Viruses: good software gone bad

Ten years ago, computer security guru Fred Cohen made a revolutionary suggestion, one that inverted the roles of hardware and software. In traditional IS architectures, hardware persists while software is transient; the same processor executes instructions from many programs. This is why we say that software runs on hardware. Cohen suggested building an architecture around mobile programs, applications that would move around a network, recruiting and organizing hardware as needed. In this vision, the programs would endure while the hardware would come and go. In effect, the hardware would run on the software.

The primary function that Cohen saw for his mobile programs was ensuring reliable and efficient resource distribution. Most computers spend almost all their time doing nothing; Cohen’s theory stated that mobile programs could find and harvest this unused capacity. If you allowed them to copy themselves – an intrinsic part of the vision – they could distribute themselves in huge numbers throughout the whole universe of unused capacity, attacking very large problems with vast amounts of parallel processing.

Cohen, now a senior member of the technical staff at Sandia National Laboratories and a senior partner with Fred Cohen and Associates consultancy, also defined a set of situations – primarily where programs needed to interact with many databases – when it seemed to make sense for a program to send copies of itself to each database rather than have one master program sitting in a central location and sending requests. Cohen even wrote two Unix programs, both essentially bill-collection agents, to illustrate his concepts. After all, this is how the brain seems to work: Memories appear to persist even as individual neurons are born and die.

In retrospect, Cohen should have drawn on this biological connection and given his theory some name like “digital neurobiology.” If he had done so, he probably would have been fighting off potential investors. He was a virus specialist, however, (he even claims to have invented computer viruses) and that is what he called his mobile programs – viruses. From his point of view, the term was technically accurate. His articles came with titles like Harnessing the Subtle Power of Computer Viruses.

At that time, unfortunately, technology culture was in no frame of mind to burden itself with complicated distinctions between good viruses and bad viruses. Today, computer viruses are a nuisance, threatening the loss of a day or two of productivity, if that. In those days, it was not clear that the threats posed by viruses could not bring down a company altogether. When Cornell graduate student Robert Morris’s experiments with a virus got out of control, he was arrested, convicted, fined and booted out of college. At one point, Cohen himself briefly lost network privileges when an overzealous system administrator discovered the nature of his research. The idea of releasing viruses deliberately, for good reasons or bad, was simply beyond the pale, and Cohen’s ideas sank without a trace.

Then in the late ’90s a number of programs appeared that let users contribute unused computing resources to problems of public interest. The most famous is David Anderson’s SETI@home, which distributed the problem of examining radio telescope data for patterns that might indicate extraterrestrial intelligence. The concept caught on quickly, and today dozens of projects in science and medicine are soliciting volunteers (“Help solve the protein folding problem!”), while a number of companies, including one started by Anderson himself (Austin, Tex.-based United Devices Inc.), sell programs meant to carry what is now called “distributed” or “grid” computing into corporate networks and enterprise computing.

Nobody ever even breathes the term virus when discussing grid computing, but the concept has much in common with Cohen’s idea: Programs spread out through the landscape, looking for, recognizing and recruiting unused resources.

Of course grid computing clients are not autonomous – users authorize each contribution. But a number of researchers believe that as questions get more complicated and access devices simpler, queries will naturally become self-executing and autonomous. Recently two Dartmouth researchers, David Kotz and Robert S. Gray, predicted (in a paper called Mobile Code: The Future of the Internet) that in a few years nearly all major Internet sites will host some form of mobile agents – or as Cohen would have called them, viruses.