funsec mailing list archives

Re: Get your computer viruses here!


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 29 Dec 2005 14:16:22 +1300

val smith (top-posting to Jason Geffner):

Maybe nothing good has ever come out of malware except for some good
researchers / analysts. Definitely requires more research on my part.

Many/most/all of whom would have ended up doing something similar 
anyway as it's largely a mindset thing...

The idea of software protections came out of copyright needs sure, however
one could argue that advances in that field do sometimes come from malcode
authors.  ...

Which is a "good thing" why?

Competent copy-protection system developers would devise their own ever 
more difficult to crack protections on their own (at least as long as 
the money made their spending their time on it worthwhile).  That's the 
way things work.  That they could rip ideas from essentially public 
domain, initially malware-specific code is just a bonus to them (though 
potentially exposes them to patent and other liabilities if they don't 
do the appropriate due-diligence on the code/idea they're ripping).

Suggesting that you making samples available might improve the work of 
the anti-piracy/DRM/etc folk is hardly going to win plaudits for your 
project either...

And to Randy re biological viruses, no I was making the argument that
sometimes good things can come out of something considered to ONLY be bad.

Yes, a well-understood point, _in the NATURAL realm_.  I'd have thought 
the point here though is that although some "good stuff" has come from, 
and it seems likely we'll continue to see more such "advances", have 
you ever seen a free-for-all biological virus "analysis and 
experimentation" lab?  Nope -- because of the risks of allowing the 
less-than-highly-capable access to such material, it is kept in 
extremely strictly controlled environments and locations.  Computer 
viruses and other malware are not as dangerous as their biological 
counterparts, but responsible access should still be practiced.

Also you'll notice I put "new" in quotes. I know it's not really a new idea
although maybe someone could enlighten me as to a previous project that
tried to provide a shared analysis experience that wasn't limited to "vetted"
researchers.  ...

Investigate the history of VX in general -- you'll find that many such 
operations have "justified" themselves on the basis that they are 
"strictly for educational purposes" and the like.  All nonsense of 
course, just as yours is.

...  I guess I don't feel like I can make the decision as to who is
vetted and who isn't. If I did then perhaps I would be "playing God" in my
kingdom as a previous poster suggested.

So it's better that you just let all and sundry in to do whatever they 
want, benefit however they can and so on?

In short, you are admitting that you have no scruples for, faced with 
what you clearly recognize as a moral dilemma, you decide to solve it 
by ignoring it.  The ethically principled solution to your dilemma -- 
should I do this responsibly or not?, the responsible approach means 
playing God, I don't want to play God -- is, of course, to NOT proceed 
with the project, but that's not the approach you took, so we know you 
are not ethically principled.

Your bio says you have over ten years compsec experience, yet you 
display the ethics of a "normal" 10-12 year old.  I'm glad I'm not one 
of your former customers or employers...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

