From: InfoSec News (isnc4i.org)
Date: Sat Apr 13 2002 - 02:57:19 CDT
by Sarah Gordon

While most computer viruses are spread deliberately and actively,
others are distributed more passively, through virus exchange Web
sites. Many virus writers support exchange sites, and often cite
research or the constitutional right to free speech as a reason to let
these sites exist. Those who use the sites explain that they don't
intend to harm, but to provide information that will help researchers
better understand how viruses proliferate (and perhaps how they can be
stopped). These arguments, however, fall apart under scrutiny.

It's true that the scientific community encourages research, but only
when it's conducted within the ethical boundaries of a given
discipline. It's unethical to make viruses available for (relatively)
anonymous distribution to persons of unknown ability or motive. It's
also bad science. How a virus replicates isn't hard to understand; in
fact it's fairly common knowledge among researchers. We don't need to
see the replication mechanism to figure out what makes viruses "work."
The argument doesn't hold up once you understand that viruses are, for
the most part, trivial programming exercises.

The United States Constitution protects free speech, but virus writing
and subsequent distribution aren't pure speech. Rather, they're speech
plus action. The U.S. Supreme Court has recognized that speech and
action, while closely intertwined, aren't one and the same. Thus, the
act of putting virus code on the Internet isn't necessarily protected.

Many virus writers contend that they're simply sharing information and
can't be held responsible for the damage caused by their virus if
someone else uses it to do harm. However, this isn't entirely
accurate. Existing U.S. laws let victims of accidental injury seek
compensation for losses caused by another's negligence. These laws
become even more applicable when you consider the damage that can be
done, whether negligible or intentional. Hence, virus writers may in
fact be legally responsible—even if they abdicate moral

So, what is the answer? Should it be illegal to place virus code on a
Web site? Would this help solve the problem? While some voices have
argued for a stronger legal remedy, research I've conducted over the
last decade (at www.badguys.org/papers.htm) has shown that fear of the
law isn't a major deterrent for many virus writers. While most virus
writers understand that it's unacceptable to deliberately hurt
someone, they don't make the connection that, by creating and/or
deploying viruses, they're harming people.

Herein lies our greatest challenge, one that isn't simply limited to
malicious code. The virtual environment tends to make us depersonalize
an interaction. Have you ever written something in email or in a chat
room that you would never say in person? If so, you've seen first hand
that computers tend to depersonalize interactions, altering the way in
which we communicate.

We can counter depersonalization through education and policy. In this
way, we can shape a world-view of acceptable and unacceptable
cyberspace behavior. Education is likely to be far more effective than
the law in the long term.

We have already made some significant strides. For instance, some
software developers state clearly in their licensure that their
packages may not be distributed from any sites that permit virus
distribution. Likewise, some ISPs now have acceptable-use policies
that forbid the distribution of viruses. And the acceptability of
publicly available viruses has dropped in some populations of young,
technically savvy people. Virus distribution may not be illegal, but
more and more people are agreeing that it isn't right.

This is an ongoing battle. We need to continue to let service
providers know that allowing viruses to be placed on Web sites for
educational purposes is unacceptable. We need to encourage educators
to teach which behaviors are acceptable and which are not in the realm
of computer use. And these lessons should start as soon as children
become aware of computers.

I've been listening to both sides of this argument for more than ten
years now. I have concluded that people need to stop thinking they can
do whatever they want simply because it's not illegal. Many things
aren't illegal, but that doesn't make them responsible or morally
right. Making viruses publicly available on the World Wide Web for
research or educational purposes? That's nonsense. Call it your
constitutional right, but the truth is that it's morally wrong.

Sarah Gordon is senior research fellow at Symantec Security Response,
and technical director of the European Institute for Computer