Path: utzoo!attcan!uunet!cos!hadron!inco!mack
From: mack@inco.UUCP (Dave Mack)
Newsgroups: news.sysadmin
Subject: Re: Would you hire The Worm?
Message-ID: <3768@inco.UUCP>
Date: 28 Nov 88 18:47:50 GMT
References: <456@utoday.UUCP> <10538@ncc.Nexus.CA> <13162@ncoast.UUCP> <3738@inco.UUCP> <5518@medusa.cs.purdue.edu>
Reply-To: mack@inco.UUCP (Dave Mack)
Organization: McDonnell Douglas-INCO, McLean, VA
Lines: 88

In article <5518@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>In article <3738@inco.UUCP> mack@inco.UUCP (Dave Mack) writes:
>>I, on the other hand, would certainly consider hiring him. He's clearly
>>a talented programmer. And after all this, I would imagine he's a hell
>>of a lot more serious and conscientious about it.
>
>Ahem.  I've read through 3 different reverse compilations and unassembled
>versions of the worm program, and I can say pretty definitively that
>the worm program shows no evidence of the author (or authors) being
>a talented programmer.  The code is poorly structured, there is dead 
>code throughout, calls are made with the wrong number and kinds of
>arguments, effort is duplicated, and the data structures chosen are
>not appropriate for the task at hand.  If this were code from a
>student in one of my courses, I would give it no more than a low C
>grade.  It is largely luck that it worked as well as it did, and
>I doubt it was tested or ever run through lint.
>
>This is all discussed in my tech report (to be issued Monday).

I bow to your expertise in this matter, but I do have a question.
Haven't you ever written a program that contained redundant or
dead code that you intended to hack out in the final version?
Second, you're dealing with decompiled versions which don't include,
for example, preprocessor commands. Who knows what was in there
before cpp got hold of it? (I'm assuming (urk!) that this was
originally in C, not hand-coded assembler.) Finally, coding system calls
with weird arguments is one of the classic methods of probing for
holes in an operating system. In which case, why would one bother
running it through lint?

>As far as being more serious and conscientious, how the heck do you
>know that?  Perhaps the author(s) is now more serious and conscientious
>about not being caught.  Maybe he/she/they are now more serious about
>causing damage the next time something like this is done.  If the only
>punishment is a fine or a slap on the wrist, exactly what lessons do
>you think will have been learned from this?  Even if the punishment is
>more severe, what do you *know* will have been learned?

Again, an assumption. I suppose that I'm just a chicken, but I thought
that having his name spattered across the evening news, having the FBI
probing through every aspect of his life, etc., might have a slightly
sobering effect on him.

>It would be irresponsible for a businessman to hire a failed embezzler
>as the company comptroller.  It would be stupid to hire an admitted
>arsonist as the night watchman at a lumberyard.  It would be criminal
>to hire a child molester to work as a babysitter.  Even if these people
>had been caught, paid a fine, and served time, would you trust them
>with something of value to you and related to their criminal activity?

You ignore the matter of intention. Nobody embezzles money accidentally.
Nobody molests children accidentally. How do you know that the "culprit"
released this thing into the Internet intentionally? Can you prove
that the release of the worm was intentional rather than accidental?

>To hire the author(s) of the worm to work on computer security or
>important computer software would be just plain stupid.  He/she/they
>has demonstrated a total ignorance about right and wrong just to run
>some "neat hacks."

Same point as above. Your comment about "right and wrong" assumes
that he intended the thing to penetrate the net as opposed to being a
"proof of concept" program which was never intended to actually execute
outside a controlled environment. From your description of the decompiled
code, especially the bit about dead and redundant code, it sounds very
much like something that was unfinished.

Wouldn't it be interesting if all of this had happened because he
accidentally deleted a line containing a chroot(2) call?

>If I knew that a company hired the author(s), I wonder if I could ever
>trust the software they would market.  I doubt I would ever purchase
>anything from that company if I had any alternative at all.  Think
>about it.

I have. I'd put him in QA. Great marketing gimmick: "Even the author of
the Great Internet Worm of '88 was unable to penetrate our code." :-)

How about waiting to hear RTMjr's side of the story, Gene? Remember the
old gag about innocent until proven guilty? You keep talking about ethics
and morality, but you seem ready to lynch the guy without a trial.

If it could be proven that the worm's author did intentionally release
the beast and that there was no evidence of repentance on his part, then
no, I wouldn't hire him. As far as I know, neither point has been proven.

Dave Mack
Disclaimer: Not necessarily the views of my employer.