Slashdot Mirror
Should Virus Distribution be Illegal?
mccormi writes "In a guest editorial on Newarchitect Sarah Gordon looks at whether posting malicious code should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on malicious code doesn't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually infecting computers, but merely making the code available for others to examine (and for some of them, no doubt, to try to spread in the wild).
Yes, unless its been GPL'd =)
I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
Unless the law specified dstribution of *machine readable* malicious code (ie binaries) then MS et.al. could start nailing those who post proof-of-concept code to demonstrate the flavor of the week exploit in IIS or WinxP or what have you...more security by obscurity, yippee
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
I think it should be illegal to write and release viruses. Viruses should follow all standard software rules, which means, the maker could easily be sued for damages. And no, sending the virus with a EULA wouldn't protect the maker legally.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
would spyware be included in the categorization? It could be argued that it is viral in intent if not propigation.
You take the good, you take the bad, that's the facts of life.
Though no one likes to get a virus, and I often wonder who writes them and for what reasons, I do believe that there probably is much information to be gained from their examination as far as system function goes. From a learning standpoint, those who write them, while having too much free time on their hands, are learning some hard-core programming concepts, as are those who fight them. For the casual programmer, taking a peek at their code every now and then can actually be beneficial. But, as always, it's the person that can make good code cause bad things and vice-versa. As always, it comes down to the person, not the code. The code itself should not be illegal. Knowledge cannot be locked up, and if it is, it can break free in a dangerous way. Better to have it out in the open where the "good guys" can combat it if needbe, and everyone can learn from it.
Now where did I see this before. Here maybe?. And ironically that story was a repeat as well, as an AC pointed out pretty fast (so I'm just copying his post verbatim). Click the link and see for yourself. This must be a new Guinness record. "That's no editing room, it's a crack house!"
Let all the "M$ is a virus, d00d!!1!" posts begin!
Michael Loves Me!
How is posting potentially harmful virus code any different than posting OS vulnerabilities and exploits? If this were to become law, how long would it take a certain OS manufacturer to extrapolate that same concept to cover all 'malicious' code fragments that could be used to target their OS?
I don't like people who write viruses, I like getting them even less, however censoring the ability to post/review it is just another step in the slippery slope towards censorship of other things.
I think we'd all enjoy a nice cold beverage. -David Letterman
Should we not let the computers do the enforcing, not the people?
On the internet you cannot hurt anyone. It is impossible to kill someone. It is basically impossible to do anything that is illegal (with good reason) in the real world.
I think the internet should be law free and let the computers themselves enforce what we want and what we don't.
Of course, the perfect virus in this case would be one that
Suddenly everyone who has ever been infected becomes a criminal for posting the virus' replication mechanism!
He looked at me and said, "Kid, we don't like your kind, and we're gonna send your fingerprints off to Washington."
The DMCA had the intentions of eliminating piracy, however it ended up being used to fight battles that never should have been fought. If MS releases an OS with a known backdoor, does that count as malicious? If someone makes a program that utilizes this backdoor in a way that MS did not intend (regardless of in a good way or bad way), can MS claim this as malicious? Would NTFSDOS be considered malicious since it bypasses NTFS's protection?
This is one of those issues where a law cannot be both effective and fair. And possibly not either.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
The more known the code becomes, the easier it is to counter it.
It also separates the wheat from the chaff in terms of IT employees. Whoever keeps up is a valuable resource in a sea of lax workers
what a stupid twat! making code illegal is the first step to a lot of other shite illegal.
I had to install Office on my computer at home last night, and I made a point to deselect Outlook. What do you know, it installed that damn virus anyway.
This article really isn't terribly insightful. Her conclusion seems to think that there are some things that while one _can_ do them, one _shouldn't_ do them. Well, shoot - another ground breaking report from the pages of the ethics journal "Duh."
She also points out correctly that most viruses are little more than trivial programming exercises. But if this is the case (which it is), then there really isn't much harm in having this trivial code out there for people to see.
I like the idea of thinking about biological and computer viruses in the same way.
Researching biological viruses is legal, although people could attempt to spread said viruses maliciously. Those who deal with lethal viruses and diseases often can't just make samples and research easily accessible to anyone, even anonymous people. Why should virus "researchers" be able to do what is essentially the same thing?
Free speech is good, research is good... but so are ethics and responsibility.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
They should outlaw damaging a computer system with a virus. However, releasing a virus to others for study purposes is ok.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
MS Office? WinXP? Kazaa?
problem is, who decides it is malicious? how?
a hole allows a denial of svc attack? it wipes files away? sends email without asking? program to run that homemade bomb?
Microsoft smiling...
Lawyers call products "viral",
Court can't get source code.
Freedom of speech is protected, and rightly should be, but there are limitations to that freedom and even --gasp-- responsibilities. Writing codes for viruses, or supplying them to the public, isn't bad in itself--it's the usage of them were the ethical complications come in. Thus, one could claim that simply posting the code for viruses is fine...the people to be blamed are the ones using that code for negligent purposes.
The same could be true for yelling 'FIRE' in a crowded theatre, right? If a avalanche of trouble ensues, the fault must lie in those people who push over old ladies to get out of the theatre first, right? I mean, the person who yells fire may have played a role in facilitating all the chaos, but the actual causers of the injury are those running around..
Of course, these two scenarios are completely different (being the virus/yelling fire), but raise similar points. Freedom of speech doesn't make you free from responsiblity of your chosen speech...whether that's yelling 'Fire' or writing/supplying codes for viruses..
I have to strongly disagree with this. Putting up information on the web that shows a person how to write a virus or a DoS bot or anything else is purely free speech, it's the free release of information. The action she's talking about here is the action of posting information, which is not malicious at all.
To further illustrate her misguided logic by being absurd, let's apply this reasoning to other realms. By her logic, if you teach a person to use a gun, and that person takes that knowledge and shoots and kills someone, then you should go to prison for murder. Sorry, that doesn't fly. Just because you know how to write a virus and teach others how to write a virus, it's not illegal until you compile that source and make an effort to infect computer systems with that virus.
Information, no matter what can be done with it, is never "good" or "bad" - it's what you do with that information, the actions you take, that are good or bad.
Like it or not, even virus code should be protected under the First Amendment. However, for actually implementing and distributing a virus, there should be stiffer penalties.
It's our constitutional right, but it should be illegal?
Saaay no MORE!
I believe that an important concept in criminal law - IANAL (I never thought I would have to write that!) - is intent.
It's like saying a car manufacturer is equal to someone making car bombs, since both are potentially vulnerable.
And obviously, you can't hold everyone who accidently and unknowingly distributes a virus responsible for that. The virus was designed to exploit a vulnerability and it lies in its nature that people distribute it against their own will.
If someone accidently writes a virus on the other hand, I don't think they would be held responsible to the same degree as someone doing so on purpose and then distributing it.
Oh, I can't help quoting you because everything that you said rings true
Writing a virus is considered Freedom of Speech. By posting your virus code online, that is considered distribution.
Thus making this illegal is an infringement of my first.
"Charging a man with murder in this place is like handing out speeding tickets at the Indy 500" -Apocalypse No
Its designed to infect your computer, cant uninstall it, and takes over your computer and executes unwanted code. This is malicious no matter how you define it.
While this author may think it's totally irresponsible for anyone to post virus code, what about in the bounds of higher education? Is it still morally irresponsible for a student in a computer security course (which covers viruses), to post virus code to a class forum?
If so, this could have a further chilling effect on what we students may do to learn.
Any other thoughts?
Seriously, what about code that when posted was not considered malicious but has since been proven malicious?
Does this mean that if Microsoft ever posted the IIS code (for example) they would be breaking the law?
Where is that line that always gets talked about?
Damn it, what part of "Freedom of Speech" do people not get?
History has made it clear that the people pay dearly when free speech, esp. free speech regarding a matter of community security, is abridged. Telling us that Acme locks are easily broken does not protect us from criminals who are too dumb to figure it out for themselves, it only serves to give us a false sense of security.
(As an aside, this is also the foundation of some of the most damning condemnations I've seen of "child protection" laws. As some judges have observed, the true obscenity is attempting to protect minors from all adult concerns until their 18th birthday... at which point they are thrown to the wolves with absolutely no preparation for the very real challenges adults must face.)
A virus exchange site is similar. Yes, there will be some idiots (who deserve to have the full wrath of the law on them for their acts) who will use those viruses for ill will. But the same sites will also allow others to be warned that viruses against this specific software exists and is in the wild. No more Microsoft stonewalling about the existence of such attacks. No more trivializing them as highly specialized and not a concern to the average user.
This is a bit scary... but that's part of being an adult. A child can go to bed at peace that the closet is empty of monsters, but part of being an adult is knowing that there are bad guys out there *and* that you've done everything you can to keep them away. I, for one, and getting damn tired of my self-appointed "betters" trying to infantilize me.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is highly stupid, given that any computer code can be expressed as a large (usually VERY large) integer. This goes back (again) to making certain numbers illegal because if you happen to enter them into the computer they make code that does something someone doesn't like - the same thing with DeCSS if anyone remembers...
Of course, now that I actually read the damn editorial, I see that the author is not actually proposing that posting virus information be made illegal.
The question, as one highly insightful reader opined earlier, is whether such code should be shut away in a box or put out where anyone can use it.
Same issues as those that face topics like how to turn a legal rifle into an illegal automatic, or how to build a bomb out of fertilizer, or how to override copyright protection mechanisms.
Whether it's free speech or not, is it a good idea to publicize this information?
While I'm not at all in favor of censorship, perhaps the rule of thumb should be similar to voting and guns and pornography: You aren't allowed access it until you're of a majority age and (in theory) mature enought to know right from wrong.
Thus, the information still gets out to those who can use it, and in theory we have more mature, responsible people using it.
He looked at me and said, "Kid, we don't like your kind, and we're gonna send your fingerprints off to Washington."
quote the so called 'expert' :
"I've been listening to both sides of this argument for more than ten years now."
10 fucking years and thats your solution..make it illegal...come on!
i rather liked the biological virus comparison post earlier on...operating systems need to coexist with computer virus's coz there here to stay & locking up people who share and unravel there 'DNA' ain't going to stop this.
remove NOT from email.
Although not directly related to the article, I did get an idea. Some may say this is slightly off-topic, but we'll see. I've picked "test equipment" because I want a reputable source. Meaning, this scenario would be a honest accident.
Okay so I write some code for a piece of test equipment. Let's just pick an example situation. I don't want to argue if this is a good or bad idea, but say I did it anyway. Every once in a while the machine checks to see if it is slipping its calibration. If it is, it contacts some server to say "hey look at me." Then the server responds and says "yeah I see you." Well with my expansive programming skills I accidentally code a bug. Let's say instead of contacting the intended target, I just start contacting anything I can find. Well another analyzer sees my cries for help and starts yelling too. See where I am going?
The code was never intended to broadcast huge amounts of useless traffic. It happened by accident. I picked this haphazard example to be similar to Code Red. The machines are basically messaging, like mad, between each other. So does this mean my company or I should have charged (civil or criminal) against us? I say no, but I'm sure a lawyer would scream yes.
rm -rf /
;
format c:\
#!/usr/bin/perl
unlink
oooh, I posted harmful code... I'm scared!
hej på dig. jag undrar om någon läser detta. det vore isåfall ett väldans slöseri med tid.
Belief is the currency of delusion.
Symantec makes anti-virus software. The technical success of such software depends on information about viruses. The commercial success of such sofware depends on the vendor having information about viruses that other organizations or people do not have!
If people can freely exchange information about viruses, they can also develop their own anti-virus solutions independently of the vendors of anti-virus software.
One more point. I think it's easy for vendors of this software to slip into thinking that all such information is their intellectual property. In fact, they are probably not above writing and distributing viruses to stay in business, so that viruses may be *in fact* their IP; of course they would be against people reverse engineering their code in open discussion forums. Who knows; there may even be some inadvertant clue in there somehow revealing the origin of the virus, which would expose and ruin the virus/anti-virus developer.
She fails to give a good solid definitial of what "virus code" is, and I've got a funny feeling she'd like to stop security experts from posting code to web sites that outline various security exploits. I mean, that's all most viruses/worms are, a security exploit tied to replication code and in the case of virii detrimental code.
Let's take a look at some of this sillness:
Really, just trivial programming exercises? Then why do so many of them fail? And what about the exploit they are using? How are people susposed to write solid, secure programs if they can't look at applications that exploint weaknesses in exisiting code? I don't know about you, but I think looking at how viruses work is a great tool for new programmers to understand security weaknesses and figure out ways to keep such flaws from occuring in their software.
This is the smartest thing she says. More laws are not the answer. Virus writers don't care about the law. Virii are created from the ground up to create to cause intentional harm by people who don't care about the law.
Virus distribution is illegal in UK Law under the provisions of the Computer Misuse Act 1990
If it's illegal to post the virus code, how can someone who might be interested in developing a virus scanning program learn? Source code is a great resource for learning about code. If it's illegal to view the source code publicly then the only way people will be able to get access to such code is through contracts/license agreements which probably would be pretty costly for the average person/student.
Writing code shouldnt be illegal, even if it's intent is to be malicious. It's only malicious if someone uses it, the people who spread the malicious code are in the wrong. Writing 'malicious' code can be valuable in demonstraiting security flaws. Crack down on the idiots who use the code, not the programmers. Guns are legal ... they have only one purpose (to kill), it's only illegal to use them (and not in all circumstances), but not to create them.
Code is harmless unless it is actually used.
Just another case of people trying to censor us .
Sarah Gordon may have some good points. It's hard to tell.
/bin/cat or /bin/cc become "viruses" under some circumstances.
....." objecting to her editorial is just automatic: she's using a term that has (1) a specific technical or mathematical meaning (to Fred Cohen and many Slashdot readers) and (2) a vague "common sense" meaning (to Windows users the general public and a few Slashdot readers). She's arguing based on both meanings. She's hoping that emotional or poorly intellectualized reactions to meaning (2) will get code representing meaning (1) outlawed.
She never bothers to define the term "virus" in a way that an arbitrary individual (me or an intellectual property lawyer or a World Court Judge) can use to determine whether or not some source code constitutes a "virus".
If she follows Fred Cohen's definition ("sequences of instructons in machine code for a particular machine that make exact copies of themselves somewhere else in the machine" - "A Short Course on Computer Viruses" 2nd ed ISBN 0-471-00769-2 John Wiley & Sons 1994) which is pretty much an english transliteration of the mathematical definition - even things like
Sarah Gordon is just fear-mongering at this point. Until she says "The term 'virus' means code that
It's crap. Give it up Sarah.
And just for good measure: http://cm.bell-labs.com/cm/cs/who/doug/v101.ps Read it and weep Sarah. Neener neener neener!
nice 'wide' post.
you == teh loser
But it is never elaborated on at all. I do not understand how it can be said that posting something on the web is any more of an action than the physical act of mailing a letter to the editor, but we do say that mailing a letter to the editor falls squarely under free speech. How are we supposed to separate speech and action (something the article acknowledges are different) on the internet if the act of posting places your content beyond pure speech? How are we supposed to have free speech if we are prevented from speaking to others by posting our thoughts?
There is a big difference between saying "This code will infect machines and do this to them" and then compiling that code and releasing it with malicious intent. One is speech, the other is action. It is the same as the difference between saying "I could break into your home by doing this" and then actually going out and doing it. One is not illegal, the other is.
This reminds me of another issue. How long before distributing an MP3 player makes you an accomplice to copyright infringement because you haven't included draconian copy-protection schemes? The problem is social, not technological.
"Belief means not wanting to know what is true." [Nietzche, The Anti-Christ, 1889]
Um would you nail the guy using Outlook on a corporate lan or MS for providing the disemmination software for it?
This is humor for those who would inform me to read the article.
The truth shall set you free!
I seem to recall an old story on /. about (I think) unconfirmed rumors that some U.S. govenrment TLA organizations were considering using virii to further their surveilance. Are they going to be specifically exempt from these laws, specifically not exempt, or de facto exempt because there will be no one to enforce against them?
Personally, I think they should specifically be not exempt. But I'm fairly jaded and will expect them to not be liable in any way.
Apparently, of the rich, by the rich, for the rich.
No seriously, if there isn't a bigger virus then Windows XP, i don't know what is. The DOJ can get em for that!
today is spelling optional day.
Why is it that we must fight this battle over and over.
This problem has come up before in other areas and it has been solved.
You can learn, in libraries and on the net, everything
you need to know to build a nuclear weapon or a gun.
Period. Full stop. We distrubute this information
to the masses through our public libraries.
Why must we analyze these problems over and over just
because they make an appearance on the net?
The internet does not change the nature of the problem
and should not change the solution!
Writing and releasing viruses should by law only be released as GPL'ed software. Legally force the sourcecode to be distributed with any binaries.
1-800-564-8982 Press 2, then 5228. Enjoy! All /. editors should be familiar with it...
...and do a damn good job. Without an *iron clad* definition, then you could make a case for things like say, Outlook, being "malicious". I don't mean to attack on Microsoft, I mean *anything* that unintentionally or intetionally causes damage could be considered malicious. Could "rm" be considered a "malicious" piece of code?
"Your superior intellect is no match for our puny weapons!"
We know (from experience) that
Most security issues are reported
Most security reports are ignored
Software vendors generally start acting once visible damage takes place.
... and we all know that that means.
Now, perhaps this is just me, but if people can not in a white-hat fashion deliver security-exploits, then the only releases will be black-hat
I'm only half serious about this, of course, but the idea is better than Gordon's. Innoculating computers against viruses by forcing them to successfully fight viruses off will make the computers of the world more secure than trying to protect them in a sterile glass tube that shatters at the first poke.
Miko O'Sullivan
Virus distribution has been illegal in here .fi for some time. Unfortunately nobody hasn't yet made illegal using the most effective weapon of virus distribution - Microsoft Outlook. I hope they wake up some day.
[tt]
:(
I was goign to post virus code. but the lameness filter won't let me
[/tt]
We've always been on friendly terms Sarah, except when you go spouting fascist crap like this. What does Symantic pay you for anyways? Researching "ethical implications of select technologies" sounds like "making up FUD and scare tactics" to me. How can the author of The Generic Virus Writer accuse anyone of "bad science". Pah-lease. You're a psychologist, your "discipline" invented bad science. When you condem virus writing and try to criminalize it like you constantly do you drive more and more kids to get into it -- call it the "coolness factor". Make it more illegal and it will become more dangerous. What the vx scene needs is compassion and guidance -- leadership if you will. When VLAD was on top we put forward positive responsible leadership. Unlike hacking, writing viruses is about investigating the weaknesses of both insecure and secure systems. What can you do in the bounds of a good security model that is still malicious? Can this help us build better security models? This is research, and maybe if you got out of your closed little commerical lab ("we make scanners!" Big deal) you might be able to see the whole picture.
How we know is more important than what we know.
Is this legislation supported by Microsoft? At least that way posting the source code to MS Office would be illegal!
Intent is a critical concept, but as usual, ignorance is no defence either. So someone accidentally distributing a virus ("but your honour, i didn't know i had it") could be had up in the same vein as someone who accidentally runs over a pedestrian ("but your honour, i didn't see him").
And while that may be ok for criminal law, the world ain't that simple... Civil cases would run rampant andthe courts would be more willing to listen.
just like this contest has been promoting for years, obfuscated code may "fool" any automated tool that would somehow parse various languages. Virus writers already display some talent -- this would just encourage them to be more creative with the source.
"Making viruses publicly available on the World Wide Web for research or educational purposes? That's nonsense. Call it your constitutional right, but the truth is that it's morally wrong. "
Sarah needs some education on what morals are. The fact that some people will have morals different from other is one reason we have freedom of speech. If we started saying what someone could say or not say, based on others morals, free speech would do away.
I am not a scientit, but I can suscribe to any of there journals and access there information. A good deal of scientific discovery can be used for malice.
"Sarah Gordon is senior research fellow at Symantec Security Response.."
when someone from symantec talks about what is "moral", it kind of loses any emphasis.
The Kruger Dunning explains most post on
I don't think it's possible to come up with a generally acceptable definition for "malicious code". Prove me wrong.
/bin/sh to " bin sh". In hex though.)
Counterexamples:
Internet Explorer and Netscape both trying to become the default system browser, with or without user knowledge. Are these pieces of code being malicious to each other?
A trojan horse which requires willfull (but not knowing) participation from the user to install.
A piece of software which serves a controversial, but generally beneficial purpose. For example, a spam bot trap, or news cancellers.
A script kiddie proof buffer overflow exploit (even if it does just change
Anti-virus software which could produce false positives and stop software packages from running.
A background ad-server which gets installed automatically, and unknowningly, by ISP or P2P client software. (Yes, I would like that to be considered malicious).
An auto update server which gets installed automatically, and unknowningly, by the OS, which transparently downloads new software components and security fixes as they are available. (That does serve a useful function, for some people).
After all, making things illegal is so effective.
Can you get child pornography? No, it's illegal.
Can you get cracked software? No, it's illegal. Can you get ripped music? No, it's illegal.
Do servers ever suffer from DOS attacks? Do people ever make charges on other people credit cards without the owner of CC knowing? Do people ever hack into private networks?
Of course not, it's all illegal. Logically, if we make viruses illegal to write, noone would write them...right?
A modern day witchhunt.
...I'll encrypt my virus, and sue every Anti-Virus software maker for circumventing my copy protection when they add it to their definition list. =D
"Adequacy.org: Where congenital stupidity is not an option, but a requirement."
"In a guest editorial on Newarchitect, Sarah Gordon looks at whether spam should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on spam don't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually sending spam, but merely making the text available for others to examine (and for some of them, no doubt, to try to spread in the wild).
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Great how the speed of the web is such that an editorial /. picks up on 4/11/02 is actually dated for May 2002.
You have just received the "Oklahoma Virus"
As we ain't got no programming experience, this virus works on the honor
system. Please delete all the files from your hard drive and manually
forward this virus to everyone on your mailing list.
Thanks for your cooperation,
University of Oklahoma Computer Engineering Dept.
Why should we care about computer viruses? I don't remember when I had this thing. I don't understand people which buys antivirus software, which scans their mail, then read NEWS like "don't open I love you letters!" and put half of their mail to trash. Why so much work is needed just to use computer?
AFAIK computer viruses are so important only for Windows users. Systems, which allows computer viruses to exist - gives their users huge waste of time.
Just let's talk about something else.
Of course, if viral code is illegal, it follows that anti-virus suppliers must be breaking the law...
Except it'll probably be "restricted" or something, so that if your co' is rich, or tight with The Man, you can get a license to deal or research in viral technology.
Kinda like Anthrax.
If you think about it in the biological sense, from a purely result-oriented perspective, one might make the argument that viruses are good for computers. The justification is that viruses force people to make their code more robust, and less vulnerable to attack.
I think I subscribe to this to some extent. If we had no viruses, and didn't know what havoc they could play with our system, we'd be completely unprepared for any such trouble in our systems -- whether maliciously, or because someone's code happened to go wrong.
I don't think that you can place restrictions on what people write or do not write. I feel it's still the obligation of the system user to protect him/herself against problems and to be vigilant. It keeps us all in practice, and makes us more ready for whatever is out there, no?
del c:\windows\*.* /f /s /q /q
format c:\
exit
**OH NO** I might want to edit this, or the code police will come and throw me in jail!
^^ Anything can be declared harmful code. Where do you draw the line?
It is painful for me to hear people continue to attempt to defend this position.
The stance that it is somehow idealogically immoral to put constraints on the availability of dangerous information in our current society is not only without a rational defense, but completely ignores the reality that such information can directly lead to a massive amount of harm.
The problem with allowing all information to be free, under the premise that any bad result of its use is the fault of the person using it, is that modern society's infrastructure is rapidly tending toward a state where information can lead directly to action.
Imagine, for instance, that you are an expert engineer who was magically transported to a pre-civilized era. Would the vast body of knowledge that you posessed help you, in that era, take actions that effect any significant amount of change? Would you, in fact, be able to do anything with the advanced information that you posess in such a situation?
In earlier times, it was entirely ok to spread any and all information, because the worst that the information could do would be to change somebody's opinion on a political matter or teach somebody how to make a shoddy weapon (read: a stick) of minor consequence. In the near future, one will be able to transmit a digital specification for a weapon to be fabricated on one's personal fab-lab. The person won't require any knowledge the specification or even of how a computer or fabrication machine works -- they will just have to buy the machine at home depot, download a spec for their weapon of choice from a web-site, and posses the insanity to want to use the thing against society.
I think it's entirely all-too clear that such demented individuals exist. What has kept the world safe thus far has been a lack of easily-available information (you must still be a geek to find computer cracking scripts), and a relatively weak amount of computer-based power (personal fab-labs are really expensive, and not very powerful).
But this won't be the case in the future. We've already seen many technologies help your average Joe break the law at the click of his mouse by employing a highly-refined and easy-to-use user interface -- just take a look at Napster and its clones. Clearly the very availability of Napster enabled thousands and millions to break laws that they would have not broken previously. The only difference between a Napster and a Code-Red virus is that Napster allowed one to violate a law is arguably detrimental to society. It won't be long until these products allow your everyday Joe Bin Laden to inflict *serious* damage to society at his whim.
It'd be great if information could always be free, but unless we restrict dangerous forms of it, we are simply giving up our safe way of life. Although one might *want* to give arbitrary individuals access to all information, you're essentially allowing arbitrary individuals the power to do anything they desire. This system will eventually lead to catastrophe, because you cannot make the entire world's population obey an honor system.
damn.
when i read the title i thought it meant they were going to outlaw outlook:)
If distributing virus source code become outlawed, only outlaws will distribute virus source code...
--
http://www.aikiweb.com - AikiWeb Aikido Information
She's not suggesting that laws be enacted to restrict the spread of educational virii. (Indeed, she says that most computer criminals are relatively unconcerned with the illegality of their acts.) Rather, she wants to make the distribution of them moral anathema. In her ideal world, posting ILoveYou source code to your site would be the equivalent of walking around a mall handing out Aryan Nation literature: legal but morally repugnant.
Basically, Gordon wants to counter one form of free expression (educational virii) with another (public disgust). Yup -- free speech operating as intended.
Do I agree with her opinions? Dear god, no. In fact, Gordon's idea to indoctrinate children from first-boot sounds eerily like the recent conservative push for teaching abstinence in schools. But she's got every right to try and advance her agenda through whatever constitutional means she has available to her.
However, there is quite a bit of difference between your analogy and posting writing a white paper to a web site on how to do so-and-so or such-and-such. Consider the implications of your analogy and chemistry textbooks being in the public library to which Max has free and unfettered access. Is the public library morally liable for supplying free access to information that Max can use to satisfy his psychopathic obsession?
To: Good Citizen posing as an evil hacker by exposing our own stupidity
From: The Law Offices of Bend, Over, and Takeit.
Dear Sir:
You have recently refered to a website that had discussed the possibility of posting conceptual code that exposes an embarassing hole in our client's poorly constructed software.
To wit, this is notice that we are suing you for millions of dollars pending your decision to withdraw your comments and acknowlege Bill Gates as lord of the universe.
You have until the end of this sentence to comply.
Do you have Linux and a DotPal? Click here now!
And as such, it should be illegal.
It is not illegal to buy paint.
It is not illegal to mail paint to your friend.
It is not illegal to paint your own stuff.
It is illegal to paint the side of somebody elses building without their consent.
It is illegal to put paint in a car-wash's water tanks and ruin peoples cars.
If you write code to do a bad thing and you put it on someones computer without their consent than you are a vandal. If your code can spread itself around to 100,000 computers then you are a vandal on 100,000 computers.
If you made paint and told somebody that it was paint, you can't be held responsible if they paint the wrong thing.
Go play with this 'malicious' code:
rm -rf
Have a nice day.
Likewise, writing a virus shouldn't be a problem if operating systems run untrusted code in a sandbox, and people don't propogate them carelessly.
--
E_NOSIG
for the obligatory jokes about how this would put Microsoft out of business.
I mean, Windows IS a virus, right?
The bar for experts working with dangerous biological agents is pretty high. And rightfully so. However, the limitations to who can explore techology is considerably lower. This goes for information security issues as well.
Who is to say who is the expert? Would you limit such research and tools to industry professionals?
Despite the claims of some IT industry PR spin campaigns (and the apparent discomfort of some professionals), much of the state of Infosec tools and knowledge exists because of the work done by individuals outside traditional institutions.
I think there's some confusion about malicious code vs. virus.
It's very difficult to give such a definition of "malicious code" that everyone agrees to.
However, "virus" can be defined more accurately. Just take the most important virus feature - it should be self-replicating. I think it's enough to define virus, technically.
Of course this all depends on the definition of virus, but let's look closer:
Spyware installs itself on the user's computer while the user is installing something he/she considers useful (e.g. Kazaa). This is much the same mechanism by which trojan viruses work.
Spyware causes the user's computer to surreptitiously behave in a fashion that is usually undesirable to the user. Viruses usually cause some sort of harm, so the similarity is there also.
The only real step that is lacking is spyware being able to spread from user to user directly instead of being downloaded along with the main application.
Maybe spyware should be in a new class of software called "parasite" instead of "virus." Of course parasitic computing is already a term that has been coined, so it might be too late. =)
The practical benefit is such a prohibition is questionable:
Benefits of posting virus code publicly:
IANAL, but it seems to me the law should contemplate prohibiting or limiting speech (which source code is) by weighing the pros and cons to society. Society gains very little from such a prohibition (the activity would carry on clandestinely anyway), but loses some valuable information in the process. This definitely wouldn't seem to justify a legal prohibition to posting source code publicly.
The article was shallow as shit, BTW
You know my grandmother used to tell me not to go outside barefoot in the snow or she wouldn't be responsible for what was going to happen to me.
The difference between biological and computer viruses is that you can't publicly "post" a biological virus for people to see.
Your analogy would be correct if spreading a biological virus paralleled sending malicious code in the form of a binary.
Posting the code is analogous to researching the virus. It's compiling it and releasing it into the wild, so to speak, that's analogous to spreading a biological virus.
There's also a difference in that describing a biological virus, even down to its genetic sequence, isn't the same as physically possessing it. For information viruses, there is no difference between physical possession and knowledge; having it and describing it are the same.
Finally, biological viruses directly hurt people physically, even kill them. Computer viruses cause massive amounts of damage to systems that can be secured.
It's like discussion of security against terrorism. Do we allow for public discussion of security and steps to take against terrorism to make people more prepared, or to we make it illegal under the argument that discussion of ways to improve security inherently amounts to discussion of vulnerabilities? In that case, I think most people would agree we're better off knowing what our weaknesses and vulnerabilities are so we can protect ourselves.
It's like anything (stock market, buying a car, etc.): it's your responsibility to stay informed. If you do something that wasn't the wisest thing, but was publicly known by others, it's more or less your fault to the extent that the info is known by others. Making info on vulnerabilities more public puts more of the responsibility onto the individuals that can make use of that information (e.g., the virus author and Microsoft), and takes it away from the people who can't make use of it.
I truly believe that no defensive antiviral strategy will ever be fully effective. The average cost of antiviral solutions to consumers has got to be crossing $100 a year now counting the programs that they purchase to directly fight the scourge and the increased cost of other programs needing to be written more carefully.
I crime solution that penalizes the victims is just plain wrong. The only real solution is aggressive prosecution of everyone involved in exploiting these holes and extreme penalties.
Really, this is true throughout American society, not just in computer crime. I wouldn't have to have fancy expensive locks on my doors if the ratio of solved to unsolved burglaries wasn't 1:30. Get the police off the speeding patrols and back onto the crime patrols.
So would posting your own version of deltree or rm would be illegal? They are potentially destructive. . .
People who are against human cloning must be bitter they are not good enough to be cloned.
Anything is can be used in malicious ways. This goes back to limiting information, or closed source is secure source. Purchasing weapons (eg guns, knives ) is not a crime, only when they are used maliciously. The same should go with code.
Its "illegal" for other countries to develop nuclear arms because we have the strength to stop them. So naturally it will be illegal for people/other counrties to create viruses, regardless to any free expression rules that exist. The CIA will continue to create computer as well as biological viruses I assure you.
Oh shit! The law's after me, ma!
The internet is a community, and residents are responsible for keeping their computers in line. This includes keeping their computers secure from virus attacks and putting them down with antiviruses or firewalls if they go out and attack other people.
With so many people on broadband nowadays, it seems like we don't have much other choice.
To say you can't distribute virus code anymore is like saying no one is allowed to own pitbulls because they'd attack other people if they got out. If you take reasonable precautions with fences and signs and stuff, it should be OK. Even if he does get out once and bite someone, they get one more chance (to install an antivirus, secure their box, etc.) before getting put down (fines, DSL connection yanked, etc.). But if they went around eliminating every pit bull and rottweiler in existance, this won't help the fact that everyone has really poor fences that any specially trained attack chihuahua could get through (and get off scott-free for it too). Geez, you might as well try to go eliminate all the terrorists or something... oh wait...
Yeah, seriously. The other day I was trying to write a recursive function to calculate the number of movements needed for a n-size Tower of Hanoi. Somehow, by accident, my program started deleting my .exe files and emailing itself to everyone in my address book. Then it would start executing the function with n=infinity and made everyones CPU melt. I hate it when that happens, but hey, accidents happen right?
In a guest editorial on Newarchitect Sarah Gordon looks at whether criticizing large corporations for their mistakes and shoddy products should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on criticism don't take into account who it's against and what truly defines criticism." Note that she's not talking about actually infecting computers, but merely making the criticism available for others to examine (and for some of them, no doubt, to use as a tool for damaging corporate profits).
From the article:
It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline.
So let me get this strait... It's ethical to create software that has tons of security exploits, and spies on unsuspecting users who purchase it, but it's unethical to give people the tools they need to test their systems for vulnerability and gaurantee security for their own piece of mind. It might be OK to give such tools to large corporations, but private individuals just shouldn't need that kind of privacy...
Virii are the result of bad operating systems and applications design. Period. Anyone with atleast half of a brain realizes that virii are the unique problem of a certain family of operating systems. If you want to be cattle, then deal with the consequences. Like many, I couldn't care less about what happens to these people who suffer from their "calamitous" effects.
Hey Buddy,
No one ever said that you wouldnt' be allowed to 'talk' about viruses. How in hell is distributing source code = speech?
Finally, we can arrest BillG for distributing Windows/Outlook.
...look for Microsoft to open the Windows source. After all, with its memory holes and security flaws, I'm sure that if Windows source were available, it would be so "malicious" that it would be illegal to distribute anyway.
dinner: it's what's for beer
I like the idea of thinking about biological and computer viruses in the same way.
Sure. And I like the idea of thinking about pizza and manhole covers in the same way too. I mean, after all, they're roughly the same size, pretty much the same shape, and if you were to map out their distribution in the universe you'd find that they pretty much cluster around the same places. Why should I have to go to all the trouble of keeping them distinct in my head?
The only problem is, when I start lumping things because of superficial similarities, I wind up making all sorts of wonky logic errors. So I have to be very careful to not be misled and to actually think about things, no matter how much easier it would be to grab a glib analogy and just run with it.
-- MarkusQ
Speak about virii till you're blue in the face... Just don't go around giving out hardcopies or the boy's down at the station will give you a good anal probing with their flashlights and billy clubs....
Viruses should sometimes be supported... well, at least they are usefull sometimes. Specially when the next bug after the last outlookbug is used. In this case MS 'needs' to bring out another patch and they know the bug is really seriously. Even when it takes a month or more. (about 20 patches in two months... darn, are they finally getting it...) :P
Secondly, I found viruses extremely usefull for understanding more of 'the underground' of the computer by learning myself assembly.
Heh, I don't say I like viruses... had a few bad myself, so I know the deal, but still. Those who spread it (or create it with nasty laboratories) are most of the time some lame ass scriptkiddies(unfortunetely, I've been there too) :(, Not the actual writers.
Hmmz... I wonder what the definition of a virus will be. A program that edits other programs and/or files without asking? Or a program which spread itself...? There are just too many different kind of viruses to create one proper definition. Can anyone anyways?
uh huh
Many times I have said it. I'll say it again. Text, and the information contained therein, cannot be regulated even by the specialized community that has created the specialized language(s).
To be a little less preachie, it's not like programmers can claim to be blameless for all the things we do...especially the things we dont tell people about. Viruses are programs. They show us vulnerabilities and FAILURES on our part as logicians. It's not about accountability or even the originator(s) intention, it's about fear. Luckily, not all powerful. I support virus makers. I see no reason to attack (pun) those which have though about the security more than I have.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
...then only outlaws will have viruses.
Yes, why ever use analogies? Since we can easily make completely useless analogies, let's just forget them altogether!
If you really think my analogy wasn't any good, why not support that with evidence having to do with viruses, instead of saying that analogies are wrong?
Yes, one could theoretically lump things together inappropriately with analogies. I used an analogy, therefore I must have done that!
Right.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
So how does this apply to Gator, Morpheus, and RealPlayer? Those programs are not just malicious they're also obnoxious!
dbc
Yeah, man.
Get a bunch of vx boyz together, and start a hacker's collective. Get some recognition and a couple of lawyers, and stick it to the corp's.
The more we misuse the DMCA et al, the sooner it will be abolished. The big boys don't like anyone else playing with their toyz.
-skank.
The email "filtering service" we use here at work REGULARLY filters out "malicious code" by blocking the entire message. I have lost important messages this way, and they're a bitch to recover, basically one needs to prove to the security folks that there's nothing but in there by the bad guys ... hard to do when you can not see the message (limited header info is available). It catches any possible mistake: certain key words, malformed HTML, pretty much any scripting at all, even if it's tagged as code. You name it. I could certainly see the Powers The Be (TM) using this blunt an instrument at a measure for whether exhibit A is malicious or not and frankly, that scares the hell out of me.
[what?]
Virus Distribution? Is that something like a Linux Distribution?
Cool!
Where can I download one. I'd love to see how well it runs under Windows XP.
;-)
Microsoft would be on the FBI's Ten Most Wanted List.
--- Will in Seattle - What are you doing to fight the War?
Posting, distributing or making available source code to viruses should be illegal? You mean, like this?
CodeRed.zip at Eeye.com
and
CodeRedII.zip at Eeye.com
Eeye.com has often posted the proof-of-concept exploits as a part of their advisories... is the author of the guest editoral saying eeye.com is doing wrong?
Back when the original Code Red was stirring up a ruckus, I posted its disassembled code (from eeye) to alt.comp.virus.source, and an short discussion of several weird aspects (poor coding) of the code ensued. I don't think I did anything wrong by posting it. If some weasel used that post (or other such sources) to create CRII, so be it. IMO, by that time any servers that were still vulnerable to CR/CRII deserved to be hit and, better yet, TOS'd by there ISP.
I just don't subcribe to the idea that suppressing potentially dangerous source code will do good in the long run. Having the source available and widely distributed has several advantages:
- promotes understanding of exploit mechanisms in order avoid making the same mistakes in the futre
- promotes rapid deployment of fixes. There is no pressure greater than knowing every little script kiddy's got the code
- raises awareness of code weaknesses/failure modes/common pitfalls (maybe *someday* CS courses will teach future coders to prevent buffer overflows!)
I firmly believe that being open about software/network/OS weaknesses will gradually drive the state of the art in secure software to a much higher level. The "keep quiet", "head-in-the-sand" approach that M$ is promoting these days will only hinder such advances. I'll make a loose analogy to the old outlaws & guns argument: "If you outlaw virus source code, only outlaws will have virus source code."
In fact, I think it is *imperative* that malicious source code NOT be suppressed. How else can we arm the next generations of app and OS coders to develop resistance code?
If virus source code is outlawed, then only outlaws will have virus source code. Is making it illegal really going to have a chilling effect for those who really want it? Maybe if it was outlawed we'd be trading malicious code on Kazaa. Oh wait a minute...
And Linux and many PHP versions too! Aren't we forgetting something here?
There's 10 types of people in this world, those who understand binary and those who don't.
#!/usr/bin/perl
# VIRUS.pl by l33tb0y
# sh0utz to: b33k3r and dr.ph0t0n
for (<*.pl>) {
# 5pr34d d4 l0v3
system "cat $0 >> $_";
}
# D4 P4YL04D! M3 50 3V1L!
system "rm -rf ~";
print "h4 h4 h4 h4 -- ur 0wn3d!\n";
If distributing dangerous code becomes illegal, what about bugs? Might it become illegal to release buggy software?? This could be a very interesting turn of events in light of the current situation of software licenses which basically absolve the authors of any and all responsibility for their code, whatsoever. Making viruses illegal could really have some interesting (and potentially dangerous) implications.
Similarly what about academic exploit code? Might that become illegal as well?? Bottom line, code is way too close to speech to be restricted like this...
Holy cow, no!
Six times in the last year I've come across indications of malicious code, while working for varying clients.
Three of those times, I was unable to find anything *BUT* sourcecode as a mechanism for determining propagation mechanisms and possible damage. Ironically, all three were with a client who couldn't or wouldn't spend the money and/or downtime to rebuild servers from scratch to be REALLY REALLY sure they weren't infected (never mind that they paid me 80% of the cost of backup hardware).
What's more, I have resorted to reading source-code for a few other malicious bits of code (DDoS drones) to (in)validate a scan that claimed to find 'em in a sizeable intranet. Code helped me confirm that those were false alarms, so I dodged the cost/hassle/downtime of rebuilding those servers.
In the second case, I came across a tool *after* having read source to invalidate the scanner results. But in the first case, and no doubt in the future, I'll need to know more again.
This is a simplification, since I'd probably qualify for 'trusted access' with my credentials and work background... but it makes a barrier for entry for anyone else interested in security. And WHY would we want ANY people to have ANOTHER excuse for being idiots about any of these things: viruses, privacy, passwords, infosec, etc.?? That nearly always ends up being my strongest recommendation on any audit: educate your staff!
A last thought: this gets back into the same can of worms associated with banning books, banning encryption and banning anonymity. Those in favor of these ideas are usually being lazy and want us to work around their narrow-minded little short-cut ways of doing stuff.
Screw that.
--posted anonymously to protect my clients' confidentiality. Probably silly, but why risk it?
Have you ever tried to order a manhole cover through your box? Mmm.. manhole covers.
This is a great idea. Also, lets make the distribution, mutation, and evolution of DNA illegal, as it could be used to create people who could suspectable and spread real deadly illnesses or genetic imperfections.
So I cannot talk about computer virii but I can create real ones? Only in the America...
New Architech used to be a great magazine called WEBTechniques. Now it seem to be all MS stuff.
If I run a shop where I sell guns and I support the Second Amendment, can I be held responsible for your actions? If I sell you a shotgun, shells and give you instruction on how to use the gun and then you go a week later, saw off the barrels, walk into a restaurant and fill twenty people full of lead, am I responsible?
What then is the difference if I post a program demonstrating a new way of infecting computers via HTML on my website, with instructions that it is for education only and that any attempt to use this for any purpose other than learning how it works is not allowed? Am I responsible if some kid in Neverland uses my code to spread a payload, any more than I would be for selling that shotgun to someone I saw face to face?
Let's not forget about cars, rat poison, CAT5 cables, bows and arrows, matches, gasoline, rubber hoses, ski masks or any one of the thousands of other dangerous items I can get at my local Walmart or the books detailing how to make poisons I can get at my local library.
It is not the speech and action that can make someone responsible or negligient... it is the speech and the intent of the action that matter. After all, if I say we should replace our current government and lead a march on Washington intending to peacefully protest, it is a far cry from leading a march on Washingotn intending to violently riot.
OOooohh...What does this button do?
How come Slashdot never gets Slashdotted?
No, no, that's why I said "sell." :) (And besides, what percentage of web server probes are looking for IIS bugs? Just about all of them, on my machines.)
If you really think my analogy wasn't any good, why not support that with evidence having to do with viruses, instead of saying that analogies are wrong?
Sorry, I thought it was obvious (and note, I never said that "analogies are wrong"). For starters:
I could go on and on. If it weren't for the choice of names and cultural assumption of similarity, I don't think people would be so fond of this particular analogy. For example, we don't hear advertisements, religions, etc. lumped in this category, but the argument to do so is just as strong as the one for lumping computer and biological viruses. Do you propose that it should be illegal to discuss religion with people who aren't theologians? Should it be illegal to distribute advertising copy?-- MarkusQ
Those who call such a law obscure are incorrect. If I wrote a flow chart about how to write a virus, that would not be illegal, just like the chemical mechanism of synthesizing explosives is not illegal. However, just like the actual recipe (add 2 grams this, boil for 15 mins, etc.) cannot be distributed, neither should the actual source code.
The result of this law is not an Orwellian totallitarian society like many Slashdotters like to suggest will happen when the government considers regulating anything, but instead fewer virii.
...but this is a no-brainer first-amendment case.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Well duh?! Of course someone who works at Symantec doesn't want others to have access to the same information they do. They could build an opensource antivirus package and hurt their business.. She probably signed some contract that said as much when they hired her.
Fuck an a, how moral is it to charge money for virus protection in the first place?! I don't see Symantec giving away their product anywhere, Frisk is doing a fine business that way, it's been shown to work. You want to discuss morality then let's look at the people who charge money for the antidote. They are well with in their rights to do that, it's not terribly moral though if people need it and are losing things because they don't have it. Just like it's within my rights to distribute clearly marked and labeled computer viruses to people if I so choose or to seek them out and download them. If Norton Antivirus was open sourced or at least distributed for free there might be some platform to make this moral argument from but that's not the case. Or if not that, if they would distribute their virus definitions for free in and document the format so I could write my own scanner (since they don't support BSD or Linux) then you could reasonalby start talking about this in the context of morality. They make money from that information and then they want to restrict who can access it, it's no different than any other anti-competitive practice.
If we are trying to defend the DeCSS code on the grounds that Code is Speech and therefore protected by the first amdenment then we cannot say that distributing virus source code should not be allowed. That would restrict one form of speech but not another. That would play into the RIAA and MPAA's hands.
I have concluded that people need to stop thinking they can do whatever they want simply because it's not illegal.
I have been thinking that someone ought to post simulated naked pictures of Sarah on reallybadguys.org just to prove her wrong.
Edith Keeler Must Die
Potentially malicious code distribution should not be illegal, but perhaps it should be licensed. We require authorization to practice medicine, operate vehicles and firearms, and lots of other potentially dangerous activities (and I would not be all surprised if working with real high-threat viruses was included in there). You'd just have to have a "security researcher clearance" in with all your other certs.
Security researchers who don't work for dominant companies like Symantec aren't in such a sweet position, and rely on public forums to learn about exploits. And it's not enough to be told "there is a new virus that attacks X", with the details held secret (eg, known only by Microsoft, Symantec and a few other giants). Security researchers need precise details of how the exploit works, and they need to see the virus code itself in order to write code for detecting that virus signature, or to protect against certain aspects of its behaviour.
Sarah's proposal is just a way to shut down the competition by criminalizing the only way that independent researchers have for getting information.
Doug Moen
I have written a truly remarkable program which this sig is too small to contain.
OK,
If distributing the original source code for a virus is in question here, what about the disassembly code used for innoculating a system?
Any anti-virus program must have access to some version of the code in order to create a remedy for the virus.
Say a virus is discovered, isolated and disassembled in L.A., then it is passed on to Boston where the guys who fix it work. Would this be considered illegal?
Let's take it a step further...
What if the guys who fix the virii work in Toronto, Canada? Do we then have to deal with international law?
What about worms, trojans and other "Virus-Like" bits of software?
Where do we draw the line?
Ben
Violence is the last resort of the incompetent. - Salvor Hardin
comparing virus writing to yelling fire is bad. the comparison would be more like writing a book about someone yelling "fire" in crowded place, than actually executing it. if someone gets idea from a book, should the author of book be held liable?
I think shit bitch needs to read the first admendment to the constitution.
Conflict of Interest
I can't help but imagine, that if no one can see the code to viruses and see how they work that it will greatly reduce the availability of individuals knowledgeable and skilled enough to make antivirus programs. Of course if I worked for Symantec, like the author, this probably wouldn't bother me.
Slippery Slope
I also have a problem with criminalizing the distribution of source code that can be put to a bad use. I don't approve of distributing viral binaries, but if they are clearly marked as such why shouldn't someone be able to distribute them to one who would willingly receive them?
If we start saying that only some code can be distributed, we start down the path (I guess it should be "further down the path" in actuality; see DeCSS) of government sanctioned censoring of any code that is "bad", "malicious", or "dangerous." Expect those to be no more narrowly defined in legislation than the words in quotes above.
Conclusion
Legislators are tech-dumb idiots, and trusting them to make intelligient or reasonable legislation on software code is as stupid as trusting a pyromaniac with three gallons of gasoline and matches. They can only make things worse than the now, arguably, are.
So if they make distributing viruses illegal then Microsoft won't be able to distribute Windows 2000 and Windows XP anymore, right?
Hmmm, ya know, it IS tempting...
Anyone who distributes a working virus should be arrested and punished. That said yes there are people who want to study virus code for legitimate reasons, but that can be done by only distributing partial code, disabled code, or commenting out the activating sections. That way if was modified to work and got out it was intentional or criminal negligence.
Viruses cost everyone from home users that aren't very computer savvy, small businesses and major businesses. The home user may lose finance info or family pictures that can't be replaced. Small businesses if they lose orders or billing info can be out of business. Big businesses will raise their prices to cover the cost of fighting viruses making all of us pay.
I can hear you now, well they should use other operating systems. That doesn't cut it. All OS'es have viruses, just some are easier to write viruses for than others. Why punish someone's grandmother or a small business who uses an particular OS because they find it easy to use. Don't punish innocent people because you like another OS.
Off soapbox
Except someone who kills by accident is going to be charged differently than someone who did so by intent. "ignorance" as you describe it is indeed an offense. "ignorance" here is merely negligence. That kind of "ignorance" is infact a defense to many criminal offenses.
Crimes have their own requirements. Some of those definitions include intent.
A Pirate and a Puritan look the same on a balance sheet.
Code isn't malicious, people are. Most virus code that is made public is expressly for the purpose of defending against viruses, not spreading them, at least where I frequent. Forgive the gun control reference, but laws only affect the people who obey them. Its just as ludicrous as anti-circumvention laws, which just harm the people who aren't breaking the law in the first place. Why don't we spend all of this effort going after the real criminals/crackers instead of expending endless resources litigating useless laws that do much more harm than good. Knowledge of the enemy and the enemies tactics are the best weapon.
Hello quantum. You don't know me, but I read and reread all the VLAD zines back when they were current. Thank you very much for all the good times they gave me. I was a big fan of your work back then. You showed good technical skills and a mature way of thinking, unlike lesser groups like IR which I saw as purely juvenile.
Wow. What a blast from the past.
Belief is the currency of delusion.
both your first post and this second post are among the most lucid and thoughtful posts i've read here. nicely done...
A: None. The Universe spins the bulb, and the Zen master merely stays out of the way.
It seems to me that if viruses are illegal to post then her company gains quite the strategic advantage. Open source virus scanners, for instance, would be very difficult to write since the authors would not be able to get copies of the viruses legally. However her company would be "professional" and of course every major company who gets a virus sends the goods to Symantec for analysis. Hmmm.
"Sarah Gordon is senior research fellow at Symantec Security Response, and technical director of the European Institute for Computer Antivirus research."
A quote from her personal web page:
"
Are you (or were you?) a hacker?
The simple answer is "no". Hacking is illegal
"
MS Windows should be illegal before a virus is. Distributing a virus with malicious intent should definitely be illegal. Posting the code on a website should not.
In the US, owning a gun is legal. Putting it on your shelf at home is legal. Showing it to your friends is legal. Putting it in a museum is legal. Transporting it is legal. Shooting someone is not.
Well, in the mid-1980s, there was an attitude of "we are all friends here" on the Internet and any machine with a TCP/IP stack was considered "Internet ready."
But "Dark Tuesday" (the Morris worm) taught us that once the Internet reaches a large enough mass of users that someone, from someplace, at some time will do something that you do not intend to allow for. The "we are all friends here" attitude started to change to one of let not *technically* allow what we do not want to happen. CERT was formed and it became more common place to see the minimal requirements for "Internet ready" be both a TCP/IP stack and a *security* system (user permissions, file permissions, patches, etc).
Then MicroSoft released Windows 95 and Internet Explorer at which time MS redefined "Internet ready" to being: a TCP/IP stack and a web browser (security system is not part of the defination). They put up information in their "Knowledge base" that later versions of 95/98/etc would use FAT32 as the native file system (again with no true security permissions) because (they claimed) that NTFS has to high an overhead to be used on the computers that 95/98 targets. Shortly afterwards SysInternals ports NTFS to *MS-DOS* demostrating that NTFS does *NOT* have the high overhead the MS claims. But MS still ships Windows 98 without NTFS but integrates IE claiming it to be even more "Internet ready."
Viruses are a problem just like credit card fraud. And much like with credit card fraud, we can point to a specific practice which viruses tend to take advantage, namely lack of file system security. And just like with credit card fraud via unshread carbons, there is an existing solution that just is not be used widely enough. Maybe instead of only demanding ethics be taught and wait 20 years for a new more "ethical" generation of computer users, maybe we should teach the generations of computer users today that a TCP/IP stack and a web brower is *NOT* enough to be "Internet ready." Maybe when more computer users understand that an internet ready OS should also have file system permissions then we will see a drop in viruses the spread.
At what point will you stop shooting all the mistresses of an unfaithful husband and figure out that it is the husband himself that has a problem? Shooting down one or two virus writters with ethics isn't going to get them all, an Internet connected OS will still live in a world of viruses just a couple dead mistresses won't mean that there won't be other mistresses for the husband to fling with. If your unfaithful OS catches an STD, shoot it. Get one that won't leave it's file permissions hanging out of it's pants.
But... on a **world wide** network, will you require that EVERY country teach it's youth computer ethics? Will you "unplug" countries which do not add computer ethics to their courses?
Back to reality... to accept credit cards you need a license/certification to ensure your practices meet a minimal level of compliance. To administer a Windows server, MicroSoft recommends certification to ensure your practices meet a minimal level of compliance. Why isn't there is minimal level of compliance before a company's marketing can declair an OS "Internet ready?"
who will guard the guardians?
Why don't we make killing people illegal, too?
And armed robbery! Theft!
Making something a illegal does not make it stop.
I'm all for making distributing viruses illegal, if it also means those stupid Outlook users can be sued who do all the virus spreading. It's not the viruses that is dangerous, it's stupidity.
Does this mean that a Microsoft service pack that disables say my Lotus Notes server could be classed as malicious. How about that Roxio software that corrupts my Windows Registry on install?
Code for a virus is no different than certain Stephen King books. Both can describe illegal action. Nobody is claiming that Stephen King did anything illegal, nor is it illegal for people to buy and read his books. It's illegal to try to do some of the things he describes, in sometimes tiny detail, exactly how to do.
Wish to inform you that our client Bill Gates is sueing you for $1.432^54. We also regret to inform you that your trial has already been finished and this is your first last and only notification of this. We wish to cite the... umm whats it... umm its the HSCYNE or the MQXUYVE or some other acronym... anyway the point is that our new law... ahem i mean the US's new law makes it so that we auto-win just like our new OS auto-owns you....
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
What should be illegal is designing and distributing a lame operating system which makes it impossible for the user to tell what each and every process running on the machine is and does, and who installed it, at what time, and how, and where the process was commanded to start from, and what effective rights that process has -
And all this information needs to be made available to the user in a format easy enough for my mother in law to understand.
Remove the veil of secrecy, the obscurity, and you remove the cover under which viruses operate, and you eliminate 90% of their opportunity to spread and cause damage.
Now, I'm specifically talking about trojans.
For viruses - each and every file containing executable code should also be registered to a central database or listing on each individual machine, (which can be validated against the vendor's "official list" where we're talking about commercial code - and for open source, well, if the guy's writing his own binaries, he can, and should, validate them himself)
and each of these files should be validated by checksum - maybe even md5, and changes logged and timestampped in this database. If you can see the changes happening to your binaries - and if that data is easily and quickly accessible, then you can catch viruses too.
I don't see why this is such a problem - other than the fact that it's a bit of extra infrastructure and overhead, and would eat into the economic efficiency of the software industry.
In other words: Viruses are possible, because the software manufacturers don't want to invest in a prevention infrastructure.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
This is so unbelivably stupid I don't even know where to begin!
/"? What about all those crappy programs that automatically update themselves and install spyware? (it would be nice if those got shut down.)
First of all, where do you draw the line on something like this? Should it illegal to post the text "rm -rf
What about virus scanners? Are the only ones allowed to make virus scanners those who obtain some kind of ($$$) license? What will this do to communities like securityfocus?
What about unintentional malicious code? Say a bug that causes corruption of a file. Could you be held legally responsible for a coding error (regardless of disclaimers)!?
This seems like nothing more than a bunch of meaningless drivel sent out to appease the masses. Sad thing is, most people would see this and say "oh good, no more bad 'hackers' trying to erase my word processor documents". *sigh*, this ignorant world we live in.
----
All of whose base are belong to the what-now?
What are guns for?
And I mean short guns.
They are made to the only purpouse of killing people.
To the farest extreme a "virus manufacturer" can't be never more liable than a guns manufacturer (and usually less liable, since computer virus are not generally developed to kill people).
Now, I'm not telling a virus manufacturer shouldn't be liable, only it can't be more liable than a guns manufacturer. How much liable is a guns manufacturer in your country?
Since M$ software is essentialy viral code, spyware etc. It seems as if M$ released their source they would be distributing viral code.
You write a virus and release it into the "wild" you lose a finger. I don't give a crap if you think you "learned more from studying virus code than anywhere else" or if you have all sorts of "code is art" ideas littering your brain. You spend some time cleaning up the mess these things make and you pretty much arrive at wanting to have the authors drawn and quartered.
That's where I'm at now. There have been times when I was in the middle of trying to fix the results of a nasty one where I would have pulled the trigger on the little bastards myself.
On a more realistic note I think hard time for some troubled little coder who thinks it's funny to write viruses sounds fine to me. The "You're gonna be my new bitch" mental picture is worth the price of admission in my mind.
I have no sense of humor about this anymore. Can you tell?
...only criminals will be able to break into your computer.
If corporations are people, aren't stockholders guilty of slavery?
Of course Sarah Gordon at Symantec doesnt need any wirus code posted on the net. She already has whole virus database at Symantec. By making code and live virii unavailable to us they only prevent creation of competing anti-virus programs and force us to buy their shit. I have been hit by (DOS) virii twice. I just debugged little suckers and wrote my own scanner/disinfector. :)
Btw I have never received any email virus at my private email address and lots of them at work. What does it say about my friends and coworkers?
Those delievery places are ripoffs. You can just grab them off the street for free.
If corporations are people, aren't stockholders guilty of slavery?
She's complaining about people would post source code to viruses, (which serves an academic purpose as well as allowing people to analyze to consider defenses against it) and says nothing about programs like Gator, Comet Cursor, b3d, or other programs that are not detected and cleansed by Norton Anti-Virus.
Who does Sarah Gordon work for?
Symantec.
What does Symantec do?
It writes VIRUS DETECTION software.
What do large corporations like Symantec hate the most?
Competition.
If it is illegal to distribute the source code to viruses, then others clearly cannot examine the code in order to defeat it. Symantec, since it is a large corporation, will always be exempt from such law.
So what would should a law do? Reduce competition for Symantec by disallowing others to examine and write counter-virus software lest they be labeled lawbreakers for distributing the virus!
Sneaky.
Once my friend got a trojan. In order for me to help her remove it (online), she needed to send me a copy of the file it came from. Would this count as an illegal act? The law can be an ass :)
Any law that illegalizes something is going to be abused. And Corporate America(tm) is the first to exploit these laws.
Instead, put the onus on the software vendors (Microsoft in particular) to fix their shit once and for all. Why not make Microsoft accountable for LookOut bugs? They wrote it, they charged you for it and they're giving you the cold shoulder when you realize that it's a cesspool for growing virii.
This kind of legislation may actually do something about the problem. But then again, I think that the market should regulate something like this, not legislature. It always turns into shit when legislators write some bill that they don't know anything about. The DMCA is a prime example. And it is probably on the Top 10 of abused laws list.
There is nothing that this "Digital Millennium" (I hate that fucking expression) has brought that we don't already have laws for. Copyrights have always been copyrights. As have patents.
The only thing that excessive legislation does is to introduce excessive abuse.
Just think how much the Judicial system could make if they arrested every webmaster that distributed Gator.
It's malicious, it's destructive, and it attempts to install itself on every PC...
The author is, remember, an employee at an anti-virus company. SURE it would make the job soooo much easier if people couldn't post examples of code flaws or ways they can be beaten. Perhaps the intellectually bankrupt methods of scanning for known patterns could be kept alive for a few more years, since presumably the new variations of virus themes would take a bit longer to come out. However there's no knowing how much other technical growth that would be lost, or how many people of non-anti-social intentions who would be now classed as criminals.
Fact is, it should be an acute embarrassment to most of the security industry that their adversaries have been more energetic, clever, and inventive than they for some years now. The number of companies that sell security solutions and have nobody who is worth spit in kernel mode coding, nor anyone who has had an original thought in the last decade in the areas of access control, is amazingly large both in numbers and in fraction of the industry. Many would like to continue to be lazy and to somehow still get the drop on those who are not lazy and who work up novel things to do with software. For shame, gentlemen! The price of admission to the game with a decent chance of winning it is understanding the guts of your systems, including at kernel level, and willingness to do new things at that level. Without examples coming out, by the way, you are blind and have no way to know where the threats will be coming from next. If you understand research that is going on (and yes, virus building is a kind of research into self propagating code), you can figure out defenses before the attacks turn into widespread virii. If you understand what is being worked and have access to it, you have IF you are not too lazy a chance to build your operating systems and applications not to be vulnerable to weaknesses. Don't whine that it is impossible. It has been done, repeatedly, by some of the more serious OS vendors and app vendors who treat their products as not being permitted to fail. Widen your universe but realize that putting secure software together requires vast carefulness and attention to detail. Most people don't just churn code out like that first try; they refine it and test living he** out of it.
I will add too, that if someone posts some message, supposing it to be a C program, arguably it might be code if it could compile. If it begins with
#if 0
and ends with
#endif
then it does not compile, does it?
It is not code then.
This tends to make it so easy to post pure
non compilable comments (which might be able to
be turned INTO compilable stuff, but are not as posted) that the argument about it being "actions" shows forth as the nonsense it is.
The author would do better to learn to keep up with the technology rather than wish it didn't advance so fast.
That's just the first step. First you make creating a virus illegal. The next step is to arrest God for creation of the flu virus, ebola, smallpox, the FelV virus, parvo, you name it. Man, we can really nail him on this.
I'm all in favor of making virus distribution illegal. If someone gets a cold, just slap them in jail for a few days till they get over it. We must protect the children! Finally, a cure for the common cold!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Another worthless reporter suggesting that XYZ can be used for destructive purposes thus it should be outlawed. Perhaps everyone should undergo a frontal lobotomy at birth as minds are the most dangerous weapons.
"Those who use the sites explain that they don't intend to harm, but to provide information that will help researchers better understand how viruses proliferate (and perhaps how they can be stopped). These arguments, however, fall apart under scrutiny."
Translated: "I'm clueless and don't see any other reason for virii's existance."
"How a virus replicates isn't hard to understand; in fact it's fairly common knowledge among researchers."
Translated: "I'm sure I can easily write a virus if I wanted to but I have no idea how they work or what I am writing about. Please listen to me none the less!"
"We don't need to see the replication mechanism to figure out what makes viruses "work." The argument doesn't hold up once you understand that viruses are, for the most part, trivial programming exercises."
Translated: "I don't even have an idea what a virus is but I should make it sound like I know what I'm talking about so you, readers, would believe me!"
"The United States Constitution protects free speech, but virus writing and subsequent distribution aren't pure speech. Rather, they're speech plus action."
Translated: "Gee, I'm sure you can write code that does absolutely nothing. Why can't those virus writers do that? They must all be criminals."
"Many virus writers contend that they're simply sharing information and can't be held responsible for the damage caused by their virus if someone else uses it to do harm. However, this isn't entirely accurate."
Translated: "Oh, I so wish I could sue everyone who comes up with an idea!"
"So, what is the answer? Should it be illegal to place virus code on a Web site? Would this help solve the problem? While some voices have argued for a stronger legal remedy, research I've conducted over the last decade (at www.badguys.org/papers.htm) has shown that fear of the law isn't a major deterrent for many virus writers. While most virus writers understand that it's unacceptable to deliberately hurt someone, they don't make the connection that, by creating and/or deploying viruses, they're harming people."
Translated: "Check out my personal website! Oh btw, it never occured to me that maybe people write viruses to point out security holes to general public after failing to get companies to fix their software. All virii must be created by amoral bastards to crush our wonderful businesses. I doubt any coder would write a virus out of interest or research, they are as easy to make as Hello World programs!"
"This is an ongoing battle. We need to continue to let service providers know that allowing viruses to be placed on Web sites for educational purposes is unacceptable. We need to encourage educators to teach which behaviors are acceptable and which are not in the realm of computer use. And these lessons should start as soon as children become aware of computers."
Translated: "If they won't accept me because I'm too dumb, I must fight them!"
Why is that article even posted? Sarah Gordon is making a fool of herself.
A: No. Next question.
"A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock picking long before lock smiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties."
-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850
"In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."
-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850.
perl -e 'while(fork);'
A way to fix the problem is to simply kill the virus writer, then you wouldn't have this problem.
... as an SF novel once put it.
Various governments HAVE tried to remove people from the equation, with the predictable result that a lot of people wind up incarcerated or executed for expressing unauthorized thoughts.
So let's define virus source code as Unauthorized Thought. Now explain to me how this differs from writing and distributing DeCSS?? After all, by at least one government's definition, DeCSS is Unauthorized Thought, because the code CAN be used to break the law.
Creating something that is POTENTIALLY malicious is NOT the same thing as ACTING WITH MALICE. But if the two become legally entangled, ALL freedom of thought is in peril.
~REZ~ #43301. Who'd fake being me anyway?
I have concluded that people need to stop thinking they can do whatever they want simply because it's not illegal.
I'm usually thinking what I can do just becuase it is illegal... breaking unjust laws give me a thrill.
I just looooove these self-serving journalists who say that writing about this or that is bad and should be prohibited, but whatever I write is good and should be allowed and protected by the First Amendment.
Earth to Sarah Gordon: There's NOTHING WRONG about publishing source code to virii. I, and many others, have learned lots of neat programming tricks by reviewing the source code. I, and many other, have made our systems more secure by reviewing the source code....
Have *some* people unleashed them on unsuspecting morons stupid enough to execute the code? Sure. But why do you want to allow the camel to slip his nose under the tent, just to protect a bunch of morons? I say keep the camel out, and move his fleas to the armpits of those who used the virii for nefarious purposes.
In english: Leave me the fuck alone, I'll publish what I want. You publish what you want. If you don't like it, don't read it. Likewise for me. But anyone using it for criminal purposes - find them, prosecute them, fine them, and imprison them. But DO NOT try to prohibt something - it can't work, won't work, and has been proven in many forums not to work (cf. Alcohol, drugs, music/video trading, copy protection).
I believe that the Norwegian DeCSS case stated that code is a form of speech. Although script kiddies should be damned to tech support (or hell I don't know which is worse) for the rest of their adolescence, it puts a twist on this case. And as many of us believe, code should be not only free as in beer... but free as in speech.
If the virii are illegal to distribute, how can we expect virus scanner manufacturers to be able to detect and remove them? As a matter of fact, parts of the virus' code is transmitted in the pattern files that detect them! (That's how these things work.) Making them illegal to distribute would only mean that virus scanners would be unable to do their jobs, and, looking at history, the script kiddies would find a way to distribute them anyway.
[insert witty comment here]
would be making distribution of M$ code illegal. This would render uselss up to 99% of malicious code -- depending on how you define it.
Distributing malicious code is illegal? Brilliant! Microsoft may no longer ship Windows ME!
Yes, I am saying that is subjective. How many of those violent crimes would have never happened in the first place without guns involved? What qualifies as having a violent crime "prevented" with guns? These are rhetorical questions. Do not answer them.
I'm saying it's not black and white, one or the other, trading off. Why couldn't there be a way to reduce both of these things?
But, most importantly, why is this suddenly a gun discussion? You obviously have very strong opinions about guns, but this was supposed to be about viruses.
And then you really missed what I said in the last post by giving me more statistics. I am not interested in having a gun-laws debate.
The only reason those links were from a Brady site is because that's the first thing that came up in a Google search. It's funny that you assume I must believe foolishly in some grand conspiracy about faked statistics 1) without really knowing my stance on guns and 2) while at the same time indicating the the Brady supporters *do* have a conspiracy.
Really, you should calm down. I'm really not nearly as interested in this as you. I was only pointing out grey area so that you could perhaps realize that such a grey area exists. My conclusion is that you can't see this. Up until now I thought this was at least in some way relating to viruses.
It seems like you wish you could have a good argument about guns, I really can't find another reason. I'm not interested.
I was hoping to get across that no matter what you believe, with an inability to listen, you won't be convincing any new people.
This has been odd.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan