Police hack?
I'd like to pose a follow-up question to Mikko Hyppönen in response to the interesting article “Should police be allowed to hack?” [Last Word, May 2007]. Let me be clear that I am in no way condoning hacking by law enforcement or otherwise, only posing a theoretical question about deontological ethics.

Consider the case of a large botnet to which anti-virus vendors have no “sample.” Let's assume that a sample is necessary for security software to detect the malware — and let's also assume that if left undetected the botnet will continue to grow and pose an increasing risk. Lastly, let us assume that the botnet is propagating in a worm-like manner by exploiting some vulnerability. In this case, is it ethically justified for a virus researcher to retrieve a sample from a compromised machine by exploiting the same hypothetical exploit that was used to propagate the malware? Does anything change if such behavior is legal in the researcher's home country?

Tareq Saade via email

Mikko Hyppönen responds: What we would do in such a case is that we would take machines with  that vulnerability online and let them get infected by the malware,  gaining access to a sample in the process. 

We definitely would not “hack” anyone else's machine to get a sample.  In fact, we've been in a position where we could have taken over an  existing botnet and been able to issue commands to all infected  machines — which means that we could instruct the bots to remove  themselves and to shut down the botnet. We didn't do even that — as  our lawyers warned such an act could be unauthorized use and illegal.


On risk analysis
Anthony Fama  wrote accurately  when he stated “Risk analysis in particular, is grossly misunderstood by IT professionals." [Opinion, August 2007]

IT pros are, for the most  part, not business continuity practitioners. Business continuity includes disaster recovery and focuses on risks to the organization, working out from the profit center, thus assuring all resources are protected. While I liked his example, as a risk-aware business continuity practitioner, my first question would be: is four hours an appropriate time? Do outages typically last three to four hours, or is power normally restored in an hour or less, or do outages last longer than four hours, in which case maybe (based on a number of factors) a generator is in order.

John Glenn, Certified Business Continuity Planner

Image spam
Thanks for the article on image spam [“Image spam drops again...,” scmagazine.com,  July 9]. The only remaining question is how do I stop them.  I'm on the line with Verizon DSL and they have no clue what I'm talking about, which I find amazing. 

Please tell me how to stop them. These people are ruining the internet as I am afraid to visit websites now.

Dean Gould, Corporate Search & Solutions, LLC

SC responds: Click on www.scmagazineus.com/
Editorial-Webcasts to hear about solutions to defend against image spam.


More Amero trial fallout
Kudos for your stance [“Folly in Connecticut,” scmagazineblogs.com, June 6 (teacher Julie Amero accused of exposing her class to internet porn)]. People so quickly want to “burn the witch” that they seldom stop to look at the facts.

Let's figure out what inexpensive fixes can be put into places in schools so that this doesn't happen again… rather than just run around trying to get the teacher fired.

Chandler Hall
posted on SC blog

The opinions expressed in these letters are not necessarily those of SC Magazine.