Re: [ISN] Should virus writers be allowed to post harmful code on the Web?

From: InfoSec News (isnat_private)
Date: Tue Apr 16 2002 - 00:31:17 PDT

  • Next message: InfoSec News: "[ISN] Survival in an Insecure World"

    Forwarded from: John Q. Public <tpublicat_private>
    On Sat, 13 Apr 2002, InfoSec News wrote:
    |Guest Editorial
    |by Sarah Gordon 
    |May 2002
    [snip all over, only commented quotes are retained]
    |It's true that the scientific community encourages research, but only
    |when it's conducted within the ethical boundaries of a given
    |discipline. It's unethical to make viruses available for (relatively)  
    |anonymous distribution to persons of unknown ability or motive. It's
    |also bad science. How a virus replicates isn't hard to understand; in
    |fact it's fairly common knowledge among researchers. We don't need to
    |see the replication mechanism to figure out what makes viruses "work."  
    |The argument doesn't hold up once you understand that viruses are, for
    |the most part, trivial programming exercises.
    That last sentence is what sparked my need to respond.  Very early in
    this opinion you shoot yourself in the foot...  If it's so obviously
    simple to create malicious programs of nature to offend other people,
    why is it so horrendous to publish them?
    I was nearly turned away from reading all the way through because I
    have strong opinions that knowledge and information are hardly to
    blame for the actions of the people who abuse it.
    I can only assume that newspapers published similar articles by people
    with opinions against the introduction of automobiles, due to their
    ability to wreak major destruction.  (crashing into a school house,
    tearing up crops, causing a stink we still battle today...)  Any
    well-versed mechanic could defend it by saying it was trivial for a
    person to develop his own version of a horseless carraige and cause
    havok as well, but it's solely up to the operator and not the machine.
    The point I get at here is that you appear to have done both: complain
    about the problem and defend it, albeit very briefly, in the same
    |The United States Constitution protects free speech, but virus writing
    |and subsequent distribution aren't pure speech. Rather, they're speech
    |plus action. The U.S. Supreme Court has recognized that speech and
    |action, while closely intertwined, aren't one and the same. Thus, the
    |act of putting virus code on the Internet isn't necessarily protected.
    Good find, I'd be curious to see this used against malicious code in
    the future.  (If it's been used already, please let me know, as I
    believe it would be precedent and meaningful in many cases)
    |So, what is the answer? Should it be illegal to place virus code on a
    |Web site? Would this help solve the problem? While some voices have
    |argued for a stronger legal remedy, research I've conducted over the
    |last decade (at has shown that fear of the
    |law isn't a major deterrent for many virus writers. While most virus
    |writers understand that it's unacceptable to deliberately hurt
    |someone, they don't make the connection that, by creating and/or
    |deploying viruses, they're harming people.
    This is certainly a hot topic, with high-ranking folks taking on the
    challenge of trying to come up with an acceptable standard for all on
    the act of reporting vulnerabilities to the world at large.  Once
    again, I have formed the perception you're only taking advantage of a
    current event topic to encourage some sort of chaste restraint of
    |Herein lies our greatest challenge, one that isn't simply limited to
    |malicious code. The virtual environment tends to make us depersonalize
    |an interaction. Have you ever written something in email or in a chat
    |room that you would never say in person? If so, you've seen first hand
    |that computers tend to depersonalize interactions, altering the way in
    |which we communicate.
    I get the impression from this essay that you clearly have an opinion
    on how the world should work, but it was published in a particular
    place because of the assumed context and examples you used.
    The moral of your ethical delima (pun intended :) can be -- and
    probably has been -- misunderstood as a debate about virus code
    instead of simply a more noble standard for society.  Or have I
    completely misunderstood by assuming this has nothing to do with virus
    code and/or malicious programs?
    |This is an ongoing battle. We need to continue to let service
    |providers know that allowing viruses to be placed on Web sites for
    |educational purposes is unacceptable. We need to encourage educators
    |to teach which behaviors are acceptable and which are not in the realm
    |of computer use. And these lessons should start as soon as children
    |become aware of computers.
    Hmm, re-edit:
      This is an ongoing battle. We need to continue to let curators know
      that allowing guns to be placed in museums for educational purposes is
    [ NOTE!  This is NOT to start any debate about gun issues, but it outlines
    an example that many folks with opinions are familiar with.  </disclaimer> ]
    I wholeheartedly agree with the remaining two sentences, not only for
    computer crime, gun control, drug use, safe sex, money management,
    respect for person and property...  (yes, I'm a father :)
    |I've been listening to both sides of this argument for more than ten
    |years now. I have concluded that people need to stop thinking they can
    |do whatever they want simply because it's not illegal. Many things
    |aren't illegal, but that doesn't make them responsible or morally
    |right. Making viruses publicly available on the World Wide Web for
    |research or educational purposes? That's nonsense. Call it your
    |constitutional right, but the truth is that it's morally wrong.
    Sorry, Sarah, the world doesn't work like that.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 04:39:05 PDT