Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!asuvax!ukma!cs.widener.edu!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: comp.virus
Subject: Re: Research viruses
Message-ID: <0001.9103201343.AA20555@ubu.cert.sei.cmu.edu>
Date: 16 Mar 91 02:20:27 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

Research ethics are fairly well defined in other fields, and can be extended to computer viruses with a little thought. For instance, a researcher working on flu virus strains would be ethically (and legally) responsible for a mutated virus escaping into the population at large. Saying "I'm sorry -- I didn't mean for it to happen" is not an excuse. Good intentions do not substitute for taking precautions.

Research on (computer) viruses that escape into the general population is clearly unethical because they affect subjects who have not given their informed consent to be part of the "experiment," and there is no way to end the "experiment." Also, there is no valid control for the experiment (e.g., "What would be the results in a similar population for the null hypothesis?").

Worse, most people "experimenting" don't understand the basics of good scientific method. Research by writing viruses to see what happens is akin to throwing chemicals in a test tube to see if it explodes. Proper experimental research procedure requires that you establish a hypothesis that can be tested, establish a test with controls, and then analyze your test results with respect to the hypothesis.

Some of the people who claim they are doing "research" in viruses and related areas are doing no such thing. I have refereed papers for professional forums that show a surprising lack of understanding of the basic principles of science or ethics -- then these individuals complain they are being "conspired against" because they can't get their work published. Sad.
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu    phone: (317) 494-7825