Re: (tye)Re: Immoral?
by andreychek (Parson) on Jun 27, 2001 at 19:55 UTC
|
I do agree -- having a Perl virus developed may be hazardous. However, I also feel there are two sides of the story.
Viruses have been a problem for some time, and have been developed in all sorts of languages. There are already PHP viruses. With that in mind, it would seem likely that eventually, someone would write a virus in Perl, it's just a matter of when.
I don't feel that security by "ignoring it and hoping it goes away" would be a good long term solution. Is there anything that could ever be done to prevent a Perl virus from running? I don't really know. However, I would much rather have this opportunity to discuss the matter with the reasonable, intelligent people who frequent this site (not to be confused with "reasonably intelligent people", found at various other sites ;-), than run around trying to clean up the mess after it happens in the future, and THEN having this discussion :-)
So opening things wide open -- is there anything that could be done with Perl to prevent a Perl virus from doing damage? It seems extremely difficult, and I don't know any other language that has figured out a way around this. But if any language could develop a system to aid in prevention, it would be Perl!
tye, I'm not disagreeing with you per se. I suppose that I just feel that since it's going to happen anyway, that perhaps it would be easier to attempt to deal with the issue now. I'm just glad it was a monk offering code up for review, and not one of my users trying it out on my system. But perhaps this should be a non-public discussion -- I'll leave that up to you guys :-)
-Eric
Update: BTW, is there a system for non-public discussion on this site? Password protected forums, forums that require a particular level, etc?
Update 2: After seeing lemming's post, I changed all references to "virii" to "viruses", which is apparently the correct usage. Thanks Lemming :-) | [reply] |
|
Is there anything that could ever be done to prevent a Perl virus from running?
Well, I would like to offer my suggestions.
- Make an unprivileged user and call it "scriptGuy" or something
- Remove all of that user's privileges everywhere, and I mean EVERYWHERE.
- Begin restoring privileges to that user on a need-by-need basis until it becomes a semi-usable account
- Run all scripts as that user
- Never run code found in the wild without understanding it or, at least, trusting the source from which it came
Now, this discussion is going to easily turn into a general discussion on computer security (i.e. shut off ftp and telnet, use ipchains, etc., etc.). But, that might not be such a bad discussion to have.
Jeremy
| [reply] |
|
To clarify, discussing viruses and even producing a virus can be important research. Releasing the code to the world as part of the research is a big mistake in my book. It is the inclusion of the code that I object to, especially in a public place such as this.
And I'm not claiming that hiding this one bit of code will stop the creation of viruses. I am worried that not hiding it could cause the creation of a virus. That is, speed up the creation of a virus or increase the number of such viruses.
This is not a security measure. This is a moral decision to not contribute to the creation of a virus. Sure, think about it and talk about it, but don't hand out seeds to the world. Sure, some virus will probably come along eventually but I don't want to have had a hand in its development!
(updated)
-
tye
(but my friends call me "Tye")
| [reply] |
Re: (tye)Re: Immoral?
by virtualsue (Vicar) on Jun 28, 2001 at 13:40 UTC
|
I waited a day to see if I felt the same way about what you
have said - I do.
On the one hand you casually dismiss the
very idea with a handwave ('I don't find this particularly
interesting') and yet you want it removed because
you think it promotes the creation of "malware". That
isn't interesting? Hmmmm, well, why teach anyone to
program, then? You never know how the potential miscreants
might use that skill later on!
I have always
believed that attempts to hide knowledge from others are far worse
than what someone might do with that knowledge.
The dirtbags of this world often depend on the ignorance and naivete of
others in order to accomplish their dirty deeds.
I see that tachyon has been pressured into
removing the code. I wish he would restore it. I don't
see that there is any need for censorship of anything
put in this forum that was part of an honest attempt to
discuss a Perl issue.
| [reply] |
Re: (tye)Re: Immoral?
by enoch (Chaplain) on Jun 27, 2001 at 19:59 UTC
|
I do find releasing malware seeds to the world to be exactly that.
I don't know. To me, that seems akin to the old mantra "security through obscurity." That is, the "don't-talk-about-it-so-people-won't-think-about-it" kind of mentality always seems to backfire. I, for one, am intrigued by this post; but certainly not in a malicious sense. I am interested because in order to solve problems (if we would want to classify this as such), you must identify the problem and provide proof of concept, which is what tachyon did.
To me, the real discussion should now become "how to provide solutions to this problem". We should discuss making sure non-privileged users (or lowest necessary privileged users) are running Perl scripts. We should talk about verifying code found "in the wild" before running it, etc. Then, after coming up with a way to prevent this sorta thing from happening, we can return to the original problem and see if we can get around the solution we came up with.
Do you disagree with BugTraq? They often talk about and provide proofs of concept for code and techniques that could easily be maliciously employed.
In the end, to me, this could be turned into a very valuable discussion. Granted, the code could be modified in such a way to only provide proof of concept rather than executing that concept at all. But, I find nothing wrong with it.
Jeremy | [reply] |
|
When I've seen malwarish code distributed by security resources, it has always been at least one of these:
- Already in the wild
- Solutions to thwart it are already available
- The code has been very carefully modified to introduce several subtle bugs
- It is intentionally very vague, intentionally leaving out some key ideas required to make it work
- It is a reaction to some other organization not dealing with a security issue in a manner that was considered acceptable by the distributor of the malware
And this last item I find close to the concept that "cracking is good because it gets people to increase their security". Although I think that you can do some very careful cracking to bring home a point about a lack of security, I find it immoral to do damage while doing that. And handing out tools that can be used by others who probably don't agree with me on that is not a good idea in my book.
I never said "don't talk about it". I don't find the working code very interesting. The concept is simple enough that I don't think the working code adds much to it. To stop such a virus you need to prevent/detect modifications to files. The details about how the modifications are done are mostly irrelevant and concentrating too much on them gets you a solution that isn't robust anyway.
It is like untainting variables by trying to think up which characters you want to exclude. You are bound to miss some. Instead, specify which characters that you know aren't going to be a problem. For a virus, you need to figure out ways that scripts can be modified safely and how to prevent/detect all other modification, not just the modification methods highlighted by a proof of concept.
-
tye
(but my friends call me "Tye")
| [reply] |
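The detection approach tye describes, as an added example that is not part of the thread: record SHA-256 digests of known-good scripts and report every deviation, so the check does not depend on how a file was changed. The directory, file names and script contents are constructed for the demo, and `snapshot`, `check` and `write_file` are hypothetical helper names.

```perl
use strict;
use warnings;
use Digest::SHA;
use File::Temp qw(tempdir);

# Map every regular file in $dir to its SHA-256 digest.
sub snapshot {
    my ($dir) = @_;
    my %digest;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    for my $name (grep { -f "$dir/$_" } readdir $dh) {
        $digest{$name} = Digest::SHA->new(256)->addfile("$dir/$name", 'b')->hexdigest;
    }
    closedir $dh;
    return \%digest;
}

# Compare the directory with the known-good baseline. Anything that is not an
# exact match is reported, whatever technique produced the change.
sub check {
    my ($dir, $baseline) = @_;
    my $now = snapshot($dir);
    my @findings;
    for my $name (sort keys %$baseline) {
        my $seen = $now->{$name};
        push @findings, "MISSING  $name" if !defined $seen;
        push @findings, "MODIFIED $name" if defined $seen && $seen ne $baseline->{$name};
    }
    for my $name (sort keys %$now) {
        push @findings, "NEW      $name" if !exists $baseline->{$name};
    }
    return @findings;
}

sub write_file {
    my ($path, $mode, $text) = @_;
    open(my $fh, $mode, $path) or die "open $path: $!";
    print {$fh} $text;
    close($fh) or die "close $path: $!";
}

# Constructed demo: baseline two harmless scripts, then change the directory.
my $dir = tempdir(CLEANUP => 1);
write_file("$dir/report.pl", '>', qq{print "report\\n";\n});
write_file("$dir/backup.pl", '>', qq{print "backup\\n";\n});
my $baseline = snapshot($dir);
write_file("$dir/report.pl", '>>', qq{print "appended line\\n";\n});
write_file("$dir/extra.pl",  '>',  qq{print "unexpected file\\n";\n});
print "$_\n" for check($dir, $baseline);
```

In practice the baseline has to live somewhere the account running the scripts cannot write, otherwise whatever alters a script can alter its recorded digest too.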
Re: (tye)Re: Immoral?
by srawls (Friar) on Jun 27, 2001 at 20:13 UTC
|
While I don't find researching malware to be immoral, I do find releasing malware seeds to the world to be exactly that.
I must disagree. Morality (to me at least) depends on intent. You said above that researching malware is not immoral, well, if someone is doing that research to make a virus with mal-intent, I find that immoral. But, in tachyon's case, if he is researching in order to help, well I don't think that's immoral. Tachyon certainly did not 'release malware seeds to the world' so that the world would be worse off, he did it for quite the opposite reason. It's really a philosophy here that I'm arguing over. It comes down to this: does the end justify the means or do the means justify the end? Personally, I believe the latter to be the case.
I don't know if a non-trivial virus can be written in Perl. I don't really want to find out.
Again, I must humbly disagree. If we can maturely discuss these issues, then maybe we can find a way to stop a perl virus. Your argument is one for ignorance, believing that ignorance is bliss. Well, it may be, but not after someone makes a perl virus and you're faced with it anyway. I say it is much better to find out now, in a controlled environment; where we all are intelligent people with good intents.
The 15 year old, freshman programmer,
Stephen Rawls | [reply] |
|
I don't claim that tachyon's intent was to encourage the production of malware. I claim that what he did is likely to do that and so is an immoral act. Whether his intent was immoral is a different question. He seemed to have moral qualms about the act. I wish he had listened more to his conscience. (:
Again, I'm not saying we should avoid discussing it.
-
tye
(but my friends call me "Tye")
| [reply] |
|
I don't claim that tachyon's intent was to encourage the production of malware. I claim that what he did is likely to do that and so is an immoral act.
That is where we differ then (and that's a good thing, the world would certainly be worse off if everyone thought exactly like I do). The problem I have with your argument is that it relies on the actions of others to determine if someone's actions are moral. What if (as others have suggested) tachyon had posted this in a private forum, where we would be assured that only a few people would have access to it, and these people would be trustworthy. In this situation it is now not likely to cause the production of malware. The only differences about this situation are outside circumstances.
A philosopher once said "There can be no good actions without good intent," and that is what my point is. I believe that the only thing to determine morality is intent. Let's say someone is naive, now this someone does something with good intent, but because she didn't know any better it caused harm. Now most people would say that what she did was likely to cause harm, and your argument deems that as an immoral act. But I say if she intended good, then it was a good act (or a moral act).
NOTE: A few times I have said things about moral actions, I didn't mean that if someone has good intent, it is moral (even though I typed that : ) ), I meant that it is not immoral, meaning it is either moral or amoral. I chose brevity both so my point could be more clearly expressed and that my fingers could relax a bit : ) I hope you get the idea though.
The 15 year old, freshman programmer,
Stephen Rawls
| [reply] |
|