http://www.wired.com/news/technology/0,1282,49483,00.html

By Michelle Delio
2:00 a.m. Jan. 7, 2002 PST

Although it may seem trite to fret about computer virus attacks when compared with larger global security concerns, a seemingly endless onslaught of virtual vermin plagued computer users in 2001.

"In 1999, we were catching one virus per hour," said Alex Shipp, chief technology officer at Messagelabs, a security firm. "In 2000, it was one every three minutes and now in 2001 it is one every 30 seconds, and rising."

Other antiviral companies have reported similar statistics.

Anyone whose computer or network has been disrupted by a piece of nasty code may be surprised to learn that some who create and release worms and viruses look upon their work as performing community service.

Many virus writers say their "hobby" is a charitable donation of their time, as they provide skills to help others who are less fortunate -- or at least less technically inclined -- to learn about computer security.

"Better that you find out about a hole in your system through my virus, than through some unethical cracker smashing into your machine and stealing all your so-called private data," said a worm writer who asked only to be identified as CAT (for "Criminal and Anonymous Terrorist").

They also contend that their malicious code helps to keep some computer security experts employed.

And some virus coders believe that anonymously releasing worms is safer than reporting vulnerabilities to the software manufacturers themselves. They fear that companies will respond to a bug report with counter-charges of hacking.

"C'mon, none of the big software companies are going to press charges against someone who reports a hole in their software," said Jeff Vondell, a copyright lawyer. "But there's a definite and growing attitude amongst some of my colleagues in other countries that in the U.S., the big corporations write the laws.... 
The arrest of that Russian programmer last summer certainly didn't help foster a feeling of confidence in our legal system in other countries."

"Dmitri's (Sklyarov) case and that new U.S. law (the so-called Patriot bill) that classifies hackers as terrorists has forced a lot of people to think about whether it's safe to inform companies about security holes," said a virus writer who wanted to be identified only as Perro.

"If they ask you how you found out, ask you to provide your research, can they then arrest you for hacking into their product?" wondered Perro. "Did you break their copyright when you looked at their program code? Some people, especially outside the U.S., think it's now safer to release a worm than make a bug report."

Sklyarov and his employer, Moscow-based ElcomSoft, were charged last July with violating the Digital Millennium Copyright Act for selling a program that allows users to disable copyright restrictions on Adobe's e-book software. Sklyarov, who coded the eBook processor, was arrested at a hackers' convention in the United States and imprisoned for almost four weeks. The charges were later dropped.

Sklyarov's arrest was followed by protests from those who believe the DMCA, a law that punishes anyone who distributes "any technology, product, service, device, component or part" which bypasses copy-protection mechanisms, will also be used against those who expose security flaws.

"You (software manufacturers) declared war on us, and we have accepted it," CAT said, in reference to the Sklyarov case. "We are called criminals. We have been arrested for pinpointing vulnerabilities. So how else can we get your attention but by releasing worms?"

But not everyone agrees with hackers' fears and rationalizations for their activities.
"I have never heard of a company prosecuting someone who reported a security hole to them, but they can report these problems anonymously if they are worried," said Jerry Freese, intelligence officer at Vigilinx, a security assessment firm. "They can also alert a trusted member of the media or security community if action isn't taken. There is nothing noble about wreaking havoc in the e-world, on what has become a critical part of the economic and social structure."

According to Computer Economics, the Code Red worm alone cost an estimated $2.6 billion in lost productivity and cleanup.

Vondell noted that Sklyarov wasn't arrested for pointing out security vulnerabilities, but for distributing a product that took advantage of those vulnerabilities. But virus writers also correctly point out that Sklyarov wasn't distributing the product; his employer was.

Other virus writers are merely young adults or teens who seem to think that releasing a virus is nothing more than a modern version of a prank phone call. They just get a kick out of writing self-replicating code and watching how far it spreads.

Many virus writers said they write code out of anger, although they maintain it's not directed at the people whose machines their code infects. Still, they often consider their victims laughably ignorant for allowing their machines to get infected.

CAT pointed out that a significant number of worms and viruses exploit vulnerabilities that are already well known and patchable.

"Some (of these vulnerabilities) have even been known about for years," CAT said. "And the biggest of them has been known for centuries: 'Human Stupidity.'"

Virus writers often save their real venom for software developers, governments that the writers feel favor "corporations over curiosity," and the antiviral firms who they say profit from their work but condemn them as criminals.

"If we all decided to stop coding and releasing tomorrow, entire industries would collapse," Perro said.
"Admit it: None of you who profits off our supposed bad deeds really want us to stop releasing our babies into the world, do you?"

"There are responsible ways to alert people to problems, and irresponsible ones," said Sarah Gordon, senior research fellow at Symantec Security Response. "Creating a program that makes copies of itself, and setting it loose to run amok amidst an unsuspecting population is hardly responsible. It is not research, and it is not acceptable in our society."

Russ Cooper, moderator of the NTBugTraq security mailing list, suggested that virus writers who see themselves as educators might consider "finding work that benefits the public in a positive way."

"Write a new game based on the premise of teaching the player all of the different insecurities in their OS. Go to work for (software) vendors as quality and assurance testers, or coders, working towards preventing exploits," Cooper said.

While some security experts acknowledged the frustration they feel when a user clicks on a virus-laden, e-mailed attachment "yet again," or doesn't stay current with security patches, they didn't feel that releasing viruses was a valid response to the situation.

"Yes, you can get into an emotional state where you feel that users are getting what they deserve," said Steven Silverman, a systems administrator. "But we all know it's not fair to take advantage of others' stupidity. I have a pretty shitty sense of balance, but I'm trying hard to learn to skate. And, thankfully, the skilled skaters don't try to knock me down when they see me wobbling by."