How to tell the good guys from the bad guys
The world is full of gray areas where it's difficult to tell right from wrong. As someone famous said not long ago, it all depends on what your definition of 'is' is. But shades of gray are seldom harder to distinguish than they are in information security.
A case in point: GateKeeper LLC, a Leesburg, Va., seller of policy-based antivirus software, recently announced virus-writing challenge contests. Programmers signed up to take their best shots at the company's E-Mail GateKeeper software, with a $10,000 prize going to the first virus author to break through.
The first contest was scheduled to run from April 16 to May 25, but a pair of programmers crashed the gate after 11 days to claim the prize money.
Not everyone approves of such contests.
'The competition is ill-advised and increases the problem rather than reducing it,' said Graham Cluley, senior technology consultant for Sophos Inc. of Wakefield, Mass., an antivirus rival. A contest is 'simply not an ethical or reliable means of testing software,' he said.
'We categorically reject the published notion that we are irresponsibly encouraging the spread of viruses,' company officials replied. The spread of viruses already is out of control, they said, and 'one could just as easily argue that it is also irresponsible to continue marketing products known to be ineffective in deterring new fast-moving, stealthy viruses.'
The issue parallels the full-disclosure debate that has been going on in the security community for the past year.
Some say that publicizing every vulnerability only encourages bad guys to exploit them. Others argue that this is the only way users can be sure they are getting the facts and to ensure that software vendors close the holes.
Both sides are at least a little bit right, but the trend has been a compromise toward more limited disclosure'giving vendors a chance to fix problems before they are publicized.
GateKeeper defended its contest, saying that writers are invited to attack only its product. It condemned competitors for 'a stagnation of ideas in the virus protection industry.' It complained of a 'bizarre symbiotic relationship between the virus writer and the virus protector,' in which protection depends on knowing the code signature of the virus.
Shane Kenny, president of SafeBrowse.
com Inc. of Kennesaw, Ga., one of the winners of the first contest, said he 'pursued the GateKeeper challenge to help in the development of a new weapon against an old enemy.'
He said his company does not condone the writing or spreading of viruses. Nevertheless, his company wrote a virus.
GateKeeper argued that the contest is harmless because if everyone used its product, no one would be harmed.
That's fine for GateKeeper's business, but it does not bode well for users who must employ a variety of methods to guard against viruses.
Users don't need the extra burden of virus authors sharpening their skills on behalf of GateKeeper.