Computer viruses are not a problem. At least, that is what one would believe if he or she listened to various security experts, lawyers, and anti-virus product developers. For instance, at a well-known conference held in the United States last year, one of the legal tracks was promoted as featuring information about viruses. Attendees at the session were informed that viruses were mainly a matter of a few guys in Bulgaria trying to outdo one another -- not a real problem.

The conference was supposed to deal with viruses in one of its "Legal Tracks". Nothing was mentioned about legal consequences of intentionally infecting someone's computer, or the problems of developing laws which really work in these complex situations. Not a word was mentioned about possible legal redress for people who may have been harmed in some way by a virus, or the problems of legally obtaining some form of satisfaction from virus writers who are in many cases not of legal age. No mention of the legislation being undertaken internationally (and in some cases perhaps hastily with little thought to the ramifications of such legislation!) to deal with the virus problem; no discussion of the problems of such legislation; no mention of even the few existing virus specific laws. There was no mention of the source code versus binary debate which usually comes into play during any serious discussion of laws which could affect the virus 'situation'. At the conference, which was designed to deal with ethical and technical issues, there was no mention of the fact that not all rights are positive rights; there was no word about moral rights, or ethical action and the place of legislation in this cyber-society. Viruses were glossed over as a minor annoyance. How accurate was this portrayal of the virus situation?

A prominent security expert recently told attendees at a technical conference "viruses are not really any problem. The real problem is jobs". It has become politically incorrect in some places to admit you are not in favor of viruses being written and/or distributed. When someone mentions "computer virus" what is your first reaction?

"Viruses are not a problem on the internet", according to self-proclaimed experts you can find in Usenet news forums. Yet, on July 24, 1994, a 12 part uuencoded file titled SEXOTICA, infected with a virus, was distributed over the Internet to unsuspecting users via the newsgroup alt.binaries.pictures.erotica. Any unsuspecting user who saved and uudecoded this file would be the unknowing posessor of a virus. Fortunately, it was not a very well written virus [Virus Bulletin, 94] and it is not predicted to cause a large amount of damage. Do you usually think to check for viruses in files you get from the Internet?

Virus FTP sites on the Internet are not uncommon; these sites present legal and ethical dilemmas for Internet services providers. Recently one such provider was questioned by some members of the anti-virus community for allowing viruses to be ftp'ed from their site. The following electronic mail was posted publicly on the Usenet comp.virus newsgroup:

(to the company)

It is now more than a month since xxxxxx and others alerted your service to the fact that your site was used for distribution of viruses and export-restricted cryptographic material, and still there is no action.

The most offending account belongs to user 'xxxxx'. It contains 40Hex, Crypt, and Nuke InfoJournal - underground magazines known to contain viruses. It also has links to another account (belonging to 'xxxxxx', which contains export-restricted cryptographic programs). The 'xxxxxxxx' account (ftp.xxxxxxxx.xxx:/pub/xxxxx) contains also the infamous KOH virus. [Skulason, 94]

The response from the provider illustrates the sort of dilemma viruses create for public access providers who obviously want to provide the best services for their customers:

Viruses and information relating to viruses are not, at this time, controlled code. We allow users to make available via anonymous FTP any and all data as long as it is legal, which viruses, viral source code, and newsletters published by virus groups are. It is not placed there by xxxxxxxx, and it's distribution is not necessarily endorsed by xxxxxxxx.

To assume that it IS endorsed would be to assume we also endorse Doom, GIF's of nude males and females, various programs, concerts, or any other of the hundreds of megs our users choose to make available through public FTP directories.

Making software using encryption available for download does not violate international cryptography laws, only the act of someone receiving them in another country is. If you have concrete proof this software is being distributed to users outside the US, and wish to press charges against those users (Difficult, considering you're not yourself in the US.) you are welcome to do so and xxxxxxx will assist in the prosecution of such illegal activities. But until then users who wish to make legal software available to Internet users are free to do so, from xxxxxxx.

Thank you,
xxxxxxx
[Skulason , 94]

Some public providers allow distribution of various counter-culture journals, with the condition that actual virus source code be removed prior to release of the publication from their site. In this way, freedom of "speech" and dialogue are supported, while the questionable virus code problem is eliminated.

The debate over the responsibilities of public access providers is growing. It is clear that legal does not mean "right" to all persons involved. Whether or not it is "right" for a commercial provider to allow itself to be used for virus distribution is a question each provider must answer for itself, at least for now. It is often the case that when a community does not police itself, it finds itself in the awkward position of having laws foisted upon it by a governmental body which is perhaps not in the best position to determine what (if any) law is actually necessary.

"They don't do much, and anyway, we have some anti-virus software!"

The scenario varies, but the common theme is that viruses really aren't 'that much of a problem'. To some extent this is true. Some viruses are relatively benign. Some viruses are not that much of a problem. However, a very disturbing trend seems to have developed in the scene surrounding viruses, and that is, users expecting software manufacturers to "solve the problem" in its entirety.

Computerworld, June 1993: "The majority of users regard antivirus software as a complete cure," according to Virginia Hockett, IT manager of 3M and alumna of the NSA. [Computerworld, 93]

Anti-virus software is certainly a good defense against viruses, but it is not the only defense. Likewise, workable, effective policies and procedures set in place are a good defense against viruses, and necessary to ensure damage control; they are, however, not the only defense. We need public discussion and dissemination of accurate information!

When we do see the public engaged in discussions, we often find them in less than full posession of factual information. We sometimes find them dashed to pieces by some defenders of the virus as God's gift to mankind or pseudo-intellectuals who sound as if they really know what they are talking about. We hear things like "Viruses never really did any harm to any individual, not in a real sense"; "Viruses have never even come close to causing a major disaster"; "Viruses don't cost anyone very much, they are just minor annoyances"; "One product is as good as another, the anti-virus guys are just out to make money -- they even WRITE and distribute viruses to rip off users"; "Not many people ever get a virus. Users cause more damage than viruses"; "It's my right to free speech, writing viruses. You can't take away my Constitutional Rights!". These are not the only minimization of the virus threat that we hear, but they are among the most common. Letting people know your feelings is one important thing you can do to help stop viruses; however, feelings alone are not quite enough. You need facts. With that in mind, we will take a look at some of these arguments in detail, and provide documentation which supports the position that viruses are in fact a problem.

News media seemed to gloat over the fizzle of Michelangelo in 1994, and while we certainly are happy that it was not a major cause of data loss, we question whether this means viruses are not a problem. The media seem to think they are not. The virus didn't go off on that day, and as we all know, because the media have told us so repeatedly, the days viruses can (and do) actually activate and/or do damage are limited to certain well publicised days of the year. The other 364 days of the year, it's only replicating, spreading, infecting, and preparing to do some form of damage, if it has any payload at all [Ducklin, 94].

One popular magazine featured an article recently on virus writers. Despite its relative lack of bias and attention to detail, it contained allegations commonly fostered by some virus distributors and uniformed sources, as well as factual errors [Sandler, 94].

Among the allegations:

• "Some of those same developers whisper that some academic virus researchers are actually creating the strains they claim to study."
• "Other denizens of this world claim that Vesselin Vladimirov Bontchev, currently a member of the University of Hamburg's Virus Test Center, is none other than the Dark Avenger himself.."
• (a consultant).."blames the antivirus software developers for priming the market with cash bounties"....
• "It is absolutely in their best interests to keep the viruses flowing".
• "Stitch together a picture of young, disaffected rebels, vicious and without remorse, describe them to a Harvard headshrinker..."

• "A virus replicates itself to overwrite other data."
• "In the virus community, the people who write viruses are called virogens."
• "Scanners are essentially useless."
• "By the time their work is discovered, they're long gone."

Dark Avenger boasted,"The American government can stop me from going to America, but they can't stop my viruses".

That statement was never made as a boast. The original interview made this clear.

"Tips from the virus writers" presented a "tip" from Dark Avenger, as if he "advised" users for this article. He never spoke to the author, and the "tip" was not given as advice, but as part of the aforementioned interview.

However, the most disturbing aspect of the article is its presentation of Dark Avenger as still writing and releasing computer viruses, although it is well known that he has not released a computer virus for over two years.

It remains to be seen if any clarifications and retractions are issued by the editors.

Security experts and the media are not the only ones who think viruses are not a problem. Some virus writers have had a common thread in some of their communications. Viruses are only a problem for lamers. Viruses only hurt the uninformed. Viruses only hurt those who deserve to be hurt. "They were asking for it. They had a computer for God's sake!". Some virus writers state that they are not responsible for their virus once it leaves their own computer, justifying the operation of virus exchange bulletin board systems. From these systems, knowing/willing persons can obtain computer viruses. Because the persons receiving the viruses know what they are getting, the viruses are not a problem from the standpoint of their creator. "I'm not saying viruses don't hurt people, but usually when they affect people, it's almost always the person's fault." (Sandler, 94]

Here are some of the arguments often used to support the claim that computer viruses are all hype, and not worth worrying about. Following the argument, we present the facts. The two do not always match up!

In 1993 the National Conference of Lawyers and Scientists/AAAS Conference on Legal, Ethical and Technical Aspects of Computer and Network Use and Abuse commissioned a paper dealing with computer viruses [AAAS, 93].

In 1994, the Journal of Science and Engineering Ethics named viruses as part of the Computer ethics issues it would explore [Journal of Science and Engineering Ethics, 94].

Sec 94's Curacao conference awarded the "Best Paper" award to a paper dealing with ethical implications of technology [IFIP, 94].

Virus Bulletin commissioned a paper on the issues surrounding ethics as related to virus writers themselves. [Virus Bulletin, 94].

Viruses -are- a recognised concern for people who are concerned with ethical behaviour and ethical models in science. Science and technology do not exist in a vacuum. Viruses are not solely an isolated technological phenomenon.

There are dozens more commercially released programs that could have given you a virus. [Gordon, 93]

We have our own overzealous moments, promoting sometimes the ultimate antivirus utility. Such a utility does not exist, but is referred to by some as TOAST -- "The Only Anti-virus System That....(insert outlandish claim here, i.e. that can protect you from all viruses, known and unknown, now and forever, amen)" [Peterson, 94]. The insistence of some that TOAST does exist hasn't helped our credibility. We must remember that we are part of a larger picture, and that what one of us does affects all of us.

We've also had a few product fiascos. According to a report in ACM Sigsoft's Software Engineering Notes volume 17, number 2, Norton Antivirus' special "Michelangelo fix" free program was more dangerous than the virus for many people. This was, according to author David Leslie, [Leslie, 92] a problem if a user had a hard drive with more than one partition. The media announced this free product during the "scare" but by and large neglected to announce the problem. We should not be afraid to admit our mistakes.

One aspect of the "own worst enemy syndrome" is the "wolf crying syndrome". While we don't see it much anymore, it is worth mentioning because of the impact it has had on the anti-virus world's credibility.

As you can see from earlier comments on the types of information being given out by the media, and other individuals, all of the information making the rounds about viruses is not accurate. In the past, anti-virus product developers have given some misleading information to the media regarding the potential threat of viruses; they have predicted scenarios close to Armegeddon when the facts dictated otherwise [Gordon, 94]. Hopefully, we are past this state and the wolf crying syndrome is a thing of the past.

Now, we come to the crux of the problem. The ethical dilemma. The Big Question that we have to answer if we are to begin addressing The Big Lies.

The question we must ask ourselves here is from whom do we want computer users to get information about viruses, and what do we do about all of the misinformation being circulated?

1. Everyone has a right to listen to whomever they choose.
2. The problem arises when the only sources, or the loudest sources, of information are the incorrect or misleading ones.
3. No source of information should be silenced.

Words are tools. Tools shape and build images. That is the point of communication -- to communicate ideas. Some communicators need to build strong cases, using not just facts, but appeal to the heart. There is nothing wrong with word play or emotionalism in communication as long as it is not dishonest. It is not wrong to talk about "what is right" or "honourable". It is wrong to lie. Facts should be represented accurately at all times. In the case of viruses, many people have ideas and opinions; they have the right to their opinion, and to express their opinion. They even have the right to convey misinformation in many cases; We as responsible persons, have a responsibility to see that the misinformation is balanced with correct information. Until now, the "misinformation proponents" have not been only those with the loudest voices"; in many cases they have been the only voices the general public has had to listen to.

People have a right to listen to whomever they choose; they also have a right to know the motives of the persons they are relying on for information, whether that reliance is passive or active. One problem, that of "new" participants in the public debate (sometimes old participants using a new identity) can be addressed by questioning motives. If a person is not a publicly known figure whose motives and affiliations are well known to the general public, it is a duty to question, respectfully, their qualifications and affiliations. We must be willing to state our motives and affiliations as well, and to question the motives of others. If someone is not willing to discuss their reason and motivation for for a particular opinion, it is a duty to question that opinion.

Opinions however, are not facts. Many times misinformation is presented as "fact", followed by "well, I am entitled to my opinion". There is a difference. We must be careful to make the distinction, and to make others aware of the distinction.

We should adhere to certain principles of ethical communication when attempting to use information to cast light on "The Big Lie". We have an obligation to seek out accurate information and make sure that the information we distribute is as factual as possible; we need to be accurate, fair, and just in our treatment of ideas and arguments; we must be willing to submit private motivations to public scrutiny, and we must be, finally, willing to tolerate dissent with respect. These four principles, outlined by Karl Wallace in "An Ethical Basis of Communication" [Wallace, 55] can help establish the facts about computer viruses in the minds of the public.

We must be careful to not try to silence what we view as "the opposition" but to engage in productive, public debate. By doing this we can also possibly help teach those who honestly believe the Big Lie and the little lies that grow from it. We have passed the time where we can deal with the virus problem as passive bystanders dependent on software to solve "the problem" for us. Let the facts speak for themselves.

1. AAAS/NCLS. The Use and Abuse of Computer Networks: Ethical, Legal and Technological Aspects, Preliminary Report. American Association for the Advancement of Science - American Bar Association Section of Science and Technology, National Conference. Beckman Science Institute. Irvine, California. 1994
2. Bontchev, 94. Bontchev, Vesselin. Future Trends in Virus Writing. Proceedings, 6th Annual Virus Bulletin Conference. Jersey. 1994
3. Castro, 91. Hey! Let's send a couple of billion to Wolfgang. Time Magazine., v. 138. September 23, 1991
4. Clark, 92. Clark, Don. Report in San Francisco Chronicle. March 1992
5. Computerworld, 92-93. Computerworld.
6. Ducklin, 94. Ducklin, Paul. Anti-virus education: Have we missed the boat? Proceedings. 6th Annual Virus Bulletin Conference. Jersey. 1994.
7. Forester and Morrison, 94. Tom Forester and Perry Morrison. Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. MIT Press. 1994.
8. Gordon, 92. Gordon, Sara. Dedicated. Virus News International. 1992-93
9. Gordon, 93 Gordon, Sara. Inside the Mind of Dark Avenger. PC World, UK. August 1993
10. Gordon, 93. Gordon, Sara. Virus Exchange BBS: A Legal Crime?. Proceedings, AAAS/ABA/NCLS Conference "Legal, Ethical and Technological Aspects of Computer and Network Use and Abuse". Beckman Science Institute. Irvine, CA. 1993
11. Gordon, 94. Gordon, Sara. Technologically Enabled Crime: Shifting Paradigms for the Year 2000. SEC 94, TC/11. Curacao, NA. 1994
12. IFIP, 94. Proceedings, IFIP 94/TC11 Conference. Curacao, NA. 1994
13. Jordan, Glenn. Electronic mail correspondence. 1994. Used with permission.
14. Leslie, 92. David Leslie. in Software Engineering Notes, 92
15. McGaffey, 72. McGaffee, Ruth. Toward a More Realistic View of the Judicial Process in Relation to Freedom of Speech. Free Speech Yearbook, 1972. in Tedford, Makay and Jamison. 1987
16. Software Engineering Notes, 92. Nuclear Disaster Averted. Software Engineering Notes, vol. 17., no. 2. April 1992
17. Peterson, 94. Peterson, Padgett. Private e-mail conversation. 1994. Used with permission.
18. Readings for Speech Communication, 74. Spence v. Washington;. U.S. 405. 1974. Trustees of Indiana University. 1990.
19. Sandler, 94. Sandler, Corey. Virus, They Wrote. PC Computing. September, 1994
20. Skulason, 94. Skulason, Fredrik. V-Forum Correspondence with xxxxxxx. Comp.Virus Newsgroup, Usenet News. August 1994.
21. Slade, 92. Rob Slade. in Software Engineering Notes
22. Software Engineering Notes, 92. Software Engineering Notes;. pp 20-22. ACM Sigsoft. April 1992.
23. Spence, 74. in Readings for Speech Communication, 74.
24. Tedford, Makay and Jamison, 87. Tedford, Thomas; Makay, John; and Jamison, David. Perspectives on Freedom of Speech. Southern Illinois University Press. 1987
25. Tinker v. Des Moines Community School District, 69. Tinker v. Des Moines Independent Community School District. United States Reports, volume 393, page 503. 1969
26. United States v. O'Brien, 68. U. S. v. O'Brien. United States Reports, volume 391. page 367. 1968
27. Virus Bulletin, 94. Virus Bulletin. August 1994
28. Virus Bulletin Proceedings. 6th Annual Virus Bulletin Conference. Jersey. 1994
29. Virus Hits Hospital Computers;, Los Angeles Times, March 27, 1989
30. Virus News International, 93. News. S&S; International. 1993
31. Wallace, Karl. Karl Wallace. An Ethical Basis of Communication. in Tedford, Makay and Jamison. From The Speech Teacher, 1955