[infowar.de] Virus programmers see themselves as a "service to the community"



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

A somewhat different perspective for once.
For a closer look, I once again recommend the current Telepolis book
on "Netzpiraten", which also contains a text of mine on
U.S. cyberwar activities:
http://www.dpunkt.de/buecher/3-88229-188-5.html

Regards, Ralf


http://www.wired.com/news/technology/0,1282,49483,00.html

By Michelle Delio 
2:00 a.m. Jan. 7, 2002 PST  
      
Although it may seem trite to fret about computer virus attacks when
compared with larger global security concerns, a seemingly endless
onslaught of virtual vermin plagued computer users in 2001.

"In 1999, we were catching one virus per hour," said Alex Shipp, chief
technology officer at Messagelabs, a security firm. "In 2000, it was
one every three minutes and now in 2001 it is one every 30 seconds,
and rising." Other antiviral companies have reported similar
statistics.

Anyone whose computer or network has been disrupted by a piece of
nasty code may be surprised to learn that some who create and release
worms and viruses look upon their work as performing community
service. Many virus writers say their "hobby" is a charitable donation
of their time as they provide skills to help others who are less
fortunate -- or at least less technically inclined -- to learn about
computer security.

"Better that you find out about a hole in your system through my
virus, than through some unethical cracker smashing into your machine
and stealing all your so-called private data," said a worm writer who
asked only to be identified as CAT (for "Criminal and Anonymous
Terrorist").

They also contend that their malicious code helps to keep some
computer security experts employed. And some virus coders believe that
anonymously releasing worms is safer than reporting vulnerabilities to
the software manufacturers themselves. They fear that companies will
respond to a bug report with counter-charges of hacking.

"C'mon, none of the big software companies are going to press charges
against someone who reports a hole in their software," said Jeff
Vondell, a copyright lawyer. "But there's a definite and growing
attitude amongst some of my colleagues in other countries that in the
U.S., the big corporations write the laws.... The arrest of that
Russian programmer last summer certainly didn't help foster a feeling
of confidence in our legal system in other countries."

"Dmitri's (Sklyarov) case and that new U.S. law (the so-called Patriot
bill) that classifies hackers as terrorists has forced a lot of people
to think about whether it's safe to inform companies about security
holes," said a virus writer who wanted to be identified only as Perro.

"If they ask you how you found out, ask you to provide your research,
can they then arrest you for hacking into their product?" wondered
Perro. "Did you break their copyright when you looked at their program
code? Some people, especially outside the U.S., think it's now safer
to release a worm than make a bug report."

Sklyarov and his employer, Moscow-based ElcomSoft, were charged last
July with violating the Digital Millennium Copyright Act for selling a
program that allows users to disable copyright restrictions on Adobe's
e-book software. Sklyarov, who coded the eBook processor, was arrested
at a hackers' convention in the United States and imprisoned for
almost four weeks. The charges were later dropped.

Sklyarov's arrest was followed by protests from those who believe the
DMCA, a law that punishes anyone who distributes "any technology,
product, service, device, component or part" which bypasses
copy-protection mechanisms, will also be used against those who expose
security flaws.

"You (software manufacturers) declared war on us, and we have accepted
it," CAT said, in reference to the Sklyarov case. "We are called
criminals. We have been arrested for pinpointing vulnerabilities. So
how else can we get your attention but by releasing worms?"

But not everyone agrees with hackers' fears and rationalizations for
their activities.

"I have never heard of a company prosecuting someone who reported a
security hole to them, but they can report these problems anonymously
if they are worried," said Jerry Freese, intelligence officer at
Vigilinx, a security assessment firm. "They can also alert a trusted
member of the media or security community if action isn't taken. There
is nothing noble about wreaking havoc in the e-world, on what has
become a critical part of the economic and social structure."

According to Computer Economics, the Code Red worm alone cost an
estimated $2.6 billion in lost productivity and clean up.

Vondell noted that Sklyarov wasn't arrested for pointing out security
vulnerabilities, but for distributing a product that took advantage of
those vulnerabilities. But virus writers also correctly point out that
Sklyarov wasn't distributing the product; his employer was.

Other virus writers are merely young adults or teens who seem to think
that releasing a virus is nothing more than a modern version of a
prank phone call. They just get a kick out of writing self-replicating
code and watching how far it spreads.

Many virus writers said they write code out of anger, although they
maintain it's not directed at the people whose machines their code
infects. Still, they often consider their victims as laughably
ignorant for allowing their machines to get infected.

CAT pointed out that a significant number of worms and viruses exploit
vulnerabilities that are already well known and patchable.

"Some (of these vulnerabilities) have even been known about for
years," CAT said. "And the biggest of them has been known for
centuries: 'Human Stupidity.'"

Virus writers often save their real venom for software developers,
governments that the writers feel favor "corporations over curiosity,"  
and the antiviral firms who they say profit off their work but condemn
them as criminals.

"If we all decided to stop coding and releasing tomorrow, entire
industries would collapse," Perro said. "Admit it: None of you who
profits off our supposed bad deeds really want us to stop releasing
our babies into the world, do you?"

"There are responsible ways to alert people to problems, and
irresponsible ones," said Sarah Gordon, senior research fellow at
Symantec Security Response. "Creating a program that makes copies of
itself, and setting it loose to run amok amidst an unsuspecting
population is hardly responsible. It is not research, and it is not
acceptable in our society."

Russ Cooper, moderator of the NTBugTraq security mailing list,
suggested that virus writers who see themselves as educators might
consider "finding work that benefits the public in a positive way."

"Write a new game based on the premise of teaching the player all of
the different insecurities in their OS. Go to work for (software)  
vendors as quality and assurance testers, or coders, working towards
preventing exploits," Cooper said.

While some security experts acknowledged the frustration they feel
when a user clicks on a virus-laden, e-mailed attachment "yet again,"  
or doesn't stay current with security patches, they didn't feel that
releasing viruses was a valid response to the situation.

"Yes, you can get into an emotional state where you feel that users
are getting what they deserve," said Steven Silverman, a systems
administrator. "But we all know it's not fair to take advantage of
others' stupidity. I have a pretty shitty sense of balance, but I'm
trying hard to learn to skate. And, thankfully, the skilled skaters
don't try to knock me down when they see me wobbling by."
