-=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 ------------------ Interview : Sarah Gordon )=- -=( ---------------------------------------------------------------------- )=- -=( 0 : Contents --------------------------------------------------------- )=- 1 : Background 2 : Questions and Answers -=( 1 : Background ------------------------------------------------------- )=- Sarah Gordon is most widely known as a researcher on the social aspects of the computer virus subculture due to the many papers she has written on the topic. She currently works for Symantec and holds positions on various virus related committees. There was some discussion in the group about presenting Sarah's answers as she had written them, or to provide (sic) marks as she does in her interviews. As we are not interested in misrepresenting people as unintelligent, we've set an example of good journalism and corrected the 18 obvious spelling mistakes (not that we're counting of course). -=( 2 : Questions and Answers -------------------------------------------- )=- Q. Remind us how human you are. What do you do in a normal day? Where do you go for vacation? What do you do for fun? A. My normal work day: I get up pretty early and read/reply to e-mails. Usually I will have around 100 of them that require attention any given morning. Of those 100, maybe 4 or 5 will require in-depth responses, looking things up, etc., so this whole process takes most of the morning. In between doing the e-mails, though, I usually am doing several other things (and these e-mails are on at least three screens with different accounts, concurrently). Anyway those "in - between" things include catching up on various forums, news, what is going on in the world (science, technology, security, psychology, ethics). Busy morning. I take a _lot_ of notes throughout the day. There are usually a few phone calls too, each week - with testers, writers, corporate people, educators. Lunch is usually a working lunch, but I do take a break in the afternoon for a shower and a walk around the block. By this time I've already been up and going about my work for 6 hours or so usually. Later afternoons will be taken up with reading papers, reviewing papers, and organizing research of various types, working on whatever papers I have in progress (I've just finished two - one on "cyberterrorism and the home user", and one on "cyberterrorism?", and have two in progress - one of these is "integration of virus and vulnerability information" and the other is yet unnamed. Also during this time I am doing some chats (not very often though), continuing with e-mail. I used to do lot of chats with virus writers and other people online - but I don't really have much time to do that anymore. I hope to have some time in the future to devote to this, but I will use IM, not IRC, probably. During this time I will also sometimes be looking at some software product, or translating some text from reviews in other languages so I can see what people have to say. My day usually starts about 7 and ends about 6 in the evening, although I have been trying to cut it down to a 9 hour day rather than 11. At the end of life, you won't be saying "oh, I wish I had spent more time on IRC" or "I sure wish I'd spent more time writing code". I think it will be more like "I wish I had just one more day with or . So, I am trying to be sure I spend my time each day now, rather than just let it pass by and when the work day ends, I try to close my office door (I work from home), and not go back in. I am doing pretty well at this; I just wish I had learned this earlier. I think this is maybe a result of being not physically well - it gives you time to re -evaluate and focus on what it is you really want to do with life. After my work day ends, I do my 'other work'. This can be work for EICAR or WildList Organization but not so much of that as I used to do because I've created processes to manage a lot of it for me. In addition to all this, I'm a professional counsellor and try to commit some time each week to keeping up with that. (Counsellor = therapist). I am not currently seeing any clients though, because its been a very busy work time and I have been travelling too much. I have done this work through my church, and am working nights and weekends to develop a program there that will provide counselling services to people in the community. Finally, I also sing in a band, which means one day a week there is a formal rehearsal, and at least 1 hour a day (usually more) I do vocalise exercises. My favourite things to sing are songs from musicals like Phantom of the Opera, or Celtic music. Also I write music. I don't often take a "real vacation", but when I do, I like to go to some isolated place with no tv, no radio, and definitely no computers :). My "normal day" when not working is like, get up, watch mystery science theatre, play with the dogs, rent some movie (I like Jacky Chan and (almost) any Arnold movie), go swimming, or snorkelling or take a walk on the beach...I was cycling until a couple weeks ago, when I fell off my bike - messed up my knee so I won't be doing that again for a while. Q. To get a background on your usage of computers, which programs do you use daily? Have you ever been hit by a computer virus? If so, please describe the experience. A. I got my first virus, Ping-Pong.B, long time ago - by accident. I didn't know I had it and no one would believe me. That's how I got started in all this. I had to take care of it myself. It came with a PC I bought, the first PC I had ever used, actually, Prior to that I used a Tandy Co-Co :). I've written about this ...on my WWW site is some story about it, as well as at www.virusbtn.com/magazine/archives/pdf/1995/199503.PDF It was frustrating mostly because no one would believe I had it - viruses were such a new thing in the early 90s. I have not gotten one (unintentionally, anyway) since then, though. I use a linux box with almost 0 apps. I'm pretty primitive :). Q. You are a member of the WildList Organisation and have also spent some time in other companies such as Central Command and Symantec. But not much is known about what your roles involved. Could you please enlighten us? A. Lots of things. At Command Software (not Central Command), I managed the live virus library, did all the replications of the viruses, analysis of any viruses that looked interesting (Concept, Laroux were two, but just the ones that got news). I did the same with IBM Research, managing the live ItW virus library, etc. I also was responsible for testing the products in house (in virus area, not QA), reproducing various types of tests, and for doing research to help define and develop scientific criteria and methods for doing tests, checking samples of things we missed to be sure they should be in a test set to begin with, etc... Writing papers, presenting various findings at conferences - all this is part of the job. Testing the digital immune system was the most fun, I think, of all the testing jobs. Then there is keeping the research on ethics, and virus and security up to date. This is very time consuming, and the part that requires the most travel. I don't actually enjoy the travel much. People think its great to travel all over the world - and it was at first. Now, I just am always happy to be home. For the WildList Org, my first task there was establishing an actual organization, and working to build it up - one of first the things I did to do that was replicate and create the first sample sets of ItW viruses, for testing, this is now used as a testing criteria by most good testers. I did that for a couple years. I designed and implemented the WWW site (which is really due for an overhaul and it should be getting one VERY soon!).. I developed an on-line reporting program that I had hoped to use, but it got dropped (literally, the computer it was on got dropped on the floor), and it was lost, so that never came about yet :). What else do I do...I do guest lectures sometimes, answer media queries, and work also with the various product managers to address product issues, read reviews - and this is just all the "virus" part of the day. This is much of the same that I do with Symantec now. I also do much of the same in the "security" side of things. (I was involved with security some time before the whole "virus" thing.) Q. Why are users so susceptible to "obviously suspicious" attachments in emails about Money, Love, and Anna Kournakova? Are they too curious, too fearless, too busy to notice, or just undereducated about the consequences of their actions? A. People want to do the right thing - and the right thing has historically been to read what someone sends you. It's really that simple. We live in a world that is based around people doing the right things. Unfortunately , as we are beginning to see in many areas of our lives, people do not do the right things. Q. Drawing from your experience with interviewing end-users who have been hit by computer viruses, what actual psychological effects do these occurrences stir within individuals, if any? A. Anger is a common experience. People can't understand why all their hard work has disappeared, and for some, this can be devastating. Its all well and good to say "should have backed up", but the fact is many people don't - and don't even know they should be doing it! Computers have been thrust upon and embraced by people with no real understanding/background in them - much like tvs, refrigerators, and other such items. We don't expect people to know how to maintain those, and the computer culture has created a lot of unrealistic expectations about what users should know how to do, or be expected to do. Its so easy for _you_ or _me_ to say "they should have backed up", but take a look at the people who are using computers to go about their work, and life. Do you really think "backing up data" is going to be very high in their radar? Do you think it should have to be? Hurt is another common emotion. People feel very personally violated when a virus infects their computer. "Why would someone do this to me!" is a question I get a lot. Then there is sometimes a feeling of helplessness, vulnerability, sometimes rage. It's not very nice, really, is it. Q. In one of your recent publications you mentioned that the public has become more wary of the virus writer, but more open to the hacker subculture. What sources helped you to reach that conclusion, and why do you think this has come about? A. Its come about because of the media portrayal of the subject, which is one of the resources from which I've drawn the conclusion. Media both influences and is influenced by culture. It's also come about from observing public exchanges, and from talking to lots of people. These too, I think, all have been influenced by media. Q. In USA Today, you wrote about viruses "These programs really are simple. I can understand how they would believe that this is stretching the limits of research, but the reality is, they're reinventing the wheel. Virus writing doesn't require a very high level of skill." SG: Comment: Wow, you've read a lot of what I have done! What sort of viruses are you referring to with this statement? Do you also believe this for the more complex assembly language viruses such as Hybris, and Zmist? A. Hmm.. I was referring to most of them - which are, despite using "new" techniques to their creator, are not demonstrating not already known by thousands of engineers worldwide who chose to use them for helpful rather than harmful purposes. The more complex viruses require more skill "per se", but in terms of "is this really some great new scientific discovery of how code can be used", the answer is no. Its like me when I started taking singing lessons. When I learned coloratura, it was like this whole new thing for me - and it is really complex and difficult to do. Except for people who have been studying singing for years. Q. In New Architect Mag, you wrote an article entitled "Distributing Viruses", stating "How a virus replicates isn't hard to understand; in fact it's fairly common knowledge among researchers." You also wrote "It's true that the scientific community encourages research, but only when it's conducted within the ethical boundaries of a given discipline." It seems that there is a divide between closed legitimate research (such as that in the antivirus world) and social research and development (such as the virus subculture). Would it be possible to close that gap by opening a legitimate path of research for people who are interested? A. I'm not sure I understand the question. What do you mean by "social research and development (such as the virus subculture). Thanks! (also, this article got edited a bit from what I wrote). If you could explain the question a bit more detail, that would be great. I _think_ you mean would it be a good idea to open up a path for people to work with viruses. If this is the question - there is path for that. I mean, people working in the industry obviously took that path :). Here is what I recommend: http://www.badguys.org/researchers.htm But maybe I don't fully understand your question..? Q. In your article "Generic Virus Writer Part 2" you indicated that the adult virus author tested was ethically lower developed than average for his age using the Kohlberg model of moral development. Looking at this model, the motivation for behaviour begins at self-interest, progresses to community values, and ends in a trust in higher ideals and authorities. However that model has come under fire due to the selective nature of the males tested (they were all well educated), and how females were excluded as their progression ended at the level of community values. Wouldn't this indicate that adult virus writing males are not necessarily under developed at all? A. There are strengths and weaknesses with any model. The strengths of this one include the fact that older and more advanced thinkers are on average more advanced in their moral development, and stage theory is pretty supported in all moral development theories. In the paper I talk about the cultural biases (Gilligan's work), but these don't really have much applicability (if any) to this particular work as there weren't any females to interview at the time, so the "all male" is probably actually a strength. The educational bias is probably more relevant, and it would have been interesting to see results of DIT on the subjects, but that wasn't possible. I suspect the findings would be pretty much the same, though. I'd be interested in doing followup work but qualifying the participants would be much more difficult now, I think. The adult virus writing males had generally not only answered the queries in ways that fit with "less ethically mature", but their lives in generally bore this out. Q. Few would argue that spreading viruses is morally wrong, but the question remains as to wether there is anything inherently wrong with the actual creation of viruses. Where do you stand on this issue? Should creators be treated the same as spreaders? A. One could argue that it is unethical in that it does not benefit the greater good, and I could make a strong academic argument against writing viruses if this were a debate of "ethics". But it isn't, and so here I'd say I personally do not think writing a computer virus is "evil", at the same time, I can think of more productive and less potentially harmful ways to exercise the same skillsets - after all, the "replication" part remains trivial and the "real programming" can be done without that part. It's just sexier to do it with it, so to speak, so people do it. As for how creators are treated, I think that depends what they do with their creation. If you write a self-replicating program that you don't allow to replicate, never give to anyone, never let out of your control, never user for harm, etc., that's a bit different from writing it and giving it to your friends, as you don't really know what they may do with it. That's irresponsible. It really depends on several factors, not just "creating". What you do that doesn't affect anyone else is (generally) your own business, don't you agree? Q. Where do you draw the line between malicious virus author, and a virus researcher/author such as Mark Ludwig, if at all? A. Mark is an interesting guy, and I find his work in areas other than viruses most interesting, and agree with some of it. However, making viruses available is not an idea we share in common. I don't think he's a malicious person when it comes to this stuff, though...we just have different views on it. Q. What is the goal of harsher laws against virus creation and distribution? Is it a punishment for acts committed, or are there realistic prospects for rehabilitation? A. Hard to say - I'm not involved with legislation and don't know what goals people might have. I'd imagine it would have a deterrent effect if it were applied closer to the event. I think its more punitive in nature, its not as if virus writers need some sort of "therapy" to get them out of their "habit". Its a choice, and when you choose to do things that hurt people or harm society, if those things are illegal (not all are), and you are found out, you will be held accountable. It's pretty simple - I've never thought virus writers needed rehabilitation or therapy (at least not for their virus writing :). Q. How accurate do you consider the billions of dollars lost to down-time each year, that is attributed to the larger virus outbreaks? Should these figures be used in calculating the virus writer sentences? A. I haven't reviewed the data, so can't say for sure, but it sounds rather high to me. I think accurate figures should be used but these are difficult to come by. Especially in some cases where the loss has caused someone to really be hurt (i.e. your grandma loses her photo album of digital photos of grandpa, and has no backup, the digital photos are gone forever and so is he)..this sort of thing would really hurt. Virus deletes your term paper, you worked four weeks on it, its due tomorrow (I know of a case where a Master's Thesis was deleted - it does happen). How do you quantify those things? You can't put a price tag on that. For business, its also difficult - I guess I'm glad I'm not involved in that sort of work. Q. With the threat of another war in the Gulf, do you think viruses could be used to positive ends by the military in any way? How? A. There are ways viruses could be used militarily, but I'm not going to go into detail about them :). The fact is, though, computer viruses really aren't a very good weapon of choice for these types of things. Q. Is it too far fetched to believe that someone will one day harbour viruses under their right to bear arms in the American Constitution? A. That's an interesting idea - but I can't imagine anyone would be so daft. Still, stranger things have happened, so someone could try this I suppose. Any competent weapons expert should be able to disarm this argument relatively quickly (pun intended :). Q. With the rapid discovery and implementation cycle of virus technology, what do you fear most as a "worst case scenario" arising from its misuse? A. I make it a practice to not talk about "worst case". Q. Conversely, what benefits from advances in virus technology and philosophy do you look forward to most? A. Ideally, people will stop releasing viruses, because these things are costing businesses and individuals lot of time and money. Its just so selfish to think that your right to release something you made supersedes someones right to go about their life in peace, and get on with whatever it is they are doing. I don't think viruses are any big deal technically though and have never seen anything done with one that couldn't be done more effectively, and more safely, without the self-replication. I've never seen one that made me go "wow, that is really something", since the very early days when I didn't know that much about computers. Now, philosophically, I think something very good could come out of all of this, and that is a re-examination of the issue of individual rights and responsibilities. When people start to consider the impact of their actions on others, then we make progress as a society. BTW, People talk about artificial life, artificial intelligence, and viruses, all in the same sentence. There's been some interesting work done by people like Tom Ray - granted - but this is a whole other area really than what we see of "viruses". Q. Where do you see your personal and professional lives progressing in the immediate future? What future projects of yours are there for us to look forward to? A. I've just completed a paper on Cyberterrorism which will be published later this month. I've gotten consent to put it on my web site after a few months, so it should be up there by Feb. 2003. Basically it takes issue with all the hype surrounding "cyberterrorism", and calls for people to examine things more holistically. I am also just completing a short paper on the integration of virus and vulnerability information, which is a new way of looking at things. I've started work on a new project to do with virus writers (maybe you can put a Call for Participation out for me later?). I'll be presenting those papers in the coming year and updating previous research. On the personal front, I hope to spend more time taking care of my husband (my number one priority), as this really brings me a lot of joy. I should be resuming my counselling work soon, and fulfilling some promises I made to develop a training program for counselors in a local church. -=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=- -=( ---------------------------------------------------------------------- )=-