Transparency is not always best

Publishing source codes of viruses and other exploits may help companies understand their enemies better, but it will worsen their security situation in the long run.
Written by Munir Kotadia, Contributor
Publishing the source codes of viruses and other exploits increases security by helping companies to prepare for the worst, according to the editor of one such site. But this view is strongly disputed by antivirus companies and security experts.

French Web site K-otik is infamous for posting source codes that could be used to exploit vulnerabilities in products that include Cisco's IOS, Microsoft's Windows and Linux.

Chaouki Bekrar, K-otik's chief editor and himself a security consultant, said professionals contribute to the site because they believe that by making exploit codes freely available, administrators are on a level playing field with the hacking and cracking community: "The bad guys have time to seek the newest exploits on forums, IRC channels and private Web sites, but security experts and administrators do not. By making exploits public, security experts and administrators have the same weapons used by crackers, this is the only way to stay secure and up-to-date," he said.

But this claim is ridiculed by Raimund Genes, president of European operations at antivirus company Trend Micro, who said that sites like K-otik help people without computer skills to build and distribute malicious code: "There was a 16-year-old in the Netherlands who loaded a virus construction kit in South America and he made a virus called Anna Kournikova and it spread all over the world. The boy went to the police and pleaded guilty because he wasn't aware what he was creating," he said.

Genes said in many ways, malware sites are worse than Web sites that tell people how to make explosives: "When you look for instructions to build a bomb on the Internet, you still have to go to the pharmacy and buy certain chemicals; but with malware published on a Web site, you need nothing -- except possibly a compiler," he said.

But K-otik's Bekrar lays the blame firmly at the feet of software developers who continue to produce flawed applications: "Sites that publish attack codes and exploits are not irresponsible, they are realists. Finding vulnerabilities and publishing exploits is not the cause of the problem, it's a consequence of insecurity," he said.

K-otik is not breaking any laws because it does not incite people to go and commit a crime, said Struan Robertson, a specialist in e-commerce law and editor of out-law.com.

"In the US it would most likely be argued as a free speech right. In the UK we don't have the same free speech principle, but we do have a law that deals with incitement to commit crimes. However, it's unlikely that would be used in these circumstances because there have been no similar cases -- you would have to show that the people behind K-otik intended an offence to be committed," he said.

The U.K.'s Computer Misuse Act of 1990, which deals with hacking and viruses, is "very narrow and hopelessly out of date," said Robertson, "There are methods of committing crimes that were not possible in the 198's when it was being created," he added.

However, this law could be updated in the near future because a group of U.K. MPs are holding a public hearing in the House of Commons on 29 April to discuss suggested revisions to the Act in the hope of bringing it up to date.

Editorial standards