The Internet Virus--A Commentary

Rick Rodgers rodgers at cca.ucsf.edu
Tue Nov 8 14:32:35 AEST 1988


The New York Times has claimed that Robert Morris, Jr., a graduate student
in computer science at Cornell, was the author of the rogue program which
wreaked havoc on the Internet last week.  Not having seen a direct confession
from Mr. Morris, I think it appropriate to give him the benefit of doubt, and
not assume him guilty at present.  Therefore, in the remarks which follow I
prefer to use the word "culprit." Quite aside from the guilt or innocence of
Mr. Morris, the picture painted by the NYT raises serious ethical issues;
let us assume for a moment that the culprit is in every way as Mr. Morris is
described in the NYT stories.  The culprit, then, is a bright and technically
oriented young person who is socially reticent, and who perpetrated this act
out of boredom, having convinced himself that he intended no great mischief.
I leave aside interpretation of motives on the basis of the behavior of the
virus itself (the use of encryption/decryption, the fact that it did not seem
to be designed to destroy or corrupt files, etc.).  These questions arise:

1) The virus was reportedly intended as an "innocent" attempt to produce a
program which would propagate itself across machines on the network, leaving
a single copy per affected machine.  On what basis did the culprit decide that
the Arpanet was an appropriate location to carry out private experiments in
computer security; in what way can the insertion of ANY program in the machine
of someone else, without their consent, be considered "innocent?"

2) Given the frequency of programming errors in untested programs, how would
a technically experienced person assume that a program of this complexity would
work as designed the first time?  This is an act of considerable hubris.

3) If the culprit "quickly recognized that things had gone wrong," why did he
not IMMEDIATELY call local management authorities and inform them of the
problem, rather than delegating this to a friend, who then allegedly posted
instructions in an obscure place?  The first act represents a failure to
take responsibility for one's own actions, and the second a severe lapse in
judgment.

Looking forward rather than behind, there are two issues requiring our
attention, and in both instances it is vitally important that we avoid resort
to extremes.  The first is appropriate retribution for the culprit.  At one
extreme lies the argument that this individual is a hero who has done the
network community an enormous favor.  This camp would argue that the
unethical acts described above are outweighed by the benefits of closing the
security holes exposed by this particular virus.  Aside from the omniscience
which would be required to estimate the gains, this is a particularly
pernicious form of reasoning which leaves the network open to any tinkerer
who believes he has a demonstration
of a security bug.  Moreover, there are alternative ways to bring such
knowledge to light in a constructive manner; after LOCAL tests, such a system
could be demonstrated to responsible colleagues, ARPAnet administrators, or
software engineers in companies affected by the bugs found.  One
can even envisage a network-wide test in which a thoroughly pre-tested and
truly benign virus is intentionally released, after prior announcement
(and with some sort of mechanism for consensual participation), with
software in place to monitor its (transient) dissemination and demise,
for the purpose of studying the behavior of the network.  The mode of
introduction of the actual virus had none of these earmarks of a serious
investigation, but does leave the perpetrator open to charges of exploitation
and exhibitionism.

The calculable loss in man-hours and computing-hours is considerable, as
revealed by a simple back-of-the-envelope computation designed to err on the
side of being too small.  Approximately 6,000 processors
were affected.  Let us assume (conservatively) that there was one person
affected for every five machines, and that 12 hours were devoted to handling
problems arising from the crisis.  This results in an estimate of 14,400 man
hours lost, equivalent to 360 40-hour man weeks (nearly 7 working man-years).
This ignores the (presumably considerable) indirect costs attributable to loss
of computing time per se.  Estimates of up to 100 man-years which have appeared
elsewhere can be seen as not preposterous.

Retribution is likely to be meted out at several levels, possibly including
criminal prosecution.  Lenient or harsh, the punishment should not contribute
to making the culprit into an underground hero.  This process is already well
underway when the popular press associates the words "brilliant" and "innocent"
with the perpetrator and his actions.  Nor should the attention he has
managed to obtain result in lucrative job offers, or other inducements to
this form of behavior.

The second issue is less tangible but of great importance: the effect this may
have upon the openness and collegiality of the network, from which each of us
has benefitted.  It is here that the culprit may leave his most damaging (and
lasting) mark.  Communication requires openness, and open systems will always
be vulnerable in some respect; their integrity will always rely ultimately upon
the decency and good judgment of the participants.

--------------------------------------------------------------------------------
R. P. C. Rodgers, M.D.                  Telephone:
Statistical Mechanics of Biomolecules   (415)476-8910 (work)
Department of Pharmaceutical Chemistry  (415)664-0560 (home)
University of California, Box 1204      E-mail:
Laurel Heights Campus, Room 102         ARPA:   rodgers at cca.ucsf.edu
3333 California St.                             rodgers at maxwell.mmwb.ucsf.edu
San Francisco CA 94118                  BITNET: rodgers at ucsfcca
USA                                     UUCP:
                                     ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers
--------------------------------------------------------------------------------