From Startribune.com

For every hacker, scores who could do the same

By Steve Alexander

Sunday 5 October 2003

Somewhere in Belgium, a 19-year-old woman known on the Internet as Gigabyte is writing computer viruses and worms. She has written 17 so far, including one that scrambles MP3 music files and another named Buffy that causes quotes from TV’s "Buffy the Vampire Slayer" to pop up on computer screens.

But Gigabyte says she’s never released a virus or worm on the Internet. Instead, she submits them to antivirus software companies as "proof-of-concept" efforts. In other words, just to show she could do it.

Gigabyte’s efforts show that the shadowy side of the Internet is more complex than many understand. Rather than a straightforward battleground between those who would wreak havoc on the Internet and corporate and government defenders, there are significant numbers of skilled programmers on the fence, capable of helping either side for reasons of their own.

[Photo caption: Ben Breuninger of Mound recently pleaded guilty to hacking a national lab. Photo: Jeff Wheeler, Star Tribune]

In some cases, these freelance code writers function as something of an unpaid security force for software companies, pointing out new ways malicious code could be written, or pointing out software flaws or Internet vulnerabilities.

In other situations, the coders threaten the software companies with exposure if flaws are not publicly reported and promptly corrected. Companies that suffer such treatment typically consider the coders to be little more than hackers.

"It’s very common for companies to get e-mails about software vulnerabilities," said John Pescatore, vice president for Internet security at the Connecticut technology consulting firm Gartner. "Large software companies get five to 10 per month. About half of the time they don’t prove to be true vulnerabilities, but the others often turn out to be true."

Academic interest

H.D. Moore, a computer security consultant in San Antonio, said many of these programmers take almost an academic interest in worm and virus development. They are motivated by "the challenge of one-upping their friends and researching new techniques for automated propagation and system infection. They don’t necessarily want attention, nor do they really want their code splattered across the Internet where the malicious folks could reuse it."

Without mentioning Gigabyte by name, software company Symantec Corp., which specializes in antivirus programs, has tacitly complimented her by including several of her viruses on its Web page list of Internet threats, and by adjusting its Norton antivirus software to block them.

Gigabyte, a Belgian citizen who has seven computers and lives with her grandparents, said her own interest in computer viruses began when she watched the movie "The Net." Virus writing, she said, polishes her programming skills.

"I really love to travel, and it’s an interesting idea to know that such a virus could travel much further and faster than I ever could," said Gigabyte, a second-year college student who would like a career in computer networks or security.

Gigabyte, who was contacted by the Star Tribune via e-mail, declined to disclose her name, saying she has received e-mailed threats.

Gigabyte is something of a celebrity on the Web. Technology sites often write about her efforts, partly because of her skills and partly because she is a woman in a male-dominated field. Once she taunted an antivirus company technology consultant by writing a combination virus and worm program, called W32/Coconut-A, that contained a game in which coconuts were thrown at an image of the consultant’s head.

Little sympathy

Gigabyte has little sympathy for Internet users who accidentally launch viruses by clicking an e-mail attachment, behavior she considers ignorant. And she says antivirus companies give people a false sense of security.

"What if someone is the first to receive a new, undetected virus or worm? Their antivirus software won’t help them then," she said.

Antivirus software companies seem resigned to dealing with Gigabyte and others like her.

"As long as we have computers, we will have people who want to exploit them," said Sarah Gordon, a senior research fellow at Symantec and the firm’s unofficial liaison to people who write viruses.

"People who toy with viruses see themselves in a wide variety of roles — some give the excuse that they are doing legitimate research, others play at being ’bad guys’ and think it’s cool to be on the rebellious side," said Gordon, who at Symantec and IBM conducted surveys among members of the Internet underground and built relationships with some of its members. "Many times the younger ones can’t conceptualize the impact that their action, writing a virus, could have in the real world if the virus gets loose. They treat it like a big game."

Pointing out flaws

Last November, a 21-year-old programmer in the Netherlands, Thijs Bosschert, tried to start a discussion with Yahoo and MSN Hotmail about software flaws, then upped the stakes when the companies didn’t respond.

Bosschert said flaws in the Yahoo and MSN Hotmail free e-mail services allowed him unrestricted access to the e-mail of their users. He sent the two companies e-mail warnings, hoping for an acknowledgment and a promise that the flaws would be corrected. After getting no response, Bosschert published the e-mail flaws and ways to exploit them on a Web page.

"It was mainly published to show the flawed service, that multiple sites have the same big problem which should be fixed," said Bosschert, a Grootebroek, Netherlands, college dropout who works as a technician for an Internet service provider.

Paul Luehr, an assistant U.S. attorney who prosecutes many of the federal cyber-crime cases in Minnesota, said "the law is in a state of flux" regarding the publishing of hacking techniques on the Internet. Some courts have treated the information as constitutionally protected free speech, while others have considered the posting of such information a violation of trade secret or intellectual property laws, he said.

MSN, a unit of Microsoft, said it acted last November to repair the vulnerability Bosschert described. MSN spokeswoman Erika Schrader added that "it is not always possible to respond directly" to people warning of flaws in MSN’s service. Yahoo didn’t respond to an inquiry about Bosschert.

Other big-name software companies sometimes go beyond heeding the warnings of independent researchers, rewarding them by hiring them to search for additional flaws. But the relationships can be easily fractured.

"The problem arises when a small percentage of the researchers can’t decide whether they want to be hackers or businessmen," said Mary Ann Davidson, chief security officer for computer database firm Oracle in Redwood Shores, Calif.

Davidson said freelancers often don’t realize the amount of work involved in correcting a large software program and testing it for errors.

"Our software runs on 20 different operating systems, sometimes in multiple versions. We’re happy to make software patches for our customers, but we can’t do it in five days, and maybe not in 30 days. And we can’t go public with the exploit until we’ve fixed it for every one of our customers," she said.

Jan Reilink, a computer security expert with the Dutch Security Information Network, an informal group of professionals, sees other reasons for companies to be slow or nonresponsive in dealing with outsiders.

They "don’t want to admit the flaw, don’t want to encourage the person who found it, are unsure about the flaw and its impact or don’t have time to respond properly within the set time frame," Reilink said.

And, in the worst case, "they don’t care."