The Temperature At Which Code Burns

I grew up with my mother's Commodore VIC-20 in the living room. By the time I was five years old, not only did I have a Performa 430 of my very own, but I'd taught myself how the system worked well enough that the teachers at my elementary school called me over the campus IT specialist to fix their computers -- a trend that continued well into high school. At the age of 15 I was reverse-engineering websites and building my own based on the tricks I learned from individual page sources.

I also did some reprehensible stuff that I'm not going to specify due to the fact that none of it was even remotely legal and I haven't been prosecuted for any of it, which is a track record I intend to keep. After a couple of close calls and a dose of maturity, I brought my own experiences as The Jerk On The Other Side Of The Keyboard to my career working for the good guys. After all, who could be better suited to point out potential vulnerabilities in web apps and software than someone who used to exploit them?

These days, I'm an old lady sitting in her ergonomic desk chair cheering for all the others who've traded in their black hats for grey, at the very least. I haven't kept up with the constantly evolving tech world as much as I used to. I don't need to; there are plenty out there who are much more prolific and involved than I ever was, doing better work than I could ever imagine. I am content here on the sidelines, just following the stories as they happen instead of taking an active role in them.

Imagine my joy when 23-year-old Marcus Hutchins, known on Twitter as MalwareTechBlog, quite literally saved the world from the WannaCry worm just a couple of months ago. All he had to do was register a domain contained in the malicious program's source code, triggering a "kill switch" that stopped the infection dead in its tracks. It was an example of the current generation who'd grown up with far more sophisticated technology than I using their powers for good, stepping up to the same plate I'd stepped down from. We are in excellent hands, I thought, with a sense of pride weighing in just under that of a mother watching her child graduate.

A couple of nights ago, I found myself reading The Virus Underground, an article published in the New York Times back in 2004 by Clive Thompson that would prove to be unexpectedly prescient in its discussion of the legal and moral grey area surrounding code authors and whether they should be held accountable if the code they make available to others for educational purposes is then used for those that are decidedly not.

I was pleased to think that now, 13 years after the article was written, we live in a society of GitHub and Stack Overflow, where code can be easily shared and discussed, a digital version of the Socratic method. It's common knowledge that mixing enough rat poison into a cake will kill the person who eats it. It doesn't mean those of us with that knowledge are murderers, or that an author who writes about such an M.O. is responsible, should the events be imitated in the real world.

Then Hutchins was arrested by the US government. His "crime?" Authoring a hooking engine that was then lifted by an unassociated third party to use in the Kronos malware, which was then sold on the black market along with instructions on its use.

There is no evidence that Hutchins was the one behind the final version of Kronos. There is no evidence that he was the person who put it up for sale. The only evidence in existence is that he wrote something that was later blended with somebody else's code by someone very much not him.

But because Hutchins created something that was eventually used for nefarious purposes -- once again, by a third party -- he sits in a jail cell.

Ask yourself if, then, we should arrest everyone who's ever contributed to a cryptography or hacking reference book. If we should burn every copy of each of the aforementioned volumes, just in case. If anyone who has them sitting on their shelves should be thrown in jail because they might use them for the wrong reasons, or author something that someone else will misuse.

If that's the case, then hey, law enforcement agencies: here's just a few of many more reasons for you to show up at my door and drag me off in handcuffs, too. I'll put on a nice pot of tea when you get here.

By this logic, we can say so long to GitHub and Stack Overflow, farewell to computer science classes being offered on college campuses, auf wiedersehen to effective antivirus software -- because many of the threats that the antivirus program running on your computer right now defends you against are included thanks to multiple white hats who have identified vulnerabilities and notified the appropriate parties to get hotfixes and definition updates pushed out.

Anyone who writes a piece of code that could be used for malicious purposes and posts it, free of charge, in a publicly viewable location, does not do it because they want that code to be unleashed upon the world. The very minute code like that becomes easily available on the internet, those aforementioned defenses start building up. In-house software and security testing can only detect so much; there is no piece of code, let alone an entire, functioning application, that is 100% free of bugs or vulnerabilities, and there never will be.

But you know what gets it anywhere close? Discussion. Knowledge-sharing. Blasting it as loudly as you can to anyone who will listen when a potential landmine is found. The continued prosecution of white and grey hats for innocently pointing out flaws and disasters-to-be will put an end to that alert system; then it will be only the "bad guys" tapping away at their keyboards to let us know the hard way when a lapse is found, because the rest of us will be too afraid to share our findings.

Thankfully, the widespread sentiment is that the case against Hutchins is sufficiently weak, and that he is not the criminal mastermind that the United States government has accused him of being. Maybe the Feds are still sore about the ease with which hackers and security experts at DefCon this year broke into US voting machines. Maybe, given the current administration's attitude towards anyone not of sufficiently "American" pedigree, they're looking for an easy scapegoat. 

What is certain is that even if the case against him is dropped, simply arresting him under such flimsy pretenses sets a dangerous precedent for anyone else who has ever been curious or bored enough to experiment with code, who might just turn out to be the next superhero the world needs for the next malware attack.
