Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Your Rights Online

Author Makes Symbian Virus Code Available 49

Posted by Hemos from the learn-from-mistakes dept.
putko writes "The NY Times (registration required) has a story about a Brazilian software expert whose posted the code for his Bluetooth virus on his website. The article has a general anti-free-exchange-of-information tone to it. Security firms call him bad. Nokia is concerned. Here's his homepage (in Portuguese), so let's not unnecessarily DDoS him: The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."
This discussion has been archived. No new comments can be posted.

Author Makes Symbian Virus Code Available More

Author Makes Symbian Virus Code Available

Comments Filter:

  • Yeah (Score:1, Insightful)

    by Anonymous Coward
    Because as we all know, nothing takes away encouragement from a virus writer like giving him exactly what he wants. \sic

    • Re:Yeah (Score:1, Funny)

      by Anonymous Coward
      I didn't know that. Got anything to back it up with?

      • Re:Yeah (Score:2, Informative)

        by Damhna ( 56361 )
        I'll back it up.
        It is the explicit (and logical) intention of AV comapanies not to name rogues in the fashion the author desires.

        Symantec's Policy is as folloes
        Virus names consist of a Prefix, a Name, and often a Suffix.

        * The Prefix denotes the platform on which the virus replicates or the type of virus. A DOS virus usually does not contain a Prefix.
        * The Name is the family name of the virus.
        * The Suffix may not always exist. Suffixes distinguish among variants of the same family and are usually numbers d
        • The infamous "Bagle" virus actually has the string "beagle" in it.

          The infamous "netsky" viruses were released by a group calling itself "Sky Net".

          It's a real nightmare for sysadmins trying to figure out if their software blocks a certain threat, when each A/V vendor picks their own name. Many of those names are selected independently, and it's understandable that they don't want to change their names after they've released their updates. So, the obvious solution is to have the virus-writers come up wi

          • It has long been the practice that the first AV company to get the submission chooses the name and the others are supposed to fall in line. Things sometimes break a little faster than hoped though.

            I remember Bagle/Beagle well , I believe Sophos called it one name and Symantec the other. I do empathise , it is incredibly frustrating to get high level alerts from different vendors about apparently different rogues , all within the space of a few hours.

            I recall one company even decided to try to coem onboa

  • I'm confused (Score:5, Insightful)

    by bwalling ( 195998 ) on Tuesday January 25, 2005 @08:41AM (#11466820) Homepage
    This posting seems rather sympathetic to this guy. Free exchange of information? Your credit cards are information - should I freely exchange those with everyone? So, not all information should be exchanged. Why should we be so nice to his website? He's not being so nice to our cell phones. And who cares what the name of the virus is? It's not like he discovered a new comet or something positive.

    There's something to be said for being open and free, but there's also taking it too far.

    • Re:I'm confused (Score:3, Insightful)

      by tka ( 548076 )
      Yep, even though one might think of it as a positive thing to expose security problems in software, I don't. One should first contact the company about this. And then after a while, depending on what the company response was, release it. The security problem might not be due to originally bad design or lack of interest in security.. In which case the company should suffer from it.

      But now, we, the customers suffer from it.

    • I don't think there should be any debate here (Score:5, Interesting)

      by orasio ( 188021 ) on Tuesday January 25, 2005 @09:16AM (#11467115) Homepage
      The guy discovered a fundamental flaw, and is showing the need for a fix, forcing a fix, probably. That is actually a good thing. The guy is a good guy, and gets fixed something that is broken.
      If he were a bad guy, he would be playing with your credit card, or even worse, shutting the hell up, and letting someone else discover the vulnerability, and using it.

      Maybe you think he should have contacted the responsible firms first, but that's too delicate, he could even end up with legal trouble because of that (think.. extortion) .
      This way he will probably get the vulnerability fixed, and bluetooth users are the ones who benefit.
      I don't believe it's taking it too far.

      • letting someone else discover the vulnerability, and using it.

        Now no one has to figure it out, they just have to do it how he told them to do it. It's certainly a lot easier to exploit when you tell the whole world how to do it.

        • Re:I don't think there should be any debate here (Score:4, Insightful)

          by hummassa ( 157160 ) on Tuesday January 25, 2005 @09:36AM (#11467267) Homepage Journal
          But this is the only way to tell the companies: fix this or the whole world will know how to exploit it.

        • Re:I don't think there should be any debate here (Score:4, Insightful)

          by orasio ( 188021 ) on Tuesday January 25, 2005 @09:50AM (#11467377) Homepage
          Please! try thinking!
          Just because nice guys refrain from discovering vulnerabilities, it doesn't mean the bad guys will!!
          The guy is just trying to force the hole to be closed.
          The situation before this guy was that your phone was vulnerable, and you were ignorant. The situation now is that your phone is vulnerable, and you are aware of it, and probably won't buy another vulnerable bluetooth device until it's fixed.
          I don't understand why you prefer the first scenario. It's actually possible to write vulnerability-free software. It is way too expensive, but maybe it should be required.
          If people keep thinking that holes whuld just be overlooked instead of fixed, there will never be any value on providing secure software.

          • The situation before this guy was that your phone was vulnerable, and you were ignorant. The situation now is that your phone is vulnerable, and you are aware of it, and probably won't buy another vulnerable bluetooth device until it's fixed.

            Who are you kidding? The situation before was that my phone was vulnerable, and that only one guy knew anything about it. Now, everyone knows all about it, including people who will use it to create viruses. The odds are now higher that I will get a form of this vi

            • It seems the debate is split mostly along the line of whether or not the dude in question should have released the code. Correct me if I'm wrong, but both sides seem to agree that knowing about a vulnerability and keeping silent is bad. The dividing point is what and how much information do you release about what you know about this vulnerability?

              On the one hand, releasing the full exploit code is probably pretty damned irresponsible. Now any idiot that can tweak a line of code or two can roll their own S

            • Who are you kidding? The situation before was that my phone was vulnerable, and that only one guy knew anything about it.

              Pleaaase!!
              What makes you think that only one guy knew anything about it?
              That's just what _you_ know.
              I believe, given most new technologies, it only takes some knowledge, and much effort, to find exploitable vulnerabilities, if you have something to gain from it. The guy is _one_ of the people who knew the vulnerability.
              After this, your next phone will have one vulnerability less. If it
          • Except for this:
            It's actually possible to write vulnerability-free software. It is way too expensive, but maybe it should be required.

            You can prove that a non-trivial program has an error, but you can't prove that it has not (Dijkstra?)
            • Using an imperative language, that's true.

              In functional languages, like Haskell, it would be easier to prove the program does what you want.

              I think Hugs can help you derive error-free programs (I never attended the error free programming workshop, but that's what they claim).

              You can always argue that the compiler is written in C or ASM, but you can get pretty close to error-free, at least with a much higher confidence.
      • If jackasses like him weren't exploiting security holes, there wouldn't be a need to find them. It's rather sad that the current state of computing is analogous to having to put bars on bulletproof windows just to avoid having some asshat break in.
        • He isn't exactly exploiting security holes, he is showing a possible exploit, a danger that was already there, in your analogy, he is shouting that, even though you have bulletproof windows, you left the door open.
          • He isn't exactly exploiting security holes, he is showing a possible exploit, a danger that was already there, in your analogy, he is shouting that, even though you have bulletproof windows, you left the door open.

            Yes, but in a city of 20,000 homes, one open door isn't likely to have a burglar find it. However, if some dickhead puts up a neon sign saying "this guy's door is open, someone could easily rob him", the the odds that a burglar find it go way up. And, really, what benefit was there in putting
            • Maybe we shouldn't argue about an analogy, it's useless, you know? (anyway, it's not one open door, it's more like "XXX brand locks are damn easy to poke!!, here's how: ...")

              The problem here is that he can't just talk to the companies, and say he has an exploit.

              If he mailed the companies and said that they should release a fix or else he releases the exploit, that's extortion.
              If he just tells them of the exploit, and expects that they do the right thing, e would be putting his trust on the wrong entity, a
              • I wonder if it would be considered extortion if it were phrased as "Release a fix because I'm releasing the details as such-and-such later date.
                • No. That's not extortion. There was no demand of money. Intent matters.

                  Consider these statements;

                  A. "May want to your fence, I'm getting a mastiff next month."
                  B. "If you don't fix your fence, I'm going to sic a mastiff on your cat."
                  C. "$500, or I'm going to kill your cat".

                  "A" is an informative statement, reminding a neighbor of his responsibility to maintain his fence.
                  "B" is a threat of violence. It effectivly promises a dead cat for a failure to do as told.
                  "C" is extortion.

                  Replace "fence" with "product
          • I almost never lock my door. The crime rate where I live is very low, and many people leave their doors unlocked. When you have to lock your door to avoid burglaries, you have a crime problem.

  • jealousy (Score:3, Insightful)

    by St. Arbirix ( 218306 ) <matthew...townsend@@@gmail...com> on Tuesday January 25, 2005 @08:51AM (#11466896) Homepage Journal
    The A/V companies got mad that they didn't think of the virus first.

    What good is antivirus software if it can't protect against all viruses? How better to protect against them to have written them yourself?

    -1 flamebait

  • Why Lasco.A...? (Score:3, Informative)

    by Grab ( 126025 ) on Tuesday January 25, 2005 @09:01AM (#11466978) Homepage
    Simple. You need the ".A" to indicate it's the first of its type. Since this dumbass has released the virus code to the world, you can bet there's going to be a ".B", ".C", etc.. In fact I doubt one alphabet will be enough to count them all.

    As for using this guy's name, why would we want a virus writer and distributor to become famous?

    Grab.

  • Malware routinely gets renamed (Score:4, Informative)

    by babbage ( 61057 ) <cdeversNO@SPAMcis.usouthal.edu> on Tuesday January 25, 2005 @10:40AM (#11467885) Homepage Journal
    The most irritating bit of all this is that the guy writes the thing, distributes it, gives it a name (eponymous) and then the stupid virus firms go and butcher it -- e.g. "Lasco.A". What's so wrong with "Velasco" already? The guy clearly wants it to be named after himself."

    It's not much of a leap to assert that most malware is, on some level, a form of ego tripping, and most malware authors, much like the authors of any other software, would like to see their work spread far and wide.

    Hence, antivirus companies always change the name.

    Whether or not a virus had a name to begin with, each vendor will select a name of their own for it to deprive the author of that fame. Why encourage them, you know?

    But there's the other bit of ego -- each vendor will select a name of their own. For a prominent attack, one of these names will make it into he wider media, and being the vendor that named it is itself an ego boost for that company.

    So, all of this naming nonsense is just a stupid dickwaving ego contest. We'd almost be better off if we did like the National Weather Service and named each year's outbreaks in advance, before any of them are spotted in the wild, just to neutralize the stupid games that go on over what this junk gets called. Not that that'll ever happen, of course...

  • I wonder... (Score:3, Insightful)

    by IndiJ ( 842721 ) on Tuesday January 25, 2005 @12:21PM (#11469179) Homepage

    You know, my gut reaction on reading the article as posted was, "What a goddamn piece of bullshit flamebait - who cares whether or not the guy doesn't get to name the virus he created?"

    But then I thought about it. Regardless of what it is, it is something that this Brazilian dude wrote. It's his intellectual property. He should have the right to name it. For the antivirus companies to tag it with their own name is equivalent to WalMart getting a box of "Home on the range" DVD's, ripping the covers off and selling them as "WalMart presents: The Disney cow movie!".

    And before anyone offers any arguments about "not wanting to encourage virus-writers", let me say: bullshit. It doesn't matter whether it's a program, a novel, a song or a painting ... or a virus - intellectual property is intellectual property. Even people in jail own the copyrights on their goddam prison tatoos. Even Osama bin Laden [msn.com] has his copyrights. The laws are quite clear on this.

    So... yeah. Velasco it is.

    • As much as I hate IP and as much as I detest software that can wreck havoc on my phone, I have to agree with you. Let's say the owner of a publishing company is a devout Satanist, and has every Christian book sent to the stores purposely defaced. The authors would sue the publisher for every cent he had, and then possibly burn him at the stake later.


      Why allow AV companies to do something society prohibits in all other lines of work?

      • If the defacements were noted as not being from the original author, and no duplicates were made, what would the legal ground be?

        Granted, the IP in this actual case would be copied, so you have a point apart from the analogy.
        • If the defacements were noted as not being from the original author, and no duplicates were made, what would the legal ground be?

          Copyrighted work is protected from defacement. An analogy to the analogy would if I took a TV show and overdubbed the dialog with my own. In fact, the author could insist that the store not display his books at all, and be in the right.

          • Why can't I take a TV show and overdub it, as long as I don't make copies? As for the second statement, if the author didn't want their work displayed, they should have never sold the works (or sold them under a restrictive contract agreement). You can't have your cake and eat it too.

            If I'm wrong, could you cite the relevant case law or legal code? I'm interested.
    • I totally agree. It's just the sort of rotten stunt that Micro$hit would pull.

Slashdot Top Deals

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Close