Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: hartley@AIC.NRL.Navy.Mil
Newsgroups: comp.virus
Subject: Re: Antivirus viruses
Message-ID: <0011.9008231338.AA20624@ubu.cert.sei.cmu.edu>
Date: 22 Aug 90 18:03:07 GMT
Sender: Virus Discussion List
Lines: 58
Approved: krvw@sei.cmu.edu

I think there are situations in which the release of such viruses
would be both ethical and desirable. I can think of at least one
precedent from the medical profession -- the Saulk (sp?) vaccine (the
primary polio vaccine in the US). This vaccine is a live, contagious
virus. Any physician who administers it is releasing a virus into the
population. This is considered an advantage. Contagion is not
considered a problem because:

1 - The virus is beneficial (it blocks a much more virulent virus)

2 - It is intended that the entire population be inoculated anyway.

The computer analog of such a transmissible live attenuated virus
would be a version of a highly destructive virus from which the
destructive code has been removed. The vaccine would spread to exactly
the population susceptible to the original virus, because it would
spread by the same mechanism and would be stopped by the same
protective software. It would then compete with the virulent virus by
means of its shared self recognition site.

To be effective such a vaccine would have to reach a target machine
before the virulent strain. This can be insured in two ways.

a - by making the vaccine spread more rapidly than its target. Small
increases (which could result simply from the removal of the
destructive payload) might be sufficient. Regardless of how fast it
spreads, however, the vaccine will still arrive too late for some
machines.

b - Give the vaccine a head start by distributing it widely by means
other than contagion. E.g. by distributing it as part of a package of
anti-viral tools.

Possible objections:

A - The vaccine would lull people into a false sense of security.

Response - The people who don't have conventional anti-viral software
(which would stop both the target virus and the vaccine) have a false
sense of security already.

B - The vaccine will inevitably contain bugs which will harm some
users.

Response - So does the polio vaccine. Through mutation into virulent
forms and unusually susceptible individuals, the polio vaccine does
(rarely) cause disease. People die from it. This is considered
acceptable because the vaccine reduces the total probability of
disease.

C - If this is allowed there will be a flood of "beneficial" viruses.

Response - I am not suggesting that every hacker (in either the
pejorative sense of the word or not) be given license to go out and
release his own vaccine to any virus he sees fit. Unilateral release
of a virus is unconscionable and should be illegal. But with proper
review and testing through a "computer FDA", use of live vaccines
should not be dismissed out of hand.

The above is not the official position of any organization of more
than one member.

Ralph Hartley
hartley@aic.nrl.navy.mil