Thursday, December 06, 2001

Who is to Blame for Viruses?

You catch a virus from an email that someone sends to you. It then forwards an email out to everyone in your address book listing "your" favorite pornographic sites. Or it damages all of your system files and you lose all of the important documents on your hard drive. Or it destroys all of the picture and music files on your computer, including the ones in the powerpoint presentation that you were going to use at a trade show the next morning to potential clients for your small business.

You spend time and money trying to recover from the damage inflicted, and as you do so, you ask yourself who is to blame. Is it the person who wrote the virus? Is it the parents and teachers of those who released the damaging software into the internet? Is it yourself? Is it the writer of the email program that you use, or the operating system? Is it the intelligence industry, which stands by quietly while such things happen. Is it the legal community which should be righting wrongs that such actions can bring? Is it the government that could regulate many aspects of the internet, as if it were a utility like electrical service?

The answer might be that the responsibility is with all of the above.

Releasing a virus is an act of terroism. Innocent people are inflicted with the harm caused by its release, no matter how noble or misguided the intention was on the part of the person who wrote and set free the software. There's an open source community of software developers who are addressing their political concerns with big business by joining together and working to develop better software than the large corporations. Their attention is focused upon helping others, rather than doing harm. There are people who develop viruses to show off their skills, or to educate people - and these folks don't grasp that the fear, uncertainty and doubt that they are spreading is more harmful than helpful, and that recognition can also be won by writing software that benefits people.

There are teenagers who have virtually unlimited, and unsupervised, access to the internet. Parents have a responsibility to communicate with their children, and to talk with them about what they are doing when they might be spending time learning about phreaking and hacking, and traveling around the world wide web. It's easy for a young adult to apply different rules of behavoir regarding their online activity than their offworld reality because it isn't physically before them, and the implications of their actions online may not seem as immediate or near as what they experience away from the computer screen.

One of the best defenses for viruses is common sense. You receive an email from someone you don't know, which has an attachment. Do you open it? Some people do. You receive an email from someone who you do know, but it has a message and subject line that the person you know probably wouldn't have written. Do you open the attachment? Do you send an email to the sender first, asking about the email? You run a computer, but don't have antivirus software, or haven't updated the antivirus software on a regular basis. Why not? You use an email program that a lot of people say is a target for virus writers, but you don't learn about the safest way of using the program. Isn't that a little like not locking the doors of your car in an area that seems to be in the news regularly as a place where cars are stolen?

Some software does have a reputation for being a target of virus writers. You might have an expectation that they would try to write safer software. Or that they might release patches when problems arise? Or that they would let people know about the safest computing habits to develop when there are people creating problems with malicious programs? Why wouldn't they? Is there a hidden agenda? Or, might they just claim that they are a target only because they have the most popular software? Or that additional security creates additional complexity in software, and that too much complexity makes it too difficult for the average computer user to compute? For instance, an operating system where there is an administrator login that a person would use to install new software and diagnose problems, and a separate login for everyday use where there are restrictions, such as the inability to install new programs or run programs that affect important parts of the operating system and cause damage to the computer. While that's more complex, it's also a lot safer.

Should the intelligence community be educating consumers on best security practices for using a computer? Should they point out security flaws to the manufacturers of software that contain security weaknesses? Should they recommend safer email clients that might have less features, but offer significantly more security? Should they host online or offline educational programs, and build web pages that help people learn about how they can be more secure while traveling on the world wide web? Should internet service providers offer filtered email to clients who want it?

What kinds of lawsuits should happen because of viruses? Virus writers can cause millions of dollars worth of damages. Can civil lawsuits help curb damages? People who write viruses rarely have the monetary resources to address the costs that their virus may cause. Should the software manufacturers be held responsible? In some situations, where there was a vulnerability that was known about, and nothing was done to fix the problem or to warn people, that might seem to be the best response. Should efforts be made to influence lawmakers to impose civil and criminal sanctions against virus writers? Should someone who is found guilty of releasing a harmful virus be kept away from computers? Can law making efforts spearheaded by attorneys be aimed at educational efforts to teach young uses about ethics? These are all possible responses by the legal community.

What role does government have to play? How open to their constituents are they? How aware of this problem? Do they have regular meetings where people can talk to them? Do they have an email address, and an internet site where they keep those they represent informed of their actions? Do they ask for feedback on certain issues? Legislative efforts don't have to be aimed at regulating the internet to the point where the regulations severly limits its use. It can also impose some regulation upon responsibility when it comes to writing software. It can also introduce ideas about online ethics and education to communities.

There are many steps that can be taken by many people to help curb problems caused by viruses, and to help influence those who would release viruses to pursue more positive activities. An interesting article on the subject entitled "Viruses and Worms: More Than a Technical Problem" addresses some of the questions I've asked above. We would enjoy hearing other possible solutions or thoughts on the subject.
- William Slawski

No comments: