Slashdot Mirror


Author Makes Symbian Virus Code Available

putko writes "The NY Times (registration required) has a story about a Brazilian software expert who's posted the code for his Bluetooth virus on his website. The article has a general anti-free-exchange-of-information tone to it. Security firms call him bad. Nokia is concerned. Here's his homepage (in Portuguese), so let's not unnecessarily DDoS him: The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

2 of 49 comments

  1. I don't think there should be any debate here by orasio · Score: 4, Interesting

    The guy discovered a fundamental flaw, and is showing the need for a fix, forcing a fix, probably. That is actually a good thing. The guy is a good guy, and gets something fixed that is broken.
    If he were a bad guy, he would be playing with your credit card, or even worse, shutting the hell up, and letting someone else discover the vulnerability, and using it.

    Maybe you think he should have contacted the responsible firms first, but that's too delicate; he could even end up with legal trouble because of that (think: extortion).
    This way he will probably get the vulnerability fixed, and bluetooth users are the ones who benefit.
    I don't believe it's taking it too far.

  2. What is the right thing to do then? by IndiJ · Score: 2, Interesting

    It seems the debate is split mostly along the line of whether or not the dude in question should have released the code. Correct me if I'm wrong, but both sides seem to agree that knowing about a vulnerability and keeping silent is bad. The dividing point is what and how much information do you release about what you know about this vulnerability?

    On the one hand, releasing the full exploit code is probably pretty damned irresponsible. Now any idiot that can tweak a line of code or two can roll their own Symbian virus. It's the functional equivalent of posting a how-to guide on making bombs from nondescript household products. Could/should the Brazilian dude be liable to damages lawsuits?

    On the other hand, there is the valid argument that the warning would have probably gone largely ignored by the media, and possibly Symbian OS and AV developers, without making it so crucial. The dude's big show sure brings focus on the problem, which is good.

    These two positions can be trivially resolved. The "right" thing to do if you really want the problem exposed would be to write a benign virus that exploits the vulnerability in a clearly visible but harmless way (and does not propagate without control). Show that virus (openly - let the person receiving it decide whether to test it) to any media, developers or security experts you want. Include instructions on how to remove it.

    Admittedly, you may not get quite the same impact, but if you play your media cards right you might get one hell of a splash. The pressure will be on Symbian developers to fix things, but the chances are small that any real malicious virii will crop up in the interim. Seems to me that that solves all the problems.

    It does bring up a number of questions though - some of them new, some not. Is the Brazilian dude liable for damages that virii based on his code cause? Is keeping the exploit code from the public really in the public's best interests (maybe the open source community can make a better patch faster, or maybe giving the code to an AV company is an invitation for them to make a virus so that they can charge for the cure)? If he had given the code to developers of the OS or antivirus software, but they had kept it quiet, would they be liable if an actual outbreak occurs? If I discovered a vulnerability, and came up with a fix, could I insist on having it released for free by the OS developer (or as a free tool by an AV company)? If someone develops a virus based on this exploit code, could the Brazilian dude sue for copyright infringement? etc. etc.

    One thing that is not in question is whether or not it's ok to go poking for holes in software. To say otherwise is asinine, from any perspective. Give me an asshat publicizing exploits over a criminal using them any day.

    --
    It's hard to soar like an eagle when you're surrounded by turkeys.