Virus writers profiled

Clive Thompson has written a lyrical and evocative article profiling several (mostly European) virus writers: coders who write and post proof-of-concept malware to demonstrate security flaws in Microsoft products.

Benny, clean-cut and wide-eyed, has been writing viruses for five years, making him a veteran in the field at age 21. "The main thing that I'm most proud of, and that no one else can say, is that I always come up with a new idea," he said, ushering me into a bedroom so neat that it looked as if he'd stacked his magazines using a ruler and level. "Each worm shows something different, something new that hadn't been done before by anyone."

Benny — that's his handle, not his real name — is most famous for having written a virus that infected Windows 2000 two weeks before Windows 2000 was released. He'd met a Microsoft employee months earlier who boasted that the new operating system would be "more secure than ever"; Benny wrote (but says he didn't release) the virus specifically to humiliate the company. "Microsoft," he said with a laugh, "wasn't enthusiastic." He also wrote Leviathan, the first virus to use "multithreading," a technique that makes the computer execute several commands at once, like a juggler handling multiple balls. It greatly speeds up the pace at which viruses can spread. Benny published that invention in his group's zine, and now many of the most virulent bugs have adopted the technique, including last summer's infamous Sobig.F.

Clive touches on, and dismisses, the free-speech arguments for publishing malware code (interestingly, he does so without quoting any of the legal scholars or impact litigators who work on First Amendment issues, and so elides the nuance in the argument and presents a somewhat blunted picture of the issue), and only lightly touches on the far more important notion of legitimate security research.

If, as Schneier says, "Any person can create a security system so clever s/he can't think of a way to defeat it," then the only experimental methodology for evaluating the relative security of a system is publishing its details and inviting proof of its flaws — proof readily embodied in malware.

Codebreakers and worm writers are the only mechanism we know of for reliably strengthening systems, and the idea that they should refrain from publishing their research in order to keep us safe is fundamentally flawed. It rests on two assumptions: that malicious people will never be clever enough to independently reproduce these techniques, and that the public is better served by remaining ignorant of the risks in the systems it has bought than by seeing the evidence of the rampant flaws in those systems.

This notion falls flat when considered in light of the real world. If a developer were building condos whose doors could all be unlocked with an unbent paper clip, this line of reasoning demands that whoever discovers this keep mum about it, in the hope that no bad guy ever catches on. In the real world, the best answer is usually to scream about it to high heaven, so that the bad developer can't silence you and cover his ass, and so that his customers can get their locks fixed.
