Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Virus Spreading Criminal?

Posted by CmdrTaco on from the oh-dear dept.

Ghost-in-the-shell writes "I just read this article on CNN stating that spreading a virus in the state of Pennsylvania is now illegal. The bill signed in to Law on May 26th, by Governor Tom Ridge states that the spreading of a virus can land you 7 years in jail, a $15,000 fine, and possible restitution to the person(s) damaged by the virus. My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

18 of 270 comments (clear)

  1. Text of bill. by RossB · · Score: 3

    Read the full text of the law .

    Interesting to note that unwilling transmitting information is illegal. So the Real Networks scanning your drive and uploading information is a 'virus'. Or microsoft sending reg info without your permission is illegal.

    -RossB

  2. Poster's question by gad_zuki! · · Score: 5

    People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine

    It does say intentionally.

  3. Not all intentional viruses are *amateur* by orpheus · · Score: 5

    The RADIATE (formerly Aureate) monitoring programs that are packaged with over 400 freeware, shareware and demo programs is a perfect example of a deliberately spread virus (in Win9x)

    1) you are not informed that a *separate* program will be installed, in addition to the program you intend to install. This program can monitor your activity even when the program it came with is not in use.

    2) the monitor program is not removed when you uninstall the 'carrier' free/shareware program or purchase the paid version of a demo. In fact, there is no way to completely remove it except through an external program like OptOut from Steve Gibson (freeware)

    Sounds like a classic, deliberate, and very malicious 'virus'. I'm sure there's something in the license allowing the installation, but nothing about it persisting forever (even after you remove the program the license applies to). True, you could prosecute under the 'unauthorized computer use' felony, but I think the virus law gives a better tool, since the virus+vector model is a familiar one (putting an unannounced virus inside a desired executable doesn't make it less of a virus)

    --

    If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime

  4. Whose definition of virus? by BoLean · · Score: 3

    What definition of virus are they going to use? Would this include programs that sniff down your net connection to collect personal info? A virus could be: a standalone program, a file that executes other programs on the client system, a file that executes a program on a server, a file that resides on a server and effects a client system... you name it. A simple script on someones webpage to check user browser info and client browser settings could be seen as either a valid tool or benign virus.

  5. It's a DAMNED HOAX by Spiff28 · · Score: 3
    I apologize for the stupid topic, but honestly, I'm just trying to get eyes here. The whole Aureate ordeal has been around for quite some time. It's also been debunked for some time. Debunked as in a hoax. It's not quite a hoax, but it's not Big-Brother either.

    The 'spyware' program does nothing more than say what ads have been received, and what have been clicked. Period. I don't know about you, but I don't do my surfing through ads. Hell, I get weird enough ads from Doubleclick crap as it is.

    The problem is that this has been claimed as spyware.. ie: it monitors your surfing habits, and I've even heard that it could see which programs are installed on the HD. This is where the paranoia overtakes the fact.

    I have yet to see comprehensive proof that this does (only or all of) what either side of this issue says it does. Most people take for proof that Aureate/Radiate is evil the presence of any of the 'bad' DLL's.

    The program has been proven to exist, true. Get some simple network tools and a little registry viewer and sure enough, you'll notice something's set stuff up in the registry, and something's calling home. Nobody has given proof that shows what it's actually doing beyond that.

    It's a task I'd think someone in the /. audience would be glad to undertake. At this point both my curiousity and rage at the propensity of this falsehood to spread so easily are motivating me to crack down as much as I can. Only.. I don't really have the time, I don't have the resources or knowledge either. Someone needs to just sit down with a packet sniffer on a controlled network, and see what's up. I personally, can't tell what to look for, but I'm positive that someone can.

    Steve Gibson claims that some of the scarier stuff like arbitrary execution has been proven. I ask... show me the proof.

  6. What if you got authorization? by Jeff+Bell · · Score: 5
    I'm surprized that none of the viruses have tried this yet, but what would happen if the virus first popped up a dialog box with a lot of legalese at the beginning, but a dozen screenfulls down includes as terms:

    ...

    19. I understand that this software may send copies of itself to everyone in my address book.

    20. The authors of this software shall not be held responsible for any data that may be lost.

    Certainly a very large portion of the population would click on the [ACCEPT] button as a matter of reflex. It wouldn't even make it out of the brain stem.

    Would the author of this virus be subject to prosecution?

    Would they be safer in states that have passed UCITA?

    -Jeff Bell

  7. This law seems a little redundant (take 2) by drenehtsral · · Score: 3

    It seems that there are already laws that cover this. I have often seen the creators of unwelcome self-replicating programs charged with "unauthorized use of a computer", (sorta like unauthorized use of a motor vehicle) which is an effective catch-all for people who do anything to take control over other people's computers without their consent.
    I think that the expedited creation of new laws in reaction to a phenomenon that most people in positions of power could never hope to understand, let alone competently regulate is a dangerous thing. I recognize that these legislators probably have teams of advisors, but i still worry about the original intent/usefulness getting diluted/lost in the legislative process.

    --

    ---
    Play Six Pack Man. I
  8. What's the point? by Uruk · · Score: 3

    This seems like it's for show.

    Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of dollars which he'd never be able to repay, no matter how long he lived.

    You can punish a person harshly, you can even make it so that the person will never get away from the punishment for the rest of their lives, but fining somebody $40 million is pretty much the same thing as fining them $40 billion. At least the effect is the same, and the amount of money you'll actually collect is the same.

    I say this because if you make it a crime to spread a virus and make it punishable by jail, restitiution, or fines, then anybody who spreads a virus (since they go all over the world) will be liable for damages in so many damn jurisdictions that it will be the same as fining them $40 billion, and just as pointless.

    Not to compare virus spreading to murder, but just as an example of over-punishment - when Jeffry Dahmer went to jail, he got *400* years in jail. 400!!!! What's the point? Of course it was arrived at by adding the amount of time he got for each murder, just like the fine would be arrived at by adding the recompensation for each victim for a virus spreader.

    An effective punishment would be a $0.25 fine and no restitution, since by the time everyone on earth got finished suing the poor bastard, he'd be in for millions. :)

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  9. Pay attention to the bottom of the article: by wrenling · · Score: 4

    The article states:
    "Accessing and damaging a computer or system is a felony of the third degree, facing a seven-year sentence and $15,000 fine. Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "

    What scares me is the part where they refer to 'other confidential information.' That is such an amazingly grey area. And what constitutes giving out a password? Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

    Just a few rambling thoughts from yours truly.

    --
    Check out Magic Firesheep!
  10. Why limit it? by FascDot+Killed+My+Pr · · Score: 3

    Why the "intentional" requirement? What about negligence?

    Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

    Another example: I advocate the use of murder charges against drunk drivers who kill. Why? Because they deliberately make choices that are known to have a high rate of death for potential victims.

    So why not for computer viruses? In all seriousness, why can't Joe User be held (partially) liable for running an email client (*cough*outlook*cough*) that is known to cause a large amount of bandwidth sucking and server crashing? A little less ridiculous (although I'm not conceding that the example was ridiculous) is holding site admins responsible for viruses leaving their site. If they can strip incoming, they can strip outgoing.

    And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  11. Welcome to Pennsylvania by IGnatius+T+Foobar · · Score: 4

    If you recall, Pennsylvania cut a deal with Microsoft a year or two ago, to use Windows products exclusively in the Pennsylvania state government. That, combined with the Love Bug and other such niceties, has probably made computer life very difficult in the PA state government offices lately. That considered, it's not surprising that they're the first to adopt legislation like this. The states which are still running on mainframes and Unix boxen like they should, can sit back and laugh at PA.
    --

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  12. Microsoft wants it to stop piracy by yorgasor · · Score: 3

    Microsoft wanted this law to prevent people from sharing Win95/98/2000 with their friends (or enemies). Everyone knows there hasn't been a virus unleashed yet that can compare to the damage caused by these viruses.

    --
    Looking for a computer support specialist for your small business? Check out
  13. VIRUS Definition by PopeAlien · · Score: 5

    Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine.

    OK. So we all know about "bad" viruses -Mellisa, etc, and "trojans" -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

    When RealNetworks or Aureate/Radiate add "special features" to their software to profile my music listening habits, or track my web access from within, rather than from accessed pages- does that count as "Interfering, or giving out confidential information".
    -

    --
    air and light and time and space
  14. How about spyware? by paRcat · · Score: 3

    Here a news blurb about it. There's an interesting point in it:

    The Pennsylvania legislation defines a virus as any "computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner that may replicate itself and that causes unauthorized activities within or by the computer."

    So what about the software that is automatically installed when you install a program. Especially the stuff that allows for tracking your online habits, etc. Go!zilla's ad engine is like this, though it's unclear exactly what it does. So can these companies be prosecuted now?

  15. Couldn't it be argued however that.... by Randy+Rathbun · · Score: 5

    everyone and his brother should know by now NOT to launch attachments?

    I got to deal with the ILOVEYOU virus. It was not the secretary that launched it. It was not the big boss that launched it. It was one of the other programmers that launched it. Trust me, after humiliating him I don't think he would be stupid enough to do something like this again, but one never knows.

    Also, a friend of mine works for a large company. IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do." This also happened at one of the local hospitals.

    Couldn't one argue that in all three of the cases I mentioned that it WAS intentional in every case? Just because you are stupid does not under any circumstance give you the right to do stupid things.

  16. Burden of Connecting by rjamestaylor · · Score: 4
    I realize the law says "intentionally" but what if a more proactive stance was adopted? For example, when I receive a counterfeit $20 I may be unaware. But when I deposit that counterfeit $20 at my bank (and it is discovered) I lose $20 and may be investigated. It doesn't matter that I *thought* it was real -- I still lose. It is upon me to make sure bills I pass are legitimate. If they are not, I lose.

    Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

    What does this mean? It means you must be able to prove that you took reasonable precautions to prevent your system from harming others. This may include using an updated anti-viral package on Windows and Mac systems. Properly adhering CERT advisories on UNIX systems. Avoiding easily-exploitable software packages (Outlook, for example). Using basic security protocols.

    Offenders (those who fail to protect others from attacks via their systems) may be forced to disconnect until they

    • complete a proper system security class
    • install proper security software
    • establish and follow basic security guidelines
    • disable easily-exploitable software

    I realize this is radical.

    Perhaps a better model (than the counterfeit bill passing) is the transportation regulations we have today. We require people who drive on our highways to take basic precautions to avoid harming others (no drinking when driving, obey traffic laws, maintain car at reasonable operational standards). Heck, we don't let you drive unless you obtain and maintain a proper license! How about a license to connect to the Information Super Highway? And what about liability insurance? If your system has an exploitable hole that damages someone else's system, you may be liable.

    The Internet is a part of our lives. We can't allow stupidity and laziness ruin it for the rest of us.

    --
    -- @rjamestaylor on Ello
  17. yup, it's in the constitution by operagost · · Score: 3
    Article IV.

    Section. 1.

    Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State. And the Congress may by general Laws prescribe the Manner in which such Acts, Records and Proceedings shall be proved, and the Effect thereof.

    Section. 2.

    Clause 1:

    The Citizens of each State shall be entitled to all Privileges and Immunities of Citizens in the several States.

    Clause 2:

    A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on Demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime.

    The last section is the most important.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  18. So, virus writing is worse than rape now? by Electric+Eye · · Score: 3

    I see. So, simply because you could write a program that could fuck up a few programs means you deserve to be locked up with murderers, rapists, and drug dealers? Yeah, I see the logic in that one. It's called Republican Stupidity. The Governor of PA is an asshole. You can tell him I said that.

    This is truly unbelievable. The sad thing is that you could be convicted of raping a woman and do less time than if you wrote a virus. What ever happened to common sense in this country?