ESTABLISHING ETHICS

IN THE
COMPUTER VIRUS ARENA

Paul W. Ferguson, Jr.

September, 1992

ABSTRACT
The introduction of the computer into our already complex
arsenal of tools has opened a door to a world in which the limits
are seemingly boundless. The possibilities of electronic
information and data exchange alone are enough to boggle the mind.
However, with the computer's acceptance and its growing
implementation, a debate has arisen concerning the manner in which
it is being utilized.
Today, we have a virtual stone wall separating two basic
trains of thought. On one hand, there are those who wish to make
all computer information and resources publicly available, regardless
of impact or damage afforded to unwitting users. On the other hand,
we have computer professionals, advocates and users who think
potentially damaging information should be more effectively managed
and controlled, disallowing damaging code to escape into the public
domain.
THE GRASSROOTS MOVEMENT OF COMPUTER ETHICS
Perhaps the birthplace of computer ethics was the at
Massachusetts Institute of Technology. The addition of a discarded
Lincoln Labs TX-0 in 1958 created a more personal and casual
brotherhood in the computing environment at MIT. It was soon after
this machine was introduced that many of the more inquiring minds
attending the university became enthralled with it's presence [1].
"There was no one moment when it started to dawn on the TX-0 hackers
that by devoting their technical abilities to computing with a
devotion rarely seen outside of monasteries they were the vanguard
of a daring symbiosis between man and machine", wrote Steven Levy, in
his landmark book, "Hackers: Heroes of the Computer Revolution".
This devotion to the computer led to their version of what they dubbed
"The Hacker Ethic". This "ethic" had became an honor code that
outlined ground rules for the usage of the computer resources and has
survived to this day as the foundation of what is honorable in the
computer community. Although it has been twisted and mired in its
journey into the 1990's, its inception was sincere and beneficial to
those who created it during the early days. Levy outlined five
platform values that comprised the Hacker Ethic:
"Access to computers - and anything which might teach you something
about the way the world works -- should be unlimited and total.
Always yield to the Hands-On Imperative!"

As Steven Levy outlines in his book, this was the primary

basis for computer hacker values in the early days of computerdom.
Hackers, as defined in the above statement, have always felt that
whatever environment exists, they should be afforded the freedom to
optimize it. Whether it is reprogramming an existing operating
system or establishing their own set of behavioral protocols, it is
the freedom that they seek to define their own desirable environment.
"All information should be free."
The principle idea is that if you do not know how to obtain
the information, how could you benefit or pose a threat to others who
may utilize the same resources? The primary ideal that all
information should be free has landed many of its advocates in
unprecedented litigation. Is it appropriate that anyone has the right
to examine your credit report? Or your E-Mail? Or your medical
history? These ultimately fall into the category of "information",
by this definition.
"Mistrust Authority -- Promote Decentralization."
This is an ethical factor that is still adhered to rather
strictly by hacker purists. In its beginnings, authority figures in
the computer community were inept or simply did not exist. Most
could not afford them the computing freedom they demanded. This
problem still exists and unfortunately the boundary between what
constitutes an acceptable computer ethic and activities that pose
a threat to the computer community is more complex than ever. We
have as many or more inept system administrators in the present
day computer network world.
"Hackers should be judged by their hacking, not bogus criteria such
as degrees, age, race or position."
An ethic that is perhaps one of the least threatening to
other computer enthusiasts. It is also one of the most respectable
values, considering what the true sense of hacking really is.
"You can create art and beauty on a computer."
The early hackers spent substantial resources and time
developing fractals and other display-specific tricks that were
indicative of that era. Development and extensive enhancements of
the SPACE WAR program on the early PDPs at MIT is legendary.
In the simplest sense, the early computer pioneers were
rebels in their own right -- they wanted no one to restrict their
ability to get computer time or make necessary enhancements or
adjustments to the system as they saw fit. Such is our computer
world today, to many who take it very seriously. However, one
key factor has been added -- to avoid inflicting damage. In the
strictest interpretation, it correlates to never intentionally
damaging any information that you access. Or propagating
damaging programs into an unsuspecting public domain. A true
hacker is someone who thirsts for knowledge and wishes to make
the information available to others who may not have the good
fortune or skill to acquire it otherwise.
Without getting too in-depth into the development and
progress of computers in our environment, we should address what

we have experienced in the past few years with computer viruses

and how they have affected our domain. The decision that
remains concerns our code of ethical and moral computer conduct.
COMPUTER ETHICS AND COMPUTER VIRUSES
What impact did computer viruses have on ethics in the
computer community? With the explosion of the number of computer
viruses, this remains an unanswered question. In the years since
viruses first appeared in the MS/PC-DOS computing environment,
they have grown in both numbers and complexity at an alarming
rate. They have become not only commonplace, but also extremely
difficult to defend against. The virus creators have designed,
compiled and released encrypting viruses, multipartite viruses,
stealth viruses and viruses employing encryption techniques
so bizarre that it warrants immediate concern. The scope of the
problem has grown to the point where computer users are desperate
for answers to their questions and solutions to the computer
virus dilemma.
The computer ethics situation at present is as distorted
and convoluted as it could have ever been imagined. Some of the
more disturbing activities in the virus information channels
recently, have been irresponsible postings of source code, DEBUG
scripts of live viruses and overall disregard of computer ethics
and morals. To complicate matters, virus exchange BBSs have
cropped up where viruses and virus source code are freely
exchanged. The people who engage in these activities have
successfully shown their disregard for the remainder of the
computing public. Perhaps these individuals have not given ample
thought to the consequences of their actions. By allowing live
computer viruses to freely filter into the public domain,
they are ultimately responsible for any damage inflicted, either
directly or indirectly, due to their negligence or disregard.
Perhaps they do not care. In any event, it is time for us to
reclaim control of our computing environment and establish a set
of guidelines that define what is unacceptable behavior. We
should be able to gate the damaging material that is passed
amongst those who effectively abuse the privilege. A privilege,
mind you, not a right.

INHERENT RIGHTS vs. ACQUIRED PRIVILEGES

There has evolved the question of where do we draw the line
between the free exchange of ideals and information and disallowing
damaging code to be freely exchanged to all requesters? Although
the line has not been defined, several important factors should be
considered. When considering each alternative, the "greater good"
syndrome consistently comes into play. And a myriad of questions
surface with its contemplation. Who makes these "greater good"
decisions, anyway? Is this a case of 1st Amendment rights versus
control of damaging or potentially damaging information or code?
Can legislation be enacted to absolve system administrators and forum
moderators of the burden of making ethical and morality decisions and
being inundated with charges of inhibiting someone else's rights?

These questions are only the tip of the proverbial iceberg.

Each question has it's validity and weaknesses. To use particular
examples, unfortunate instances of computer virus source code, and
even more damaging -- DEBUG scripts, readily able to be reassembled
by even the most neophyte computer user, have been posted in the
FidoNet public virus conference forums, and even more questionable
practices have been witnessed on other publicly accessible networks.
To those who posted them, it may have been an innocent act on their
part to make the information available to others in a public forum.
For whatever reason, posting of code that has the ability to
replicate (or even destroy) on an unsuspecting user's system is,
in my opinion, inherently wrong. And the assistance in propagating
it is equally guilty. Many of the virus authors and couriers hold
the belief that what they dabble and propagate is completely legal
and beneficial. Actually, they are only half right. There are
currently no laws that specifically target computer virus
distribution. The legislation that does exist, dates back to the
Computer Fraud and Abuse Act (1986) and is rather outdated.
The CFAA does not address certain topics that have become an issue
in recent years.
Several bills have been introduced into legislation that
would, indeed, have made it a criminal offense to propagate computer
viruses in a fashion that would endanger the public. In a recent
attempt to enhance the existing law, Senator Patrick Leahy (D-Ver.)
spearheaded an effort to enact an addendum to the existing CFAA [2].
Language contained within the bill (S 1322) specifically addressed
computer abusers; those which intentionally introduce computer
viruses or damaging code to systems. The proposed law would have
provided an avenue to prosecute those who never gained access to
a remote system, in the conventional sense. Misdemeanors would have
been punishable by up to one year in prison and a $5,000 fine.
Felonies would carry a maximum fine of $250,000 and a prison term
of up to five years. The bill was killed and never made it
into law.
Are there any measures in place to effectively deal with the
distribution of potentially damaging information? Yes and no.
Computer professionals around the world have independently
established casual associations of virus researchers when it became
apparent that the virus problem was something that would not resolve
itself. More recently, formal and professional organizations have
been formed that deal specifically with computer virus research,
user education and antivirus product development. This cannot
resolve the overall problem.
MAKING THE TOUGH DECISIONS
Many view virus creators as angst-ridden computer users with
an axe to grind. Many see them as rebellious teenagers wishing to
leave their graffiti on whatever computer resources they can access.
Whatever the reason, a set of moral and ethical standards need to be
created that dictate what is unacceptable behavior in the computer
community. Underground computer virus creation groups have avowed
to continue writing and distributing viruses with disregard. Is this
a protected activity under the First Amendment? Or is it just
reckless endangerment to the computer community at large? The

"greater good" rationale dictates making every effort on our part

to protect unsuspecting computer users and formulate a logical
method for stemming the flow of damaging code into the public domain.
If we sit idly by, the problem will only worsen. We may eventually
find ourselves the victims of our own procrastination.
____________________________________________________________________
[1] HACKERS - Heroes of the Computer Revolution; Steven Levy; Anchor
Press/Doubleday, 1984, ISBN 0-385-19195-2
[2] Proposed addendum to the Computer Fraud and Abuse Act (CFAA);
Margaret M. Seaborn; Government Computer News, August 5, 1991
Paul Ferguson
Network Integrator
Centreville, Virginia USA
fergp@sytex.com

| "Government, even in its best state,

| is but a necessary evil; in its worst
| state, an intolerable one."
|
- Thomas Paine, Common Sense

I love my country, but I fear its government.