This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is video tape number 26. Viruses on and off the Internet.

You're starting to get a little close to each other. Out of the virus community, I think lags quite a bit behind as far as how long they've been around actually developing. For those of you who don't know, in talking about information exchange and availability, back in 1992 when the hacking community was in real full swing for a long time, the virus-writing community was just kind of getting started with a little fight on our bulletin board systems and virus-writing networks. But people were doing a really good job of learning new things. But the availability of information just wasn't so widespread as it was in the hacking community because the virus writers weren't yet, for the most part, on the internet or the summer starting to be.

We've got people here representing a wide range of positions, and I'm going to read a little bit what other people have said about these positions before asking each panelist to answer some questions. And now what I'm going to let you do is ask questions of all these people and then maybe we'll ask questions of you. The goal is kind of to get a perspective of what everybody thinks about the issues and look at the different perspectives and get away from a lot of the stereotypes that we have in these kind of discussions.

So with that, I'm going to introduce the first person. I'll go on an email message that I'm using with permission from a former editorial about magazine dealing with viruses. Now wait a minute, this is Ron. This is the second guy. Here's the first guy. We all know that only scum release viruses on the internet. Only scum would write a virus and put it out there infecting people. So with that, I'll introduce my scummy guest here, the Attitude Adjuster. Could you help clap for him? Because he's a good guy. Thank you. Thank you.
He's going to be taking a position that people need to have their attitudes adjusted and he's just a guy to do it.

My next guest here is representing the point sort of that the Bugtraq and NTBugtraq people generally seem to take. I don't know how close it will be because they're not actually here to represent themselves. Has anybody seen our phone? No. You said he would be here, but I guess he couldn't make it. He's still sleeping. Maybe he's still sleeping. What I've always said about this particular position is that we know what happens when people of inferior ethics or inferior integrity are allowed to moderate mailing lists. These Bugtraq and NTBugtraq guys are no better than cyber terrorists who will stop at nothing to accomplish their goals. Now, before you all think, I didn't say this. This was said by somebody else, not me, but this fellow, Richard, is here to represent the position of the Bugtraq and NTBugtraq moderators, which he's somewhat familiar with, having read lots of emails that they've sent working with us in a project to start having communications between the antivirus community and the general security community. The next position that will be represented. Thank you. Oh, yeah. Clap for him, too. He's really sweet.

The next position here is what's been said about this position is that these close-minded antivirus product developers want to keep all of the cool information for themselves. They do not want the world, the community, the users at large to get information about viruses. They want to control the information; only they can save you. And here representing the antivirus community is my colleague, Tau, who works for NAI, but is here representing himself. He is not here representing his company, and what he will present is his own opinion and should not be construed as that of any organization, of any type, blah, blah, blah, you know the deal. This is Tau.
And finally, we have the position on the end which was said that these guys all should be in jail. This sort of thing is illegal and immoral, and anybody who does it should be put in jail. We should make a martyr out of some of these virus writers and distributors and then see how far they'll go to protect this kind of precious information. So representing the position that all the virus writers or even thought about writing a virus should be put in jail, stopped from replicating, disconnected from all communicators and computers is John. Let's hear it for John. Come on, John, here he is. Again, this may or may not be his real position in making these clothes or not exactly what their real positions are. And if you haven't noticed, I don't have a real position. I just like to hear what everybody says and just think about it. And so if any of you have questions about any of these actors and don't get a chance to ask questions, please come talk to me. We're writing a paper on this topic of the two colliding worlds for the Virus Bulletin conference, which will be in Vancouver, so I'm really interested to discuss with anybody.

So the first question, oh yeah, viruses are irresponsible, unethical, damaging, should be illegal no matter what. We should give law enforcement some real teeth to arrest these guys and put them in jail because they don't belong on the face of this earth. With that in mind, I'd like to ask what do you think about the public availability of viruses and virus source code on BBSs and FTP sites? And I'd like to ask that each panelist will have two minutes to answer that question and start with my friend Mr. Adjuster.

Okay, can I take this out of here? Yeah, alright. Availability of viruses on public websites and FTP sites. Well, first of all, I really don't care if they give the law enforcement more teeth to put us in jail or lock us up and throw away the key.
The fundamental act of expression I see in virus programming is something that sure, they can make a law against it, but nobody's going to stop. The people that they're going to stop are not the people that are the problem. As far as the public availability, there's nothing out there that's publicly available that's really anything to be all that afraid of. The stuff that is out there to be afraid of is to be afraid of for a week until the NAI guys or whoever get their hands on it and ooh, they update their signatures, they can scan for it. Yeah, yeah. The range of ultra-high effectiveness in time is not necessarily very long. The AV guys get their hands on it and your great new technique is useless. Regardless though, the availability really doesn't bother me. I'd rather see the information out there. I'd rather see the guy that he wants to learn a little bit more about viruses and how they work to get his hands on it. At the same time, I want the researchers to be able to get their hands on it too. Don't mind everybody seeing the techniques. I don't think wanton destruction is necessarily all that bad. And if the publicly available sites cause some people to do some wanton destruction, well, whoever got their data destroyed, too bad, didn't take good precautions. I think...

Thank you very much, but it's your turn. Oh, damn. We'll go on to the next representation. I don't know if you want to represent a moderated mailing list position here or your own position, so could you please kind of state what position you're taking here?

Well, I think it's pretty close to my genuine position, which is that the availability of viruses is kind of a good thing and kind of a bad thing, which is very kind of lukewarm. I think the main thing with having these vast virus collections online is that they are such a waste of bandwidth. Every virus is pretty much a one-off of find first, find next, file out and then close. You're done, find the next.
There were actually very few viruses out there which seemed to do anything new. The viruses, which I did think, had some good points about being online with Melissa. That was kind of interesting to see what was going on. Concept, the first XO virus which has temporarily slipped my mind. Those things, because they were new, there was some interest in actually getting a hold of them and having people being able to take a look at them. In particular for Melissa, for example, rather than wait around for any antivirus vendor to fix the problem for us, we simply went in and patched the mail server. Suddenly Melissa wasn't really such a big deal. Certainly not in my organization. So, I think there's a middle ground. It's just the sheer boredom factor. I don't see why any of you would want to go out and download another 10,000 viruses. I don't take two minutes, but that's really all I'm going to say. It's boring.

Okay, thank you. And now our antivirus expert. Could you please comment on the public availability of virus source code and virus executables on bulletin boards, FTP sites and websites?

Yes, as you could guess, I'm against the public availability of viruses and virus source code for several reasons. The main reason is I still have to find, well, say a good virus, say a virus that doesn't destroy anything involuntarily, and while making those viruses publicly available, those people who are irresponsible, say kids, say people who try to damage someone, are able to pull off a virus and play some tricks on their teacher, and maybe this gets out of hand. Remember, a virus, once unleashed, and if it works, most don't really work, it replicates uncontrollably. And if a virus is online, put online, or being distributed, well, it takes us only a quarter of an hour to add detection and removal, and until finally the definition updates are distributed within the company, this could take up to one month because of company internal procedures of quality assurance.
So by putting them online, you're threatening the larger companies until they have the real protection in place. For a couple of viruses like, for example, Melissa, it was possible to patch a mail server, but it is easily, it would be fairly easy to have a virus for which this is not possible, and then releasing it or its full source code would be pretty irresponsible.

Thank you very much. He's an AV guy, but he's just clapping into... Thank you. Thank you. And finally, fourth panelist. I understand that you believe anybody who even thinks about writing a virus should be put in jail for the rest of their lives. So if you could please present your rationale and state whether or not this is really what you... or irrational, as that may be, and state whether or not this is your real position or whether you're taking this position because you've heard people take it and you want to make sure people understand what's going on out there in conversations about disclosure and availability of information.

This is not my real position, however. I can argue it because I can argue either end of the spectrum and there are valid reasons for all of it. For example, here, as Richard said, his company was able to take online information and help themselves. At the same time, the internet has become a vital part of our everyday life, business and personal. I won't say it's as important as the telephone, but it's damn close. Viruses also have some malicious code undermining the reliability of the internet and we are rapidly reaching the point whereby none of us will be able to connect to it if we have anything to lose. People who abuse the internet, who do things that harm others, must be stopped. Otherwise, the internet within a year or two will not be usable by any of us. The only way to do this is to keep them from doing it. You pass laws.
If you find someone who does it, if you can get the laws to apply, which is a totally different problem with international laws, you must make examples of these people. Everyone you catch, punish them severely. I say put them in jail, but I've got to qualify that by saying there can't be an internet hookup in the cell. We count on these people to continue. They must be stopped.

Thank you very much, John. I bet you guys never thought you'd be clapping for somebody who's saying these people must be stopped, huh? This is beautiful. Okay, so the next thing you're going to look at is the posting of virus code to mailing lists like Bugtraq and NTBugtraq. I've been having some conversations with Alphan and you know scuba about this. And I think that the positions are really written in stone as far as what's the right thing to do, what really benefits the users, what people really need. I have e-mail from some members of the antivirus community. Hi, you're here. Come on out. Alphan, you made it. You know what I'm going to do? I'm actually going to go back to the last question and I don't know how to answer it. It's only fine. No, we want to know what you think about this because it's all kind of ties in. We were discussing the public availability of viruses and virus source code, not to mailing lists like you moderated in the store, but to virus boards, FTP sites, World Wide Web sites. Could you give us about two minutes of your impressions of the public availability of viruses and websites, FTP sites?

My impression is that it's always going to happen regardless of opinion. So, you know, trying to say it's right or wrong is definitely not going to change anything or how it's done. So you might as well accept that fact imperfectly. So you might as well accept that fact and, you know, just deal with it. It's going to be there. It's going to happen. People are going to write about it. They're going to publish them. They're going to trade them. So that's pretty much it.
That's pretty short and to the point. The next question, and you came just in time for it, is what do you think about the posting of computer viruses to the mailing lists like Bugtraq and NTBugtraq? And we'll again have about two minutes. I've gotten to know from some antivirus developers who tell me that the supposed security experts do not have a clue about how the virus writers think or work or how to do this step and they should leave it to us. The experts. They shouldn't post this. They should never allow this kind of posting to happen. On the other hand, I have e-mail from system administrators that tell me these sorts of posts are essential for them to do their job. They really need this information. They want this information and by that they're going to have this information. So if we could just take about two minutes each, and I think we'll start down here this time with your impression of the posting of virus source code to moderated mailing lists like Bugtraq and NTBugtraq.

Do we have to jail all of them on this one? Or can I just talk in general? No, you don't have to be worried about it. Put them in jail, that's all right.

Just as a lot of system administrators may voluntarily and reasonably look to these moderated lists for sources of information, many, many, many other types, script kiddies on down, look to them for more information. By posting actual source code you're not only making this information readily available, but since the list is supposed to be a good guy list, you're actually endorsing it. This is next to distributing it as a free discount in PCMag is about the worst thing you could do and again it must be stopped at all costs.

Thank you. Could we have the impression of the antivirus developer and could you comment on the comment sign aid of people who think that this information should be kept just for the antivirus community?

Yeah, well, the main ground is here, virus has got nothing to do with those mailing lists.
They haven't, well, they don't really have the issue. Viruses are not well, vaccine and operating systems to be exploited and to be fixed. Viruses use features of operating systems, of programs, so there is nothing to fix by those lists, and as an administrator, if you would have to look at each of 500 viruses a month trying to fix down the system for yourself, you would end up doing nothing else. Now I'm a little bit out of this. One of the most important things about publishing a source code, especially in such lists: if you then use the source code to play around with, to compile it, then you probably create a new variant of this virus. Because of the way antivirus software works, each slight modification adds in a new variant that may prevent the antivirus software from fixing that problem immediately. So it is more or less dangerous that especially in such lists where the script kiddies reading this get that information leaked out, as it doesn't really help anyone. If you want to help anyone, then the information, for example for Melissa, would be enough to filter for a certain X line in the message header.

Very interesting, thank you. Now since I'm from this area you can go ahead and play the role of the... Richard can go ahead, instead of playing the role of the moderator of a mailing list, and tell the audience what you think about the publication of the source code on the moderated mailing list. Does it help you as an administrator to do your job? Do you think it's useful or do you think it causes more harm than good?

I actually think that the publication of code on mailing lists has a place, but a very limited place when it comes to viruses. For example the publication of, and again we'll come back to Melissa because it's new, was kinda useful because it was all over the place and it was in the wild and it was one of the copy of Melissa. Well, you probably just check your mail at one point and it worked pretty well.
So when it's new and it's got something new to say I actually don't have much of a problem with these things appearing on the list. The times that I do have a problem are when it's new, it's not spreading in the wild, so nobody's actually getting this, and it's just like at that point it's just a way of getting it out there. So I think it comes down to responsible disclosure, and when something's causing a real problem we can actually get the information out there, but when something is kind of existing only in code form, wide-bending it out there is just gonna make life worse. Viruses work because people trust computer programs; they don't generally work because there's some super-secret trickery. If you don't download this thing and run it you're probably in pretty good shape. There is no new exploit in viruses. It's the same old, same old, time and time again. That said, when there's some new interesting factor then at that point yes, I don't have any problem with those things going out, but I hate to see Bugtraq cluttered up with my 1000 PS-MPC viruses which I made today all on my own with my mom watching that I wouldn't want to say.

Thank you very much. Your position on the publication of virus source code on Bugtraq, please.

Sure. Let's see. We have an opinion that posting viruses gives code to hackers. I guess the posting of exploits and vulnerabilities, that's the same, so how is that any different? Do not stick your head in the sand. It does not help and it does not work. Then we have admins who now have the time to examine viruses; how come they have the time to examine security exploits and vulnerabilities. If it's only if they have the time, some of them do, is part of their job.
Obviously you can make the point that that's the security vendor's job to examine viruses and publish security scanners and IDSs, but there's many admins that will do well with the source, but at least do it to the point where they have enough knowledge to make sure the stuff that the vendors are selling them are not snake oil. I agree. Publishing every day every single virus is not going to help at all. The idea that you mentioned that viruses exploit the same hole is completely correct most of the time. That's why we have a private email, and the difference between the virus community and, as we call them, security experts is that when an expert gets published and watched back, most of the time it gets fixed from the vendor who will seek a patch, whereas with the antivirus vendors you have never seen a patch. You spend so many years releasing scanners for viruses that exploit the same hole really yet Microsoft or maybe there's no solution whatsoever. I'd like to know, do you have a response to that?

Yes, I think we have a response to that over here, so before we go on down here to Mr. Adjuster, to respond directly on this.

I mentioned before there's a major difference between an exploit being posted on a list like Bugtraq, because an administrator could use actually this exploit to then really check if the vendor has fixed it, and exploits, vulnerabilities, buffer overflows don't work in programs. Viruses don't exploit anything; they use a bloody feature of the operating system or of the application they are running with. There is nothing to fix from that side; the only way to fix that would be to use another software.

Yes, please. Let's come back to small power here. How many of you use Microsoft Word and Excel? I do. How many of you have used that application in Microsoft and Excel? A couple. How many of you have used the feature to create a file from Visual Basic Microsoft? So how many people do you actually need that feature to be turned on by default all the time?
Can we produce a patch from Microsoft or Visual Basic to be turned off by default and only unless you change your registry key that feature is enabled? They could. That's because you don't expect it.

Yes, and finally Attitude Adjuster, if we could hear your opinion on the publication of virus source code to the moderated mailing lists, what do you think about that?

Sure. First of all, to the moderators of the mailing list, I got to feel sorry for the possible bullshit civil and criminal prosecution that could come of doing that, because I fully support the publication of virus source code on full disclosure mailing lists. I would not feel that I think every virus, not every, but most viruses do exploit one kind of operating system flaw and that is a combination of user trust and user stupidity. Which are essentially the same thing. Some viruses actually do exploit real holes in operating systems though, and not to say those holes couldn't be exploited in and of themselves by an individual to penetrate a host or whatever, but if a virus is using a penetration technique it's just as valid if that virus is using an exploit as if it's just a standalone exploit, and I can see the utility in posting that just for that utility. I take kind of the opposite view of my colleagues besides you, the AV AV position on the same thing. I don't mind viruses that maybe have novel or hard to defeat techniques being posted to full disclosure mailing lists just because that causes them to replicate more. If they're harder to fix it's going to be a longer time between the day that virus is released and the day that virus is no longer a threat to the measures out there in the field, helping to erode the user's trust in the computer. I think a lot of institutions are using computers for things that they really shouldn't be using them for when they don't know how they work, what they're capable of. We put our data in this thing and now the data is gone.

Let's follow this data to your own. Hey, it's T.
Hey, Mr. T. Thanks, Medjy. I think that's a T and a L. Yeah, T. I don't really have a lot more to throw out. Those mailing list moderators, when they publish that source code in their list, have some big brass balls to some extent, because I really wouldn't want a torn of lawyers jumping around with anything like that. That's vile. Let's put all the lawyers in jail.

I guess this does bring up the point that lately there's been a lot of attention as far as viruses and virus writers, with arrests and servers being seized and a lot of attention from various authorities looking into the whole virus-writing subculture. And with that in mind I'd like to first ask the audience a question and ask the panelists: how many people that are here think that just writing viruses is a cool thing today or do you think that's just a cool thing today? I think that's a cool thing to do to keep Microsoft in check, would you say? Keep stupidity in check. Can I ask a question to the guy who thinks that keeping Microsoft in check, do you think it's working? I think there were two different questions though. She asked about writing viruses and not distributing them. Yes, about writing viruses. It's a cool thing to do and it's really interesting and you're really learning a lot from me. I'm just curious, who thinks that? Not very many people. Few people do.

I'd like to ask the panel for their impressions on just writing viruses in general. I'm interested in this because I talk to a lot of people that like viruses. It's an interesting topic everybody. I mean there are these press people here on the island and they know who writes viruses and want to do it. So if the people on the panel could just kind of say what do you think about writing viruses? It's a cool thing to do, and also what do you think about just putting them up there and letting them go? Yes, sort of missing with Mr. Attitude Adjuster.
Well, it's not going to sound like the position I should be on necessarily, but this is some of me coming through and not the position. Yeah, I think viruses are pretty cool and I think writing viruses is pretty cool, and I think sitting around with PS-MPC and checking out new court viruses and being a Michael Lewis puppy is garbage but say he's not cool. I think it's just a pain in the ass. I think that you do not learn all about programming computers and computer science from writing viruses. That's a bunch of bullshit. You learn about how to write viruses when you write viruses. You can take viruses to do so many other things though, and I know somebody out there yelling out, what's an agent? An intelligent agent and a virus are not all that different in my opinion, and making intelligent viruses that do intelligent things is where it gets really cool. A virus that calls home to mom and upgrades its own payload, or viruses that are slowly penetrating a network and coming back up through the firewall, or stuff like that. Taking viruses to do more than just the act of a virus, which is not that complicated when I can code self-replicating code. Yes, but make it do something cool. I think that's a real problem. There's not enough viruses doing stuff that's cool. As far as it's writing, I don't mind. Go make a writer.

I have a question for you. The programs could do things that are really cool, so if you're going to go to a program to do things really cool, I'll put the replication in. What's the point?

I think the replication is kind of the hook. That's really what takes it from just being this is made to oh wow, it's cool. It's spreading over this land. It's eating everything. It's getting a lot of attention to our group. That's what they know. The virus download is so light. You see. Yeah, there you go. Gee, why is my dial-up connection going so slow? Why did my hard drive repartition itself?
The one thing that I do need to qualify, and this is me coming out, I really do think that computer viruses can cross the threshold of life. I really think especially with macro viruses, just because the machine language, assembly language viruses are so brittle. You change one bit, they're broken, they're dead. But we're going to see these macro and high level viruses running into each other, combining, making new amalgamated life forms, and the problem is open-ended. It's going to be really interesting to see what happens.

Yeah, I have just a couple of minutes here before something else scheduled that everybody's looking forward to. So I'm going to just take a couple of questions. I think we've heard from our virus writer. We're here in the yellow circle on his shirt. What's the effect? Are you afraid? Okay. The conservative side of the antivirus industry and the security industry persisting and confusing prosecution and prevention. Why does the conservative side of the antivirus and security industry insist on confusing prosecution with prevention? John, you want to take that one? You want to take that one? Basically 30 seconds.

First off, it's the only tool they have. Second off, they're not the ones doing it. They want it stopped. They go to their lawyers. Their lawyers go to the authorities; that's what the authorities have to do.

Next question. Sunglasses.

I wanted to ask a question that kind of shows us right. Is somebody going to be doing it one way or the other? I'm just going to start telling you that you make a lot of people really, really stupid and very easy to try to do the ones who aren't going to be caught or are going to do that stuff. So then you guys like your sheep. You want to make a lot of people cheat. You try to watch your neck. You like sheep up here. Do you want to end?

I just want to say, I think the nature of a lot of the public using computers today is they want to be sheep.
And that maybe the industry isn't forcing that way, but gosh, it's so easy to be a sheep.

Also, another point is with Melissa, for example, which was so widely distributed over the news that it actually helped to educate people on viruses. So the wide distribution of that information in the end ended up helping people even though it was so, it wasn't really damaging, but it got so distributed.

I found your logic a little bit strange actually. I'd like to make an analogy. Given that we cannot capture murderers, does that mean we shouldn't try and suppress murder? You know, because we're just giving a hard time to the guys who are stupid and get murdered?

Well, and for the sheep factor, to come with a virus, you don't need to know how a virus is written. These are entirely different things, writing a virus and defeating it. It's like building a house and knocking it down.

We're going to stop now. If anybody has questions for any of us, we'll be around this next demonstration and we'll be happy to answer questions. Sorry, I couldn't get to all of you. Thank you very much for coming. Bye.

Actually, ladies and gentlemen, ladies and gentlemen, if I have your attention, if these guys could be kind enough maybe to be able to make an invention hauler outside, I've got a poll to answer questions for you. We've actually got to ask all of you. I know this is your last stop. You have to buy a beer and not come on. And those are outputs. We actually need to clear the auditorium for about 15 minutes for the CDC presentation. Thank you very much.