[ISN] Should virus writers be allowed to post harmful code on the Web?

From: InfoSec News (isnat_private)
Date: Sat Apr 13 2002 - 00:57:19 PDT

    Guest Editorial
    by Sarah Gordon 
    May 2002

    While most computer viruses are spread deliberately and actively,
    others are distributed more passively, through virus exchange Web
    sites. Many virus writers support exchange sites, and often cite
    research or the constitutional right to free speech as a reason to let
    these sites exist. Those who use the sites explain that they don't
    intend to harm, but to provide information that will help researchers
    better understand how viruses proliferate (and perhaps how they can be
    stopped). These arguments, however, fall apart under scrutiny.

    It's true that the scientific community encourages research, but only
    when it's conducted within the ethical boundaries of a given
    discipline. It's unethical to make viruses available for (relatively)  
    anonymous distribution to persons of unknown ability or motive. It's
    also bad science. How a virus replicates isn't hard to understand; in
    fact it's fairly common knowledge among researchers. We don't need to
    see the replication mechanism to figure out what makes viruses "work."  
    The argument doesn't hold up once you understand that viruses are, for
    the most part, trivial programming exercises.

    The United States Constitution protects free speech, but virus writing
    and subsequent distribution aren't pure speech. Rather, they're speech
    plus action. The U.S. Supreme Court has recognized that speech and
    action, while closely intertwined, aren't one and the same. Thus, the
    act of putting virus code on the Internet isn't necessarily protected.

    Many virus writers contend that they're simply sharing information and
    can't be held responsible for the damage caused by their virus if
    someone else uses it to do harm. However, this isn't entirely
    accurate. Existing U.S. laws let victims of accidental injury seek
    compensation for losses caused by another's negligence. These laws
    become even more applicable when you consider the damage that can be
    done, whether negligible or intentional. Hence, virus writers may in
    fact be legally responsible—even if they abdicate moral

    So, what is the answer? Should it be illegal to place virus code on a
    Web site? Would this help solve the problem? While some voices have
    argued for a stronger legal remedy, research I've conducted over the
    last decade (at www.badguys.org/papers.htm) has shown that fear of the
    law isn't a major deterrent for many virus writers. While most virus
    writers understand that it's unacceptable to deliberately hurt
    someone, they don't make the connection that, by creating and/or
    deploying viruses, they're harming people.

    Herein lies our greatest challenge, one that isn't simply limited to
    malicious code. The virtual environment tends to make us depersonalize
    an interaction. Have you ever written something in email or in a chat
    room that you would never say in person? If so, you've seen first hand
    that computers tend to depersonalize interactions, altering the way in
    which we communicate.

    We can counter depersonalization through education and policy. In this
    way, we can shape a world-view of acceptable and unacceptable
    cyberspace behavior. Education is likely to be far more effective than
    the law in the long term.

    We have already made some significant strides. For instance, some
    software developers state clearly in their licensure that their
    packages may not be distributed from any sites that permit virus
    distribution. Likewise, some ISPs now have acceptable-use policies
    that forbid the distribution of viruses. And the acceptability of
    publicly available viruses has dropped in some populations of young,
    technically savvy people. Virus distribution may not be illegal, but
    more and more people are agreeing that it isn't right.

    This is an ongoing battle. We need to continue to let service
    providers know that allowing viruses to be placed on Web sites for
    educational purposes is unacceptable. We need to encourage educators
    to teach which behaviors are acceptable and which are not in the realm
    of computer use. And these lessons should start as soon as children
    become aware of computers.

    I've been listening to both sides of this argument for more than ten
    years now. I have concluded that people need to stop thinking they can
    do whatever they want simply because it's not illegal. Many things
    aren't illegal, but that doesn't make them responsible or morally
    right. Making viruses publicly available on the World Wide Web for
    research or educational purposes? That's nonsense. Call it your
    constitutional right, but the truth is that it's morally wrong.

    Sarah Gordon is senior research fellow at Symantec Security Response,
    and technical director of the European Institute for Computer
    Antivirus Research.