What is Ethical?
If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.
Over years the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity to life and even it has been used for evil.
Now according to Kurt Wismer the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.
This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.
So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV Engines. I happen to think that this is a great project that serves to highlights the many shortcomings of signature based AV detection. I'm also not the only one that feels this way as the paper was selected to be presented at WOOT '09.
So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125 and I'm also pretty sure I've heard HD Moore mention it during a metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature based AV look bad.
So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? Although in this case, the bad guys are probably well aware of packers and this becomes somewhat of a moot point, in the end if they were really desperate they could even pack their binaries themselves and upload them to VirusTotal to see ho well they do.
So again I'll attempt to close out this article. What is ethical? Personally I think sharing your research and working towards the betterment of technology is ethical and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.