Author Makes Symbian Virus Code Available

putko writes "The NY Times (registration required) has a story about a Brazilian software expert whose posted the code for his Bluetooth virus on his website. The article has a general anti-free-exchange-of-information tone to it. Security firms call him bad. Nokia is concerned. Here's his homepage (in Portuguese), so let's not unnecessarily DDoS him: The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

I'm confused

[bwalling]

This posting seems rather sympathetic to this guy. Free exchange of information? Your credit cards are information - should I freely exchange those with everyone? So, not all information should be exchanged. Why should we be so nice to his website? He's not being so nice to our cell phones. And who cares what the name of the virus is? It's not like he discovered a new comet or something positive.

There's something to be said for being open and free, but there's also taking it too far.

Re:I'm confused

[tka]

Yep, even though one might think of it as a positive thing to expose security problems in software, I don't. One should first contact the company about this. And then after a while, depending on what the company response was, release it. The security problem might not be due to originally bad design or lack of interest in security.. In which case the company should suffer from it.

But now, we, the customers suffer from it.

I don't think there should be any debate here

[orasio]

The guy discovered a fundamental flaw, and is showing the need for a fix, forcing a fix, probably. That is actually a good thing. The guy is a good guy, and gets fixed something that is broken.
If he were a bad guy, he would be playing with your credit card, or even worse, shutting the hell up, and letting someone else discover the vulnerability, and using it.

Maybe you think he should have contacted the responsible firms first, but that's too delicate, he could even end up with legal trouble because of that (think.. extortion) .
This way he will probably get the vulnerability fixed, and bluetooth users are the ones who benefit.
I don't believe it's taking it too far.

Re:I don't think there should be any debate here

[hummassa]

But this is the only way to tell the companies: fix this or the whole world will know how to exploit it.

Re:I don't think there should be any debate here

[orasio]

Please! try thinking!
Just because nice guys refrain from discovering vulnerabilities, it doesn't mean the bad guys will!!
The guy is just trying to force the hole to be closed.
The situation before this guy was that your phone was vulnerable, and you were ignorant. The situation now is that your phone is vulnerable, and you are aware of it, and probably won't buy another vulnerable bluetooth device until it's fixed.
I don't understand why you prefer the first scenario. It's actually possible to write vulnerability-free software. It is way too expensive, but maybe it should be required.
If people keep thinking that holes whuld just be overlooked instead of fixed, there will never be any value on providing secure software.

Malware routinely gets renamed

[babbage]

The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

It's not much of a leap to assert that most malware is, on some level, a form of ego tripping, and most malware authors, much like the authors of any other software, would like to see their work spread far and wide.

Hence, antivirus companies always change the name.

Whether or not a virus had a name to begin with, each vendor will select a name of their own for it to deprive the author of that fame. Why encourage them, you know?

But there's the other bit of ego -- each vendor will select a name of their own. For a prominent attack, one of these names will make it into he wider media, and being the vendor that named it is itself an ego boost for that company.

So, all of this naming nonsense is just a stupid dickwaving ego contest. We'd almost be better off if we did like the National Weather Service and named each year's outbreaks in advance, before any of them are spotted in the wild, just to neutralize the stupid games that go on over what this junk gets called. Not that that'll ever happen, of course...

I wonder...

[IndiJ]

You know, my gut reaction on reading the article as posted was, "What a goddamn piece of bullshit flamebait - who cares whether or not the guy doesn't get to name the virus he created?"

But then I thought about it. Regardless of what it is, it is something that this Brazilian dude wrote. It's his intellectual property. He should have the right to name it. For the antivirus companies to tag it with their own name is equivalent to WalMart getting a box of "Home on the range" DVD's, ripping the covers off and selling them as "WalMart presents: The Disney cow movie!".

And before anyone offers any arguments about "not wanting to encourage virus-writers", let me say: bullshit. It doesn't matter whether it's a program, a novel, a song or a painting ... or a virus - intellectual property is intellectual property. Even people in jail own the copyrights on their goddam prison tatoos. Even Osama bin Laden has his copyrights. The laws are quite clear on this.

So... yeah. Velasco it is.