The Internet Virus--A Commentary

Dave Hayes dave at jplopto.uucp
Wed Nov 9 10:13:56 AEST 1988


Dr. R. P. C. Rodgers, thank YOU for your refreshingly rational look at an 
issue which has already gone to the point of emotional extremism for some.
In the same spirit, I would like to take the opportunity to answer some of your
questions.

>2) Given the frequency of programming errors in untested programs, how would
>a technically experienced person assume that a program of this complexity would
>work as designed the first time?  This is an act of considerable hubris.

On the contrary, there are some programmers who can make extremely complex 
programs work the first time. To be sure, they are rare. But it is within the realm
of possibility. If we assume, for the moment, that Mr. Morris was indeed the culprit,
some of his statements to the Times indicated that the virus was not yet
completed. According to various accounts the virus "got out of hand" much faster 
than was intended, most probably during a debug session. How does one debug a 
virus? One could assume that at some point, the replication mechanisms would
work but the other mechanisms (perhaps malign) were still inoperative pending
further testing. Perhaps the culprit released the virus too soon and whatever
constant held the "replication factor" was too large. 

> 3) If the culprit "quickly recognized that things had gone wrong," why did he
> not IMMEDIATELY call local management authorities and inform them of the
> problem, rather than delegating this to a friend...
                                                     
Let's get real here. If the culprit deleted any trace of the files used
to generate the virus, there would be no obvious way to prove the culprit's guilt
except for a frantic phone call to local management. If I were the culprit, 
I would trust my friends more than I would trust local management. Still, with 
an operation of that magnitude it's a wonder that the culprit would tell ANYBODY
at all. It is reasonable to assume that the person responsible is bright enough
to know the consequences of any malicious act perpetrated on thousands of computers
belonging to government, industry, and schools. This line of reasoning makes me 
wonder if Mr. Morris is a culprit or a scapegoat. 

While I, and many other system administrators, will not condone malicious
hacking, this appears to be the only vehicle for plugging security holes
that is effective in a short period of time. And while it is never possible
to make a truly secure system, we can sure come a lot closer than we are now.

-------------------------------------------------------
        The opinions expressed here are my own         
       and not necessarily those of my employer.  
------------=====<<<<(Dave Hayes)>>>>=====-------------
          dave%jplopto at jpl-mil.jpl.nasa.gov 
          {cit-vax,ames}!elroy!jplopto!dave  
