Internet – Ethics of Publicizing Security Vulnerabilities
The Ethics of Publicizing Security Vulnerabilities

Abstract: In 1988, Robert T. Morris Jr. released the Internet Worm Virus, which essentially shut down the entire Internet for a day. Morris wrote the virus using known vulnerabilities in the UNIX operating system. When these vulnerabilities are discovered, should they be publicized or kept secret to prevent further attacks? These issues relate closely to the concepts of open source versus proprietary software development.

In 1988, Robert T. Morris Jr., a Cornell graduate student, released a computer virus. The goal of this virus was to propagate itself across the Internet and to infect as many machines as possible in as little time as possible. The Internet Worm, as it came to be known, was very successful; it infected millions upon millions of machines and essentially shut down the entire Internet for roughly twenty-four hours. As a result of his creation and release of the Internet Worm, Robert Morris spent years in courts and paid significant amounts of money in lawyer and court fees, but never went to prison for his actions.

The Internet Worm case brings up an extremely important issue, one that grows in importance each year as the world becomes increasingly networked via the Internet and through other means: should people have access to information about vulnerabilities in computer systems, or should these vulnerabilities remain secret?

At the time that Robert Morris wrote the Internet Worm, there were known vulnerabilities in the UNIX operating system's Finger command and in the Sendmail daemon, the program responsible for transmitting electronic mail from one machine to another. Anyone who had some amount of expertise in the UNIX operating system knew of these weaknesses, yet no one had made an attempt to fix the problem. Robert Morris apparently viewed this situation as a matter that needed attention, which many people speculate was his reason for creating the Internet Worm. His ingenious virus used these vulnerabilities to attack systems and to propagate itself across the Internet. One fact is definitely known: the Internet Worm gave many thousands of computer experts a strong reason to fix these vulnerabilities.

It is necessary to realize one important fact about the Internet Worm virus: it was not totally malicious. That is, Morris did not write the virus so that it would try to do any damage to the hardware or software of the machines it infected.