I can't help it if my code's read, says researcher

NEWS A security researcher whose code was probably used as the basis for the recent SQL Slammer worm says that such sample code has "an important and beneficial role" in Internet security, and that he has decided to continue publishing it. David Litchfield of NGS Software has acknowledged that "proof of concept" code he wrote to demonstrate a flaw in Microsoft's SQL software was probably used as a "template" for SQL Slammer, also known as Sapphire, which shut down corporate networks, Web sites and even cash machines and airport computer systems two weeks ago. Last week he said in an email to the Bugtraq security mailing list that he was reconsidering the practice of releasing such code to the public. "In the light that someone has taken my code and put portions of it to nefarious purposes, I have to question the benefit of publishing sample code," he wrote. "A massive failure of the emergency services computers such as 911/999 could result in someone's death -- and I don't want to feel that I've contributed to that." On Tuesday, however, Litchfield said he had decided that the publication of sample code is necessary to keep networks and computers secure, arguing that secrecy is really no protection. His comments will not be welcomed by some in the security and antivirus communities, who see proof-of-concept publication as giving virus writers a helping hand. Litchfield said that this argument doesn't hold water, as it is a simple matter for a skilled virus writer to target a vulnerable program, even without sample code. Once a program has been patched, the virus writer can compare the patched software to the original software and quickly determine what the vulnerabilities are and how to exploit them. "Such people, and there are thousands of them, do not need proof of concept code or advisories so even in their absence exploits, worms and virii will still be written and used," Litchfield said in an email. Even though the software has been patched, a large number of computers are still likely to be vulnerable, as was the case with Slammer -- the bug exploited by the worm was patched several months earlier. The real risk is in notifying software vendors that a hole has been discovered in their software, Litchfield argued. Once a vendor has patched a vulnerability, it becomes public knowledge that the vulnerability existed in the first place. "Had NGS Software kept the hole to themselves... it could have been that no one would have ever known (it existed). We end up in this Catch-22 situation," Litchfield wrote. Publicly available sample code allows players such as system administrators, security scanner makers and intrusion detection equipment makers to update their products more quickly, Litchfield said. "In the interests of levelling the playing field it is necessary to publish full details," he wrote. He also said that the sample code helps developers learn from the mistakes of others. Not all security experts agree with Litchfield's assessment, particularly those in the business of protecting customers from viruses. "In the case of publishing example viruses or code which could be used easily in viruses, we would view that as a bad thing," said Graham Cluley, senior technology consultant with Sophos Anti-Virus. "We don't feel it's terribly useful." He said that Sophos routinely shares the source code of new viruses with other antivirus vendors, but would balk at publishing this information to the public. "That level of responsibility seems more appropriate to me than a free-for-all on the Internet," Cluley said. CNET News.com's Robert Lemos contributed to this report.

---