/~~~~~~\    ***********                        ***********
  ~\(  * *   )/~ ***********                        ***********
    ( \___/  )   ***     ***                        ***
     \______/    *********** ***          ***   *** *******
    @/       \@  ***     *** ***          ***   *** ***
                 ***     *** ***          ***   *** ***********
                 ***     *** ***           *** ***  ***********  |\__/|
                             ******** ***   *****               /      \
                             ******** ***    ***             ~\(  0 0   )/~
                                      ***                      ( /---\  )
                                      ***                       \______/
                                      ***                      @/      \@
                                      ***

Alive - Volume II, Issue 1 - July, 1995

Alive, Copyright 1995 by Suzana Stojakovic-Celustka. This magazine may be archived and reproduced without charge throughout Cyberspace under the condition that it is left in its entirety. Send submissions, comments, subscription requests, etc. to celustka@sun.felk.cvut.cz.


Table of Contents

Alive is Here!

Dear Readers!

This is a very special issue of Alive. It appears a whole year after the last issue. Yes, I was promising to new and old Alivers new Alive coming "next week" since last Christmas, but for this or that reason it was always delayed. Why such a long pause between two numbers? Well, your editor has had (again) some problems in real life. Anyway, it seems that bad times are over (at least I hope so) and this number proves that. I can't promise when will new issue of Alive be published, but let's hope that will be at least one more issue till the end of this year. And, of course, enjoy reading this number.

The main themes remain the same: computer viruses, artificial life, artificial intelligence in all aspects - theoretical, philosophical, technical, ethical, legal, etc. The aim is to offer good information about above topics and also the information which is not likely to be found on other similar forums.

About this issue

The first article "Impact of Computer Viruses on European Companies" is an interesting survey of Harald Roy, MBA student on French University. The aim of project is to establish the model of risk-exposure, quantifying possible financial losses in European companies caused by computer viruses. The article is actually request for help and it contains questionnaire for collecting data for this survey.

The second article "Risk Analysis in Selection of the Best Anti-Viral Protection" is my project which is somewhat similar to the previous one. However, it concerns more the possible financial losses due to incomplete and/or not objective information about anti-viral products. The article also contains the questionnaire to collect data for accurate risk analysis.

Rob Slade's article "Viral Morality: A Call for Discussion", as well as accompanying interview, are continuation of Grand Debate about Beneficial Viruses and Artificial Life, started in Alive Vol I Issue 1. Mr Slade's article is complex study which touches many problems, not only those of computer ethics. The interview gives more information about Rob Slade himself and explains some topics from his text in more details.

The concept of self-reproduction is not used only in writing computer viruses. Cosmologists use it too in new theory of our Universe. The review of Andrei Linde's article "The Self-Reproducing Inflationary Universe", originally appearing in Scientific American, gives an overview of basics of this interesting (and optimistic) theory.

And for the end - an interesting book. It is review (or better to say my impressions) of Charles Hinton's Scientific Stories. The book is somewhat peculiar. It wasn't easy for reading, but also not easy to forget. It wasn't easy to write about it, especially having in mind excellent foreword written by Jorge Luis Borges for the edition Franco Maria Ricci Editore, Parma and Milan, 1979. Maybe it will not be easy to read what I wrote about it. Anyway, I will be glad to hear about your impressions, either of book or my text.

About contributions and subscriptions

Preferred form of contributions are short articles or previews. Comments on contributions will be deeply appreciated, but will be published only if they have a convenient form. This is not a place for polemics or blames, so please don't send your comments if you have nothing constructive to say. The preferred form of code examples is pseudo-code. The code of existing viruses which somebody could consider beneficial will not be published here. Send your contributions and comments to celustka@sun.felk.cvut.cz.

Where can you find Alive

The magazine is available for anonymous ftp from following sites: Gophers: WWW: Other places: Any offer from other sites will be appreciated.

Acknowledgements

There are many people who helped me to publish this issue. I am sorry that I can't mention all names (the list would be to long), but here is at least incomplete list:

Firstly, I would like to thank to professors, administrative personnel and my colleagues on Computer Department of Faculty of Electrical Engineering, Czech Technical University in Prague, for their support.

I would like also to thank to the readers of Alive for their comments and good wishes. I hope that this issue as well as next ones will meet their expectations.

Special thanks to Harald Roy and Rob Slade for their appearance and contributions in this number.

Many thanks to TECHS (to Sara, Tim, Jon1, Jon2, Roberto, Wallace...and all others... - a very special group of anti-virus/security researchers, who are not only good experts but also wonderful people and good friends) for staying with me in bad moments.

Special thanks to Jivko Koltchev for his encouragement and understanding.

Also many thanks to Yaron Goland and Jon David for improving my English (and having hard time with it) in the article about risk analysis and the review of Scientific Stories.

About Editor

The editor is (still) a Ph.D student on Computer Department, Faculty of Electrical Engineering, Czech Technical University in Prague. Also, resident and working in Zagreb, Croatia.

Dear readers, enjoy the reading and make your copy of Alive really alive: SPREAD IT WIDELY!

Life is like topography, Hobbes.
There are summits of happiness and success...
flat stretches of boring routine...
and valleys of frustration and failure...

- Calvin & Hobbes -

Impact of Computer Viruses on European Companies

by Harald Roy


Request for Help

I would like to ask the Readers of Alive for some help and advice for my MBA-thesis. Thank you very much in advance !!

Here is some information about me and my project:

I am a student of Business Administration. I did a Bachelor Degree in Germany (University of Bayreuth in Germany) and then entered a French University (Grande Ecole) in order to do a Master's degree in European Business. That is a three years program, which takes place in three different countries and focuses most of all on the European context. My university is the E.A.P. (Ecole Europeenne des Affaires - European School of Management), which is funded by the Chamber of Commerce and Industry of Paris. E.A.P. has centers in Paris, Oxford, Berlin and Madrid. I have spent my last year in Oxford (in local E.A.P. center). This year I am in Madrid and my next (and final) year will take place in Paris. As a logical conclusion I have to write my thesis on a European topic.

My Thesis Impact of Computer Viruses on European Companies:

Introduction

My thesis is not written from a technical or informatic point of view, but tries to see things from the angle of Business Administration, or to be more exact: in terms of Financial Analysis and as a matter of Human Resources.

Some simplified explanation about these two areas:

Human Resources used to be called Personnel Department before. This has changed as the areas of activity of "Personnel" have grown and do not simply treat the issue of selection/recruitment any more. Human Resources (=HR) is as well responsible for career planning, social benefits and training. I want to focus on the training aspect with regards to Information Security. To be more precise that means: what training does a new employee receive, are the changes in technology matched up with the training or not, etc.

Financial Analysis is a sub-division of the Finance Area. Whether Finance in itself is only responsible for collecting and presenting financial data (such as sales, costs, investments etc.), Financial Analysis (=FA) goes into further details. Its task is to find out if the company is profitable, efficient or if it is maximizing its profits. One of FA's principal tools is cost analysis.

Basic setting (assumption)

Companies have been under enormous pressure during the last years, due to a growing competition and due to the recession that has hit Europe (although now it is beginning to disappear). According to some sources (Economist, Capital) the first European country to "make it out of the crisis" was the United Kingdom at the end of 1993., largely due to a strong pound and expanding financial sector. The next one to follow was Germany during 1994. with comparatively low inflation rates, a healthy GNP-growth and at the very moment a very strong currency. Germany is expected in the EU to pull the other EU-countries with it, although the current currency turmoil might delay that process for up to a year.

Currently (it started depending on the country about 2 years ago ) a "modernization" of computer equipment can be observed throughout companies of all sizes as a tool of increasing productivity and competitiveness and of decreasing costs. Companies are beginning heavily to rely on Information technology, exploiting the existing means of communication. In many cases the money for the hardware is granted, but as soon as it comes to "less" important topics such as Information Security or training of personnel, funds are scarce. As European companies opt for modern technologies without preparing the people for it, the discrepancy which results from this behavior can lead to a considerable risk-exposure (from a financial point of view) for the company.

Target group

I am focusing on middle/upper management in European companies. They are the ones who heavily depend on the usage of a PC and provide information (recommendations) for top management on how to act. Due to their high involvement in the company's business, they usually know very well how to handle the different programs, but have little idea about the technology or alike behind it. In common language they are generally referred to as USERs.

I am referring to a USER, as a person, who gets a PC installed at work and the MIS-department installs the software the company owns in his computer. I have never met or heard of larger companies, who let their employees choose the software they want (and this stands for anti-viral products, if existing, as well).

As a second group I am trying to get the managers of the "Management Information Systems"- Department. Regarding MIS managers what I want to find out is their particular view of the problem of computer viruses, how they consider the implantation of training concerning the subject (->HR), also an outlook upon usage of Information Technology. As well I want to find out about their role in the company, as still MIS managers are likely to be regarded as "someone apart" (Ernst & Young survey, U.S.A 09/94)

Idea

My idea is to investigate the current level of Information Technology used (in Europe) and find out about managers' particular concerns (awareness) about computer viruses. Based on the above mentioned data I want to present a "statistic" of risk-exposure (divided by countries and sectors) and project possible financial losses due to the findings. My idea of the risk-exposure model is to try to quantify possible losses, taking as a base certain levels of salary (local bureau of census information) and combine that with the results of my questionnaire.

I assume that a person who shares information between his private PC and PC at work and with his work-mates, having little idea about viruses and using no protection tool, is very likely to become a victim of an infection sooner or later. Furthermore a recommendation for the implantation of training on MIS matters is to be made.

Methodology

a.) theoretical

I have managed to get a lot of information about Information Security Auditing and General Security issues, as well as in depth reports about hacking and writing of viruses and its future development. For the U.S.A there exists a survey (carried out by Ernst & Young in 1994.) about losses due to bad Information Security, but for Europe nothing similar is available (at least not that I know).

sources & references:

b.) practical

I have launched a survey in Spain, France, Germany and the United Kingdom interviewing managers of my target group through a one-page questionnaire I have designed. Apart from that I have arranged an interview with the MIS manager of CITIBANK Spain. In addition to that I am trying to get in touch with big Auditing Companies, who might be interested in my thesis and help me by giving me access to their client data-bases and general advice (but this is just a hope at the moment).

Time plan: (simple version)

Everything has to be finished by May 1996 , so that leaves still more or less a year to go.

a.) preparation period: January to April 1995

b.) practical phase May to September 1995 c.) writing phase October(95) to May 1996

General comments

Apart from all what I have just written now, I would like to point out, that during all the period mentioned above I will be as well occupied with other issues. That means that I either have classes at university or I am working during an internship. Unfortunately I cannot take off a semester just for writing my thesis, as my university does not permit such behavior.

Help needed

Any comment or advice is highly welcome !!!!

Also:

Contact address: 100451.2341@COMPUSERVE.COM

My questionnaire

The idea is simply to rate the likelihood of a virus infection due to the results of the questionnaire. I am simplifying things here, but it can be assumed that the only safe PC is a PC that does not get any external information, which in reality is hardly ever feasible.

I have sent my questionnaire to E.A.P. - students in the United Kingdom, France, Germany and here in Spain. Each year we have to do a 3-month internship. So they are interviewing their managers for me. Based on the fact that they know their managers and vice versa, I am anticipating quite honest answers due to the personal relationship between the interviewer and the interviewee. 

                               QUESTIONNAIRE:

-----------------------------------------------------------------------------
STATISTICAL QUESTIONS
1. field of activity of your company
   state SIC number ______
2. number of employees of your company (on site)
   O less than 50  O  50 to 100    O 100 to 200    O more than 200
3. your age
   O below 30      O 30 to 40      O 40 to 50      O above 50
4. your nationality
   O English       O French        O German        O Spanish       O other
5. your position
   O middle management     O upper management      O top management
-----------------------------------------------------------------------------
MAIN QUESTIONS
1. Do you share your PC with others ?              
   O yes   O no    O sometimes
2. Do you work with a network ?
   O yes   O no    O sometimes     O do not know
3. Do you exchange information between your PC at work and external PCs,
   which do not belong to the company ? (private PC, friend's PC, etc.)
   O yes   O no    O sometimes
4. Do you exchange information with work mates on diskette ? 
   O yes   O no    O sometimes
5. Do you exchange information via modem ?
   O yes   O no    O sometimes     O do not know
6. How do you personally asses the danger of virus infection at your          
   workplace ?
   O unlikely      O possible      O very likely           O do not know 
7. Did you receive training on data-security or any virus related topic ?
   O yes   O no
8. How often do you back-up your important files ?
   O never   O more than once a week   O once a week   O less than once a     
                                                          week
9. Has your PC been checked for computer viruses during the last month ?
   O yes   O no    O do not know
10.Have you experienced a virus infection in your PC at work ?
   O yes, many     O yes, some     O no    O do not know
11.Did you observe virus infections in other PCs in your company ?
   O yes, many     O yes, some     O no    O do not know
12.a. Do you have any anti-virus software installed on your computer ?
      O yes   O no    O do not know
(if the answer is NO or DO NOT KNOW skip the rest of the questions)
-----------------------------------------------------------------------------
12.b. How old (approximately) is your virus-software ? (i.e. date of release)
      (or when was the software updated the last time ?)      O do not know
      O less than 3 months ago  O 3 to 6 months O more than 6 months ago
12.c. Was the functioning of the software explained to you ?
      O yes, very good        O yes, a bit    O no
12.d. Did it already help to prevent an infection by a computer virus ?
      O yes   O no    O do not know

You are a champion in the art of living if you reach only sixty-five percent of your goals.

- Maxwell Maltz -
(Thoughts to Live By)

Risk Analysis in Selection of the Best Anti-Viral Protection

by Suzana Stojakovic-Celustka


This project is intended to determine the risks present in selecting anti-viral tools. Computer users often have problems making the right decision about the selection of the most appropriate protective tool. One of the problems is how to obtain complete and objective information about the anti-viral product. The decision done on the basis of incomplete information might be wrong for a particular environment. Some risk always exists and it could be useful to know how to decrease it.

This article presents the principles of risk analysis. The calculation of risk in selection of anti-viral protection is very simple. Everybody can perform it without special mathematical knowledge (except that of summation and multiplication). However, the calculation is based on the values of parameters in two tables which are not known in advance. The readers of Alive are asked to help in the estimation of those parameters. The questionnaire at the end of this text should provide the data necessary for the estimation.

The Principles of Risk Analysis

Making decision, in general, means to select one possibility from a set of alternatives. The simplest case is when a choice assures a single result e, i.e.: e = f(d). In that case a decision is made to obtain a result with the highest benefit. More often the result is dependent on some parameter a about which only partial information exists, i.e. e = f(d,a). In that case the decision is made in a condition of uncertainty.

What are the average user's alternatives in choosing an anti-viral tool? Possible alternatives are:

Making a decision depends on a partially known parameter ak, which is in this case the effectiveness of the chosen protection tool. On the basis of all possible alternatives a table of losses can be composed:

(Note: This table as well as two following tables are composed according to the author's opinion. The purpose of the tables presented here is to demonstrate the principles of risk analysis.) 

    L(ak,dr)| d1    d2   d3   d4
    -----------------------------
         a1 |  3     4    2    1
         a2 |  5     6    5    4
         a3 |  8     8    9   10

    Table 1. The table of possible losses
(The values in the Table 1. may be expressed also in particular monetary units, e.g. US$)

In the beginning a parameter ak can be considered a complete unknown. To determine its possible values it is necessary to obtain additional information. In this case it is the information about a particular type of product. The sources of such information, xi, may be:

Probability values for parameter ak on the basis of information found in source xi can be as shown in following table: 
    P(ak/xi) |   x1     x2    x3    x4    x5
    -----------------------------------------
       a1    |   0     0.3   0.6   0.5   0.2
       a2    |  0.2    0.4   0.7   0.6   0.3
       a3    |  0.5    0.6   0.8   0.7   0.5

    Table 2. The table of probability values for parameter ak
The values in this table should represent the measures of accuracy of information about anti-viral product obtained from given source. As it is an extremely difficult task to obtain reliable data for this Table, for the statistical purposes an alternative approach has chosen. It was assumed that the parameters represent the measure of user's confidence in particular source of information. For example, the P(a3/x4) = 0.7 means the following: the user has asked anti-virus expert (x4) for the opinion about effectiveness of particular anti-viral product and got the answer that it is ineffective (a3). The user believes in that information 70 % (70/100 = 0.7) and has 30 % of suspicion, because of various reasons.

After getting the information about anti-viral tool the user can choose different strategies Sj for decision making. Some of them are shown bellow: 

        | x1    x2   x3   x4   x5
    -----------------------------
     S1 | d1    d1   d1   d1   d1
     S2 | d1    d2   d3   d3   d4
     S3 | d3    d1   d4   d2   d4
     S4 | d2    d4   d4   d4   d4
    ...................etc...

    Table 3. The table of possible strategies Sj
Some strategies are obviously bad, some are good. Each chosen strategy has its own risk. The total risk for each strategy can be calculated as the average value of losses for the chosen strategy. R(Sj|ak) denotes the risk of strategy Sj given the particular parameter ak (effectiveness of an anti-viral tool). For example: 
R(S1|a1) = sum [L(a1,dr)*P(a1/xi)] = L(a1,d1)*P(a1/x1) + L(a1,d1)*P(a1/x2) +

           + L(a1,d1)*P(a1/x3) + L(a1,d1)*P(a1/x4) + L(a1,d1)*P(a1/x5) =
           
           = 3*0 + 3*0.3 + 3*0.6 + 3*0.5 + 3*0.2 =

           = 0 + 0.9 + 1.8 + 1.5 + 0.6 = 4.8

R(S2|a1) = sum [L(a1,dr)*P(a1/xi)] = L(a1,d1)*P(a1/x1) + L(a1,d2)*P(a1/x2) +

           + L(a1,d3)*P(a1/x3) + L(a1,d3)*P(a1/x4) + L(a1,d4)*P(a1/x5) =
 
           = 3*0 + 4*0.3 + 2*0.6 + 2*0.5 + 1*0.2 =

           = 0 + 1.2 + 1.2 + 1 + 0.2 = 3.6

...etc...
It is important to find the optimal strategy, i.e. the one for which risk R(Sj|ak) is smallest.

Questionnaire

In the risk analysis it is important to find reliable values for the parameters in Table 1 and Table 2. The values in Table 1 are characteristic of user's system and depend on the user's knowledge of system and the desired degree of protection. The values in Table 2 represent the measure of user's confidence in information about anti-viral product obtained from given source.

Completed questionnaires will be deeply appreciated, as well as any opinions and suggestions about the usability and possible improvements of this risk analysis. Please contact me at: celustka@sun.felk.cvut.cz with the subject: Alive - Risk Analysis.

Thank you in advance! 

-----------------------------------------------------------------------------
General questions:

1. Have you experienced any computer virus attack on your computer system?

   ___ Yes  ___ No

2. Are you the person who decides what anti-viral protection to use on your
   computer system?

   ___ Yes  ___ No

   (Skip the rest if your answers to the first two questions are "No".)

3. Where is the computer system you are responsible for located?

   ___ at your home  ___ at your company  ___ on the other place

4. What is your computer system configuration? (briefly describe)

   ________________________________________________________________________

   ________________________________________________________________________

   ________________________________________________________________________

5. Are you satisfied with the quality of information about anti-viral
   products provided by the media?

   ___ Yes  ___ No  ___ Do not know
   
-----------------------------------------------------------------------------
Questions for the Table 2.

6. What is your primary source of information when choosing an anti-viral
   product?

   ___ advertisement  ___ review of product in a magazine

   ___ UseNet news group / CIS Forum / or other on-line discussion group

   ___ testing results from an AV evaluator/evaluating center

   ___ recommendation of an anti-virus expert

   ___ manufacturer's documentation  ___ other 

7. Please use the following assumptions in answering this question:
   1. You want to choose an anti-viral tool
   2. You have chosen the source of information to help you in your selection
   3. You expect to choose a very effective anti-viral product on the
      basis of given information.
   
   Please measure your trust in the particular source of information. The     
   measure should be expressed as:

   5 - very reliable source (corresponds to the choice of very effective 
                             anti-viral product as expected)
   3 - reliable source (corresponds to the choice of an effective anti-viral  
                        product, but not as effective as expected)
   1 - unreliable source (corresponds to the choice of an ineffective anti-
                          viral product rather than a very effective one)

   ___ advertisement  ___ review of product in a magazine

   ___ UseNet news group / CIS Forum / or other on-line discussion group

   ___ testing results from an AV evaluator/evaluating center

   ___ recommendation of an anti-virus expert

   ___ manufacturer's documentation  ___ other

-----------------------------------------------------------------------------
Questions for the Table 1.

8. Which of these is your preferred anti-viral tool?

   ___ scanner  ___ behavior blocker  ___ integrity checker 

   --- AV package (combination of different tools)  ___ other tool(s)

   ___ do not know

9. Estimate the minimum and maximum monetary damage you are likely to suffer
   if your computer system is successfully infected by a computer virus. 
   It is assumed that your computer system is not protected against computer
   viruses.(Please express monetary amounts in US$)
  
   _________ minimal  ______________ maximal

10. Please use the following assumptions in answering this question:
    1. You have chosen a particular anti-viral tool.
    2. You expect it to be very effective.

   Could you give the approximate estimation of the minimal and maximal loss
   on your computer system due to possible viral attack if chosen anti-viral
   tool appears to be:
   
   very effective (as expected) _________ minimal  ______________ maximal  

   effective, but not optimally _________ minimal  ______________ maximal
   
   ineffective                  _________ minimal  ______________ maximal

   (The loss should be expressed in US$)

No decision should be final
except your decision to live
creatively.

- Maxwell Maltz -
(Thoughts to Live By)

Viral Morality: A Call for Discussion

by Rob Slade


"Computer ethics" has been an ongoing study in the technical world. On the one hand is the study of the ethical, moral, or proper use of computers. On the other, is the study of computer crime and vandalism. Lately, I have noted a rather desperate interest in courses or training in computer ethics, as well as an increase in the frequency and depth of discussions regarding the ethics of virus writing. I would like to address this latter topic, specifically.

One problem with current discussions and literature regarding the ethics of virus writing and distribution is the lack of dialogue between two opposing camps. This paper is not intended to present any final answer, nor to add to the literature in the field, but to open the field for comment. My purpose in writing this is to provide an initial overview and to elicit feedback from any and all concerned with the topic.

For those of traditional moral stance, the current situation is discouraging. Peter Denning's Computers Under Attack (cf. BKDENING.RVW) has a very thorough survey of the field, but it provides little in the way of answers or hope. Deborah Johnson's work Computer Ethics (cf. BKCMPETH.RVW) is pre-eminent in the field, but serves only to clarify the problem. Sarah Gordon's interviews with computer students show responses typical of almost all such studies. The base attitude appears to be, "If I find it interesting, and I can do it, why do you say I shouldn't?"

The proponents of security-breaking activities often question the traditional ethical position by asking, "Where's the harm?" This query is directly relevant to discussions of the morality of virus writing.

I should begin by defining two generally opposed groups in this area. First is the "antivirus", or "AV", research community. Many, though not all, of the members of this group would be involved in producing antiviral software. All would study viral programs with a view to eliminating viral programs in the normal computing environment. They take a rather paranoid, and almost obsessive, position with regard to the sharing and distribution of viral code. (They would rejoin this last by pointing out that it isn't paranoia if someone is really out to get you.)

The AV community is not really opposed to the writing of viral programs. It is seen as a trivial, and therefore pointless, exercise; but not necessarily evil, in itself. The communication of viral program code is also a normal professional and academic activity, as long as it is limited, done for a stated purpose, and the recipients are known. It is the unregulated exchange of virus code and source, providing open access to anyone with a computer and a modem, that is upsetting. The opposing group is therefore described as the virus exchange community, or "vx" for short. (This designation was first used by Sarah Gordon.) For the purposes of this paper, therefore, references to "virus writing", "virus exchange" or "vx" will mean the uncontrolled or unregulated exchange or provision of access to virus source and object code.

(This does not necessarily mean deliberate distribution of infected programs by such means as infecting a legitimate program and then posting it, without warning, to a bulletin board system. "Trojanizing" of normal software or malicious invasion of systems is certainly happening in some areas, but it is not needed in the current computing situation. While there is debate over the relative contribution of "natural spread" and virus exchange to the current virus problem, it is known that code made available only as openly published material does eventually infect machines in the normal computing environment. The term vx does not, therefore, require any imputation of sinister motives or hidden activity for the purposes of this discussion.)

There are some grey areas between these two poles. Some people have both written antiviral software and contributed to viral spread. Given, however, that one could expect a continuum of opinion, those in the middle are remarkably few. Either you are for virus exchange, or against it.

One other, separate, group should be noted. Viral programs are often cited as an example of "artificial life", and the research community in that field, both professional and amateur, have a legitimate interest in viral programming. Work in the a-life field, however, does not justify unregulated code and source exchange. For one thing, current viral programs "in the wild" (those which are to be found in normal home and business computers, as opposed to those which exist only in a research or laboratory environment) have only the most tenuous claim to artificial life. Common viral programs are simplistic snippets of code without anything like the complexity of the simplest known natural life forms. In addition, those who really do work in the artificial life area will be well aware that it does carry possible dangers, and that research should be subject to controls similar to those imposed on biological and genetic study.

The most common argument for virus-writing tends to boil down to, "You can't stop me." Many promote virus writing on the grounds of freedom of speech, a rather curious position in light of the incoherence of the arguments. (The most vocal of these tend to be Americans, who frequently cite "First Amendment Rights". This refers to the first amendment to the U.S. Constitution, which Americans tend to see as some universal law, rather than an arbitrary political document, however desirable.)

Rights, though, carry with them a weight of responsibility. As is often quoted, your "right" to swing your fist ceases at the end of my nose. You have a "right" to free speech - so long as you are responsible and do not perpetrate fraud. You have a "right" to study whatever you like - so long as you are responsible enough not to carry out experiments in poison with human subjects. No PC is an island - at least, not where viral programs are concerned. Therefore, your "right" to study, write and distribute viral programs carries the responsibility to ensure that your creations do-not -ever-run on machines where they are not authorized.

One of the most confusing aspects of the "exchange/no exchange" debate is the concept of the "good" virus. There is nothing inherently evil in the concept of reproduction. (Dangerous, yes.) In fact, the very earliest experiment with self-reproducing programs was the Xerox Worm of Shoch and Hupp. This was designed to spawn "segments" of the central program on other machines in the network, thus bringing the power of many processors to bear on a single problem. Thus, in theory, viral programming could represent the same level of advanced technology in software that parallel processing represents in hardware.

That's the theory. And it is promoted by no less eminent a researcher than Dr.Fred Cohen, who did seminal work on the security-breaking class of viral programs in a thesis, in 1984, and dissertation, in 1986. Unfortunately, the theory founders on some rather hard facts.

There are three questions to ask of a new, inherently dangerous, technology. Has it a useful application? Can it fulfil that application better than current technologies? And, can the danger, either inherently, or effectively, be controlled?

To date, no one has answered those three questions. While a variety of uses have been proposed for viral programs, there are none which are not effectively being done by other means. No viral programs have, indeed, been seen to be as effective as normal systems. Operating system upgrades could not guarantee universal coverage. Network management tasks could not promise reliable feedback. Automated utilities would confuse novice level users, who never run utilities anyway. The most useful function is still that proposed by Shoch and Hupp - and their programs were not, strictly speaking, viral.

(Vesselin Bontchev's examination [1] of this question is the most detailed to date, and is required reading for all who want to join the debate. His proposals, while demonstrating good ideas for safety and control, are still primarily an advanced automated distribution system. The necessity for viral functions in this regard is still unproven.)

Those in the vx camp will point to two current viral programs which, they say, do have useful functions. One of these programs produces compressed executable files, thus saving disk space, while the other performs encryption on files. However, both of these functions are provided by other programs - from which, indeed, code was stolen for those two "good" virals. Neither of the viral programs are as easy to use or control as the original programs, and both have bugs which must place them firmly in the malware grouping, for nuisance value, if nothing else.

Currently, therefore, the utility of viral programs is very much unproven. This would, though, mean only that they are neutral, were it not for the lack of any demonstrable control. Methods of control have been discussed primarily by Fred Cohen, but even he remains unconvincing. The mechanisms generally are limited to environmental checks which can either fail, or be easily cut out of the program. Some have proposed "hunter" virals, to go after programs which "turn rogue", but a program which is corrupted will behave in unpredictable ways and a hunter program would likely consume a lot of resources, fail, or (most likely) both.

(Cohen frequently cites viral "programs which have been running since 1986 with no ill effects" and speaks of a VCE (viral computing environment). There are two points to be noted here. One is that Cohen has not yet described his viral programs in anything like the detail he put into his earlier work, so there can be no independent assessment of his claims. The second point is that the very term, VCE, implies that a viral computing environment is substantially different, and should be kept separate, from the "normal" computing environment as it is currently known. A VCE may very well be a powerful entity, but it is still an unknown and unproven concept.)

Computer viral programs have an inherent danger: that of reproduction and spread. If you study explosives, and pass along that knowledge, you also have to pass along the materials before there is any risk of a blast. Even then, the materials do not multiply themselves: when exhausted, another supply must be found. The same is not true of viral programs. These entities are designed to reproduce. And, unlike the study of dangerous animals, or even germ warfare, viral programs are built to reproduce, multiply and spread without the aid of a skilled, or even aware, operator. If you are careless with a deadly animal or weapon, it is still only a single danger in a localized area. If you are careless with a computer virus, it can spread world-wide.

We do not use computers because they are smart. Computers aren't smart. Sometimes we use them because they can do calculations very quickly, but even this is only a special case of the real value of computers. Computers always do the same thing in the same way. They are repeatable. They are, in this manner, reliable. Even a computer error can be useful to us - so long as it always happens the same way.

Consider, then, the computer virus. In order to reproduce without the informed assistance of the user, the virus must be, in the computer sense, transparent. It must operate without alerting the operator, or interfering with the operator's interaction with the computer. If the virus even posts a notice ("Hi! I am infecting object X!"), it has a nuisance value and is, therefore,not good. (Vesselin Bontchev notes that even such a notice, by possibly delaying a process, may have grave consequences far beyond annoyance.)

If, however, the virus does not notify the operator, then the operator is not aware of some additional code in the machine. This extra code will have an unknown, and inherently unknowable, effect on the computer. The operations of the computer are, therefore, no longer repeatable. This is a Bad Thing (TM).

Some will protest that I have overblown the danger of both the notification messages and the possibility of conflicts. The point that I am trying to make is that you cannot predict the harm which may arise from interference either with the operator or the programs. Software is digital, and is subject to catastrophic collapse without prior warning. For those without a background in computer risk assessment, an excellent overview for the non-professional is found in Lauren Wiener's Digital Woes (cf. BKDGTLWO.RVW). An intriguing compilation of the types of things that can go wrong is to be found in Peter Neumann's Computer Related Risks (cf. BKCMRLRS.RVW). At the very least, as Sarah Gordon points out, the virus is an autonomous agent, making decisions and carrying out activities according to it's own internal constructs and the intention of its programmer. This is very likely not in correspondence with your own intention, and is therefore an invasion of privacy.

A number of virus writers will object that their creations simply are not harmful. Not only is it impossible to guarantee that your virus will not conflict with existing systems, you also cannot guarantee that a given system will not conflict with your virus. Almost all file infecting viral programs will interfere with applications which have an internal integrity checksum or a non-standard loader, and will cause those applications to fail. (An example of this is that Windows programs infected with DOS viral programs always fail to load.) The "Ohio" virus (a prior version of Den Zuk) was not intended to carry any destructive payload, but an unusual interaction with a certain network operating system caused fatal disk corruption. Since both Ohio and Den Zuk are examples of the often proposed "virus hunter virus", it should be clear that the concept of using a viral program to hunt down and disinfect other viral programs is not a good one.

Historically, and statistically, virus exchange people have been careless and incompetent programmers. Remember that we are talking about vx, here, and those viral programs which have been released into the wild. There may be, carefully hidden in the desk of a virus writer, the "perfect" and harmless virus. If so, we haven't seen it yet. The majority have obvious bugs, sloppy coding and derivative programming. Less than one percent are interesting for any reason; only a handful have unique styles of algorithms. And even these last have programming pathologies.

There are two other reasons often given to justify virus exchange. The first is generally described as experimentation and education. The second is described as antiviral research, or, more commonly, assessment of antiviral programs. These arguments do have some validity, and should be examined. Ultimately, though, the reality fails to support the claim.

The call for experimentation is somewhat tied to the argument for a "good" virus. Current viral technology may be crude and ridiculous, but how can it be improved if there isn't any work or sharing of results? Quite true. The vx community, however, have obviously not read or noted any programming journals or texts. Discussions of programming and algorithms are supported by well- annotated code fragments. You don't present a whole program to discuss a specific function any more than you send an entire car with a manual on auto repair. You certainly don't use encoded or "DEBUG script" object code: that has no explanatory value at all.

And I have yet to see, in the vx materials, any discussion of legitimate and positive uses for viral technology, any discussion of control technology, or any discussion directed at ensuring that viral programs do not create conflicts.

In regard to education, it is true that a study of viral programs is related to a knowledge of operating system internals, as well as assembly language programming. However, viral study requires such knowledge, rather than providing it. Giving someone a virus and expecting them to learn from it is akin to "teaching" a surgeon by handing him a scalpel and pointing at a patient. Even the vx "old guard" are beginning to realize this. Viral programs use normal computer functions. If you understand computers, a virus is trivial. If you don't, well ...

As far as virus exchange tutorials go, well, let me put it this way. I am a teacher. Many of you will also know that I review technical books on a daily basis. Some are great, enough are good, many are bad and some are just plain awful. Only a few are worse, in terms of tutorial effectiveness, than vx "zines" (electronic periodicals).

Recently, someone who makes his living pushing virus source code promoted a collection of viral programs by suggesting you could test antiviral programs with it. This, superficially, sounds like a good idea - if you don't know what real software testing is like. What do we know about the quality of this "zoo" (set of virus samples)? What do we know about the structure, organization, documentation and so forth? How many duplicates are there? Of course, we do want duplicates in some cases; we want every possible variation on polymorphs. (For Tremor, that works out to almost six billion files.) But then, this collection was on a CD-ROM. What a pity. The most successful viral programs are boot sector infectors, and you need to have real, infected disks to truly test for them. At a minimum, you'd want all seven "common" disk formats, in both system and non-system versions. That's fourteen disks - for each BSI.

For all the length of this piece, it is still only an overview. And, for all it's length, it probably hasn't convinced anyone. Ethics education (it used to be called "values education"), in whatever form and however presented, has very little to show that it works. There are various theories and models of moral training, the most sophisticated probably being Lawrence Kohlberg's "Moral Development" schema. All, though, basically boil down to sitting around talking about ethical dilemmas. They may develop debating skills and rhetorical sophistry, but there is no evidence to suggest that any of these programs leads to any significant change in behavior.

While Kohlberg's model of moral development has the most detailed construction, its utility is questionable. His system is not so much one of values education as of values measurement. It is, therefore, a guideline for evaluating other ethical training methods rather than a means of instruction and change. Moral development is a six stage structure, assessing the type of reasoning which goes into ethical choices. The stages range from "fear of punishment" to "internal ethical principles". There is great difficulty, however, in determining the "stage" of a given individual. Most ethical discussions will be judged as having reasoning at all of stages three, four and five. This entire document, for example, could be dismissed as being level one reasoning since it mentions the possibility of the danger of virus distribution and could therefore be seen as a "fear of punishment" (negative consequences) on my part. On the other hand, most of Kohlberg's proponents dismiss level six, since even a psychopath could be said to be acting from internal principles. Kohlberg, himself, has stated that he does not know if anyone consistently acts from stage six reasoning.

Probably the major reason for this is that modern society has no fundamental moral foundation. The most widely cited (and Johnson gives an excellent critique of it) is utilitarianism - "the greatest good for the greatest number". Leaving aside the difficulties of assessing such a measure, utilitarianism, along with all the other modern "humanistic" philosophies, has nothing to support itself. Why is "the greatest good for the greatest number" to be chosen over "what I want"? An alternative is deontology; ethical principles derived from the concept of duty. (Ironically, this philosophy, while arguably superior to utilitarianism, is limited to Kohlberg's stage four almost by definition.) Again, however, there is no underpinning to the concept of duty, itself.

Ironically, the much maligned "Judeo-Christian Ethic" did have such a foundation for moral standards - God. The theistic universe may yet have the last laugh over the mechanical universe of B. F. Skinner's "Beyond Freedom and Dignity". Maybe Jesus is the answer - or there may be no answer.

Bibliography

[1] Bontchev, "Are `Good' Viruses Still a Bad Idea?", Proceedings of the EICAR '94 Conference, pp.25-47, also ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

[2] Clarkson, Windows Hothouse, 1994, 0-201-62669-1, U$34.95/C$44.95 - lots of artificial life fun with Visual C++

[3] Cohen, It's Alive!, 1994, 0-471-00860-5, U$39.95 - an intriguing, provoking and practical exploration of computer programs as "artificial life", but somewhat narrow

[4] Denning, ed., Computers Under Attack, 1990, 0-201-53067-8 - collection of essays roughly related to security, also "the net"

[5] Ermann/Williams/Gutierrez, Computers, ethics and society - textbook for computer ethics course: not great

[6] Gordon, "Technologically Enabled Crime", 1994

[7] Forester/Morrison, Computer Ethics, 1994, 0-262-56073-9 - lots of great stories, but short on analytical depth

[8] Johnson, Computer Ethics, 1994, 0-13-290339-3 - the basic work in the field, thorough coverage and good discussion starter

[9] Levy, Artificial Life, 1992, 0-679-73489-8, U$13.00/C$17.00 - an interesting wander through fields studying artificial life but no strong points

[10] Neumann, Computer-Related Risks, 1994, 0-201-55805-X, U$24.75 - exhaustive examples from the RISKS-FORUM Digest of potential technological perils

[11] Slade, Robert Slade's Guide to Computer Viruses, 1994, 0-387-94311-0/3-540-94311-0, U$29.95 - chapter seven looks at the computer virus and society

[12] Thro, Artificial Life Explorer's Kit, 1993, 0-672-30301-9, U$24.95/C$31.95 - good fun, but little analysis

[13] Wiener, Digital Woes, 1993, 0-201-62609-8, U$22.95/C$29.95 - excellent introduction to the risks of software

(A fuller bibliography on values education readings is available for those demonstrating a willingness to put some effort into it, since, frankly, it's a really disappointing field. Sarah Gordon's "Generic Virus Writer" paper has significant resources here.)

copyright Robert M. Slade, 1995. Permission is granted to post this file, in full, on any system.

Editors note: cf. BKDENING.RVW, cf. BKCMPETH.RVW, cf. BKDGTLWO.RVW, cf. BKCMRLRS.RVW mentioned in the text refer to the reviews of Denning's, Johnson's, Weiner's and Neumann's books in the bibliography. The full reviews are to be found at the archive site x2ftp.oulu.fi in /pub/books/slade. The contact e-mail address for those who want to send contributions for Mr Slade's discussion about viral morality is roberts@mukluk.decus.ca

Eternity lies in the good we leave behind us.

- Maxwell Maltz -
(Thoughts to Live By)

Interview: Rob Slade - Social Convener to the Net

Rob Slade, the author of previous article and guest of Alive in this issue, is a data communications and security specialist from Vancouver, British Columbia, Canada. His first love was teaching, and he got into computers because of an interest in what they could do in improving the education process in the public school system. He still has links with the education system in British Columbia with both grade school and the college system, and writes and speaks for the computer educators in the province. He has a B.Sc. from the University of British Columbia, a M.S. from the University of Oregon (in Computer and Information Science Education) and a Diploma of Christian Studies from Regent College in Vancouver. He is the founder of the DECUS (Digital Equipment Computer Users' Society), Canada Education and Training SIG (Special Interest Group). He is also the founder of the DECUS Canada Communications SIG and DECUS Canada Security SIG.

Rob Slade has both formal training in data communications and exploration with the BBS and network community, and has done communications training for a number of the international commercial seminar firms. His technical jobs have involved everything from support of terminal emulation programs to satellite communications. He considers communications technology to be the most interesting of the various computer fields.

His research into computer viral programs started when they first appeared as a major problem "in the wild". Acting initially as the unofficial archivist for the budding research community, he has since become known for "Mr. Slade's lists" of antiviral software vendors, antiviral reviews, antiviral BBSes and virus books. One of the working group for the VIRUS-L FAQ [Frequently Asked Questions], he is best known for a series of review and tutorial articles which have recently been published as Robert Slade's Guide to Computer Viruses.

He is more widely known for his series of daily technical book reviews which appear on appropriate newsgroups and mailing lists, including alt.books.reviews, rec.arts.books.reviews, the *.books.technical groups and topics related to the individual titles...etc...

However, it is the time to let Mr Slade to say something himself...

A: Why did you get interested in computer viruses and could you describe shortly your work?

RS: My first exposure was the flurry of messages surrounding the Lehigh virus and then the Jerusalem (Israeli, as it was then known) virus in the fall of 1987. I started collecting postings related to viral reports, as I was interested in what it had to say about the operating systems and functions. For a time I was the unofficial "archivist" for this material, before VIRUS-L started up.

I kept on archiving the virus material. In 1990, I noticed an increasing call for assessments of antiviral software, and started doing reviews. The list I had to collect in order to find out who made AV [Anti Virus] software became the CONTACTS.LST, the first of what Fred Cohen called "Mr. Slade's lists". It was followed by the quick reference list of antiviral software reviews. In 1991, just before work got started on the FAQ [Virus-L Frequently Asked Questions], I started writing a tutorial column on viral programs. My involvement with Fidonet, when I started to post the columns to the VIRUS and VIRUS_INFO echoes, became the basis of the AVBBS list. Ironically enough, when I went to turn all of this into Robert Slade's Guide to Computer Viruses (and that title was not my idea, blame Springer-Verlag), the work I had to do on the book meant I had to stop doing active virus research. I hope to be able to get some more done this year, but my financial situation is not hopeful.

A: What did you write in your book?

RS: I tried to write a practical book for the average user or manager who wants to know what is happening, and to get some protection. As far as possible, it is written in "plain language", and tries to define the terms clearly so that people don't have to be experts to begin with. In fact, I stated outright in the Preface that the one group it is not intended for is the virus research community.

I included reviews of all the virus related books I could find (plus a couple of general security ones and some fiction). There are also a large number of software reviews of MS-DOS antivirals, Atari antivirals and MS-DOS general security. I am, in fact, trying to get materials together for an updated version, and have just sent out a general call for review copies.

A: What are the aims of your call for discussion about viral morality?

RS:

  1. To clear the air about the confusion regarding virus exchange as opposed to legitimate research into artificial life and "good" virii.
  2. To promote discussion between vx and AV people.
  3. To promote discussion of computer ethics overall.
A: Let's make some clarifications of the terms used in your article first. What do you mean by "normal computer environment"?

RS: Mostly I mean a normal working environment, as opposed to a research lab or other specialized situation. Fred Cohen also refers to a "viral computing environment", and sometimes I am opposing normal (Von Neumann) architecture to the VCE.

A: What are "normal computer functions" ?

RS: Copying (Input/Output), storing, decisions based on accessible data and predetermined programming, calculations, the basics.

A: You say - "Operating system upgrades could not guarantee universal coverage." What is "universal coverage"?

RS: I use "universal coverage" here to refer to the fact that everyone who wants the upgrade should be able to have access to it. This does not address any concerns about copyright or payment. Since a viral program does not have centralized distribution and control, then those who had not received the upgrade could not request it from a central location. If there was centralized control, then there is no significant difference between this and "normal", non-viral, distribution.

A: Why do you think that the concept of reproduction is dangerous?

RS: Reproduction is only really dangerous in terms of filling up memory and disk space on a given machine, so I suppose it is reproduction and spread that holds the inherent danger. A program which continues to make copies of itself, and to spread to other machines, is going to have an unknown effect on subsequent machines/programs/systems, and that effect is much more likely to be damaging than to be helpful. Playing with viral programs is most akin to playing with genetic research: if it gets away from you, you have no idea where it is going to end up or what it will do. In fact, viral programs have a greater risk of running wild than do biological organisms, since the computer "ecosystem" is much simpler. Having computers "get sick" and crash is much less severe than having people get sick and die, but it is demonstrably simpler to create a computer virus than to create a viable biological organism. Logically, therefore, every virus is potentially dangerous.

With the exception of "system" and companion viral programs (and I only except them because I haven't thoroughly studied them), every known viral program "in the wild" creates some kind of problem for the normal, average, everyday computer environment. Historically and statistically, therefore, every virus released into the wild has been actually dangerous.

These considerations are only necessary in the "normal" computing environment. Research on computer viral programs is not a problem if the research area is isolated from the "real world" to avoid release. Indeed, Fred Cohen's idea of a viral computing environment is a very exciting one, and I'd love to do some work on it. It is likely, however, that programs from the current computing environment would not run in a VCE, and programs meant for a VCE would not run under current architectures. That kind of VCE would be inherently safe, but it isn't the type of work that seems to be going on right now.

A: Are the polemics about "good" vs "bad" viruses possibly arising because of lack of good and unique definition of computer virus?

RS: Got it in one. I think this is the heart of many disagreements about whether a "good" virus is possible or not. Fred Cohen, for example, defines the terms in a way which allows a lot of theory to be developed and looked at with the tools of logic and number theory. It does not, however,translate well into the "real world".

A: What do you mean by "real world"?

RS: The world inhabited by real computers and the average "Joe (or Jane) User", who doesn't really care about Turing machines, but does care about getting this report done by five o'clock.

A: How do you define computer virus?

RS: My definition, which is not accepted by everyone, is that a computer virus is a program which is written (intended) to copy and spread itself (to other systems) without the knowing (informed) assistance of the user.

A: How do you define worm and what relation do you see between the two?

RS: I accept the definition of a worm as a reproductive/parasitic program which spreads without specifically attaching or associating itself with a given program, particularly over networks and/or mail links. However, I see this as a distinction without a difference. By my definition, a worm is a specialized type of virus.

A: What do you think are the basic "technical" reasons against virus writing?

RS: In brief:

A: Do you think that is possible to obtain absolute controllability of anything?

RS: No. But I'm not a fatalist.

A: Assuming that major population of computer viruses is PC/DOS population, do you think that this fact says possibly something about inherent (technical) weaknesses of such a configuration?

RS: Actually, while I agree that PCs have weak security, viral programs can spread on any platform: they don't use any special functions. Fred Cohen did work on several platforms. Also, David Chess [from IBM Watson Research Center] has an interesting take on this: he says that the PC platform is very secure - you have to convince the owner/user to run a program of yours or a subsequent generation, and that tactic has worked very well. In addition, I think the number of viral programs has more to do with the number of machines available, rather than any inherent strength or weakness of the platform.

A: Are worms (or breaking techniques) pointing to the vulnerabilities in today distributed systems?

RS: Generally, no. Everyone in data security knows that the major weaknesses are bad passwords and social engineering. Again, I don't think that viral programs have anything additional to point out here.

A: What is your idea of a good testing of anti-virus software?

RS: I test every package of antiviral software as a whole, and as it would appear to the naive (novice and uninformed) user. This is because, while most computer users have heard of a computer virus, the majority do not have a realistic idea of what a virus is or how it works. Almost every article on viral programs which I have seen in the news media has presented an inaccurate and warped view, so it is important to assess not only how many viral variants an antiviral product can identify, but in what the documentation says, and how well the installation procedure protects against a possible pre-existing infection.

A: What is your opinion about exchange/sale of ("malicious" PC/DOS) virus collections to legitimate evaluators/evaluating centers/producers of antiviral products or researchers?

RS: I am interpreting your question as referring to virus writing and exchange (vx) groups and individuals offering their viral programs for sale, or for trade in exchange for other code which they don't have, to av developers, researchers or evaluators. As a reviewer, I would not buy such code or make such trades. I am providing a service, at my own expense and to my own cost, and I simply could not afford to pay money for the garbage that most such offers are made on. I would not provide virus code to anyone who I was not absolutely certain would keep it to themselves, or to other like minded AV researchers. Those who produce the best antiviral software hold similar opinions, and the argument that they "benefit" from the activities of vx groups is utter nonsense. There are a number of companies who do "buy" or "give rewards for" antiviral code. I find their activities to be shameful, their products to be mediocre at best, and I would not provide them with any viral code from my own collection, pitiful as it is.

I am speaking of the situation as it currently exists. The discussion of the possibility of "good" viral programs or artificial life is not at issue here since current vx groups have not, to date, produced anything which benefits either objective.

A: Why people are willing to reject the concept of beneficial viruses or artificial life in general?

RS: For those who are actively involved in antiviral research and development, the issue is not so much one of professional bias, as some vxers argue, as the daily realization that the current situation has almost nothing to do with artificial life or "good" virii. Artificial life and artificial intelligence have been studied for years, and, while we can now get some use out of expert systems and certain graphical algorithms, it will be a long and arduous task to create anything like real life or intelligence. Those who are working in the virus field are simply too busy to have time to spend in this pursuit. (Maybe if vxers would stop releasing virii, AV people would have the time to look into it.)

A: Regarding ethical reasons against virus writing do you think that is possible to suggest unique ethical model for human behavior?

RS: It certainly wouldn't be easy. People in this century are not used to thinking of ethics or morality as anything other than an academic and philosophical discussion.

A: Isn't it easier to concentrate to legal aspects, e.g. to establish appropriate laws in existent legislative system(s)?

RS: Easy answers to difficult problems are almost always wrong. In general, laws are safeguards against minor breakdowns of social morality. When the network of social ethics does not exist, laws are useless. In any case, the law in Canada makes virus "release" illegal - but that hasn't eliminated the problem.

A: Isn't the question of morality of virus writing somewhat exaggerated? After all there are more important problems in the world - poverty, hunger, wars, drugs abuse, etc. Isn't that just another way to avoid discussions about real (more important) problems?

RS: There are lots of real and important problems in the world. I have addressed only one, because it is an area in which I have specialized knowledge. It also touches on other problems such as that of ignorance, confused thinking, and lack of ethical considerations in technical topics. I am not ignoring other problems, but, as Edmound Burke said, the only thing necessary for the triumph of evil is for good men to do nothing. Or to put it in religious terms (which seems to make many people so violently upset that they lose all rationality):

"Mortal man," [God] said, "tell your people what happens when I bring war to a land. The people of that country choose one of their number to be a watchman. When he sees the enemy approaching, he sounds the alarm to warn everyone. If someone hears it but pays no attention and the enemy comes and kills him, then he is to blame for his own death. His death is his own fault, because he paid no attention to the warning. If he had paid attention, he could have escaped. If, however, the watchman sees the enemy coming and does not sound the alarm, the enemy will come and kill those sinners, but I will hold the watchman responsible for their death."
Ezekiel 33: 2-6

One of the greatest goals for all of us
is to be wiser every day.

- Maxwell Maltz -
(Thoughts to Live By)

Interesting Article

The Self - Reproducing Inflationary Universe
by Andrei Linde

(Scientific American, November, 1994. issue)

Reading this article, I was amazed how the concept of self - reproduction was incorporated in the theory of our Universe. It seems that, if Andrei Linde and his colleagues are right, this new version of the inflationary theory which describes the Universe as a self - generating fractal that sprouts other inflationary universes, might replace the idea that our Universe was a single fireball created in the Big Bang. It is really an interesting and exciting vision of Cosmos.

However, this review is intended rather to provide the brief summary of original article for the readers of Alive than to comment the theory itself.

Few Words About the Author

Andrei Linde is one of the originators of inflationary theory. After graduating from Moscow University, he received his Ph.D at the P.N. Lebedev Physics Institute in Moscow (Russia), where he began probing the connections between particle physics and cosmology. He became a professor of physics at Stanford University (U.S.A.) in 1990.

Big Bang Theory

The inflationary model has not been arbitrarily proposed by cosmologists, first in Russia and later in U.S.A. They tried to solve some of the problems left by the old Big Bang idea.

The Big Bang theory says that the Universe was created about 15 billion years ago from a cosmological singularity - a state in which the temperature and density were infinitely high (which actually means that the current laws of physics did not apply then). As the Universe expanded, it gradually cooled. The main evidence in establishing the Big Bang theory as the preeminent theory of cosmology was the discovery of microwave background radiation in 1965. (by Arno A. Penzias and Robert W. Wilson of Bell Laboratories). It is considered that this radiation is remainder of initial cosmic fire. The Big Bang theory also explains the abundances of hydrogen, helium and other elements in the Universe.

However, the further development of the theory left several complicated problems uncovered, the most intriguing being those of very existence of the Big Bang and the timing of expansion. One could ask what arose first: the Universe or the laws determining its evolution? How could all the different parts of Universe synchronize the beginning of their expansion? Who gave the initial command?..etc..

There is also a problem of the flatness of space. General theory of relativity suggests that space may be very curved, but observations show that our Universe is flat. The results of observations differ from theoretical expectations by more than 60 orders of magnitude. A similar difference between theory and observations concerns the size of the Universe. An important problem is concerning the distribution of matter in the Universe. The Universe seems to be homogeneous on large scales, but it incorporates important deviations from homogeneity as stars and galaxies...

These and other problems led cosmologists to search solutions in different models of our Universe.

The Inflationary Theory

The inflationary theory states that the Universe went through a stage of inflation. During that time the Cosmos became exponentially large within an infinitesimal fraction of a second. At the end of that period, the Universe continued its evolution according to the Big Bang model. Recent versions of inflationary theory say that instead of being an expanding ball of fire the Universe is a huge growing fractal which consists of many inflating balls producing new inflating balls, which in turn are producing more inflating balls, ad infinitum.

Quantum Scalar Fields and Expansion of the Universe

Quantum scalar fields are not the matter of everyday life. Nevertheless, they play a crucial role in cosmology as well as in particle physics, providing a mechanism that generates the rapid inflation of the Universe.

The theory says that scalar fields fill the Universe and mark their presence by affecting properties of elementary particles. If a scalar field interacts with the W and Z particles (which are responsible for the weak force) they become heavy. Particles that do not interact with the scalar field, such as photons (which mediate the electromagnetic force), remain light. To describe elementary particle physics, physicists begin with the theory in which all particles initially are light and in which no fundamental difference between weak and electromagnetic interactions exists. This difference arises only later, when the Universe expands and becomes filled by various scalar fields. The process by which the fundamental forces separate is called symmetry breaking.

The particular value of the scalar field that appears in the Universe is determined by the position of the minimum of its potential energy. According to Einstein's theory of gravity, the energy of the scalar field might have caused the Universe to expand very rapidly. The expansion slowed down when the scalar field reached the minimum of its potential energy. The scalar field began to oscillate near that minimum. As the scalar field oscillated, it lost energy, giving it up in the form of elementary particles. These particles interacted with one another and eventually settled down to some equilibrium temperature. From this time on, the standard Big Bang theory is able to describe the evolution of the Universe.

Chaotic Inflation

Andrei Linde realized in 1985. that inflation is a naturally emerging feature in many theories of elementary particles, including the simplest model of the scalar field. There is no need for quantum gravity effects, phase transitions, supercooling or even the standard assumption that the Universe originally was hot. One just considers all possible kinds and values of scalar field in the early Universe and then checks to see if any of them leads to inflation. Those places where inflation does not occur remain small. Those domains where inflation takes place become large and dominate the total volume of the Universe. The disturbances in the scalar field (quantum fluctuations) cause the density perturbations in the Universe that are crucial for the subsequent formation of galaxies. Because the quantum scalar fields can take arbitrary values in the early Universe, this scenario is called chaotic inflation.

Predictions of Inflationary Theory

Inflationary theory predicts that the Universe should be extremely flat and so far observational data are consistent with this prediction.

Density perturbations produced during inflation affect the distribution of matter in the Universe. Furthermore, they may be accompanied by gravitational waves. Both density perturbations and gravitational waves make their imprint on the microwave background radiation. They render the temperature of this radiation slightly different in various places in the universe. This nonuniformity was found by COBE (Cosmic Background Explorer) satellite.

Theory of Self - Reproducing Inflationary Universe

One can visualize quantum fluctuations of the scalar field in an inflationary Universe as waves. They first moved in all possible directions and then froze on top of one another. Each frozen wave slightly increased the scalar field in some parts of the Universe and decreased it in others. Those places of the Universe (which are extremely rare) where newly frozen waves persistently increased the scalar field could be very important, because such rare domains of the Universe where the field "jumps" high enough begin exponentially expanding with ever increasing speed. The higher the scalar field "jumps", the faster the Universe expands. Very soon those rare domains will acquire a much greater volume than other domains.

From this theory it follows that if the Universe contains at least one inflationary domain of a sufficiently large size, it begins unceasingly producing new inflationary domains. Inflation in each particular point may end quickly, but many other places will continue to expand. In essence, one inflationary Universe sprouts other inflationary "bubbles", which in turn produce other inflationary "bubbles". This process keeps going as a chain reaction, producing a fractallike pattern of Universe.

In this scenario the Universe as a whole is immortal. Each particular part of the Universe may stem from a singularity somewhere in the past, and it may end up in a singularity somewhere in the future. It is interesting that this theory does not exclude the Big Bang model. In fact, the Big Bang model is a part of the inflationary model.

Realistic Models and Implications

The simplest inflationary model consider only one scalar field which has only one minimum of its potential energy. Realistic models of elementary particles consider many kinds of scalar fields. The potential energy of these scalar fields may have several different minima. This condition means that the same theory, as a result, may give different laws of low - energy physics. Such complexities in the scalar field mean that after inflation the Universe may become divided into exponentially large domains that have different laws of low - energy physics.

If this model is correct, then physics alone cannot provide a complete explanation for all properties of our portion of the Universe. The same physical theory may yield large parts of the Universe that have diverse properties. In some inflationary models, quantum fluctuations are so strong that even the number of dimensions of space and time can change. According to this scenario, we find ourselves inside a four - dimensional domain with our kind of physical laws, not because domains with different dimensionality and with alternative properties are impossible or improbable, but simply because our kind of life cannot exist in other domains.

Critics and Conclusions

The main objection to the article is that the author left a little space to the explanation of the model of self - reproducing inflationary Universe itself, talking more about the problems of Big Bang theory, history and basics of inflationary theory. This review tried to follow the way Andrei Linde originally presented the subject.

Compliments go to excellent graphics accompanying the text. Illustrations are results of computer simulations performed by Andrei Linde and his son Dmitri on one of Silicon Graphics' (Los Angeles, U.S.A.) most powerful computers. Those computer simulations left the open question about possibility to create the Universe in laboratory instead on the screen of a computer, although such a notion is highly speculative. Considering possible consequences of such an attempt (which puts the cosmologists in the position of God) and summarizing the experience of simulating self - reproducing Universe, Linde asks ingeniously: "Is it conceivable that our own Universe was created by a physicist - hacker?"

The evolution of inflationary theory has given rise to a completely new cosmological paradigm which differs considerably from the old Big Bang theory and even from the first versions of the inflationary scenario. In it the Universe appears to be both chaotic and homogeneous, expanding and stationary. Our cosmic "home" grows, fluctuates and eternally reproduces itself in all possible forms, as if adjusting itself for all possible types of life that it can support. It is possible that understanding all the properties of our region of the Universe will require, besides a knowledge of physics, a deep investigation of our own nature, perhaps even including the nature of our consciousness.

One can draw some optimism from this theory, the optimism which is very important nowadays, considering the problems of the world we are living on. The model of self - reproducing inflationary Universe states that even if human race would be foolish enough to destroy itself (and possibly this planet) there will ever be other places in the Universe where life will emerge again and again, in all its possible forms...

Editor's note: Stephen W. Hawking's book A Brief History of Time was used as a help in writing this review. Also, I would like to thank to Mladen Matev, Ph.D student on Department of Physics & Astronomy, University of Tennessee, Knoxville, U.S.A, for his valuable comments.

What really interests me is whether
God had any choice in the creation
of the world.

- Albert Einstein -

Interesting Book

Scientific Stories
(A Plane World; What is the Fourth Dimension?; The Persian King)
by Charles Howard Hinton

This peculiar book was written more than hundred years ago. The author, Charles Howard Hinton, was a mysterious person, an English eccentric, who is mostly forgotten and omitted in biographic reviews. His name is mentioned only occasionally in a few esoteric publications (such as Ouspensky's Tertium Organum, 1920). There are indications that Herbert G. Wells might have known Hinton's work when writing his much better known The Time Machine (1895). The short note written by the publisher of the first edition of Scientific Stories (1888) says that the author left the manuscript shortly before leaving England, going to a "far and unknown fate". It seems that the book is Hinton's last message to the world, before leaving it. His further destiny is mystery - suicide or escape to fourth dimension?

Hinton was somewhat obsessed with exploring the fourth dimension. He had a little shop in London where he offered various toys (very cheap) composed of wooden pieces. Every piece had specific shape, color and its own peculiar name. With those pieces one could make pyramids, cylinders, cubes, prisms, etc. according to predefined rules. Moving different parts of so composed figure one would actually perform mental exercises to understand the fourth dimension.

First two stories in the book are also intended to be mental exercises. The story about the Persian King is a complex story with elements from philosophy, mathematics and ethics. All three stories are allegories. They have a hidden meaning and Hinton did not leave any clue for it.

The allegories are usually used for teaching or explaining ideas. The lesson I have learned from these three stories was not the one I expected. Actually, I do not know now what I was really expected, but I certainly did not expect that I will find so many parallels with contemporary problems in artificial intelligence and artificial life research. It is the reason why I would like to recommend this book as a good reading to everybody interested in artificial life or artificial intelligence subjects.

A Plane World

The story about a two - dimensional world is Hinton's attempt to help the reader's imagination accept four-dimensional world. The description of Plane World is very detailed, rich with carefully designed diagrams. Nevertheless, it is not easy to follow the author's narration, because the reader has to completely abandon her conception of a three-dimensional world.

Hinton introduces the reader step by step into the two-dimensional world, explaining first some physical truths about Plane World. Later he determines its position in the Universe ("...at the place where sunbeams falling on the Earth in January die and unify with the darkness..."). That world is the bubble on whose surface cosmic dust formed "continents" where two-dimensional people live. Hinton describes in detail those "plane people", their characteristics, living habits, emotions, the way on which their homes are built, their vehicles, their science, etc.

The story about Plane World ends suddenly with the presentation of some basic physical laws on the way the "plane people" perceive them. At that moment the reader is supposed to be already part of the Plane World, seeing it from the perspective of "plane people".

What is the Fourth Dimension?

This very short text represents the logical conclusion of the previous story about Plane World. If the reader leaves three-dimensional perception and accepts two-dimensional reasoning, it should be easy to transfer to the four- dimensional world. However, Hinton does not ask the reader to make that transition. He rather warns about dangers of uncontrolled insight in "higher realities". He admits the importance of future development of science, but also emphasizes the importance of preserving mental stability .

One may ask why contemplation about two-dimensional or four-dimensional worlds is relevant to the modern study of artificial life or artificial intelligence. Both disciplines leave some questions open, such as: What is really alive? What is intelligent behavior? Hinton actually says that there are no limits for (intelligent) life. We are only limited by our perception and willingness to accept realities different from the one we know.

Hinton did not have powerful "toys" such as the computers of today. Computer simulations,computer animation or virtual reality are much more powerful tools today than his wooden toys hundred years ago. One can make whole worlds inside the computer. Yet, Hinton's warning about the importance of keeping mental stability in the researching of new "worlds" is still valid. Exploration of "different realities" goes much faster today than in time Hinton wrote his stories. It means that the dangers of uncontrolled insights in "new dimensions" are greater today. Mental stability of explorers may be seriously endangered without adequate control. The warning can be applied not only in the fields of artificial life and artificial intelligence, but also on everything happening in "brave new world" which we call Cyberspace.

The Persian King

This story has the style of the stories from 1001 Nights, but it is actually a parable about life, creation and morality.

The Persian King, hunting with his courtiers, comes to a narrow ravine. Only he succeeds in passing to the other side. He enters a mysterious valley. There he meets Demiurge, the Creator of Life. Then the story begins...

It would not be fair to potential readers of Hinton's book to tell the story here. It is enough to say that the King learns from Demiurge how to start life in the empty valley where he finds only two apathetic children in the beginning. However, the method of the valley revival is interesting. The King has to learn complicated and difficult technique of suffering the pain, so the habitants of the valley could have enough pleasure to allow them to be alive and to rebuild a normal life in the valley. The basis of the method is the fact that the beings with the ability to create follow the pleasure and avoid the pain in their deeds. If the amounts of pain and pleasure are the same they become apathetic and cannot do anything.

The underlying philosophy is that everything in the Universe, every particle, has the ability to feel pain and pleasure and nothing can move if the pleasure is equal to the pain. Life and movement can exist only if the Creator of Life makes an imbalance between pain and pleasure, taking the pain on himself.

In some of its parts, this story is written in a way which reminds modern reader of particular computer games or artificial life simulations. The story gives a lot of material to think about. For example, what is a life? What is the main initiator of life? Is the imbalance between pleasure and pain really so important? What would happen if creators of "worlds" inside the computer could feel the pain of their "creations"? Would it bring to the new models of human behavior? Could such simulations improve the quality of everyday life? Is it possible for human beings to learn how to not hurt each others? ...etc...

The book Scientific Stories does not give many answers and leaves many questions. The author, Charles Howard Hinton, has for many years been in an other dimension, and we cannot ask him for the answers even if they existed. The only thing to do is to read the book and try to find some answers by ourselves and for ourselves.

It might be somewhat difficult to find Scientific Stories, but I hope that a little searching through the bookshelves with esoteric or fiction literature will bring this excellent book to you. Enjoy the reading!

Let us forget the lapse of time,
let us forget the conflict of opinions.
Let us make our appeal to the infinite,
and take up our positions there.

- Chuang Tzu - 

              ____________________________________________________
             /                /    |                              |
            /         |\__/| /     |      THAT'S ALL FOLKS !!     |
       /~~~~~~\      /      \      |  NEW "ALIVE" IS COMING NEXT  |
    ~\(  * *   )/~~\(  0 0   )/~   |      HOST TO YOU SOON !!     |
      (   O    )    (   O    )     |______________________________|
       \______/      \______/
      @/       \@   @/      \@

last modified September 01, 1995