http://www.newarchitectmag.com/documents/s=2444/new1018047974653/index.html Guest Editorial by Sarah Gordon May 2002 While most computer viruses are spread deliberately and actively, others are distributed more passively, through virus exchange Web sites. Many virus writers support exchange sites, and often cite research or the constitutional right to free speech as a reason to let these sites exist. Those who use the sites explain that they don't intend to harm, but to provide information that will help researchers better understand how viruses proliferate (and perhaps how they can be stopped). These arguments, however, fall apart under scrutiny. It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline. It's unethical to make viruses available for (relatively) anonymous distribution to persons of unknown ability or motive. It's also bad science. How a virus replicates isn't hard to understand; in fact it's fairly common knowledge among researchers. We don't need to see the replication mechanism to figure out what makes viruses "work." The argument doesn't hold up once you understand that viruses are, for the most part, trivial programming exercises. The United States Constitution protects free speech, but virus writing and subsequent distribution aren't pure speech. Rather, they're speech plus action. The U.S. Supreme Court has recognized that speech and action, while closely intertwined, aren't one and the same. Thus, the act of putting virus code on the Internet isn't necessarily protected. Many virus writers contend that they're simply sharing information and can't be held responsible for the damage caused by their virus if someone else uses it to do harm. However, this isn't entirely accurate. Existing U.S. laws let victims of accidental injury seek compensation for losses caused by another's negligence. These laws become even more applicable when you consider the damage that can be done, whether negligible or intentional. Hence, virus writers may in fact be legally responsible—even if they abdicate moral responsibility. consequences So, what is the answer? Should it be illegal to place virus code on a Web site? Would this help solve the problem? While some voices have argued for a stronger legal remedy, research I've conducted over the last decade (at www.badguys.org/papers.htm) has shown that fear of the law isn't a major deterrent for many virus writers. While most virus writers understand that it's unacceptable to deliberately hurt someone, they don't make the connection that, by creating and/or deploying viruses, they're harming people. Herein lies our greatest challenge, one that isn't simply limited to malicious code. The virtual environment tends to make us depersonalize an interaction. Have you ever written something in email or in a chat room that you would never say in person? If so, you've seen first hand that computers tend to depersonalize interactions, altering the way in which we communicate. We can counter depersonalization through education and policy. In this way, we can shape a world-view of acceptable and unacceptable cyberspace behavior. Education is likely to be far more effective than the law in the long term. We have already made some significant strides. For instance, some software developers state clearly in their licensure that their packages may not be distributed from any sites that permit virus distribution. Likewise, some ISPs now have acceptable-use policies that forbid the distribution of viruses. And the acceptability of publicly available viruses has dropped in some populations of young, technically savvy people. Virus distribution may not be illegal, but more and more people are agreeing that it isn't right. actions This is an ongoing battle. We need to continue to let service providers know that allowing viruses to be placed on Web sites for educational purposes is unacceptable. We need to encourage educators to teach which behaviors are acceptable and which are not in the realm of computer use. And these lessons should start as soon as children become aware of computers. I've been listening to both sides of this argument for more than ten years now. I have concluded that people need to stop thinking they can do whatever they want simply because it's not illegal. Many things aren't illegal, but that doesn't make them responsible or morally right. Making viruses publicly available on the World Wide Web for research or educational purposes? That's nonsense. Call it your constitutional right, but the truth is that it's morally wrong. Sarah Gordon is senior research fellow at Symantec Security Response, and technical director of the European Institute for Computer Antivirus research. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 04:25:46 PDT