Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04501; Wed, 20 Jun 90 17:24:08 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA07071; Wed, 20 Jun 90 17:24:08 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23218; Wed, 20 Jun 90 17:23:56 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa23100; 20 Jun 90 16:19 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:32:04 BST 
Message-Id:   <$TGWGCZNQBTQK at UMPA>
Subject:      Virus-L vol 0 issue #1016



Virus-L Digest Sun, 16 Oct 88, Volume 0 : Issue #1016

Today's Topics

Isn't "hacker" an honorific?
Re: networks
I am proud to be a hacker!
RE: I am proud to be a hacker!
Re: Policy on Informants

------------------------------

Date:         Sun, 16 Oct 88 15:51:00 EDT
From:         "Peter D. Junger" <JUNGER@CWRU>
Subject:      Isn't "hacker" an honorific?

I find  it  troublesome--and  perhaps  even  a  subject  that  has  ethical
implications--that  in the current discussion about the student who wrote
a virus that got away, the term "hacker" is used as if it were some sort of
label applied to a class of criminals,  like  the  label  "burglar".  As  I
understood  the  original  use  of  the  term,  it described those who make
computers do what they want the silly  machines  to  do,  as  opposed  to
"losers"  who  can  only  do  what  the machine (and its administrators and
programmers) lets them do. Admittedly some HACKERS want to  do  undesirable
things  with  their  machines, but others write EMACS. Considering the fact
that the virus in question was written in some sort of job control language
and that it blew up in its author's face--he sounds more like a loser  than
a hacker. Users often want to do undesirable things too.

The use of the word "hacker" on  this  list  thus  seems  to  me  a  rather
unpleasant  example of group defamation. I suspect that part of the dislike
for hackers that is expressed within the computer community is  based,  not
on  the  fact  that  some hacks are nasty, but on the fact that hackers are
free, i.e., out of control, i.e., out of the control  of  those  who  don't
like people to be free.

On the other hand, perhaps there is no ethical issue at  all.  Perhaps  the
word  "hacker"  has  come  to  be  a  pejorative because words change their
meanings over time, and that is all there is to it.  After  all,  my  old
high school geometry teacher worked during the summer as a computer.  Words
do change.

Peter Junger              JUNGER@CWRU

--------------------

Date:         Sun, 16 Oct 88 10:41:24 EDT
From:         SHERK@UMDD
Subject:      Re: networks
In-Reply-To:  Message received on Fri, 14 Oct 88  18:49:33 EDT

>>     The (c) Brain virus called INT 26h directly, so it can't infect
>>a network drive. This is the blessing/curse of machine dependent code!
>>Erik Sherk

>Interesting, however the virus can call the same routines that the DOS
>server does.  Thus, only if the server file is read-only AT THAT END
>can you be sure that a virus cannot infect the server.  If code at the
>user end can write to the server, in any way, then a virus code can do
>the same.  Read-only files, protected at the server end where the
>virus is assumed not to reside, are protected.
>(as an aside, we have moved the discussion from MAC to DOS here, we
>also are discussing what a virus can do, not what known viruses
>actually do.  I for one am discussing potential and not existing
>threats.)

Your point is well taken. Here at U of Maryland we are very concerned  with
network  server  security.  That  is  why we are trying to implement an NFS
server to serve all of the three types  of  microcomputers  in  our  public
workstation rooms. A Network File System offers Unix style security for our
users' programs and data (i.e. a user can run a program from an execute-only
disk  and still have read/write access to his data files on the server). It
seems to me, that you are against any write access to a server  because  of
the  potential for a virus to infect public programs.:-) Do you think that,
because of a *potential* threat, we should limit the functionality  of  our
servers?

Erik Sherk
Workstation Programmer, Computer Science Center
University of Maryland

--------------------

Date:         Sun, 16 Oct 88 23:29:21 EDT
From:         "Prof Arthur I. Larky" <AIL0@LEHIGH>
Subject:      I am proud to be a hacker!

I've been a 'hacker' for 32 years. I wrote programs for Lehigh computers to
do things I thought needed doing even though no one asked for them. I don't
attack other people's computers because I don't want people attacking mine.
(Fred Cohen attacked one of mine and I dumped him off of  it  immediately.)
Sometimes  I  attack one of my own computers, but usually by accident. Let's
find some other term for the malicious ones and keep 'hacker' for  the  guy
who likes to see what useful things he can do with a computer. I wonder how
you  get someone to pay a $2300 fine without going to court? Also, would he
have paid if he knew he was going to be thrown out of school? The fact that
the school could re-consider and up the penalties proves that  universities
are not bound by such minor legalities as double jeopardy.

Art

--------------------

Date:         Sun, 16 Oct 88 23:58:00 EST
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: I am proud to be a hacker!

>  Let's find some other term for the malicious ones and keep 'hacker'
>for the guy who likes to see what useful things he can do with a
>computer.

Oftentimes, a student who  has  a  reputation  for  being  a  "hacker,"  or
experienced  computer  user, might be charged with computer mischief merely
for being labelled as such, even though s/he  might  not  be  the  type  of
person who would ever do anything maliciously.

David  - "It could happen to me.  It could happen to you."

--------------------

Date:         Sun, 16 Oct 88 13:47:00 EDT
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Policy on Informants
In-Reply-To:  Message of 11 Oct 88 16:14 EDT from "Mark F. Haven"

>The punishment of the Albany student was way out of line - a 2K fine
>and booting him out of school for a dumb mistake which he
>immediately tried to rectify?

It is difficult for me to assess the appropriateness of the  punishment.  I
have  no  difficulty  at  all  with the $2380. As I understand the original
submission, this was restitution, not a fine. It is well settled in  common
law that anyone who plays with dangerous things is liable to others for any
damage that he causes.

As to probation, as recommended by the Student Committee  on  Conduct,  and
expulsion,  as  granted  by  the  authorities  on  appeal  from  the system
administrators, it seems to me that there is some  data  missing.  I  would
like  to  know  what rules, besides the obvious social ones against playing
with dangerous substances in crowded  places,  were  violated.  Under  what
explicit rules or agreements did the student use the system? What sanctions
were  provided  in those rules or agreements? If the punishment was imposed
"ex post facto," then I have some little sympathy. However, if the  student
knowingly  put  himself in danger of a published sanction, then I have none
at all.

Participation  in  an  academic  environment  carries   with   it   certain
responsibilities.  These include the responsibility not to "blot another's
copy book," use his work without proper attribution, and not to tamper with
his experiments. Because it is often  difficult  to  understand  how  these
rules  apply  in  a  computer  environment,  I  think  that  it  behooves a
self-interested academic community to put its members on  explicit  notice.
In  order  to  enforce their interest, such a community must be prepared to
shun, ostracize, and expel those who  violate  the  notices.  While  I  can
sympathize  with  one  who  unintentionally  offends in the absence of such
explicit notice, I do not necessarily believe  that  the  failure  to  give
notice  about  every  possible kind of offense compromises the right of the
community to invoke sanctions  for  offenses  that  fall  under  the  broad
definitions of unacceptable behavior.
____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
Ernst & Whinney                         ARPA: WHMurray @ DOCKMASTER
2000 National City Center               MCI-Mail: 315-8580
Cleveland, Ohio 44114                   TELEX: 6503158580
                                        FAX: 203-966-8612
21 Locust Avenue, Suite 2D              Compu-Serve: 75126,1722
New Canaan, Connecticut 06840           TELEMAIL: WH.MURRAY/EWINET.USA

--------------------

*** end of Virus-L issue ***
