Murphy's Law: Sometimes, an Open-Source Virus is Just a Virus

Posted 09/23/2009 at 9:37am | by David Murphy

25

Comments

Print

The phrase "open-source" is such a sexy term.

It's so hip and fresh. Open-source singlehandedly represents the latest and greatest thinking in the modern-day technological movement. Drop it into a conversation and you're suddenly talking like a futurist. Throw it into a company's strategic roadmap and suddenly we've created innovation and depth. Suggest that virus-makers are embracing open-source, and you've got the attention (and clicks) of Web geeks worldwide.

Wait a minute. Open-source viruses?  How does that work?

If you think about the actual definition of open-source for a moment, you'll wind up being as confused as I am about this latest bit of fad reporting to pass around the Web. According to an article from CNET, virus-makers are apparently transforming their wares into open-source projects and using the power of the group to achieve advancements in virus deployment, nasty features, and scanner obfuscation.

That's all well and good (for the virus-makers), but that's as open-source a situation as an apple is an orange. What's being described is an example of collaboration and communication based around a common or to-be developed piece of code. That sounds like open-source--an apple and an orange are both pieces of fruit, after all. But that's not really open-source because we're ignoring the critical elements that help define what open-source software truly is. Virus-makers aren't going open-source in the slightest. They're spinning derivative works from older viruses and developing free code while holding hands and singing the Pirates of the Caribbean song, but that's it. And it's hardly a new fad.

Since the beginning of geek time, the more nefarious members of the technology world have worked together to try and create newer means for achieving their less-than-upstanding desires. This notion of collaboration can be as simple as taking an older crack and retrofitting it for newer editions of a program, or as far-ranging and complicated as the operation of an entire distribution network for stolen CD images. Are either of these examples of open-source?  No.

What makes a software project open-source is not the fact that people are teaming up during its creation. Open-source software conforms to a specific set of tenets for creation and distribution. In essence, the definition of open-source centers on the licensing issues that permit one to take code, modify code, and release code under a similar license for others to play around with. The licensing elements are critical to the open-source equation: They allow for one to meaningful contribute to a communal work without running afoul of the normal copyright law that protects all software code. Well, almost all.

The code for viruses, by their very nature, cannot be copyrighted. Or, at least, I have yet to read about a virus creator suing another code-monkey for violating his or her ability to independently build and release malware--if this ever comes up in the courts, please let me know. I'll be the one in the front row with the popcorn.

I jest, but it's a lot like calling the police to complain that someone stole your bag of cocaine. You might be able to get some sort of legal retribution against said thief, but that doesn't mean that your activities are in any way afforded the same legal protections as the types of property or possessions the law was designed to protect. Even if a virus maker wanted to craft a particular bit of software around the GPL, the absence of the underlying copyright function would render the whole point moot--not to mention that the inability (or lack of desire) to offer up the source code to all interested participants (like, say, law enforcement) would render said license void on its face. And those are just the two examples I can come up with off the top of my head. There are plenty more.

Is this a stupid semantics debate?  Yes and no. Given the vitriol that can accompany the ages-old "open-source is not free" discussion, I don't think it's that far-fetched to call an "open-source virus" exactly what it is: a public domain program, at best. Reserving the correct phrase for its correct usage minimizes confusion and, more importantly, helps hold off the eventual transformation of "open source" into the next big synonym for "community-driven."  It also gives us a chance to ponder what a closed-source virus program would look like.

And, of course, what would happen if someone listed one of those on The Pirate Bay.

David Murphy (@ Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!