Worm attack

Thing is, on one level he's right. He's being used as a scapegoat since they didn't catch the real creator. But that does not change the fact that his code DID cause thousands of dollars in damage.

I don't have a non-sarcastic opinion on his punishment.

He could be set as a precedent for verdicts that follow concerning internet sabotage. But as for this case in particular, the penalty that is to be meted out should bring into consideration not only the facts, ie, the recoded virus caused severe damage to internet security, but also whether the boy's intention is really to cause the damage.

Anyway, a society that operates in close connection with the safety of the internet needs a cyberlaw immediately. To take an intolerable stand toward this young man who could have a bright future and to treat him as a scapegoat in an instrumental way, does not in every way appeal to people. The imperative now is, however, not to focus on some particular people who have sabotaged and are sabotaging internet, but to be devoted immediately to the making of a piece of systematic cyberlaw.

"If builders build buildings the way programmers wrote programs, the first woodpecker that came along would destroy civilization".

Punishing the virus writers is a little like punishing the woodpecker; sure it makes you feel better, and sure the virus writers should have known better, but it doesn't really help solve the problem.

What code-puppies uncover through experimenting today, far more malicious attackers would probably exploit to more devastating effect in the future.

The war between virus and immunity is a natural part of the evolutionary process, both biologically and technologically.

Best Regards,

rosborne
What you seem to be doing is blaming the victim not the culprit. Would you blame the victim of a shooting rather than the shooter for not getting out of the way of the bullet.

AU,

I think you're over generalizing. I don't blame victims of shootings. But I do recognize the complicity of the software in its own instability.

Like it or not, it's a nasty world out there, and things will break, either through accident or intention if you don't take efforts to protect them.

These viruses/worms aren't hard to write. It's not like it takes a Phd in theoretical progamming to do it. Kids are writing these things in their free time, and dreaming about impressing their friends with the effects they can cause. And I don't think it's wise for the stability of global technology to rest on the emotional stability of hoards of bored teenagers.

As the Manager of an Internet/Systems Research and Development group for a large software manufacturere, my team and I find ourselves at the forefront of these battles all the time. My particular responsibility is not to punish individuals, but to assure the stability of our systems. Likewise, due to the similarity of technology, our internal stability is analagous to, and linked with, the stability and evolution of the global technology grid.

Industry and consumers have to take a little bit of responsibility for their own choices. And if they/we choose to buy unstable software, and build our technology with unstable software, just because it's cheaper or easier to use, then ultimately we will pay the price of our choice (instability).

That's all that is happening now.

Best Regards,

So unstable software is the problem? I should pay more for it. I should also live in a fortress instead of a house, but the economics just don't work for me. I guess this means I blame the burgler or armed robber instead of the householder. It's an attitude, I guess.

rosborne979
I am no software expert in fact most of the functions of computor are still a mystery to me. However, I can't seem to shake the feeling that since the opportunity to commit a crime, and that is what it is, is readily available it is to be expected. A criminal act is still a criminal act and is never justified.

Sometimes I think the understandable irritation techies feel when they see ridiculously simple exploits go unpatched gets in the way of the simple realization that the criminal and victim do not share culpability. Despite the fact that the victim could prevent the crime.

The same argument could be leveled about any crime, the "victimless" notion of cybercrimes sometimes numbs us to the philosophical implications.

It's easy to think of malicious crackers as an inevitability and focus on the practical methods of protection. This is because they are rarely caught or punished.

While on a practical level it's true that awareness and knowledge is the fence at the top of the cliff we shouldn't acquit those who are pushing people off.

It does not take a Phd to commit rape either, and rape can also be construed as preventable ("what? You didn't wear your electroshock chastity belt today? tsk tsk" "You went outside? Sheesh, you had it coming then."). Even if the common sense to secure our digital infrastructure is a valid point impunity for criminal predators would be folly.

I should clarify... I'm not saying that we shouldn't punish/dissuade people for malicious behavior. Go ahead. I'm just saying that it won't solve the problem.

We have criminals in the world, but we also have locks for our doors. It's a balance.

Right now, software security is out of balance with its destabilizing element. This is where we get the most benefit for our effort. Global economies can not simply trust the criminal element not to act. It's unrealistic.

Best Regards,

For practical purposes I agree. I have long been accustomed to taking care of my own security as the law is no help when it comes to cyber crimes under $10,000 dollars.

But maybe this should change?

While sometimes software makers clearly do not do enough to prevent these kinds of things, it remains a fact that there is no software which doesn't have, well, "bugs." That's a given. This justifies what exactly?

I suppose I didn't answer AU's real question; sorry about that. AU asked "what punishment", not how to fix the general problem.

It's just my opinion, but in cases like this where teen vandals can cause multi-million, to perhaps billions of dollars worth of damage, I think it's going to be hard finding a punishment which reflects the severity of the result.

Kids make bad decisions. Sometimes they burn down the house even though they know they shouldn't be playing with matches.

I suppose you have to punish based on the motivation, rather than the result. To me there's a difference between a terrorist who writes a worm to knock out a power grid which wrecks an air traffic control system and crashes a bunch of planes, and the same worm which comes from a kid who is showing off to his friends how he can write a worm (not anticipating how bad things can get).

Vandals should be treated like vandals, and terrorists like terrorists. It's the motivation which makes the difference.

Meanwhile, the air traffic control system crashes in either case. And that's what is really more of a concern to me.

Best Regards,

Very interesting post, Ros.

rosborne979


The people teen or otherwise who commit this sabotage and that is what it is. Are not the innocents that you characterize? They are very computer literate and know full well the potential damage they are causing. The penalty has to be severe enough to make others think before they act. A slap on the wrist will not do.

au,

One of the complicating factors is that the people who write viruses don't really HAVE TO do anything. They make something that does.

In some cases viruses were not even intentional. It's overused as an example but one devastating virus was actually a program a coder wrote to REMOVE VIRUSES!!

Do you think that these guys think that they get caught and have to pay the consequences? I don't think so. Therefor perhaps they don't care about the possible punishment for their behavior?!?

Yeh, this can get very complicated. Viruses/Worms are very easy to write, but their effect is not easy to predict because nobody has ever seen an open environment like this before. Viruses are just programs, nothing mysterious. People with a little coding skill and very little wisdom can unleash them without much effort and do a lot of damage.

And to further complicate matters, what if someone wrote a virus to invade your machine and SPAM all your friends with ads? It's only a matter of time before it happens. SPAM is already clogging Email boxes and Email servers and costing lots of money to control. But maybe it's free speech. Should it be a crime?

The slammer virus didn't really do much damage, it only overloaded systems (which is damage in itself). But what if a virus didn't do any damage at all, just spread itself, would that be a crime?

rosborne979
If the system becomes overloaded and restricts commerce costing thousands of dollars in lost time I would call it a crime not free speech

Most spam is already a crime. They are already exploiting servers to send SPAM.

When a spammer uses one of my servers to send out spam he is using my resources and bandwidth.

This is not free speech, it is illegal.