40Hex Number 12 Volume 3 Issue 3 File 006

This article is being written for 40-hex, because I believe communication is the key to helping computing obtain its maximum potential. I do not agree with all of the philosophies of many virus writers. This article does not endorse the views of anyone other than myself :), and does not endorse any other material that will appear in this or any other issue of 40-hex. Many of the ideas expressed in this article appeared in one of my submissions to Computer Underground Digest. I'm writing this because I've had some good honest conversations with some of the Phalcon/Skism people, and I appreciate them listening to my views (even though they don't agree with them all).

Again, I am not going to get into this "not all viruses are meant to be destructive, not everyone who calls a virus exchange BBS will use viruses for evil purposes, some anti-virus product developers lie to scare the users" business. I agree with all of this, and if you don't, then you will have to find that out for yourself. Virus writers already know this is true. If you are not a virus writer, and really don't know what is going on, and are reading this magazine thinking that we need laws to shut these guys down, you should do some investigation on your own and find out what is really going on in the virus arena. These arguments only cloud the issues, and the issue here is "What is going on?". I can't tell you everything that is going on because I don't know, but I tell you this much:

Something's happening here....What it is ain't exactly clear...

Computer viruses are programs but they are also more than 'just programs'. I did an in-depth study of virus exchange BBS and found that the viruses themselves did not have a significant impact on the users. It was more a case of certain attitudes having impact, and of the (necessary) reaction on the part of security personnel and a-v product developers having impact.
By necessary action, I mean that each time a virus writer releases a virus to a virus exchange BBS (losing control over it) or releases its code in a magazine, people get scared. Developers then have to put detection for that virus in their scanners. Updates cost money.

Some of this has changed since my study. More viruses are being found in the wild. Some of this is due to their intentional release, their availability on virus exchange BBS. Still, the majority of the problem is not the distribution of the viruses but the fostering of some of the attitudes. On the positive side, we see some people finally calling for "responsible" action. Only time will tell how long it lasts.

To me, the P/S E-Mail virus site was a very bad choice on the part of the administrators and I am glad it is gone. Still, it was better than some situations which actively encourage using viruses to cause damage.

We don't yet live in that ideal world where we can trust other people to act nice. People want to say they can't help what someone else does with a virus if they give it to them, but by exercising some common sense and responsibility, they -can- help. It's not so much to ask considering the future of cyberspace and its freedoms are at stake here. If people keep going like they are now, soon we will have laws that say we CANNOT give certain code to anyone. Don't believe it? Read on.

When I talked about laws in the Fido Virus echos, virus writers told me there is NO way there will be any laws against virus exchange BBS, anywhere, ever. Free Speech. WRONG. Do you think I just pull this stuff out of thin air? It's not illegal to have such BBS in America. Not yet. They are illegal in other countries. Specifically, the Dutch law (art.350a (3), 350b (2) Sr.) addresses the distribution of computer viruses.

"Any person who intentionally or unlawfully makes available or distributes any information (data) which is meant to do damage by replicating itself in an automated system shall be liable to a term of imprisonment not exceeding four years or a fine of 100,000 guilders."

In Sweden, it's starting to sound more like this:

Anyone, who, without authorization - erases, modifies, or destructs electronically or similarly saved or data, or anyone who, creates, promotes, offers, makes available, or circulates in any way means destined for unauthorized deletion, modification, or destruction of such data, will, if a complaint is filed, receive imprisonment for up to three years, a fine, or if there is considerable damage, five years sentence.

Is that clear enough? It is against the law in Holland to INTENTIONALLY (i.e. on purpose, i.e. if you put it online, you knew you put it there) make available ANY data (program) that can do damage..specifically a replicating program. That means virus. And don't forget that magic word, "extradition". The Swiss laws are in draft stage.

Now, a lot of virus writers say they can't be held responsible for a virus doing damage if they don't mean for it to escape, or if someone else uses it. Wrong again. The law of negligence allows victims of accidental injury to sue to obtain compensation for losses caused by another's negligence. But, it's even more applicable if you consider the aspect of torts. You can have what is called an intentional tort (which is what lawyers use to refer to suits that try to get dollars for damages, such as libel, fraud). In these kinds of cases, you may think just because you didn't mean for your virus to 'escape' you are not legally responsible (forgetting about ethics for a minute. A lot of virus writers seem to think if it's not illegal to do xyz, xyz is therefore ok to do. So let's put ethics aside and look at legalities).
You are indeed legally responsible because all that is necessary to establish intentional torts is that you -intended- to do the act (write the virus) that caused the harm. The law of negligence allows victims of accidental injuries to sue for compensation due to negligence. This of course refers to U.S. law, and is not in any way a complete reference, but you can get the general idea. You don't just have free rein.

But, the law is not the solution, in my opinion. However, you can force it to become the solution if you do not take responsibility for your actions. If you keep making these viruses available indiscriminately, you are creating LAWS, just as surely as if you had written the law with your own hand. Stop to think for a moment of the implications of this.

The Dutch enacted laws as the abuse of computerized equipment increased. While some laws already existed that addressed computer crime, it became clear that some intentional damage was being done that was slipping through the loopholes in the law. Something must be going on that caused them to react so strongly, to specifically include virus exchange bulletin boards in this legislation. What was going on? Malicious damage. Incitement. Actions that helped people to do damage. What is this "incitement"?

Incitement. That is a term that is getting a lot of publicity now, with Mike Elansky held on $500,000 bail for distributing a text file on his BBS. The file contained the following text:

! Note to Law-enforcement type people: !
! This file is intended to promote !
! general havoc and *ANARCHY*, and !
! since your going to be the first !
! assholes up against the wall.. there !
! isnt a damn thing you can do about !
! it, pigs! !

It may be distasteful to some people, but the kind of information included in the file was the same 'anarchy' type information you can get at your local library. Does it merit a young man being locked up with an almost impossible bail?
It's no worse than a lot of the graffiti you can find in Manhattan, or LA, and it's no worse than you can hear on a lot of albums. To me personally, it's just silliness. I know the fellow who wrote the file, and I don't find him to be a threatening anarchist. He's a fine person, who wrote the above as a parody-spoof. It is not much different than the things you hear in the halls at most high schools these days. I'm not saying it's a desirable manner of expressing dissatisfaction with the system, but it's *NOT* the devil incarnate. Someone had it on their BBS, someone downloaded it, and now, the BBS sysop is in jail for it.

Something's happening here...

Fear. People are afraid. They are chasing the shadowy ghost, and imagine it is 'the virus writer' or 'the hacker'. Well, virus writers and hackers may do some of these things, but the majority of them do not. the publicity. Why? Because they want it. And, what happens when they want it, and get it? More fear. The real ghost is ignorance and fear, not the virus writer or hacker.

On the other hand there ARE some very malicious people out there. And, maybe to protect people from them, we will need laws. The way it stands right now, no one knows who is malicious and who is not because everyone is hiding behind the "law". This will change, very soon, if people do not stop thinking they can just do whatever they like because it's "legal". Laws are established when new situations come about, and some people are pushing the envelope here.

One thing that is happening is that people are afraid to say something is wrong. We all have to stop being afraid to say something is WRONG. It is WRONG to destroy or damage data of other people. It's WRONG to encourage people to do it. And, if you can't figure out what encourages people, then you had better figure it out soon, because we don't have much time left.

I say you better figure it out fast because right now, people are up in arms about computer viruses.
They have every right in the world to expect they shouldn't have to be on guard against any 'toys' that happen to escape. They certainly deserve to be protected from people who maliciously release, or -irresponsibly release- viruses. They should not have to learn every in and out of DOS to protect themselves. For most people, computers are work. They are not just hack-o-matik machines waiting to be explored.

No one has the right to destroy other people's information. Just like we don't want the government or other people to just do whatever they feel like with -our- information, we have to respect other people's rights to -their- information.

It isn't working. There are still people who are doing malicious things with viruses. In talking with a lot of virus writers, I've pretty much gotten the same story. After a while, it's just not fun to do it anymore, and they evolve into learning more about code in general. They no longer upload it to unsuspecting people. Most of them don't even use virus exchange BBS, because there is just not any point. You can only get excited over FF/FN so many times, and sooner or later you move on to other things.

But there is still a problem. Newcomers to the virus scene pass thru the same stages; they release their viruses either through incompetence or purposeful maliciousness, to 'prove' themselves. It's almost like a rite of passage. It is this group, the intentionally malicious, that are drawing all of the attention. It is this group that forced the hand of the Dutch government. It is this group, malicious virus writers and hackers that are drawing the attention of the Legislators and Judiciary in the United States, Canada, and now Switzerland.

Consider that we are living in a truly global society. The laws cannot forever be bound by traditional territorial borders. Think of the implications for the future. Being held hostage by one's freedoms tends to make one rethink their "Rights".
-------
--
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com
bbs: 219-273-2431
fidonet 1:227/190 / virnet 9:10/0
p.o. box 11417
south bend, in 46624
*if you don't expect too much from me then you might not be let down*
----

I originally had a huge response for this, but I found that a majority of my arguments were more aimed at the point of view she was explaining, rather than her viewpoint. The bottom line is, laws that regulate information are horrible. If it happens, it is unenforcible. I do not believe that virus writers should be 'nice', or politically correct, and I don't ever plan on removing virus source from 40Hex.

Another problem with her article is the part about virus writers doing whatever they like just because it is 'legal'. The point is, because it IS legal, we can write viruses. People also break the law and distribute viruses. It is NOT wrong to write a virus. By any morality. It is wrong to use it on someone else's computer illegally.

For the most part I agree with Sara Gordon. Before you go about saying she is a narc, and she did this, and she did that, just ask yourself what have you done about virus legislation. If it is equal to zero, zilch, nada, etc., then you should at least give her the credit of doing something to help the underground, despite the rumors. I don't care whether you trust Sara Gordon, but realize that in this issue she is definitely fighting the legislation.