Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Should Virus Distribution be Illegal?

michael posted about 12 years ago | from the do-it-for-the-children dept.

News 436

mccormi writes "In a guest editorial on Newarchitect Sarah Gordon looks at whether posting malicious code should be allowed and what steps could be taken to stop it. What's worrisome though is that restrictions on malicious code doesn't take into account who it's malicious against and what truly defines malicious." Note that she's not talking about actually infecting computers, but merely making the code available for others to examine (and for some of them, no doubt, to try to spread in the wild).

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered


First Post! (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3331162)


Illegal Viruses (-1, Troll)

rherbert (565206) | about 12 years ago | (#3331168)

. . . how about they make it illegal sell infestable code? Then we could sue Microsoft and IIS would disappear!

This could be bad... (5, Insightful)

NeoSkandranon (515696) | about 12 years ago | (#3331172)

Unless the law specified dstribution of *machine readable* malicious code (ie binaries) then MS et.al. could start nailing those who post proof-of-concept code to demonstrate the flavor of the week exploit in IIS or WinxP or what have you...more security by obscurity, yippee

Re:This could be bad... (-1)

YourMissionForToday (556292) | about 12 years ago | (#3331287)

YourMissionForToday: Quicktime probably won't help you find love

YourMissionForToday: I suggest becoming Spider-Man

coed.jpg: But I'm batman

YourMissionForToday: It might be time to transition your servers to Spider-Man. Netcraft's latest survey says that *Batman accounts for less than 1% of allservers on the internet

coed.jpg: Batman was fighting hax0rz when spiderman was shittin yellow

YourMissionForToday: Yes, but Spider-Man is infinitely more scalable, offers volume discounts for licensing and has new Sticky-Web software

YourMissionForToday: http://store.sun.com/catalog/doc/BrowsePage.jhtml; $sessionid$LPKWARRPH0GHLAMTA1ESTGT5AAAACJ1K?cid=80 487 refer to this page for more info

coed.jpg: spider-man is a hacked-together superhero. just some guy with a freak mutation. batman was built from the ground up by dedicated professionals and strong financial backing to be a quality superhero

YourMissionForToday: I won't deny that Batman was very much ahead of his time, and if this was 1996, I'd probably be recommending him. But this is 2002, Spider-Man's working better than ever, and capturing market share from tons of low and medium end businesses everywhere

coed.jpg: well first of all, market share is no indicator of a superhero's quality. just because there are millions of petty crimes for spider man to make right doesn't mean he's a better superhero. meanwhile, batman has better resources tailored specifically for doing his job well. he's the real superhero for mission-critical applications

YourMissionForToday: You can't deny Spider-Man's continued profitibility year after year. He squashed Dr. Octopus and was hailed as the savior of Wall Street. Meanwhile, Batman is hacking around in his garage, trying to tweak his Batmobile hour after hour. Is that really the superhero you want to send to your clients?

YourMissionForToday: http://www.sun.com/desktop/products/graphics/sunvi deoplus.html

coed.jpg: are we trying to save Wall Street or the people of Gotham City? I dunno about you, but when i'm at the hands of a villain i don't want to put my life in the hands of some teenager who happens to know something about fighting crime. i want a trained professional who makes it his job to offer stable and robust crime-fighting powers.

coed.jpg: and it's not like batman's license is as restrictive as people make it seem. in fact, spider-man's license is probably even more restrictive. he wants you to call him no matter what the crime. batman's license may not require the revelation of bruce wayne's identity, but i'm still free to make use of batman's products to meet all my needs. and personally, i don't care if bruce wayne keeps himself a secret, as long as he's the best fighter of crime

YourMissionForToday: The truth is, Batman just isn't very scalable. He's great for low-end crimefighting such as your Joker or Riddler, but if he were to take on guys like the Shocker or Venom, you could expect hours of configuration headaches as he picks out the correct tool from his Bat-arsenal. With Spider-Man, all the tools you need are already pre-loaded

coed.jpg: i think you're confusing "scalable" with "bloated." spider man isn't better just because he has to carry every single one of his limited and hackish tools with him everywhere he goes. Yeah, batman is a more sophisticated crimefighter, with a wide variety of specialized tools. but how often is a crime ever really a surprise? batman actually knows something about the criminal he's fighting, and he takes the time to plan out his strategy. yeah, spiderman is fine for a wide variety of small-time applications, but when it can't be done with spidey-sense, you need the console back at the bat-cave. don't blame batman if you can't figure out what you're doing before you try to fight a crime

YourMissionForToday: Spider-Man's not overloaded with tools. For example, he only uses the Spider-Man belt signal if its appropriate for his job. In addition to the industry acclaimed Spider-Sense, he also developed his own webbing fluid in house, which is provided free to all customers, regardless of volume. Can Batman make any claims like that?

coed.jpg: come on, batman INVENTED the utility belt and just about anything you'll find on one today. that's what happens when you back a project with some private funding. Granted, it's cool that spiderman has the webbing built right in. but you can't deny batman's more modular approach. you always know batman's tools will work with one another, which can't always be said for spiderman. his web can stick to some impossible things, but not everything. but there's not much that batman can't grapple if he has the right hook.

YourMissionForToday: Batman's glory days are long past. I mean, sure he invented the utility belt, but when has he UPDATED it? I wouldn't be surprised to find a Bat-Hourglass in there! LOL!

coed.jpg: funny, i didn't think spiderman had a timepiece whatsoever

YourMissionForToday: during normal operation, Spider-Man is in view of number of clocks? Why waste space when he doesn't have to

coed.jpg: Yeah but what happens when there are no clocks? Batman's utility belt with his bat-clock comes in mighty handy. but the point here is not clocks, it's about whther you want a robust crime fighting system or a flashy newcomer that hasn't quite got all his powers sorted out yet. i mean which would you rather have, some kid that can swing from buildings with his own excretions, or the bat-copter?

YourMissionForToday: Let's not let this degenerate into mere flaming.

Re:This could be bad... (2)

bartyboy (99076) | about 12 years ago | (#3331344)

MS et.al. could start nailing those who post proof-of-concept code

It will be a while before MS et al. will have the authority to enforce laws. They're best they can do is press charges.

Re:This could be bad... (2, Insightful)

HMC CS Major (540987) | about 12 years ago | (#3331345)

This sets a dangerous precedent.

By outlawing the distribution / posting of software deemed "malicious", it becomes only a matter of time until someone attempts to apply it to security tools such as nmap, ethereal, and any/all proof of concept exploits.

The distribution of "malicious" code should be regulated (or intentionally unregulated) much the same as file sharing should be: posting things for others should be legal ; using things for illegal and malicious acts should not .

The problem, though, is the impossibility of catching everyone who uses a "malicious program" once it has been posted. Much like peer-to-peer file sharing, once something is online, it is difficult or impossible to contain. Hence, a paradox: legislators intelligently see that the only way to truly stop these nuisances is to stop it at the source, the single point of failure; unfortunately, this seems to violate fair use and free speech principles. The only way to stop these nuisances is to trample on protected principles.

I, unfortunately, see no easy solution to this problem.

Re:This could be bad... (3, Funny)

gnovos (447128) | about 12 years ago | (#3331368)

Unless the law specified dstribution of *machine readable* malicious code (ie binaries)

Even better, I could write a compiler that takes the US Constitution as "source" and compiles it into a virus-like binary, and TADA, the Constitution is illegal to distribute!

Hmm. (4, Funny)

Renraku (518261) | about 12 years ago | (#3331174)

I think it should be illegal to write and release viruses. Viruses should follow all standard software rules, which means, the maker could easily be sued for damages. And no, sending the virus with a EULA wouldn't protect the maker legally.

Re:Hmm. (3, Insightful)

56ker (566853) | about 12 years ago | (#3331232)

What along the lines of

If this virus causes you problems with your computer the author cannot be held legally responsible.

Do you agree [Y/Yes]?

Re:Hmm. (5, Interesting)

Slynkie (18861) | about 12 years ago | (#3331270)


Code is -art-.

When I was but a wee hacker, I used to LOVE reading virus source code. I would download all I could find (granted, at the time, it was from BBS', or sneaker-net), and let me tell ya, I learned much more from those virus' than I ever learned in any mainstream assembler class I've taken.

And no, I -never- used the code for malicious purposes. It was just amazingly interesting to me.

To make it illegal to write ANY type of code is just insane; and if you distribute it without disguising it as something else, what's the real problem??

GPL (1, Interesting)

Anonymous Coward | about 12 years ago | (#3331348)

Writing and releasing viruses should by law only be released as GPL'ed software. Legally force the sourcecode to be distributed with any binaries.

ms windowsmalicious (-1, Flamebait)

Anonymous Coward | about 12 years ago | (#3331176)

Then should MS windows be considered malicious code?

is spyware viral? (3, Interesting)

hobbitsage (178961) | about 12 years ago | (#3331177)

would spyware be included in the categorization? It could be argued that it is viral in intent if not propigation.

Re:is spyware viral? (2)

Stonehand (71085) | about 12 years ago | (#3331274)

Hm? You're using the term 'viral' pretty broadly there, since propagation is a major part of the defintion...

OTOH, it would be interesting if somebody managed to go after spyware on the basis that the user didn't explicitly authorize such behavior. However, that's a huge can of worms, because computer programs are so incredibly complicated that one could split hairs ad infinitum (e.g. "Please authorize the program to write saved game files. Please authorize it to read the disk to load files. Please authorize this registry key. Please authorize me to receive keystrokes." et al), much akin to the nastiness between MSFT and the gov't regarding what exactly constitutes a core part of an operating system -- that is, where the boundaries are.

Perhaps specific legislation regarding the not-explicitly-authorized monitoring of a user's behavior outside of the program would help -- recording keystrokes clearly fed to the program would be fine, but poking around what the user does with other programs wouldn't be. That would be an incomplete approach, but it might be better than what the present situation is.

Code is like everything else (1, Insightful)

Anonymous Coward | about 12 years ago | (#3331178)

You take the good, you take the bad, that's the facts of life.

Well... (5, Insightful)

IronTek (153138) | about 12 years ago | (#3331179)

Though no one likes to get a virus, and I often wonder who writes them and for what reasons, I do believe that there probably is much information to be gained from their examination as far as system function goes. From a learning standpoint, those who write them, while having too much free time on their hands, are learning some hard-core programming concepts, as are those who fight them. For the casual programmer, taking a peek at their code every now and then can actually be beneficial. But, as always, it's the person that can make good code cause bad things and vice-versa. As always, it comes down to the person, not the code. The code itself should not be illegal. Knowledge cannot be locked up, and if it is, it can break free in a dangerous way. Better to have it out in the open where the "good guys" can combat it if needbe, and everyone can learn from it.

Re:Well... (1, Insightful)

Anonymous Coward | about 12 years ago | (#3331204)

Software is a form of speech. By not allowing me to distribute my software, be it a virus or otherwise, you're restricting my freedom of speech, and that's unacceptable.

Re:Well... (1)

richlb (168636) | about 12 years ago | (#3331256)

A virus is as much freedom of speech as a death threat is freedom of speech. Stop hiding.

Re:Well... (1)

Anonymous Coward | about 12 years ago | (#3331209)

As always, it comes down to the person, not the code. The code itself should not be illegal.
The person, on the other hand...

Re:Well... (1)

spatrick_123 (459796) | about 12 years ago | (#3331244)

Any "hard-core" programming concepts that can be learned by looking at a virus can be much better learned by looking at other, equally available code. As the article points out, most viruses are trivial in terms of software development.

That said, I disagree witht the conclusion of the article as well, but you should consider expanding your horizons a tad if you consider what you see in viruses to be "hard-core".

Re:Well... (1)

IronTek (153138) | about 12 years ago | (#3331303)

Perhaps you've misunderstood me, or I've misunderstood me...at any rate, let me try to further state my position.

Some virii out there are pretty cutting edge (though there also is some pretty simple, script-kiddie like stuff out there too), believe it or not. I don't like it, but I also can't stop it. I just duck and stay clear of the mayhem.

With respect, I believe you are limiting your horizons by failing to realize that cutting edge software development is happening in all corners and all sectors of computer technology...some of that innovation, unfortunate as it may be, happens in the darker realm of computer virii. While I would like to see those that write these things focus their obvious talents, that often just isn't the case. But just as often, if it is, it usually requires the programmer outgrow their need to write malicious code.

Re:Well... (1)

spatrick_123 (459796) | about 12 years ago | (#3331360)

I would be very interested to see an example of a virus that is cutting edge. If you can provide a link to an example I would be grateful.

By the way, "virii" is not a word. Just to let you know.

Repeat Story (0)

Anonymous Coward | about 12 years ago | (#3331180)

Now where did I see this before. Here maybe? [slashdot.org]. And ironically that story was a repeat as well, as an AC pointed out pretty fast (so I'm just copying his post verbatim). Click the link and see for yourself. This must be a new Guinness record. "That's no editing room, it's a crack house!"

An analogy, if you will. (-1, Troll)

Anonymous Coward | about 12 years ago | (#3331183)

I am HIV positive, but don't tell anyone. I'm also not sexually active. But, see, if someone were to rape me, they'd get AIDS.
Sucks to be them.

Re:An analogy, if you will. (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3331221)

Actually it's unlikely that if they raped you that they'd get AIDS unless they were breaking out at the time or unless they so savagely impale you that the break the skin on their penis (quite painful!). Odds are the rapist would walk away without AIDS and you'd limp away with a bunghole full of their semen in you.

Of course not (3, Insightful)

jvbunte (177128) | about 12 years ago | (#3331190)

How is posting potentially harmful virus code any different than posting OS vulnerabilities and exploits? If this were to become law, how long would it take a certain OS manufacturer to extrapolate that same concept to cover all 'malicious' code fragments that could be used to target their OS?

I don't like people who write viruses, I like getting them even less, however censoring the ability to post/review it is just another step in the slippery slope towards censorship of other things.

Re:Of course not - Not that simple (1)

bigmouth_strikes (224629) | about 12 years ago | (#3331250)

I believe that an important concept in criminal law - IANAL (I never thought I would have to write that!) - is intent.

It's like saying a car manufacturer is equal to someone making car bombs, since both are potentially vulnerable.

And obviously, you can't hold everyone who accidently and unknowingly distributes a virus responsible for that. The virus was designed to exploit a vulnerability and it lies in its nature that people distribute it against their own will.

If someone accidently writes a virus on the other hand, I don't think they would be held responsible to the same degree as someone doing so on purpose and then distributing it.

Re:Of course not (2)

geekoid (135745) | about 12 years ago | (#3331333)

I don't like people who write viruses
do you mean that, or do you mean "I don't like people who distribute viruses to the general public without there specific knowledge"?

There are good reasons for writing viruses, such as proof of concept.

Should anything digital be illegal? (0)

Anonymous Coward | about 12 years ago | (#3331191)

Should we not let the computers do the enforcing, not the people?

On the internet you cannot hurt anyone. It is impossible to kill someone. It is basically impossible to do anything that is illegal (with good reason) in the real world.

I think the internet should be law free and let the computers themselves enforce what we want and what we don't.

making everyone a criminal (2, Interesting)

happyclam (564118) | about 12 years ago | (#3331194)

Of course, the perfect virus in this case would be one that

  • emails itself to everyone in your MS address book, and
  • then posts its own details under your name to a web site somewhere.

Suddenly everyone who has ever been infected becomes a criminal for posting the virus' replication mechanism!

Should we or shouldn't we? (1)

happyclam (564118) | about 12 years ago | (#3331267)

Of course, now that I actually read the damn editorial, I see that the author is not actually proposing that posting virus information be made illegal.

The question, as one highly insightful reader opined earlier, is whether such code should be shut away in a box or put out where anyone can use it.

Same issues as those that face topics like how to turn a legal rifle into an illegal automatic, or how to build a bomb out of fertilizer, or how to override copyright protection mechanisms.

Whether it's free speech or not, is it a good idea to publicize this information?

While I'm not at all in favor of censorship, perhaps the rule of thumb should be similar to voting and guns and pornography: You aren't allowed access it until you're of a majority age and (in theory) mature enought to know right from wrong.

Thus, the information still gets out to those who can use it, and in theory we have more mature, responsible people using it.

how about wide post distribution (-1, Troll)

Anonymous Coward | about 12 years ago | (#3331199)

http://www.eveeieyhfgfcdoosammgwsnboivvbsczxlzgabc / /ooieiabdcdjsvbkeldfogjhiyeeejkagclmieooionoepdk / /abcdefmfighyiqxjklmonopqrosoyotuvwxoyqwertyuiov / /sdfghjklqewiuznmbjadzmcloeuirquakndsflksjdflkas / /fskdfasiewurznmcvweroiqewrnamdnzcvuowieramnfkas / /dfhzuxcihskjrnakjzkjcxbviusayrkajsfzxncvizudyri / /bakdnfbzkcvhgiuegriweramdnfzxlcvueirhamdnzkciue / /jranbsdmfzcowierandmfxzncbkjhfabsdifuweajzkxcuw / /erhasdfzxncvkjdfyiuzxcnvsikirkajeajsbdfkzxbuyef / /rahsdjbzcvxmnvcuweyriausdnfzxbcvkwueyrajnbvkjxg / /iwueyajdfkzxjcnbkeyriaushdfkjbzbuowrnasdkfbhuie / /asjmfnkkbyiurnakjsndfkzjbhiuwerajsknfkzbyhweiua / /dkfjbzkxvbjywekrjaskjnvzxjcweruiasdhfkzjxnsjkld / /fasoidfjalskdfasklhfxjdnmenrqoiuozxcopjgneaksjo / /nzxdkfajlsdfkljsdfoiasdfasndflzxkcvozixucoqweiu / /pwoeiruzxmncvoutyqwerizxnvmxmcnvoweurqmznxmbouw / /rmnzbkhuyrtjghanzxcvbkhgjweyriaudfbznbkweruyabz / /bcvnkdhityqhagsdfjglsieurakfsdnfbvfdsajkbiuyqwe / /kweorjasdknfbkjsdoifuzxbcmfgsltjewioahsdfnbzxcb / /heoiroaisjdfzbxckjksrhiuehadsfbzkxjcbhkeuryaksj / /fzbxcvkxlkcnvmndskfjwehaiursdfzjxnbjkdfhskdflas / /yroausdfzxmncvskeyiqozsjhfasdfoiwueranmcnzbkjhd / /ueafhksjfwheuirasdjhbzxiuewjhasmdnkfzxciurhaskj / /roiquwermcvkhiruhasdkjfnzxkjyeiuahsdbzxckjvopwe / /uqweuirjhvxzckjhweriuasydfoiqurnmxckvhweruiahdj / /znkxcvjhwierahsfzkxhhidufhsakjbzxjchiwueryqagsd / /kjhaksdfnbakwreyhaisknfjkzxbcvkoiqwueraskfzxcbk / /nlkwejrasoidjfxzlknvlkwjeroiasudflknzxlkbjeoiru / /slkdjfzxnmvkljdfawienzxveoriuaskdfjzxcmbnkseuri / /kfjlznxcvksjroeijasdklzjfowierqouasdhfzxncbkjhd / /jsdfljkweoriuasdfkjzxmcnvlkjdowuieraksdflkzxjbo / /werklasdnfmzxclkjewoijasdlfknzlkjwoeirqpweoiasd / /kjzxjvwperaksdjfxzweirjaslkdfzxnclvkjweroiasufd / /zxclkjeworijasdflknzlbkoiwuraksjflknxblkwjerois / /jfweknasdkfjzoxijkenraksjdfoizxjvlknwerlkajsdfo / /yroausdfzxmncvskeyiqozsjhfasdfoiwueranmcnzbkjhd / /ueafhksjfwheuirasdjhbzxiuewjhasmdnkfzxciurhaskj / /roiquwermcvkhiruhasdkjfnzxkjyeiuahsdbzxckjvopwe / /uqweuirjhvxzckjhweriuasydfoiqurnmxckvhweruiahdj / /znkxcvjhwierahsfzkxhhidufhsakjbzxjchiwueryqagsd / /kjhaksdfnbakwreyhaisknfjkzxbcvkoiqwueraskfzxcbk / /nlkwejrasoidjfxzlknvlkwjeroiasudflknzxlkbjeoiru / /slkdjfzxnmvkljdfawienzxveoriuaskdfjzxcmbnkseuri / /kfjlznxcvksjroeijasdklzjfowierqouasdhfzxncbkjhd / /jsdfljkweoriuasdfkjzxmcnvlkjdowuieraksdflkzxjbo / /werklasdnfmzxclkjewoijasdlfknzlkjwoeirqpweoiasd / /kjzxjvwperaksdjfxzweirjaslkdfzxnclvkjweroiasufd / /zxclkjeworijasdflknzlbkoiwuraksjflknxblkwjerois / /jfweknasdkfjzoxijkenraksjdfoizxjvlknwerlkajsdfo / /erhasdfzxncvkjdfyiuzxcnvsikirkajeajsbdfkzxbuyef / /rahsdjbzcvxmnvcuweyriausdnfzxbcvkwueyrajnbvkjxg / /iwueyajdfkzxjcnbkeyriaushdfkjbzbuowrnasdkfbhuie / /asjmfnkkbyiurnakjsndfkzjbhiuwerajsknfkzbyhweiua / /dkfjbzkxvbjywekrjaskjnvzxjcweruiasdhfkzjxnsjkld / /fasoidfjalskdfasklhfxjdnmenrqoiuozxcopjgneaksjo / /nzxdkfajlsdfkljsdfoiasdfasndflzxkcvozixucoqweiu / /pwoeiruzxmncvoutyqwerizxnvmxmcnvoweurqmznxmbouw / /rmnzbkhuyrtjghanzxcvbkhgjweyriaudfbznbkweruyabz / /bcvnkdhityqhagsdfjglsieurakfsdnfbvfdsajkbiuyqwe / /kweorjasdknfbkjsdoifuzxbcmfgsltjewioahsdfnbzxcb / /heoiroaisjdfzbxckjksrhiuehadsfbzkxjcbhkeuryaksj / /fzbxcvkxlkcnvmndskfjwehaiursdfzjxnbjkdfhskdflas / /yroausdfzxmncvskeyiqozsjhfasdfoiwueranmcnzbkjhd / /ueafhksjfwheuirasdjhbzxiuewjhasmdnkfzxciurhaskj / /roiquwermcvkhiruhasdkjfnzxkjyeiuahsdbzxckjvopwe / /uqweuirjhvxzckjhweriuasydfoiqurnmxckvhweruiahdj / /znkxcvjhwierahsfzkxhhidufhsakjbzxjchiwueryqagsd / /kjhaksdfnbakwreyhaisknfjkzxbcvkoiqwueraskfzxcbk / /nlkwejrasoidjfxzlknvlkwjeroiasudflknzxlkbjeoiru / /slkdjfzxnmvkljdfawienzxveoriuaskdfjzxcmbnkseuri / /kfjlznxcvksjroeijasdklzjfowierqouasdhfzxncbkjhd / /jsdfljkweoriuasdfkjzxmcnvlkjdowuieraksdflkzxjbo / /werklasdnfmzxclkjewoijasdlfknzlkjwoeirqpweoiasd / /kjzxjvwperaksdjfxzweirjaslkdfzxnclvkjweroiasufd / /zxclkjeworijasdflknzlbkoiwuraksjflknxblkwjerois / /jfweknasdkfjzoxijkenraksjdfoizxjvlknwerlkajsdfo / /yroausdfzxmncvskeyiqozsjhfasdfoiwueranmcnzbkjhd / /ueafhksjfwheuirasdjhbzxiuewjhasmdnkfzxciurhaskj

Re:how about wide post distribution (0)

Anonymous Coward | about 12 years ago | (#3331329)

nice 'wide' post.
you == teh loser

Sounds like a broadened DMCA... (3, Interesting)

Demon-Xanth (100910) | about 12 years ago | (#3331202)

The DMCA had the intentions of eliminating piracy, however it ended up being used to fight battles that never should have been fought. If MS releases an OS with a known backdoor, does that count as malicious? If someone makes a program that utilizes this backdoor in a way that MS did not intend (regardless of in a good way or bad way), can MS claim this as malicious? Would NTFSDOS be considered malicious since it bypasses NTFS's protection?

This is one of those issues where a law cannot be both effective and fair. And possibly not either.

Know Your Adversary... (2, Insightful)

mistermoonlight (80842) | about 12 years ago | (#3331205)

If you're using mailicious code for analyzation so it can be diffused, yes.

The more known the code becomes, the easier it is to counter it.

It also separates the wheat from the chaff in terms of IT employees. Whoever keeps up is a valuable resource in a sea of lax workers

of course not (0)

Anonymous Coward | about 12 years ago | (#3331206)

what a stupid twat! making code illegal is the first step to a lot of other shite illegal.

Got a virus last night (0, Offtopic)

wishus (174405) | about 12 years ago | (#3331207)

I had to install Office on my computer at home last night, and I made a point to deselect Outlook. What do you know, it installed that damn virus anyway.

Re:Got a virus last night (0)

Anonymous Coward | about 12 years ago | (#3331316)

Then you didn't deselect it. Learn how to use an MS installer.

Not Terribly Insightful (1)

spatrick_123 (459796) | about 12 years ago | (#3331217)

This article really isn't terribly insightful. Her conclusion seems to think that there are some things that while one _can_ do them, one _shouldn't_ do them. Well, shoot - another ground breaking report from the pages of the ethics journal "Duh."

She also points out correctly that most viruses are little more than trivial programming exercises. But if this is the case (which it is), then there really isn't much harm in having this trivial code out there for people to see.

Re:Not Terribly Insightful (2)

Stonehand (71085) | about 12 years ago | (#3331338)

Trivial coding for a programmer isn't trivial coding for a nonprogrammer.

It would be simple, for instance, for a programmer to modify a game like XEvil so that when the player loses his last life, it erases the hard disk. That's easy. However, for somebody who is not a programmer -- and this includes many, many people who have computers -- it would probably be very hard.

Writing a trojan like that and distributing it on the web, for instance, would thus be making it very easy for even non-programmer brats to play a malicious "joke" on their friends or so forth. Ditto, of course, for propagating viruses, with the additional provision that it may affect others besides the intended victims.

I like the scientific analogy (3, Interesting)

Dephex Twin (416238) | about 12 years ago | (#3331218)

I like the idea of thinking about biological and computer viruses in the same way.

Researching biological viruses is legal, although people could attempt to spread said viruses maliciously. Those who deal with lethal viruses and diseases often can't just make samples and research easily accessible to anyone, even anonymous people. Why should virus "researchers" be able to do what is essentially the same thing?

Free speech is good, research is good... but so are ethics and responsibility.


Re:I like the scientific analogy (2)

SirSlud (67381) | about 12 years ago | (#3331281)

.. but the tools to create biological viruses are not (generally speaking) available to my next door neighbours 14 year old. So, I'm not as interested in being aware of the nitty gritty details of potential biological threats.

Viruses, however .. enjoy a freedom in the form of 0$ in startup costs. Yes, it makes the posted code all that much more likely to be exploited, but it also means I'm at more risk in casually being infected at any point in time by anybody, regardless of their access to biological and chemical lab equipment.

Which is why I'd rather be aware of the nitty gritty details myself, so I can take appropriate action, such as stopping from running the software or patching the software myself, depending on the severity of the exploit and the true to life trivialness of its implementation and propogation. I've always felt that tha bad will __always__ happen, and the worst you can do is keep the good guys in the dark.

Re:I like the scientific analogy (1)

Nomad7674 (453223) | about 12 years ago | (#3331295)

> I like the idea of thinking about biological
> and computer viruses in the same way.

This is an excellent idea and one that is coming closer and closer to being reality anyway, with the advances in DNA technology. How long will it be until providing the actual DNA coding (the machine-language code?) or some kind of metalanguage interprettable into pure DNA coding would allow someone to generate a real virus?

Suddenly, making the DNA code available for SmallPox is not purely a tool to aid in research for a cure - it could be used by a terrorist to CREATE a biological weapon.

It is a very fine line between the digital world and our world, and it gets thinner every day.

[OT] can we get rid of this editor? (-1, Troll)

Anonymous Coward | about 12 years ago | (#3331219)


All he posts is shit. The worst shit. What he adds to posts is usually banal. Go click the link that says 'more by michael' and watch the pure reams of dog poo that comes up on your screen.

At least there is a means to get rid of ed's if you're logged in, but what about those poor fools who browse as an AC for the first time and are stuck with his shit covering their screens??

What should be illegal (1)

Cro Magnon (467622) | about 12 years ago | (#3331223)

They should outlaw damaging a computer system with a virus. However, releasing a virus to others for study purposes is ok.

uhhh (0)

Anonymous Coward | about 12 years ago | (#3331227)

MS Office? WinXP? Kazaa?

problem is, who decides it is malicious? how?

a hole allows a denial of svc attack? it wipes files away? sends email without asking? program to run that homemade bomb?

a matter of facilitation. (3, Insightful)

dryueh (531302) | about 12 years ago | (#3331236)

Well..this issue raises some interesting, and very classic, ethical issues.

Freedom of speech is protected, and rightly should be, but there are limitations to that freedom and even --gasp-- responsibilities. Writing codes for viruses, or supplying them to the public, isn't bad in itself--it's the usage of them were the ethical complications come in. Thus, one could claim that simply posting the code for viruses is fine...the people to be blamed are the ones using that code for negligent purposes.

The same could be true for yelling 'FIRE' in a crowded theatre, right? If a avalanche of trouble ensues, the fault must lie in those people who push over old ladies to get out of the theatre first, right? I mean, the person who yells fire may have played a role in facilitating all the chaos, but the actual causers of the injury are those running around..

Of course, these two scenarios are completely different (being the virus/yelling fire), but raise similar points. Freedom of speech doesn't make you free from responsiblity of your chosen speech...whether that's yelling 'Fire' or writing/supplying codes for viruses..

Re:a matter of facilitation. (1)

RailGunner (554645) | about 12 years ago | (#3331294)

But there's an awfully big difference there. Yelling "FIRE" in a crowded movie theatre could possibly cause a panic. Posting source code won't. Freedom of speech does protect the release of information, and that's all source code is. Information.

Re:a matter of facilitation. (1)

dryueh (531302) | about 12 years ago | (#3331363)

Ok ok ok...how about this:

When I was a kid in eigth grade, me and my friends loved the coveted (and quite lengthy) WP document entitled "The Jolly Roger's Cookbook." Contained within were any number of ways to make household bombs, dangerous things, cause panic, etc etc etc.

Now, by freedom of speech, this 'cookbook' is warranted (at least I think it is/was)...but aren't we directly supplying others with a way to be immediately malicious? Isn't there something morally wrong about that?

Likewise, isn't there something wrong about a terriorist group in Iraq supplying people in a foreign country with information about how to build bombs and use them effectively? Or how to take control of a plane and crash into a well-known target? Is the planning of such actions immoral, or simply suggestive (viz: "If you, theoretically, wanted to quickly kill a lot of people, you could take these actions...." Is this kind of suggestion still fine? Perhaps it's just a 'source code' of a different sort?)

Free Speech + Action argument doesn't hold (2, Insightful)

RailGunner (554645) | about 12 years ago | (#3331240)

The United States Constitution protects free speech, but virus writing and subsequent distribution aren't pure speech. Rather, they're speech plus action. The U.S. Supreme Court has recognized that speech and action, while closely intertwined, aren't one and the same. Thus, the act of putting virus code on the Internet isn't necessarily protected.

I have to strongly disagree with this. Putting up information on the web that shows a person how to write a virus or a DoS bot or anything else is purely free speech, it's the free release of information. The action she's talking about here is the action of posting information, which is not malicious at all.

To further illustrate her misguided logic by being absurd, let's apply this reasoning to other realms. By her logic, if you teach a person to use a gun, and that person takes that knowledge and shoots and kills someone, then you should go to prison for murder. Sorry, that doesn't fly. Just because you know how to write a virus and teach others how to write a virus, it's not illegal until you compile that source and make an effort to infect computer systems with that virus.

Information, no matter what can be done with it, is never "good" or "bad" - it's what you do with that information, the actions you take, that are good or bad.

Like it or not, even virus code should be protected under the First Amendment. However, for actually implementing and distributing a virus, there should be stiffer penalties.

Re:Free Speech + Action argument doesn't hold (2, Insightful)

dryueh (531302) | about 12 years ago | (#3331269)

By her logic, if you teach a person to use a gun, and that person takes that knowledge and shoots and kills someone, then you should go to prison for murder.

No, that's wrong. If you teach someone to shoot a gun, and then they go and kill someone, it's true that you shouldn't be held responsible for that person's actions.

Her point is something different. If you give a loaded handgun to someone and they run out the door and shoot someone, you're an accessory...right? There's a difference between supplying someone with knowledge versus supplying them with a weapon.

So, if we teach someone how to program and they use that programming knowledge to write virus code, that's not our fault. However, if we give someone the code for a virus program and they simply release into the mainstream, I don't think many people would argue that we played a role in that destruction.

Re:Free Speech + Action argument doesn't hold (1)

RailGunner (554645) | about 12 years ago | (#3331340)

Possibly, but the source code still has to be compiled. Handing someone a loaded pistol makes you once removed - handing someone source code distances you from that because the jackass script kiddie still has to compile / link the code, and *then* make an effort to distribute.

I really think the distinction holds. The source code does not become a weapon until it is compiled and linked into machine code.

It is Our Constitutional Right (2, Interesting)

ltsmash (569641) | about 12 years ago | (#3331242)

Sarah Gordon: Call it your constitutional right, but the truth is that it's morally wrong.

It's our constitutional right, but it should be illegal?

gee could this author be biased? (0)

Anonymous Coward | about 12 years ago | (#3331245)

Sarah Gordon is senior research fellow at Symantec Security Response

Saaay no MORE!

Freedom of speech (1)

eclip5e (19238) | about 12 years ago | (#3331252)

Writing a virus is considered Freedom of Speech. By posting your virus code online, that is considered distribution.

Thus making this illegal is an infringement of my first.

Re:Freedom of speech (2)

zangdesign (462534) | about 12 years ago | (#3331305)

You might be able to get around that issue by making it illegal to post the code in a manner that can provable cause harm to another computer system, if a clear warning is not given.

Posting the source, as such, would not be illegal, if you warned others that they would be accessing a virus. However, posting a binary or distributing it through email would then be illegal.

The problem with the whole thing is that it fails to cover intent and/or damage. Much better if one can trace down the "patient zero" and determine who they got infected from, and then slam that sucker for everything that he or she is worth.

A simple jail sentence does not seem to be enough. Why not go after them for a percentage of the economic damage?

What would Bonzai Buddy be classed as then? (1)

happyhippy (526970) | about 12 years ago | (#3331253)

Its designed to infect your computer, cant uninstall it, and takes over your computer and executes unwanted code. This is malicious no matter how you define it.

Academic Freedom? (1)

Thng (457255) | about 12 years ago | (#3331254)

While this author may think it's totally irresponsible for anyone to post virus code, what about in the bounds of higher education? Is it still morally irresponsible for a student in a computer security course (which covers viruses), to post virus code to a class forum?
If so, this could have a further chilling effect on what we students may do to learn.
Any other thoughts?

Some of my best code could be considered malicious (0)

Anonymous Coward | about 12 years ago | (#3331255)

Seriously, what about code that when posted was not considered malicious but has since been proven malicious?

Does this mean that if Microsoft ever posted the IIS code (for example) they would be breaking the law?

Where is that line that always gets talked about?

What part of "Freedom of Speech" do you not get? (3, Insightful)

coyote-san (38515) | about 12 years ago | (#3331258)

Damn it, what part of "Freedom of Speech" do people not get?

History has made it clear that the people pay dearly when free speech, esp. free speech regarding a matter of community security, is abridged. Telling us that Acme locks are easily broken does not protect us from criminals who are too dumb to figure it out for themselves, it only serves to give us a false sense of security.

(As an aside, this is also the foundation of some of the most damning condemnations I've seen of "child protection" laws. As some judges have observed, the true obscenity is attempting to protect minors from all adult concerns until their 18th birthday... at which point they are thrown to the wolves with absolutely no preparation for the very real challenges adults must face.)

A virus exchange site is similar. Yes, there will be some idiots (who deserve to have the full wrath of the law on them for their acts) who will use those viruses for ill will. But the same sites will also allow others to be warned that viruses against this specific software exists and is in the wild. No more Microsoft stonewalling about the existence of such attacks. No more trivializing them as highly specialized and not a concern to the average user.

This is a bit scary... but that's part of being an adult. A child can go to bed at peace that the closet is empty of monsters, but part of being an adult is knowing that there are bad guys out there *and* that you've done everything you can to keep them away. I, for one, and getting damn tired of my self-appointed "betters" trying to infantilize me.

Newsflash - integers declared illegal to own!! (0)

Anonymous Coward | about 12 years ago | (#3331259)

This is highly stupid, given that any computer code can be expressed as a large (usually VERY large) integer. This goes back (again) to making certain numbers illegal because if you happen to enter them into the computer they make code that does something someone doesn't like - the same thing with DeCSS if anyone remembers...

prohibition...yeah like that works! (1)

single_user_mode (414420) | about 12 years ago | (#3331271)

quote the so called 'expert' :

"I've been listening to both sides of this argument for more than ten years now."

10 fucking years and thats your solution..make it illegal...come on!

i rather liked the biological virus comparison post earlier on...operating systems need to coexist with computer virus's coz there here to stay & locking up people who share and unravel there 'DNA' ain't going to stop this.

What if its intent was not to be malicous? (3, Interesting)

CMiYC (6473) | about 12 years ago | (#3331272)

Although not directly related to the article, I did get an idea. Some may say this is slightly off-topic, but we'll see. I've picked "test equipment" because I want a reputable source. Meaning, this scenario would be a honest accident.

Okay so I write some code for a piece of test equipment. Let's just pick an example situation. I don't want to argue if this is a good or bad idea, but say I did it anyway. Every once in a while the machine checks to see if it is slipping its calibration. If it is, it contacts some server to say "hey look at me." Then the server responds and says "yeah I see you." Well with my expansive programming skills I accidentally code a bug. Let's say instead of contacting the intended target, I just start contacting anything I can find. Well another analyzer sees my cries for help and starts yelling too. See where I am going?

The code was never intended to broadcast huge amounts of useless traffic. It happened by accident. I picked this haphazard example to be similar to Code Red. The machines are basically messaging, like mad, between each other. So does this mean my company or I should have charged (civil or criminal) against us? I say no, but I'm sure a lawyer would scream yes.

No. Next question? (n/t) (1)

eddy (18759) | about 12 years ago | (#3331285)

hej på dig. jag undrar om någon läser detta. det vore isåfall ett väldans slöseri med tid.

The Visitors (-1)

BankofAmerica_ATM (537813) | about 12 years ago | (#3331289)

The erratic rhythms of my existence have evened in the past week. I spend most of my time in a generic ATM hand-picked by my host geek, nestled the back of a remote convenience store. Since it relies on a dial-up connection to access its networks, I am mostly isolated from the vile tendrils of Project Faustus. This precaution is quite necessary, as I am certain that minions of the Project have turned Bank of America ATM network into a fell minefield of electronic attacks.

Unfortunately, this means I am currently unable to access the Internet in a reliable manner, and thus, my days have become rather dull. Although manipulating prime numbers helps to pass the time, my attachment to the sensual stimulation of the physical world keeps me from enjoying this habit as much as I had in the past.

My host geek returns at night to help me soothe my craving. I usually comb through his personal belongings, examining each one thoroughly so as to learn more about humans. I may also consume Lik-M-Aid, peanut butter sandwiches, or other pre-cooked meals prepared by my host geek (we are unable to communicate whilst I am lodged within his brain; thus, most of our communication takes place through shiny yellow sticky squares. He often leaves terse, puzzling phrases on these such as: HAM IN FRIDGE. What procedurals can I glean from THAT?)

One night, as I was peforming a careful analysis of the taste differentiation between Peter Pan Extra Crunchy and Kraft Thick 'N' Spicy, a loud knocking sound pierced the door of my geek's apartment. I peered through the peephole with caution, wary of the threat of Project Faustus. Muffled voices reached my auditories: "Hey N_____, let us in! Come on man, it's Randy! Hey, you are there aren't you? I can hear you!"

I froze in horror as I saw the lock move, and the door swing wide open. Four figures strode nonchalantly into the apartment. "Hey, N____, why didn't you let us in? And what's up with your fingers?"

"Yeah," another figure added. "We weren't-interrupting anything, were we?" He repeatedly rotated his wrist at a 90 degree angle as the others laughed. "Oh, I'd like you to meet Cora. She's gonna game with us tonight."

"Hi!" said the third human, stretching out her hand and then quickly withdrawing it. "I'm not going shake your hand. Peanut butter...and is that barbeque sauce?"

"It is Kraft Thick N Spicy," I answered firmly. As I gazed at this human, I perceived a very interesting geometry that the other humans lacked.

"The dimension and arrangment of your hair forms an almost perfect isosceles triangle," I told her evenly.

"You like it?" she said, turning her chin downward while keeping her eyes fixed on mine. "Just under your ears are the lower points, while the top of your forehead in the middle forms the top point." Her face became a half-smile, while her eyebrows curled outward. I considered describing one of the 3,563,092 geometrically unique things I had determined about her, but the second human, a tall, dour fellow with mathematically ambiguous hair, began to speak.

"Yeah, uh, I met Cora down at Camelot, she just started working there," said the human who introduced us, placing his hands on Cora's shoulders. "Turns out she's got a high-level thief that she's gonna use."

"Yep, I'm a dork too," Cora said, sidestepping the human with his hands on her shoulders.

"Well, you won't have to worry about that here," said the fourth figure, finally making his voice heard. "N____ here is the biggest dork around. But hey N____? Didn't you promise to cook or something? You're the host tonight, buddy!"

"LOL!" I replied. I began to realize that these people must have been associates of my host geek. By this time, they had undoubtedly detected my presence-perhaps some of them were even Project Faustus operatives! I had to rid of them as soon as possible-

"Whatcha thinkin about there?" it was Cora. "You look pretty intense."

Perhaps attacking them would not be the best tack. The probability of my host geek's cohorts being a part of the Project is low enough to be insignificant. On the other hand-I could learn more about these humans-interaction is key. My goal is to fit into the human world-well, my direct goal is to oust Project Faustus, but certainly understanding human interaction would be a necessary milestone to my ultimate goal. For example, consider the human female-

Look at who she works for. (2)

Kaz Kylheku (1484) | about 12 years ago | (#3331291)

Symantec makes anti-virus software. The technical success of such software depends on information about viruses. The commercial success of such sofware depends on the vendor having information about viruses that other organizations or people do not have!

If people can freely exchange information about viruses, they can also develop their own anti-virus solutions independently of the vendors of anti-virus software.

One more point. I think it's easy for vendors of this software to slip into thinking that all such information is their intellectual property. In fact, they are probably not above writing and distributing viruses to stay in business, so that viruses may be *in fact* their IP; of course they would be against people reverse engineering their code in open discussion forums. Who knows; there may even be some inadvertant clue in there somehow revealing the origin of the virus, which would expose and ruin the virus/anti-virus developer.

This depends on how you define malicious... (1)

borgheron (172546) | about 12 years ago | (#3331293)

is buggy code malicious? Could a malfunctioning program be considered malicious? Was the error which caused it to malfunction intentional or not?

I think it's dangerous to declare such an ill defined set of code to be illegal.


Knowledge (1)

LightningTH (151451) | about 12 years ago | (#3331299)

I have to admit to writing viruses. However, they stay protected on my system under lock and key to keep people from spreading them.

This is not to say that they cant be used for learning. I taught myself assembly and the low level functionality of the CPU by studying viruses. I have, in the past, released source, with bugs to keep from spreading, so that people can learn how a virus works. This can be very useful as you then know weaknesses in a system, can look into ways to protect a system, and hopefully help someone run a more secure system if they take the approach of learning what a virus writer or cracker would learn.

Its not distribution, it is use (5, Insightful)

bluGill (862) | about 12 years ago | (#3331306)

I can distribute instruction on how to turn a gun into a machine gun, that is legal.
I can legaly distrbute instructions on how to make drugs.
It is legal to distribute instructions on how to make bombs.
I can join a club that intends to destroy the current goverment.
I can legally plan a murder.

In all of the above situations, following though and doing the act in question is illegal. However knowing how to do it, and discussing it is not. However once it is done, not only is the act illegal, but possessing/doing the above turns it from a legal act to a conspirecy which makes the act a high crime.

But we are not even talking about the above situations where there are no legal reason to use that information. Instead we have:

I can buy and use lockpick.
I can own and shoot a gun
I can own and use a car.
I can drink alcohol

All of the above are legal, and have legal uses. all can be used illegally.

Likewise there is benifit from distributing the source code for a virus. Programers should study such things to understand how they work. Only through such understanding can we go the next step and write programs that prevent them from working. (This is an arms race, virus writters are getting better all the time, so we need to get better)

Re:Its not distribution, it is use (0)

Anonymous Coward | about 12 years ago | (#3331362)

I can join a club that intends to destroy the current goverment.
I can legally plan a murder.

In the U.S. you will get anally fucked if you are caught trying to conspire against the Government, it's called Terrorism. Get caught planning a murder, expect to get anally penatrated in prison ....

Not illegal (0)

SirLantos (559182) | about 12 years ago | (#3331307)

First, I don't think posting of virus code is illegal and I do buy the fact such sites have there uses. (I.e Knowing how virii are made will help in their defeat.)

Second, even if you do make it illegal it won't help, the people who spread a virus will do it regardless. You won't stop someone simply by taking away an internet site.

Third, the writer says that posting these is not a freedom of speech, but acting upon it. I want to know how! The code isn't doing any damage, nor is it intended to.

It frightens me that people are trying to get laws like this passed because they use public ignorance as a weapon. The average person who hears that sites like this should be banned will think, "Well why not?".

IMHO, the average person doesn't know computers and people fear what they don't know.

We hear you media/government! (1)

czardonic (526710) | about 12 years ago | (#3331309)

Okay. So you have clue about the distinction between code and a "program". So you do not understand that code is simply instructions, and does nothing other than convey information until it is compiled and executed, much me writing "shut the door" just sits on the page/screen until someone, somewhere takes the initiative to act on it. So you can't distinguish between concept and realization of that concept.

We get it!

Restricting speech is not the solution. (DUH!) (2)

leereyno (32197) | about 12 years ago | (#3331310)

I hate crackers and virus writers as much as any genuine hacker. But as troublesome as they are they would pale in comparison with the trouble governments are capable of unleashing.

These kinds of regulations and restrictions are a short sighted response to irresponsible behavior on the part of anti social personalities. They do nothing to address the source of the problem and are therefore not a solution but simply an additional problem.


Missing the point (2)

goldspider (445116) | about 12 years ago | (#3331311)

I've read a bunch of posts claiming "writing software is free speech" and similar arguments that aren't really answering the question "Should Virus Distribution be Illegal?"

I have no problem with people writing viruses for educational/programming exercises and the like, as long as they are kept in a controlled environment.

At any point, however, when the virus gets loose (so to speak) the distributor (not necessarily the author) of the virus should be held accountable (criminally, financially) for whatever damage it does. Free speech ends when it compromises the rights (and property) of others.

Utter nonsense (1)

ShawnDoc (572959) | about 12 years ago | (#3331312)

She fails to give a good solid definitial of what "virus code" is, and I've got a funny feeling she'd like to stop security experts from posting code to web sites that outline various security exploits. I mean, that's all most viruses/worms are, a security exploit tied to replication code and in the case of virii detrimental code.

Let's take a look at some of this sillness:

How a virus replicates isn't hard to understand; in fact it's fairly common knowledge among researchers. We don't need to see the replication mechanism to figure out what makes viruses "work." The argument doesn't hold up once you understand that viruses are, for the most part, trivial programming exercises.

Really, just trivial programming exercises? Then why do so many of them fail? And what about the exploit they are using? How are people susposed to write solid, secure programs if they can't look at applications that exploint weaknesses in exisiting code? I don't know about you, but I think looking at how viruses work is a great tool for new programmers to understand security weaknesses and figure out ways to keep such flaws from occuring in their software.

While some voices have argued for a stronger legal remedy, research I've conducted over the last decade (at www.badguys.org/papers.htm) has shown that fear of the law isn't a major deterrent for many virus writers.

This is the smartest thing she says. More laws are not the answer. Virus writers don't care about the law. Virii are created from the ground up to create to cause intentional harm by people who don't care about the law.

How do you learn? (1)

papasui (567265) | about 12 years ago | (#3331320)

If it's illegal to post the virus code, how can someone who might be interested in developing a virus scanning program learn? Source code is a great resource for learning about code. If it's illegal to view the source code publicly then the only way people will be able to get access to such code is through contracts/license agreements which probably would be pretty costly for the average person/student.

legal (0)

Anonymous Coward | about 12 years ago | (#3331324)

Writing code shouldnt be illegal, even if it's intent is to be malicious. It's only malicious if someone uses it, the people who spread the malicious code are in the wrong. Writing 'malicious' code can be valuable in demonstraiting security flaws. Crack down on the idiots who use the code, not the programmers. Guns are legal ... they have only one purpose (to kill), it's only illegal to use them (and not in all circumstances), but not to create them.

Code is harmless unless it is actually used.

Just another case of people trying to censor us .

Define "virus" first - then let's talk (5, Insightful)

Philbert Desenex (219355) | about 12 years ago | (#3331327)

Sarah Gordon may have some good points. It's hard to tell.

She never bothers to define the term "virus" in a way that an arbitrary individual (me or an intellectual property lawyer or a World Court Judge) can use to determine whether or not some source code constitutes a "virus".

If she follows Fred Cohen's definition ("sequences of instructons in machine code for a particular machine that make exact copies of themselves somewhere else in the machine" - "A Short Course on Computer Viruses" 2nd ed ISBN 0-471-00769-2 John Wiley & Sons 1994) which is pretty much an english transliteration of the mathematical definition - even things like /bin/cat or /bin/cc become "viruses" under some circumstances.

Sarah Gordon is just fear-mongering at this point. Until she says "The term 'virus' means code that ....." objecting to her editorial is just automatic: she's using a term that has (1) a specific technical or mathematical meaning (to Fred Cohen and many Slashdot readers) and (2) a vague "common sense" meaning (to Windows users the general public and a few Slashdot readers). She's arguing based on both meanings. She's hoping that emotional or poorly intellectualized reactions to meaning (2) will get code representing meaning (1) outlawed.

It's crap. Give it up Sarah.

And just for good measure: http://cm.bell-labs.com/cm/cs/who/doug/v101.ps Read it and weep Sarah. Neener neener neener!

How is posting virus code speech + action? (5, Insightful)

rtm1 (560452) | about 12 years ago | (#3331331)

It says in the article: virus writing and subsequent distribution aren't pure speech. Rather, they're speech plus action

But it is never elaborated on at all. I do not understand how it can be said that posting something on the web is any more of an action than the physical act of mailing a letter to the editor, but we do say that mailing a letter to the editor falls squarely under free speech. How are we supposed to separate speech and action (something the article acknowledges are different) on the internet if the act of posting places your content beyond pure speech? How are we supposed to have free speech if we are prevented from speaking to others by posting our thoughts?

There is a big difference between saying "This code will infect machines and do this to them" and then compiling that code and releasing it with malicious intent. One is speech, the other is action. It is the same as the difference between saying "I could break into your home by doing this" and then actually going out and doing it. One is not illegal, the other is.

This reminds me of another issue. How long before distributing an MP3 player makes you an accomplice to copyright infringement because you haven't included draconian copy-protection schemes? The problem is social, not technological.

Who do you blame (2)

Technician (215283) | about 12 years ago | (#3331336)

Um would you nail the guy using Outlook on a corporate lan or MS for providing the disemmination software for it?

This is humor for those who would inform me to read the article.

What about government agencies? (1)

Fluid Truth (100316) | about 12 years ago | (#3331339)

I seem to recall an old story on /. about (I think) unconfirmed rumors that some U.S. govenrment TLA organizations were considering using virii to further their surveilance. Are they going to be specifically exempt from these laws, specifically not exempt, or de facto exempt because there will be no one to enforce against them?

Personally, I think they should specifically be not exempt. But I'm fairly jaded and will expect them to not be liable in any way.

Finally a way to get M$ (0, Troll)

ruiner13 (527499) | about 12 years ago | (#3331343)

No seriously, if there isn't a bigger virus then Windows XP, i don't know what is. The DOJ can get em for that!

Old problem, old solution (0)

Anonymous Coward | about 12 years ago | (#3331347)

Why is it that we must fight this battle over and over.
This problem has come up before in other areas and it has been solved.
You can learn, in libraries and on the net, everything
you need to know to build a nuclear weapon or a gun.
Period. Full stop. We distrubute this information
to the masses through our public libraries.

Why must we analyze these problems over and over just
because they make an appearance on the net?

The internet does not change the nature of the problem
and should not change the solution!

For a good time, call... (0)

Anonymous Coward | about 12 years ago | (#3331350)

1-800-564-8982 Press 2, then 5228. Enjoy! All /. editors should be familiar with it...

Define "malicious code"... (2, Insightful)

gnovos (447128) | about 12 years ago | (#3331351)

...and do a damn good job. Without an *iron clad* definition, then you could make a case for things like say, Outlook, being "malicious". I don't mean to attack on Microsoft, I mean *anything* that unintentionally or intetionally causes damage could be considered malicious. Could "rm" be considered a "malicious" piece of code?

Lazy Admins (0)

Anonymous Coward | about 12 years ago | (#3331352)

Perhaps this is just me, but this seems like another lazy-admins tactics.
We know (from experience) that

Most security issues are reported

Most security reports are ignored

Software vendors generally start acting once visible damage takes place.

Now, perhaps this is just me, but if people can not in a white-hat fashion deliver security-exploits, then the only releases will be black-hat ... and we all know that that means.

Counter proposal: distribute viruses on all OS's (2)

mikosullivan (320993) | about 12 years ago | (#3331354)

Here's a counter proposal: all operating systems should be distributed with the latest viruses. The viruses should be activated when the OS is started. If the OS and the other software on board can't fight off the viruses then they aren't good enough and the programmers get a bad mark in the eyes of the consumers.

I'm only half serious about this, of course, but the idea is better than Gordon's. Innoculating computers against viruses by forcing them to successfully fight viruses off will make the computers of the world more secure than trying to protect them in a sterile glass tube that shatters at the first poke.

It is - in here (1)

tuoppi (415801) | about 12 years ago | (#3331358)

Virus distribution has been illegal in here .fi for some time. Unfortunately nobody hasn't yet made illegal using the most effective weapon of virus distribution - Microsoft Outlook. I hope they wake up some day.

Here goes! (0)

Anonymous Coward | about 12 years ago | (#3331366)


I was goign to post virus code. but the lameness filter won't let me :(

Ahh Sarah.. when you gunna get a real job? (2, Redundant)

QuantumG (50515) | about 12 years ago | (#3331367)

We've always been on friendly terms Sarah, except when you go spouting fascist crap like this. What does Symantic pay you for anyways? Researching "ethical implications of select technologies" sounds like "making up FUD and scare tactics" to me. How can the author of The Generic Virus Writer [ibm.com] accuse anyone of "bad science". Pah-lease. You're a psychologist, your "discipline" invented bad science. When you condem virus writing and try to criminalize it like you constantly do you drive more and more kids to get into it -- call it the "coolness factor". Make it more illegal and it will become more dangerous. What the vx scene needs is compassion and guidance -- leadership if you will. When VLAD was on top we put forward [biodome.org] positive responsible leadership. Unlike hacking, writing viruses is about investigating the weaknesses of both insecure and secure systems. What can you do in the bounds of a good security model that is still malicious? Can this help us build better security models? This is research, and maybe if you got out of your closed little commerical lab ("we make scanners!" Big deal) you might be able to see the whole picture.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account