Truth About Computer Security Hysteria
How not to throw a product release party
Rob Rosenberger, Vmyths co-founder
Saturday, 17 July 1999
CDC NOW ADMITS CIH snuck onto Back Orifice 2000 master CD-ROMs. This admission comes days after the hacker group's vehement denials. So much for my own doubts about the incident! Lord, save me from the irony of hackers distributing viruses by accident with their own hacking tools...
You may know BO2K's author as "DilDog," a hacker who discovered the elegant Res:// exploit in 1997. (Some trivia: Finjan tried to steal DilDog's thunder a year later.) In addition to authoring BO2K "from top to bottom, inside and out," DilDog also runs cDc's new bo2k.com website. I called him for comments about the virus snafu.
"We don't know exactly where it happened, but it happened," DilDog said. "It was one of those things where we ... used an untrusted machine, and it didn't take very long for something to creep in." cDc created master CD-ROMs at the last minute for the big BO2K release party and, in a rush, they failed to (1) check the computer for viruses and (2) sample a final product for viruses.
cDc members at first refused to believe they included CIH with BO2K. "There were people that had threatened to sabotage our [DEF CON release party] presentation," DilDog noted. The downloadable product itself passed a "strict" virus check — so cDc assumed somebody created an infected CD-ROM copy, possibly on purpose.
cDc's biggest blunder occurred when they labeled remaining masters as "Virus Free" without first sampling one for viruses. The picture at right [courtesy ZDNN] shows one of these CD-ROMs signed by bigwig "Count Zero" himself. Ouch.
DilDog sheepishly admitted cDc gave away every master. They didn't even keep one for posterity (another minor blunder), thereby making it impossible to confirm an infection on their own. "We're just waiting to see some of these virus-ridden CDs on eBay," he quipped. "They're probably going to become collectors' items." No doubt.
Who verified the infection, then? ISS superheroes snagged a master at the release party and confirmed CIH on it. "None of the antivirus companies" alerted cDc, but DilDog admitted the huge audience scrambled for every freebie thrown at them. Antivirus teams might have failed to obtain a master CD-ROM. Or ... perhaps antivirus vendors obtained one, noticed the virus, and treated it as a release party stunt. (I know I would.) Again, I suspect antivirus experts would see no overriding reason to tell cDc.
Did cDc give advance copies of BO2K to computer security vendors? DilDog says no: it would have "spoiled" the release party. Did they set aside one or two for security experts at the shindig? Again, no. However, some questions remain unanswered. One rumor says ISS tried to bribe cDc for an advance copy; another rumor says Network Associates offered a vacation in Fiji to anyone who obtained it for them. DilDog didn't lay these rumors to rest.
These bribery rumors might sound unethical to some people, but they don't bother me. Why? First, cDc treats BO2K as an in-yer-face demo of Microsoft security problems. Second, whether you like them or not, cDc genuinely wants to raise the state of the art in computer security. The "big boys" sometimes offer jobs to hackers with genuine talent. Why should we treat bribes differently from job offers?
These rumors, if true, could theoretically violate BO2K's copyright or cDc's non-disclosure agreements — but hey, antivirus vendors violate copyrights every day. They've urged users for over a decade to submit infected copyrighted executable files and documents. You can't debate bribery rumors until you decide on the limits of an "extenuating circumstance" in computer security.
Enough philosophical debate. Let's all learn a valuable lesson from cDc: they taught the world how not to throw a product release party!