Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
News

Why Worm Writers Stay Free 373

savaget writes "There is an interesting Wired article explaining why worm writers are getting scott free despite their destructive deeds." Nothing really new: overworked law officials, bragging worm writers, you do the math ;) I still find it amazing. The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.
This discussion has been archived. No new comments can be posted.

Why Worm Writers Stay Free

Comments Filter:
  • by ergo98 ( 9391 ) on Thursday December 27, 2001 @10:59AM (#2754898) Homepage Journal

    SirCam contains this text in its code: "SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico."
    Smith has a hunch that the author of SirCam is or was in Cuitzeo, and is probably a student. Cuitzeo is located 16 miles from Morelia City, which boasts a large university.

    Talk about a blinding flash of the glaringly obvious...

  • Why don't these people put their worms to work doing somethign constructive? A SETI/RC5/whatever else you can do distribured worm would waste even more bandwidth, but at least it would have a purpose beyond just screwing things up.
    • by arrow ( 9545 )
      It has been done. I can't remember off the top of my head which one, but I cleaned up a virus infection about a year ago that installed the distributed.net client.

      Its gotten bad enough that Symantec has posted a KB article on it, here [symantec.com].

      Distributed.net also has a trojans page here [distributed.net].

      ---
      www.symetrix.net
    • If you want to write a "constructive" virus, let me make a suggestion:

      Target the mail-spamers. Go looking for the popular spam-blaster software and alter it to send 100,000 e-mails an hour to the Whitehouse. Locate 10,000,000 e-mail addresses in a file and randomize the domain and username. Alter the body-text of the out-going message to delete all telephone numbers, e-mail addresses, URLs, etc, and add a message including the senders real e-mail address, phone number, and whatever else personal info can be gleaned from their system configuration. Send pro-terrorism rants instead of adverts and make sure the FBI is on the list of recipients.

      I mean, if you are going to cobble together a few dozen lines of VBS, why not make it do something USEFUL?
  • by Hatechall ( 541378 ) on Thursday December 27, 2001 @11:06AM (#2754926) Homepage
    Because all the spare law enforcement officials are giving me traffic tickets.

    Rolling stop my ass.
  • by Christianfreak ( 100697 ) on Thursday December 27, 2001 @11:07AM (#2754927) Homepage Journal
    "Forget that it may be problematic to extradite the individual, or that they may be young, or claim to be doing 'research.' We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."


    This is the sort of thing that really pisses me off. Not to say that virus writers don't do damage or even that they are not criminals but how can you compare a computer glitch to killing 3000+ people? These virus writers are kids with too much time on their hands, they aren't terrorists! The solution isn't to toss them in jail or throw away the key, the solution is to get them to do something useful with their skills and then to use products that don't have so many security problems. </rant>
    • Well said. Just my thoughts...

      As one reader in an earlier post, people who write bad and insecure code have an equal hand in security compromises.

      Most of the worms and virii are being coded by teenagers or kids who just do not have an idea as to what they are doing.

      Think of this, why are people allowing their systems to be compromised again and again? A hack is a different thing, a worm/virus is a different thing. When there are so many different worms/virii, it cannot all be squarely blamed on the creators. The makers of the softwares should own up responsibility for writing bad code.

      Why aren't other operating systems as vulnerable as the Win* platform? It is not like there are not enough people willing to write worms in Linux or FreeBSD. It is just that it is not that easy to.

      Most of these people are kids, for God's sake!

      Writing a computer worm to show off to your friends is akin to showing off your driving skills. It is just a means of getting recognized by the peers. These people should just be taught that writing bad code is harmful. To compare it to heinous crimes and huge losses is just plain stupid.

      If it also causes harm, that is largely because of the immaturity of the technologies. If sysadmins regularly patched up their softwares, and if programmers wrote secure code, the effect of these worms will steadily decline.

      But how many admins bother to administer the latest patch? And how many software companies bother to get out good code? It is plain stupidity to blame it all one some poor nerd out there.
    • by geophile ( 16995 ) <(jao) (at) (geophile.com)> on Thursday December 27, 2001 @11:30AM (#2755007) Homepage
      Your posting says that virus writers aren't terrorists because what they do doesn't compare to killing 3000+ people. Then your sig compares Bill Gates to Hitler.
      • Thank you for cathing that, I rarly ever read sigs! HAHA, wish I had some mod points!
      • Not that I fully agree either, but one possible defense: just how many man-years has Gates' commitment to insecure OSes and ruthless trouncing of all would-be competitors cost?
      • That sig may compare Gates to Hitler, but only in ideaology. It doesn't say Bill should be treated like a war criminal. Indeed, there are many people that think like Hitler, but they havn't acted on the urge to go kill thousands of people.

        I happen to like a web page that compares Margret Sanger's ideaology with the Aryan ideology. It doesn't say she should be(have been) hanged for crimes against humanity (because she didn't personally commit any).
        • I happen to like a web page that compares Margret Sanger's ideaology with the Aryan ideology. It doesn't say she should be(have been) hanged for crimes against humanity (because she didn't personally commit any).

          Wow. Before now, I wasn't sure what a libruhl Freeper sounded like. Here's a link [nyu.edu], in case anyone is wondering why this fucking clown thinks someone who was persecuted and prosecuted for spreading information about preventing STDs and unwanted pregnancies is the moral equivalent of a Nazi sympathizer.

          If you have a problem with Nazi supporters in the US, you need to look to the right and not to the left. It sure as hell wasn't wobblies, unionists, and labor activists who bankrolled that monster. Think bankers and industrialists, and particularly think the Bushes.

      • Well in defense of my sig, its meant to be humorous and ironic. Besides war criminals and terrorists are too different things.
    • by dillon_rinker ( 17944 ) on Thursday December 27, 2001 @11:32AM (#2755011) Homepage
      Terrorism doesn't necessarily imply killing people. The classical terrorist (ie, the one that exists mainly in poli-sci courses) blows up generators, water plants, radio towers, etc in an effort to destroy the public's trust in the government's ability to protect them. Someone who targets civilian infrastructure meets the threshold for being a terrorists. There's obviously a gradation; those who target large numbers of civilians are also terrorists (duh) but that doesn't mean that someone who blows up an empty building isn't a terrorist.

      Furthermore, I would argue that you don't need to have political objectives to be classified as a terrorist. If I blew up a generator station because I think it'd be cool to see, I think it would be valid to classify me as a terrorist. This gets kind of tricky, because it'd be easy to categorize an arsonist as a terrorist, or a vandal, but I digress.

      Anyway, the obvious analogy is that someone who targets information infrastructure (ie worm writers targeting email servers) is a terrorist. And don't argue that the analogy doesn't hold simply because there's no no permanent damage simply because it can be repaired. That's like arguing pulverizing every cubic inch of a building isn't permanent damage because it can be rebuilt. Don't argue that there's no real costs associated with worm attacks - do you think net admins work for free? (If so, I've got a job for you :) I'll grant that most costs are overrated.

      Counterpoint - if blowing up a building is terrorism, why not burning it down? Should arson be considered terrorism? What about insurance fraud - if I burn down my old barn for the insurance money am I a terrorist? What about vandals? There's a continuum of crimes against property, as well as crimes against people; where do we put "terrorism" on that continuum? We must be cautious in verbiage used to define "terrorism"
      in the law, lest the crime be placed further down the continuum than we want.

      Counter-counter-point - arsonists rarely burn down every building on the internet; worm-writers at the very least have in their minds the idea that they could take out every email server on the internet (basically a DOS attack) or every workstation with the targeted OS(s) by wiping their drives after re-launching.

      C
      • TERRORrism (Score:4, Insightful)

        by markj02 ( 544487 ) on Thursday December 27, 2001 @04:07PM (#2756003)
        Terrorism implies creating terror. I'm sorry, but most people are simply not scared by the prospect of finding a virus attachment in their E-mail: it is both common and easily dealt with.
    • The problem is half the time they are not kids with skills. They just download a exploit [done for research] adn use it [for fun].

      How many of the attacks where kids are involved were actually invented and written by kids?

      Besides yes it is terroism since its mischief on the grand scale. Like it or not the internet is a mass communication medium and its a "way of life" for some people [some == growing].

      That's like taking down the entire california telephone network and claiming "I'm bored". Not only is that dangerous [no 911 calls] but its disruptive to literally millions of people.

      Tom
    • by Ami Ganguli ( 921 ) on Thursday December 27, 2001 @12:13PM (#2755156) Homepage

      Over the last few months the word "terrorist" has lost all meaning. I also heard the other day that child pornographers were being called terrorists. And of course the Isrealis, Palestinians, and Americans are terrorists, depending on who you ask. I'm sure the people who set fires around Sydney were terrorists too. Nowadays a terrorist is anybody you don't like.

      The old definition of terrorist was somebody who used terror as a tool to some political ends. Basically, if you can't defeat your enemy in a head-on attack, you choose an easy target calculated to demoralize the enemy.

      It's too bad, because 'terrorist' really was a useful word. Now that it's being used so broadly there's no concise way to talk about 'classic' terrorists.

    • The solution isn't to toss them in jail or throw away the key, the solution is to get them to do something useful with their skills and then to use products that don't have so many security problems.

      Great idea! Take a kid who obviously has no respect for other's property, and hand him the keys to your enterprise system! By the time he's done, all the backdoors, security holes, and other problems will be patched, except for your script kiddie's backdoors. Then, shoot the script kiddie. No known security holes, and one less 1337 haxor - everyone wins!

      The one flaw in your plan is that the folks that make these worms are, for the most part, social backwards (no respect for others' property or lost time, and usually from a middle-class background, so they don't know how to really work for a living), and don't have a great set of computer skills, outside of those needed to find holes. It's a bit easier to find and exploit holes then it is to find and patch those holes, so the assholes will always have the advantage.

      Personally, I like the Kevin Mitnick treatment - put 'em in jail for a while, away from computers, then put them on probation, again without access to computers. If you are too socially retarded to play the game right, then you'll have to sit on the sidelines. Too bad these kids are privileged enough that their parents could hire lawyers, and parents are brainwashed into thinking that computers are necessary for their kid's education...

  • by saint10 ( 248611 ) on Thursday December 27, 2001 @11:07AM (#2754929)
    A multi-billion dollar industry was created by writers of malware; anti-virus, tripwire, IDSes. Why would any large security company want malware authors to be caught?
    • by ackthpt ( 218170 ) on Thursday December 27, 2001 @12:24PM (#2755193) Homepage Journal
      Ages ago, there was something of a scandal in the news when a prominent anti-virus company CEO warned of a doomsday of a new virus or worm making the rounds. Of course, sheep bought the software, but nothing much materialized and the CEO resigned in disgrace after being accused of trying to create a market by scaring people, some people went so far as to suggest the particular company was actually the orgin of virii and worms. Wish I could remember who that was, maybe this is article alludes to it [vmyths.com] (the Michelangelo virus)
  • *gulp* (Score:4, Insightful)

    by hiryuu ( 125210 ) on Thursday December 27, 2001 @11:09AM (#2754933)
    "We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."

    Terrorists? Virus writers are terrorists? Keep it up, boys, and the word will lose all meaning and everyone will be desensitized to what it really means. Sheesh.

    Obviously the legal system doesn't see them as such, yet, from the details of the article.

    • Re:*gulp* (Score:4, Interesting)

      by Silver222 ( 452093 ) on Thursday December 27, 2001 @11:13AM (#2754947)
      Everyone is a terroist now. The meaning of the word has been so diluted because everyone with an agenda to push labels people they don't like as a terrorists.


      Pretty soon you won't be able to sneeze in a subway car without someone accusing you of biological warfare.

    • What's scarier than that is legislation designed to target and punish terrorists (or "suspected terrorists" - remember, kids, a trial is for deciding punishment, not guilt!). The more people who get classified as terrorists, the more people potentially deprived of civil liberties.

      Gah.
    • The disconnect, as I see it, is between what these worms have the perceived potential to do and what they actually do. Which is, actually, the case with much potential terrorist acts.

      Two popular (among gov't theorists) scenarios are a terrorist poisoning a reservoir, or piloting a cropduster loaded with biological agents over a city. Yet neither of those seems to have yet happened. Likewise, if nukes are so "easy" to obtain on the black market, why haven't we seen any suicide bombers with them yet?

      Now, consider a worm designed to, say, sniff out the settings (including passwords) needed to gain root-level remote access to a large, typically insecure company's network. Perception: the hacker could, say, add himself to the company's payroll, with money going to a Caribbean or Swiss bank account, or just transfer much of the company's liquid assets to same, and that's just the easy stuff (not counting corporate espionage or, for companies with a lot of intellectual property, copying the IP - say, stealing the Windows source code with intent to post to the world). Reality: these programs almost never go beyond mere defacement or disablement of the systems, and spreading themselves; deeper hacking would require personal involvement and actual malice that the script kiddies usually lack (for example: even if one had complete access to Microsoft's networks, it would take ages to gather and document for public release even a mere majority of the Windows source code).
  • by Adversive ( 159469 ) <adversive@@@adversive...net> on Thursday December 27, 2001 @11:14AM (#2754951)
    I answer Webmaster e-mail for Velocitus Internet Services [velocitus.net] and I typically receive about 150-200 SirCam virus e-mails every day.

    As SirCam virus e-mails average 250kb per message, each month we pass over a gigabyte of bandwidth on this crap.

    I wonder if its possible to approximate how many dollars worth of bandwidth and lost productivity have been lost to these kinds of worms. I don't see why the authors shouldn't be prosecuted more harshly. This is just large-scale vandalism that raises the prices for everyone else to make up for it.

    • As SirCam virus e-mails average 250kb per message, each month we pass over a gigabyte of bandwidth on this crap.

      Hmmm. You've probably got T3 or better pipe, but lets say you only have a T1 (1.5 Mbps). A GB takes a only a couple of minutes of your monthly bandwidth capacity. You're incensed at this? You're going to devote major efforts to stop it? If so, you don't have enough to do to keep you busy with business mission-critical work there. Less than 1% of bandwidth capacity is just noise.

      Of course, destructive worms are a much different matter, and where worms destroy systems and data causing lost productivity, overtime, and business losses I agree with you, somewhat. But clueless choices to use Microsoft software are where the blame really should be placed in such circumstances. The worm/virus writers are just opportunists preying on fundamentally insecure Microsoft based systems. And that's your fault.
    • I typically receive about 150-200 SirCam virus e-mails every day.

      Gosh, at this point, I'd really look into installing a good AV filtering gateway. You won't cut bandwidth in, but at least you won't be passing the stuff on.

      Oh yeah, the guy who told you kick off Windows users? He was right, too...

  • Because the Internet is a global network, authors of these worms come from all over the world, and thus there is no consitency on how they are dealt with according to local laws or lack thereof. The ramifications of such worms are not well understood by local law makers and law enforcement officials. It's quite possible that some worms could be authored by individuals or groups outside the US in which there is almost no law or order. I doubt we can justify bombing a country because of prolific worm propogation.

    So, while some sit pondering on how to prosecute the authors of such worms, doesn't it make more sense to focus efforts on preventing the problems that worms cause by eliminating the well known, published ways that the past 4 or 5 recent worms have propogated? How many email worms need to take place before people realize that the worm authors are only half guilty? End users need education. Applications (read Outlook) need to provide better ability for users to limit functionality to core functions unless otherwise needed.

    Catching the new virus writers and discovering their techniques is and always will be a game of "whack-a-mole". You slam the hammer down, only to find another one pops up in a "security-hole" somewhere else.
  • Form a posse? (Score:3, Interesting)

    by Nikau ( 531995 ) on Thursday December 27, 2001 @11:22AM (#2754976) Homepage
    OK, maybe "posse" isn't the correct term. But in the article it says that most of the information leading to an arrest of worm writers comes from people who happen to see the worm writers bragging, etc.

    So what I'm wondering is if anyone has bothered to form an organization to do exactly that, maybe along the line of CyberAngels [cyberangels.com]. Let's face it, the people who write these useless things, although they definitely aren't terrorists, are wasting other peoples' bandwidth, resources, and precious time. And they do deserve to be punished. But what's stopping the slew of arrests is a lack of manpower. Law enforcement officials can't be everywhere, they have their limits.

    So what I'm suggesting is something based off of CyberAngels. The people volunteering there track down stalkers, harassers, child pornographers, and other "cybercrimes" that go beyond the Internet and into your personal life. They do good work. My idea then, is much the same. Get people with the necessary skills, who understand the net, understand the technology, and make use of those skills to help track down all those worm writers, script kiddies, and the like.

    Personally, I think it may work. Anyone have any thoughts?

    • OK, several points:

      • Virus, Trojan, and Work authors (who disseminate their software into the open net) are criminals. The are not terrorists, as nothing they do comes anywhere close to instilling terror. They are vandals, perhaps even "mass vandals" if there is such a word, but terrorists they are only in Newspeak.
      • They should be punished for their crimes, and the punishment should fit the severity of the crime. For the record, no amount of monetary damage comes anywhere close to equalling the atrocity of a single act of violent rape or murder. Keep that in mind when pondering sentences.
      • If these worm authors really are doing billions and billions of dollars of damage here in the cosmic fugue, then perhaps the corporations so affected should put a few thousandths of a cent on the dollar where their mouths are, and put a bounty on the perps head. Say, oh, I dunno, $25,000,000 US?
      • Of course, the real damage done isn't anywhere close to the same order of magnitude as that which is claimed, which is probably one reason why a $25M bounty is seen as exhorbitantly expensive, rather than a bargain. Go figure.
      • If one more person equates terrorism with blatently non-terroristic acts, such as voicing a dissenting, perhaps unpopular opinion or committing acts of vandalism (electronic or otherwise) which clearly do not instill "terror" in their victims (except perhaps the terror of one incompetent system administrator about to loose their job and, I'm sorry, that doesn't count as widespread terror by any sane definition) I will personally bitchslap their ass to kingdom come.
    • It's an interesting concept, (and a strikingly Libertarian one actually... Who needs police when you have a posse?).

      Anyway, It reminds me about the old days(well early nineties anyway) of IRC when I used to op on one of the more family channels and occasionally some a/s/l retard would come in asking for cyber or whatever. (Click name F2 - kick F3 - kick ban F4 kick ban winnuke!).

      It sometimes came to the ops attention that there where "kiddie pr0n" people on the networks and sometimes they would DCC this crap to kids and the like. There where also a bunch of kids who would invoke the whole ping / dcc flood etc nightmare on newbies and stuff.

      After a while a whole bunch of the more technically literate among us started to fight back, invading pr0n channels, gathering evidence, and getting offenders server banned etc. On one occassion it lead to a raid by some US cops on a particularly bad offender leading to some apparently nasty child abuse being uncovered.

      None the less we where told to refrain from vigilante behaviour by the server ops, and for me that spelt the death of IRC as since we felt obliged to do as we where told, it only left the assholes with the weapons to do the attacking

      I do not intend an analogy with gun laws, since when human life is concerned , I feel it's best left to real cops, but with the sort of "emotional" damage that malicious skript kiddies and pr0nsters can do, sometimes fighting back really seems the thing to do.

      Think snort add in that DoS's back!(maybe)
  • I don't blame the worm writers. Blaming them is like blaming the rain. Rain is a feature of our planet and worms and viruses are a feature of Microsoft software. Writing a Word template, no matter how complex or unusual, is not a crime. Releasing email clients and operating systems that blow up or do really weird things when they encounter Word templates ... that's questionable.
    • I don't blame the enemy. Building a large metal cylinder, no matter how complex or unusual, is not a crime. Building a truck or a building that blows up or does really weird things when they encounter shells from said metal cylinder ... that's questionable.

      See how stupid it sounds when you give it a real world analogy? This is the same logic that says that if your house is unlocked then it's legal to rob it. If people were made to defend themselves from every threat then there'd be no need for police or defence forces. The sad thing is that some people believe this "Well, they were vulnerable, they were asking for it. They should have been more careful! Not my fault."

      Now, I agree that Microsoft needs to focus more strongly on security but people who write malicous code are still criminals, not terrorists but still criminals.

      • Yes it sounds like blaming the victim, but there is a subtle difference that makes the unlocked house analogy a bad one.

        In the case of laying some responsibility at the feet of the OS writer and the System Administrators, in the first case it is their job to make sure that their product is reasonably secure. In the second case it is part of their job to keep up with the security patches and make sure that the corporate systems are reasonably secure.

        In the case of the people who wrote the OS or software that gets compromised again and again, a better analogy might be to compare them to a bunch of builders who build houses with no locks or faulty locks that fail to keep people out.

        In the second case, you might compare the system administrator to someone who bought the house and then didn't take any action when the lock recall went out (or he didn't install it becase installing the new lock makes the toilet stop flushing...) In many cases he does this even though he lives in a hood known for its high level of break-ins and robberies.

        When it's your job to make sure the company's network is reasonably secure and the same attacks against holes that were announced months ago work again and again to compromise that security, I'd say you're not doing your job very well. Excuses may be made, like "The fix breaks 14 other things" or "We didn't have time to test it on all the company platforms." In the first case I'd say the vendor is at fault and if they can't fix the problem to your satisfaction maybe you should consider a new vendor. In the second case, I might want to send some blame the way of the CIO/CEO as the department is obviously underfunded or the corporate infrastructure is badly designed.

  • Contrary to popular belief, _nobody_ dies when someone releases a worm. Sure, the Internet gets slowed down, a headache is made for all kinds of computer people, but outside of the Internet, nobody dies. Production doesn't stop in our factories, our banks and credit cards keep making debt for people, the hospitals don't keel over.

    The world is just not that dependant on the Internet, and never will be. Worms are definitely annoying, but they aren't hurting anyone physically, ever.
    • Following that train of thought...

      We don't need to punish those that embezzle from the banks, companies, etc. Nobody dies. Production doesn't stop in our factories, our banks and credit cards keep making debt for people, the hospitals don't keel over.

      The worm writers steal resources from companies, universities, governments, etc. when they have to deal with tracking down and eliminate the worm. This is valuable time that could be used working on other issues. Just like with embezzlement, there is cost to people involved.

      btw: People make debt for themselves.
  • Riddler? (Score:5, Funny)

    by Monkey-Man ( 145523 ) on Thursday December 27, 2001 @11:34AM (#2755027) Homepage
    "Cyber criminals are like idiot Hansel and Gretels, scattering electronic breadcrumbs that lead straight to them," said retired New York City detective Pete Angonasta. "You just don't see this sort of behavior in other criminals. I've never seen a burglar leaving cute notes crediting the crime to himself. "

    This detective must have never watched the old Batman shows.
  • Punishment? (Score:3, Insightful)

    by Darth RadaR ( 221648 ) on Thursday December 27, 2001 @11:42AM (#2755046) Journal
    But even when writers are caught and brought to trial, the legal system often doesn't know what to do with them.

    Pah! I know what to do with them. Charge the writer of a virus/worm for time the Admin puts in to fix or block their poisoned program. If the virus/worm writer doesn't have the money, then the Admin will charge through violence to where one hit upside the virus/worm writer's skull with a 2"x4" will be exchangable to 15 minutes of the Admin's time that could have been better spent.

    Sorry to rant, but virus/worm copycats^Wwriters really get on my nerves, especially when I could be spending that time doing something with my friends, instead of telling sendmail to block out the latest "Melissa" clones.

  • Though I think those responsible for writing these need to share some responsibility, particulaly if they are the ones who released it, or if they wrote it intending to release it...

    I, personally, don't ever feel anger towards those who wrote these. 99% of them spread due to the sheer ignorance of the masses.

    Or rather, if someone in the company opens a virus attachment, and it spreads, I don't say 'damn virus'.. I get mad at the employee. There is NO EXCUSE for not understanding what to open.
  • Why do worm writers stay free? Maybe they've accumulated enough hotel points on their credit cards.
  • But their high profiles seemingly do not make virus writers easier to apprehend. Virtually

    all captured coders either confessed or were arrested only after techies discovered their
    identities and informed authorities.


    I don't know... Maybe it's just my imagination...

    Just seeing 'informed' and 'authorities' together just made me picture a Hippo and an Aligator dancing. Those two words just don;t go together well.

  • by drew_kime ( 303965 ) on Thursday December 27, 2001 @11:48AM (#2755065) Journal
    "If someone left their front door unlocked ... " Gah, I am so sick of hearing that analogy every time someone talks about computer security. Phisical theft and defacement is not the same as digital. So what would be a better analogy?

    Imagine if someone went to a photographer and had some "personal" photos taken for their spouse. And that the photographer made poster-size prints and put them in the front window with a sign saying, "Please don't look at these."

    Would you prosecute the 13-year-old kid who came by and looked at them? How about if he took picutres of the posters and put them up on his web site? The originals are still "secure" in the studio's safe. How can you blame the photographer?

    If current computer law (UCITA, DMCA) were applied to this situation, the 13-year-old would be in jail and the photographer would be suing me for telling you that the posters were available.
    • Imagine if someone went to a photographer and had some "personal" photos taken for their spouse. And that the photographer made poster-size prints and put them in the front window with a sign saying, "Please don't look at these."

      That is a very different situation. There is a difference between leaving something to be seen in a very public place and computer crime. The closer analogy to someone breaking into a computer is someone sneeking into a tree in someones backyard and looking through the partially open window and spying on them. Then again you'd probably think that it's their fault for leaving the blinds slightly open. An unprotected computer is not the same thing as a something intentionally made public.

    • Imagine if someone went to a photographer and had some "personal" photos taken for their spouse. And that the photographer made poster-size prints and put them in the front window with a sign saying, "Please don't look at these."

      Would you prosecute the 13-year-old kid who came by and looked at them? How about if he took picutres of the posters and put them up on his web site? The originals are still "secure" in the studio's safe. How can you blame the photographer?


      Your analogy only makes sense if cracking a site requires a passive activity such as accidentally visiting a URL or attempting to connect via FTP. Unfortunately, most cracking involves active malicious intent by the perpetrators which doesn't jibe with your analogy.

      A better analogy would be if the photographer had the pictures in a drawer marked
      CONFIDENTIAL NUDE PICTURES! DO NOT OPEN.
      and some teenager felt that he/she couldn't resist looking at the pictures. The teenager is still in the wrong but one can also blame the photographer for not taking better precautions which means both parties are at fault which is the case in most cases of cracking websites.
    • Your new metaphor vapid on so many levels.

      You imply that digital data has no intrinsic worth, and therefore can't be stolen. What century are you living in? Future generations will view your analogy as hopelessly anachronistic, something like stories your grandpa tells today about one-room schoolhouses.

      And as for the substance of your analogy - "a guy takes nude pix of his wife and puts them up in his window with a sign saying don't look at these" - how does this utterly absurd statement clear things up for you better than the "if you leave your front door unlocked" one? Do you even know what your point is?
      • You imply that digital data has no intrinsic worth, and therefore can't be stolen.

        This is exactly the mindset I was criticizing. I didn't say or imply that digital data has no intrinsic worth. I said that its worth had to be calculated differently from the worth of phsical goods.

        Theft of physical goods deprives the rightful owner of their use. Copying of digital goods does not deprive anyone of their use, but in fact greatly increases the number of people who may potentially use them. This could, of course, possibly reduce the value of the digital goods. Certain information is only valuable when it is not widely known. This is why Digital Rights Managment is so important to the RIAA and MPAA.

        The point of the analogy, since you seem to have missed it, is that the customer pays someone for a product, and the provider doesn't take steps to ensure that the product is secure. The fact that EULA's have not been tested in court is the only reason software producers continue to believe this is acceptable.
    • Actually, there is a relevant legal theory for this kind of insecurity. Take, for example, a swimming pool with no fence around it, in a neighborhood with lots of young kids. The pool tempts some kids to try to swim - but, for those who don't know how to swim, it can drown them. The legalese name is "attractive nuisance", and the owner of the pool can be held criminally negligent for not putting up even minimal security (say, a solid wood fence to obscure the pool from public view, or a chain link fence with a locked gate that at least prevents kids from getting at it without nontrivial effort).

      Now imagine if, instead of being posted in the windows, the photos were in a drawer with a big-lettered sign - big enough to be readable from the street, through the open door the sign faces - that says "Nude pix! Do not open!". I suspect the same legal theory could apply, especially if the kid were to sustain any injury as a result. (The way the world is going, forever destroying one's ability to blindly trust big institutions might almost count as "injury". ^_-)

      I know this applies in California, USA, at the least; does anyone know if it applies elsewhere?
  • Misplaced blame (Score:3, Interesting)

    by ryanvm ( 247662 ) on Thursday December 27, 2001 @11:50AM (#2755076)
    I really liked the analogy a previous poster in a different thread had come up with:

    Virus/worm authors are like cockroaches. Sure it sucks to have to deal with them, but it's your own damn fault. And prosecuting is pointless - there's a million more where the last one came from.

    Most current viruses are NOT very sophisticated. They exploit wide-open security holes in unpatched operating systems that were produced by careless vendors. It's like getting pissed at people walking into your house at all hours of the night. Yes, they shouldn't be doing it - but if you were locking your doors it wouldn't be a problem.

    My point is that the blame should not fall entirely on the virus/worm authors. It should be evenly distributed between the vendor (for being negligent with regard to security); the system admin (for the same); and the virus author.
  • by Philbert Desenex ( 219355 ) on Thursday December 27, 2001 @11:55AM (#2755092) Homepage

    First, the "WiReD" article confuses worm - a program or process that propagates itself to a different computer, usually via some networking protocol, and chainmail - an email message that requires human intervention to automatically send out more email messages, usually containing the same or slightly evolved chainmail. WiReD should straighten up its vocabulary on this issue, they do no service to anyone confusing the two.

    Second, the techniques used by both chainmail and worms are all used by legitimate scripts, programs and emails. How does law enforcement propose to declare one email message a crime, and another legitimate? And I don't mean "Let's ask some expert like Graham Cluely."

    Sure an IIS worm like Code Red usually uses some initial exploit, like overflowing a buffer in an IIS module or service or plug-in or whatever the MSFT lingo is, but Nimda used a variety of techniques built in to IIS, "shares" and Outlook. The variety of Outlook worms (Anna Kournikova, Nude Housewife, etc etc) and even the CHRISTMA EXE chainmail of 1987 [ncl.ac.uk] used entirely legitimate techniques built in to Outlook and other email viewers. The 1988 Internet Worm used both legitimate techniques (BSD "r" commands that didn't require a password) and exploits like "fingerd" buffer overflows. How do we define the crime - "I didn't authorize this use of Outlook" really doesn't amount to a way to decide whether or not a particular program committed a crime. Similary, worms like x.c [jammed.com] get telnet servers to crash in particular ways when they spread. Gee whiz, a network server process crashes! That's news, for sure. I guess that hasn't happened to me since yesterday. How do we make one instance of a crashed program a crime, and another instance into a bug report?

  • Does anybody have any figures? how much bandwith is used up during a worm attack such as nimbda?
  • by tswinzig ( 210999 ) on Thursday December 27, 2001 @12:00PM (#2755110) Journal
    "We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said.

    Since some people are confused, let's look it up in the dictionary [dictionary.com].

    terrorist
    n. One that engages in acts or an act of terrorism.

    terrorism
    n. The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons.


    Now, I do agree that a skilled person could use computer viruses for the purposes of terrorism, as defined above. But clearly 99% of viruses do not fall into the category of terrorism, and therefore calling their creators terrorists is quite a stretch. Most of them are smart young people with no common sense, no direction, and a distorted sense of right and wrong ... a.k.a. criminals.

    I'm sure Russ Cooper [mailto] is more interested in getting his site linked from wired, and knows mentioning the buzzword 'terrorist' is sure to get a soundbyte.
  • Just a hunch, but I think this [slashdot.org] is probably a related issue. If the Corps don't care about their servers being 0wn3d by 1337 h4x0rz, why should they care about them being owned by email virii and other worms? And if the victims of a crime don't care, why should law enforcement?

    One thing about Corps, they're generally consistent. Of course, that's generally, not always [computerworld.com].

  • Illegal software (Score:5, Interesting)

    by CaptainSuperBoy ( 17170 ) on Thursday December 27, 2001 @01:02PM (#2755296) Homepage Journal
    I am of the belief that there is practically no piece of software that should be illegal. This includes viruses, worms, spamware and other software with no redeeming qualities. It's one of those slippery slope problems where you're banning certain types of speech, but it could easily get murky as to what was a worm or a virus. Some security software has just as much legitimate use as it has potential for misuse.

    The only rational solution, as is the case with other "banning the tool vs. banning the act" problems, is to ban the act of dissemminating virii or worms maliciously. Banning certain types of software is an ill-conceived notion, just like banning certain guns.

    Those who believe that software (in the US at least) is constitutionally protected speech may want to think twice if they believe virus writers should be prosecuted. Judging software based on its purpose is probably impossible - is deCSS a tool for piracy or for interoperability? Depending on who you ask, you will get 2 different answers. Is back orifice a security tool or a hacking tool? Is it a virus? Should the writers be prosecuted?

    Virus/worm software does have redeeming educational value, however little.. it's useful for exposing vulnerabilities, even if it only shows that the end user is stupid.

    So even though virii, worms, spamware etc. are a pain in the ass, I do support your right to create any type of software you like. The other alternative, banning classes of software, is actually more dangerous.

    Note this has nothing to do with my view on copyright. Of course if you infringe someone else's copyright in your software you are breaking the law.
    • I can't agree with this. Banning a class of software does make sense, just as it makes sense banning something so dangerous it should not be open to those who don't know how to use it properly. Certain actions do not always classify as free speech, especially if they damage something.

      Is a computer program that one created to do something damaging really free speech? Okay, lets say they add a political message to the virus, which flashes the political message over and over on the computer screen. This isn't quite free speech - its vandalism. If I used spray paint to put my political views on the side of one's car to make a point - I'd get tried for vandalism and no free speech argument would protect me. For the virus, you've taken over someone's computer and temporarily vandalized it. The spraypaint on the car and the virus can both be removed, returning the item to original condition, but damage was still done.

      So lets take this further. Lets say I write a virus with a political message that "capitalism is evil" with a destructive payload that erases all the non-freeware programs. Now this virus makes its way to a water treatment plant, and screws up computer-operated water handling system. The erased program causes the pump to go to its defualt mode, which causes several hundred thousand gallons of sewage (read e-coli contaminated) to be forced into the clean water tank. Several people get sick and some elderly and children die. I've now used a tool, with no real benefit to others (except those who know how to use it to look for security holes) as my method of free speech. Should I be tried for terrorism or manslaughter? You bet! Whether or not this scenario could happen, it is possible, and therefore, it suggests that the tool should be banned, or at least restricted in access.

      Some tools are meant to be restricted for a reason, because when used improperly they can cause huge amounts of damage. Therefore we ban their use except to those authorized (and trustworthy) enough to use them. Certain biological techniques have been voluntarily banned due to their danger they could cause to humanity in general. I'm not talking about cloning, but some very complicated retrovirus techniques which created a cold virus that creates cancer. The Austrialian lab that created this realized what it had done, destroyed all the work, and asked the few other researchers to drop this line of research until controls could be put in place. The ban was accepted, and it makes perfect sense.

      Virus programs do nothing constructuve except find security holes. So it makes sense for computer security experts to use them in controlled settings, but to make them available to the public does not make sense.

      All that being said, the technology and know-how is already out there, so one can't put the genie back in the bottle in regards to viruses. However, we can ban their use in the public when damage is caused by them, provided we actually enforce the law. If we don't enforce it, then we shouldn't even bother passing the law.
      • I'm going to try to respond point by point.

        If I used spray paint to put my political views on the side of one's car to make a point - I'd get tried for vandalism and no free speech argument would protect me. For the virus, you've taken over someone's computer and temporarily vandalized it.

        This doesn't go against my philosophy - your act of vandalism has broken the law, irregardless of whatever message you've spray-painted. My act of infecting a university's servers with a destructive worm would be theft of service, regardless of which worm I used, or who wrote the worm. The act of writing the worm, by whoever did it, may or may not have been with malicious intent. Really, there's no objective way to tell or prove one way or another. Is it malicious of OS writers to make an OS with raw socket access? I don't think it's malicious to create a computer with open hardware standards, that can be programmed to do evil at the lowest level. At what point in the tool does the responsibility end?

        Lets say I write a virus with a political message that "capitalism is evil" with a destructive payload that erases all the non-freeware programs... it is possible, and therefore, it suggests that the tool should be banned, or at least restricted in access.

        You may have misunderstood my "software as speech" point. I wasn't talking about including political speech in software, or using software as a way to get attention - just that I and many others consider software code to be protected speech. This means it is afforded many protections under the constitution, including protection from being banned based on content. If I post the code to my virus onto my web site, nothing in the law should prevent me from doing that.

        Your point that potentially destructive software should be banned or restricted is a dangerous view. Are you in favor of export controls on encryption? I'm assuming you're here in the US, where controls have been relaxed but not yet eliminated due to the mistaken view that banning strong encryption will somehow empower intelligence and law enforcement agencies. This is exactly what I'm talking about - encryption is considered by most to be a necessity for security, and by some to be a national security risk. But above all, an encryption algorithm should be considered protected speech.

        Some tools are meant to be restricted for a reason, because when used improperly they can cause huge amounts of damage.

        I suspect we disagree on gun control, too. I won't get into that, except to say that I was once strongly in favor of radical gun control. I've now realized that the more legislation, and the more "banning" there is, the less responsible people become. We need people who feel responsible for their own actions, not laws. And that is a MUCH bigger debate, which goes to the root of our corporate society.

        Once I realized my hypocrisy in guns vs. encryption vs. virus/worm/spamware I came to see that it's really the same topic, and I am for the act, as opposed to the tool, being punished.

        Certain biological techniques have been voluntarily banned due to their danger they could cause to humanity in general.

        I don't think this is the case here. It would do more harm than good to prevent knowledge of security flaws, and demonstrations of them, from disseminating. If people feared for their freedom, they wouldn't expose security holes. As we've seen recently, when companies aren't FORCED to issue patches they tend to ignore gaping holes in their software.

        Voluntarily is also the key word here. It's usually a good thing when the scientific community voluntarily decides to drop something, and we do need to see more of this. Human cloning and bio-weapon research are two areas that could use more scientists who actually thought about ethics. Is banning whole classes of scientific research the best way to progress, though? The church also banned research when it felt threatened..

        Virus programs do nothing constructuve except find security holes. So it makes sense for computer security experts to use them in controlled settings, but to make them available to the public does not make sense.

        However, the ONLY way to get companies to respond is exactly what you said - full disclosure is the only way to go. Security by obscurity (what you describe) keeps knowledge of flaws in the hands of the few, who have enough resources to find them (e.g. the NSA, companies, and yes, you can't rule out terrorists).

        However, we can ban their use in the public when damage is caused by them

        Well that is exactly what I support! Maybe we don't disagree as much as I thought..
  • CmdrTaco writes:

    The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.

    if you've ever been on the receiving end of a round-the-clock DDoS attack from irc packet kiddies, you know about wasted bandwidth. worms seem to be a mere drop on the bucket.

    the only difference is - worms are indiscriminant; they walk their way thru IP blocks no matter who owns them. so big ISPs get their panties in a bunch and can use their muscle to bargain for the FBI's time. irc revenge DDoS is usually directed towards EFNet servers at the handful of ISPs who are brave enough to still be operating one.

    but, these two issues are related. the machines infected with the worms (which expose massive exploits) are usually taken over as zombies for nefarious bidding (such as the aforementioned DDoS).

    perhaps then we can roll in responsibility for the DDoS to the charges against the worm writers? then the cost of bandwidth soars astronomically and can probably justify more significant prosecution. (and hey, maybe get a little bit of 'official' attention to this problem (DDoS) that's been going on for years).

  • ...and the next Internet worm I write will have the following string "Made by JonKatz, Bill Gates, and George Bush".

    Strings inside code could be used as evidence, but they are not very serious evidence, not more serious than a papernote left by a burglar saying "I wasn't!". After all, we don't want incrimination to be that easy.
  • First off, many of them are smart enough to not put their name and address in the worm/virus. (Suprise! if youre smart enough to write this you might have a tiny bit of common sense.) Second, most are from outside the country, WHERE THE US GOVT. HAS NO JURISDICTION. Read that closely everyone, the FBI cannot go into china and arrest someone. and many countries are getting sick of the free-raid mentality that the US govt has had lately. Would you let your neighbor constantly search your house for problems? maybe at first, but when your neighbor starts taking your things because they look suspicious or sren;t allowed in his home... then you start to get pissed.

    The people in our Govt are the problem and the terrorists. They try and generate fear in the public about what these worms can do!

    I say we leave it to a team of geeks to find these people, and then bludgeon them with rubber hoses and soap in socks.. 3 months in prison wont stop them but the fear of getting their ass kicked by a few pissed IS/IT people will.
  • by ansonyumo ( 210802 ) on Thursday December 27, 2001 @04:05PM (#2755997)
    Free as in beer
    Free as in software
    Free as in worm author
  • If IIS, IE, and Outlook didn't have such gaping holes and weren't so market dominant, worms and viruses wouldn't be very destructive.

    Worms and viruses are the equivalent of teenagers skateboarding in a China shop. Sure, technically, if they knock something over, they are responsible. But why the hell did the shop keeper allow skateboards in the shop in the first place?

    It would be a sweet deal for Internet businesses to be able to have all their security-related costs to the public. But the people who should pay for Internet security are the ones benefitting from Internet business--the merchants and infrastructure providers. Putting this responsibility on the public amounts to a huge corporate welfare check for Microsoft and Internet businesses, who get to keep making profits without bearing the cost of security.

    • Where did you get your values?

      There is nothing technical about the skateboarder's responsibility for something being broken by his/her own actions. Does the owner need to post a no skateboarding sign, or can we as a society rely on common sense.

      We, as a society, have relied on the common sense model for a very long time. What has changed in our society, that people don't think that they are responsible for their own actions?

      Yes, people shoud do a better job in writing their software. That does not excuse those that are writing the viruses and the worms.
  • IMNSHO the most annoying aspect of those worms is the poor quality of the code. Total ignorance.

    It's enough to take a quick look at my server's logs to see a bunch of attempts to exploit IIS holes in Apache! This alone makes me wanna put them behind bars...

    For God's sake, all they have to do is check the server type and thus spare lots of bandwidth. A real coder would do that.

    Apparently VB aware script kiddies wouldn't...
  • The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.

    In terms of bandwidth/time/storage space, which is worse for the net as a whole, then? Is it successful worms, or is it really the spam?

    I think it's the spam... and since I've never been directly affected by a successful worm, I most certainly would rather see spammers get jailtime rather than worm writers, if I had to choose one or the other.

    Both would certainly be acceptable.

  • Punish the script kiddies? Why? Damage? What damage? A few million dollars here, a few million there, it's only money!

    Let's get our priorities straight! Now that Sklyarov guy, there's a dangerous criminal! His ultra-dangerous Adobe-buster is cyber-terrorism at it's worst! That must be why Skylarov has spent more time in jail than all the script kiddies in the world combined. And people think our government doesn't have any sense of priority! Way to go DOJ!
  • The other half is because people have ignorantly abrogated their responsibility for prosecuting their own loss.

    If just ONE of those companies that "lost billions" had prosecuted the perp themselves, we wouldn't be having this discussion.

    But no, we sit here and decry how "law enforcement is overworked" to do all the prosecuting for us. And in those places where medical service is also government provided? Gee, the same discussion, how "medical providers are overworked".

    Maybe the pattern this obvious to me is obvious to others. Has anyone who claims to have lost money gone after a virus writer? Anyone? Any company? Any organization?

    The negative effects of abrogating your physical security [jpfo.org] to "law enforcement" is well known. There is very little argument that even the best firewall does not eliminate the requirement that individual PC's and servers be individually hardened.

    Yet with all this emphasis on distributed defense, there is not a distributed offence against these virus writers?

    Bob-

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...