 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 ------------------ Interview : Sarah Gordon )=-
 -=( ---------------------------------------------------------------------- )=-

 -=( 0 : Contents --------------------------------------------------------- )=-

 1 : Background
 2 : Questions and Answers

 -=( 1 : Background ------------------------------------------------------- )=-

 Sarah Gordon is most widely known as a researcher on the social aspects of the
 computer virus subculture due to the many papers she has written on the topic.
 She currently works for Symantec and holds positions on various virus  related
 committees.

 There was some discussion in the group about presenting Sarah's answers as she
 had written them, or to provide (sic) marks as she does in her interviews.  As
 we are not interested in misrepresenting people as unintelligent, we've set an
 example of good journalism and corrected the 18 obvious spelling mistakes (not
 that we're counting of course).

 -=( 2 : Questions and Answers -------------------------------------------- )=-

 Q. Remind us how human you are.  What do you do in a normal day?  Where do you
    go for vacation?  What do  you do for fun?

 A. My normal work day:

    I get up pretty early and read/reply to e-mails. Usually I will have around
    100 of them that require attention any given morning. Of those 100, maybe 4
    or 5  will require  in-depth responses,  looking things  up, etc.,  so this
    whole process  takes most  of the  morning. In  between doing  the e-mails,
    though, I usually am doing several  other things (and these e-mails are  on
    at  least three  screens with  different accounts,  concurrently).   Anyway
    those "in -  between" things include  catching up on  various forums, news,
    what is going on in  the world (science, technology, security,  psychology,
    ethics). Busy morning. I  take a _lot_ of  notes throughout the day.  There
    are usually  a few  phone calls  too, each  week -  with testers,  writers,
    corporate people, educators.   Lunch is usually  a working lunch,  but I do
    take a break in the afternoon for a shower and a walk around the block.  By
    this time I've already been  up and going about my  work for 6 hours or  so
    usually.

    Later afternoons will  be taken up  with reading papers,  reviewing papers,
    and organizing research of various types, working on whatever papers I have
    in progress (I've just finished two  - one on "cyberterrorism and the  home
    user", and  one on  "cyberterrorism?", and  have two  in progress  - one of
    these is "integration of virus and vulnerability information" and the other
    is yet  unnamed. Also  during this  time I  am  doing  some chats (not very
    often though),  continuing with  e-mail.  I  used to  do lot  of chats with
    virus writers and other people online  - but I don't really have  much time
    to do that  anymore. I hope  to have some  time in the  future to devote to
    this, but I will  use IM, not IRC,  probably. During this time  I will also
    sometimes be  looking at  some software  product, or  translating some text
    from reviews in other languages so I can see what people have to say.

    My day usually starts about 7 and  ends about 6 in the evening, although  I
    have been trying to cut it down to a 9 hour day rather than 11.  At the end
    of life, you won't be saying "oh, I  wish I had spent more time on IRC"  or
    "I sure wish  I'd spent more  time writing code".  I think it  will be more
    like "I wish I had just  one more day with <important person>  or <activity
    of real lasting value>.  So,  I am trying to be  sure I spend my time  each
    day now, rather than just let it pass by and when the work day ends, I  try
    to close my office door (I work from home), and not go back in. I am  doing
    pretty well at this; I just wish I had learned this earlier.  I think  this
    is maybe a result of  being not physically well -  it gives you time to  re
    -evaluate and focus on what it is you really want to do with life.

    After my work day ends, I do my 'other work'. This can be work for EICAR or
    WildList Organization but not so much of that as I used to do because  I've
    created processes to manage  a lot of it  for me. In addition  to all this,
    I'm a  professional counsellor and try  to commit  some time  each week  to
    keeping up with  that. (Counsellor = therapist). I am  not currently seeing
    any clients though, because its been a very busy work time and I have  been
    travelling too much.   I have  done this  work through  my church,  and  am
    working nights and  weekends to develop  a program there  that will provide
    counselling services to people in the community.

    Finally, I  also sing  in a  band, which  means one  day a  week there is a
    formal rehearsal, and at  least 1 hour a  day (usually more) I  do vocalise
    exercises. My favourite things to sing are songs from musicals like Phantom
    of the Opera, or  Celtic music.  Also I  write music. I don't  often take a
    "real vacation", but when I do, I like to go to some isolated place with no
    tv, no radio, and definitely no computers :).

    My "normal day"  when not working  is like, get  up, watch mystery  science
    theatre,  play  with the  dogs,  rent some  movie  (I like  Jacky  Chan and
    (almost) any Arnold movie),  go swimming, or snorkelling or take a walk  on
    the beach...I was cycling until a couple weeks ago, when I fell off my bike
    - messed up my knee so I won't be doing that again for a while.


 Q. To get a background on your  usage of computers, which programs do you  use
    daily?  Have  you ever   been hit  by a   computer virus?   If so,   please
    describe the experience.

 A. I got my first  virus, Ping-Pong.B, long time  ago - by accident.  I didn't
    know I had it and no one would believe me. That's how I got started in  all
    this. I had to  take care of it  myself.  It came with  a PC I bought,  the
    first PC I had ever used, actually, Prior to that I used a Tandy Co-Co  :).
    I've written about this ...on my WWW  site is some story about it, as  well
    as at www.virusbtn.com/magazine/archives/pdf/1995/199503.PDF

    It was frustrating mostly because no  one would believe I had it  - viruses
    were  such  a  new  thing  in  the  early  90s.  I  have  not  gotten   one
    (unintentionally, anyway) since then, though.

    I use a linux box with almost 0 apps. I'm pretty primitive :).

 Q. You are a member of the WildList Organisation and have also spent some time
    in other companies such as Central  Command and Symantec.  But not much  is
    known about what your roles involved.  Could you please enlighten us?

 A. Lots of things.  At Command Software  (not Central Command),  I managed the
    live virus library,  did all the  replications of the  viruses, analysis of
    any viruses that looked interesting (Concept, Laroux were two, but just the
    ones that got news).  I did the same  with IBM Research, managing  the live
    ItW virus library, etc. I also was responsible for testing the products  in
    house (in virus area, not QA), reproducing various types of tests, and  for
    doing research to help define  and develop scientific criteria and  methods
    for doing  tests, checking  samples of  things we  missed to  be sure  they
    should be in a test set to begin with, etc...

    Writing papers, presenting  various findings at  conferences - all  this is
    part of  the job.  Testing the  digital immune  system was  the most fun, I
    think, of  all the  testing jobs.  Then there  is keeping  the research  on
    ethics, and virus and security up to date. This is very time consuming, and
    the part that requires the most  travel. I don't actually enjoy the  travel
    much.  People think its great to travel all over the world - and it was  at
    first. Now, I just  am always happy to  be home.  For the  WildList Org, my
    first task there  was establishing an  actual organization, and  working to
    build it up - one  of first the things I  did to do that was  replicate and
    create the first sample sets of ItW viruses, for testing, this is now  used
    as a testing criteria by most good testers. I did that for a couple  years.
    I  designed  and implemented  the  WWW site  (which  is really  due  for an
    overhaul and it should be getting one VERY soon!)..

    I developed an on-line  reporting program that I  had hoped to use,  but it
    got dropped (literally, the computer it  was on got dropped on the  floor),
    and it was lost, so that never came about yet :). What else do I do...I  do
    guest lectures  sometimes, answer  media queries,  and work  also with  the
    various product managers to address product issues, read reviews - and this
    is just all the "virus" part of the  day.  This is much of the same that  I
    do with Symantec now.

    I also  do much  of the  same in  the "security"  side of  things.  (I  was
    involved with security some time before the whole "virus" thing.)


 Q. Why  are  users so  susceptible  to "obviously  suspicious"  attachments in
    emails about Money, Love, and  Anna Kournakova?  Are they too  curious, too
    fearless, too busy to notice, or just undereducated about the  consequences
    of their actions?

 A. People want to do  the right thing -  and the right thing  has historically
    been to read what someone sends you. It's really that simple. We live in  a
    world that is based around  people doing the right things.  Unfortunately ,
    as we are beginning to see in many areas of our lives, people do not do the
    right things.


 Q. Drawing from your experience with interviewing end-users who have been  hit
    by computer viruses, what actual psychological effects do these occurrences
    stir within individuals, if any?

 A. Anger is a  common experience. People  can't understand why  all their hard
    work has disappeared, and for some,  this can be devastating. Its all  well
    and good to say "should have backed up", but the fact is many people  don't
    - and don't even know they  should be doing it! Computers have  been thrust
    upon and embraced by people with no real  understanding/background in  them
    -  much like  tvs, refrigerators,  and other  such items.  We don't  expect
    people to know how to maintain those, and the computer culture has  created
    a lot of unrealistic expectations about  what users should know how to  do,
    or be expected  to do. Its  so easy for  _you_ or _me_  to say "they should
    have backed up", but take a look  at the people who are using computers  to
    go about their  work, and life.  Do you really  think "backing up  data" is
    going to be very high  in their radar? Do you  think it should have to  be?
    Hurt is another common emotion. People feel very personally violated when a
    virus infects  their computer.  "Why would  someone do  this to  me!" is  a
    question I get a lot.  Then there is sometimes a feeling of   helplessness,
    vulnerability, sometimes rage.  It's not very nice, really, is it.


 Q. In one of your recent publications you mentioned that the public has become
    more wary  of the  virus writer,  but more  open to  the hacker subculture.
    What sources helped you to reach that conclusion, and why do you think this
    has come about?

 A. Its come about because of the media portrayal of the subject, which is  one
    of  the  resources  from  which  I've  drawn  the  conclusion.  Media  both
    influences  and  is  influenced  by  culture.  It's  also  come  about from
    observing public exchanges, and from talking to lots of people. These  too,
    I think, all have been influenced by media.


 Q. In USA Today, you wrote about viruses "These programs really are simple.  I
    can understand how they would believe that this is stretching the limits of
    research, but the reality is, they're reinventing the wheel.  Virus writing
    doesn't require a very high level of skill."

    SG: Comment: Wow, you've read a lot of what I have done!

    What sort of viruses are you referring to with this statement?  Do you also
    believe this for the more complex assembly language viruses such as Hybris,
    and Zmist?

 A. Hmm.. I  was referring  to most  of them  - which  are, despite using "new"
    techniques to  their creator,  are not  demonstrating not  already known by
    thousands of engineers worldwide who  chose to use them for  helpful rather
    than harmful  purposes. The  more complex  viruses require  more skill "per
    se", but in terms of "is this really some great new scientific discovery of
    how code can be used", the answer is no. Its like me when I started  taking
    singing lessons.  When I  learned coloratura,  it was  like this  whole new
    thing for me  - and it  is really complex  and difficult to  do. Except for
    people who have been studying singing for years.


 Q. In New Architect Mag, you wrote an article entitled "Distributing Viruses",
    stating "How  a virus  replicates isn't  hard to  understand; in  fact it's
    fairly common knowledge among researchers."  You also wrote "It's true that
    the scientific community encourages research,  but only when it's conducted
    within the ethical boundaries of a given discipline."

    It seems that there is a divide between closed legitimate research (such as
    that in the antivirus world)  and social research and development  (such as
    the virus subculture).  Would it be possible to close that gap by opening a
    legitimate path of research for people who are interested?

 A. I'm  not  sure I  understand  the question.  What  do you  mean  by "social
    research and  development (such  as the  virus subculture).  Thanks! (also,
    this article got edited a bit from what I wrote). If you could explain  the
    question a bit more detail, that  would be great. I _think_ you  mean would
    it be a good  idea to open up  a path for people  to work with viruses.  If
    this is the question  - there is path  for that. I mean,  people working in
    the  industry  obviously took  that  path :).  Here  is what  I  recommend:
    http://www.badguys.org/researchers.htm  But maybe I don't fully  understand
    your question..?


 Q. In your article "Generic Virus Writer Part 2" you indicated that the  adult
    virus author tested was ethically lower developed than average for his  age
    using the Kohlberg model of moral development.  Looking at this model,  the
    motivation for behaviour begins  at self-interest, progresses to  community
    values, and ends in a trust in higher ideals and authorities.

    However that model has come under  fire due to the selective nature  of the
    males tested (they were all  well educated), and how females  were excluded
    as their  progression ended  at the   level of  community values.  Wouldn't
    this indicate  that adult  virus writing  males are  not necessarily  under
    developed at all?

 A. There are strengths  and weaknesses with  any model. The  strengths of this
    one include the fact that older  and more advanced thinkers are on  average
    more  advanced  in their  moral  development, and  stage  theory is  pretty
    supported in all moral development theories. In the paper I talk about  the
    cultural  biases  (Gilligan's  work),  but  these  don't  really  have much
    applicability (if any) to this particular work as there weren't any females
    to  interview  at  the time,  so  the  "all male"  is  probably  actually a
    strength. The educational bias is probably more relevant, and it would have
    been interesting to  see results of  DIT on the  subjects, but that  wasn't
    possible. I  suspect the  findings would  be pretty  much the same, though.
    I'd be interested  in doing followup  work but qualifying  the participants
    would be much more  difficult now, I think.  The adult virus writing  males
    had generally not  only answered the  queries in ways  that fit with  "less
    ethically mature", but their lives in generally bore this out.


 Q. Few would argue that spreading  viruses is morally wrong, but  the question
    remains as  to wether  there is  anything inherently  wrong with the actual
    creation of viruses.  Where do you stand on this issue?  Should creators be
    treated the same as spreaders?

 A. One  could argue  that it  is unethical  in that  it does  not benefit  the
    greater good, and I could  make a strong academic argument  against writing
    viruses if this were  a debate of "ethics".  But it isn't, and  so here I'd
    say I personally do  not think writing a  computer virus is "evil",  at the
    same time, I can think of more productive and less potentially harmful ways
    to exercise the same skillsets - after all, the "replication" part  remains
    trivial and the "real programming" can be done without that part. It's just
    sexier to do it with it, so to speak, so people do it. As for how  creators
    are treated, I think that depends what they do with their creation.

    If you write a self-replicating program that you don't allow to  replicate,
    never give to anyone, never let  out of your control, never user  for harm,
    etc., that's a bit different from writing it and giving it to your friends,
    as you don't really know what they may do with it. That's irresponsible. It
    really depends on several factors,  not just "creating".  What you  do that
    doesn't affect  anyone else  is (generally)  your own  business, don't  you
    agree?


 Q. Where do  you draw  the line  between malicious  virus author,  and a virus
    researcher/author such as Mark Ludwig, if at all?

 A. Mark is an interesting guy, and I find his work in areas other than viruses
    most  interesting,  and agree  with  some of  it.  However, making  viruses
    available is not an idea we share in common. I don't think he's a malicious
    person when it comes to  this stuff, though...we just have  different views
    on it.


 Q. What is the goal of  harsher laws against virus creation  and distribution?
    Is it a punishment for acts committed, or are there realistic prospects for
    rehabilitation?

 A. Hard to say - I'm not  involved with legislation and don't know  what goals
    people might have. I'd imagine it would have a deterrent effect if it  were
    applied closer to the event.  I think its more punitive in nature, its  not
    as if virus writers  need some sort of  "therapy" to get them  out of their
    "habit". Its a choice, and when you choose to do things that hurt people or
    harm society, if those things are illegal (not all are), and you are  found
    out, you will be held accountable. It's pretty simple - I've never  thought
    virus writers  needed rehabilitation  or therapy  (at least  not for  their
    virus writing :).


 Q. How accurate  do you  consider the   billions of  dollars lost to down-time
    each year, that is attributed to the larger virus outbreaks?  Should  these
    figures be used in calculating the virus writer sentences?

 A. I haven't reviewed the  data, so can't say  for sure, but it  sounds rather
    high  to  me.   I  think  accurate figures  should  be used  but  these are
    difficult to come by.  Especially in some cases  where the loss has  caused
    someone to  really be  hurt (i.e.  your grandma  loses her  photo album  of
    digital photos of grandpa, and has  no backup, the digital photos are  gone
    forever and so is he)..this sort of thing would really hurt. Virus  deletes
    your term paper, you worked four weeks on it, its due tomorrow (I know of a
    case where  a Master's  Thesis was  deleted -  it does  happen). How do you
    quantify those things? You can't put a price tag on that. For business, its
    also difficult - I guess I'm glad I'm not involved in that sort of work.

 Q. With the threat of another war  in the Gulf, do you think viruses  could be
    used to positive ends by the military in any way?  How?

 A. There are ways viruses  could be used militarily,  but I'm not going  to go
    into detail  about them  :). The  fact is,  though, computer viruses really
    aren't a very good weapon of choice for these types of things.


 Q. Is it too far fetched to believe that someone will one day harbour  viruses
    under their right to bear arms in the American Constitution?

 A. That's an interesting idea - but  I can't imagine anyone would be  so daft.
    Still, stranger things have happened, so someone could try this I  suppose.
    Any  competent  weapons expert  should  be able  to  disarm  this  argument
    relatively quickly (pun intended :).


 Q. With the rapid discovery and implementation cycle of virus technology, what
    do you fear most as a "worst case scenario" arising from its misuse?

 A. I make it a practice to not talk about "worst case".


 Q. Conversely,  what benefits from advances in virus technology and philosophy
    do you look forward to most?

 A. Ideally,  people  will stop  releasing  viruses, because  these  things are
    costing  businesses and  individuals lot  of time  and money.  Its just  so
    selfish to think that your  right to release something you  made supersedes
    someones right to go about their life in peace, and get on with whatever it
    is they  are doing.  I don't  think viruses  are any  big deal  technically
    though and have  never seen anything  done with one  that couldn't be  done
    more effectively, and more safely, without the self-replication. I've never
    seen one that made  me go "wow, that  is really something", since  the very
    early days when I didn't know that much about computers.

    Now, philosophically, I think something very good could come out of all  of
    this, and that is  a re-examination of the  issue of individual rights  and
    responsibilities. When people start to consider the impact of their actions
    on others, then we make progress as a society.

    BTW,  People  talk  about  artificial  life,  artificial  intelligence, and
    viruses, all in the same sentence. There's been some interesting work  done
    by people like Tom Ray  - granted - but this  is a whole other area  really
    than what we see of "viruses".


 Q. Where do you  see your personal and  professional lives progressing in  the
    immediate future?   What future  projects  of  yours are  there for   us to
    look forward to?

 A. I've just completed a paper on Cyberterrorism which will be published later
    this month.  I've gotten  consent to  put it  on my  web site  after a  few
    months, so it  should be up  there by Feb.  2003. Basically it  takes issue
    with all  the hype  surrounding "cyberterrorism",  and calls  for people to
    examine things more holistically. I  am also just completing a  short paper
    on the integration of virus  and vulnerability information, which is  a new
    way of looking  at things. I've  started work on  a new project  to do with
    virus  writers  (maybe  you can  put a  Call for  Participation out  for me
    later?).  I'll be presenting those  papers in the coming year  and updating
    previous research. On the personal front, I hope to spend more time  taking
    care of my husband (my number one priority), as this really brings me a lot
    of joy. I should be resuming  my counselling work soon, and fulfilling some
    promises I made  to develop a  training program for  counselors in a  local
    church.

 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
 -=( ---------------------------------------------------------------------- )=-
