Immunizing the Internet 181

jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
  • PDF WARNING! (Score:5, Informative)

    by Maelwryth ( 982896 ) on Monday June 26, 2006 @05:30AM (#15604180) Homepage Journal
    The link is directly to a .pdf file. This [66.102.7.104] should link to the Google html cache.
  • by OverlordQ ( 264228 ) on Monday June 26, 2006 @05:54AM (#15604236) Journal
    Taking 2 seconds to view their homepage tells you this:

    The Harvard Law Review is a student-run organization whose primary purpose is to publish a journal of legal scholarship. ... The organization is formally independent of the Harvard Law School.


    What's with people being lazy? Or is it just an attempt at some karma whorage?
  • by skiman1979 ( 725635 ) on Monday June 26, 2006 @06:13AM (#15604286)
    Well, all those crimes hurt people/corporations. "Ethical hacking" is capable of occurring without causing damages. If I find a hole in a system for a remote code execution exploit, run code that simply displays a console message on a server, then determine how to fix the hole and inform the system administrator, that seems harmless. It allows the admin to find out about the hole and fix it. Now if I were to run code that roots the box and turns it into a spam bot sending millions of spam emails out wasting large amounts of bandwidth, or code to steal company data, that's another story. Should I be penalized if I go to your house, find out how to break into it, and tell you what I found?
  • by smoker2 ( 750216 ) on Monday June 26, 2006 @06:29AM (#15604324) Homepage Journal
    How about here? [sectools.org]
  • by D.A. Zollinger ( 549301 ) on Monday June 26, 2006 @06:45AM (#15604358) Homepage Journal
    From another perspective, the author's ideas have some merit. In biological systems, it is only after one has been infected and their immune system fights off a disease that they are impervious to repeat infections. In this way entire societies build up resistances to deadly diseases. For example, Jared Diamond believes 95% of Native Americans were killed off by diseases carried by European settlers who were largely immune to said diseases. (link) [wikipedia.org]

    In a way, as different portions of the computer systems and software are attacked, the flaws that allow for such attacks are, in general, corrected. Problems identified in one attack can be applied to other areas, and as such, can effect system-wide changes toward a better system (think buffer overruns), as well as more security-minded design (think security developments in IE7 and Vista).

    I'm not advocating that the world governments should let virus writers and crackers have free rein of the Internet. A balanced response would allow for leniency for those who have no malice in their intentions. Of course, this is difficult to prove, and from personal experience, I have yet to meet a virus writer with purely altruistic intentions. Also there are corporate interests to deal with as well. How embarrassing must it have been for Symantec to have their flagship product meant to help secure a computer be the source of insecurity? While Symantec handled the situation extremely well, many other companies do not have a large security-minded staff on hand to deal with security problems. For them it is easier to accuse the attacker than acknowledge a problem they cannot deal with.
  • by Anonymous Coward on Monday June 26, 2006 @07:14AM (#15604418)
    Exactly, but there is a time and a place for full disclosure, and the situation is easily complicated. Even just the act of disclosure is uncertain. Publish too widely and be accused of helping hackers. Publish too narrowly, and be accused of not informing the public. It's a messy job.
  • by welshwaterloo ( 740554 ) on Monday June 26, 2006 @07:28AM (#15604444)
    Yeesh.. from the article:

    Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.

    Now, I always thought a worm is "self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers."

    Geez, people - if you can't cromulize your terminology, I have little faith in your article..

  • by Dagmar d'Surreal ( 5939 ) on Monday June 26, 2006 @08:17AM (#15604603) Journal
    Doing an expensive audit after an intrusion is the cost of not having enough security in the first place. If you got hacked, you got hacked. It's true that it doesn't matter whether or not anything else was done with respect to the follow-up audit.

    Having someone come forward and say "you've got a rather specific problem that needs fixing and here's a way to maybe fix it" and then going and doing your damnedest to ruin their career and/or put that person in jail is simply needlessly shooting the messenger.

    Having someone break into your network and steal all your company's secrets and go sell them to a competitor without you knowing about it is called "a complete @#$@% disaster" and is usually the end of your company.

    Generally, I would want the first group to get to my company before the second group does, since there's a chance my job would actually remain afterwards.
  • Your original premise has a few flaws:

    The entire Internet is a single, uninterrupted deterministic state machine.

    No, it's not. It's neither single, nor uninterrupted, nor deterministic.

    It's not a single state machine, because it's not a single machine. By definition, the Internet is a collection of machines.

    If you tried to push that analogy in any other field, the BS quotient would set alarms off immediately. For example, if you tried to say that people are a single person because all their interactions are connected, people would go, "yeah, whatever ..."

    It's not an uninterrupted state machine, nor a deterministic state machine.

    As an aggregate of hosts, it literally ceases to exist in its current form as individual hosts drop off or connect. The fashion in which this happens is far from deterministic, since it's under the control of all sorts of people - from the bubble-gum-chewing pop-tart-wannabe on myspace to the perv stalking same. Since the individual components' actions are non-deterministic, the Internet is non-deterministic. Nobody can determine, even with a snapshot of the WHOLE Internet at point T in time, what will be happening at T+5 seconds.

    Your argument, on the other hand, is a good example of GIGO - start with a flawed premise, produce a flawed result.

    You even make my point when you state this:

    If you download and execute my code, you have done so willingly.
    ... that the actions of the Internet cannot be predetermined because of the presence of you - a human being, who does not work in a deterministic fashion.

    ... and since YOU have added people to the equation in your argument, then I am allowed to add the argument that your statement about "willingly" requires informed consent. Informed consent requires full knowledge beforehand, not what you get when someone tries to do an anal probe on a server.

    Your last argument also makes the point that people are the true owners of the net - when you say "OUR" machine - and people have the right to say how they want their property to be used, even in public spaces. If you don't believe that, please give everyone your address - I'm sure someone will be happy to rob you when you're in public, then present your own arguments as justification that you gave implicit permission by your very presence in public.
