
Archive for the ‘compliance, investigations, regulations, and legal’ Category

Cracking the Kraken

Saturday, May 3rd, 2008

Several news outlets are reporting that TippingPoint researchers have cracked the "Kraken" botnet and have actually been able to commandeer at least a part of it. The researchers are now faced with an ethical dilemma: whether or not to use their control ability to automatically fix the infected computers. This is by no means the first time someone has had to make this decision, and it is not the first time that they have reluctantly found themselves faced with almost exactly this argument against doing so:

The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone's life support? Yes, the system is already infected with a spam-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it's running and carrying out the rest of its functionality.

Now the life support issue is a bit sensationalist, but it can be treated simply as a way of demonstrating his argument: that making an unauthorized change to someone else's machine, no matter how well intentioned, has its risks and therefore should not be done. I also have a hunch, which has been confirmed by quotes in Computerworld, that it is not so much moral distaste for changing someone else's machine as the legal liability which has scared off management. (As a parenthetical note, I would like to take a moment to lament the sad state we find ourselves in here in America, where the word "legal" has almost universally replaced the word "ethical".)

While I don't think that legal liability should trump all other concerns in matters such as this, it certainly plays a part. For that reason, automatically cleansing the machines may be impractical, since I'm sure TippingPoint wants to stay on the right side of the law. However, if I've learned anything about engineering ethics, it's to always try to find a technical method of avoiding the ethical dilemma in the first place. In this case, how about using the control they have to simply direct all the infected computers to a web page that explains (in the simplest terms possible) that the person's machine is infected and how to clean it, along with a link to the MS patch which would prevent reinfection? That should satisfy all parties.
