student in
>>biology decides to make a *REAL* virus. He says, "geez, why hasn't
>>the NIH innoculated the general population against this virus?
>>Obviously, any strain of X, Y, or Z could mutate into this virus at
>>any time, causing lots of harm!" So secretly, he builds the virus.
>>He intends to show off a weakend form of the virus, to get people to
>>do something. But before he finishes it, he makes a serious mistake,
>>and the virus escapes in mutant form. Millions of deaths follow.
>>What would you do to this person? How can you (ethically)
>>differentiate between this graduate student and Robert Morris?
>Your analogy has so many flaws, and is so ridiculous in general, that
>I don't know where to begin the list. Might as well just jump right
>in with the most obvious one:
>[multiple explanations of the bogosities present omitted]
I have had widespread success in introducing "Maroney Award winning" as
an adjectival phrase for describing extremely stupid USENET postings, and
"Maroney" itself as a noun meaning "very stupid USENETter". It has just
occurred to me that we have another eponymogenetic opportunity here, one
that can even be approached scientifically!
I propose that "gilly" be introduced as a unit of measure for analogical
bogosity. Don Gillies' posting, which I've saved a copy of, shall serve
the same purpose for this that the master kilogram kept in France does
for measuring mass. Any posting equal in its analogical bogosity to
Don's posting will be deemed to have one gilly of bogosity. For most
purposes, this unit is too large. The milligilly = .001 gillies shall
serve more typical outrageous analogies, the microgilly = .000001 gillies
shall serve mildly outrageous analogies, and the nanogilly = .000000001
gillies shall serve for more normal analogies.
For example, if someone compares killing thousands of humans with the
crashing of thousands of machines, that analogy would be deemed to have
one milligilly of bogosity. Those who analogized RTM's deed with the
killing of a few persons (eg, those who wondered why my officemates and
I don't where bullet proof vests) are deemed to have committed merely
one microgilly of bogosity. And those who carry the analogy down to
even more humdrum levels, like someone sleeping in your car that you
left unlocked, are now deemed to have commited a whopping nanogilly of
a bogus analogy--ie, hardly bogus at all.
Larger units of comparison are possible. For example, someone who com-
pared the crashing of a few machines with the killing of millions would
be at the kilogilly level of bogosity. More recently, we have seen people
compare telling Jewish jokes with the Holocaust. This is at the megagilly
or more likely gigagilly level of bogosity.
It will be difficult to calibrate the gilly scale at all magnitudes, but
with your efforts I think it can be done. Go to it, people. When you see
a bogus analogy made anywhere on USENET, compare it with the above quoted
">>" posting of Don Gillies, and let us know just how many gillies worth
of bogosity are present.
I thank you. Don Gillies will thank you. USENET will thank you.
ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720
John DeArmond
Gawd!!!! This is getting out of control. I'm usually highly resistant
to name calling but damned if this is not the stupidest thing I've ever
heard. Are you really so weak between the ears that you cannot distinguish
the difference between filling some memory with extraneous bits and mass
murder? Does you school allow students to get anywhere near a recombinant
DNA lab without some qualification and control? God, I hope not.
That'd be like allowing just any old student
to walk into the nuclear engineering lab and pull rods on the reactor.
And do you really think any degree of punishment of Morris would have
even an iota of effect on anyone so sick as to try your form of mass murder?
lets face it.. About the worst thing Morris could have done if he'd been
of a mind would have been to clean off every file system on the Arpanet.
Big Deal!!! Sure, it would piss me off and I'd waste a bunch of time and
perhaps loose some irreplacable data but outside of my maybe beating my
head against the wall, no one would have suffered any real injury.
And if you are foolish enough to have ANY vital function computer on the
Arpanet or any other public net, then you pretty much deserve what you
get.
In reality, Morris wasted a few hours of each of a few dozen to perhaps
a hundred people. *WOW* If that's so bad, then I would have to ask
the rhetorical question: How many thousand man-hours are wasted on Net-
news each day? (waste = (total hours) - (hours getting something useful))
I'd think the Morris worm would pale by comparison.
anyway, back to wasting time....
John De Armond
Peter Desnoyers
>Why? Consider this. Ten years from now, a graduate student in
>biology decides to make a *REAL* virus. [...] Millions of deaths
>follow.
>
>What would you do to this person? How can you (ethically)
>differentiate between this graduate student and Robert Morris?
Trivially. Count the number of human deaths. 0 vs. millions. Count the
number of potential, forseeable deaths. 0 vs. millions. If Morris had
destroyed (shot, blown up, whatever) each of those thousands of
computers - none of which were performing life-critical functions - he
still would not be guilty of a single attempted or successful murder.
Peter Desnoyers
Scott Duncan
>
>In reality, Morris wasted a few hours of each of a few dozen to perhaps
>a hundred people. *WOW* If that's so bad, then I would have to ask
>the rhetorical question: How many thousand man-hours are wasted on Net-
>news each day? (waste = (total hours) - (hours getting something useful))
>I'd think the Morris worm would pale by comparison.
My understanding of what I've heard about the scope and effect of this
problem suggests that many more than "a few dozen to perhaps a hundred
people" were involved. This impact on system performance seems to have
been such that many users of the affected systems experienced noticeable
loss or degradation of system performance. There was also the time needed
by some installations, I gather from trying to interpret what I read here,
to bring their systems back up and reinstall some software and files. I
cannot judge myself what the actual effect may have been in specific cases,
but it certainly sounds like more than a few people were affected.
------------
speaking only for myself, of course, I am:
Scott P. Duncan (dun...@ctt.bellcore.com OR ...!bellcore!ctt!duncan)
Frans van Otten
>biology decides to make a *REAL* virus. He says, "geez, why hasn't
>the NIH innoculated the general population against this virus?
>Millions of deaths follow.
The biology-student above found a 'bug' in the human body. He wants to
warn the world, doing this the same way Mr. Morris warned us. That's all
they have in common. Mr. Morris merely showed the bugs by creating a
essential harmless worm. In contrast, the biology-student didn't just
show the bugs, but in the same act he caused the deaths he wanted to warn
for.
>How can you (ethically)
>differentiate between this graduate student and Robert Morris?
Easy.
--
Frans van Otten
Algemene Hogeschool Amsterdam
Technische en Maritieme Faculteit
fra...@htsa.uucp
Robert J Frey
>
>In reality, Morris wasted a few hours of each of a few dozen to perhaps
Now, I don't favor stringing up Morris by his thumbs, neither do I believe
one can realistically equate the release of the Internet worm with the
release of a potentially deadly biological agent; however, I can't join
the camp of the Morris apologists either. First of all, if I fail to lock
my front door and am burgled, that may very well mean I'm careless, but it
doesn't mean the burgler is any less guilty of a crime. And I certainly
wouldn't pat the burgler on the back for letting me know how important locked
doors are! Even if there are some positive results which are incidental to
the worm attack, they in no way whatsoever serve to mitigate Morris's guilt
or limit his liability for any damages.
As far as the true cost of the worm, I think you grossly underestimate the
damages, both actual and potential. Here your comments about the amount
of time wasted on the net anyway are totally irrelevant. I am entitled to
waste my own time. YOU are not entitled to do it for me. Nor is the fact
that lots of other people are doing bad things serve as a defence for me
to do them too. Also, I think you don't understand that computers are a
mature technology that's used to real work in our society. I don't know
what all of the 6,000 systems disrupted were doing, and I don't think
you do either, but the consequential damages from such a disruption are
potentially enormous.
The actual damages were not a few hundred hours, it was more like tens of
thousands of hours. Not to mention the emotional turmoil and stress.
What "should" happen to Morris? I think he should be prosecuted, though
we should duly note that he wasn't deliberately trying to hurt anyone. He
should also be held liable for the damages both direct and consequential
that his handiwork caused. I also believe that should his assets prove
to be insufficient to cover those claims Cornell should be liable to the
extent that their own negligence contributed to those damages.
==============================================================================
|Dr. Robert J. Frey | {icus, spl1, dasys1}!acsm!kepler1!rjfrey |
|Kepler Financial Management, Ltd.|------------------------------------------|
|100 North Country Rd., Bldg. B | The views expressed are wholly my own and|
|Setauket, NY 11766 | and do not reflect those of the Indepen- |
|(516) 689-6300 x.16 | dent Republic of Latvia. |
==============================================================================
Doug Moore
>What "should" happen to Morris? I think he should be prosecuted, though
>we should duly note that he wasn't deliberately trying to hurt anyone. He
>should also be held liable for the damages both direct and consequential
>that his handiwork caused. I also believe that should his assets prove
>to be insufficient to cover those claims Cornell should be liable to the
>extent that their own negligence contributed to those damages.
I don't know Morris. Morris is not a friend of mine. And I am no Robert
Morris. Most students here are not prone to the kind of irresponsible
behavior that caused this brouhaha.
When you accuse Cornell of negligence in this matter, you are patently unfair
in at least 3 ways. First, and most selfishly, you threaten me. I don't want
to fill out weekly forms detailing what use I have made of Cornell computers
in the last 7 days. And I can't think of anything Cornell could have done to
prevent this, short of instituting just this kind of totalitarian, bureaucratic
chaos. Second, institutional blame must fall at least as heavily on other
institutions that Morris used to propagate his worm. While he was physically
at Cornell, he actually started the worm at MIT. He had it send messages to
Berkeley. I daresay he still has some accounts at Harvard. Are some or all of
these institutions also financially liable for damages? Finally, what of those
who knew of these security holes and did nothing? Do they not share some
responsibility?
Believe it or not, Cornell has been victimized as much or more than any
institution by this event. Blaming Cornell or MIT or AT&T for negligence is
fine, but that negligence was more widely distributed than that. Cornell's
only negligence was in providing an environment in which people are treated
as mature and responsible members of the community. I hope that Cornell and
other institutions remain negligent in this sense, despite the fact that people
are occasionally irresponsible, and despite whatever legal threats may be made
against them.
The only entity responsible, the only one that should be punished, is Robert
T. Morris, Jr. And with members of Cornell's board of governors calling for
his head, I don't think his association with Cornell will last much longer.
From the world's most famous computer science department,
Doug Moore (mo...@svax.cs.cornell.edu)
Julian Cowley
>When I was young(er), I too wished to streach my horizons to the limit, and
>since at the time the conditions were right, (little to no scocial interaction,
>VERY intelegent (;-}), and a very hyperactive sence of curiosity), life
>ordained me to be a 'hacker' (IE: definiton 1: Person who uses intimate
>knowledge of ether the system, programming enviroment, or both in developing
>THIS WAS NOT COOL. MANY PEOPLE GOT HARMED. ESPECIALY ME.
I sympathize with you completely. I, too, at a tender age, had the same
conditions before me and I fell into the same pitfall of finding out how
far the system could be pushed. Our actions were eventually discovered
by the system administrators, and we were punished by removing our
access to the system. Was their action "just" enough? I am not sure,
since some of us were allowed back onto the same system within a month's
time. How can there be any social lessons to be learned from such
behavior? I can understand why Morris would be enthused about "teaching"
people about their security problems, but is that behavior entirely
social? I think not.
>Bottom line: If this person would have posted an alert to the net with a sample
>program, THAT would have been a very valuable service.
I agree with you. His methods, although they may have been legitimately
positive, were not scientific. If he were a minor, that may be
understandable. But a grad student? He should have realized his actions
were bordering on the destructive side. He could have accomplished much
more by isolating a set of machines and publishing the results in a
computer security journal. He would have discovered his "bug" at
least.
>This person did harm.
Yes, he did. The implications of his actions are new to us, and
therefore it is understandable that we are having a hard time dealing
with them. I hate to admit it, but I think that if he is not dealt with
in a just manner, then it will encourage other "hackers" to repeat the
same mistake. They must understand that there are more factors at stake
than just the security of the net. Any person who releases a worm,
virus, what have you upon the net is digging their own grave, because so
far the ethics of computer hacking have encouraged us to share (in a
scientific manner) our results to others. With such viruses abound,
there can be no such sharing.
>He should be made to understand this. Jail will not teach this lesson. Having
>him see some of the mess that he caused will.
True. I don't think he realized how grave a mistake he was making at
the time he was comtemplating releasing his program upon the net. Jail
would have no affect in any way upon his understanding of this. Sadly,
the kind of punishment we have nowadays (jails) is the kind which does
not intend to teach the person why he is being punished. This applies
to more than just Morris: there are more than one kinds of crime.
><{[-]}>-----------------------------------------------------------------------
> V Daryl McLaurine, Programmer/Analyst (Consultant)
> | Contact:
> | Home: 1-312-955-2803 (Voice M-F 7pm/1am)
> | Office: Omegan Consultants (Use Home Number 9am-4pm)
> | -or-
> | University of Chicago Mathematics Dept.
> | daryl@zaphod or neuro.UChicago.edu
>==\*/=========================================================================
jul...@uhccux.uhcc.hawaii.edu
uunet!ucsd!nosc!uhccux!julian
jul...@uhccux.bitnet
"People who aren't amused don't talk."
Michael Levin
>
>>He should be made to understand this. Jail will not teach this lesson. Having
>>him see some of the mess that he caused will.
>
>True. I don't think he realized how grave a mistake he was making at
>the time he was comtemplating releasing his program upon the net. Jail
>would have no affect in any way upon his understanding of this. Sadly,
>the kind of punishment we have nowadays (jails) is the kind which does
>not intend to teach the person why he is being punished. This applies
>to more than just Morris: there are more than one kinds of crime.
I don't think that if Morris is jailed, it will be to teach HIM a
lesson- it will be to scare off other people. That probably would do *some*
good, as some people respond well to intimidation. On the other hand, some
personalities simply take that as a challenge. I don't think, however, that
the press' hyping this talk of 'computer virus' is very healthy.
Man (especially males) is desirous of playing God (no, I'm not
turning this into a religious discussion, just a human one). By creating
'life' in a machine (i.e., a computer that can 'catch' a 'virus' must be
alive, right) man is playing God. This is a bunch of crap. Today's
computers are just machines, and to attribute all of these theatrical
human characteristics to them is foolish. A computer 'virus' is simply a
program which exploits certain bugs in the system. THAT's ALL! ! !
Why don't we simply think of this incident in it's correct light-
our systems are vulnerable to exploitation by others because of certain
inherent defects in them. Much in the same way as my car leaves me
vulnerable to some yahoo smashing into me on the road. Big deal.
Mike Levin
--
+----+ P L E A S E R E S P O N D T O: +------+-*-*-*-*-*-*-*-*
| Mike Levin, Silent Radio HeadQuarters, Los Angeles (srhqla) | No room for a *
| Path:{aeras|csun|pacbell|pyramid|telebit}!srhqla!levin |'snappy remark'*
+-------------------------------------------------------------+-*-*-*-*-*-*-*-*
Dave Caswell
.>that his handiwork caused. I also believe that should his assets prove
.>to be insufficient to cover those claims Cornell should be liable to the
.>extent that their own negligence contributed to those damages.
.
.
.When you accuse Cornell of negligence in this matter, you are patently unfair
.in at least 3 ways. First, and most selfishly, you threaten me. I don't want
Doug, learn what the words "to the extent" mean, and cut the bull about
being threatened.
--
Dave Caswell
Greenwich Capital Markets uunet!philabs!gcm!dc
Jim Budler
| In article <22...@cornell.UUCP> mo...@svax.cs.cornell.edu (Doug Moore) writes:
|
| .>to be insufficient to cover those claims Cornell should be liable to the
| .>extent that their own negligence contributed to those damages.
| .in at least 3 ways. First, and most selfishly, you threaten me. I don't want
|
| Doug, learn what the words "to the extent" mean, and cut the bull about
| being threatened.
|
| --
| Dave Caswell
Uhm, Dave, I think you should review the 'deep pockets' laws, before you say
this.
Many states have 'deep pockets laws' which result in any liability, even
1%, under the law being 100% liable.
In the RTM/Cornell case, if tried in California, any amount rewarded, would
be paid by the combination of RTM and Cornell. After RTM put up his $10,
the balance of the penalty would be paid by Cornell, even if the jury
judged Cornell only 1% responsible. And don't quote the recent California
deep pockets limiting initiative. That only limited the non-economic,
i.e. 'pain and suffering', awards.
So unfortunately, in the context you meant 'to the extent', it may be
a legally meaningless term.
jim
--
Jim Budler address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: j...@eda.com
#define disclaimer "I do not speak for my employer"
#define truth "I speak for myself"
#define result "variable"
Robert J Frey
>
>Many states have 'deep pockets laws' which result in any liability, even
>1%, under the law being 100% liable.
>
>In the RTM/Cornell case, if tried in California, any amount rewarded, would
>be paid by the combination of RTM and Cornell. After RTM put up his $10,
>the balance of the penalty would be paid by Cornell, even if the jury
>judged Cornell only 1% responsible.
>
My original comments about Cornell _possibly_ being liable were simply
about that, to the extent that Cornell was liable it must be held accountable.
One may or may not agree with the "deep pockets" laws, but they are a fact
of life. I own a restaurant and am quite familiar with their application
vis-a-vis DWI-related accidents, etc. My reaction to someone who feels my
original comments were unfair or threatening is that, first, I didn't intend
them to seem so in any personal way, but, second, educational institutions
are no different that a lot of other organizations in that they must be
held responsible for some of the acts of their constituent members.
People in universities have to understand that computers are a mature
technology. We don't "do interesting things" on our computers; we use them
to run our business. Grown-ups take responsibility for what they do. It's
not always comforting and it often feels "threatening", but the choice is
to hide under a rock and do nothing at all.
Frank A. Ward
Internet Worm. I do not know if this story is true, but it seems that
it could be.
My friend went to dinner with a group, one of whom claimed to know the
true author of the Worm, and it was not Morris! He said that the NSA
did not want the true identity to be known so they needed someone to
take the rap. Morris's father was involved since he is a top computer
security expert. When Morris (Jr.) learned about the case he said,
"I'll take the rap." And he did. There was an understanding that any
legal problems for Morris would be quietly defused.
As supporting evidence: The Worm attempted to report its progress to a
particular machine at berkeley.edu. This was reported as deliberate
mis-direction on the part of Morris.
Does anyone have any conclusive evidence that Morris is or is not the
true author of the Worm?
F. Ward || And the student asked, "Master, why can you not simply
---------+| tell me the answer? Why must learning be so difficult?"
disclaimer| And the master said, "Why do you ask me these questions?"