Forgot your password?
typodupeerror
News

Finns Outlaw Virus Writing 173

Posted by Hemos
from the don't-even-think-bad-thoughts dept.
Ecyrd pointed out that the Finnish Parliment has ratified an amendment making viruses illegal. It's actually not just illegal to use them - distributing them is illegal as well. The most interesting part of the legislation is that apparently isn't just using them - writing them is also a crime.
This discussion has been archived. No new comments can be posted.

Finns Outlaw Virus Writing

Comments Filter:
  • > the Bill cites the offence as a catch-all "Causing danger to data processing systems"

    Oh-oh. Keep that coffee cup away from your keyboard!

  • if so, then, a type such as:

    fork();
    fork();

    would make me a criminal :)

    Stupid law, and I thought my country's politicians
    had a clue.
  • 1) Yes, distributing a virus to unknowing recipients should be illegal. But shouldn't this already be covered under civil suits, electronic sabotage, etc.? I don't know the Finnish law, but it seems as though this sort of legislation should be redundant. It certainly would be here - we didn't need a new federal law to lock up Mr. Melissa. 2) Banning the _writing_ of a virus? Come on now. I bet you that the average Finnish legislator probably couldn't give you an adequate definition of what is and what is not a virus. I wrote many MS-DOS viruses in my high school days - gave a few to a VX BBS (which I regret now - I explicitly labeled them as viruses, and naively thought they would only be in the hands of the "responsible"), but most of them were just personal creations I made for the fun of it, and never distributed to anyone. Banning the writing of any computer program is simply absurd. Of course, all (or most) of us know this. But how can we communicate it to a legislature, and to the general public which elects them?
  • it was given a 1 because all posts from non-ac's without excessive karma (either way) is scored a 1 unless moderated otherwise
  • Could Microsoft could be charged under this law for there release of Windows 98?
  • To reiterate the catch-all: "Causing danger to data processing systems." How does one define "danger"? Does it mean "causing unexpected bahavior, interruption of use, or corruption of documents"? If so, then Microsoft distributes the biggest virus on the planet - it's called WINDOWS. And you even have to pay for it!
  • Perhaps I should have just looked it up [2600.com] :-)
    Ed Cummings (Bernie S.) has been in prison since the spring of 1995 and is the first person to have been imprisoned without bail for something as harmless as possession of a modified Radio Shack tone dialer. He is also being charged with possession of a computer (no joke) and software which could be used to modify a cellular phone. This case is significant in that if successful in prosecuting him, the government would be able to prosecute almost any one of us because the tones and the information in his possession are very easy to get ahold of.
    This is 2600's interpretation. Text from the indictment:
    VIOLATIONS: 18 U.S.C. S1029(a)(5) (Possession of modified telecommunication instruments - 2 counts) 18 U.S.C. S1029(a)(6) (Possession of hardware and software used for altering telecommunications instruments - 1 count)
    ...
    COUNT THREE

    THE GRAND JURY CHARGES THAT:

    On or about March 15, 1995, at Villanova, in the Eastern District of Pennsylvania, defendant EDWARD E. CUMMINGS, knowingly and with intent to defraud did possess and have custody and control of hardware and software, that is an IBM "Think Pad" laptop computer and computer disks, used for altering and modifying telecommunications instruments to obtain unauthorized access to telecommunications service. In violation of Title 18, United States Code, Section 1029(a)(6).

    What software that was isn't clear:
    The government had found data on a commercial diskette in Bernie S.'s possession which they say was related to cellular fraud in California. While Bernie says he has no idea what it is they're referring to, the odds of a jury being able to understand how someone could have a diskette and not be held accountable for every bit of data on it seemed uncomfortably slim.

    --
  • I'll admit that calling the origional B.O. a "legit remote admin tool" would be a little bit of a streach, but BO2K is as legit as you get.

    Yes, it does have certain features that go beyond just nessesity. This is because the people who built it are hackers in the true sense of the word (and probably in the other sense of the word too, but that's beside the point).

    Go, download BO2K, try it out, compare it to the other remote admin tools. IMHO it's the best one out there, and it looks and acts just as professional as the others. Just because it's well designed and featurefull doesn't make it a malicous trojan.

  • The plural for "virus" is viruses.

    Yes, take a look at tchrist's explanation, What's the Plural of `Virus'? [perl.com].

  • Microsoft has declared that BackOrifice 2000 (BO2K) [bo2k.com] is a virus and I guess most anti virus programs have updated their definitions accordingly.

    The authors of BO2K on the other hand have clearly stated their intention to provide a system management tool. They even point out the potential danger when not properly handled and when combined with the security hole provided by the MS-Word macro language.

    The question is who decides. Maybe now big companies like Microsoft have one more weapon to crush small competitors writing power tools.

  • Yikes. How do you manage to run windoze? ;)

    Or maybe Italy will be the next source of all the geeks (on knowlegable grounds)... strategic move to take over the world.. I dunno :)
  • by jks (269) on Thursday September 23, 1999 @05:10AM (#1664910) Homepage
    The Government's proposal is available on the Parliament's [eduskunta.fi] WWW site: click here [eduskunta.fi]. The URL is monstrous, and I'm afraid it may not be valid forever. However, if you speak Finnish, you should be able to find it by the code "HE 4/1999", or simply by searching for the text "virus".

    Since Finnish is not yet one of the major languages of the world, here's my translation of the relevant section of the new law. I'm not a lawyer or a professional translator, and I'm especially ignorant of English legalese--my apologies for the inevitable errors here. Also, this is only the version proposed by the Government, and the law that was actually approved may be different.

    Endangering data processing

    Who, with intent to harm data processing or the functioning of a data or telecommunications system,

    1) produces or makes available a computer program or a series of program commands designed to endanger data processing or the functioning of a data or telecommunications system or to damage the data or programs included in such a system, or distributes such a computer program or series of program commands, or

    2) makes available instructions to produce a computer program or a series of program commands that paragraph 1 applies to, or distributes such instructions,

    must be sentenced, unless the act is punishable more or equally severely by other law, of endangering data processing to a fine or at most two years of imprisonment.

    Malicious intent is the most important point; the program can be anything harmful, not just a virus in the technical sense. Also, a guide to writing viruses will qualify.
  • Depending on how they defined virus this law comes awfully close to saying that certain ideas are illegal. Remember that a source for an encryption program was ruled protected speech here in the US, so this law would fall under prior restraint here.

    Once again, legislators try to prohibit ideas and information, instead of making their irresponsible or malicious use illegal.

    This assumes that no beneficial use for viruses will ever be found -- e.g. security patches that automatically spread and install themselves, or techniques similar to vaccinations where benign viruses are spread to train computer immune systems to attack damaging ones. Not a real issue today, but do we want to assume that it will *never* be an issue?
  • "trojan virii"?

    Er, trojans and viruses are two different things. Also, most viruses aren't harmless programs as you seem to think.
  • It's a case of someone thinking they were clever.

    If virus were a Latin word (which I'm not sure it is), then the plural would most likely be 'viri'

    However, it sounds a lot more clever and exotic if you put an extra i at the end. I mean there's few enough words that end in one i, but two makes it truly exotic, so whoever came up with the word must be the cleverest person ever.

    There's a lot of this kind of crap in language. Sometimes it works in reverse. How often have you heard of 3 things being back-to-back? That's just plain stupid. 3 things can be consecutive, ie. one after another, but they can't really be back-to-back.
  • What they are saying is that whether you knowingly or unknowingly distribute a file with a virus you are liable for the damage that it causes.

    Through college I worked my way out of the MIS department of a large company (and into research with another). Most of the people there were computer capable, but not literate. They didn't understand scanning drives, they didn't understand what infected files were and ultimately, they didn't care - until it affected them. It took us almost a year in one case to clean the entire system (child companies in the SW and overseas provided additional problems). We would clean the Servers, and then boom, once again the same files would appear as infected as before. We had to go to over 400 PCs at our location 600 about a 30 miles away, and create simplistic documentation for several other plants, offices and hundreds of field reps to follow. Old virus software detected the problem, informed people of the potential hazzards, but because these things were deemed "mission critical," people stupidly continued to distribute them, download them, work with them, etc...

    Blatantly ignoring a problem nearly crippled our company. Even though the people were uneducated about viruses, they made no effort to report problems, viewing this problem as one that would just "go away," like a cold or the flu...

    It is vitally important (especially the way the internet is expanding) that people make an effort to take responsibility in cleaning their files, machines and so on.
  • People in other countries watch American TV? Must be some new kind of torture..

    Besides, neither of the two examples you listed had anything to do with the media. I'm sure a few people outside of the States consider that awful show with Chuck Norris to be some kind of documentary but I, for one, am not buying it.

  • by Suydam (881)
    I think this is too reactionary. ..but only if they plan to strictly enforce the law against distributing them.

    Think about it. If it's illegal to distribute virii, then it'll be much more difficult for anti-virus software producers to get copies of the virus in order to write an antidote.

  • yes, true, ulterior motives indeed. Like experimentation: alife, mobile agents, data mining. Many, many new apps are arising soonly from the virus base. Too bad none from the finns?
  • by iceT (68610) on Thursday September 23, 1999 @04:21AM (#1664919)
    Wow! I hope they mean INTENTIONALLY transmitting them is illegal...

    Otherwise, over 50% of my company will be arrested...! (not me, of course...)
  • AC said: And I'm interested in nitro-glycerin and fertilizer bombs. Does that mean I shoudl be able to play with them?

    Yes, it does. If everybody who wants to play with explosives, weapons, and other dangerous things do, then they won't live to reproduce and spread their idiocy through the gene pool. That's why I'm against gun control, but don't wish to own a gun.

  • by Ray Dassen (3291) on Thursday September 23, 1999 @04:22AM (#1664921) Homepage
    Isn't this something for YRO? While I despise virus writers as much as the next guy, I find the idea of being forbidden to code something in the privacy of your own system very chilling, in the order of surpressing knowledge/censorship/dystopia.
  • Much as I enjoy both your work and the classical tounges, I have to disagree. English may have descended from the Indo-European family, and much of its vocabulary may have evolved from the Latin, but it has also aquired many characteristics of the trade languages insofar as terms in the English language are indiscrimanently purloined, mangled, and reapplied at a recent rate which makes semantic drift inversely analogous to continental. The same thought can be applied to the grammar. I think the word for for this is, unfortunatly, "postmodern". I will call the multiple virus virii. Those who create them do so and at this time I cannot think of a higher authority.

    scogan@(for the moment)gmx.de
  • How will they enforce this law? How will they track down the virus writer?
    Some questions for thought.
  • I agree...enforcing many aspects of this law will be very difficult. However, tracking down the virus writer has already proven to be possile, and exciting for the media ... remember the Melissa virus? That guy was tracked down like a dog.

  • How can people be allowed to make laws regarding something they know nothing about. Are politicians being advised by professional programmers or sys admins or anyone else who might understand what's going on? It seems like politicians are not tech heads.
  • ...That come from Microsoft? Would those be illegal also? ;)
  • [asb@pingviini asb]$ cat > c.c
    #include
    int main() {
    fork();
    fork();
    return 0;
    }
    [asb@pingviini asb]$ gcc c.c
    [asb@pingviini asb]$ ./a.out
    [asb@pingviini asb]$


    Hmm. Are you sure this counts as a DOS attack?

  • Ok, so i'm a finn and I can't put my viruses on a finn website. Boohoo, I'll just put them on a geocities website. My plan for a new goverment, is that everyone in a disicion making department must take a test on what they are trying to regulate. Uf they don't pass the test, they don't get to vote.
  • Hmmh, does this mean that I was wrong moving from Finland to Netherlands?

    I knew this guy who had >5000 bagged specimens on a public website (until they shut him down.)

    I guess this is just one more example of how the lawmakers act out of fear generated by their ignorance. A scared politician is a very scary thing(tm).
  • "The decisive second reading of the Bill cites the offence as a catch-all "Causing danger to data processing systems". Under the terms of the new law this will be punishable by fines or by prison terms of up to two years. It is hoped to get the amendment into law as quickly as possible."

    Maybe Linus moved to the U.S. because he peered into the future and knew this was coming.. Or, ah, maybe not.. Soo! Is it just me, or could just about any program "cause danger to data processing systems"? Does this thing have a provision for whether or not it was even intentional!? I mean, what if what you have is a program with a bug in it? Even if you didn't mean for the program to have a bug, before you even get it through the debugger you've committed a crime! At least, that's how it appears from that article. If I were Finnish, I'd be moving out of the country or giving up the idea of becoming a programmer. Ha!

  • In Germany writing virii is illegal for YEARS now. Any activity damaging a computer or data medium is punishable with up to 5 years of jail time.
  • So, is playing core wars [ucla.edu] now illegal? Sometimes writing malignant programs attempting evolution on one's computer (or network!) is a great way to learn about logic, memory protection, and security. If one cannot experiment in their own room on their computer legally, there will be either secrecy or a bunch of mouse pushers come next decade.
  • First, I think that has already been said, but is worthy of mention again, it will make hurt anti-virus companies trying to get copies of the latest virii.

    Second, many people just write virii for fun to to test their programming skills. This would be hurtful to the Programming community.

    Third, I know the first amendment dosen't apply outside of the US, but, this is still a violation of freedom of speech.

    Fourth, how about the source code to a virus? It in and of itself isn't harmful, you have to compile it and execute it for t to do anything. I guess they actually outlawed the compilation of virii, not writing them.

    Fifth, define `Data Processing Systems'?

    That's my 1/50 of $1.00 US
    JM
  • So the Finns have effectively outlawed all Micro$lop products, then!!! Hurray! :)

    Think about it with this handy comparision guide...

    Virus:
    Spreads itself across your hard disk, and tries to make itself impossible to remove.

    Micro$lop
    Internet Destroyer 4.0

    Virus:
    Appropriates HDD space unnecessarily

    Micro$lop
    Turd '97

    Virus:
    Causes system crashes

    Micro$lop
    Win *

    Virus:
    Causes loss of data

    Micro$lop
    M$ Orifice 2000

    Virus:
    Can be a security risk

    Micro$lop
    SAM files

    So Linus was the first; now the Finnish government is giving Bill a hard time :)

  • It's not really a long article, folks. Check out this excerpt, and note specifically the last line:

    The law stretches a net to catch those writing, making available, or spreading computer viruses. This effectively means for example that anyone who keeps a virus program on their website that is available for downloading by visitors would become liable under the law. Liability for punishment is not limited to cases in which actual harm or hindrance is caused to data systems, or where the data or files of the infected system are corrupted or destroyed in the process. The intention to harm becomes the primary criteria for bringing charges,


    The AV community WILL NOT BE HARMED by this. They may be put out of business, but even that seems unlikely. "The intention to bring harm is the primary criteria[sic] for bringing charges". Please folks, what Finland is doing isn't really bad for anyone except those Finns who want to do bad bad things with virii!

    This needent go under YRO, since it is just another way to help slow "cyber crime" in Finland. Note also that downloadable code is just as bad, so don't put links to files. As long as you're an innocent, you're fine. Pleeeaaase read the article...it clears everything up.

    Regards,
    -efisher
    ---
  • by Lucius Lucanius (61758) on Thursday September 23, 1999 @05:20AM (#1664937)
    HELSINKI (Reuters).

    In a surprise move, an arrest warrant was issued by the Finnish police to capture Linus Torvalds under the nation's new "anti virus" law.

    "The law states that any program that causes danger to data processing systems and is freely available for download by visitors is a virus," said Lt. Hakk Daeta. "The linux kernel poses a danger to Windows, which is a widely used data processing system. Many legal scholars have testified to this. And after Torvalds blatantly put out this virus, millions of PCs have been affected. He must be stopped."

    Meanwhile, rumors persisted that Torvalds was seen on the Jerry Springer show, on an episode titled "My PC is too sexy". A man who appeared on the show wearing a paper bag over his head made the suspicious statement that "I am innocent. I just showed how it must be pronounced. It is lin-nucks, not line-ux."

    Police are still searching.
  • Core wars is about writing programs in redcode that attack each other. This is different from a virus which straps onto another program and replicates, often killing the host in the process, much like a virus that would attack a human. Okay, perhaps there is a fine line between these two, but here are some major differences between redcode programs and real programs:

    1) redcode isn't a real machine language (or at least I don't know of any chips that understand redcode), so a virus-like program in redcode can't damage anything.

    2) most real computers don't have 10000 or so bytes of circular memory.

    3) if a redcode program could be ported to a real computer, it would simply crash the machine or be halted by the OS for violating memory protection.

    4) most modern computers don't have instruction sets that include "mov 0 1" and the like -- making it difficult to port even the simplest of recode programs, the imp.
  • What is wrong with computer virii? They are completely valid, and even subjects for scientific study. They are a learning mechanism also. They are intriguing and pose interesting questions. Will they outlaw genetic algorithms next? Maybe they'll outlaw sex because it is used in porn.
  • My plan for a new goverment, is that everyone in a disicion making department must take a test on what they are trying to regulate. Uf they don't pass the test, they don't get to vote.

    I want something similiar. I want the "enlightened democracy" where everyone that wants to vote (for parliament, etc.) need to go through a test - to show that they know what they're voting at. 50 or so questions about what diffrent parties want. If you get more than 75% correct, you may vote. If not, you may go home and rehurse, and come back and take the test again.

    The point is - nobody is going to be *excluded*. There should not be "right" and "wrong" meanings. The point is that people should know what they're voting at.



    --

  • BO is considered a virus by many but isn't. It's a program. But the question is, would a Finnish Court see BO as a virus?

    The "many" includes certain producers of anti-virus software.

    More intertesting is that the produces of NetBus (in the neighbouring country of Sweden) are considering legal action against anti-virus producers. For blacklisting their product for reasons which appear to have more to do with anti-competative behaviour.

    NetBus does not use the kind of inuendo which would give BO an image problem regardless of anything else.

  • Actually, I think a lot of responsible users and administrators are opposed to any stealth remote administration tools.

    Until they get users who fiddle, moan and kill tasks they don't recognise.

    If BackOrfice is intended as a useful tool, and not a tool for thugs and criminals, it should leave an obvious traceable footprint on any machine it is running on. Like a bitmap of a big friendly animal of some sort displayed on the screen, or an icon on the system tray.

    Unless you give total control to the admin over what kind of trace it uses you will just upset users. They will say things like "What's this c*** on my desktop".
    There's also the question of how you then make the process unkillable under an OS which dosn't support process ownership.
    If it isn't running when it's needed, maybe the random Luser has decided to start killing things they don't recoginse before picking up the phone, then it's not much use as a remote admin tool.

  • Whether they can run in a stealthy fashion, and wether they were specificially designed to run as such, as a primary design objective, makes a lot of difference.

    Is there a way to create a process which is visible in the Windows task manager, but cannot be killed by the user. Including in a "low resources" situation?

  • I'll admit that calling the origional B.O. a "legit remote admin tool" would be a little bit of a streach, but BO2K is as legit as you get.

    The only real problems are some of the names and terms associated with the product :)

    Yes, it does have certain features that go beyond just nessesity.

    Though one admins "unnecessary" is another admins "essential". Though there are some apparent omissions in the bundled client. e.g. sending commands to a group of clients, scheduling of commands, etc, etc.

    it looks and acts just as professional as the others

    IMHO professionalism is lacking in the client slash screen, the product name, the legacy plugin name. None of this makes any difference to the programs functionality, just that they make it difficult to avoid upsetting managment types.

  • If the intention of the BackOrifice creators was to create a systems management tool, why did they do it in such a way that the tool itself is unmanagable? Why doesn't it appear clearly in the system tray, leave obvious traces that it has been installed, and make it obvious to the computer's user that it is present? It seems to me that those are several critera for any useful systems management tools.

    Becuase in the situations where remote admin tools are appropriate LAN workstations the configuation of a machine is the business of the administrator rather than the end user. The worst kind of end user in such a situation is one who thinks he or she knows what they are doing. Having a program which is easily visible increases the risk of end user "fiddling".

  • BackOrifice has a command to freeze your computer, which is obviously malevolent.

    Not obvious actually, the freeze command could be useful when a workstation is being misused. Though
    it might be better if it could send a screen dump to the client at the same time.

  • Once again, legislators try to prohibit ideas and information, instead of making their irresponsible or malicious use illegal.

    The area where clues are especially lacking are the Windows remote admin programs where the same program can be used legitimatly or maliciously.
    IMHO the most likely result of MS and anti-virus companies herassing free/shareware versions of these type of programs will be "Warez" versions of fully commercial programs being used maliciously. (Since these won't be on anyone's blacklist.)

    This assumes that no beneficial use for viruses will ever be found -- e.g. security patches that automatically spread and install themselves,

    Potentially useful with the likes of Windows which lacks such a facility inbuilt.

  • Back the the first point - we see the government trying to protect its people by banning "something" - specifically, in this case, viral code. Why this, and not many of the other "things" that are (primarly) harmful? The obvious selection - firearms. Why not ban guns? Or biological weapons facilities (most industrialized "1st world" companies have them, in some capacity)?

    Nearly 80 years ago a "First World" country came up with the idea of banning alcoholic beverages. The results were
    a) More alcoholics.
    b) Organised crime.

    As for banning firearms only one country AFAIK ever tried this, Japan. They reversed this policy when it became obvious that not having them was a poor protection against another countries (the USA) military which had them.

    Learning from history does not appear to be something polticians do well.

  • Vandal: "I wasn't vandalizing his car, your Honor, I spray-painted it as an expression of my artistic individuality."

    The problem comes when the law regards someone customising their own car (or an organisation putting their logo on their fleet vehicles) as being exactly the same as the "vandal".

    Which is the kind of possibility. e.g. "This software update uses methods like a virus to spread, you can't use it", "You can't use this remote admin program on your LAN, `cos your users can't see that it's running" which are cropping up here.

  • The problem with outlawing, say, the writing of books on making bombs is that it's entirely too close to outlawing THINKING about making bombs. And as we continue to outlaw more and more kinds of thought..

    As if this will actually stop any terroist making a bomb.
    I remember reading somewhere that in the order of 1 million people know the supposed secrets in constructing a fusion bomb...
  • Hmm...I guess nobody can post info on encryption or decryption algorithms because they can be used to avoid or break the law. Also I guess bugtraq lists cannot be on the web because they can be used to break the law. Whoops...there goes Packet Storm (well, it's not on a Finnish server luckily).

    This is so stupid. Thought crime. Really stupid. How about banning the manufacture and dispersal knowledge in general? Knowledge is very dangerous. Led to guns and bombs and such. We should ban all knowledge. In fact, the ISPs are a party to this evil activity. We should shut down the net and live in caves.
  • Both. People who want to sound like they're more 1337 use virii...and I use it because it saves 2 keystrokes...
  • This new law raises intersting topic for debate. Here, we see that the government has banned the production and distribution of "something" that has, traditionally, been used for malicious and/or damaging purposes. Fairly straightforward.

    However, upon closer inspection, we find an inherant flaw - what constitues the now "illegal" viral code? A somewhat sesible definition of a virus, can be found at "whatis.com/virus.htm [whatis.com]". The key point in any defintition seems to be : "A virus is a piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event.". Again, decent enough.

    However, what about "software patches" ? Upgrade packs, the (in)famous Microsoft "Service Packs [microsoft.com]", and the like? Generally speaking, the user doesn't really have any clue how, or what, these are doing - beyond "fixing broken things". These patches insert their code into the parent program, usually modify the behaviour of the program in some way, and sometimes result unexpected results (option removed, feature added, etc..). That's all the criteria of a virus, right there. Should these be illegal also?

    Back the the first point - we see the government trying to protect its people by banning "something" - specifically, in this case, viral code. Why this, and not many of the other "things" that are (primarly) harmful? The obvious selection - firearms. Why not ban guns? Or biological weapons facilities (most industrialized "1st world" companies have them, in some capacity)?

    If we'd like to get a little paranoid/"Evil Future Governement" about it, we could go as far as to speculate that the government can (and will) start to ban all manner of things it considers "bad for you". Meat? Cow Milk? Free Speech? Ah, the wonders of Totalitarian government.

    By now, many of you might be thinking "man, this isn't the x-files, our government won't go THAT far". Yes, you're probably right.. of course, you don't code viruses...
    .------------ - - -
    | big bad mr. frosty
    `------------ - - -
  • Actually, Windows can crash your computer a whole lot faster, Melissa wasn't a virus, it was a worm. It didn't harm anybody/anything (s/e-mail servers). OTOH, Windows can crash 85% of all computer. So while Melissa was clogging e-mail servers, Windows was crashing those same servers.

    That's my 1/50 of $1.00 US
    JM
  • windows is not a virus. A virus actually does what it was intended to do, usually quite fast and efficient.
  • strictly speaking it would be viri..
  • If distributing virii is illegal, people will eventually have to stop using Windoze... ;) After all, by copying anything from a Windoze box, you run the risk of distributing an unknown virus... ;) Come to think of it - it's coming from Finland, where Linus comes from... A conspiracy??? ;)

  • AC said: And I'm interested in nitro-glycerin and fertilizer bombs. Does that mean I shoudl be able to play with them?

    Yes, it does. If everybody who wants to play with explosives, weapons, and other dangerous things do, then they won't live to reproduce and spread their idiocy through the gene pool.

    Or they might get very rich and establish a prize fund for people making notable acomplishments.
    Like a certain Mr Nobel did...
  • It looks like the subject is any program that endangers data systems. Ergo this also covers exploits and intrusion software.

    True.
    The direct result is that if I download/keep intrusion/exploits on my computer in order to develop security fixes for them or test if my machine is vulnerable I am a criminal.

    False. The proposed law I read (I didn't go looking for the passed law, but I'm assuming it didn't change for worse) specifically and strongly emphasizes malicious intent. Writing and distributing exploit software is allowed as long as you haven't got malicious intent. Even writing and distributing viruses could be considered legal, if the prosecution cannot prove that you had malicious intent (or IRL: if you cannot prove that you didn't have malicious intent when spreading that virus you are considered a criminal you probably are).

    So, let me summarize: you are allowed to do pretty much everything you were allowed to do before this law passed (even write viruses to find out if you can), but as soon as you distribute something that is clearly a virus or malicious program or instructions to write those things, you can pretty much bet on it that unless you can clearly state to the investigating police or the court that you didn't have malicious intent when doing so, you are a criminal as far as the Finnish justice system goes. This may sound harsh, but the truth is that the police won't investigate a thing until something bad happens, so you don't have to worry about the police even if you develop and distribute software that searches for vulnerabilities, as long as you clearly state that the software is for enhancing security, not for compromising it.

    I believe that to find out how this law works in practice, we need a case or two going all the way up to the supreme court. I trust that if/when that happens that Slashdot will be there to tell you stupid Americans how we handle things here in Finland (we handle things the right way, Slashdot just reports them the wrong way (I'm serious)).

    Oh, just to let you know, I think that the passed law is A Good Thing, even though it doesn't allow us to sue a certain William Henry G. for distributing software that obviously is harmful to computers, unless we can prove that he had malicious intent.

    - HoppQ - Now where's that Babelfish for legalese?

    PS. I don't think that all Americans are stupid. Neither are all Finns. Those Americans who name their kids William Henry even though they know for certain that he will end up called Bill are idiots. Bill isn't even a proper name if you ask my opinion (so better not ask).
  • IANAL but unless I am way off, you would have nothing to worry about. The law is directed against the intent to do damage by way of virus, trojan, etc. rather than the mechanism itself. Trojanning to get around a balky OS seems completely acceptable IMHO.
  • by Anonymous Coward
    This summer I was approached by my project leader and told that in order to do the neat little things on our embedded system that we need to do, we have to write a virus (really more like a trojan horse, the details of which I can't discuss, sorry [NDA]). Now, we're the makers of the embedded hardware and the software that runs it. Acording to this article, I would have been arrested just for doing my job! This also means that Finland cannot purchase any new versions of our product because it intentionally contains a non-destructive trojan horse! How rediculous is that? Somebody needs to get slap happy with the clue stick. I'm getting tired of beaurocrats making decissions based on a common wealth of ignorance. Just because some program is masqueraiding as another program does NOT mean that it is malicious in nature. In this case, the trojan horse approach is a saving grace! There would have been no feasable way of doing the same process without tricking the embedded OS into thinking that our program (trojan-horse) was something that it was not. The OS just wasn't designed that way.
  • produces or makes available a computer program or a series of program commands designed to endanger data processing

    Hmm. Could that be a loophole? What about a virus intended merely to spread, not actually to mangle everyone's data - a payload-free virus. Which would generally tend to spread more easily than a malicious one.

    (Of course, many viruses can cause damage without intending to do so, generally because the writer is a bit crap at it.)

    makes available instructions to produce a computer program

    This is, of course, a lot more worrying, as it affects not only the writing of viruses but the writing of anti-virus software. But then, sometimes the AV companies behave at least as dodgily as virus writers. ;-)


    --


  • Just because people think Back Orifice = Virus, or Back Orifice = trojan, or even that Back Orifice = rootkit, I thought I should explain that it is none of the three. It posseses none of the characteristics of a virus, trojan or rootkit. (It can be PART of a trojan, it can be used to implement a rootkit) In reality it's only a remote control system, not unlike PCAnywhere. It just happens to be stealthy.

  • Actually, if memory serves, and if what I read was true, all Americans who own a computer, a modem, and a communication program are guilty of the same crime they put Bernie S away for. What was it again?
    --
  • by arivanov (12034) on Thursday September 23, 1999 @07:19AM (#1664976) Homepage
    The cite does not post the full document. From what is posted it is actually much more reactionary than you expect.

    It looks like the subject is any program that endangers data systems. Ergo this also covers exploits and intrusion software.

    The direct result is that if I download/keep intrusion/exploits on my computer in order to develop security fixes for them or test if my machine is vulnerable I am a criminal.

    This also renders rootshell, insecure.org and bugtraq illegal for hosting and potentially reading (don't you love netscrape and IE for saving cached copies on your machine ;-) in finland.

    Overall the information is rather scarce but this seems to be even worse then the recent AU censorship showdown.
  • by Tom Christiansen (54829) <tchrist@perl.com> on Thursday September 23, 1999 @06:20AM (#1664977) Homepage
    Virus is a second declension noun (-us, -i, -o, -um, -o; -i, -orum, -is, -os, -is), so technically, its Latin plural would be viri, not virii
    Actually, it's rather more complicated than that. You're thinking of 2nd declension masculines. Virus was one of the rare 2nd decl neuters, like vulgus, cetus, and pelagus. These rarae aves did not inflect by changing -us to -i; they were irregular at best, and generally invariant. Virus was also not a count noun, but a mass noun.

    It's even possible that virus pertained not to the second but to the fourth declension, which would change the matter as well.

    The word becomes invariant in most modern languages, but for some reason, English elected these viruses rather than *these virus as one might otherwise expect from the modern Romance tongues.

    You can read Far More Than Everything You Ever Wanted to Know about The Plural of Viruses [perl.com] if you'd like.

  • So, you are right, we Finnish programmers really should move to a country where you can't walk in the wrong street without getting shot (and it's possible to buy guns from nearest grocery store), where exporting and importing crypto is illegal, where everyone doesn't have a right to get social security or homes, where public swearing (in front of women and children) is forbidden in some places, where you must be married to live in same rental apartment with a woman, where only rich people can have any kind of justice or security, where people are lawfully murdered by the goverment, where politics are more like a joke......

    Well, these were just a few (only slightly exaggerated) points which popped to my so-empty mind...and yes, I know there are some opposite points too. So does one idiotic law matter? It may suck, but not THAT much...

    But most importantly, neither would I now be studying nor possibly would Linus (I'm not sure how rich his parents are) have gotten his master's degree, if we had lived in certain-other-country where studying CS costs about $10,000 a year more...

    Back to the matter; putting the idiots in the parliament to take an exam in computer security before voting might have been a good idea... And yes, this isn't the first idiotic law they've made...

    There's also one common reason for some of such laws; the police can't get a search warrant for crimes that can only get less than 6 months of jail.

    Well, don't mind my rant...

  • I can't think of a country that meets all of those criteria; perhaps you could reveal where this mystery country is? I can't think of any country that's all of the following: full of danger and homelessness, has laws that prohibit unwed persons from sharing a dwelling, a lack of free speech, where citizens aren't afforded any government care for their health, housing or food, AND where crypto laws are similar to those of the United States. Is this country you speak of in Europe? Maybe Asia? I'm glad I don't live there.


    --
  • by Anonymous Coward
    Calm down.

    The article very clearly says:
    "The intention to harm becomes the primary criteria for bringing charges". The primary criteria. I also verified this from the finnish (paper) version.

    It is not enough to bring up charges if you just distribute a virus, there must be proof of intention to harm. Before this law, you could've spread a nasty virus to every single PC in Finland, but if the authorities found it a couple of days before the activation date and all the viruses were killed, you could have walked out with no charges.

    Kinda like if someone's threatening to kill you, and the police tells you to call back when you're dead, because there is no law making anything else than murder illegal.

  • the latin word "virus"(which translates to venom) has a plural case of "viri." the English word "virus" (derived from the latin but not the same word) has a plural case "viruses" BTW the latin word for man is "vir" whose plural is also "viri"
  • Thanks much, of course, for the Kudos. I got marked redundant, which wasn't true when I was writing the post, only after it showed up. But oh well.

    I think the "Intent to do harm" phrase is not regarding the virus code itself, but rather the mindset of the creator. This is, of course, much harder to prove than the former case, but it makes a whole lot more sense. My guess is that there was never a plan to punish people for having malicious code on their machines *unless* it was freely available for download or they intended to use it in a naughty, naughty way. This negates the worry that an AV researcher's code will cause them to be convicted, since I think lots of people here are slightly misreading the article. Malicious code is fine to have on your computer, as long as you don't distribute it and don't intend to use it to do harm to a machine that is not yours!

    Intent is always a hard thing to prove, which is why so many murders get reduced to manslaughter on the bargaining table: the DA can never be sure he's going to convince a jury. The same trouble will show up here, I believe, and we'll probably see a few cases where the perpetrator gets a plea bargain, simply because the evidence of intent is not present, but it is frighteningly clear that that was the intent (from a handle like "My_ViRuZ_WiLL_oWN_yOO" or something along those lines.)

    Anyway, some people may think that this is a rights violation against the Finnish people, but I can't agree. Of course I'm one of those "gun control nuts" as well.

    Regards, and I'm sorry if this strikes you as a rant,

    -efisher
    ---
  • Don't get too cocky just because you run linux. Ever downloaded a binary (perhaps an rpm) and installed it? or maybe run someone else's binary as a user, then done an "su"?

    unless you're really damn cautious, you are vulnerable.

    and since a good rule of thumb is that anyone with an account on a 'nix-ish box can probably get root some way or another, you have to be more careful than you'd think...
  • by Anonymous Coward
    As you said, but I will say more succinctly:

    The purpose of the law is so that if and when a virus writer is caught, s/he can be squeezed so hard that his/her eyeballs pop. Not to indiscriminately prosecute the victims of the virus for inadvertantly spreading it.

    Sounds good to me.

    Children used to get spankings for the old-days equivalent of virus-writing.
  • Kudos to gleam for actually reading the source article before posting an opinion! (I don't have time to list all the counter examples. You know who you are.)

    That said, I agree about the intent of the law but must respectfully disagree on its likely effect. "Intent to do harm" is one of the crucial deciding factors. I expect the lawmakers are not entirely clueless and intend to apply this to the person/entity (potentially) being prosecuted, and not just to the virus itself. Even so, the Finnish AV community will have to jump through unaccustomed hoops in order to avoid prosecution.

    How will an Finnish AV researcher make a new virus, or information about a new virus technique, available to other AV researchers and reasonably expect the information will not also be used for harm by anyone at any time? Claiming ignorance may be a good defense for the casual computer user, but how could an AV researcher claim to be ignorant of the potential harm or potential misuse?

  • Strictly speaking it would be viri..
    Nope: it was not a 2nd decl masculine. It was more like "vulgus", "pelagus", or "cetus", which were 2nd decl neuters. It may even have been a 4th decl neuter. See this article [perl.com] on the matter.
  • Slight exaggeration doesn't even -begin- to cover what you said in the first paragraph if you are talking about the U.S. heh. More like some things blown wildly out of proportion and others total fabrications. :) Makes me wonder what sort of things most people -really- think about the U.S., since I know a lot of total -fools- who think we still ride horses to school/work in Texas. Gaahh! The idiocy.

    My making light (that is, making humorous [!?] comments) about the subject is my usual style of reaction with regards to something so patently ridiculous as that law seems to be from what that article suggested. To be honest, I wouldn't move or give up programming, I'd try to get the law changed. At any rate, if that article is indeed accurate as far as that goes, "suck" doesn't even -begin- to describe that law.

    And yeah, even though your comments in your first paragraph were a little "off", every country has a good number of incredibly stupid laws, past and present (ugh.. CDA.. blah!).

  • What a bunch of wankers. The Finnish government passes a law which makes it easier to prosecute the miscreants who write and distribute malicious code, and you all whine about it. Laws exist to prevent the evil minority (murderers, rapists, thieves, arsonists, etc.) from harming the innocent majority. The next time some asshole vandalizes your car, how happy would you be if the judge let him go because jailing him would violate his civil liberties and deny him his freedom of expression?

    Vandal: "I wasn't vandalizing his car, your Honor, I spray-painted it as an expression of my artistic individuality."

    Judge: "Case dismissed."

    Every human endeavor can be justified by someone. Yes, there might be some legitimate reason to write a program which formats the hard drives of complete strangers, but I'm sure the Unibomber felt justified, too. I know, it is very popular to bleat about any percieved limitation of human rights, but can't you resist the temptation once in a while and use your brain instead?

    Remember that to the Iraqi government, one of their nationals who wrote a program which attacked all *.gov addresses would be a freedom fighter. To us, he would be a terrorist. No, I really don't care that someone sits in the privacy of their own home and write virii with incredibly destructive potential. I guess it is good intellectual exercise. However, if that virii gets distributed, intentionally or otherwise, then the author should face the consequences.

    'But your Honor, I didn't mean for the super-toxin I formulated in my kitchen to escape into the outside world and poison millions of children. I designed it to kill rats in my cellar. Honest!"

    "Case dismissed."

    And do you know what? Even if the Finnish law does criminalize the mere writing of virii or trojan horses, I don't care, either. It is against the law to build bombs in your basement, as well. "But I need the intellectual exercise! My cerebral cortex was getting flabby!" Read a fucking book. The library is full of 'em.

    Lastly, no one will KNOW that you are secretly concocting virii or trojan horses in your basement if you don't distribute them. If you are breaking the law and are such a dork that you are publicizing the offense, you deserve what happens to you. "But it is my RIGHT to distribute the fruits of my intellectual endeavors!" Or: "It is for educational purposes only!" Yeah, right. And the links to cracks on www.astalavista.box.sk aren't really intended to be used by anyone. How about putting a bowl of poisoned Snickers in a busy shopping mall. Put a big sign above it that says "DO NOT EAT - DEATH WILL RESULT IMMEDIATELY." Put it in multiple languages. I'm sure the judge will be lenient when you explain that it wasn't YOUR fault that anybody died. You were merely the distributor, and you DID put a disclaimer!

  • What about a potentially valuable tool like Back Orifice or even Microsoft's remote registry editor?

    BO is considered a virus by many but isn't. It's a program. But the question is, would a Finnish Court see BO as a virus?

    What the world doesn't need is knee-jerk reactions from people who aren't knowledgable enough about the topic.

    I conclude that the Finnish Gov't doesn't understand the problem and has crafted a typical, beaurocratically inept response to a problem.

    The protect of a computer system is the responsibility of the sysadmin/user.
  • And most of the other "remote administration tools" for Windows can hide using similar meathods (well, mabie not acting as an explorer.exe thread, but then that's just a Neat Trick(TM))

  • Helsinki News Service: "Man yells fire in crowded theatre, dozens trampled. Government responds by banning use of word 'fire'."

    Seriously, my first introduction to virus protections came at a PCUG meeting. The speaker was explaining how to protect yourself against virii. He proceeded to write a virus in ten lines of DOS batch file code. Then he tried to infect the demo computer with it. It failed of course, but seeing exactly how a virus worked was very helpful.

    Question is, what possibly criminal act was he committing?
  • You've completely missed my point. My point is that in the mainstream the term "virus" has been used for trojan horse "programs" or whatever you want to call it. How are these terms defined, and how can this definition keep coders clear if they have a nasty bug in their code.
    Don't bother responding, I already have the answer.
  • This is great actually. Now, when I move to cyber-Helsinki I won't have to worry about cyber-STDs and what not!

    ~Caliban
  • the latin word "virus"(which translates to venom) has a plural case of "viri." the English word "virus" (derived from the latin but not the same word) has a plural case "viruses"
    Please supply a classical citation of your assertion. There is no neuter 2nd decl -us noun that goes to -i in the plural. They are all (four) of them irregular.

    I have a classical citation that shows virus being invariant in the genitive. I challenge you to produce any classical instance of virus in the plural.

  • by Kitsune Sushi (87987) on Thursday September 23, 1999 @08:37AM (#1665007)

    Ha! At least I qualify my statements. I never claimed to be some "big expert" in Finnish law.. not like you apparently are in American law.

    "In Finland, judges are allowed and _expected_ to use common sense; not a common thing in the States."

    That's the ignorant thing I've ever heard in my life (well, not really, but it has some ranking there).. The Judicial Branch of the U.S. government is actually one of the best places to look for intelligent decisions. Can you even begin to /imagine/ all of the idiotic laws the U.S. would have if the Judicial Branch didn't rule against them? Ha! Of course, it seems interesting that the people with the most "well-researched" opinions on American law (or the U.S. in general) can't even speak proper English.

    The stuff in between is even less worthy of remark..

    "But you're american, and there this kind of thing would surely happen. - USA created Bill, Finland created Linus -"

    How in the hell does that register in someone's brain? Is Linus the leader of the Finns? heh. Besides, Linus isn't all that remarkable if you don't consider his programming ability. If not for Richard Stallman (or is he Finnish too? yeah right) Linus wouldn't have had a GCC to play with, would never have thought of something like the GPL (if you disagree on /that/ point, perhaps you should do more research on how their political viewpoints differ as far as software is concerned), and it's really doubtful he'd have put together an entire OS by himself without the help of the FSF. By then we'd all be using some flavor of BSD, anyway. heh! As much as I love Linus, all he is is a really good hacker. We have Stallman to thank for the current state of affairs in the software community, for it was his philosophy, whether you agree with it or not, that set it all into motion. And he's.. oh no! American! He's even an atheist. Scary.

    At any rate, the U.S. has many people living in it. Rating an entire country by one person is biggotry of the highest order. I'm moving to Canada.. permanently.. as soon as possible. Why? Because I don't think Canada sucks just because I hate Alanis Morisette. heh!

  • Alot of the lame trojan virii out there are just regular programs that do funky-ass stuff when you execute them. Does that classify as a virus? They're technically just programs where the does not know the effects of it. When the user is stupid enough to execute something he/she doesn't know the effects of, does that still make it a virus? Most of this I've been assuming is media misrepresentation of the term 'virus'.
  • And how will virus researchers identify techniques to look for with their scanning software if they can't write viruii to test their ideas in a sandbox?

    It's as bad as the suggestion to outlaw using software in a manner for which it was not intended, which stops administrators from securing their systems from criminals.

    This is very poorly thought out.

    --
  • remember the Melissa virus? That guy was tracked down like a dog.

    If I recall correctly, they managed to track him because he had used MS Word (with it's little namestamp "bug") to generate the macro, and they could relate that to an identical namestamp on a document he had posted publicly. This isn't going to help for non-macro virii, and in any case, is there anyone out there that DOESN'T patch that off these days?

  • Hmm, what worries me is the "no actual damage need be done" part. I think that regualtion of behavior was based on _impact_ to society.

    I think all governments would do better to strike laws that regulate non-harmful behavior than to make up laws against behavior that is potentially harmful. Intent is difficult to judge at times. Damage is pretty clear.

    That said, my remaining question is: Was it actually legal there to cause harm not _danger_ to data processing systems. Why did they feel the need to pass this law?
  • by substrate (2628)
    This sounds too far reaching. If distribution is illegal then what happens to valid research? Somebody needs to write anti-virus software. What about accidental distribution? If I accidently infect some computers in my workplace and have a troglodyte for a boss could he accuse me of breaking the law and have me carted away? Sure, when it comes to court I'd probably be exonerated but in the mean time my reputation will have been damaged.

    Virus distribution should be illegal in the same way vandalism is. You can carry around rocks and bricks without breaking the law, use those rocks and bricks for vandalism and you do break the law.

    I really feel a bit strange about this. I think anybody who writes a virus for the purposes of infecting anybody should be locked up, but from an intellectual point of view they're very interesting.
  • Isn't this partially why we (well, most of us) run an alternative OS, so that virii are not a worry?

    So you see .fi, you don't have to really outlaw virii, just outlaw Windows and the virus problem disapears, afterall, only root can truly screw a linux system over...
  • It will be very interesting to see the definitions set to test if a bit of code or program is a virus or not.

    Seeing as any code fragment could be incorporated into a virus will this effectively outlaw coding?

    To quote from the article

    the Bill cites the offence as a catch-all "Causing danger to data processing systems".
    Now call me paranoyed but this seemes a little too general... Will this also be extended to bugs in opperating systems that cause 'danger to data processing systems'?

    LES..

  • The idea is that when you have written virii and sent them out to get all the innocent WIN9X users the governament will only have to prove you wrote them - not necessarily that you lauched them. Or if you have a group and one member is only writing code for the virii he can be prosecuted too.

    Executive Summary: No-one will be behind your door to examine your hard disk without some other evidence against you.

    --
    Pirkka

  • Does this also apply to Macro Viruses/Virii ?

    There wouldn't be a problem with virii if the dam virus writers would just keep the bloody things ONLY on their systems.
  • I must say that, being a Finn, and having read the original article as well as the legislation proposal in Finnish, you are exactly correct in your interpretation. Seems to me like some 90% or so of the articles for this topic are written based on false assumptions or misunderstanding of what the proposed change to law is about, or actually says.

    I did not read the entire proposal in Finish, but it has a quite long discussion about viruses and worms and the current state. There is also a mention that the Netherlands, Italy, Switzerland and Russia have existing legislation about viruses or which can be applied to viruses used for malicious purposes.
  • Except, to get the virus FROM Finland ONTO geocities, you need to 1) write the virus, then 2) transmit the virus.
    Thats illegal under the new law. Its not just storing the virus, its writing/spreading/storing the virus which is illegal. To get round this law, you need to fly to the US/UK/Anywhere, write the virus, upload it somewhere, then go back home.

    Actually, what happens if someone outside finland stores in on a free homepage service based in finland (are there any? I dont know of any, but I assume there are)?

    Are the webspace providers liable?
    --
    David Taylor
    davidt-sd@xfiles.nildram.spam.co.uk
    [To e-mail me: s/\.spam//]
  • The concept is admirable, but as with so many worthy concepts when the parliamentarians get a hold of things, the end result isn't normally worth a jot.

    The phrase quoted in the article, "Causing danger to data processing systems" - is that too vague to be meaningful or too ill-defined to be useful?

    The trouble with clauses like that is that they have to be very loosely defined otherwise loopholes will appear all over the shop, but by defining things loosely you'll make charges tough to stick. QED.

    When is a virus not a virus? As has been pointed out, anti-virus software might be a little tricky to write. More though, obviously there's an element of intent to this, but we've all written silly mistakes which have had unfortunate repercussions - do they count?

    I'm on (like many other /.ers I imagine) the BUGTRAQ mailing list, while it doesn't distribute virii it does tell you how to replicate potentially damaging security flaws, does having those mails on my system count?

    Nice idea, though, we shouldn't necessarily chastise them too much for trying!
  • I just live here, but all the texts I've seen have been in Finnish. Admittedly in Finnish that sometimes is almost as hard to understand as Latin, legalese being the same everywhere. :-)
  • The problem with outlawing, say, the writing of books on making bombs is that it's entirely too close to outlawing THINKING about making bombs. And as we continue to outlaw more and more kinds of thought...

    Don't answer your door when they knock at midnight.
  • by Anonymous Coward

    I don't have any comments on the subject at hand, i just want to comment their news value.

    I happen to live in Finland at the moment and well, im a regular slashdotter. And yes, im a bit amazed to see 2 news headlines about Finland. Well, im not amazed because of the amount of headlines but because of the topics! Man, who reports this stuff ? HPY has been creating this virtual Helsinki for years and making virus distribution & writing them has been a headline aint so new thing at all. IT Media has been talking about this for quite some time now.

    Btw, Nokia has prototypes of those 'cellphone-digitv-browser' thingies allready. Someone with a good scanner should post those pics. (Check out last Tietoviikko!)

  • This is not new in Europe. The Netherlands has some quite tough laws on even possessing virii since the early ninety's.

Facts are stubborn, but statistics are more pliable.

Working...