Tuesday, October 2, 2012

Choose your own fail

Week one, a chance to learn what my second Cybersecurity course is going to be like. Wanting to get started on the right foot, I decided to work through their Flash driven module. Yeah, yeah, yadda, yadda... until page three had a mini survey for me. Select an answer and get their "expert’s feedback."
1. Creating malicious code is freedom of expression, demonstrating programming talent and innovation.
  Yes. Usually, virus developers have very high IQs. It takes a lot of skill and intelligence to exploit multiple levels of security in computer systems.  
  Yes. Launching viruses or malicious code is not a crime if it is done by hackers to test their abilities and if it doesn’t cause any damage.  
  No. Creating malicious code is unethical irrespective of whether monetary damages are caused and is a punishable offense.  

I find the “expert’s feedback” extremely close-minded and wrong. My selection was the second option, feeling it was the best of three bad choices.

The feedback is “Not really. Launching malicious code is unethical and unlawful even if it does not cause any damage. It is still a breach of privacy and security.”

I interpreted “Launching viruses or malicious code” as including the use by penetration testers and grey hat researchers. These users of malicious code utilize it against systems being tested for vulnerabilities or systems set up for the purpose of being targeted. Also, malicious code may be utilized by law enforcement agents acting under warrant.

The primary reason I selected that answer was through process of elimination. Specifically, I excluded the “correct” answer immediately, which the system called the third.

There is such an extreme prejudice included in this answer that there is no way I would ever select it. First, malicious code is a too vague term to be able to apply any absolutes about the ethical nature of its creation. Coders are malicious, but code, especially the individual blocks, are just tools.

I have personally developed a background keystroke logger as in intellectual exercise. The experience was valuable and the knowledge gained is helpful. I never deployed it, and the development was not unethical. The techniques that I learned in the exercise can now be used to develop legitimate, non-malicious tools like a system-wide hot-key tool like AutoHotKey. The same techniques and code blocks that would build a web snooping implant also can make a parental monitoring tool. Anti-virus tools hook functions, inject DLLs, monitor network activities, consist of rootkits, and the list goes on and on. Honestly, the only difference between an antivirus tool and malware is the method of delivery and the intentions of the distributors.

No comments:

Post a Comment