AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") (09/03/88)
[Sent to mcgurrin, Whitney, Fox, info-apple]

>Organization: The MITRE Corp., Washington, D.C.
>Date: Fri, 02 Sep 88 10:57:15 EDT
>From: mcgurrin@mitre.arpa

>Dave [Whitney], if the bill you mention would make virus *WRITING*
>illegal I'm afraid I can't agree with you that I hope it passes.
>[...] it should not be illegal in a free society to write any type of
>code. Distributing it to unknowing recipients is a whole other story
>[...]

Brian Fox <bfox%vision@HUB.UCSB.EDU> writes:
>I also disagree with making the writing of any type of code illegal.
>This is akin to censorship, which I know the majority of us do not
>agree with.

I would be in favor of a bill making it illegal to write (1) malicious software and (2) viruses, whether they intentionally cause damage or not. Why? Because (1) any virus written is almost certain to slip out accidentally even if it isn't distributed on purpose, and (2) any virus will, sooner or later, cause damage even if it was intended to be harmless. I challenge anyone to present a scenario where a virus could spread with no possibility of causing damage.

I am *not* in favor of any restrictions on what PEOPLE can write for EACH OTHER to read, but I believe a distinction needs to be made between writing stuff for people to read and writing stuff for machines to execute! If all PEOPLE automatically and flawlessly DID everything that message on a piece of paper TOLD them to do, then I'd be in favor of restrictions on human-to-human communication, too!

Where would YOU (all of you) draw the line between what should be legal and what should be illegal, and why?

1. Writing a self-propagating computer program (a "virus") which is almost certain to escape and do damage to unsuspecting computer users;
2. Breeding a biological virus known to have incredible spreading power, one that is likely to escape and present a health hazard;
3. Intentionally releasing a computer virus;
4. Intentionally releasing a biological virus presenting a health hazard;
5. Intentionally doing direct damage to an innocent person's machine-readable data;
6. Intentionally doing direct damage to an innocent person;

I tried to put these roughly in order of increasing ought-to-be-illegal-ness. If you believe some of these things should be legal, put them in order yourself and let me know why you draw the line where you do.

[Brian, still:]
>And besides, there is nothing wrong with "virus" code, it is the
>heinous actions performed by a few of the (improperly named)
>"viruses" that we despise so much.

I think there IS something fundamentally wrong with viruses [see below]. What improperly-named viruses are you referring to? Any self-propagating code is a virus, right? CyberAIDS and Festering Hate are genuine viruses, and they are also malicious.

>Note that there are also good purposes for self-propagating code,
>such as amusement value (max headroom virus), and system-maintenance
>(new-software-release-updater).

I disagree. I don't want ANYTHING fiddling with any of my files unless I *know* that it's going to fiddle with my files. It's a waste of my time and disk space, and there is always a chance that something will go wrong (ex: during a DISK WRITE that is happening only because of the virus and on a disk I would not normally write to, there's a power fluctuation leaving my root block damaged).

As a software developer, it's very important to me that I *keep* old versions of system software around for testing my products with older versions. If I want to use the latest system software, I'll BOOT it!

>I dislike calling someone[']s file-deleter a "virus" program because
>it gives that non-person undeserved respect. Any moron can delete
>files; we certainly don't need some idiot to write a program to do it
>for us.

EXCUSE ME? >NO< virus or other software that fiddles with files or volumes without the user's permission earns its author any of MY respect. Exactly the opposite, in fact.

>Brian Fox

--David A. Lyons            bitnet: awcttypa@uiamvs
  DAL Systems               CompuServe: 72177,3233
  P.O. Box 287              GEnie mail: D.LYONS2
  North Liberty, IA 52317   AppleLinkPE: Dave Lyons
bfox%vision@HUB.UCSB.EDU (Brian Fox) (09/03/88)
   I would be in favor of a bill making it illegal to write (1) malicious software and (2) viruses, whether they intentionally cause damage or not. Why? Because (1) any virus written is almost certain to slip out accidentally even if it isn't distributed on purpose, and (2) any virus will, sooner or later, cause damage even if it was intended to be harmless. I challenge anyone to present a scenario where a virus could spread with no possibility of causing damage.

It is clear from your above comments that you have a phobia about computer software. I have to assume that this phobia is partly due to the word used to describe this particular computer software: "virus".

You later state:

   Where would YOU (all of you) draw the line between what should be legal and what should be illegal, and why?

   1. Writing a self-propagating computer program (a "virus") which is almost certain to escape and do damage to unsuspecting computer users;
   2. Breeding a biological virus known to have incredible spreading power, one that is likely to escape and present a health hazard;

I believe you were saying that both of these should be made illegal, and that they are presented in the order of least important to most important. Well, since we are now talking about biological entities that self-propagate, I would like to ask you a few questions.

Would you be in favor of:

   1. A fast-spreading biological anti-virus that was proven to destroy the (AIDS, common-cold) virus, without any side effects?
   2. Preventing people from copulating and reproducing? Perhaps only citizens in good standing (those that don't write viruses) should be allowed to have babies?

Viruses do not escape, they are deliberately placed somewhere. It is easy for you to avoid being bit by computer viruses; only purchase (or use) programs that you know the origin of, or, like myself, that you have the source code to. (Free Software Foundation plug: Note that if all software had the source code available, we wouldn't have this problem.)

If we have to make something illegal (since we seem to think that will make a difference), let us make the deliberate destruction of personal property illegal (somehow, I thought that it already was), thereby making the unannounced placement of virus code into another piece of software illegal.

I am not in favor of any legislation which prevents freedom of expression that does not harm/prevent another person's freedom of expression. Once we start doing this, we have removed freedom of speech.

   [Brian, still:]
   >And besides, there is nothing wrong with "virus" code, it is the
   >heinous actions performed by a few of the (improperly named)
   >"viruses" that we despise so much.

   I think there IS something fundamentally wrong with viruses [see below].

I couldn't find the [below] you were talking about. What is fundamentally wrong with self-propagating code?

   What improperly-named viruses are you referring to? Any self-propagating code is a virus, right? CyberAIDS and Festering Hate are genuine viruses, and they are also malicious.

I strongly dislike giving the author(s) of the aforementioned `viruses' any recognition at all, since that is the only reason that the code exists. I don't think it is helping us to continue to mention these particular people/programs.

   >Note that there are also good purposes for self-propagating code,
   >such as amusement value (max headroom virus), and system-maintenance
   >(new-software-release-updater).

   I disagree. I don't want ANYTHING fiddling with any of my files unless I *know* that it's going to fiddle with my files. [...]

   As a software developer, it's very important to me that I *keep* old versions of system software around for testing my products with older versions. If I want to use the latest system software, I'll BOOT it!

Fine. You will not subscribe to the service which provides automatic updates. That is your wont, and you are welcome to your own decisions on the matter. Please do not try to prevent me from availing myself of this service.

   >I dislike calling someone[']s file-deleter a "virus" program because
   >it gives that non-person undeserved respect. Any moron can delete
   >files; we certainly don't need some idiot to write a program to do it
   >for us.

   EXCUSE ME? >NO< virus or other software that fiddles with files or volumes without the user's permission earns its author any of MY respect. Exactly the opposite, in fact.

One thing that I have noticed is that you apparently believe that a virus program must manipulate files in order to propagate. That is not true. If computers are attached via a network, then only one of the machines needs to be turned on for the virus to have a place to live. Since the machines are interconnected via the network, the virus can travel from place to place through wires, such as the phone line, ethernet, flat-ribbon, twisted-pair, etc.

At any rate, I have thought of reasons why a self-propagating program might be useful, and I do not want any less-informed legislator making a decision as to whether or not I can use it for myself, my own network of machines, whatever.

Brian Fox
blume@netmbx.UUCP (Heiko Blume) (09/06/88)
well, as with most other dangerous stuff it probably won't be illegal to create or have it, but it will be illegal to cause any harm to others with it. that's because also 'viruses' can be very helpful, for instance multi-processor systems like the connection machine (65536 cpu's) or networks tend to become unmanageable. how can you get the status of each node ?? especially in packet switched data networks like tymnet etc this is nearly impossible.

i think writing a virus is not as risky as writing an operating system like unix or vms.

--
Heiko Blume                    # DOMAIN: blume@netmbx.UUCP { BITNET: ( mixed }
Seekorso 29                    # BANG  : ..!{backbone}!netmbx!blume
D-1000 Berlin 22, West-Germany # Phone : (+49 30) 365 55 71 or ... 365 75 01
Telex : 183008 intro d         # Fax   : (+49 30) 882 50 65
AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") (09/06/88)
>Date: Sat, 3 Sep 88 08:42:38 PDT
>From: Brian Fox <bfox%vision@hub.ucsb.edu>
>Subject: legality of writing viruses

>It is clear from your above comments that you have a phobia about
>computer software. I have to assume that this phobia is partly due
>to the word used to describe this particular computer software:
>"virus".

"Phobia. n. 1. A persistent, abnormal, or illogical fear of a specific thing or situation. 2. A strong fear, dislike, or aversion." [American Heritage Dictionary, 2nd College Edition.]

I have a strong dislike for self-propagating computer software (certainly not a phobia about software in general). I used the word "virus" because there are certain *limited* parallels between self-propagating computer software and biological viruses. "Virus" is easier to type than "self-propagating computer software," too.

>You [Dave L] later state:
>
>   Where would YOU (all of you) draw the line between what should be
>   legal and what should be illegal, and why?
>
>   1. Writing a self-prop[a]gating computer program (a "virus") which
>      is almost certain to escape and do damage to unsuspecting
>      computer users;
>   2. Breeding a biological virus known to have incredible spreading
>      power, one that is likely to escape and present a health hazard;

>I believe you were saying that both of these should be made
>illegal,

I am.

>and that they are presented in the order of least important to most
>important. Well, since we are now talking about biological entities
>that self-propagate, I would like to ask you a few questions.

Ready.

>Would you be in favor of:
>
>   1. A fast-spreading biological anti-virus that was proven to destroy the
>      (AIDS, common-cold) virus, without any side effects?

No, because (1) it could not be proven to my satisfaction that there would never be any side effects, and (2) there's no way to "recall" a virus once it's been released. (The two reasons taken *together* are why I wouldn't support it.)

Instead, any cure for AIDS or the common cold should be developed as vaccine or pill or whatever so that individuals could be vaccinated or otherwise treated. This way the process could be halted if any need were found to halt it. (How would you TEST the virus on groups of people large enough to be sure there were no side-effects and STILL be able to recall it if you DID discover side-effects?!)

>   2. Preventing people from copulating and reproducing? Perhaps only
>      citizens in good standing (those that don't write viruses) should
>      be allowed to have babies?

No. If that is a reasonable extrapolation from my other comments, I don't see how. (Of course, virus writers would have trouble having kids from prison, and it would bother me for the writers of intentionally malicious ones there.)

>Viruses do not escape, they are deliberately placed somewhere. It is
>easy for you to avoid being bit by computer viruses; only purchase
>(or use) programs that you know the origin of, or, like myself, that
>you have the source code to. (Free Software Foundation plug: Note
>that if all software had the source code available, we wouldn't have
>this problem.)

I have trouble foreseeing a time when the source code to all the software I use is available at affordable prices. Also, viruses have been inadvertently included in a commercial product in at least one instance. It could happen again--knowing the origin is not necessarily enough.

What is the Software Foundation? (Or is it the Free Software Foundation? English is wonderfully ambiguous sometimes.)

>If we have to make something illegal (since we seem to think that
>will make a difference), let us make the deliberate destruction of
>personal property illegal (somehow, I thought that it already was),
>thereby making the unannounced placement of virus code into another
>piece of software illegal.

I'm *not* sure it would make a difference, but it might. At the very least it would give lawyers a definite solid offense to prosecute in the event someone *was* identified as the author of any widespread and damaging virus. (I bet anybody who has written a damaging virus has bragged to at LEAST one friend about it...you never know, maybe somebody will get turned in & there will be enough other supporting evidence.)

(Of course, no law can make *past* acts illegal, so we're talking about laws that would make it easier to prosecute authors of future malicious self-propagating software, with no effect on current ones.)

I'm not a lawyer, but I'm not sure all computer-stored information would count as "personal property" (consider software that's "licensed" rather than sold, for example). I have no idea whether there's a blanket law making destruction of [other people's] personal property illegal.

>I am not in favor of any legislation which prevents freedom of
>expression that does not harm/prevent another person[']s freedom of
>expression. Once we start doing this, we have removed freedom of
>speech.

I'm a little fuzzy on how we get from freedom of speech to freedom-to-write self-propagating computer programs. I'll defend anyone's right to express themselves orally, in print, or whatever, but if they invent self-duplicating flyers that I need to spend time picking up out of my back yard, that's different, even if they don't kill the grass.

If writing software *is* analogous to writing things for other people to read, then what about building machines? Should free speech imply that people have the right to build whatever machines they can, no matter what dangers are present? [Would I have the right to build a nitroglycerine(sp?) factory in my apartment building if I lived in an apartment?] If not, then what about software that *controls* machines?

>   I think there IS something fundamentally wrong with viruses [see
>   below].
>
>I couldn't find the [below] you were talking about. What is fundamentally
>wrong with self-propagating code?

Sorry to be vague. Self-propagating code is fundamentally wrong because (1) it fiddles with the user's files, volumes, environment, or whatever without the user's knowledge or consent, and (2) there is no way to recall a piece of self-propagating code once it has become widespread. I believe there is always a better and more reliable way to accomplish the same thing by non-self-propagating means.

>   >Note that there are also good purposes for self-propagating code,
>   >such as amusement value (max headroom virus), and system-maintenance
>   >(new-software-release-updater).
>
>   I [DAL] disagree. I don't want ANYTHING fiddling with any of my files
>   unless I *know* that it's going to fiddle with my files. [...]
>
>   As a software developer, it's very important to me that I *keep* old
>   versions of system software around for testing my products with
>   older versions. If I want to use the latest system software, I'll
>   BOOT it!
>
>Fine. You will not subscribe to the service which provides automatic
>updates. That is your wont, and you are welcome to your own decisions
>on the matter. Please do not try to prevent me from availing myself
>of this service.

I believe I misinterpreted your meaning. I certainly support and use such things as "Installer" on the Macintosh to install system software updates. This is *not* SELF-propagating code. It does not produce copies of itself; instead, the installation program copies the newer system software where it's supposed to go, and that's it. The new copy of the system software won't continue the propagation.

I remain opposed to SELF-propagating installation of system software if it would ever update any version of a system file without my explicit permission.

>   EXCUSE ME? [DAL] >NO< virus or other software that fiddles with files
>   or volumes without the user's permission earns its author any of MY
>   respect. Exactly the opposite, in fact.

>One thing that I have noticed is that you apparently believe that a
>virus program must manipulate files in order to propagate. That is
>not true. If computers are attached via a network, then only one of
>the machines needs to be turned on for the virus to have a place to
>live. Since the machines are interconnected via the network, the
>virus can travel from place to place through wires, such as the phone
>line, ethernet, flat-ribbon, twisted-pair, etc.

I realize non disk-based viruses are possible, and I will extend my statement to cover them: I don't want any SELF-propagating code anywhere in my system, no matter how it spreads. [Beside the point, but I suspect most network-based propagation would still be done through the file system.]

>At any rate, I have thought of reasons why a self-propagating program
>might be useful, and I do not want any less-informed legislator
>making a decision as to whether or not I can use it for myself, my
>own network of machines, whatever.

I'm not sure I'd want to trust legislators on this either. I'm not even sure I could draft a piece of legislation that I'd vote for myself. I support your right to do whatever you want on your own system *if* you can be *sure* that it's not going to get out into other people's systems! Not an easy thing to guarantee.

I can't think of a situation where self-propagating code would have an advantage over traditional things like installing patches at boot time, and using batch files to copy new system software to all appropriate locations on a network.

>Brian Fox

--David A. Lyons            bitnet: awcttypa@uiamvs
  DAL Systems               CompuServe: 72177,3233
  P.O. Box 287              GEnie mail: D.LYONS2
  North Liberty, IA 52317   AppleLinkPE: Dave Lyons