Insane Reality issue #7 - (c)opyright 1995 Immortal Riot File 003 % Viral-morality % ------------------ This article is suppose to be covering the topic "viral-morality". Viral-morality you may say with a big "hmmmmm" afterwards? Well, it's not exactly about if it's moral or not to write viruses, if it's unethical to distrubute virus-source code or anything like that. Or maybe it is? Hehe, It's though another write-up which ncludes quite a great deal of interesting questions and covers a few cool topics. It was written by a guy calling himself Rob Slade. What I figured he's some sort of teacher/AV-person all mixed together who don't know where he belongs. But honestly, I haven't bothered doing any kind of research about this person, except that he seems to have written a book called "Robert Slade's Guide to Computer Viruses", but greets to him, whoever he might be. Comments, complaints and all that are ofcourse added by me in good old IR tradition. Even though some of the stuff added has nothing to do with his text I didn't care to remove it. Deal with it or go fuck your boyfriend in his ass, suck his dick and wake up the next morning with pubic hair between your teeth and dry cum in your right nostril. - The Unforgiven. RS> Rob Slade TU> The Unforgiven ------------------------------------------------------------------------- From "Rob Slade, Social Convener to the Net" () Newsgroups: comp.virus Subject: Viral morality Date: 21 Mar 1995 21:52:48 -0000 ------------------------------------------------------------------------- VIRETHIC Viral Morality: A Call for Discussion RS> "Computer ethics" has been an ongoing study in the technical world. On the one hand is the study of the ethical, moral, or proper use of computers. On the other, is the study of computer crime and vandalism. Lately, I have noted a rather desperate interest in courses or training in computer ethics, as well as an increase in the frequency and depth of discussions regarding the ethics of virus writing. I would like to address this latter topic, specifically. TU> It's fine to discuss moral with me since the definition of the word 'moral' is very vague indeed. Therefor, the first thing to discuss is by who's definition we are defining it. To fatten up this meaningless ramble I looked this stuff up in a very old english word-book. Moral = "concerning principles of right and wrong". We've also good words such as "moralist", which I'm sure Rob himself would have refered himself as :). "Person who points out morals and who practises or teaches morality". (See also: Weenie). Jokes aside. We still haven't got by who's definition we're discussing this issue about. Right and wrong from the law, by God, or in the mind of the average braindead Joe Blow? First lets start with the law. If we only had to define moral such as "If it's forbidden by the law, it's unmoral to do it" we wouldn't have anything to talk about because viruswriting isn't considered a crime in most countries. So luckily, morality cannot be definied all that easy. To put things straight I do not think everything forbidden by the law is alright to do because it's (you guessed it) legal. I don't find it morally right if I ditch a girl one minute after I fucked her the very first time, took her virginity, crushed her heart and left her life a in misery. Still it wouldn't be a crime and hell yea, I've been there. People do by their own definition of morality unmoral things. The example above might perhaps be a case of sense-moral, but that's not the topic for this article. But my point here is that even if all viruswriters find it morally wrong to write viruses, it still wouldn't solve the so-called virus problems. Face it, people feel different every day and one day when you're really pissed about something you screw morality. Big deal? So the problems might have decreased an inch or two if we all thought it was unmoral but that's pretty much about it. This kinda leads us to another question - would the viruswriting decrease if it all sudden got forbidden by the law? Hmm, I believe I wrote about this very issue in IR#5 and my opinion is that forbidding viruswriting would result in an outbreak of viruses done as an objection against the law. This would increase the infections rather than decreasing it. A whole bunch of people believing in freedom of speech would probably start writing computer viruses. Wow. That would be quite cool. Uh. But we ain't talking laws here, but morality, so let's go on. Then how about following Gods' message of what's right and what's wrong? Which God? Jesus, Allah or Satan? This is a topic I really would like to discuss for hours, but that would maybe upset some religious dweebs out there. If you feel like you belong of one of those idiots believing in the bible I just have to ask you "How can a non-existing thing define a word used by human beings?". Hmmm. Well - it's alright to believe whatever you want and even follow the so-called word of God but the fact still remain that religion is abused. Therefor people calling themself the messenger of God cannot be trusted when they're teaching you certain standards of what's right or wrong because like all other person they're greedy and will use your belief against you to make their own lifes better. Talking about greed by the way. I stated in the "Deep corner's discussion about all between heaven and hell" (a non-virus related article that I typed up confused as you can expect from a mid-teenager), that: "Greed is really your WORST enemy." Maybe I still think so and I might still dream and have faith in something better and maybe I'm just as confused or just don't know what to think. If I was confused by the way, I might just ask you what I ment with the text from a very lame virus I wrote called Human-Greed saying "Do you believe" and "Life is limited, love is forever...", but since I'm not confused, I rather not :-). And to continue screwing and messing things altogheter I decided to include these indeed very interesting words. "Image there's no heaven. It's easy if you try. No hell below us. Above us only sky. Imagine all the people, living for today.. Imagine there's no countries. It isn't hard to do. Nothing to kill or die for, and no religion too. Imagine all the people, living life in peace... Imagine no possessions, I wonder if you can. No need for hunger, a brotherhood of man. Imagine all the people, sharing all the world..." Hmm, now exactly how can I relate that text to this article? Maybe I can't and honestly I won't care if I don't succes either. However, one thing is clear and if you don't know what that is I'm not going to tell you either, go figure... :-). So, we screw religion as well since that wouldn't give us any definition whatsoever. How about the society? In most people's mind, viruswriting is considered evil. Gee, I wonder why that would be? Maybe because the anti-virus crowd are talking shit about us scaring people away from viruses? Or maybe because people like us write destructive viruses with the intention to infect as many computers as fast as possible and to destroy important data? Or maybe because people who don't know shit about computers are forced to use them on daily basis and blames their failure on viruses? Ofcourse we know there is a lot of reason why the word computer-viruses sounds evil to most people and the above listed examples is only a few of them. So - if we wan't to change the general attitude about viruses, we just don't have to make the viruses useful and easy-to-use, we also have to control the media. That is ofcourse impossible since all viruswriters like freedom fighters have to be anonymous and therefor cannot stand up against the media and such scums without being a victim. The above expressed opinions should not be seen as an attack against groups like VLAD and Phalcon/Skism in their attempts to write harmless and non- destructive-viruses with harmless payloads. They're free to try, but will hardly succeed. No hard feelings guys, we just (again) share different opinions :). MM> "Fuck You TU, you're just been to damn political correct nowadays!" - "With all due respect dear MM, we represent a new age of computer terrorism and therefor we don't only have to respect other opinions, but we must also cooperate with the believers' of them. That way, you can call us politicans, too." So for short the definition morality does really vary depending on with who you're discussing the subject with. It's an just an opinion and it's lovely when people have different opinions and beliefs. Therefor - when I talk about morality and use that word lateron in this article I will refer to my own standard of morality. RS> One problem with current discussions and literature regarding the ethics of virus writing and distribution is the lack of dialogue between two opposing camps. This paper is not intended to present any final answer, nor to add to the literature in the field, but to open the field for comment. My purpose in writing this is to provide an initial overview and to elicit feedback from any and all concerned with the topic. TU> First off all I don't think there is a lack of communication between viruswriters and people working to secure computers. We've for example a very own newsgroup on internet. Uh, that was sarcastic by the way if you didn't understand that :). Comp.virus is moderated and therefor highly censored. In this case the AV-persons are to blame for decreasing the communication between the two opposing camps. But that's just one media used by us digital knights. IRC isn't censored for example. Not that AV-guys spend too much time on IRC talking with viruswriters but if they want to they are free to do so. I would like to send my best regards to Mikko (Hermanni) Hypponones and Richard (Rilo) Loerakker who I've often seen on #virus for being able to communicate with us without starting a major fight. Oh, I just found out that Rob Slade hopefully will enjoy reading this feedback because it was exactly what he was hoping for. Sorry guys, to please the other side was never my intention :). You know, sometimes things "just like that (pooph!)" happens. And what I've heard is that noone really can be held responsible for things which 'just-accidentely' happens. It's called fate and by all means it's suppose to happen even though the fact it's evil, dumb, unlogical and painful. Nevertheless, it's fate. Right Linda? RS> For those of traditional moral stance, the current situation is discouraging. Peter Denning's "Computers Under Attack" (cf. BKDENING.RVW) has a very thorough survey of the field, but it provides little in the way of answers or hope. Deborah Johnson's work "Computer Ethics" (cf. BKCMPETH.RVW) is pre-eminent in the field, but serves only to clarify the problem. Sarah Gordon's interviews with computer students show responses typical of almost all such studies. The base attitude appears to be, "If I find it interesting, and I can do it, why do you say I shouldn't?" TU> I havn't read any of the books named above, and won't read them either. But I do however know about Sarahs' work and it's actually in most cases really good. In the article she send to 40hex (issue #12) she wrote... "A lot of virus writers seem to think if its not illegal to do xyz, xyz is therefore ok to do. " I don't agree Sarah on this one. I won't just write viruses because it's legal. It's not wrong in my definition of what moral is all about to do so. I won't go into talking motivation here (again) since that is such a stupid question, but one thing is clear, viruswriters' won't just write viruses because it's legal to write them, they do it for other reasons. Furthermore she wrote (and I quote) "This query is directly relevant to discussions of the morality of virus writing." Oh, and the question was "Where's the harm?". My reply is that there is no harm in the writing itself, it's no harm in releasing the source-code as pure information about low-level programming to a virus-exchange BBS (even though she refers it as 'losing control over it'), but it might however harm someone if you infect a computer system with a virus. Is it wrong to deliberatly infect a computer-system with a destructive virus? Well, perhaps it is but that won't stop me and other viruswriters often described by totally insane people as malicious. Ofcourse, not all viruswriters share my opinion concerning this and a lot of viruswriters I've talked with tell me this is morally wrong. As with pretty much about everything, I can (and will) use a self-experied example.. I personally did infect a governmental-institution with a highly destructive virus. It trashed some of theirs harddrive but I doubt they lost any really important information. The computers I infected was free-to-use by people who had no computer at home and really needed to use computers to print out different documents, finding jobs on and so forth. They were used by a lot of personal friends of mine, for example. Woops. (Just hoping they won't read this :)). The virus didn't really harm the users or the data since the data easily could have been replace from backups. But what really harmed them was that the service of using computers for free was removed. You now have to tell them in advance that you wanted to borrow them and for how long. Then they might be nice and let you use it. While using it they will watch you like scared-off maniacs seeing that you wouldn't access DOS (it was normally blocked) and do something they didn't know about because that would be dangerous and could harm the computers. They were well aware of the fact that their computers had been hit repeatedly times by one or more 'vandals' and they really wanted someone hanged. It was never my intention that people wouldn't be allowed to use their computers and I cannot be held responsible for them making that decision. It was all their fault and this silly decision resulted in some harm. The office was totally messy for some weeks and it was indeed a very chaotic place to work at. A few month later, they still had that silly "please- apply to use the computers" system because they were really scared of getting 'under siege' again. Still, this wasn't my fucking fault. You don't agree me? Well, that is not my problem. It's kinda the same issue with cleaners corrupting files. Is it the fault of the virus or the scanning software? The "who-are-to-be-held-responsible" is an open issue and feel free to leave me feedback concerning this very interesting question. It wasn't for nothing I wrote the text saying "I'm guilty, but the society is to blame" in IR#6 (Non-destructive-Viruses and Payloads), it actually had a meaning. However around that time I didn't think about much about what I wrote, it was just a cool quotation from Monty Python. Hmm, ofcourse I'm now hoping that I didn't mean anything with the text from another payload I wrote (also for IR#6) saying "Come to daddy little girl and I will help you to grow up.." :-). (Fuck off Blonde, I'm not a child-abuser :-)). Anyhow, I wouldn't be suprised if I got a question from a reporter asking how I could make such a horrible thing that is "making life harder for the poor unemployment" without feeling sorry for it. Well, like I said above you feel different everyday, and when you feel bad you screw morality. Today I feel really good and find no point in infecting other peoples software but at the time I spread the virus it felt alright or even good to do so. Let me think, that wasn't really an answer, to let's try again.. "It was for me a challenge to infect them. They tried to teach me how to use computers and I hate learning from idiots. If they would succeed in detecting/removing the virus before it would trash their harddrives they would get my respect, if they didn't they wouldn't". That did sound good now didn't it? Well, there is many reason why I did it. Another reason at that time was Linda who quite brutally blackended my mind. I thought it was funny to relese detailed information about her in a virus. They could easily have contacted her since she lives no more than 1000 meters from that place. Could she point me out as the writer of it? Would they even contact her? Or was they even smart enough to figure a virus had infected their system? Those are question that I wanted to have answered, but to this day, still haven't. What a shame. RS> The proponents of security-breaking activities often question the traditional ethical position by asking, "Where's the harm?" This query is directly relevant to discussions of the morality of virus writing. I should begin by defining two generally opposed groups in this area. First is the "antivirus", or "AV", research community. Many, though not all, of the members of this group would be involved in producing antiviral software. All would study viral programs with a view to eliminating viral programs in the normal computing environment. They take a rather paranoid, and almost obsessive, position with regard to the sharing and distribution of viral code. (They would rejoin this last by pointing out that it isn't paranoia if someone is *really* out to get you.) TU> Here I have another interesting point. Many virus writers are not out to create chaos and destruction with their programs, they just distribute information about viruses. They see it as it's all up to the reciever of the information how s/he will use it. That's not too bad now is it? Information is knowledge. Knowledge is power. And if someone is kind enough to share his knowledge, should that really be classified as bad? I quote Nick Brown of Strasbourg, France who sent a message to Crypt #33 (published by Gerge C. Smith a.k.a Urnst Kouch). "For example, I've written a stealth-beating integrity checker which would not have been possible without Mark Ludwig's explanations of virus source code." In this case Mark Ludwig supplied information which often is classified as "bad" to whoever had an interest in programming and viruses. The knowledge Nick Brown gained by studying Marks' code helped him doing anti-virus software. The problem here is that most anti-virus persons never share any information whatsoever. You might disagree me? Well, when I'm refering to sharing, I'm talking about giving away virus-source code, nothing else. Ofcourse, some from the "other side" do indeed share certain kind of information to everyone who are interested (ie. making the info public). And again, as a perfect example of this take Richard Loerakker. He has indeed shared information (just dig further in this issue, and you'll get my point) about anti-virus research. That's great, still he wouldn't give away virus-source code to me. Ah well, bummer, I respect that decision. Anyways, it's a known fact that they (AVers) won't give away virus-source code to everyone who's asking for it but they won't even give away information to persons who are planning to do something good with the information gained. It's really sickening too see small-minded person keeping information for themself because they're scared of many things. "Will the person use the virus-source code to make viruses himself?", is probably a stupid question many AV-persons has asked themself. If the person in question really was out to get virus-source code to learn from and then create viruses himself wouldn't the natural choice be to call one of many VX-boards worldwide or just get some example codes from a ftp-site? Ofcourse it would be and the AVers knows it but maybe they see it as a matter of principle not to share 'their' information or maybe they don't want to have any competition thereby forcing users to use their product as the only protection against viruses. It's sick to see idiots claiming that it's their information and because it's their information they won't share it. How did a virus source-code, a viruswriting tutorial or a virus-zine all sudden became theirs? Isn't it up to the writer of the virus/tuturial/zine in question to decide who is worthy having the information they created? Anyways, if a person has a keen interest in viruses who are to tell him that that's bad and he shouldn't have an interest in that? RS> The AV community is not really opposed to the writing of viral programs. It is seen as a trivial, and therefore pointless, exercise; but not necessarily evil, in itself. The communication of viral program code is also a normal professional and academic activity, as long as it is limited, done for a stated purpose, and the recipients are known. It is the unregulated exchange of virus code and source, providing open access to anyone with a computer and a modem, that is upsetting. The opposing group is therefore described as the virus exchange community, or "vx" for short. (This designation was first used by Sarah Gordon.) TU> If I remember right, the term "vx" has been used since the days of "The Virus eXchange" in Sophia years and years back. Maybe Sarah copyrighted that catchy term, or maybe Rob mixed things up? However, when Rob claims that Anti-virus persons won't care if we write viruses because it's for them trivial? I think they won't care too much about viruses because that would simply drive them insane. They don't have any capacity to trace/press lawsuits against every viruswriter, so they do the only thing they can do: Ingores it. By ignoring it, it doesn't mean they won't care however. They do care about us, they just can't tell anyone when they've been defeated by the large number of people writing viruses. To prove my point here, you just have to look back in the "virus-history. Didn't Frisk (Fridkri Skulasson - author of F-Prot) traced the writer of Den Zuk? Didn't Dr Alan Solomon with the help of NSY (New Scotland Yard) busted the ARCV and The Black Baron from England? Didn't Mikael Winterkvist & Mikael Larsson worked hard for about 10 month to bust Demoralized Youth, The Beta Boys, Line Noise and ten swedish so-called VX-boards some years back? Sure they did and all this information can be gained by reading the previous issues of Insane Reality. Rob Slades said they won't care, I say they do care. Ok, point proven, let's continue the infite bitching :). RS> For the purposes of this paper, therefore, references to "virus writing", "virus exchange" or "vx" will mean the uncontrolled or unregulated exchange or provision of access to virus source and object code. TU> Well, trying to control information is always hard, so in my opinion, there's no such thing as controlled information. Trusts can be broken, resulting in private information becomes public. An example of this is when Rock Steady gave Aristotle NED. (NED stands for 'NuKE Encryption Device' - a polymorphic engine written by Nowhere Man in 1992). This information was thought to be controlled for a time (until it was finished), but that failed. And remember.. There's a lot who deserves the name Judas out there, or to put it in another way 'Natural Born Betrayars' :). RS> (This does not necessarily mean deliberate distribution of infected programs by such means as infecting a legitimate program and then posting it, without warning, to a bulletin board system. "Trojanizing" of normal software or malicious invasion of systems is certainly happening in some areas, but it is not needed in the current computing situation. TU> Atleast, he didn't say that it was the same thing to infect a computer-system and to upload information to a vx-board. Some stupid people thing these actions are the same because after you've given the sourcecode away you cannot control the distribution of it. That did sound pretty unlogical didn't it? Well, add "...and since a virus goal is to spread, that is what other people will use it for", and you'll understand how those dorks thinks. A virus is programmed to replicate, urm, that even kinda defines the term 'virus' :). But it is a decision for the programmer to make if he wants his virus to infect other people's computer. If he wrote the virus to spread he will "trojanize" other software, else he might just send it away to a vx-board. There is a huge difference between those two things and if you still consider those two things the same, you better go back to school. We already know this is the truth, and that people write viruses for different purposes (educational, challenged, blackmailing, spreading, destroying, publicity, you name it.. we do it!). RS> While there is debate over the relative contribution of "natural spread" and virus exchange to the current virus problem, it is known that code made available only as openly published material does eventually infect machines in the normal computing environment. The term vx does not, therefore, require any imputation of sinister motives or hidden activity for the purposes of this discussion.) TU> Well, if I understand him right, he's saying that viruses uploaded to vx-boards eventually ends up in the wild? If that is what he's saying I must disagree him. Most of all 'in-the-wild' viruses aren't first given away to the vx-boards and spread from there. A virus which infects computers worldwide is normally spread by the writer or a friend of him doing it for him. If one first send away the virus to a vx-board the AVers will scan it within notime and that naturally enough prevents the virus to replicate (People actually use scanners alright). I have a few examples (Desperado, Scitzo, Taipan, Junkie, Manzon) and could give out detailed information about how they spread, but it should be clear even for the most retarded person to realize that :-). RS> There are some grey areas between these two poles. Some people have both written antiviral software *and* contributed to viral spread. Given, however, that one could expect a continuum of opinion, those in the middle are remarkably few. Either you are for virus exchange, or against it. TU> This is a good point. The 'truth' is not always black or white, but somehow gray. There's some dual edged swords out there, but also people like myself and a few other people in the pure (black?) vx-community that sometimes also can be classified gray. To name a few examples, Dark Avenger wrote an Eddie- Doctor, I wrote a Petra remover and Stormbringer wrote a SMEG killer. My point is that if you've an interest in viruswriting, you also have an interest in anti-virus products/writing. And why shouldn't it be vice-versa? How did the AVers first start? Didn't viruses facinate them at all? I think so.. RS> One other, separate, group should be noted. Viral programs are often cited as an example of "artificial life", and the research community in that field, both professional and amateur, have a legitimate interest in viral programming. TU> I won't classify viruses as a life-form, maybe as an art-form, but that is something different :-). A virus won't learn, it ain't smart, and it doesn't think. A virus isn't a lifeform by my definition of what a life is. Viruses can't drink, fuck or even breath. They do what they're programmed to do, and nothing else. It's sad to see people that you could think were on a lsd-trip thinking of a virus as a lifeform. You can call Mark Ludwig whatever you want, but I stick with defining him as an "asshole-dreaming- unlogical-dreams". RS> Work in the a-life field, however, does not justify unregulated code and source exchange. For one thing, current viral programs "in the wild" (those which are to be found in normal home and business computers, as opposed to those which exist only in a research or laboratory environment) have only the most tenuous claim to artificial life. Common viral programs are simplistic snippets of code without anything like the complexity of the simplest known natural life forms. In addition, those who really do work in the artificial life area will be well aware that it does carry possible dangers, and that research should be subject to controls similar to those imposed on biological and genetic study. TU> I mainly agree on Rob here, but there's however a few vague things I would like to comment. The true "A.L" reserchers is a minority of "viruswriters", and since their viruses won't escape into the wild it's kinda overdoing it to discuss this since those "reserchers" share nothing in common with the "vx-underground". However, since I'm an open-minded individual, I can as well discuss things that I don't agree upon or have no interest in at all. (Gee, I don't quite understand why people classify me as evil?) In my opinion viruses cannot be classified as A.L, but maybe they can someday somewhere in time. It's in my opinion way to early even to bother about this.. But how about A.I.? Artificial Intelligence could be implemented into a virus but if it (the virus code) serves a good purpose (i.e. they can do something 'normal' A.I. cannot) isn't to me very obvious. So - if you have any knowledge about this, feel free to contact me about it, I won't be bothered typing up a lot of stuff I don't know shit about (well, atleast I admit it). RS> The most common argument for virus-writing tends to boil down to, "You can't stop me." Many promote virus writing on the grounds of freedom of speech, a rather curious position in light of the incoherence of the arguments. (The most vocal of these tend to be Americans, who frequently cite "First Amendment Rights". This refers to the first amendment to the U.S. Constitution, which Americans tend to see as some universal law, rather than an arbitrary political document, however desirable.) TU> Hmm, I wonder if Rob know that not only the oh-so-holy-fucked-up-USA got laws about freedom? Places like Europe (who for your information Rob is more than one country even though The European Union is trying to make it into one), for example! Every country in the west has got equal laws concerning this and without any 'country-brag' Sweden got the world's most liberate laws about these kinda things! And gee, doesn't viruswriters exist all around that globe and why wouldn't we refer to that law as well? Again, this is not a law-issue and viruswriters won't just write viruses because it's legal. It's legal to write a word-processor as well, and if you ask Microsoft if they made MS-Word because it was legal they would think you're insane. Well, alright, it might be silly to compare those things since it's you won't make any economical profit for writing a virus, but fact remains; we won't just write viruses because it's legal. RS> Rights, though, carry with them a weight of responsibility. TU> Who're we to be responsible for? We can't be held responsible if someone uses our code for something we didn't approve on. You think so? Well, I'm not going to ramble on about definitions and what a good sense of responsibility is all about, I couldn't really care less. What if I'm consider myself as a normal responsible guy, and Rob disagree me. Well, that's his problem. This also mean that I don't personally give a fuck if someone uses one of my viruses for evil purposes. Actually I would be quite happy with it. I bet scums that call themselves moralists would consider that irresponsible, but I don't, so let's go on. RS> As is often quoted, your "right" to swing your fist ceases at the end of my nose. You have a "right" to free speech--so long as you are responsible and do not perpetrate fraud. You have a "right" to study whatever you like--so long as you are responsible enough not to carry out experiments in poison with human subjects. No PC is an island--at least, not where viral programs are concerned. Therefore, your "right" to study, write and distribute viral programs carries the responsibility to ensure that your creations do not--ever--run on machines where they are not authorized. TU> With this knowledge, we can classify viruswriters into two categories. Responsible writers and irresponsible writers. Yay. Just too bad for little Rob that nearly noone belongs to the last mentioned category. (Except for a cool programmer from Norway who denied me contributions for this issue.. Bummer!) Anyhow, now we're at the "who-are-to-be-held-responsible" issue again, aren't we? Let's say I wrote a virus which I know was dangerous if it would leak out. But I also know it wouldn't since my system was a close system (I never copied anything to other people), and I sure as hell wouldn't be all that crazy to give it away - not even to my best friend. Well, then imagine if someone one rainy day stole my computer and sold it to someone else (not knowing it was stolen). The theif had ofcourse not removed the virus from the system (since he wasn't aware of it, duh), and the customer later started a software-copying-club which resulted in the virus leaked out in the wild and caused a major panic all over the world. Is that my fault? Would I be classified as a computer-terrorist motivated by hate because I was a total in-real-life-failure out seeking revenge? Ok, it's pretty unlikely this would happen, but consider the spread of Tequila and let's assume they didn't infect their fathers computer on purpose. Then who are to blame? But ah well, I assume this wasn't what Rob was talking about he just classiify the vx-underground as not-very-responsible. Well, that's his opinion and opinions does really vary. I stick to mine, but respect his (shitty) opinion. One can always hope that he respect mine as well. RS> One of the most confusing aspects of the "exchange/no exchange" debate is the concept of the "good" virus. There is nothing inherently evil in the concept of reproduction. (Dangerous, yes.) In fact, the very earliest experiment with self-reproducing programs was the Xerox Worm of Shoch and Hupp. This was designed to spawn "segments" of the central program on other machines in the network, thus bringing the power of many processors to bear on a single problem. Thus, in theory, viral programming could represent the same level of advanced technology in software that parallel processing represents in hardware. TU> So what if the first worms was programmed by professionals who wanted something useful done? What if there's people who think viruses are good? What if Masud wrote a virus to compress files? What if Stormbringer wrote a self-replicating-encryption-device, I mean, 'SO?'. The majority of viruses is not designed to perform one useful task. They're mainly programmed to replicate and that's in most people's opinion not good. Some viruses also destroy a lot by trashing the HD. That's not too good either. Good-viruses is a non-issue (read IR#6), and I find it quite amusing that people really are conserned about this issue. RS> That's the theory. And it is promoted by no less eminent a researcher than Dr. Fred Cohen, who did seminal work on the security-breaking class of viral programs in a thesis, in 1984, and dissertation, in 1986. Unfortunately, the theory founders on some rather hard facts. There are three questions to ask of a new, inherently dangerous, technology. Has it a useful application? Can it fulfil that application better than current technologies? And, can the danger, either inherently, or effectively, be controlled? To date, no one has answered those three questions. TU> Well, I won't be bothering too much about question 1, but the replication code in the so called good-viruses we've seen served no purpose really. Diet (which Masud used for compression) was already invented, Stormbringers IDEA-encryption-virus could have been done with a normal TSR. I.e. in those cases, they couldn't acomplish the tasks better by selfreplication. However, it's possible to control the spread of a computer-virus. For example, check the label on the HD and let it just replicate on those machines with that very special label. (Creativity could probably solve question no 3). RS> While a variety of uses have been proposed for viral programs, there are none which are not effectively being done by other means. No viral programs have, indeed, been seen to be as effective as normal systems. Operating system upgrades could not guarantee universal coverage. Network management tasks could not promise reliable feedback. Automated utilities would confuse novice level users, who never run utilities anyway. The most useful function is still that proposed by Shoch and Hupp--and their programs were not, strictly speaking, viral. (Vesselin Bontchev's examination of this question is the most detailed to date, and is required reading for all who want to join the debate. His proposals, while demonstrating good ideas for safety and control, are still primarily an advanced automated distribution system. The necessity for viral functions in this regard is still unproven.) TU> I really like reading "The Weasels" write-ups, but since they're all easy to get your hands on I won't be bothering to quote them here and to reply to him as well. My best sugesstion is like Rob's that you should read them, too. RS> Those in the vx camp will point to two current viral programs which, they say, do have useful functions. One of these programs produces compressed executable files, thus saving disk space, while the other performs encryption on files. TU> The first one sounds like Masud's virus which used the Diet algorithm, while the other one is Stormbringer's. (Information about them described above). One could probably list a lot of viruses which in some people's opinion could be considered "good". There's a few viruses which removes other viruses. There's viruses that includes fancy payloads that makes you laugh (that's good). There's viruses that knocks down VSAFE from memory, and that could perhaps also be considered good? I havn't yet seen one good virus though because all these things could have been done with normal programs. RS> However, both of these functions are provided by other programs--from which, indeed, code was stolen for those two "good" virals. TU> Well, Masud did really steal the code of Diet, but I bet he could have developed an own algorithm as well. Why he chose to use Diet is for me (with an evil mind) quite obvious. Now all AV-programs also had to scan inside diet-compressed files, making the scanning a lot slower. (Before it could just ignore those files..). One quite cool idea conserning viruses making scanner-software slower would be to combine (Pklite?)Compression/Polymorphism & Mid-File infections. Wow. Just too bad I can't write one of those myself.. However, since a friend of Stormbringer (King of Hearts) implemented the IDEA (International Data Encryption Algorithm) in a program, one cannot call that code-theft. Stormbringer as well could easily have done the same thing since he seems to be a kinda-expert on those things. RS> Neither of the viral programs are as easy to use or control as the original programs, and both have bugs which must place them firmly in the malware grouping, for nuisance value, if nothing else. TU> As a matter of fact, Stormbringer's program would only infect by the request of the user making it very easy to control! It wouldn't leak out! However, it did indeed bug. For example, I started to write a book some while back, (on normal-papers), typed it in to ascii-format and tried his GV v1.01 (Good-Virus v1.01) on it. It wouldn't decrypt it even though I entered the right password (I know I did so because it didn't delete my file). Now that's not good, but I don't blame him :-), I could have well used a ordinary runtime encryption program for that task. For your information by the way the book was non-viral-related and somehow just confusing and crazy. I will give it out when the world is ready for it, but not before that time :-). RS> Currently, therefore, the utility of viral programs is very much unproven. This would, though, mean only that they are neutral, were it not for the lack of any demonstrable control. Methods of control have been discussed primarily by Fred Cohen, but even he remains unconvincing. The mechanisms generally are limited to environmental checks which can either fail, or be easily cut out of the program. Some have proposed "hunter" virals, to go after programs which "turn rogue", but a program which is corrupted will behave in unpredictable ways and a hunter program would likely consume a lot of resources, fail, or (most likely) both. (Cohen frequently cites viral "programs which have been running since 1986 with no ill effects" and speaks of a VCE (viral computing environment). There are two points to be noted here. One is that Cohen has not yet described his viral programs in anything like the detail he put into his earlier work, so there can be no independent assessment of his claims. The second point is that the very term, VCE, implies that a viral computing environment is substantially different, and should be kept separate, from the "normal" computing environment as it is currently known. A VCE may very well be a powerful entity, but it is still an unknown and unproven concept.) TU> Yeah, Yeah, whatever.. RS> Computer viral programs have an inherent danger: that of reproduction and spread. If you study explosives, and pass along that knowledge, you also have to pass along the materials before there is any risk of a blast. TU> This isn't very true. What if I tell a moron exactly how to write a virus, but don't give out any source code? Then, he can also write a virus! The same goes with explosives. Okay, I'm not the Conzouler-kinda-expert-guy on this topic but some bombs are easily made and any normal person can get the material for making one. However I don't have to build bombs since we already got dynamites. Want to buy? Contact me about it, I bet Rob would wet his pants if he knew. RS> Even then, the materials do not multiply themselves: when exhausted, another supply must be found. The same is *not* true of viral programs. These entities are *designed* to reproduce. And, unlike the study of dangerous animals, or even germ warfare, viral programs are built to reproduce, multiply and spread without the aid of a skilled, or even aware, operator. If you are careless with a deadly animal or weapon, it is still only a single danger in a localized area. If you are careless with a computer virus, it can spread world-wide. TU> Now we are blowing things up, saying that viruses are (in some cases) worse than bombs is overdoing it. It's silly to compare such things, and beside this fact, he's wrong as well. A Nuclear bomb causes danger in more than a local-area and for a very long time. It will create different new viruses, mutating spreading, and killing for a very long time, indeed. RS> We do not use computers because they are smart. Computers *aren't* smart. Sometimes we use them because they can do calculations very quickly, but even this is only a special case of the real value of computers. Computers always do the same thing in the same way. They are repeatable. They are, in this manner, reliable. Even a computer error can be useful to us--so long as it always happens the same way. TU> Yeah, I know for fact computer's aren't smart and all this facts listened above, your point being? RS> Consider, then, the computer virus. In order to reproduce without the informed assistance of the user, the virus must be, in the computer sense, transparent. It must operate without alerting the operator, or interfering with the operator's interaction with the computer. If the virus even posts a notice ("Hi! I am infecting object X!"), it has a nuisance value and is, therefore, not good. (Vesselin Bontchev notes that even such a notice, by possibly delaying a process, may have grave consequences far beyond annoyance.) If, however, the virus does *not* notify the operator, then the operator is not aware of some additional code in the machine. This extra code will have an unknown, and inherently unknowable, effect on the computer. The operations of the computer are, therefore, no longer repeatable. This is a Bad Thing (TM). TU> Well, If a virus activates a visible activation routine like printing a rude message, the operator can simply just remove it and the problems should be solved. However, the person who're responsible for the computer-sucurity (like an operator) should not let a virus infect his computers in the first place. It's all his fault really. If he doesn't find the virus, well - then the virus can really spread which should be considered a victory to the viruswriter. If the virus doesn't get noticed because it activates no payload, makes no program hang and just sits there then where's the harm? Isn't it often so that if we don't know something, we have no problem with it either? RS> Some will protest that I have overblown the danger of both the notification messages and the possibility of conflicts. The point that I am trying to make is that you cannot predict the harm which may arise from interference either with the operator or the programs. TU> Well, viruses have existed during the last decade and if no AVers have had a single report concerning a non-destructive virus that has damaged or harmed something with just its presence I really doubt there's a danger. RS> Software is digital, and is subject to catastrophic collapse without prior warning. For those without a background in computer risk assessment, an excellent overview for the non-professional is found in Lauren Wiener's "Digital Woes" (cf. BKDGTLWO.RVW). An intriguing compilation of the types of things that can go wrong is to be found in Peter Neumann's "Computer Related Risks" (cf. BKCMRLRS.RVW). At the very least, as Sarah Gordon points out, the virus is an autonomous agent, making decisions and carrying out activities according to it's own internal constructs and the intention of its programmer. This is very likely not in correspondence with your own intention, and is therefore an invasion of privacy. TU> Since Rob named no concrete example of what could go wrong, I won't comment that either. However, I don't find it an invasion in someone's privacy if he gets infected with a virus. (Unless the virus collects information from the HD and emails it away, ofcos). However, one of my strongest beliefs is the belief in private right and consider people has the right to privacy. Another thing I believe in is information freedom. If I found virus-writing in any way what-so-ever to be an invasion of privacy, I would have to consider real hard which of my beliefs was most important to me. Would I write viruses without spreading in the wild, but distribute the source code as information? Well, honestly, I don't know, but I don't agree Rob on this one so I really don't have to consider it either. Viruses won't collect/distribute private files, they will only alter them. If you can't deal with it, well, don't buy a computer! RS> A number of virus writers will object that their creations simply are not harmful. TU> I never said my viruses won't do any harm, they do indeed make some harm since I code them destructive. If I make a 100% compatible virus (which however might be considered impossible), it's harmful. RS> Not only is it impossible to guarantee that your virus will not conflict with existing systems, you also cannot guarantee that a given system will not conflict with your virus. Almost all file infecting viral programs will interfere with applications which have an internal integrity checksum or a non-standard loader, and will cause those applications to fail. (An example of this is that Windows programs infected with DOS viral programs always fail to load.) TU> Sure thing. Viruses can't be compatible on everything and they just might hang the system once in a while. But if they do, atleast they'll notice it and can remove it. No real damage done. RS> The "Ohio" virus (a prior version of Den Zuk) was not intended to carry any destructive payload, but an unusual interaction with a certain network operating system caused fatal disk corruption. Since both Ohio and Den Zuk are examples of the often proposed "virus hunter virus", it should be clear that the concept of using a viral program to hunt down and disinfect other viral programs is not a good one. TU> Yeah, Yeah, he could as well has written down all buggy viruses out there saying "if one of those hangs a PC-server in a big company, that could result in the company being bancrupted". . Furthermore, I never said that viruses which removes other viruses of the same time is good. They just get rid of the competition. RS> Historically, and statistically, virus exchange people have been careless and incompetent programmers. TU> Yeah, maybe so, viruswriter's are hobby-programmers, we won't make any profit of it and viruses are free to use so what can the users possible expect? ;). So what if we don't test our viruses on all availabe configurations, that's not the really the point. The point is that they should be capable of spreading themself and they do. RS> Remember that we are talking vx, here, and those viral programs which have been released into the wild. There may be, carefully hidden in the desk of a virus writer, the "perfect" and harmless virus. If so, we haven't seen it yet. The majority have obvious bugs, sloppy coding and derivative programming. Less than one percent are interesting for *any* reason; only a handful have unique styles of algorithms. And even these last have programming pathologies. TU> Well, I don't consider viruses to be sloppy (in the meaning of unoptimized, right?) coded. A few viruses has though obvious bugs, but they'll most likely be corrected in the viruswriter's next virus, so no worries. And if Rob doesn't consider viruses interesting, well, that's just his opinion. Not everyone think viruses isn't interesting and are they not allowed to think so because he think different? RS> There are two other reasons often given to justify virus exchange. The first is generally described as experimentation and education. The second is described as antiviral research, or, more commonly, assessment of antiviral programs. These arguments *do* have some validity, and should be examined. Ultimately, though, the reality fails to support the claim. TU> Viruswriters also experiment for educational-purposes but we call it learning. We also write anti-virus software if we find no other solution of how to protect ourself against our own creations. We don't wanna be no Frankenstein either :). This by itself is enough reasons to write and study viruses. We won't need any other (if even the above listed) reasons to write them. We don't have to be acknowledged by so called "decent folks" to write viruses. They think it's bad, we think not and noone are in the posession to say what's wrong or what's not. RS> The call for experimentation is somewhat tied to the argument for a "good" virus. Current viral technology may be crude and ridiculous, but how can it be improved if there isn't any work or sharing of results? Quite true. The vx community, however, have obviously not read or noted any programming journals or texts. Discussions of programming and algorithms are supported by well- annotated code fragments. You don't present a whole program to discuss a specific function any more than you send an entire car with a manual on auto repair. You certainly don't use encoded or "DEBUG script" object code: that has no explanatory value at all. TU> Well, if you have an idea you would like to present isn't it better to give a complete example of a program to show how it works rather so the reciever of the information can start immediately to test things out? I think so. RS> And I have yet to see, in the vx materials, any discussion of legitimate and positive uses for viral technology, any discussion of control technology, or any discussion directed at ensuring that viral programs do not create conflicts. TU> I can't give no answer why other groups hasn't released any discussion article about positive uses for viral-techology, but I can however answer why I havn't. I find no point in making viruses good. Viruses do, however show some flaws in the information-society. Some just might consider that good. If I by trashing HDs and creating chaos with my viruses, I might alert people that they shouldn't rely too much on computers and on the same time notify them the value of information. They won't (most likely) not presure information before the information is gone. By doing this, I teach them computer-security the hard way. RS> In regard to education, it is true that a study of viral programs is related to a knowledge of operating system internals, as well as assembly language programming. However, viral study *requires* such knowledge, rather than providing it. Giving someone a virus and expecting them to learn from it is akin to "teaching" a surgeon by handing him a scalpel and pointing at a patient. Even the vx "old guard" are beginning to realize this. Viral programs use normal computer functions. If you understand computers, a virus is trivial. If you don't, well ... TU> Well, I don't think anyone everyone with decent computer-skills do understand how computer-viruses works. To understand viruses, you have to know the operating-system very well, you have to know assembly language and you also have to know file (or other media on where virus itsert itself) formats. Calling everyone not knowing the above named things "A person who doesn't understand computers" is wrong. They won't just understand viruses. For understanding viruses, you have to understand computers, but not vice versa. RS> As far as virus exchange tutorials go, well, let me put it this way. I am a teacher. Many of you will also know that I review technical books on a daily basis. Some are great, enough are good, many are bad and some are just plain awful. Only a few are worse, in terms of tutorial effectiveness, than vx "zines" (electronic periodicals). TU> Well, with the chapter above he just did attack nearly every vx-group in existence. We don't write technical tutorials for idiots, we write them for people who are interested in viruses but don't yet know where or how to start. We don't want morons in the scene, if it's too difficult for people reading them, the message is clear "Don't start!". RS> Recently, someone who makes his living pushing virus source code promoted a collection of viral programs by suggesting you could test antiviral programs with it. This, superficially, sounds like a good idea--if you don't know what *real* software testing is like. TU> How many viruses a program can find/remove is somehow informative to how good the product is for the customer who wants to use the program only for scanning. However, such a test simply isn't enough, but nevertheless, it's how most AV-tests are done. I don't know who the described person is, but atleast it sounds like a good business-idea if you want to fool morons. RS> What do we know about the quality of this "zoo" (set of virus samples)? What do we know about the structure, organization, documentation and so forth? TU> What do we need to know about the above named things? Most customers won't really care about that at all since the majority of people using AV-programs only use the scanning parts. If they're easy to use (such as F-Prot), they're feeling comfortable with using such a product. Most people won't really give a fuck how well written the program documentation is, how well the code is optimized, how the companies structure look like, etc. I'm not saying that the name named things is umimportant, they are, of course. All that I'm saying is that it's a dirty world and if you find a good business idea, why not use it even though it means (to some extend) fooling your buyers. RS> How many duplicates are there? Of course, we *do* want duplicates in some cases; we want every possible variation on polymorphs. (For Tremor, that works out to almost six billion files.) But then, this collection was on a CD-ROM. What a pity. The most successful viral programs are boot sector infectors, and you need to have real, infected disks to truly test for them. At a minimum, you'd want all seven "common" disk formats, in both system and non-system versions. That's fourteen disks--for *each* BSI. [* Boot sector infector- ED *] TU> Yeah, it's hard to test products.. So, why not just thrust experts such as Vesselin? His tests are good. If they'll be in the future as well is though not very clear since he's now working for F-Prot. RS> For all the length of this piece, it is still only an overview. And, for all it's length, it probably hasn't convinced anyone. Ethics education (it used to be called "values education"), in whatever form and however presented, has very little to show that it works. There are various theories and models of moral training, the most sophisticated probably being Lawrence Kohlberg's "Moral Development" schema. All, though, basically boil down to sitting around talking about ethical dilemmas. They may develop debating skills and rhetorical sophistry, but there is no evidence to suggest that any of these programs leads to any significant change in behaviour. While Kohlberg's model of moral development has the most detailed construction, its utility is questionable. His system is not so much one of values education as of values measurement. It is, therefore, a guideline for evaluating other ethical training methods rather than a means of instruction and change. Moral development is a six stage structure, assessing the type of reasoning which goes into ethical choices. The stages range from "fear of punishment" to "internal ethical principles". There is great difficulty, however, in determining the "stage" of a given individual. Most ethical discussions will be judged as having reasoning at all of stages three, four and five. This entire document, for example, could be dismissed as being level one reasoning since it mentions the possibility of the danger of virus distribution and could therefore be seen as a "fear of punishment" (negative consequences) on my part. On the other hand, most of Kohlberg's proponents dismiss level six, since even a psychopath could be said to be acting from internal principles. Kohlberg, himself, has stated that he does not know if anyone consistently acts from stage six reasoning. Probably the major reason for this is that modern society has no fundamental moral foundation. The most widely cited (and Johnson gives an excellent critique of it) is utilitarianism--"the greatest good for the greatest number". Leaving aside the difficulties of assessing such a measure, utilitarianism, along with all the other modern "humanistic" philosophies, has nothing to support itself. Why is "the greatest good for the greatest number" to be chosen over "what *I* want"? An alternative is deontology; ethical principles derived from the concept of duty. (Ironically, this philosophy, while arguably superior to utilitarianism, is limited to Kohlberg's stage four almost by definition.) Again, however, there is no underpinning to the concept of duty, itself. Ironically, the much maligned "Judeo-Christian Ethic" did have such a foundation for moral standards--God. The theistic universe may yet have the last laugh over the mechanical universe of B. F. Skinner's "Beyond Freedom and Dignity". Maybe Jesus *is* the answer--or there may be no answer. TU> Jesus is no, never has been and never will be an answer to anything since he doesn't exist. I am not saying that noone named Jesus never lived "Once upon a cross", but he sure as hell wasn't God and if he lived two-thousand years ago he's gone, dead and spending his time togheter with his father in a warm place known as Hell. That might however mean that he's still around us somewhere. (Australia is hot, right Qark?) Well, I don't know, and I won't debate about religion, again). Bibliography Bontchev, "Are `Good' Viruses Still a Bad Idea?", Proceedings of the EICAR '94 Conference, pp.25-47, also ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip Clarkson, "Windows Hothouse", 1994, 0-201-62669-1, U$34.95/C$44.95 - lots of artificial life fun with Visual C++ Cohen, "It's Alive!", 1994, 0-471-00860-5, U$39.95 - an intriguing, provoking and practical exploration of computer programs as "artificial life", but somewhat narrow Denning, ed., "Computers Under Attack", 1990, 0-201-53067-8 - collection of essays roughly related to security, also "the net" Ermann/Williams/Gutierrez, "Computers, ethics and society" - textbook for computer ethics course: not great Gordon, "Technologically Enabled Crime", 1994 Forester/Morrison, "Computer Ethics", 1994, 0-262-56073-9 - lots of great stories, but short on analytical depth Johnson, "Computer Ethics", 1994, 0-13-290339-3 - the basic work in the field, thorough coverage and good discussion starter Levy, "Artificial Life", 1992, 0-679-73489-8, U$13.00/C$17.00 - an interesting wander through fields studying artificial life but no strong points Neumann, "Computer-Related Risks", 1994, 0-201-55805-X, U$24.75 - exhaustive examples from the RISKS-FORUM Digest of potential technological perils Slade, "Robert Slade's Guide to Computer Viruses", 1994, 0-387-94311-0/3-540-94311-0, U$29.95 - chapter seven looks at the computer virus and society Thro, "Artificial Life Explorer's Kit", 1993, 0-672-30301-9, U$24.95/C$31.95 - good fun, but little analysis Wiener, "Digital Woes", 1993, 0-201-62609-8, U$22.95/C$29.95 - excellent introduction to the risks of software (A fuller bibliography on values education readings is available for those demonstrating a willingness to put some effort into it, since, frankly, it's a really disappointing field. Sarah Gordon's "Generic Virus Writer" paper has significant resources here.) copyright Robert M. Slade, 1995 Permission is granted to post this file, in full, on any system. ====================== DECUS Canada Communications, Desktop, Education and Security group newsletters Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 Author "Robert Slade's Guide to Computer Viruses" (US contact 1-800-SPRINGER) ================================================================== ============== Final-Comments by TU> I wrote this text ages ago and if something is wrong, well.. blame the time-gap, not me :-). I didn't bother to read it (even once), which means that I only did write the damn thing :-). Hope it was as boring to read that it was to write.... Take care, and yea, don't forget: Moral does never lead to anything good, so better just do the same with moral as you does with everything else: Screw it! :) ___ The Unforgiven ___