Страница 30 из 89
Vorgon is still angry about life. His next worm, he wrote, will try to specifically target the people who wouldn't hire him. It will have a "spidering" engine that crawls Web-page links, trying to find likely e-mail addresses for human-resource managers, "like ca-[email protected] /* */, for example." Then it will send them a fake resume infected with the worm. (He hasn't yet decided on a pay-load, and he hasn't ruled out a destructive one.) "This is a revenge worm," he explained-for "not hiring me, and hiring some loser is not even half the programmer I am."
Many people might wonder why virus writers aren't simply rounded up and arrested for producing their creations. But in most countries, writing viruses is not illegal. Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.
A virus or worm becomes illegal only when it is activated- when someone sends it to a victim and starts it spreading in the wild, and it does measurable damage to computer systems. The top malware authors are acutely aware of this distinction. Most every virus-writer Web site includes a disclaimer stating that it exists purely for educational purposes, and that if a visitor downloads a virus to spread, the responsibility is entirely the visitor's. Be
Virus writers argue that they shouldn't be held accountable for other people's actions. They are merely pursuing an interest in writing self-replicating computer code. "I'm not responsible for people who do silly things and distribute them among their friends," Be
One of the youngest virus writers I visited was Stephen Math-ieson, a sixteen-year-old in Detroit whose screen name is Kefi. He also belongs to PhiletOast3r's Ready Rangers Liberation Front. A year ago, Mathieson became a
Someone did in fact steal it, because pretty soon Mathieson heard reports of it being spotted in the wild. To this day, he does not know who circulated Evion. But he suspects it was probably a random troublemaker, a script kiddie who swiped it from his site. "The kids," he said, shaking his head, "just cut and paste."
Quite aside from the strangeness of listening to a sixteen-year-old complain about "the kids," Mathieson's rhetoric glosses over a charged ethical and legal debate. It is tempting to wonder if the leading malware authors are lying-whether they do in fact circulate their worms on the sly, obsessed with a desire to see whether they will really work. While security officials say that may occasionally happen, they also say the top virus writers are quite likely telling the truth. "If you're writing important virus code, you're probably well trained," says David Perry, global director of education for Trend Micro, an antivirus company. "You know a number of tricks to write good code, but you don't want to go to prison. You have an income and stuff. It takes someone unaware of the consequences to release a virus."
But worm authors are hardly absolved of blame. By putting their code freely on the Web, virus writers essentially dangle temptation in front of every disgruntled teenager who goes online looking for a way to rebel. A cynic might say that malware authors rely on clueless script kiddies the same way that a drug dealer uses thirteen-year-olds to carry illegal goods-passing the liability off to a hapless mule.
"You've got several levels here," says Marc Rogers, a former police officer who now researches computer forensics at Purdue University. "You've got the guys who write it, and they know they shouldn't release it because it's illegal. So they put it out there knowing that some script kiddie who wants to feel like a big shot in the virus underground will put it out. They know these neophytes will jump on it. So they're gri
Sarah Gordon of Symantec also says the authors are ethically naive. "If you're going to say it's an artistic statement, there are more responsible ways to be artistic than to create code that costs people millions," she says. Critics like Reitinger, the Microsoft security chief, are even harsher. "To me, it's online arson," he says. "Launching a virus is no different from burning down a building. There are people who would never toss a Molotov cocktail into a warehouse, but they wouldn't think for a second about launching a virus."
What makes this issue particularly fuzzy is the nature of computer code. It skews the traditional intellectual question about studying dangerous topics. Academics who research nuclear-fission techniques, for example, worry that their research could help a terrorist make a weapon. Many publish their findings anyway, believing that the mere knowledge of how fission works won't help Al Qaeda get access to uranium or rocket parts.
But computer code is a different type of knowledge. The code for a virus is itself the weapon. You could read it in the same way you read a book, to help educate yourself about malware. Or you could set it ru
Some academics have pondered whether virus authors could be charged under conspiracy laws. Creating a virus, they theorize, might be considered a form of abetting a crime by providing materials. Ken Dunham, the head of "malicious code intelligence" for iDefense, a computer security company, notes that there are certainly many examples of virus authors assisting newcomers. He has been in chat rooms, he says, "where I can see people saying, 'How can I find vulnerable hosts?' And another guy says, 'Oh, go here, you can use this tool.' They're helping each other out."
There are virus writers who appreciate these complexities. But they are certain that the viruses they write count as protected speech. They insist they have a right to explore their interests. Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems. When PhiletOast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the "immune system" of the Internet.