Three Minutes With Fred Cohen, Virus Trends Tracker

Originator of 'virus' term holds forth on benevolent viruses, liability, and avoiding dangerous code while surfing.

Kim Zetter, PCWorld.com


Fred Cohen is an early developer of some of the virus defense techniques behind antivirus software. In 1983 he coined the term "computer virus" in a research paper. In the early 1990s, he developed security protocols to audit and protect Internet servers and systems that are still used in more than three-quarters of computers. We asked him about some issues surrounding viruses.

PCWorld.com: Did you imagine when you were researching viruses in the 1980s the extent of the damage that viruses would cause?

Fred Cohen: Oh yeah. I've sort of been surprised by the lack of innovation in virus writers. There is a lot of potential for things that I wrote about in the late eighties that haven't been realized, largely because [virus writers] haven't really become very sophisticated yet.

PCW: What kinds of things?

FC: More sophisticated viruses would ... have much longer delays before causing damage [and] a much subtler ability to implant themselves. There are more complex interactions that they could have with systems, much better evolution ... so that the process of detection and cure [would be] much worse.

But the benevolent side of viruses has not been explored as much as I thought it would be either, [such as] the notion that you create sets of viruses that reproduce in order to accomplish things, like doing large-scale, distributed computation--which is one of the areas where [virus programs are] at least somewhat useful--and the notion of having the overall computing environment evolve, rather than be designed every step of the way.

PCW: So how far away are we from seeing viruses that are seriously destructive and undetectable?

FC: It's always possible to detect the presence of a virus, but there's no program you can write that will detect all of them perfectly. In terms of being damaging, viruses have been pretty darn damaging. But ... they're not very subtle, so they kill the host that they're infecting too soon ... the virus can't spread very far.

PCW: Antivirus vendors such as Symantec and McAfee seem very sure that they have the virus problem under control. Do you think that's true?

FC: When they say "under control," what I think they mean is ... [it's] in the sense that the Centers for Disease Control has biological disease under control. We get plagues, people get sick, people die, but as a society we're not falling over.

On the other hand ... the Internet and computing speed [are faster] and the communication rate is higher, so a lot more damage can be done in the amount of time it takes for [antivirus vendors] to detect [a virus] and respond. And in that sense, they don't really have it under control because the diseases are faster and worse, and the amount of time that it takes to respond is larger and larger. But in [general], a virus that spreads wildly throughout the world does get detected. They find a reasonable cure reasonably fast, and they can cure it.

PCW: There is talk of producing legislation that would make it illegal to post or write malicious code.

FC: First, the definition of malicious is open to question. What one person thinks is malicious, another person might think is beneficial.

PCW: Well, it would be a definition after the fact. If a code is posted and it's spread and it causes damage, then it would be termed malicious code at that point.

FC: So [Microsoft] Windows would definitely meet that requirement. Things break in Windows and you lose your data, so there's harm after the fact.

I'm not a big fan of restricting what people are able to publish. I think freedom of expression is an important thing. But I also think that when people scream "Fire!" in crowded buildings, they are probably liable for the harm that results.

PCW: Do you think there is a matching responsibility on the part of systems to be more secure? Should there be some kind of liability held, for instance, by Internet service providers that host Web sites where malicious code is posted or that help spread viruses?

FC: Well, there is the principle of due diligence. People who aren't up to the standards and practice of their industry are susceptible to various kinds of liability.... But one of the problems is that the current standards of due care [with regard to the Internet] are poor.

PCW: So how should the virus problem be tackled? Is there any way to discourage virus writers from writing viruses or unleashing them?

FC: The real solution is to use technologies that are less susceptible to viruses.

PCW: But isn't it unrealistic to expect people to not use any program that might be vulnerable?

FC: What's unrealistic is the notion that in order to view a picture on a Web site I need to have that Web site download an untrusted program [like Java] onto my computer. Laziness, poorly educated programmers, and people who choose money over the well-being of their customers have rushed out with whatever they can throw [together]. And people are buying [it] because they don't know there's a better choice.

PCW: Is it possible to create programs that are not vulnerable to viruses?

FC: Sure. They're called limited functionality [programs]. There are word processors that don't have macros and can't get viruses; there are spreadsheets that can't support viruses; there are e-mail systems that can't get viruses.... And you can disable a lot of [vulnerable] functions. I run Netscape and I have various things disabled, like JavaScript. No, I can't see the dancing elephants. But you know what? I don't miss them.

PCW: But there's no incentive for companies to create products that would not be vulnerable.

FC: If things get so bad that people can't stand it anymore, then they'll [have to]. But it has to get pretty darn bad.
