Date: 10 Mar 93 14:27:01 EST
From: Crypt_Newsletter <70743.1711@COMPUSERVE.COM>
Subject: File 6--Response: virus-writing contest

What is the danger of Mark Ludwig's international virus-writing contest? Well, according to contest rules, the winning virus code is destined for publication in the second installment of "The Little Black Book" series.

"Oh, terrible, terrible!," wail anti-virus software developers throughout the land. "More virus code in the hands of anyone who wants it! These miscreants and electronic sociopaths are already making computing untrustworthy enough!"

Bunk. Publishing any or all of the code collected in Mark Ludwig's contest won't make any difference. Why? Because there already exists more well-commented virus source code in general circulation than any one person has time to analyze. Taxpayers can download it by the megabyte from the Bureau of Public Debt's bulletin board system 24 hours-a-day, no strings attached. Or if you feel the need to be more "elyte," more "politically correct," it can be had from the favorite whipping boy of the anti-virus community - shhshhh - your friendly, neighborhood virus exchange sysop.

Beating on Mark Ludwig for his virus-writing contest, then, strikes me as stupid. It's hypocritical, too, because as some involved in virus research know, a great many of the working samples of viruses found on virus exchange BBS's come attached to "sacrificial goat" files bearing the trademark of a number of anti-virus vendors. You can find extremely detailed virus disassemblies on virus exchanges, too. Not so surprisingly, some of these are composed by the same anti-virus researchers who whine in electronic publications like Virus-L Digest about the unrestricted flow of viruses and their source code.

So if the virus-writing contest is dangerous because it subverts the control of "sensitive" information, the anti-virus community lost that battle a while ago, soundly beaten by a large number from its own rank.

Next, do security specialists have something to learn from virus programmers or sponsors of virus-writing contests? Yes, indeed.

For example, about a year ago I wrote a couple of stories on the Michelangelo phenomenon for a daily newspaper. In the course of my research I tried to dig up a few books to recommend to sophisticated readers. Mark Ludwig's "Little Black Book" was the only one I could find that wasn't either horribly wooden or written for someone with the attention span of a very small child. I endorsed it in the pages of a daily newspaper. The sky did not fall. The region's computers weren't besieged by a horde of Ludwig viruses.

In addition, a number of computer security workers within different arms of the U.S. government already consult virus programmers on various security problems. When I asked one of them why, he replied that he didn't want to be backed into relying on the anti-virus community for advice, advice he saw as too self-serving.

That leaves the question of how to distinguish between "benign" and "malevolent" virus programmers. Hmmmmm. That's a tough one, because the picture's more complex than that. Unless you buy the idea that virus programmers either write disk-corruptors set to go off with a bang on weird holidays or make them for courses like Patrick Toulme's "Virus 101," you're stuck coming up with an answer.

You might decide to go with the popular stereotypes of young men with too much pent up hostility or unemployed programmers from politically and economically uncool locales like Russia, Bulgaria and China. But that dog won't hunt if you think of Fred Cohen. Or you can try to describe them as "groups" like NuKe, TridenT or Phalcon/Skism. And THAT leaves out a great many loners who collect viruses like stamps and occasionally need to come up with a fresh one as barter for that new, rare "tunnelling, polymorphic full stealth" beauty from Outer Slobovia. These guys could care less whether any virus they have gets into the wild.
In fact, they probably would like to see less of that - keeps the collection more unique, more "valuable," you see.

Clearly none of these are an answer. So try asking a better question.

George Smith edits the Crypt Newsletter which has published virus source code.