Is ‘Ethical Malware’ an Oxymoron or a Best Practice?

Every community has its heroes, and here in the world of Linux there’s no doubt that Linus Torvalds is one of them.

Linus featured more prominently than usual in the Linux blogosphere over the past week, in fact, and not just because he released version 2.6.32 of the Linux kernel.

No indeed! Exciting though a new release may be, an even bigger discussion on the Linux blogs last week was of a very different nature. An Obama-ish nature, you might say, or an Al Gore-ish one.

Yes, there was serious discussion of the possibility of a Nobel Peace Prize for our favorite Finn!

‘One of the Largest International Efforts’

The idea apparently arose in the Linux community surrounding Portland, Ore., where Linus himself resides.

“Linux is one of the largest cooperative international efforts ever undertaken,” wrote Keith Lofstrom in a letter published on a Ridenbaugh Press blog. “It inspired Ubuntu, One Laptop Per Child, and many other global projects.

“Linux conquered the supercomputer space, the server space, the embedded computer space — by peaceful means!” Lofstrom went on. “Linux helped sequence the human genome, helps protect the world computer infrastructure from viral attack, and is now the pathway for millions to learn computer programming and participate in new international efforts.”

Linus or Stallman?

More than 20 comments greeted the suggestion there before it was picked up on Slashdot, causing a small stampede of some 500 or so more.

Linus “would definitely be more deserving of a Nobel Peace Prize [than] a couple of the last recipients that come to mind….,” wrote cayenne8 on Slashdot, for example. “He actually has put something tangible together, and overseen it for years, as opposed to someone nominated recently before he had even done anything.”

On the other hand, “the whole movement in which Linux blossomed was by and large Stallman’s creation and initiative,” noted MightyMartian. “Even though he’s a bit loopy and can be a major prick, if anyone deserves it, it’s Stallman.”

‘Yes!’

Similar thoughts could be heard amid the din at Linux Girl’s favorite blogo-bar, the Punchy Penguin.

“Should Linus get a Nobel Prize? Yes!” enthused Slashdot blogger yagu. “Linus created something that touches and affects everyone in technology and, implicitly, beyond.

“Linus has had a business and pragmatic sense about the Linux ‘project,’ and without his TLC I find it difficult to think too many others would have accomplished the same thing with the same dramatic impact,” yagu told LinuxInsider.

‘Not THAT Award’

On the other hand: “Excuse me while I say, what?” countered Slashdot blogger hairyfeet. “I always thought the peace prize should go to those that really suffered and struggled to make the world a better place, like the writers that risked the Soviet Gulag to speak out on human rights, or toiled in the slums like Mother Teresa.

“Linux is nice, but come on, let’s get serious here,” hairyfeet added. “Risking prison or working in disease-ridden slums vs. writing software? If you want to give Linus an award, I’m all for it. Just not THAT award, okay?”

As for the Stallman possibility?

“Apples and oranges,” yagu asserted. “Stallman’s contributions stagger and awe. Stallman’s diplomacy does not — sometimes it’s also about being a nice guy.”

A Shared Option?

Then again: “I think it would be both more interesting and more accurate to see Linus and Richard Stallman share a prize,” Slashdot blogger Barbara Hudson told LinuxInsider.

“Without the GPL and the gnu toolchain, Linux would probably be in a very different space right now, especially with respect to the corporate-sponsored code contributions to the kernel,” she explained.

“The resulting photo op would just be a bonus :-),” Hudson added.

‘A Package of Malware’

At what perhaps might be considered the opposite end of the spectrum from thoughts of Nobel Peace Prizes was another hot discussion that spread to several blogs last week.

This one, by contrast, focused on malware and ethics.

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware,” wrote buchner.johannes in a question for Ask Slashdot. “After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”

‘Putting In Something Really Evil’

The malware does not exploit any security holes, Buchner noted — “only loose security configurations and mindless execution of unverified downloads.”

Nevertheless, “now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware,” he wrote.

Is it ethically acceptable to release such grayware? That was the next topic at hand, not just on Slashdot but on LXer, on eWeek Europe and beyond.

‘Bring It On!’

“Yeah — pfft. Bring it on!” wrote d0nk3y on LXer, for example. “The more exposure the better. Any holes will be fixed. End of story. And linux remains more secure.”

Similarly: “Just imagine how many stories there would be if it were news everytime a ‘developer’ decided to write malware for Windows,” chimed in bigg. “Linux must be secure if this is worthy of a story.”

Worthy indeed, in Linux Girl’s estimation. She headed back to the bar for some more insight — can malware be ethical?

‘Your Ethical Compass Is Broken’

“I believe that if you have to ask the question, your ethical compass is already broken,” Hudson asserted. “When you’ve been in this business long enough, you’ll have received your share of offers to break into computers or write programs that would cross a line.”

Wanting to demonstrate a system’s insecurity “is not an excuse, any more than walking into my unlocked home without being invited would be,” Hudson added.

In fact, the Morris Worm “was also not supposed to be harmful,” she pointed out. “The end result was a criminal record, a (US)$10k fine, 3 years probation, and 400 hours community service.”

There’s always a better way “that is unquestionably ethical, and won’t give you chaffed wrists from the handcuffs,” Hudson concluded.

‘Malware Is Never Ethical’

“Malware is never ethical,” blogger Robert Pogson agreed. “A man’s PC is his castle, and no one should sneak software into it without invitation.”

Historically, “all kinds of evil have been done in the name of fixing things: The Holocaust, The Crusades, The Inquisition,” Pogson told LinuxInsider. “Why can we not learn from our mistakes?

“Fix the bugs in our software and malware will be gone,” he said. “We can start with eliminating that other OS, which has an open-door policy for malware.”

‘No Such Thing’

Similarly, “there is no such thing as ethical malware,” hairyfeet concurred. “To even suggest it is like saying someone has a ‘nice’ STD, because malware does NOT have ethics, and neither do the black hats or the script kiddies.”

If such software is “released into the wild, it WILL be picked up by black hats, script kiddies, and anybody else that wants to add a Linux payload to their malware-infected Web sites,” he added.

On the other hand, testing with a known exploit “is a good thing and should be standard practice,” Chris Travers, a Slashdot blogger who works on the LedgerSMB project, told LinuxInsider.

Fix First, Announce Later

Of course, it has to be handled well. “On the LedgerSMB project, we have a policy of releasing full information on all security problems (enough to exploit them) after fixes are available,” he explained. In other words, “we fix first, then we explain how the vulnerability works.”

The proper solution “is to start by addressing the vendors and letting them know how this needs to be fixed,” he recommended. “After a reasonable amount of time, the malware could be released and a public announcement made.”

There are several reasons to provide full disclosure, he added.

Specifically, “some network security scanners are modified to include these vulnerabilities, allowing system administrators to know if their systems are vulnerable,” Travers noted. “This works better if the proper information is provided publicly.”

‘The Option to Be Safe’

In addition, full disclosure “provides reasonable pressure for folks to fix the problems,” he added. “With security problems, one has to assume that if the good guys know of a problem, so do the bad guys.”

In fact, “there already is malware for Linux that you can install yourself or have installed for you if you leave ssh ports open to the Net without secure passwords,” Montreal consultant and Slashdot blogger Gerhard Mack told LinuxInsider.

“What we don’t have to deal with are Web pages doing driveby downloads that install rootkits,” he said. “The advantage of Linux “is that you have the option to be safe.”