Slashdot Mirror


Author Makes Symbian Virus Code Available

putko writes "The NY Times (registration required) has a story about a Brazilian software expert who's posted the code for his Bluetooth virus on his website. The article has a general anti-free-exchange-of-information tone to it. Security firms call him bad. Nokia is concerned. Here's his homepage (in Portuguese), so let's not unnecessarily DDoS him: The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

11 of 49 comments

  1. I'm confused by bwalling · · Score: 4, Insightful

    This posting seems rather sympathetic to this guy. Free exchange of information? Your credit cards are information - should I freely exchange those with everyone? So, not all information should be exchanged. Why should we be so nice to his website? He's not being so nice to our cell phones. And who cares what the name of the virus is? It's not like he discovered a new comet or something positive.

    There's something to be said for being open and free, but there's also taking it too far.

    1. Re:I'm confused by tka · · Score: 3, Insightful

      Yep, even though one might think of it as a positive thing to expose security problems in software, I don't. One should first contact the company about this. And then after a while, depending on what the company response was, release it. The security problem might not be due to originally bad design or lack of interest in security.. In which case the company should suffer from it.

      But now, we, the customers suffer from it.

  2. jealousy by St.+Arbirix · · Score: 2, Insightful

    The A/V companies got mad that they didn't think of the virus first.

    What good is antivirus software if it can't protect against all viruses? How better to protect against them than to have written them yourself?

    -1 flamebait

    --
    Direct away from face when opening.

  3. Why Lasco.A...? by Grab · · Score: 2, Informative

    Simple. You need the ".A" to indicate it's the first of its type. Since this dumbass has released the virus code to the world, you can bet there's going to be a ".B", ".C", etc.. In fact I doubt one alphabet will be enough to count them all.

    As for using this guy's name, why would we want a virus writer and distributor to become famous?

    Grab.

  4. I don't think there should be any debate here by orasio · · Score: 4, Interesting

    The guy discovered a fundamental flaw, and is showing the need for a fix, forcing a fix, probably. That is actually a good thing. The guy is a good guy, and gets fixed something that is broken.
    If he were a bad guy, he would be playing with your credit card, or even worse, shutting the hell up, and letting someone else discover the vulnerability, and using it.

    Maybe you think he should have contacted the responsible firms first, but that's too delicate, he could even end up with legal trouble because of that (think.. extortion).
    This way he will probably get the vulnerability fixed, and bluetooth users are the ones who benefit.
    I don't believe it's taking it too far.

    1. Re:I don't think there should be any debate here by hummassa · · Score: 3, Insightful

      But this is the only way to tell the companies: fix this or the whole world will know how to exploit it.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048

    2. Re:I don't think there should be any debate here by orasio · · Score: 3, Insightful

      Please! try thinking!
      Just because nice guys refrain from discovering vulnerabilities, it doesn't mean the bad guys will!!
      The guy is just trying to force the hole to be closed.
      The situation before this guy was that your phone was vulnerable, and you were ignorant. The situation now is that your phone is vulnerable, and you are aware of it, and probably won't buy another vulnerable bluetooth device until it's fixed.
      I don't understand why you prefer the first scenario. It's actually possible to write vulnerability-free software. It is way too expensive, but maybe it should be required.
      If people keep thinking that holes should just be overlooked instead of fixed, there will never be any value on providing secure software.

  5. Malware routinely gets renamed by babbage · · Score: 3, Informative

    "The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

    It's not much of a leap to assert that most malware is, on some level, a form of ego tripping, and most malware authors, much like the authors of any other software, would like to see their work spread far and wide.

    Hence, antivirus companies always change the name.

    Whether or not a virus had a name to begin with, each vendor will select a name of their own for it to deprive the author of that fame. Why encourage them, you know?

    But there's the other bit of ego -- each vendor will select a name of their own. For a prominent attack, one of these names will make it into the wider media, and being the vendor that named it is itself an ego boost for that company.

    So, all of this naming nonsense is just a stupid dickwaving ego contest. We'd almost be better off if we did like the National Weather Service and named each year's outbreaks in advance, before any of them are spotted in the wild, just to neutralize the stupid games that go on over what this junk gets called. Not that that'll ever happen, of course...

  6. Re:Yeah by Damhna · · Score: 2, Informative

    I'll back it up.
    It is the explicit (and logical) intention of AV companies not to name rogues in the fashion the author desires.

    Symantec's Policy is as follows:
    Virus names consist of a Prefix, a Name, and often a Suffix.

    * The Prefix denotes the platform on which the virus replicates or the type of virus. A DOS virus usually does not contain a Prefix.
    * The Name is the family name of the virus.
    * The Suffix may not always exist. Suffixes distinguish among variants of the same family and are usually numbers denoting the size of the virus or letters.

    The Code Red virus got its name from an eEye Digital Security researcher's beverage of choice -- the cola variety of Mountain Dew soft drink -- the night they picked through the corruptive code.

    Symantec Security Response senior director Vincent Weafer, who referred to Code Red's caffeine-based name, told NewsFactor that there are some things researchers do not use when naming worms:

    "We don't use the name of the virus writer because we don't want to give name recognition for something that's done for publicity, and we don't use the date because there are so many trigger dates and it's such an easy thing to change that it wouldn't make any sense," Weafer said.

    "After that, it comes down to the researcher and what they find unique about a particular virus," Weafer added.

    Quotes above from :
    http://securityresponse.symantec.com/avcenter/vnameinfo.html/
    http://www.newsfactor.com/perl/story/15662.html#story-start/
    http://users.tcworks.net/virus/naming.htm/

  7. What is the right thing to do then? by IndiJ · · Score: 2, Interesting

    It seems the debate is split mostly along the line of whether or not the dude in question should have released the code. Correct me if I'm wrong, but both sides seem to agree that knowing about a vulnerability and keeping silent is bad. The dividing point is what and how much information do you release about what you know about this vulnerability?

    On the one hand, releasing the full exploit code is probably pretty damned irresponsible. Now any idiot that can tweak a line of code or two can roll their own Symbian virus. It's the functional equivalent of posting a how-to guide on making bombs from nondescript household products. Could/should the Brazilian dude be liable to damages lawsuits?

    On the other, the valid argument that the warning would have probably gone largely ignored by the media, and possibly Symbian OS and AV developers, without making it so crucial. The dude's big show sure brings focus on the problem, which is good.

    These two positions can be trivially resolved. The "right" thing to do if you really want the problem exposed would be to write a benign virus that exploits the vulnerability in a clearly visible but harmless way (and does not propagate without control). Show that virus (openly - let the person receiving it decide whether to test it) to any media, developers or security experts you want. Include instructions on how to remove it.

    Admittedly, you may not get quite the same impact, but if you play your media cards right you might get one hell of a splash. The pressure will be on Symbian developers to fix things, but the chances are small that any real malicious virii will crop up in the interim. Seems to me that that solves all the problems.

    It does bring up a number of questions though - some of them new, some not. Is the Brazilian dude liable for damages that virii based on his code cause? Is keeping the exploit code from the public really in the public's best interests (maybe the open source community can make a better patch faster, or maybe giving the code to an AV company is an invitation for them to make a virus so that they can charge for the cure)? If he had given the code to developers of the OS or antivirus software, but they had kept it quiet, would they be liable if an actual outbreak occurs? If I discovered a vulnerability, and came up with a fix, could I insist on having it released for free by the OS developer (or as a free tool by an AV company)? If someone develops a virus based on this exploit code, could the Brazilian dude sue for copyright infringement? etc. etc.

    One thing that is not in question is whether or not it's ok to go poking for holes in software. To say otherwise is asinine, from any perspective. Give me an asshat publicizing exploits over a criminal using them any day.

    --
    It's hard to soar like an eagle when you're surrounded by turkeys.

  8. I wonder... by IndiJ · · Score: 3, Insightful

    You know, my gut reaction on reading the article as posted was, "What a goddamn piece of bullshit flamebait - who cares whether or not the guy doesn't get to name the virus he created?"

    But then I thought about it. Regardless of what it is, it is something that this Brazilian dude wrote. It's his intellectual property. He should have the right to name it. For the antivirus companies to tag it with their own name is equivalent to WalMart getting a box of "Home on the range" DVD's, ripping the covers off and selling them as "WalMart presents: The Disney cow movie!".

    And before anyone offers any arguments about "not wanting to encourage virus-writers", let me say: bullshit. It doesn't matter whether it's a program, a novel, a song or a painting ... or a virus - intellectual property is intellectual property. Even people in jail own the copyrights on their goddam prison tattoos. Even Osama bin Laden has his copyrights. The laws are quite clear on this.

    So... yeah. Velasco it is.

    --
    It's hard to soar like an eagle when you're surrounded by turkeys.