Skip to main content

The Temperature At Which Code Burns

I grew up with my mother's Commodore VIC-20 in the living room. By the time I was five years old, not only did I have a Performa 430 of my very own, but I'd taught myself how the system worked well enough that the teachers at my elementary school called me over the campus IT specialist to fix their computers -- a trend that continued well into high school. At the age of 15 I was reverse-engineering websites and building my own based on the tricks I learned from individual page sources.

I also did some reprehensible stuff that I'm not going to specify due to the fact that none of it was even remotely legal and I haven't been prosecuted for any of it, which is a track record I intend to keep. After a couple of close calls and a dose of maturity, I brought my own experiences as The Jerk On The Other Side Of The Keyboard to my career working for the good guys. After all, who could be better suited to point out potential vulnerabilities in web apps and software than someone who used to exploit them?

These days, I'm an old lady sitting in her ergonomic desk chair cheering for all the others who've traded in their black hats for grey, at the very least. I haven't kept up with the constantly evolving tech world as much as I used to. I don't need to; there are plenty out there who are much more prolific and involved than I ever was, doing better work than I could ever imagine. I am content here on the sidelines, just following the stories as they happen instead of taking an active role in them.

Imagine my joy when 23-year-old Marcus Hutchins, known on Twitter as MalwareTechBlog, quite literally saved the world from the WannaCry worm just a couple of months ago. All he had to do was register a domain contained in the malicious program's source code, triggering a "kill switch" that stopped the infection dead in its tracks. It was an example of the current generation who'd grown up with far more sophisticated technology than I using their powers for good, stepping up to the same plate I'd stepped down from. We are in excellent hands, I thought, with a sense of pride weighing in just under that of a mother watching her child graduate.

A couple of nights ago, I found myself reading The Virus Underground, an article published in the New York Times back in 2004 by Clive Thompson that would prove to be unexpectedly prescient in its discussion of the legal and moral grey area surrounding code authors and whether they should be held accountable if the code they make available to others for educational purposes is then used for those that are decidedly not.

I was pleased to think that now, 13 years after the article was written, we live in a society of GitHub and Stack Overflow, where code can be easily shared and discussed, a digital version of the Socratic method. It's common knowledge that mixing enough rat poison into a cake will kill the person who eats it. It doesn't mean those of us with that knowledge are murderers, or that an author who writes about such an M.O. is responsible, should the events be imitated in the real world.

Then Hutchins was arrested by the US government. His "crime?" Authoring a hooking engine that was then lifted by an unassociated third party to use in the Kronos malware, which was then sold on the black market along with instructions on its use.

There is no evidence that Hutchins was the one behind the final version of Kronos. There is no evidence that he was the person who put it up for sale. The only evidence in existence is that he wrote something that was later blended with somebody else's code by someone very much not him:
But because Hutchins created something that was eventually used for nefarious purposes -- once again, by a third party -- he sits in a jail cell.

Ask yourself if, then, we should arrest everyone who's ever contributed to a cryptography or hacking reference book. If we should burn every copy of each of the aforementioned volumes, just in case. If anyone who has them sitting on their shelves should be thrown in jail because they might use them for the wrong reasons, or author something that someone else will misuse.

If that's the case, then hey, law enforcement agencies: here's just a few of many more reasons for you to show up at my door and drag me off in handcuffs, too. I'll put on a nice pot of tea when you get here.

By this logic, we can say so long to GitHub and Stack Overflow, farewell to computer science classes being offered on college campuses, auf wiedersehen to effective antivirus software -- because many of the threats that the antivirus program running on your computer right now defends you against are included thanks to multiple white hats who have identified vulnerabilities and notified the appropriate parties to get hotfixes and definition updates pushed out.

Anyone who writes a piece of code that could be used for malicious purposes and posts it, free of charge, in a publicly viewable location, does not do it because they want that code to be unleashed upon the world. The very minute code like that becomes easily available on the internet, those aforementioned defenses start building up. In-house software and security testing can only detect so much; there is no piece of code, let alone an entire, functioning application, that is 100% free of bugs or vulnerabilities, and there never will be.

But you know what gets it anywhere close? Discussion. Knowledge-sharing. Blasting it as loudly as you can to anyone who will listen when a potential landmine is found. The continued prosecution of white and grey hats for innocently pointing out flaws and disasters-to-be will put an end to that alert system; then it will be only the "bad guys" tapping away at their keyboards to let us know the hard way when a lapse is found, because the rest of us will be too afraid to share our findings.

Thankfully, the widespread sentiment is that the case against Hutchins is sufficiently weak, and that he is not the criminal mastermind that the United States government has accused him of being. Maybe the Feds are still sore about the ease with which hackers and security experts at DefCon this year broke into US voting machines. Maybe, given the current administration's attitude towards anyone not of sufficiently "American" pedigree, they're looking for an easy scapegoat. 

What is certain is that even if the case against him is dropped, simply arresting him under such flimsy pretenses sets a dangerous precedent for anyone else who has ever been curious or bored enough to experiment with code, who might just turn out to be the next superhero the world needs for the next malware attack.


Popular posts from this blog

A Beginner's Guide to CPPCon 2017

When we last left our heroine, she was just stating that although she'd be accompanying Ben to Seattle for his talk at CPPCon 2017, she wouldn't be attending the actual conference...

There were a few reasons I didn't intend to go. For one thing, I'm very much a C++ novice, just wading my way through the beginning of my education. I assumed that there would be nothing there for me, and although the conference is quite reasonably priced -- less than $1k for a whole week of content! -- I was unsure as to whether it would be a waste of money for my skill level. Plus, there's that pesky impostor syndrome that sneaks up on me with a less-than-friendly reminder that I'm highly unintelligent and that should I dare darken their doorstep I would be swiftly exposed as the fraud I really am.

Indeed, I had planned a whole week of excursions and exploration in Washington State when Ben invited me to dinner with him and a few colleagues from the conference.

My experience as a…

The First Anniversary

This weekend marks one year of many more to come spent with the most incredible man I've ever met. I always wanted to have a cute and clever love story to tell, and I'm ecstatic to say that in him I have found a better tale than any romantic comedy writer could come up with.

My previous marriage was over with the exception of some paperwork to be filed and fees to be paid. I had finally reached a point in my life where I felt I was really better off alone, taking myself on dates to the luxury movie theater, going to my favorite restaurants, spending time with myself doing the things I wanted to do.

One of those things was jumping into the world of programming. Things hadn't worked out with the guy I'd been sort-of-seeing, but to his credit, he made me believe that I was indeed smart enough to learn to code. He'd always mention his boss, Ben Deane, and what a great resource he and his frequent engineering talks were for the novice programmer. "When Ben Deane ta…

A CPPNow Travel Guide

Disclaimer: This blog focuses more on the travel and community aspects of CPPNow rather than the technical side -- if you're looking for the latter, there are (or will soon be) many trip reports written by people far more intelligent than I who cover this. I feel that the atmosphere and inclusiveness of a conference is just as important as how good the content is; if you disagree, this is not the blog for you.

Last year I put together The Beginner's Guide to CPPCon detailing my unexpected but incredibly pleasant adventures in Bellevue. I figured that would be my last report until CPPCon 2018, but life has a funny way of surprising you, in the form of more C++ conferences.

I'd heard of CPPNow -- formerly known as BoostCon -- from Ben, who attended the 2017 conference, but I didn't know much about it other than it featured much more advanced C++ content than CPPCon. When I asked if I should attend, he inadvertently scared me off of it by telling me I probably wouldn'…