Should Virus Distribution be Illegal? 436
mccormi writes "In a guest editorial on Newarchitect Sarah Gordon looks at whether posting malicious code should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on malicious code doesn't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually infecting computers, but merely making the code available for others to examine (and for some of them, no doubt, to try to spread in the wild).
This could be bad... (Score:5, Insightful)
Code is like everything else (Score:1, Insightful)
Well... (Score:5, Insightful)
Of course not (Score:3, Insightful)
I don't like people who write viruses, I like getting them even less, however censoring the ability to post/review it is just another step in the slippery slope towards censorship of other things.
Re:Well... (Score:1, Insightful)
Know Your Adversary... (Score:2, Insightful)
The more known the code becomes, the easier it is to counter it.
It also separates the wheat from the chaff in terms of IT employees. Whoever keeps up is a valuable resource in a sea of lax workers
Re:Hmm. (Score:3, Insightful)
If this virus causes you problems with your computer the author cannot be held legally responsible.
Do you agree [Y/Yes]?
a matter of facilitation. (Score:3, Insightful)
Freedom of speech is protected, and rightly should be, but there are limitations to that freedom and even --gasp-- responsibilities. Writing codes for viruses, or supplying them to the public, isn't bad in itself--it's the usage of them were the ethical complications come in. Thus, one could claim that simply posting the code for viruses is fine...the people to be blamed are the ones using that code for negligent purposes.
The same could be true for yelling 'FIRE' in a crowded theatre, right? If a avalanche of trouble ensues, the fault must lie in those people who push over old ladies to get out of the theatre first, right? I mean, the person who yells fire may have played a role in facilitating all the chaos, but the actual causers of the injury are those running around..
Of course, these two scenarios are completely different (being the virus/yelling fire), but raise similar points. Freedom of speech doesn't make you free from responsiblity of your chosen speech...whether that's yelling 'Fire' or writing/supplying codes for viruses..
Free Speech + Action argument doesn't hold (Score:2, Insightful)
I have to strongly disagree with this. Putting up information on the web that shows a person how to write a virus or a DoS bot or anything else is purely free speech, it's the free release of information. The action she's talking about here is the action of posting information, which is not malicious at all.
To further illustrate her misguided logic by being absurd, let's apply this reasoning to other realms. By her logic, if you teach a person to use a gun, and that person takes that knowledge and shoots and kills someone, then you should go to prison for murder. Sorry, that doesn't fly. Just because you know how to write a virus and teach others how to write a virus, it's not illegal until you compile that source and make an effort to infect computer systems with that virus.
Information, no matter what can be done with it, is never "good" or "bad" - it's what you do with that information, the actions you take, that are good or bad.
Like it or not, even virus code should be protected under the First Amendment. However, for actually implementing and distributing a virus, there should be stiffer penalties.
What part of "Freedom of Speech" do you not get? (Score:3, Insightful)
History has made it clear that the people pay dearly when free speech, esp. free speech regarding a matter of community security, is abridged. Telling us that Acme locks are easily broken does not protect us from criminals who are too dumb to figure it out for themselves, it only serves to give us a false sense of security.
(As an aside, this is also the foundation of some of the most damning condemnations I've seen of "child protection" laws. As some judges have observed, the true obscenity is attempting to protect minors from all adult concerns until their 18th birthday... at which point they are thrown to the wolves with absolutely no preparation for the very real challenges adults must face.)
A virus exchange site is similar. Yes, there will be some idiots (who deserve to have the full wrath of the law on them for their acts) who will use those viruses for ill will. But the same sites will also allow others to be warned that viruses against this specific software exists and is in the wild. No more Microsoft stonewalling about the existence of such attacks. No more trivializing them as highly specialized and not a concern to the average user.
This is a bit scary... but that's part of being an adult. A child can go to bed at peace that the closet is empty of monsters, but part of being an adult is knowing that there are bad guys out there *and* that you've done everything you can to keep them away. I, for one, and getting damn tired of my self-appointed "betters" trying to infantilize me.
Re:Free Speech + Action argument doesn't hold (Score:2, Insightful)
No, that's wrong. If you teach someone to shoot a gun, and then they go and kill someone, it's true that you shouldn't be held responsible for that person's actions.
Her point is something different. If you give a loaded handgun to someone and they run out the door and shoot someone, you're an accessory...right? There's a difference between supplying someone with knowledge versus supplying them with a weapon.
So, if we teach someone how to program and they use that programming knowledge to write virus code, that's not our fault. However, if we give someone the code for a virus program and they simply release into the mainstream, I don't think many people would argue that we played a role in that destruction.
Its not distribution, it is use (Score:5, Insightful)
I can distribute instruction on how to turn a gun into a machine gun, that is legal.
I can legaly distrbute instructions on how to make drugs.
It is legal to distribute instructions on how to make bombs.
I can join a club that intends to destroy the current goverment.
I can legally plan a murder.
In all of the above situations, following though and doing the act in question is illegal. However knowing how to do it, and discussing it is not. However once it is done, not only is the act illegal, but possessing/doing the above turns it from a legal act to a conspirecy which makes the act a high crime.
But we are not even talking about the above situations where there are no legal reason to use that information. Instead we have:
I can buy and use lockpick.
I can own and shoot a gun
I can own and use a car.
I can drink alcohol
All of the above are legal, and have legal uses. all can be used illegally.
Likewise there is benifit from distributing the source code for a virus. Programers should study such things to understand how they work. Only through such understanding can we go the next step and write programs that prevent them from working. (This is an arms race, virus writters are getting better all the time, so we need to get better)
Define "virus" first - then let's talk (Score:5, Insightful)
She never bothers to define the term "virus" in a way that an arbitrary individual (me or an intellectual property lawyer or a World Court Judge) can use to determine whether or not some source code constitutes a "virus".
If she follows Fred Cohen's definition ("sequences of instructons in machine code for a particular machine that make exact copies of themselves somewhere else in the machine" - "A Short Course on Computer Viruses" 2nd ed ISBN 0-471-00769-2 John Wiley & Sons 1994) which is pretty much an english transliteration of the mathematical definition - even things like
Sarah Gordon is just fear-mongering at this point. Until she says "The term 'virus' means code that
It's crap. Give it up Sarah.
And just for good measure: http://cm.bell-labs.com/cm/cs/who/doug/v101.ps Read it and weep Sarah. Neener neener neener!
How is posting virus code speech + action? (Score:5, Insightful)
But it is never elaborated on at all. I do not understand how it can be said that posting something on the web is any more of an action than the physical act of mailing a letter to the editor, but we do say that mailing a letter to the editor falls squarely under free speech. How are we supposed to separate speech and action (something the article acknowledges are different) on the internet if the act of posting places your content beyond pure speech? How are we supposed to have free speech if we are prevented from speaking to others by posting our thoughts?
There is a big difference between saying "This code will infect machines and do this to them" and then compiling that code and releasing it with malicious intent. One is speech, the other is action. It is the same as the difference between saying "I could break into your home by doing this" and then actually going out and doing it. One is not illegal, the other is.
This reminds me of another issue. How long before distributing an MP3 player makes you an accomplice to copyright infringement because you haven't included draconian copy-protection schemes? The problem is social, not technological.
Re:This could be bad... (Score:2, Insightful)
By outlawing the distribution / posting of software deemed "malicious", it becomes only a matter of time until someone attempts to apply it to security tools such as nmap, ethereal, and any/all proof of concept exploits.
The distribution of "malicious" code should be regulated (or intentionally unregulated) much the same as file sharing should be: posting things for others should be legal ; using things for illegal and malicious acts should not .
The problem, though, is the impossibility of catching everyone who uses a "malicious program" once it has been posted. Much like peer-to-peer file sharing, once something is online, it is difficult or impossible to contain. Hence, a paradox: legislators intelligently see that the only way to truly stop these nuisances is to stop it at the source, the single point of failure; unfortunately, this seems to violate fair use and free speech principles. The only way to stop these nuisances is to trample on protected principles.
I, unfortunately, see no easy solution to this problem.
Define "malicious code"... (Score:2, Insightful)
How do you even begin to define malicious code? (Score:2, Insightful)
Counterexamples:
Internet Explorer and Netscape both trying to become the default system browser, with or without user knowledge. Are these pieces of code being malicious to each other?
A trojan horse which requires willfull (but not knowing) participation from the user to install.
A piece of software which serves a controversial, but generally beneficial purpose. For example, a spam bot trap, or news cancellers.
A script kiddie proof buffer overflow exploit (even if it does just change
Anti-virus software which could produce false positives and stop software packages from running.
A background ad-server which gets installed automatically, and unknowningly, by ISP or P2P client software. (Yes, I would like that to be considered malicious).
An auto update server which gets installed automatically, and unknowningly, by the OS, which transparently downloads new software components and security fixes as they are available. (That does serve a useful function, for some people).
Of course it should be illegal... (Score:2, Insightful)
After all, making things illegal is so effective.
Can you get child pornography? No, it's illegal.
Can you get cracked software? No, it's illegal. Can you get ripped music? No, it's illegal.
Do servers ever suffer from DOS attacks? Do people ever make charges on other people credit cards without the owner of CC knowing? Do people ever hack into private networks?
Of course not, it's all illegal. Logically, if we make viruses illegal to write, noone would write them...right?
Re:Hmm. (Score:4, Insightful)
Some people call it "ad ware" or "annoyance ware," but since I didn't want it, it reduces the effectiveness of my PC, and I wasn't alerted to its presence, I consider it a virus.
Can I sue the manufacturers for damages?
To restate the point... (Score:4, Insightful)
From the article:
It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline.
So let me get this strait... It's ethical to create software that has tons of security exploits, and spies on unsuspecting users who purchase it, but it's unethical to give people the tools they need to test their systems for vulnerability and gaurantee security for their own piece of mind. It might be OK to give such tools to large corporations, but private individuals just shouldn't need that kind of privacy...
Re:Hmm. (Score:3, Insightful)
Some programs by design can, if used improperly, cause a great deal of damage. Certainly, someone using a program to delete files can't exactly claim ignorance if the program actually DELETES the files they told it to.
So what if I download a program, and the eula specifically warns met that running the program will spread itself to 100 people and promptly wipe all accessible harddrives. That's what the program was SUPPOSED to do, and it specifically stated that in a document that by default almost nobody reads.
Outlook, or any email program for that matter, has features that allow you to forward messages to other people. So when someone receives a message, if an executable attachment is automatically run (because the email program allows that function), a message pops up explaining that the user's computer "will now send 100 copies of the current message to anyone/everyone it can find, then wipe the disk, press ok to continue"... and the idiot user presses ok without ever reading the message, who's to blame here?
Yes its a virus (or a worm if you would). Yes, its intent is malicious. But the user gave permission to execute it, just as if the user gave permission to erase his computer by using deltree
What's truely sad here, is a virus based on the previous model would probably spread just as well as your typical covert variety.
-Restil
Re:This could be bad... (Score:5, Insightful)
And you think the People in Charge (tm) have a problem with that?
Did you know that there is a company in Texas (I've forgotten their name) that has the copyright on a Standardized Municipal Code in use across the US and that they don't allow licensees (i.e., cities) to publish it. In many places, if you want to read your city's laws, you need to pay for a license or go down to city hall and read their copy. I swear I'm not making this up.
Ignorance of the law is no excuse. That'll be $20 for your copy.
Re:Hmm. (Score:3, Insightful)
Anyways, my intent was not to end the discussion by simply calling it "art". My point was, there -are- some reasons that distribution of virus code (note, I -do- say code and not executables) should not be made illegal, beyond the problem of "what constitutes malicious code" and "free speech". Virus code is -interesting-.
Beyond that though, I think this is very similar to the Anarchist's Cookbook argument...should writings detailing how to make bombs and other harmful objects be illegal to distribute? I certainly don't think so, it's way too much loss of freedom for an indeterminable amount of safety in my book. And we're possible talking real, physical harm to real people with that.
Re:Free Speech + Action argument doesn't hold (Score:1, Insightful)
You mean, like this? (Score:3, Insightful)
CodeRed.zip at Eeye.com [eeye.com]
and
CodeRedII.zip at Eeye.com [eeye.com]
Eeye.com has often posted the proof-of-concept exploits as a part of their advisories... is the author of the guest editoral saying eeye.com is doing wrong?
Back when the original Code Red was stirring up a ruckus, I posted its disassembled code (from eeye) to alt.comp.virus.source, and an short discussion of several weird aspects (poor coding) of the code ensued. I don't think I did anything wrong by posting it. If some weasel used that post (or other such sources) to create CRII, so be it. IMO, by that time any servers that were still vulnerable to CR/CRII deserved to be hit and, better yet, TOS'd by there ISP.
I just don't subcribe to the idea that suppressing potentially dangerous source code will do good in the long run. Having the source available and widely distributed has several advantages:
- promotes understanding of exploit mechanisms in order avoid making the same mistakes in the futre
- promotes rapid deployment of fixes. There is no pressure greater than knowing every little script kiddy's got the code
- raises awareness of code weaknesses/failure modes/common pitfalls (maybe *someday* CS courses will teach future coders to prevent buffer overflows!)
I firmly believe that being open about software/network/OS weaknesses will gradually drive the state of the art in secure software to a much higher level. The "keep quiet", "head-in-the-sand" approach that M$ is promoting these days will only hinder such advances. I'll make a loose analogy to the old outlaws & guns argument: "If you outlaw virus source code, only outlaws will have virus source code."
In fact, I think it is *imperative* that malicious source code NOT be suppressed. How else can we arm the next generations of app and OS coders to develop resistance code?
Re:That point of view is extremely dangerous (Score:5, Insightful)
For example, look at Napster - I dispute your argument that people wouldn't have broken those copyright laws anyway - how many people make copies of tapes for thier friends? It's simply that Napster allowed it on a SCALE that hadn't been seen before. And I'm somewhat of the argument that if the majority of people, when given the opportunity to break a law, would do so then we need to re-think the law. Especially when the result of breaking the law causes no direct harm to anyone.
However, rather than considering that we might want to re-think copyright law, into something more compatibile with modern technology, instead they simply drop even heavier bombs and try to legislate it out of existence.
This attitude toward speech is like the Victorian attitude toward sex - if you keep it in the dark where nobody can see it, we can all pretend it doesn't exist - but it still does. Keeping it in the open means that everyone knows it's there, and we can all talk about it. Yes, some people will abuse it - but I'd rather get hit by something I know about and can prepare for, than something which is kept secret and underground and that I don't even know about.
Re:That point of view is extremely dangerous (Score:2, Insightful)
First, we already have a lot of readily-available "dangerous" information, such as how to make napalm, pipe bombs, or homemade poisons. We have since before the advent of the internet. And I mean before 1969, not 1993. The information about how to kill one or several people is not hard to find, and never has been.
Second, cracking and counter-cracking technologies are running an arms race, where exploits run a smaller chance of causing damage as time goes by. Some of the counter-cracking measures may advance because of altruism, but they are significantly hastened when a proof-of-concept demonstration is released to "arbitrary" parties (i.e., security-minded software consumers--the general public). They cannot afford the perception of sitting still while their security measures are overtaken.
This is why your time-travel argument makes no sense, because you are deliberately speculating about an impossible scenario, one that does not exist in the world today or in a foreseeable future, and using it as a basis to restrict basic freedoms. Who's being dangerous now?
Re:Hmm. (Score:1, Insightful)
Actually, virus source code is also just telling you how to do those things and will only do those things if you take extra measures to make it do them, eg: compilation and execution. Go ahead, try and convince windows or linux or -insert os here- to execute asm source without compilation.
Re:I like the scientific analogy (Score:3, Insightful)
Here's something to keep in mind. You know how whenever an article comes up about unethical behavior by a corporation, someone always brings up the fudiciary responsibility thing? About how companies HAVE to make money, and they can be held liable if they don't do everything in their power to make money? Are you sure you want a company like that in charge of, well, anything? (Come to think of it, doesn't this mean if Symantec ISN'T driving sales of Norton AV by releasing viruses, they should be?)
Re:That point of view is extremely dangerous (Score:5, Insightful)
But you provide no evidence that of the two alternatives, yours is better. Your scenarios are for the most part equally applicable to the hiding case; instead of information spreading openly, it spreads covertly. Doesn't change much. You can't keep information from a determined person; people are just too smart.
I'd say that the post you are replying to is much better constructed as an argument, because it says why the alternative is better: The good guys can find it and learn from it. How is your proposal better? The bad guys still find it*. Now maybe the good guys don't. The "demented person" scenarios remain.
Step up a meta level. You're focusing too tightly on a small part of the problem, and missing the global implications.
I say that both revealing and hiding the information is dangerous. The danger comes from people, and therefore cannot be removed from the equation. (This is what you implicitly try to do, by hiding the information. The problem is, the information is not the danger.) But of the two alternatives, open discussion is clearly the preferable choice, both in theory, and in practice.
(*: Proof: Look at the real world. Happens all the time. This is undeniable.)
Code = Speech (Score:2, Insightful)
Re:That point of view is extremely dangerous (Score:3, Insightful)
The biggest problem with this line of thinking is that without the research being done on this stuff, there's no way to develop defenses. Someone is going to develop it eventually, and without the necessary defenses then everybody will be vulnerable. It's like you said, "because you cannot make the entire world's population obey an honor system."
Malicious code isn't (Score:2, Insightful)