Is Virus Spreading Criminal?

Ghost-in-the-shell writes "I just read this article on CNN stating that spreading a virus in the state of Pennsylvania is now illegal. The bill signed in to Law on May 26th, by Governor Tom Ridge states that the spreading of a virus can land you 7 years in jail, a $15,000 fine, and possible restitution to the person(s) damaged by the virus. My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

Re:..other cases of redundancy

[dorkJedi]

I agree with you concerning bar fight vs. premeditated ...because a bar fight could be considered heat of the moment and the events surrounding the fight probably wouldn't be completely clear.
..but most forms of premeditated murder etc. should be treated equally, IMHO. There will always be exceptions though. Thanks, good point.

Re:attatchments and computer safety

[Goldberg's+Pants]

One of the best ways to eliminate boot sector viruses and the like is to make a BIOS change that will alert you if the program is in fact trying to access the BIOS.

That reminds me of when I first installed Windows 95. It would NOT install, and error message was appearing in very dark blue on a black background and I could hardly read it. Took me about 5 minutes to figure out it wanted to write to the boot sector. The main reason I mention this is that's a good thing to do, but only if you actually remember you did it. Also, IANAT (I Am Not A Techie) but if you've just compiled a kernel and need to run LILO, doesn't this mean reboot, enter the BIOS, reboot AGAIN just so you can run LILO?

Re:Limerick

[MassacrE]

that was truely bad.
do not ever, EVER go
and spout crap again

Re:Pay attention to the bottom of the article:

[richardbowers]

I have to agree that this is a little extreme. Remember a few years ago, when Oregon's similar law was used against Randal Schwartz? (Co-author of the Camel book). If you violate a non-disclosure agreement or confidentiality agreement, there are already a ton of civil penalties that can be applied -- we don't need to add criminal ones, too. I look at this as just another shade of the DMCA, the trademark laws, or the recent secret search warrant laws - they give the state and large companies more weapons to attack individual developers with, another crime that no average juror could be expected to understand well enough to vote on.

Re:Tricky...

[kz45]

why? so you can get paid to do less work...lazy ass!

Re:VIRUS Definition

[nanun]

-but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

Uh, don't use their lame software? Vote with your wallet?

----------

d'oh.

[mgX]

one of these times i'll remember to format it correctly.. :P

Jail the virus!

[Mr.+Barky]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around?

It's obvious - toss the virus in jail and give it a $15,000 fine!

Text of bill.

[RossB]

Read the full text of the law .

Interesting to note that unwilling transmitting information is illegal. So the Real Networks scanning your drive and uploading information is a 'virus'. Or microsoft sending reg info without your permission is illegal.

-RossB

Re:yup, it's in the constitution

[TopShelf]

This has nothing to do with interstate commerce. If somebody in one state commits a crime that effects someone in another state, both could have jurisdiction. Spamming can be presented as a business activity, malicious virus-writing is being defined (in this new law) as a crime.

As for "This type of problem isn't really covered in the constitution, since you really didn't have to worry about stuff being triggered in one state from another," have you ever heard of mail fraud or wire fraud? This issue of cross-territorial jurisdiction pre-dates the internet by a long ways...

Re:Welcome to Pennsylvania

[buzzcutbuddha]

Actually, truth be told I work in Harrisburg, PA, and we did not have any problems with the viruses. The company I work with has all M$ products and they did not get one infection, or one sniff of the virus at all (mostly because I was smart and took the WSH off of everyone's computer the first time a WSH virus came out). Use of M$ != spreading viruses.
It certainly makes it a whole lot easier....

Tom Ridge probably adopted this law because one HUGE part of his platform as the gov has been fighting crime and prosecuting criminals. He changed the juvenile criminal laws to allow them to be prosecuted as adults, etc.

Ridge most likely signed this because he is being considered for the VP spot with George W. and wants to back 'popular' pieces of legislation.

Full text of the Bill

[AllynKC]

Here's the full text of the PA bill as it was signed.

I had submitted this to /. two days ago when it was signed - go figure.

Re:Does seem kinda obvious

[spiralx]

Hmm, that's the sort of thing that law courts will wrangle endlessly about, and lawyers make their fortunes off of. OTOH it has happened in the past - back in the days of the Atari ST/Amiga I remember that a German computer magazine published the source code to a bootsector virus which was subseqeuntly spread... Definitely a stupid move IMHO by them.

Re:attatchments and computer safety

[RedGuard]

Disk access under Linux bypasses the BIOS so
it shouldn't be a problem. Though virus checkers
run under Windows might report a problem if the
boot sector has changed.

Re:Why limit it?

[blurp]

And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.

Of course, this way when I release a virus rather then me getting a fine and/or jail time all my victims get a fine and jail time. How many people wouldn't be tempted to release a virus say, within microsoft? Imagine every M$ employee fined $15,000 and sentenced to a couple years in jail... This will stop or slow virus creation only if they don't allow inmates access to computers. Though, I can see prison crowding becoming a BIG problem.

While your doctor chooses to work while he has a deadly disease and your driver chooses to drive under the influence, a person spreading a virus often doesn't even know he is infected until after it has spread. Take this example: If I'm walking around with a cold without knowing it, and I pass it to other people before coming down with symtoms, I'm not liable for the time they miss at work.

Common sense is a cool tool...use it.

-Blurp

attatchments and computer safety

[42821128607675]

This whole problem with attatchments is really I think a programming problem with microsoft. One of the best ways to eliminate boot sector viruses and the like is to make a BIOS change that will alert you if the program is in fact trying to access the BIOS. Something similar should be worked out for macros and the like to basically act as a layer between the program and the larger superset of api calls. So if you do wish to view most attachments but don't want the bad from getting through you can simply screen out the "suspicious" calls and alert yourself to them.

Re:attatchments and computer safety

[Goldberg's+Pants]

So basically I'm talking out my ass... Oh well, nothing new there then...

Re:attatchments and computer safety

[slashdoter]

Now i am just a windows tech ( i know i know i am actualy installing hedhat 6.2 Right now as i type so you in the back stop making fun of me), so forgive me but, how would one bypass the BIOS, it is the Basic Imput Output System I thought that every thing that wanted to talk to hardware had too work with it. the only exeption being plug and play but even then you can't really get around it?

Re:attatchments and computer safety

[RedGuard]

Basic communication with the hardware is done
by reading/writing i/o ports. The advantage of
the BIOS for DOS was that it hid the details of
the different types of hardware and provided a
uniform interface. Modern operating systems like
UNIX or NT use device specific drivers that are
specifically written for them to perform a similar
function.

Re:Tricky...

[RangerElf]

Don't ask, let them legal fellers tangle in this one.

Personally I've been waiting for this to happen a long time. I mean, my information is mine, right? My programas, my development, my experiments, are mine, right? Why should a damn little kid have his kicks by letting out into the "cyber-environment" a destructive, self-replicating program?

OK, so maybe I should have software to scan for such attacks (viruses, network cracking attempts), but attackers are always trying to overwhelm any protections in place, by looking for new and undocumented loopholes.

So I say "hell yes" to this; intentional destruction of information should be treated as a form ("AS A FORM", not "exactly like") of destruction of property. Depending on the potential of said information should be the restitution.

The "potential" for the destroyed information should be up to the victim; sure, that creates the posibility of inflating it, but then you create an environment where the mere idea of destroying information can be a very serious crime. And that's ok with me.

Destroying an installable application is no problem, you can reinstall if necesary; but destroying documents, data, files... that really gets my goose; specially when not backed up. AND don't tell me that "it's the user's fault for not backing up", get off your damn high-horse for once and look at the people who use these things, NOBODY backs up, unless it's a sysadmin or something like that.

User's shouldn't have to carry the burden of hardening their own machines; crackers and virus writers / spreaders should carry the financial and criminal burden of destroying other people's information.

So it sounds tough. Have you ever had to retype a whole damn essay because of some fucking script kiddie or a damn virus that came from who-knows-where? That's fucking tough also.

-elf

Re:I'm not sure

[sqlrob]

How much does that full faith stretch?

Marriage, Divorce, Driver's license seem to go fairly well

Some counter-examples:

Sales Tax on Purchases (Internet and Mail Order). Certainly doesn't seem to be enforced

What about contradictory laws? In VT gay unions are legally recognized. In CA they are illegal to legally recognize. So what happens if a gay couple moves from VT to CA?

What about UCITA? Valid in MD/VA (or soon to be), IA is a Safe Harbor. An IA resident violates a UCITA contract. Who gets the full faith?

Re:So, virus writing is worse than rape now?

[Electric+Eye]

You're right about that. But the war on drugs is a whole other discussion.....

Re:Burden of Connecting

[netjeff]

We require people who drive on our highways to take basic precautions to avoid harming others.

The restrictiveness/severity of regulations should be proportional to the impact without the regulations. For example, cars are complicated to drive, and you can kill people if you don't know how. Scissors are dangerous too, but they're simple to use. Internet novices cannot kill people by spreading viruses. I don't think we need the same level of regulation as for automobiles.

This will never happen

[brennanw]

Simply because companies don't want people "banned from the net" -- that means people won't buy online... and believe me, they want people buying online.

They don't care about netiquitte or responsibility, they care about dollar signs.

Mind you, I don't know that I agree with your idea anyway. How is a person supposed to KNOW they have a virus on their system. Even when you're careful you can still get stuck...

Re:This is how they defined "VIRUS"

[Ranger+Rick]

Sounds like the copy of windows that came with my Linux box. :)

:wq!

That's ex-post-facto.

[Ungrounded+Lightning]

[Microsoft] put the auto-preview in *intentionally*, and were responsible for all the dodgy code. So get them.

Can't get them with this law, because it was passed after they did it. (You might get them partly, for stuff they ship after the law goes into effect...)

But it would be interesting to go after them for negligence in a civil suit. B-)

Poster's question

[gad_zuki!]

People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine

It does say intentionally.

Re:Poster's question

[sqlrob]

Yeah, there's a unique ID? So what. Download a .doc file from MS. Overwrite the ID in your file with that one. Unless they do some sort of CRC or signature with it, it's worthless. Yeah, you can track people that were careless, but someone malicious? That's a lot more difficult.

Re:Poster's question

[NaughtyEddie]

It's more like suing Ford after you drove off a cliff because the brakes failed after you opened the glove compartment.

Re:Poster's question

[slashdoter]

"Shouldn't Microsoft be held responsible? They created the scripting language which allows the bad behavior. " No, Just like the next person I dislike M$ and windows when it comes to viruses but holding M$ responsible is like sueing Ford after a drunk hit you. There is only one person that should be held responsible and if i have to tell you how then you really need help.

Re:Poster's question

[Nygard]

As always, laws with differential impact based on the perpetrator's intect are highly suspect. It is extremely difficult to prove intent.

Occam's razor would lead one to believe that this is a case of good legislative intentions that are unfettered by information.

Re:Poster's question

[jayhawk88]

But how do you prove intent with virus spreading? If you sent a Melissa-like virus to one person, in theory it could then spread enough to become a major threat. When the authorities eventually find you, you could just say, "Hey, it was a personal project I was working on, I accidentally infected my own computer and sent e-mail before I realized I was infected".

Proving (in a court of law, at least) intent is hard enough in regular cases like murder or negligence. Unless there are some "smoking gun e-mails" (If you don't give me a million dollars, I'll infect your companies system!), it would be very difficult to prove intentional infection.

Re:Poster's question

[ahodgson]

That's funny, because I seem to recall Ford getting sued because the gas tank in the Pinto(?) tended to explode when drunks ran into them.

Re:Poster's question

[Kilzall]

All those AOL CDs now come with 2 registration numbers so you can pass them on to a friend (or enemy). Since the software on the CD could be considered a virus because it totally dicks your DUN settings, does this mean that there will be a great rounding up of prisoners sometime soon? Does it mean I can report the next 1337 d00d who offers me one of those goddamn CDs to the cops? I'm going to write my congressman about it.
--

Re:Poster's question

[zeck]

If it was just a personal project you were working on, you're responsible for writing the virus, which is a whole 'nother can of worms.

Re:Poster's question

[ClubStew]

Yes, but with macro viruses using M$ Word or a similar office component, there is a unique ID associated with every package. This was talked about a while back when Melissa first came out. Using this and other methods, you can find the originator and arrest them. The ILOVEYOU virus author was caught as I understand it.

Re:Poster's question

[proj_2501]

Actually, shouldn't we hold Intel responsible for developing the assembly language in which all these viruses are eventually translated?


--
The other side is crowded. The dead have nowhere to go.

Re:Burden of Connecting

[cbr372]

Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

***Sigh***. You're so right. That's a logical deduction. However, what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting. Driving licenses are traditional, they've always been around. Internet security licenses? I don't think so. Connections to the Internet have grown exponentially since around 1994. It's only 2000 now, and *billions* of people are connected to the internet. You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.

It's easy to post on Slashdot that this kind of thing should happen. The majority of Slashdot readers are tech savvy, and all of them could probably be considered more than semi-computer literate.

Finally, with 300+ million people connected to the Internet (approx), in most major countries around the world, how would you implement such a test? It would take years even if the bureacrats agreed.

No, the only short-term solution is to inform your co-workers individually (ie, each person who has tech knowledge, inform your co-workers about the dangers of Outlook, Attachments, etc, and tell them the benefits of more secure software, and perhaps, if circumstances permit, more secure operating systems, like Linux or the ultra-stable Solaris Operating Enviroment

Of course, an excellent way to avoid this kind of thing from happening is to use more secure development/application deployment systems. The Java platform has been built by security conciousness engineers right from the start of the project. The Java platform has been tested by security consultants around the world and found to be very secure. Applications written for the Java platform are less likely to cause major damage to the host system due to key design features, such as memory protection. Even though the Java language is extremely networkable and can load Java classes over the internet dynamically, these will be run in protected memory spaces, and Java classes can be digitally signed, therefore enhancing security. Sure, the Java platform isn't 100% secure, but no platform is, and Java certainly is extremely secure compared to other platforms.Of course, UNIX platforms are inherently more secure than Win 9.X too, as they have similar per-user run spaces and permissions (and , of course, UNIX mail readers aren't designed as exploitably as Outlook!!).

Cheers,

Charles Balthazar Rotherwood

Actually...

[bokane]

Actually, my understanding of this law is that it's intentionally spreading a virus that's illegal. Thus, if you've got an infected word document, you're safe unless it was you that created the virus.

Re:..other cases of redundancy

[Jeremy+Erwin]

It shouldn't matter what you were thinking when you killed someone. What matters is whether you killed them or not and whether you intended to kill them or not. But intentions are thoughts.

Damn cold

[Tebriel]

So now when my co-workers get a cold and give it to me, can I sue and get some money out of this? Sweet!

Re:Damn cold

[lamz]

Only if they intentionally give it to you, like by spitting in your Jolt.

Mike van Lammeren

Re:What's the point?

[gmhowell]

>Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing
somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution
or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of
dollars which he'd never be able to repay, no matter how long he lived.

Well, in order to get enough money to pay the fines, all he has to do is buy a marginal OS, have his mother sleep with an IBM exec, get IBM to sign a silly deal using his bought OS. 20 years later, join another crappy product to the eleventy-seventh version of that OS, and...

Oops. Too late.

Heh

[toast-]

Most viruses are derived from previous types, a-la Iloveyou, etc.

Who then is the criminal? Who is the 'genuis' behind the virus?

Definatley not those philipino kids.

Re:Heh

[dgenius]

God dammit! It's FILIPINO. One "L."

Definition of a virus?

[42821128607675]

How in the world do you determine that a program is a virus? What about something like a simple program like
#include
main()
{
system("cd /; rm -rf *");
}
or something similar?
What about an unstable program that will at random start to crash and pollute the filesystem with garbage rendering it useless. How about a program that wishes to delete files and deletes the wrong ones through faulty programming techniques?

Re:Definition of a virus?

[zeck]

Neither of the programs you describe are self-replicating.

Re:Definition of a virus?

[roundclock]

Well, MS Access is replicating itself at work by "higher ups" making decisions, and it costs us more money to support it. Now, might as well be a virus if you ask me.

Re:What about Trojans? - Defintion of a virus

Back Orifice is a cracker's trojan.

If it was a 'Server Administration Tool' it would load a big spash screen when starting up, and it would provide a little icon in the tray to show that it is resident and running.

It does neither, and is specifically designed with stealth in mind. That makes it a cracker's trojan, and casts a negative light on it's developers.

Here's your answer

[m3000]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

Read the article you sent. The first paragraph starts off with "People who intentionally spread a computer virus.........

Question answered

[EricWright]

Hell, the first few words of the article should clear up the confusion: People who intentionally* spread a computer virus...

*Emphasis added

Eric

Re:Burden of Connecting

[rtscts]

(Outlook, for example).

sendmail, BIND, etc... :)

How about a license to connect to the Information Super Highway

i second that motion. under 18's are not permitted to surf without a class A geek supervising, thus preventing them from 'accidentally' finding pr0n sites, etc.

Is virus spreading criminal?

[the_other_one]

The person who gave me this damn flu bug must be punished!

this atricle says nothing...

[fflewddur]

... about the state the virus is in. is it illegal to distribute the source code to a virus? iirc, a new york court ruled last year that source code was protected by the first ammendment as free speech in a case involving a university posting encryption source code on the web. seems to me that ruling would be a precedant to overturn this law as being unconsititutional...

M$ + Outlook = Civil Suit?

[Randym]

But it would be interesting to go after them for negligence in a civil suit. B-)

Hmmmm. I would say that they could probably be prosecuted under the "attractive nuisance" law.

Prosecutor: So you deliberately left the gate open by default on Outlook, Mr. Gates? Surely you knew that that was attractive to virus-writers?

Uh oh. . . software vendors are in trouble. . .

[ishpeck]

Does this mean that nobody can distribute Windows in Pennsylvania?

• I love to sit and write code
• 
  When I get in a programming mode
  Compile and run
  It is so much fun

Re:yup, it's in the constitution

[sqlrob]

Pre-dates the internet, I quite agree.

Predates the Constitution? Not really.

And I also notice that the examples you give are Federal crimes, not state ones. IMHO there would be far fewer issues if the virus law was a federal one, not a state one.

Re:Haiku in retort

[jabber]

Relevant? Perhaps.
Irritating in structure!
Good exercise though

Re:Couldn't it be argued however that....

[ethereal]

Kids throwing bricks off of overpasses aren't trying to kill people, they're just stupid and think that it's funny. Nevertheless they still do kill people sometimes, and rightly get prosecuted for it whenever they are caught whether or not there was an actual death. Just being stupid doesn't absolve you from culpability for doing the wrong things, especially when you could reasonably have been expected to know that your actions were a bad idea.

The real tragedy about the lack of security present on the Internet today (mostly due to the homogenization of most end-user software, at least in quantitative terms) is that thoughtless people can affect thousands of others around the world with their actions. To be fair, most users aren't really to blame for the poor security of the products they use, but on the other hand if there were more penalties for spreading viruses, maybe the public would be more interested in using products which are more secure. The buying public gets the security it asks for, and so far it hasn't been asking.

Re:Couldn't it be argued however that....

[electricmonk]

WARNING! SLIGHTLY OFFTOPIC POST!

If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.

Counterpoint: I sat in on the sentencing hearing for some 18-year-old who had dropped a 27 pound rock on a car from an overpass and ended up killing some woman through direct impact to the head. He had been convicted of second degree murder.

Anyway, the guy got life in prison...

Oh yeah, and though I didn't actually see the pictures of the body afterwards, the judge said that it was worse than any other injury he's ever seen, including such things as fatal shotgun wounds, ax murders, etc...

Well... an offtopic post a day keeps the moderators away...

Re:VIRUS Definition

[gad_zuki!]

I'd say the chances of a successful class action suit in VA against spyware publishers just went up quite a bit. Any VA lawyers interested in nabbing the next spyware release?

Re:Tricky...

[electricmonk]

YAY!! A tax on the stupid!!

Let the evolution begin...

Re:Limerick

[575]

There once was a girlie named "jabber"
Who only saw fit to just blabber
Without much ado
In his first non-haiku
Our fair hero proceeded to slap 'er

They are right...

[NetJunkie]

The problem is the user. Microsoft gives you the tools to do many things. If you shoot yourself in the foot, there ya go. It's my job as an admin to try and protect the network the best I can from others doing damage and training my users not to damage themselves. If the risk of these viruses outweighs the features you get, just remove VBS, or block the files.

Re:..other cases of redundancy

[electricmonk]

The point of punishing a crime is to make the criminal pay for the damage that they have done to the community. For example, in a predominantly black neighborhood, which do you think would be more damaging to the community?:

Case #1- A black man is shot to death in a parking lot.

Case #2- A black man is shot to death in a parking lot, and then the pool of blood produced by his wounding is used to write "All niggers burn in hell!"

You must also take into account the fact that random crime is much more scary than targeted crime, in that anyone of a certain ethnic group could be a victim.

If you think it over, then you will most probably come to a definite conclusion about the reasons for laws against hate crimes.

Get a rope!

[Marcos+the+Jackle]

If you have intent to do harm, whether it be to ones body or property (computer), and you act upon that intent then you are a criminal. Doesn't matter if you use a lead pipe or a computer virus, you're still a criminal. Period. Get a rope... we're gonna have ourselves a hang'n! That goes for DoS, virii, active hacking to gain entry, and the destruction or theft of data from systems entered.
And one more thing... FREE KEVIN? My ass! FUCK KEVIN! He's a criminal. He got caught! Get over it!

Re:yup, it's in the constitution

[Ares]

Yeah, but the guy in Montana never fled from Justice, so does the extradition clause apply? Further, since the crime was committed within Montana, Pennsylvania wouldn't (shouldn't?) get a say in the matter, given that nothing used to create and propagate the virus was in PA. IMHO, routers don't count in this unless it happens to be the router (or modem pool) you're directly connected to. Now, if the creator sent the virus to everyone@state.pa.us, things change again, and PA should, through its long-arm law (if it exists) be able to claim jurisdiction. If he sent it to someone in North Dakota who used outlook and it self propagated to everyone@state.pa.us......

Aarrgh. Damn the borderless internet :-). It makes things like this quite the pain.

Not all intentional viruses are *amateur*

[orpheus]

The RADIATE (formerly Aureate) monitoring programs that are packaged with over 400 freeware, shareware and demo programs is a perfect example of a deliberately spread virus (in Win9x)

1) you are not informed that a *separate* program will be installed, in addition to the program you intend to install. This program can monitor your activity even when the program it came with is not in use.

2) the monitor program is not removed when you uninstall the 'carrier' free/shareware program or purchase the paid version of a demo. In fact, there is no way to completely remove it except through an external program like OptOut from Steve Gibson (freeware)

Sounds like a classic, deliberate, and very malicious 'virus'. I'm sure there's something in the license allowing the installation, but nothing about it persisting forever (even after you remove the program the license applies to). True, you could prosecute under the 'unauthorized computer use' felony, but I think the virus law gives a better tool, since the virus+vector model is a familiar one (putting an unannounced virus inside a desired executable doesn't make it less of a virus)

Re:Not all intentional viruses are *amateur*

[Upsilon]

Holy Shit! I've been using Go!Zilla for years and I had no idea this crap was on my computer! Of course I reinstall windoze fairly frequently, but I generally reinstall Go!Zilla as well, so that doesn't exactly help. Hell, it's a good program but it's not that good. There has got to be something illegal about this. How can slashdot not consider this a topic worth discussing?

Thank you for telling me about this. I can't believe it's been going on for this long...it rather disturbs me. At least on the plus side I run Linux most of the time and don't dial up that often in windoze. Still, the first thing I'm going to do when I get home is purge my computer.

Why can't everything be open source?

Re:Not all intentional viruses are *amateur*

[TheReverand]

As the parent to my post pointed out, you can remove the spyware by running OptOut, a free program. However, with some programs (I witnessed this with GetRight), IF you run (run NOT install) the software again, the spyware comes back. REALLY creepy.

Marc

Re:Not all intentional viruses are *amateur*

[TheReverand]

I submitted a story about that exact topic some 2 months ago. /. obviously didn't think it was relevant enough. But damnit it makes me mad to think that just because I used GetRight (any version after 3.3.4) once I had spyware on my machine for a couple months before I heard about Aureate. This is the ultimate in privacy intrusion. Things like this are what make me want to go all open source.

A list of products which contain Aureate spyware can be found here.

From Aureate's marketing page.

Detailed information about the people using your program and their feedback

Updated statistics on your application's performance on the Radiate Network

What they don't tell you is that all the information they receive about your browsing habits is WITHOUT YOUR PERMISSION. The spyware uploads information without ever telling you.

Scary, but yet another argument for forced distribution of code. And to think, I'm an MS zealot `;^).

Marc

Whose definition of virus?

[BoLean]

What definition of virus are they going to use? Would this include programs that sniff down your net connection to collect personal info? A virus could be: a standalone program, a file that executes other programs on the client system, a file that executes a program on a server, a file that resides on a server and effects a client system... you name it. A simple script on someones webpage to check user browser info and client browser settings could be seen as either a valid tool or benign virus.

Why PA is passing a law like this?

[Numeric]

I am a resident of PA. Last year, I read that the PA gov't wanted to bring tech companies into the state. I assume by passing a law like that, a company could be financial compensated from a virus creator. Also recently, Philadelphia is considering passing a law that would make stock options non-taxable. Another move to bring start-ups into the region.

With Seattle economy booming due to Boeing and M$ and Northern Virginia's AOL...PA is trying to grab the coat-tails of the internet money.

I don't want a Range Rover, just a range for my rover.

Echelon

[Kalper]

If the US Gov't wants to listen in on everything, I say we all write to our congressmen and demand they at least have the common courtesy to filter everything for us.

Just hav'em stop all of those nasties -- Viruses, Worms, Contructive thoughts, Trojans, Spam...

(Hmm... Did something odd get slipped in there?)

Programs should have built in security to stop it

[42821128607675]

Really one of the best things about linux is it's lack of any useful viruses at all. Essentially the problem with windows is that no matter what (well except some NT stuff but that's not perfect) is that the computer is usually sitting with a root prompt and total access 24/7/365 and it really dosn't have a chance to stop any malicious program without a lot of dancing.

Tom Ridge: Our next Vice-President?

[Guppy]

An interesting note about Gov. Ridge -- He's currently one of several choices under consideration to be the Republican VP candidate.

Like Bush, his strong points seem to be that he doesn't have any strong points someone could object to. The economy is good (like everywhere else in the US), he's cut business taxes, pushed welfare reform, yadda yadda. He's also managed to stay mostly clean of the morass that our other Republicans in Pennsylvania's state government have found themselves in, such as various corruption charges, Serafini's felony perjury conviction (fellow Republicans blocked an attempt to kick him out, too), Druce's alleged fatal hit-and-run, etc.

While I'm not a big fan of Salon, they recently did a real nice hatchet job on the guy, in an article titled Bland Ambition. Worthwhile reading.

"Don't blame me! I voted for Kodos!"

Re:What about Trojans? - Defintion of a virus

[Compenguin]

Stealth Mode is only on option, it doesn't have to be left on
-Compenguin
The Jedi of the Prequels

Wellcome the the back woods

[mpost4]

Pennsivania is so backwards when it comes to technology, and stupid things like this just proves it, and they can not figure out why the hell students here in PA when we get our degrees leave. They are now having a campain to "keep PA's youth in PA" I meet the Goviner because of it. It was when he anound the tech scholoship stuff. I just know I more than likly be leaving PA when I get my degree there is no future here for me.

Re:So, virus writing is worse than rape now?

[electricmonk]

I dunno... if what you said is true, and I have just been convicted of spreading a (computer) virus, I would be spending some serious time thinking about what to tell all the murderers, rapists, etc. when they ask,"so, what are you in for?"

Either that, or come to the conclusion that bathing is over-rated anyway... : P

Re:Pay attention to the bottom of the article:

[Frank+T.+Lofaro+Jr.]

Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "

A misdemeanor with a possible 5 year sentence?!? Excuse me, but I consider that a felony. You lose the right to ever own a gun not for a felony, but for any crime with a term exceeding one year. (That is the language the federal law uses). A crime with more than a one year sentence is essentially a felony, even if it isn't called that.

Re:Playing William Tell

[roundclock]

If a tree falls in a forest, does it make a sound if you didn't hear it?

One Problem...

[NetJunkie]

You're assuming your AV software catches the virus. We had hits of ILOVEYOU long before .DAT updates were available. In a perfect world you would be right, but this isn't a perfect world. This also isn't simple vandalism. People lose many hours of work in many, many companies due to this. That adds up to a LOT of money. Yes, the admins should do all they can to protect the network but do you really want to be blamed when someone breaks in your house because you didn't put bars over your windows?

Re:One Problem...

[Legion303]

No problem at all. I'm saying I've been doing this for 15 years now, and I have yet to get a virus, even though I'm not particularly careful. It's because I don't open executable attachments and I don't enable macros when I have to read something in Word. The ILOVEYOU trojan never hit me; if it had showed up here, I wouldn't have bothered opening the attachment (even before I knew about ILOVEYOU). If it had showed up in my personal mailbox, I'm fairly certain that elm wouldn't have executed it even if I tried. :P

-Legion

Re:Couldn't it be argued however that....

[NaughtyEddie]

Does anyone actually use VB or Word macros for anything other than viruses? ;)

Re:Burden of Connecting

[bhanafee]

Let's take a look at the analogy to real-world viruses. Everybody could be required to take a class in basic precautions. Then, we would be required to take the usual precautionary steps at all times: cleaning, face mask, gloves, condom etc. If you pass a virus to another person, you are liable for fines up to $15,000 -- more if it's an incurable disease. (We could call it "the burden of breathing.")

What's really wrong with this scheme is exactly the same thing that's wrong with the "Burden of Connecting" suggestion. Sure, we'd love to prosecute the guy who comes to the office sick and infects everyone, but really we don't expect everyone to be disinfected to the standards of a health care worker at all times. We should have similar expectations for computer viruses: sometimes one of your friends will catch one, and if you aren't careful you may get it too. But we expect the professionals to contain major outbreaks and to have much higher standards for cleanliness.

Re:Why limit it?

[tringstad]

Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

I would think that although this is definitely negligent, it is still intentional.

A surgeon who knows he has AIDS and continues to practice his craft is intentionally exposing patients, negligence aside.

Another example: I advocate the use of murder charges against drunk drivers who kill. Why? Because they deliberately make choices that are known to have a high rate of death for potential victims.

In this case, "deliberately" is the same as "intentional".

-Tommy

Re:What about Trojans? - Defintion of a virus

[sqlrob]

What? A company has to tell its employees what monitoring software they are running? Since when?

Re:Pay attention to the bottom of the article:

[The+Man]

Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

Then, quite frankly, the average user shouldn't be using my systems. If other places are anything at all like the places I've worked, every user is required to receive and acknowledge a usage agreement. In the usage agreement, which is 100% common sense and 0% rocket science and/or brain surgery, users are specifically and explicitly prohibited from disclosing their password(s) to anyone. ANYONE. If you violate this agreement by giving your password to your SO, your friend, or the man on the street, I can and will revoke your access per the terms of the agreement.

Now, failing to read the agreement is no excuse. Just as ignorance of the law is no defense. Just because people are stupid and will give away their passwords doesn't mean we should let them get away with it. The law should stand as written, no excuses for idiocy.

There's no legal penalty for being stupid. Until you leave your hospital room/bubble/cell/ward/cave. If you want to interact with the rest of the world, you're expected to maintain a reasonable level of rationality and common sense.

Re:Limerick

[jabber]

Haikus add no worth
A crafty form of trolling
Author lacks humour

Re:Couldn't it be argued however that....

[webrunner]

I just realised why the reason that the number of idiots doubles every 18 months.

As teh world becomes more techno-centric, the 'average' level will continue to raise as mor eand more people actually figure out what a 'program' is other than a few flashy pictures and the occsaional rocket launcher- and therefore the 'bar' is raised, so more people of the same intelligence as originally considered smart are now considered stupid.

This post is inherently pointless, I realise this, but i don't care!

----
Oh my god, Bear is driving! How can this be?

Re:..other cases of redundancy

[zeck]

You're looking at legal punishment as revenge rather than a precaution to make sure it doesn't happen again. I don't know all that much about it and I don't want to argue about the faults of the penal system here, but it seems to me that someone who kills a homosexual just because he's a homosexual is pretty likely to kill other homosexuals in the future. He probably should be given a stiffer sentence than a guy who killed someone in a bar fight and isn't likely to do it again.

Haiku in retort

[575]

A troll, this poet?
These posts you spite belong here
Ever relevant

Re:Haiku in retort

[BorlandInsider]

Haiku, Limericks
What more can I ask now than where's Natalie Portman?

Re:Haiku in retort

[575]

Natalie Portman!
OOG, the eloquent cave troll!
Hot grits down your pants!

Re:Haiku in retort

[BorlandInsider]

Oops.. Sorry bad formatting on the prev. submission. :-)

Haiku, Limericks
What more now can I say than
Where's Natalie Portman?

No

[42821128607675]

This is a problem with the actual scripting environment that is to blame. Attatchments hae been given a bad name because of the fact that people are forced to use an OS that is completely stupid when it comes to any security issues at all. I never fear opening up an attatchment in say Xemacs because I know that there is no way unless I specifically tell the app to run any code that any code will be run. Also you have to understand that there are Mac ports of various office apps from MS and last I checked Intel didn't fabricate the Machintosh processors.

Internet Licenses?

[Obiwan+Kenobi]

I realize this is radical.

It's more than radical. Its ridiculous.

There's no way that even HALF of the internet users would be able to complete HALF of those courses. Let alone the kids who go on just to check out blues clues or Pokemon. The way the system is, and works, and runs (and looks like its going to continue going this way), the stupidity and laziness will ALWAYS be there.

Think of this: What about the stupidity and laziness of sys admins? Blame the users, but who runs the isps and the AOLs? When you try to track down a problem, you need to start at the source.

Here's an example: Say Joe Sixpack is having a problem with his car. Would you blame Mr. Sixpack for a bad alternator? Or would you blame the car dealer? Or would you blame the car manufacturer?

You can break it down as far as you want. The last thing we need is Internet Licenses. You think we don't have any privacy NOW?

Re:..other cases of redundancy

[Danse]

Yeah. Hate crime legislation is just an attempt at criminalizing thoughts. It shouldn't matter what you were thinking when you killed someone. What matters is whether you killed them or not and whether you intended to kill them or not.

Intentionally, what does it mean

[Ghost-in-the-shell]

Ok, I just had to reply after reading all the useless flame I saw. How will the courts view "intentionally", will the law go after the code writer, or the person who does the most damage? How about when it was a accident? Or if your are like me and the address book everone in my company uses has everyone else on it? (Company address book == User address book) there are a lot of questions raised over this. Also, what happens when the virus comes from out of the state? We can draw simple lines in the sand, but the courts will use a microscope to draw thouse lines. -Ghost

The bigger issue

[NatePWIII]

Forget about this silly virus "war" that is going on what the government really needs to do is outlaw these "big brother" organizations that go around violating everyone's privacy. I'm talking about companies like doubleclick and others. This is the real ticking time bomb...


Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com

Re:Burden of Connecting

[rjamestaylor]

If you pass a virus to another person, you are liable for fines up to $15,000 -- more if it's an incurable disease. (We could call it "the burden of breathing.")

I was chuckling at your response (and agreeing with you) and then I remembered: food service workers ... Typhoid Mary ... "Employees Must Wash Hands" .... There are constraints placed on us in all kinds of circumstances where we interact in society. It was said:

Your right to swing your arm ends where my nose begins.

When what we do (or don't do) affects others, we need to be on the alert for regulations. No Smoking.

Re:Couldn't it be argued however that....

[Kaa]

IANAL, But I believe you'll find that intent is important in US law. If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.

IANAL, too, but as far as I know:

Intent to kill -- 1st degree murder

No intent to kill, but either intent to do harm, or ... er, forgot the proper word, but the meaning is that maybe you didn't want to kill but you should have known that what you are doing will kill ("a reasonable person in the same situation will realize that...") -- 2nd degree murder.

No intent to kill, no intent to do harm, but something like negligence -- manslaughter.


Kaa

Re:Burden of Connecting

[mparcens]

The problem is that unless people are prompted to do so, they, by in large, will NOT learn from their mistakes, not become security conscious, and will likely run the next .VBS script that comes their way.

The problem is not the fact that clueless people are on the internet. The problem is that those people are inhibiting the usability of it for the rest of us. Why not apply your Darwin approach to the "license test". Make people take an initative and get some clue before they go spamming my mailbox. Those that fail the test, well there's your Darwinism.

_________________
JavaScript Error: http://www.windows2000test.com/default.htm, line 91:

Re:Pay attention to the bottom of the article:

[Kaa]

holding users responsible for their privileged passwords is a good idea.

To the tune of putting them in jail for five years?! Doesn't this strike you as something between utterly ridiculous and very, very scary?

Kaa

Re:Programs should have built in security to stop

[zmooc]

Flamebait: Windows doesn't have a root prompt 24/7/365. It's more like 23/7/365.

Re:Burden of Connecting

[rjamestaylor]

Do you really want to install *yet another* bureaucracy over us?

No. We're just having a discussion; debating the idea. I'm not for this, just thinking.

Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise."

Or it's a way of saying "you don't have the right to be here; you must prove that you're able to bear the responsibility." Don't freak: I'm describing a driver's license. So, what if this was applied to running Internet-connected computers? Better put: what if your OS and Software had to be approved for Internet use before you could put it on the 'net? Put the onus on the OS/Email/Services programmers.

The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity.

If your car rolls down a hill and smashes into someone's property (or person) you may have had no Means, motive or opportunity to commit a crime but you'd be liable (civilly) nonetheless. And, if it could be proved that you were recklessly endangering others, you could be held criminally responsible, too (involuntary manslaughter, for example).

I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.

Re:yup, it's in the constitution

[sqlrob]

This doesn't cover it.

States can't regulate interstate commerce. The internet falls under that, especially considering the precedents set by challenges of the WA anti-spam law.

Read Clause 2 carefully. If they were somewhere else AND DIDN'T GO ANYWHERE, PA can't do diddley. They aren't fleeing, they committed the crime in one state from another state. This type of problem isn't really covered in the constitution, since you really didn't have to worry about stuff being triggered in one state from another.

Re:Burden of Connecting

[quonsar]

complete a proper system security class

taught by who? MSCE's? Fat lotta good that'll do....

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Re:Microsoft wants it to stop piracy

[The+Man]

I believe the standard reply is "Windoze isn't a virus; a virus does something."

Re:So, virus writing is worse than rape now?

[NaughtyEddie]

So why do drug dealers have to be locked up with murderers and rapists? Do you know what the definition of "drug dealer" is in law? It's not just monsters pushing heroin onto 6-year-olds.

Full text of the Bill (actual text, no link)

[AllynKC]

It's a slow day at work; so I cut-n-pasted the full text of the bill for all to read (below). I think the most significant aspect of the bill is that, for the first time the term "computer virus" is defined by law.

I am curious about one thing. IF a virus like "Melissa" or "I Love You" were to strike again, and IF the person who initially launched the virus lived in PA; what would the number of resulting lawsuits against the perpetrator do to the court system? The PA courts would get backed up as badly, if not worse, than the mail servers that handled the virus.

----------- Full text of the Bill -----------
THE GENERAL ASSEMBLY OF PENNSYLVANIA

SENATE BILL
No. 1077 Session of 1999

INTRODUCED BY EARLL, O'PAKE, WHITE, HART, LEMMOND, TILGHMAN, ROBBINS, WAUGH, KASUNIC, WOZNIAK, SCHWARTZ, RHOADES, THOMPSON AND BOSCOLA, SEPTEMBER 7, 1999

SENATE AMENDMENTS TO HOUSE AMENDMENTS, MAY 8, 2000

AN ACT

Amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, further providing for unlawful use of a computer.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Section 3933 of Title 18 of the Pennsylvania Consolidated Statutes is amended to read:
3933. Unlawful use of computer.
(a) Offense defined.--A person commits [an] the offense [if he] of unlawful use of a computer if he, whether in person, electronically or through the intentional distribution of a computer virus:
(1) accesses, exceeds authorization to access, alters, damages or destroys any computer, computer system, computer network, computer software, computer program or data base or any part thereof, with the intent:
(i) to interrupt the normal functioning of an organization [or]; or
(ii) to devise or execute any scheme or artifice to defraud [or], deceive or control property or services by means of false or fraudulent pretenses, representations or promises;
(2) intentionally and without authorization accesses, alters, interferes with the operation of, damages or destroys any computer, computer system, computer network, computer software, computer program or computer data base or any part thereof; [or]
(3) intentionally or knowingly and without authorization gives or publishes a password, identifying code, personal identification number or other confidential information about a computer, computer system, computer network or data base[.]; or
(4) intentionally or knowingly engages in a scheme or artifice, including, but not limited to, a denial of service attack, upon any computer, computer system, computer network, computer software, computer program, computer server or data base or any part thereof that is designed to block, impede or deny the access of information or initiation or completion of any sale or transaction by users of that computer, computer system, computer network, computer software, computer program, computer server or data base or any part thereof.
(b) Grading.--An offense under subsection (a)(1) is a felony of the third degree. An offense under subsection (a)(2) [or (3)], (3) or (4) is a misdemeanor of the first degree.
(c) Definitions.--As used in this section the following words and phrases shall have the meanings given to them in this subsection:
-"Access." To intercept, instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system, computer network or data base.
-"Computer." An electronic, magnetic, optical, hydraulic, organic or other high speed data processing device or system which performs logic, arithmetic or memory functions and includes all input, output, processing, storage, software or communication facilities which are connected or related to the device in a system or network.
-"Computer network." The interconnection of two or more computers through the usage of satellite, microwave, line or other communication medium.
-"Computer program." An ordered set of instructions or statements and related data that, when automatically executed in actual or modified form in a computer system, causes it to perform specified functions.
-"Computer software." A set of computer programs, procedures and associated documentation concerned with the operation of a computer system.
-"Computer system." A set of related, connected or unconnected computer equipment, devices and software.
-"Computer virus." A computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner of the computer, computer network, computer program, computer software or computer system that may replicate itself and that causes unauthorized activities within or by the computer, computer network, computer program, computer software or computer system.
-"Data base." A representation of information, knowledge, facts, concepts or instructions which are being prepared or processed or have been prepared or processed in a formalized manner and are intended for use in a computer, computer system or computer network, including, but not limited to, computer printouts, magnetic storage media, punched cards or data stored internally in the memory of the computer.
-"Financial instrument." Includes, but is not limited to, any check, draft, warrant, money order, note, certificate of deposit, letter of credit, bill of exchange, credit or debit card, transaction authorization mechanism, marketable security or any computer system representation thereof.
-"Property." Includes, but is not limited to, financial instruments, computer software and programs in either machine or human readable form, and anything of value, tangible or intangible.
-"Services." Includes, but is not limited to, computer time, data processing and storage functions.
(d) Restitution.--Upon conviction under this section for the intentional distribution of a computer virus, the sentence shall include an order for the defendant to reimburse the victim for:
(1) the cost of repairing or, if necessary, replacing the affected computer, computer system, computer network, computer software, computer program or data base;
(2) lost profit for the period that the computer, computer system, computer network, computer software, computer program or data base is not usable; or
(3) the cost of replacing or restoring the data lost or damaged as a result of a violation of this section.
Section 2. This act shall take effect in 60 days.

Re:Full text of the Bill (actual text, no link)

[muldrake]

Incidentally I was once prosecuted under this law before its current revision.

I wrote an article in two parts about that for Phrack about that.

Re:Haiku

[austad]

Microsoft Outlook
Poorly written Petri Dish
Microsoft Lookout!

Limerick

[jabber]

There once was a poster on slashdot
Who posted Haikus and would not stop
We laughed, then we flamed
'Cause the gimick got lame
And hoped for a 'bitchslap' or some-such

;)

�as pointless as most computer related legislation

[haus]

Does anyone believe, even for a moment, that this will have any more effect to the production and distribution of viruses, than the anti-spam legislation has had on the amount of junk email being distributed? Please... It is further proof that are legislative system is unable to address technical issues effectively.

all persons, living and dead, are purely coincidental. - Kurt Vonnegut

Stupid Users

[Compenguin]

Alot of the blame should go to idiodic users. Any user who executes a vbs virus (like iloveyou) should be executed!!! you can look at the source but the stupid idiots open it anyway.
-Compenguin
The Jedi of the Prequels

Re:Burden of Connecting

[Randym]

Better put: what if your OS and Software had to be approved for Internet use before you could put it on the 'net? Put the onus on the OS/Email/Services programmers.

OK, I like this a little better. Ideally, the marketplace will winnow out buggy and insecure programs. BUT -- there will always be people who will write software and just put it in their FTP directories for anyone to download. And there will be people who will use it just because the cost = $0.

I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.

What is ironic is this: in the old days on the Net (before '95), *everyone* would leave their system open so as to facilitate email forwarding. The idea that people would DDOS was simply unthinkable. I'd say that there is nothing wrong with leaving your system open -- providing you monitor it carefully. Most DDOSing is done using server farm machines that are only loosely monitored (the rationale being: "Well, all this machine does is serve pages and there aren't any user accounts on it, so we won't bother with checking it unless it goes down."). But you are right about one thing: personal responsibility is important. The only thing I disagree on is the theory that people need to be monitored, checked and licensed to make sure that they are being responsible. Children may need such strictures -- but adults aren't children.

Re:Burden of Connecting

[rjamestaylor]

Driving licenses are traditional, they've always been around.

Define always. To me and you DL's are eternal requirements. To my grandparents (who lived before autos were common) DL's did not exist at one point. What changed? Automobiles became an integral part of American life and commerce. Bad (dangerous, ignorant, reckless, et al) drivers were no longer merely a threat to themselves but to all drivers around them and to normal business conducted over-the-road. Something had to be done, so regulations were made and minimum standards were set.

what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting.

Okay, I rearranged your quotes to make this point: because the Internet is integral to business internationally it may become necessary to make regulations and establish minimum standards. Scarry.

You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.

Okay. Maybe we require that the OSes and Internet-connecting programs (don't ask me to define them all, I'm just thinking out loud!) be certified to operate on Internet-connected devices. Sure, let the CEO use the net -- but not with Outlook and Windows Scripting Host enabled! Who enforces this? The ISP? (Hmmm....).

It's a DAMNED HOAX

[Spiff28]

I apologize for the stupid topic, but honestly, I'm just trying to get eyes here. The whole Aureate ordeal has been around for quite some time. It's also been debunked for some time. Debunked as in a hoax. It's not quite a hoax, but it's not Big-Brother either.

The 'spyware' program does nothing more than say what ads have been received, and what have been clicked. Period. I don't know about you, but I don't do my surfing through ads. Hell, I get weird enough ads from Doubleclick crap as it is.

The problem is that this has been claimed as spyware.. ie: it monitors your surfing habits, and I've even heard that it could see which programs are installed on the HD. This is where the paranoia overtakes the fact.

I have yet to see comprehensive proof that this does (only or all of) what either side of this issue says it does. Most people take for proof that Aureate/Radiate is evil the presence of any of the 'bad' DLL's.

The program has been proven to exist, true. Get some simple network tools and a little registry viewer and sure enough, you'll notice something's set stuff up in the registry, and something's calling home. Nobody has given proof that shows what it's actually doing beyond that.

It's a task I'd think someone in the /. audience would be glad to undertake. At this point both my curiousity and rage at the propensity of this falsehood to spread so easily are motivating me to crack down as much as I can. Only.. I don't really have the time, I don't have the resources or knowledge either. Someone needs to just sit down with a packet sniffer on a controlled network, and see what's up. I personally, can't tell what to look for, but I'm positive that someone can.

Steve Gibson claims that some of the scarier stuff like arbitrary execution has been proven. I ask... show me the proof.

Re:It's a DAMNED HOAX

[TheReverand]

It's also been debunked for some time

Where was it debunked? As far as I'm concerned, any software that wasn't installed by me, shouldn't be there.

something's calling home Exactly, something is calling home without your permission. Isn't that enough? Where do we draw the line? Sorry but you haven't offered any proof as to it being a hoax.

Re:Why limit it?

[Zebbers]

I agree totally with the drunk driving thing...although I'd support injecting them with a lethal dose of pure alcohol.

Also, for sex offenders: straight castration and sodomizing with a cucumber will suffice. I'm not kidding. When I lived in ohio, there was a story in the papers about some girls mother and brother(i think) who kidnapped the girls molestor and wrote on him with magic marker and assaulted him with a cucumber. Justice was served. These people choose to do these things and should face consequences. Look at any sexcrimes victim...they live with it for every minute of every day of the rest of their life. And the offender? 3 years? with all of it suspended minus the time in jail during the trial and a few years probation? Give me a fucking break. People(read: criminals in this context) are so apt to blame others and get away with it. Maybe if we had people take responsibility for their actions theyd think twice beforehand.

Re:Couldn't it be argued however that....

[extar-bags]

The company my father works for paid through the nose to fix the iloveyou virus. How did it spread, you ask? The company sent out a warning saying "do not open any email with the words 'I love you' in the subject line." Apparently, somebody didn't see a problem with an email saying "I luv you" as the subject.

What about Trojans? - Defintion of a virus

[neojikuu]

It'll be mighty tough to find a way to categorize everything as to whether it is a virus or not. For example, back orifice is touted as a 'Server Administration Tool'. Plus, so many viruses now email themselves to others without their knowledge. How can you charge these people with a crime? Also, If a person knows they have a virus, but they continue to go online although they know the virus will attempt to spread itself, does that make them outlaws? It's almost like the recent court case about the person who had AIDS, but had sex with various women anyway without telling them.

Re:What about Trojans? - Defintion of a virus

[randombit]

It's almost like the recent court case about the person who had AIDS, but had sex with various women anyway without telling them.

IIRC, in some states you can be charged with attempted murder for such behaviour. Though maybe I'm just thinking that because that guy was charged with something like that, and it was more of a one-time thing.

This is great!

[ZikZak]

Now I can sue all those bastard MS Outlook users who have me in their address book, and hopefully put them in prison, too!

Re:Humor - "Intentionally" in the virus bill

[BigBlockMopar]

Criminal negligence, perhaps?

A parallel:

"But, Your Honor, I didn't know that drinking those bottles of Colt 45 would cause me to lose control of my station wagon and run over all those preschoolers..."

Outlook users: you have been warned.

Why it makes sense

[Obiwan+Kenobi]

Everyone is overreacting. And to tell you the truth, I'm in favor of this law. You know why? Because the entire End-User Population suffers from the "Who, me?" Syndrome.

"I just started my email program and the virus ATTACKED my computer!"

Bullshit. That virus got on your computer because it ASKED you if you wanted to open it. This law says that users might have to (God Forbid) accept responsibility for their inept actions. They might actually THINK about opening the attachment before they do. Anti-Virii software, as said in other comments, is reactionary. Once you open the attachment, the damage is done. Why is taking responsibility such a horrible thing?

I admit that the law is vague. But its also worthwhile. People should take more time into exactly what their doing with their computers. Computers are not evil, they don't have feelings, or consciousness'. They do what you tell them or let them. They ask you questions, and how you answer them is your responsbility .

Taking time to look at your email and realize that it may be bad for your computer Is Not A Bad Thing(tm).

Re:Why it makes sense

[zombieking]

I couldn't agree more. God forbid someone has to take 3 seconds out of thier day sifting though jokes and BS email to save the file to thier hard drive and scan it...

Re:VIRUS Definition

[$lacker]

It says may replicate.... if you give the original program to someone else (the game it's attatched to, or whatever) then it will have been replicated, even tho it doesn't seem like a necessary thing.

Link to CNN

[LaNMaN2000]

The link to CNN should be CNN and not http://www.slashdot.org/www.cnn.com.

Re:Burden of Connecting

[rjamestaylor]

As far as passing on viruses goes. The people who are not protected pose absolutely no threat to the people who are.

True, on my personal system I have no fear or worries about others' systems being exploited. I never got one of these macro worms sent to me, yet. But it does harm me. Very much. For one, my mail servers at work and elsewhere are overwhelmed with the exponential flood of garabage that is sent during the height of these attacks. Moreover, I've been spammed to death by people leaving their sendmail (et al) servers open for relay. Maybe ORBS is not enough. You wanna run a mailserver? Get a license.

We're just talking, here. I'm not suggesting this should happen. be my guest: Shoot me down.

cool, sue microsoft

in cases like melissa, it's microsoft software that is facilitating the transfer of the virus. They put the auto-preview in *intentionally*, and were responsible for all the dodgy code. So get them.

Re:So, virus writing is worse than rape now?

[Prion23]

That's correct. In a society that values property more than people, stuff like this will happen. Look at how long Kevin Mitnick was in jail without even a trial. Did he rape or kill anyone? We have murderers being paroled in 18 months here in Pennsylvania. I wish some of these politicians would take a walk around MY neighborhood. Then perhaps they would see how backwards this criminal justice system is.

licensing vs. certification

[JimBobJoe]

One of the problems I have with this is that transportation laws are actually much more flawed than one thinks.

The first thing is, driver's licensing is a process that has been applied to an concept which has been considered a privilege and not a right. As far as I am concerned, this is a completely absurd idea. It's this silly concept that has allowed all sorts of privacy invading regulations be promulgated with respect to licensing, like fingerprinting for licenses. (Which has nothing to do with being able to drive at all.)

Now its not that I don't believe in the usefullness in knowing who can drive and who can't. Although driver's licensing is actually not necessarily made to check that, it is made to act as something like a credit report...so you know who is collecting the accidents and tickets and who isn't. ("One driver, one license") The testing thing is not only new, but not necessarily a great indicator as to how the person is going to drive all the time when there isn't a paatrolman in the car.

What's funny in my mind is that a driver's license does not authorize a person to drive a car in many states. It's a license *and* having insurance that allows you to drive. You can get a license without insurance, but you can't get insurance without a license. And having a license doesn't guarantee that you can find someone to insure you. So is the license a necessary document? Why don't we just have insurance companies give out the licenses?

Essentially, the result is that the license is no longer permission to drive as much as it is certification that the state thinks that you can handle an automobile.

With regards to the internet, who would do the certifying? Maybe the ISP. And they can handle the insurance too. Hey...and if you screw up...the ISP kicks you off. Wait...isn't that what we do now?

intent

[DGregory]

As a few other people have said, the key word is "intentional". Intentially doing anything harmful is generally illegal. Intentially giving someone AIDS is illegal, but if you don't know you have AIDS, it's not punishable. So intentially creating a computer virus and passing it around is illegal in PA, but if you inadvertantly received the virus and unintentially passed it around, you can't be punished. Makes sense to me. I think most states should do this.

Re:intent

[DGregory]

I disagree. I think the two terms are interchangeable, at least in this case. If you don't know about it you can't be intentionally spreading it. Using a Microsoft product is not even necessarily knowingly spreading viruses. People who clicked on the attachment didn't know that it was a virus. People who DID know it was a virus and still clicked on the attachment, should be charged with stupidity, but basically, it wouldn't hold up in court, because you can't really prove that they intentionally (knowingly) spread it. The person who WROTE the code, however, they have a lot better chance proving that they distributed it. If they wrote it, they knew it was a virus. If they unintentially spread it out, on accident, then they still didn't knowingly spread the virus. They still didn't INTENTIALLY spread the virus. See? the terms are interchangeable.

Re:intent

[Yardley]

The courts have shown on many occasions that they are incapable of understanding the technology behind the Internet. Do not give them a law which they can mess up with the severe result of a person going to jail for 7 years. Besides, making viruses is a good thing for the health of the Internet. Without viruses, the holes in our security will not be known. These holes can be fixed, but only if we know about them (or, in Microsoft's case, if we know about them twice). I do not want to live in the future where true terrorists can use viruses to truly damage the Internet because we did not allow them today.

What exactly does the program do?

[42821128607675]

Usually the delivery mechanism is less harmful than the actual operation of a program so precisely what does it do and furthermore does the company still impliment it?

Re:Too ambiguous of computer laws

Where is the 'innovation' in writing a virus to 'see how it works'?? It's not a new area of research, so it hardly advances science to fiddle around so.

Seems like a lot of people here want as much wiggle room as they can.

Re:Why limit it?

[drac]

Why the "intentional" requirement? What about negligence?

Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

In such a case, the surgeon is held to higher standards of responsibility because of his profession- so if the comparison is made to stick legally, computer professionals would be held liable for negligence, while J. Random User would not.

I'm not sure

[operagost]

What if in 1820 you sent a slanderous letter about someone to the editor of the Chicago Times from New York? Where was the crime committed? Naturally, the "latency" is really high here considering the technology at the time, but inventions like the telegraph made issues like this possible at a fairly early date. I'm sure there's someone in law around here somewhere with a precendent that can help clear this up!

Also, check section 1 again:

Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State.

It's legal to try people in absentia in Pennsylvania, so if Joe California blew up Bob Pennsylvania's server, and it held in a hearing that Joe committed the crime in PA, they could wait for Joe to show up (heh), and they decide to try him anyway in his absence. That's really pushing it, but so is UCITA. If found guilty, California would have to deliver poor old Joe to PA.

So, let me get this straight....

[zombieking]

Spreading a virus is illeagal, but creating one is not? If that's the case, would the virus author be able to get off totally scott free or would he be considered an accessory to spreading a virus?

but...

[hugg]

but what if I sneeze?

Humor - "Intentionally" in the virus bill

[Seth+Finkelstein]

But does using Microsoft Outlook count as intent? :-)

Re:Humor - "Intentionally" in the virus bill

[malkodan]

Hey, now we have a solid reason to sue M$ and put Bill at home, ummm, jail.

Re:Humor - "Intentionally" in the virus bill

[Darguz]

Criminal negligence, perhaps?


--

Re:So, virus writing is worse than rape now?

[herbierobinson]

And what if the virus crashes a hospital computer system?

Yeah PA

Wow, PA was actually the leader in something.

Some Outlook viruses are not attachments...

[Spunkee]

My computer illiterate friend was hit by the KAK worm virus. It executes an ActiveX control that was incorrectly marked safe-for-scripting by MS. This control allows the calling program to write to the hard disk.

It was a non-destructive virus that works on a calendar, so my friend didn't even know he had it on his computer. The e-mail it came in had no attachments. Just the HTML code in the signature that ran the virus (note that the code was invisible when viewing the message by normal means).

He ended up sending the virus to several people, and me and him had a hell of a time with a couple of other people who thought he did it intentionally (it's a long story about how I managed to get involved, e-mail me if you want to hear it).

Now it's MS's fault that such bugs were in place to begin with. It was my friend's fault that HTML was the set message sending format (the virus won't work with plain text messages). It was also my friends fault that he had no anti-virus software running, and his security settings were too low to catch the virus. And it was also his fault for never applying the patch from MS that keeps the virus from being able to run.

However, he was simply using the default settings because he didn't know how to change them. He never knew about a patch (and even if he did, he wouldn't be able to apply it).

I know one thing for sure is that he didn't intentionally send the virus to anyone. He never opened an attachment. He never saw a warning message.

The reason I'm writing this is because I saw a post or two saying that people who open a virus attachment after seeing a warning message are spreading the virus intentionally. Not all viruses are in the form of an attachment.

And finally, to those of you who are going to say something to the effect of: "You friend must have done it on purpose, because he's too stupid to be using a computer in the first place." Well I say "Get real." Not everyone can be a 733t h4>And I'll say it myself, he is extremely stupid with his computer. But that's no reason to say he must have intentionally propagated the virus if he opened it to begin with. Even with all this talk on the news about viruses being attached to your e-mail, it still doesn't sink into non-computer-nerds.

So what's the solution? I'd say we need to spend more effort on finding the original maker of the virus. But of course, that's not completely fair, because some people don't make viruses maliciously (some may do it for the hell of it and never expect it to be released into the word).

Maybe we should just investigate someone who sends a virus by looking at their history. If they're completely computer illiterate, they probably didn't mean to send it. Otherwise, investigate it a little closer. And finally, take it to court if it looks necessary.

// Spunkee

READ people!

[Mdog]

I'm pissed off. This story is over a day old, and the article clearly says that it has to be intentional. If it's worth posting on /., it's worth READING THE ARTICLE and maybe even posting it relatively soon after it hits CNN.

*grrr*

Mike

Re:READ people!

[Achaeon]

Anal much?

Re:Burden of Connecting

[rjamestaylor]

You sir, make me want to find out where you live so I can slay you before you do any further damage.

LOL!

It's easy to find.

Haiku

[575]

Unleash a virus
Fun for the first few minutes
Then the cops show up

Re:Haiku

[ZZane]

Way too much Haiku
Someone please stop this madness
FIRST HAIKU FLAME POST!! :)

-Zane

What if you got authorization?

[Jeff+Bell]

I'm surprized that none of the viruses have tried this yet, but what would happen if the virus first popped up a dialog box with a lot of legalese at the beginning, but a dozen screenfulls down includes as terms:

...

19. I understand that this software may send copies of itself to everyone in my address book.

20. The authors of this software shall not be held responsible for any data that may be lost.

Certainly a very large portion of the population would click on the [ACCEPT] button as a matter of reflex. It wouldn't even make it out of the brain stem.

Would the author of this virus be subject to prosecution?

Would they be safer in states that have passed UCITA?

-Jeff Bell

Re:Couldn't it be argued however that....

[muldrake]

IANAL, too, but as far as I know:

Intent to kill -- 1st degree murder

[Excerpts from the law.com dictionary]:

n. the killing of a human being by a sane person, with intent, malice aforethought (prior intention to kill the particular victim or anyone who gets in the way) and with no legal excuse or authority. In those clear circumstances, this is first degree murder.

This requires more than an intention to kill. If you get in a bar fight, and then kill someone in a fit of rage, that is second degree murder.
Malice in second degree murder may be implied from a death due to the reckless lack of concern for the life of others (such as firing a gun into a crowd or bashing someone with any deadly weapon).

So dropping a large object from an overpass would count as second degree murder, because you couldn't possibly do such a thing without realizing it was likely to cause grave injury or death.

There are also other instances, such as felony murder, in which participation in a felony in which a murder occurs can result in a conviction for murder, even if the person in question did not personally commit the murder.

IANAL.

harsher rap than assault or bank robbery

[Wansu]

The message is loud and clear: We want to keep using mIcKeY$oFt crap. If you rain on our parade, we're going to nail you good.

So they're going to send someone up for 7 years in PA. In NC, that's the penealty for bank robbery. Does passing a virus rate that much time? It's more than B&E, assault, assault & battery or assault with a deadly weapon. Either the penalties for these ought to be increased or they ought to back this don't For crying out loud. Every thing on the books is getting ratcheted up to 7 years. This breeds contempt for the law.

Hello...intenet...

[ryanhos]

It's obvious what will happen. Nothing. If you do not have the 'intent' to harm, they can't do anything because it was out of your control. If you brakes on your new car totally fail and you mow down a little old lady, who gets sued? Ford. Same situation.

Re:What about AOL mailing you it's disks?

[wishus]

I actually got an AOL disk in the mail - back in the day, before they started mailing you coasters - that had a boot sector virus on it.. Straight out of the shrinkwrap!

wish
---
$ su
who are you?
$ whoami
whoami: no login associated with uid 1010.

definition

It would be interesting to see exactly how they define a virus. It could be a broad enough definition to include chain letters and such. Anyone got the exact wording of the law?

Wait a sec..

[BilldaCat]

So this basically kills virus research if this goes nationwide?

I can't go asking for a copy of Melissa or ILOVEYOU now to examine it, as someone would have to intentionally send it to me.

How will virus companies be affected?

Re:Wait a sec..

[b_pretender]

It said spread the virus.

Emailing the virus to McAfee so that they can analyze it isn't going to spread the virus.

--

Re:Wait a sec..

[randombit]

Emailing the virus to McAfee so that they can analyze it isn't going to spread the virus.

Never know, maybe they're using Outlook too. :)

Re:Burden of Connecting

[muldrake]

How about a license to connect to the Information Super Highway?

Your blue-sky proposal is ridiculous. Who is going to set up the "test";

How about ME!

who is going to administer it;

ME there, too!

what penalties will there be for "driving without a license", etc.

Why, the only penalty that matters, of course! DEATH!

Do you really want to install *yet another* bureaucracy over us?

No need for any bureaucracy. Just give me a few million and the bullets ;-)

Re:Couldn't it be argued however that....

[JordanH]

• Kids throwing bricks off of overpasses aren't trying to kill people, they're just stupid and think that it's funny. Nevertheless they still do kill people sometimes, and rightly get prosecuted for it whenever they are caught whether or not there was an actual death. Just being stupid doesn't absolve you from culpability for doing the wrong things, especially when you could reasonably have been expected to know that your actions were a bad idea.

IANAL, But I believe you'll find that intent is important in US law. If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.

Being stupid isn't the issue, intention to do harm is. Now, there are crimes of negligence. If you can be reasonably expected to know not to open attachments that might do harm and you do it anyway, you are guilty of negligence.

I don't think that it's been true in the past that people could reasonably be expected to know not to open attachments, after all, so much of their work requires them to open attachments, even attachments with executable content. It may be true that now or in the near future, it would be considered to be negligent to open attachments that may have executable content if you don't have a good idea as to what that content is or will do.

It's almost getting to the point that anyone who sends ANY executable content in email using insecure facilities like VB or Word Macros, as opposed to languages that support a relatively safe programming environment like Java, are being negligent in that they are helping to set the stage for future worms and Trojan Horses.

-Jordan Henderson

Tricky...

[PopeAlien]

How do you *prove* the "intention" to spread the virus?

Are we going to throw a lot of clueless people in jail?
-

Re:Tricky...

[Bob+McCown]

Ive got a few clueless ones here at work that opened the ILOVEYOU virus after we had warned them about it...

Re:Tricky...

[BigCheese]

We still had people opening them here this week. We finally had to tell people if they opened one their email would be cut off and their supervisor would have to call and explain to get it turned back on.

Re:Tricky...

[Eggplant62]

PopeAlien mumbled some stuff about:

• How do you *prove* the "intention" to spread the virus?

  Are we going to throw a lot of clueless people in jail?

• Put enough lawyers on the job and they'd be able to find proof. Trust me though, more clueless assholes in jail wouldn't bother me one bit. Having done more than my share of service calls to remedy stupid user tricks, like the butthole I visited yesterday who couldn't be bothered to remove the plastic tape from the toner cartridge before putting it in her HPLJ5 printer, I'd be happy to see more stupid folks tossed in the slam. It's my belief that before one can purchase or use a computer, one should have a license to prove they know at least the simple stuff about how to operate it.

Re:Welcome to Pennsylvania

[mavenguy]

Not only the M$ requirment for state software; how about this state run Portal site, to be built with M$ help? The Ridge Administration has its head well up Bill's butt...They must love the smell.

I know one employee of a State agency who recently grabbed a "surplus" computer for use in his office. He promptly wiped Windows and put on Linux. Oh, yeah, He's the leader of the small, local Linux Sig. What a coincidence.

The ILOVEYOU work hit my computer at work (a private company near Philly; all 100% M$ (Gotta eat) as I was just loging onto Floutlook. After about 15 mins the sysadmins paged the company not to open them and severed our external mail connection for most of the day.

Microsoft's antiviral s/w is surprisingly good

[bmidgley]

Microsoft really does get things right every once in a while -- even I'll admit it.

They're getting into the antiviral act with their own package and it's already proven to be highly effective.

The good news is that you may already have a copy! It's called the "Microsoft Outlook Uninstaller."

Re:Define "Spread"

[DrgnDancer]

According to a Yahoo! article someone posted above (Sorry, I'm to lasy to find it), one of the requirements is that to be a virus (legally) it has to do something without your knowledge. If I e-mail you a file and say "Here's a virus... don't run it, it'll screw your day up.", you know what you what you are getting. By the definition of this law (as I read it), no crime was committed.

Penna

[AntiPasto]

Ya know... Pennsylvania is weird... a friend of mine works with GTE, and phone service in PA is a right which is very cool, and that PA residents are very knowledgeable of their rights. I think the right of phone service, along with the new virus laws, are an example of what other states should be considering.

Re:Penna

[dorkJedi]

IMHO, states should be wary of creating rights of society instead of rights of the individual. The rights of the individual should be made up of basic freedoms and nothing more. Otherwise, the basic freedoms of the inividual (such as the individuals right to his/her own property, in this case probably money) will have to be compromised in order to ensure that all of society has access to a telephone, for example. bp

Only fair.

[mindstrm]

It seem simple to me. If you intentionally write software that's purpose is to spread without the users knowledge and/or control and/or permission, and intentionally release it in such a manner that it would begin to spread in this manner, then you ARE doing something that has no useful purpose in society, and hence, wasting others time.

Re:Only fair.

[MasterAlex]

If you intentionally write software that's purpose is to spread without the users knowledge and/or control and/or permission, and intentionally release it in such a manner that it would begin to spread in this manner, then you ARE doing something that has no useful purpose in society, and hence, wasting others time.

Right. But nonetheless it seems to me that this is more a "public affairs" law then anything based on serious thoughts: The I Love You worm got a lot of attention in the press and so the government thought this may help for the next votes. 7 years are quite a lot, if you compare this to other crimes - at least you don't harm people with virii.

Re:VBS Worm Targets Gnutella

[muldrake]

"Possibly malicious in intent, but benign in reality, the worm uses the Visual Basic Script language to store itself on an infected computer in 23 different files named, for example, Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs."
From here

Battlefield Earth? Metallica? ROFL! Anyone downloading such crap deserves to get VBS scripts. Frigging NSync? They are certainly aiming this trojan at the proper audience!

It's been said before, but it bears repeating:

[Sancho]

(IDG) -- People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine in Pennsylvania after Governor Tom. Ridge signed a new bill into law May 26.

Key word is *INTENTIONALLY*.

Re:7 *years*? This is insanity.

[sik+puppy]

Only 7 years - Darwinism is much harsher with stupid people. Creating and loosing a virus should be a captial crime, KNOWINGLY forwarding a virus should be criminal, and those that are just stupid have enough of a burden. Now we just need a life guard on the gene pool - if it had one i'd need a new sig.

An interesting precedent...

[TopShelf]

This could possibly work out as a good early step towards defining workable laws relating to malicious hacks. The legal definition of a virus, the mechanism for determining recoverable damages, etc., are all pieces which, over time, will require further definition and refinement, but the basic premise seems sound.

Good luck on enforcing the law, though! I'd like to see what happens the first time someone creates a virus somewhere else, say Montana, and it damages a computer in Pennsylvania. Pennsylvania could argue for jurisdiction, but would Montana extradite someone all the way to Pennsylvania for prosecution?

as opposed to?

[aozilla]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "
what other kind of virii are there?

Microsoft Guilty?

[SparkyB]

Does this mean that Microsoft is liable if flaws in its software (namely Outlook and Word) allow viruses like Mellisa and ILOVEU to distribute themselves?

Passing virii around

[Ace905]

"My only question is what happens in the cases of a virus like the famed 'Melissa' who automatically passes it's self around?"

All virii pass themselves around. That's the definition of a virus.

My question is, what are the rules for spreading Trojan Horses. They are not virii as they do not replicate, but are malicious. Well then, if the law covers not virii but malicious compiled code, than can AOL be sued on another count for its client software obfuscating access to any other provider, or Microsoft for advertising in there installation programs. After all, its not something you were warned about or bargained for.

Intellectual Property can not be governed as if it were a physical product.

Re:Burden of Connecting

[Randym]

How about a license to connect to the Information Super Highway?

Your blue-sky proposal is ridiculous. Who is going to set up the "test"; who is going to administer it; what penalties will there be for "driving without a license", etc. Do you really want to install *yet another* bureaucracy over us?

Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise." Go back to France: that's where that bass-ackwards system of "justice" originated. Here in America we have a fundamental principle that people are "innocent until proven guilty".

There is a reason for having a driving test: you have to prove that you can adequately handle a ton-and-a-half vehicle at high speeds before you actually get on the road. A computer is not a car; if you crash your computer, no one else is affected. If you drink while programming, you'll just produce bad code, but it won't affect anyone else. Using your computer to design and upload a virus is using a tool in a weapon-like way. People *have* used cars as weapons, but I don't recall any questions on the Driver's Ed test about "Will you be using your vehicle to commit a homicide?" That's just as strange as asking someone "Will you be using your computer to commit a crime?" -- and who is going to answer *that* question in the affirmative anyway?

I realize the law says "intentionally" but what if a more proactive stance was adopted?

The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity. If a virus comes into your computer and uses the copy of Outlook you have installed to perpetuate itself, the means is there, the opportunity is there, but YOUR MOTIVE is not. Therefore YOU cannot be accused of propagating the virus. (Perhaps you could be prosecuted for maintaining an "attractive nuisance", but if you installed it in a manner so as to leave it in the default condition, then the software manufacturer is just as -- if not more so -- liable).

A more "pro-active" stance would only apply two of the three conditions -- perhaps your motive is irrelevant. Then you could be thrown in jail -- perhaps without even realizing that your computer passed the virus along -- just because a computer log somewhere had your IP address as the (from its point of view) origin. How would you feel about *that*?

Isn't this already illegal?

[xant]

I'm so sick of proposed legislation that clutters up our legislative process and confuses our enforcement process because it contains political buzzwords. This seems to me to be like passing a law that says "It's illegal to murder someone . . . with a gun."

Re:Burden of Connecting

[gsherman]

The burden of having safe and secure systems should be on those who write the software we all use. When somebody installs an OS (whether Windows or Unix-based) on a machine, that person should not have to configure the box every which way to Sunday to get it secure. It should be secure out of the box, 'cause we don't have all the time/patience in the world to tweak our boxes or all the money in the world to hire people who will do it for us.

OpenBSD, of course, is the model for this. Other software providers should follow suit. (Mandrake 7.0 is a step in the right direction.) Pretty soon we'll have to rely more heavily than ever on these software authors to make their products secure, because security issues are only going to get more and more complex as time goes by.

This law seems a little redundant (take 2)

[drenehtsral]

It seems that there are already laws that cover this. I have often seen the creators of unwelcome self-replicating programs charged with "unauthorized use of a computer", (sorta like unauthorized use of a motor vehicle) which is an effective catch-all for people who do anything to take control over other people's computers without their consent.
I think that the expedited creation of new laws in reaction to a phenomenon that most people in positions of power could never hope to understand, let alone competently regulate is a dangerous thing. I recognize that these legislators probably have teams of advisors, but i still worry about the original intent/usefulness getting diluted/lost in the legislative process.

Re:This law seems a little redundant (take 2)

[zeck]

It seems that there are already laws that cover this. I have often seen the creators of unwelcome self-replicating programs charged with "unauthorized use of a computer"

Read the article again. This law covers spreading the virus, not creating it. You no longer have to be the creator to be punished. If you find an old copy of Melissa and email it to a moron, you are now responsible.

And.. "why hasn't this.."

[Stskeeps]

Why hasn't things like this been included all over the world already? Does this mean in my country I can go around and spread a deadly virus that kills 50.000 people without able to get punished? Problem is, is it illegal for computer students to make those and spread them internally in controlled labs, so they can study the virus and don't harm others? - They should think about those laws at times.

Re:Optout Hype!

[EvilJoker]

the ads are the same as the ones on so many websites, I figured it was achieved similarly (a piece of code to get a random banner with its corresponding link) I had no idea it was anything like it actually is, and with good reason.

Re:Burden of Connecting

[rjamestaylor]

It should be secure out of the box

I can't help but think it's securest while still in the box...

Good points, though: why can't a system come in a state not easily exploitable?

Depraved Indifference....

[Wntrmute]

The clause that makes something like this 2nd degree murder is usually referred to as Depraved Indifference to Human Life. When you commit an act that falls under this, and it results in death, you can be charged with 2nd degree murder.

Here's a good way to keep homicide laws straight:

2nd Degree Manslaughter: You are driving down the road, obeying all traffic laws. A pedestrian runs in front of you, you hit and kill them. Like or not, you can be charged.

1st Degree Manslaughter: Same situation, except now you are speeding. (but not reckless driving, which would bump it up.)

2nd Degree Murder: Same situation, but you are drunk. Thus depraved indifference. (a murder during the commision of a crime usually falls in here as well, unless intent to kill is proven, which would bump it up.)

1st Degree Murder: This time you see the pedestrian, it's someone you hate, and want dead, so you run them over deliberately.

Note: Some states do not have a difference between 1st and 2nd degree manslaughter.

-Wintermute, IANAL, but I have a friend who is a law student.

What's the point?

[Uruk]

This seems like it's for show.

Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of dollars which he'd never be able to repay, no matter how long he lived.

You can punish a person harshly, you can even make it so that the person will never get away from the punishment for the rest of their lives, but fining somebody $40 million is pretty much the same thing as fining them $40 billion. At least the effect is the same, and the amount of money you'll actually collect is the same.

I say this because if you make it a crime to spread a virus and make it punishable by jail, restitiution, or fines, then anybody who spreads a virus (since they go all over the world) will be liable for damages in so many damn jurisdictions that it will be the same as fining them $40 billion, and just as pointless.

Not to compare virus spreading to murder, but just as an example of over-punishment - when Jeffry Dahmer went to jail, he got *400* years in jail. 400!!!! What's the point? Of course it was arrived at by adding the amount of time he got for each murder, just like the fine would be arrived at by adding the recompensation for each victim for a virus spreader.

An effective punishment would be a $0.25 fine and no restitution, since by the time everyone on earth got finished suing the poor bastard, he'd be in for millions. :)

Re:What's the point?

[boinger]

The point of sending someone to jail for an inordinate amount of time (in your example 400 years) is to make it impossible for them to get parole. This is common practice in Ohio (where I'm originally from). See, parole is granted on a percentage-of-time-served basis. So, you serve 20% of your time, you get out. Even serving "Life" has an assumed lifespan deal, so you can get out after a certain time. But, if your sentence is 400 years , you get to parole (using the 20% number) after 80 years. Good luck with the Vitamins to increase your lifespan.

Re:Burden of Connecting

[Broccolist]

So why to care if they mutualy contribute to their loss - the only thing they ruin is their own machine or network, but they rarely get those who are preventive.

By that logic, dueling to the death should be allowed. After all, the two fighters are mutually contributing to the fatality: the only thing they lose are their own lives, but they rarely get those who aren't interested in fighting.

I think it's reasonable to prevent people from hurting themselves, and much of American law is based on that principle.

Re:..other cases of redundancy

[Danse]

I'm talking about intent in the legal sense. The crime you are charged with and ultimately your punishment are often linked to intent (i.e. did you commit the crime on purpose, or was it an accident?). Intent in this sense does not take into account what you were thinking at the time, although those things can be examined to determine whether or not you intended to commit the crime. The goal is to determine, yes or no, whether you intended to commit the crime. Once intent is established, the case can proceed and you can be charged with the proper crime and receive the proper punishment. Your punishment should not be linked to your beliefs or your thoughts at the time, it should be determined impartially, based on the crime you committed. Any attempts to determine the beliefs of the accused, can never be more than speculation, even if you are able to convince a jury with that speculation. Speculation as to a person's reasons for committing a crime should not be used to determine the specific crime or punishment of the accused.

Pay attention to the bottom of the article:

[wrenling]

The article states:
"Accessing and damaging a computer or system is a felony of the third degree, facing a seven-year sentence and $15,000 fine. Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "

What scares me is the part where they refer to 'other confidential information.' That is such an amazingly grey area. And what constitutes giving out a password? Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

Just a few rambling thoughts from yours truly.

Re:Pay attention to the bottom of the article:

[kaphka]

I agree that "other confidential information" is too vague, but holding users responsible for their privileged passwords is a good idea. Everyone here knows that the general public often treats computers like toys, no matter how important they are. If a bank employee writes down his password and tapes it to his monitor, and the bank then loses millions of dollars due to his negligence, that should be treated as criminal negligence. (Assuming that his employers provided a reasonable amount of education and warnings about security.)

uhhhhhh

[vyesue]

"what about a virus like Melissa which automatically spreads itself around?"

why don't you read that agan real slow-like, and then ask yourself what the definition of a computer virus is.

Re:uhhhhhh

[randombit]

why don't you read that agan real slow-like, and then ask yourself what the definition of a computer virus is.

Actually, I saw reports of this elsewhere a last week, and the definition of 'virus' used in the law probably included worms such as Melissa. It was a pretty broad definition, it may even include things like BO2K and DDOS tools (I'll leave that for PA courts to decide, though).

Our government hard at work ....

[opencode]

Incredible how this bill was first written soon after Melissa, and that no one would deny the critical mass of this getting passed .... and yet, 14 months later ??

And what does it mean that it WASN'T proposed "in reaction" to Melissa? Who cares that our officials aren't intuitive enough to come up with this on their own (well, I mean, WE care, but that's no reason to go into denial about what makes them reactionary, does it) ?

Better Nate than Lever, I guess ....

Too ambiguous of computer laws

[nharmon]

I think the issue here is whether or not you passed the virus onto another computer you own.

I could plausibly see someone in some comp sci class writing a harmless virus, and studying how it replicates. A broad law could land this student into jail

So I guess the question isn't whether someone who intentionally damages other people's computers should be illegal, because we all know it should. The question should be, are we inhibiting innovation by making too broad of laws?

Re:more stupid laws

[lpontiac]

just look at usenet to see how many crappy newsgroups there is in there

Somehow I doubt the people that read and post to them consider them crappy.

useless dns names on www

Heh. You, sir, obviously have no idea.

the number of lusers

Please:

• Create an account on slashdot, instead of posting as AC.
• Learn to spell.
• Learn to punctuate. (Oh, and that includes capital letters

Re:VIRUS Definition

[AllynKC]

What I see most significant about this bill is that, for the first time that I'm aware, the term "computer virus" has been defined in law. I doubt the "special features" that large corporations will fall into the definition because of the requirement that they replicate themselves in order for the PA legislation to be applicable. Here's the definition as listed in the PA bill that was signed:

-"Computer virus." A computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner of the computer, computer network, computer program, computer software or computer system that may replicate itself and that causes unauthorized activities within or by the computer, computer network, computer program, computer software or computer system.

Not a bad idea....

[Raymond+Luxury+Yacht]

Are we going to throw a lot of clueless people in jail?

Hey, if we did we'd at least get all of AOL's users of the streets.

Re:Burden of Connecting

[xnerd00x]

If we start limiting to those who have "a license" it is no longer an open forum and will become an elitist realm.

Having a driver's license makes you an elitist? hmmm, i never knew that... i guess i should start calling my self in the "elite" class of those that can drive a car...

Re:Couldn't it be argued however that....

[chickenmadrasplease]

IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do."

I tried a similar thing about 2.5 years ago. Within two minutes 3 people had opened it. All three were programmers.

Viruses Always spread automatically...

[javatips]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

Since when a Virus requires manual spreading support?

Since the time when viruses where hard to write (that's long before those simple script viruses), viruses always spreaded automaticaly (except for some script viruses written by completly incompetent script-loosers).

Is virus spreading criminal?

[jferg]

Maybe the question is inverted. If such laws aren't carefully drawn, it could be asked: Are viruses spreading criminals?

Does seem kinda obvious

[spiralx]

I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.

However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.

A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.

Does seem kinda obvious

[spiralx]

I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.

However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.

A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.

Re:Companies have a part of guilt also...

[Oskuro]

login: jordi
passwd: xxxx

Linux natura 2.2.15 #2 Tue May 9 03:09:22 CEST 2000 i586 unknown

Most of the programs included with the Debian GNU/Linux system are freely redistributable; the exact distribution terms for each program are described in the individual files in /usr/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Have a look at the bold part, and tell me if you find something like that in Windoze or any other propietary piece of software.

Viruses in PA

[Sionik]

let me start by saying IANAL. So if i write a virus here in Ohio, and start it here, and it spreads to PA, can i be prosecuted? what about if i wrote it in the phillipines? how bout if i write it here and mail it to someone in the phillipines to start? while i think you should be punished for spreading viruses or any sort of computer crime, i'm very not clear on the details of how these things can be prosecuted. does anyone have a good site that will clear this up for me?

Why limit it?

[FascDot+Killed+My+Pr]

Why the "intentional" requirement? What about negligence?

Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

Another example: I advocate the use of murder charges against drunk drivers who kill. Why? Because they deliberately make choices that are known to have a high rate of death for potential victims.

So why not for computer viruses? In all seriousness, why can't Joe User be held (partially) liable for running an email client (*cough*outlook*cough*) that is known to cause a large amount of bandwidth sucking and server crashing? A little less ridiculous (although I'm not conceding that the example was ridiculous) is holding site admins responsible for viruses leaving their site. If they can strip incoming, they can strip outgoing.

And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

Re:Why limit it?

[Detritus]

Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

You think wrong. Unless the surgeon is having unprotected sex with the patient, the risk of transmission is small.

Take a look at the CDC's recommendations for preventing the transmission of HIV by health care workers. They recommend a review by a panel of experts and informed consent from the patient, not a blanket ban.

I would rather be operated on by a HIV positive, expert surgeon than a HIV negative, mediocre surgeon.

Companies have a part of guilt also...

[Oskuro]

I still can't understand why companies don't have to pay for their part of responsability.
We have Melissa and all this crap, which would not be possible without a fantastic email reader that enhances some brilliant features of a certain OS.
Ok, the person who wrote NewLove did it knowing that it would wipe out many harddrives out there, but the hole in Windows/Outlook has been there for ages, and IIRC, Microsoft is offering a patch that disables Windows Scripting Host, but they are still saying that the people to blame are, apart from the virus author, antivirus companies for not dealing well with these kind of problems.
I find this very amusing, but I don't know how Windows users feel about Microsoft's interpretation.
In short, use Mutt and care less.

Re:Burden of Connecting

[bhanafee]

Yes, there are different levels of cleanliness expected of different people. I'm not ready to say who gets to be an "Internet food service worker" in the analogy, but there are certainly different levels in the Internet: my aunt with her WebTV box, an ISP with 1000s of dial-up users and very few servers, a full service hosting company, a backbone provider, etc.

Right now, there isn't really a strong concensus on who should be responsible for what, and there are few sanctions against those who would shirk their responsibilities anyway. But the law in question externally imposes regulations on usage and responsibility, and that worries me. It makes everyone responsible back to a single standard. A better approach might be a delegation model of responsibility: If someone offers connectivity to another, it comes with a contract stating what responsibilities stay with the provider and which are delegated. This way, an ISP could choose to force all their users to configure their systems securely, or the ISP could elect to let users do whatever they want and accept responsibility for making sure their users behavior doesn't 'leak out' in violation of their own upstream connectivity agreements.

So, if Win98 meets the definition of virus...

[freeBill]

...in this law, then Tom Ridge is in violation of his own anti-hacking law?

Even Win95 had the ability to go to a web site and update the dll's. If Channel updates don't meet the definition of virus in this law, then the definition is worthless. If it doesn't ban programs that go to a web site and change the kernal, that's a loophole big enough to drive a 2,600-ton truck through.

So, any governor who forced the installation of an OS that meets the definition of a virus (probably Symantec's "Norton SystemWorks" would qualify as well) is guilty of violation of this law.

Maybe that explains the inclusion of the "intentional" escape clause.

Dont they all ??

[kuiken]

"... cases of a virus like the famed "Melissa" who automatically passes it's self around?
dont all viruses pass them selves autmaticly around ?
Be it via mail or by infecting files to get on a floppy and so to another computer.
So the blame would be fully on the first person who releases the virus.

ofcourse with the recent linking to ilegal stuff is ilegal law suits one never knows

Welcome to Pennsylvania

[IGnatius+T+Foobar]

If you recall, Pennsylvania cut a deal with Microsoft a year or two ago, to use Windows products exclusively in the Pennsylvania state government. That, combined with the Love Bug and other such niceties, has probably made computer life very difficult in the PA state government offices lately. That considered, it's not surprising that they're the first to adopt legislation like this. The states which are still running on mainframes and Unix boxen like they should, can sit back and laugh at PA.
--

Re:Welcome to Pennsylvania

[buzzcutbuddha]

Mavenguy, can you put me in touch with your contact at the State? I am interested in starting/joining a LUG here in PA. Is he in Harrisburg, or at another state office?

Damn, I can't logon with Opera...

[Tangent+Z]

...oh, well, there IS a reason that I keep IE around. Thank you, gad_zuki! And BTW, I spoke with HotMail Techsupport and will only remove your account if no one logs on for six months. An INSANE policy, especially since they have the security of an open field.

To spread or not to spread?

[enigmatic+anomaly]

Too bad my email client doesn't ask that question. I presume 'INTENTIONAL' means that there was foreknowledge that it was a virus, and thus sinister intent. Otherwise a person who opens up the love bug would be guilty even if they were ignorant of the fact it was a virus and they were just a love starved recluse. Because the would have intentionally clicked the link, they had to, even if they didn;t know. They had 'intention' Maybe this law was just created as an excuss to lock stupid people up where they can do no harm?
Geoffrey Cameron Peart
McMaster Software Engineering

Microsoft wants it to stop piracy

[yorgasor]

Microsoft wanted this law to prevent people from sharing Win95/98/2000 with their friends (or enemies). Everyone knows there hasn't been a virus unleashed yet that can compare to the damage caused by these viruses.

VIRUS Definition

[PopeAlien]

Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine.

OK. So we all know about "bad" viruses -Mellisa, etc, and "trojans" -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

When RealNetworks or Aureate/Radiate add "special features" to their software to profile my music listening habits, or track my web access from within, rather than from accessed pages- does that count as "Interfering, or giving out confidential information".
-

It should cover "unintentional" spreading, too.

[imagineer_bob]

I received over 700 copies of the ILOVEYOU virus from some company (an Internet Portal! They should have known better). For some reason my email address was in their database; I had done some work for them in the past.

The email came from all over the company: from the CTO on down.

I wish I could have held them liable! It cost me about an hour of my time, including the time spent calling them on the phone telling them to stop it and to take my name out of their email directory. I don't care if it was intentional or not!

--- Speaking only for myself,

this is ridiculous

[Joe+E+Sunshine]

why is it that people can't read what has already been said before they post? 90%, or perhaps even more, of the reply's to this article say the same thing ("it's intentional spreading that counts", in case you didn't read any of them).

If I'm not mistaken, it says very clearly in the /. rules that you should read what others have said before you post, in order to avoid this sort of thing.

I understand that a number of people will object that people might reply the very same thing you're about reply, while you're writing (in fact, that might happen to this reply as well), but this is anyhow obviously not the case with this article, since almost all posts are no more that 10 words long.

You may moderate me to hell for not being on topic, or flamebating or whatever, but I still find this highly irritating, and if I have to post it somewhere why not in reply to such an excellent example like this one?

It thinks it's sad that even geeks have such a tremendous need to feed their ego's.

Which poses the obvious question...

[Animol]

How exactly do they plan to prosecute on this? I can understand if you're the initiator of the virus and leave some sort of tracker so people know YOU did it - in fact, laws are in place for situations like that. But, how can they PROVE that you intentionally distributed the virus? Understood, they will forgive accidents (Melissa, et. al.), but how often do people say, "Ha ha, now I gave you a virus!"

It seems to me that this is just a front for trying to force internet / computer users into revealing their motivations behind their actions - an invasion of mental privacy. There's not a good solid way in most cases to prove that you deliberately gave a virus to another user, and even then, it's easy enough to disprove in almost all circumstances.

Re:Which poses the obvious question...

[roman_mir]

"Ha ha, now I gave you a virus!" :)

Is this worse than "Ha ha, now I gave you an STD?"

How about spyware?

[paRcat]

Here a news blurb about it. There's an interesting point in it:

The Pennsylvania legislation defines a virus as any "computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner that may replicate itself and that causes unauthorized activities within or by the computer."

So what about the software that is automatically installed when you install a program. Especially the stuff that allows for tracking your online habits, etc. Go!zilla's ad engine is like this, though it's unclear exactly what it does. So can these companies be prosecuted now?

Re:How about spyware?

[_xeno_]

The Pennsylvania legislation defines a virus as any "computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner that may replicate itself and that causes unauthorized activities within or by the computer."

Hmm, except for the replicating itself portion, I think that Internet Explorer could fall under that! I was unaware that when I installed a new version of Windows (Win95 OSR2, OK?) that Internet Explorer would automatically install itself. It caused unauthorized activities. I was unaware. Therefore, it's a virus!

And how about QuickTime 4? I didn't give it authorization to duplicate itself and take over all my audio/visual plugins in both Netscape and Internet Explorer. I was perfectly happy with my MIDI and WAV plugin for Navigator, but it instead took control! I was uninformed of this result, and I didn't authorize it to do that.

Hmm... Time to call a lawyer...

Does this include:"Save the little girl" e-mails?

[dilvish_the_damned]

"Save the little girl" e-mails have a lot in common with viruses and worms. Mostly worms I guess.
1) They were created by very malicious and 'evil' minds.
2) The are self replicating.
3) They couse ierreversable dammage in the form of destroying any synaps they come in contact with.
4) They couse millions of dollars of dammage a year in the form of loss of production while unsuspecting employees read them, bandwidth saturation, counseling expenses
I think that anyone who knowingly forwards a 'Microsoft will send you 10 cents every time you forward this', 'Make $50k in three weeks', 'send this flower to everyone on your list and an elf will run across your screen!' type message really should be fined. In fact, 15,000 or 7 years is just not enough for such a dispicable act.
I say, let them get the Mitnick treatment, they cant touch a computer for say... 7 years or untill they recover some of those lost synapses. Or maybe some community service in the form of 150 hours of open source codeing.
I just think its silly to target mellisa type trojans that send itself to everyone on your list when in all honesty, if the email would have just asked, so many poeple would have done it anyway.

What sort of virus?

[Omnifarious]

I think, if they're going to have a law like this, it should also apply to biological viruses so it will have a context that people understand. Is coming into work when you know you have a cold intentionally spreading a virus?

Also, is Microsoft liable under this law because of the defaults settings on their software?

Couldn't it be argued however that....

[Randy+Rathbun]

everyone and his brother should know by now NOT to launch attachments?

I got to deal with the ILOVEYOU virus. It was not the secretary that launched it. It was not the big boss that launched it. It was one of the other programmers that launched it. Trust me, after humiliating him I don't think he would be stupid enough to do something like this again, but one never knows.

Also, a friend of mine works for a large company. IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do." This also happened at one of the local hospitals.

Couldn't one argue that in all three of the cases I mentioned that it WAS intentional in every case? Just because you are stupid does not under any circumstance give you the right to do stupid things.

Re:Couldn't it be argued however that....

[adamk]

Their intent was to view the message, not spread a virus. Stupidity != intent.

Thank God the judicial system in the US in not run by Slashdotters, otherwise it would be more messed up than it already is.

Adam

OT response to smartass question

[Edmund]

Put a recording device with a mic and see.

- Ed.

Re:OT response to smartass question

[dglee]

Ah but then you are there by proxy to hear it.

Re:VIRUS Def. - Get it right, NOW PLEASE!

[AllynKC]

It's not definition, it's the one that the state of PA uses in this bill. I did not say that I agree with it, only that I find it interresting that for the first time one has been defined in law. Don't argue with me, write to the state of PA if you have problems with their definition.

Burden of Connecting

[rjamestaylor]

I realize the law says "intentionally" but what if a more proactive stance was adopted? For example, when I receive a counterfeit $20 I may be unaware. But when I deposit that counterfeit $20 at my bank (and it is discovered) I lose $20 and may be investigated. It doesn't matter that I *thought* it was real -- I still lose. It is upon me to make sure bills I pass are legitimate. If they are not, I lose.

Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

What does this mean? It means you must be able to prove that you took reasonable precautions to prevent your system from harming others. This may include using an updated anti-viral package on Windows and Mac systems. Properly adhering CERT advisories on UNIX systems. Avoiding easily-exploitable software packages (Outlook, for example). Using basic security protocols.

Offenders (those who fail to protect others from attacks via their systems) may be forced to disconnect until they

• complete a proper system security class
• install proper security software
• establish and follow basic security guidelines
• disable easily-exploitable software

I realize this is radical.

Perhaps a better model (than the counterfeit bill passing) is the transportation regulations we have today. We require people who drive on our highways to take basic precautions to avoid harming others (no drinking when driving, obey traffic laws, maintain car at reasonable operational standards). Heck, we don't let you drive unless you obtain and maintain a proper license! How about a license to connect to the Information Super Highway? And what about liability insurance? If your system has an exploitable hole that damages someone else's system, you may be liable.

The Internet is a part of our lives. We can't allow stupidity and laziness ruin it for the rest of us.

Re:Burden of Connecting

[Nidhogg]

1. complete a proper system security class

First off let me say that I agree with you. Basic security should be everyone's responsiblity.

However if this indeed does become policy... I think I'd have to refer my Netsurfing father back to your comment because I am certainly not going to be the one to tell that old fart that he has to go back to school before he can use his computer again.

Nope. Not me.

Re:Burden of Connecting

[Katravax]

This may include using an updated anti-viral package on Windows and Mac systems.

The sad thing is that signature-based antivirus software is nothing more than a feel-good solution... Antivirus software didn't stop Melissa, nor did it stop ILOVEYOU. By definition it can only respond to the threat, not stop it, and something that spreads as fast as the macro-based viruses has done its damage by the time the antivirus companies can respond. And I would even ask another question: How many true positives have you ever gotten from whatever anti-virus software you use?

So IMHO, requiring people to use Antivirus software would be a big mistake... but you may be right, and by the time the law degrades into regulations, something like that may happen.

Re:Burden of Connecting

[blurp]

This is a ridiculus idea that completely contradcits the the idea (well, my idea) of what the internet is all about. I feel that the internet is a forum for the distribution of knowledge to all people. If we start limiting to those who have "a license" it is no longer an open forum and will become an elitist realm.

And how would one obtain such a license? To require some knowledge about the internet would be the obvious way, but isn't the best way to gain this knowledge through experience? As for the propagation of viruses and such...I look at it as a form of Darwinism. Those who have learned enough will not be scaved, while those affected will learn from their loses and in the future protect themselves (and therefore others) against these problems.

And no, I'm not advocating releasing viruses to purge the internet of those "not worthy."

-Blurp

Re:Burden of Connecting

[ODiV]

What? Sorry, but your first method makes absolutely no sense to me.

If someone who is inadequately protected is on the Internet, how does that threaten you at all? Say they pass you a virus after being infected. You open it and either your anti-virus catches it or it doesn't. If it catches it (you're adequately prepared) then they are no threat to you. If it doesn't catch it then you're as inadequately protected as they are and shouldn't be complaining to them about their shoddy security.

As far as passing on viruses goes. The people who are not protected pose absolutely no threat to the people who are. I don't see what kicking them off of the Internet would do.

Re:VIRUS Def. - Get it right, NOW PLEASE!

[AllynKC]

oops, meant to say "It's not my definition, it's the one that the state of PA uses in this bill" ...

Define "Spread"

Does this mean that if I mail you the source for a virus (or a compiled virus), and you are expecting it, that I have broken the law??

I wonder if this law will outlaw the spreading of the technology or just the malignant spread of a "live" virus in the wild.....

Jared

Illegal for whom?

[jyuter]

People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine in Pennsylvania

Is this for viruses started in Pennsylvania or viruses which end up there? I'd like to see other state's reaction to this if there is a distinction

Oooh, evil thought!

[Fesh]

Hehehe! I doubt the drafters of the law were this vague, but if the law didn't specifically say computer virus, imagine the possibilities! You could prosecute Mormons, $cientologists, and Jehova's Witnesses for intentionally spreading thought viruses!

--Fesh

yup, it's in the constitution

[operagost]

Article IV.

Section. 1.

Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State. And the Congress may by general Laws prescribe the Manner in which such Acts, Records and Proceedings shall be proved, and the Effect thereof.

Section. 2.

Clause 1:

The Citizens of each State shall be entitled to all Privileges and Immunities of Citizens in the several States.

Clause 2:

A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on Demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime.

The last section is the most important.

more stupid laws

[BenByer]

how in the hell does this differ from intentionally vandalising someones property. We dont need more fucking laws, that is how the lawyers keep themselves in business. we need rational application of existing laws. (except copyright which I dont think is valid because it is an unenforcable law.)

How fucking ignorant

[Legion303]

I personally think that malicious virus-writers are the scum of the earth, but 15 years for petty vandalism and taking advantage of human stupidity? The only thing a law like this will do is ensure that the virus kids cover their tracks more carefully. Outlook users who open script attachments will be even more likely to get viruses now that they think harsh penalties will deter anyone.

I have never had a virus here at work(*). This is because I don't run programs from the internet until I scan them, and I certainly don't use Word or Exchange. Attachments to my email are scrapped if they're executables and scanned if they're Word documents. I scan for viruses maybe once a month with an updated version of McAffee, and it has yet to find a virus.

(* I've found viruses on our network drive due to students bringing in their macro virus-infected disks, and I found a virus at home once, but I blame that on the warezed version of Battlechess)

-Legion

This is how they defined "VIRUS"

[fred_the_slow]

According to the law passed by the Pennsylvania legislature:

"Computer virus." A computer program copied to or installed on a computer without the informed consent of the owner of the computer that may replicate itself and that causes unauthorized activities within or by the computer.

you can look for it here: http://www.legis.state.pa.us/WU01/LI/BI/billroom.h tm

Criminal intent

[goom]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around?

As others have already pointed out, the presence of the word "intentional" should answer the question. Even without this insertion, it would very likely be covered by the letter of the law.

In every state that I am aware of, acts classified as criminal acts are composed of elements. Every element of that crime must be established beyond reasonable doubt in a court of law before the accused can be convicted and punished by the state. Failure by the state to "prove" any one of these elements should logically result in an acquittal, no matter how effectively the other elements have been established.

Amongst the legal definition of virtually all criminal acts is the element criminal intent (vehicular homicide and other negligence-related criminal acts being notable exceptions). I cannot imagine that this new Pennsylvania crime will be any different.

Another "gotcha" is the concept of reasonable results of one's actions. If I run a red light (moving violation) but in the course of doing so swerve out of control, strike a telephone pole which falls over into a sign post for a fast food restaurant, which also falls over and kills an indigent man sitting on a bus stop bench, I am liable for his death. Likewise, if it can be proven that I intentionally released, or conspired to release, a virus that causes millions in damage at hundreds of companies around the state, I can potentially be held liable for all of it.

The moral of the story? If you want to release viruses, don't get caught :)

..other cases of redundancy

[dorkJedi]

The same sorts of things happen or are pressed to
happen when some sort of "shocking" event occurs
such as the murder of a homosexual in NY (I think that was the state..=P) which made big headlines
within approx. the past 6 mo. There is then an
outcry for anti-hate crime legislation even though
there are already laws against murder, assault, etc. I wouldn't care WHY someone kills me if they do kill me. The damage remains done.

virii

[roman_mir]

That's it, no longer will I spread virii from Pennsylvania. No longer will that place put down with such liabilities as vampires and virii writers.

What a stupid Question.

[tringstad]

Intent is everyting. Why is that so hard to understand?

It seems that everyone needs analogies to understand things, and Viruses are one of the few Computer to Real World analogies that hold true.

If you thought of this in terms of say, AIDS, the most deadly RealWorld virus in the wild that I know of, it becomes clear.

If you have unsafe sex with someone who is infected with AIDS, and that person is unaware that they are infected, it is your own damn fault.

If you do not know that you are infected, and someone has unsafe sex with you, it is their own damn fault.

If you know you have AIDS and you take a syringe full of your blood and inject it into somebody else willfully,you're ass is going to prison, and hopefully getting the chair.

Why should computer viruses be any different?(well, maybe the chair is a little strong)

-Tommy

Re:this is ridiculous [REALLY OT]

[randombit]

it's sad that even geeks have such a tremendous need to feed their ego's.

Well, if you've read the stuff ESR has written (CaB and HtN especially), you'll see that his theory is that most free software/OSS development is done precisely to satifsy that persons ego ("see, I'm a really good programmer, here's what I did"). Too bad, maybe we should send all those people a copy of K&R and they can start being productive. <g>

So, virus writing is worse than rape now?

[Electric+Eye]

I see. So, simply because you could write a program that could fuck up a few programs means you deserve to be locked up with murderers, rapists, and drug dealers? Yeah, I see the logic in that one. It's called Republican Stupidity. The Governor of PA is an asshole. You can tell him I said that.

This is truly unbelievable. The sad thing is that you could be convicted of raping a woman and do less time than if you wrote a virus. What ever happened to common sense in this country?

What about AOL mailing you it's disks?

[ChiaBen]

WHen AOL snail-mails you a disk, and it tears your computer's insides up worse than nitro-horseradish-sauce, then what will the government do about it? And what about the poor blokes who actually install this garbage, not knowing the true terrors he will behold? is it his fault?

regards,
Banjamin Carlson

an appropriate haiku

[fred_the_slow]

• small computer bug

  jumps from machine to machine

  who knows its maker?

Two ideas.

[Spankophile]

1) What about criminal negligence?

As opposed to being limited to *intentionally* sending the virus, you could be liable for your negligence in that you didn't take the expected precautions (like not running attachments).

2) The law is intended to make *introducing* a virus unlawful.

Can't viruses be introduced *by accident*... I seem to remember some Nova show or something about one of the first virii being a christmas-card that got out of control...

redundant question?

[drew]

My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

um, perhaps i am missing something here, but isn't that the definition of a virus? people seem to have forgotten what a computer viru is, and generally just associate "virus" with malicious program. a virus is a program or part of a program whose primary purpose is to propagate itself to other programs/computers. (i say programs because in the old days before outlook and office, viruses could only affect executable files, and when those executable files were run, they would infect other executable files on the disk) it doesn't have to be malicious. you might never even know you have one, even though it has put copies of itself all over your computer and everyone's you know.

anyway, the point to all of this is that the question "what about viruses that spread themselves?" is a dumb question, because if it doesn't spread itself, it is not a virus. malicious code perhaps, but not a virus...

Intentional Clause

[danderson]

I spend my spring semester working as tech support/computer person for the law branch of one of the state departments in PA. The ILOVEYOU epidemic was pretty bad there, and from what I understand it was pretty bad all throughout the state government offices.

This might have helped to push the legislation through.

What makes it really funny is that AFTER it was announced over the building-wide intercom that email with the subject ILOVEYOU is infected with a virus and that the attachment to that email should not be clicked on, a disturbing number of people walked back into their offices, opened outlook, and clicked on the attachment. Simply "to see what it would do"

This law seems to make their actions illegal. I think that's good.

Only for PA citizens?

[AtomicDog]

I'm curious.. Does this bill apply to people living outside of PA? What if someone from another state attacked a server that was in PA? Wouldn't federal law apply then? I don't believe the federal law is as harsh as that though. Does anyone have a URL for the full text of the bill? I'd like to see it.

Warez Apps

[42821128607675]

An easy way around this little problem would be to get warez apps to do all your evil deeds. That means that the originator would be the person who put the warez app on the net and not you (as far as they could prove).

where is your proof of that?

[operagost]

For just a moment, don't heed the party line you've been fed. Now, note the maximum sentence for this crime. Seven years. Are you trying to tell me that the maximum sentence for rape (more serious than aggravated assault) is less than seven years? How a judge and jury rules on a case is up to them. That's the judicial branch. This law was proposed by the legislative branch (PA legislature) and written into law by the executive (the governor). Don't lay the blame on one governor who just happens to be Republican.
By the way, if you really feel so strongly, why don't you tell Tom Ridge that yourself? Contact info is here.

not in PENNDOT

[operagost]

They still use OS/2 for their drivers licenses, at least.

Of course!

[_marshall]

Anyone silly enough to open an unknown program from an unknown email deserves punishment!;-)

~Marshall

--
Homer: "No beer, No TV make Homer something something";
Marge: "Go crazy?";
Homer: "Don't mind if I do!"

Re:Burden of Connecting - Internet Licenses?

[scott@b]

While I don't really like this idea, we may find ourselves faced with a choice between something like this and, perhaps, always-on monitoring of our connections - such as the US government is working towards for in mobile communications (CALEA is just the start). Asking if "joe 6pack is at fault for a bad alternator?" isn't the best comparison, at least to most people. It would be closer to "Is Joe 6pack at fault for failing to stop in time while driving with bald tires?" While, I believe, the ideal is not to have access licenses, or constant or spot surveillance, but the open and unfettered `net of the old days. However I fear that one or more of the bad choices will be forced upon the inhabitants of various countries. I oppose such, but want to have the fallback to the less intrusive "access licencing". And then I want to figure out some around those controls and restrictions, and allow everyone to get back to the old ways.

what about the rest?

[mgX]

don't forget that this covers more than just virus spreading.. It also covers interfering with a computer, system, or network or giving out a password or other confidential information about a system, which is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. it also covers denial of service attacks, etc.

<br>
"When convicted, the defendant must repay the victim for the cost of repairing or replacing the system infected, lost profit for the period that the system was not usable, and to replace or restore lost or damaged data. Camillo said the level of restitution would be left to the judge. "
<br><br>
my question is, what did the previous laws have to say in regaurds to all these things?
<br><br>
(and by the way, how exactly <I>did</I> they define a virus?)
<br>

Playing William Tell

[42821128607675]

In the real world it's really hard to prove that you didn't do something intentionally. Suppose you tried to shoot an apple off my head and you just "accidently" shoot me in the head. Well so now the only other person who saw you shoot me is dead (namely myself) and there is no proof of your intentions wheather innocent or not.