Sumana sent me a great article called “Fight Virus With Virus,” where by “great” I mean “horrendously ill-advised.” Basically, Paul Boutin argues that instead of offering cash rewards for the capture of virus writers, the (ostensible) good guys should write viral programs that attack the malignant viruses with their own methods.
You may recall last fall, during the heyday of Blaster, when some idiot attempted to build a “good worm” that would fix the problem Blaster exploits. I’m sure it came as a shock, to people who weren’t paying attention, when it only made the problem worse. Boutin makes that worm (“Nachi”) a key point of his proposal. “Ingenious!” he says. “There was only one problem: Nachi overloaded networks with traffic, just like Blaster had.”
Casting it in those terms makes it seem like the traffic problem was a minor side effect, something that could have been fixed with a little careful programming. In fact, it’s a big glaring fundamental flaw. Boutin’s argument is equivalent to saying “there’s only one problem with water: it’s wet.”
The fact is that it no longer matters what, if any, payload a virus carries. The Denial-of-Service attacks that MyDoom and Blaster were supposed to create failed, because it was easy to figure out what they were doing and take countermeasures. It’s self-evident that it’s very easy to protect a single target when you know it will be attacked, and very difficult to defend millions of targets when the time of attack is unknown. The problem isn’t the end goal of a single instance of the virus, it’s their collective method of replication–which, in an increasing number of cases, is the end goal.
Boutin proposes that the hypothetical antivirus would “[spread] itself slowly and carefully to prevent traffic jams.” But programs that are allowed to grow unchecked are impossible to control, because they grow unchecked. Even writing a program that, say, replicates itself no more than once a week would mean only a minor delay on its growth pattern. Self-replicating programs grow exponentially, and restrictions would only divide that growth factor by a constant. People who know about complexity theory know that no matter how many fractions you put in front of an exponential variable, it’s still exponential; whether or not its curve stretches horizontally near the origin very quickly ceases to matter.
The heart of the virus / antivirus problem is an ethical one: it is wrong to alter any system without its owner’s informed consent, regardless of your intentions. It’s wrong to take over a system to use it for a DOS attack. It’s equally wrong to take over a system as part of a plan to stop that attack. This is a fundamental principle for the “white hats” to whom Boutin is trying to appeal.
(An aside: Microsoft will probably soon begin including the ability for Windows to patch itself automatically, which I’m gonna go ahead and say now will be exploited, and badly. I’m not really an outright MS-basher, but I don’t think the folks in Redmond have ever really been considered white hats, either.)
Boutin actually states the best available solution to the whole problem in his article, before going on to ignore it. “As the Washington Post reported yesterday, protecting yourself is easy,” he writes. “Install some anti-virus software and set it to automatically update itself (the default for most programs).” Actually, it’s not that easy, it’s not cheap, and many people can’t be bothered to do it. And yes, it sucks that their apathy screws up the entire Internet for the rest of us.
But as democracy is to government, so self-protection is to countervirus measures: the apathy of the many causes problems for all, yet it’s the least bad solution available. Increasingly complex tools are subject to increasing numbers of flaws, and will be so as long as they continue to increase in complexity (according to Moore’s Law, that’s forever). The right to repair those flaws rests solely with the owner of any particular instance of a tool; no matter how much one wants to, taking those rights for one’s own is wrong. Malignant programs can make computers into monsters, but as somebody who knew a little about computers once said, there is no silver bullet.