Robert Hansen (RSnake / ha.ckers.org / SecTheory) created a little challenge (pun intended) a couple of days ago titled "The Diminutive XSS worm replication contest":
The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS worm propagation. I’m not interested in payloads for this contest, but rather, the actual methods of propagation themselves. We’ve seen the live worm code and all of it is muddied by obfuscation, individual site issues, and the payload itself. I’d rather think cleanly about the most efficient method for propagation where every character matters.
Kurt Wismer (anti-virus rants blog) thinks this is a lousy idea:
yes, folks... robert hansen (aka rsnake), the founder and ceo of sectheory, felt it would be a good idea to hold a contest to see who could create the smallest xss worm... ok, so there's no money changing hands this time, but that doesn't mean the winner isn't getting rewarded - there are absolutely rewards to be had for the winner of a contest like this and that's a big problem because lots of people want rewards and this kind of contest will make people think about and create xss worms when they wouldn't have before...
Here's where Kurt diverges from simply highlighting nominal arguments of the potential for misuse of the contest derivatives. He suggests that RSnake is being unethical and is encouraging this contest not for academic purposes, but rather to reap personal gain from it:
would you trust your security to a person who makes or made malware? how about a person or company that intentionally motivates others to do so? why do you suppose the anti-virus industry works so hard to fight the conspiracy theories that suggest they are the cause of the viruses? at the very least mr. hansen is playing fast and loose with the publics trust and ultimately harming security in the process, but there's a more insidious angle too...
while the worms he's soliciting from others are supposed to be merely proof of concept, the fact of the matter is that proof of concept worms can still cause problems (the recent orkut worm was a proof of concept)... moreover, although the winner of the contest doesn't get any money, at the end of the day there will almost certainly be a windfall for mr. hansen - after all, what do you suppose happens when you're one of the few experts on some relatively obscure type of threat and that threat is artificially made more popular? well, demand for your services goes up of course... this is precisely the type of shady marketing model i described before where the people who stand to gain the most out of a problem becoming worse directly contribute to that problem becoming worse... it made greg hoglund and jamie butler household names in security circles, and it made john mcafee (pariah though he may be) a millionaire...
I think the following exchange in the comments section of the contest forum offers an interesting position from RSnake's perspective:
Re: Diminutive XSS Worm Replication ContestPosted by: Gareth Heyes (IP Logged)Date: January 04, 2008 04:56PM
@rsnake
This contest is just asking for trouble :)
Are there any legal issues for creating such a worm in the uk?
------------------------------------------------------------------------------------------------------------
Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake (IP Logged)Date: January 04, 2008 05:11PM
@Gareth Heyes - perhaps, but trouble is my middle name. So is danger. Actually I have like 40 middle names it turns out. ;) No, I'm not worried, this is academic - it won't work anywhere without modification of variables, and has no payload. The goal is to understand worm propagation and get to the underlying important pieces of code.
I'm not in the UK and am not a lawyer so I can't comment on the laws. I'm not suggesting anyone should try to weaponize the code (they could already do that with the existing worm code if they wanted anyway).
So, we've got Wismer's perspective and (indirectly) RSnake's.
What's yours? Do you think holding a contest to build a POC for a worm a good idea? Do the benefits of research and understanding the potential attacks so one can defend against them outweigh the potential for malicious use? Do you think there are, or will be, legal ramifications from these sorts of activities?
/Hoff