Wednesday, December 29, 2004

viruses and disclosure

let me make this perfectly clear - i do not support the indiscriminate sharing of viral materials...

you should not share viruses, source code, etc. with people you don't know you can trust (both competence and ethics-wise) and you should not ask for such materials from people you have no reason to expect trust from...

the argument for not sharing materials with people you don't know you can trust should be obvious... they might do something bad or stupid with the materials you give them... the argument against asking is that it legitimizes the sharing of materials in situations where it deserves no legitimacy...

there are some misguided notions that the full disclosure policy that works so well for vulnerabilities would be equally well applied to viruses... let's examine that more closely...

a vulnerability, ultimately, is a mistake... whether it's a mistake in the design or in the implementation doesn't matter, it's a mistake that in an ideal world could have been avoided and in the real world can (hopefully) be fixed... full disclosure of vulnerabilities benefits us in a variety of ways...
  1. first and foremost it places pressure on the people/organization responsible to fix the problem in a more timely manner than they may have otherwise been inclined to do.
  2. it helps us learn more about the mistake so that in the future we might better avoid it or similar mistakes.
  3. it helps us identify when a program or system no longer meets our expectations of trustworthiness if/when an unacceptable number of vulnerabilities are uncovered or not enough is done to rectify them.


viruses, on the other hand, are not mistakes nor do they depend on mistakes (though some particular viruses may depend on particular vulnerabilities)... the ability to support viral infection is inherent to ALL general purpose computing platforms... it cannot be fixed or avoided - and since it cannot be fixed or avoided, it cannot be used as a discriminating factor when judging the quality of the platform or organization (the fact that windows has more viruses than linux has more to do with the number of windows users there are and the nature of those users than with the fact that windows is garbage)... none of the benefits we receive from full disclosure of vulnerabilities are achievable in the virus realm... what is achievable is...
  1. a state where it is easier for people learning to write and spread viruses to get their hands on examples.
  2. a state where it is easier for people who wish to use existing viruses as weapons of vengeance to get their hands on viruses.
  3. a state where it is easier for novices to get their hands on samples even though they don't have sufficient competence with viruses to deal with them safely.


as such, sharing viruses with people you don't know you can trust cannot be considered to be responsible handling of viral materials and is to be discouraged... instead, one should only share such materials with people one knows one can trust (who in turn do the same - leading to a 'web of trust') and only request such materials from those who you can reasonably expect will trust you...