Slashdot Mirror
Maker of Kournikova Gets Wrist Slapped Too
shelflife writes: "This story
says 'It is the first time in history that the maker of a computer virus has been tried in the Netherlands -- indeed one of the few times it has been done in the world. Hypponen knows only of one conviction. A man was sentenced to 18 months in jail in the U.K. in the early 1990s. The man served 11 months, said Hypponen.' but that can't be true. What about Robert Morris? Anyway, the requested sentence is amazingly light -- 240 hours of civil service." The really interesting part is that this kid wasn't even a programmer. He just downloaded a kit. Shows how far this Virus Craze has gone in the last few years.
May be he is guilty for spreading it?
If you read the article it says, "The fact that no damage claims have been filed with the prosecutor's office is one of the reasons the prosecutor isn't asking for heavier sentencing. However, the U.S. Federal Bureau of Investigation said in a fax to the prosecutor it identified 55 victims of the Kournikova worm with a total damage of $166,827. That claim wasn't specific enough, the prosecutor said."
That is exactly right. No one stepped up to claim damages.
In light of that the defense attorney attacked the prosecution.
In terms of right or wrong it is obvious that the right thing wasn't done. In terms of judicial process and law, it was a success.
Maybe there needs to a better way to determine losses during a virus/worm incident. Are there any standard formulas not based on Anti Virus company PR?
The only thing I could find was this:
http://www.vibert.ca/prevbus.htm
It breaks time down on support efforts and totals it.
Joy. Now we have script kiddie wannabes.
That's messed up he used a kit. What a hobo.
Interesting that he turned himself in - perhaps this does lend credence to the idea that he really didn't know what he was doing. Although, to be fair, if you download a worm creation kit, use it to create a worm, and then post it to Usenet, it seems unlikely that you wouldn't be aware of the potential consequences.
I think it's high time that this kind of thing happened. All these script kiddies with their DDOS and rootkit tools, virus kiddies and their kits, are able to do what they are doing because they don't have to suffer for it. Everyone else has to suffer instead. Situations like that are why we make laws in the first place.
I'm certainly against penalizing the authors of the kits, if they don't release viruses. We shouldn't do anything to people who alert us to security vulnerabilities, even to the extent of releasing an exploit, since this is often the only way to get companies to make a patch. But for those people who decide to use this information to steal the time and money of others to gratify their egos, the law is the proper recourse.
If you don't agree, that's fine. See how you feel after having to spend a weekend of your own time wiping and reinstalling the OS and applications on a machine or machines that have been hacked. Then, testing them and having to deploy new security procedures so that you can be live on Monday. It's not fun.
Finally someone in a computer-related trial gets a semi-fair sentencing. I'm suprised he didn't get $4,000,000,000 worth of jail time for all the "damages" he caused. I must admit, I'm a little suprised at the people who are not happy with the outcome of this trial..
---
evelakamatt
Anna K. never infested my email box the way Sircam has, but for some people it probably did.
I hope the court took into consideration:
- cumulative time (at sysadmin rates) spent cleaning off the virus
- long-distance and other comms. telling infectees, infected systems' admins that their systems are infected
- lost time due to disk-full errors etc.
What else?
The real loss / damage is that people are pissed off at each other for passing on a virus which someone else specifically designed for them to be able to pass on unknowingly.
Like switching the brake and clutch in city buses. Ha ha, what a riot. OK, so no one got killed, but Ha ha! Look at me! How'd you like the hospital treating your loved ones to be putting their resources toward cleaning off this scum rather than toward keeping records straight, making sure your parent / sibling / spouse / child doesn't get a medicine they're allergic to, etc?
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
Will the makers of Outlook go to court for actively helping the spread of the worm by deliberately insecure handling of attachments?
-- Ed Avis ed@membled.com
We at Micro$oft strive to give as much help and support to the budding young developers as possible. To this end we announce the Micro$oft Virus Developers Network (M$VDN). Join now, download our VDK 1.0 and recieve a FREE one month subscription to our developers resource center, where you can learn about new security holes and exploits as soon as we make them!
The really interesting part is that this kid wasn't even a programmer. He just downloaded a kit.
and
The defendant, Jan de Wit, turned himself in to the police in his hometown Sneek, Netherlands, on Feb. 14.
I would venture a guess to say that those are the reasons why he was given such a light sentance, and the fact that he was 20 years old. A little remorse goes a long way in the courts, and turning yourself in too usually helps to give a lighter sentance.
If God gave us curiosity
I was wondering how long it would take for the police to finally go after these low-lifes who seem to have nothing better to do with their time than cause other people aggravation. After having to deal with these script kiddies for quite some time, I think jail is the safest place for them. I know quite a few IT people who would love to hunt down these jerks and kill them (Jay and Silent Bob style hehe). I think that in addtion to putting these people in prison where they belong, they should also be fined for all the costs incurred by victims of these viruses.
Anyone who makes a "virus kit" or anything similar should also be imprisoned and fined. Figuring out how to breach security in software and letting the authors know so they can fix it is one thing, and its a good thing to do. But actually writing a program to exploit shortcomings in programs has nothing other than malice written all over it.
On the other hand... one could also make a case that people should be allowed to sue software manufacturers for costs incurred dealing with virii, etc. if the software company was indeed informed about the problem but took no corrective action to fix it. Of course, if they released a patch and you didn't bother to install it, or you didn't bother to install/set up the software correctly, that is and still should be your own fault.
In case of fire, do not use elevator. Use water!
... my buddy and I were reading about different poly-morphic and boot-sector viruses in the program F-Prot. We came across one that was written in Visual Basic - and laughed. Boy, have things changed!
Sure kids who program or release viruses should get their wrirsts slapped and do some community service. What gets me is these stupid figures for damages that get banded about. If companies really are losing much as they claim, why don't they just hire someone to install security patches when they become available, it's not exactly rocket science. In my view if you have some critical systems but don't bother to add security patches when they become available, you are equally to blame and should not be allowed to claim damages.
And here I was seeing "Kournikova" and "slapped" and thinking this article was going to be much more interesting (and perhaps have some pics!)
Got Rhinos?
It's a light sentence, as sentences go, but it makes the whole process, from putting it together to serving the sentence, more trouble than it's worth in entertainment.
The reason lame modern viruses get written is that it's really easy; you put in very little time, and then get to hear reports about how it spreads: very little effort, a little entertainment. If he'd known that it would take 250 hours of work, he probably wouldn't have bothered.
The same goes for hacking websites: people do it because it doesn't take any real effort. If it took 250 hours of boring work that you can't automate, people wouldn't bother.
I think that all viruses show how much the Internet relies on trust, and how easy it is to violate that trust. To me this is like removing stop signs at intersections, or disabling stop lights -- on the one hand, a thoughtless prank,
; on the other hand, a criminal act that costs countless money and time. I hope this kid has to do sysadmin work, install patches, and fight off other viruses as part of his community service.
...to the father of the beutiful tennis player?
"A man was sentenced to 18 months in jail in the U.K. in the early 1990s. The man served 11 months, said Hypponen.' but that can't be true. What about Robert Morris?"
Not to take away from RTM, but what about Kevin Mitnick?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
240 hours of community service is quite a bit, at least in my book.
Say you work a 40-hour week (days)...that pretty much only gives you weekends to devote to service. If you work 8 hours on saturday, it will take 30 weeks to complete the sentence.
Anybody want to give up 30 saturdays? I didn't think so.
The punishment is certainly less than what one might have expected, but I think this is a good trend, not a bad one. I'd much rather see these marginally troublesome white-collar criminals get easier sentences than ANY drunk driver or other violent criminal acts. So the virus is bad. Sure. Was there any loss of life? Was anyone maimed or psychologically traumatized (heh) over the incident? Hell - he didn't even try to steal information or money.
Punishments should fit the crime. What he did was not excusable, but a little perspective check is in order - especially after tuesday's events.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
Last few years? Hmm. Virus kits have been around for awhile now. Right now I am looking over the docs for IVP (Instant Virus Production Kit) 1.7 which has a time-stamp from 1992. It supported .COM/.EXE(MZ) infections, encryption, etc. If you look through a virus bestiary, all of these viruses begin with IVP.*. I remember seeing a "review" of the kit by a virus software company, calling it shoddy. So I guess Virus Kits are nothing new. Just thought I would mention it.
We should send a message to all clueless amateurs out there that go around "clicking" in virus making kits and creating Outlook viruses that force law abiding companies to close down their e-mail systems and loose thousands of dolars in revenues (imagine all those suffering employees that cannot send the latest joke to all their collegues).
If we don't act swiftly and decisively now, we risk having these "amateurs" playing around with Code Red Creation Kits.
I say hang the guy in Dam square in Amsterdam - that will show them!!!
I got that quote from ESR's page, and it may not be what you think it is :)
http://tuxedo.org/~esr/fortunes/rkba.html
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
In the name of all that's holy, don't let our marketing department hear about this!
The really interesting part is that this kid wasn't even a programmer.
The really interesting part is that he did not make the gun, just pointed it and pulled the trigger.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
The conviction in 1990 wasn't for creating a virus. I know, because I was network manager at one of the sites involved and was responsible for logging network activity which formed part of the evidence. In that case, the individual had found a vulnerability in the ICL 3980 mainframe series - in essence, root password changes were logged to a journal which was publicly readable. He had already taken over several machines in the UK before we were alerted, but as it happened he hadn't managed to root us because we were "slack" in our password changing and the root password hadn't actually been changed for many months. Other more diligant sites who changed the password weekly or monthly weren't so fortunate.
For a couple of weeks I created logs of his connections to our machine; they were traced back to a dial-up connection at one of the colleges in London. Once the evidence was in place, the authorities gave him (I quote the detective who interviewed me) "the wobbly door treatment" one evening, much to the amazement of his mother who was cooking dinner while her son was "playing" with his computer in his bedroom
At the time, the Computer Misuse Act was only just going through parliament and therefore he had to be charged under existing laws. The prosecution case was that modifying the magnetic fields on hard drives amounted to criminal damage, and it was for this that he was tried and convicted. He was sentenced to 12 months, with a further 6 months suspended. He came out after 11 months to an operator job with a company using ICL mainframes.
My next sig will be ready soon, but subscribers can beat the rush
Actually I'd rather they didn't mod me up. This entire thread has nothing to do with the origonal post. And you're an anonymous coward ... like our recent terrorists.
Get a name, log in, be somebody for a change.
~LoudMusic
No sig for you. YOU GET NO SIG!
Exactly. Risks are everywhere. There are risks associated with all choices people make. The idea is to minimize your risks if you want.
It's a balance. No one should be surprised at this point that running Windows and Office is riskier.
Outlook makes virus propagation so easy all you have to do is come up with a catchy subject line and the rest is a CS101 project.
Eighteen months in jail is nothing like getting your wrists slapped! That's a year and a half in confinement at a very dangerous place. It's a jail sentence, not a slap on the wrist.
What the hell is the matter with people who think they're entitled to take away people's freedom for causing a little economic damage? People are more important than money!
A lot of these hackers might learn their lesson through public humiliation and education. Jail does nothing to fix people, so why the hell resort to it except in hopeless cases?
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
The guy who got 18 months was a different person. That's what I get for not reading the story.
I think they should return the kid his computer. They should delete the viruses and let him keep his computer and data. Just because he released a virus shouln't be reason to seize his entire digital "assets".
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Well, that just the reason why I use MacOS.
The change that you can get a virus is almost zero.
The funny part about this is, that all those viri (or scripts) don't work with Outlook express for Macintosh.
No automatic execution of scripts and/or programs like with Outlook and Outlook express for Windows.
That's one advantage of the MacOS platform.
I'm using Eudora Pro and never had one virus.
And I avoid using any M$ product at all.
That's the only way to make sure that the change that I will get a macro virus is almost zero.
The problem with M$ software that it is very simple to make a macro- or script viri or worm.
Not using this software is the best way of preventing spreading of worms and viri.
And of course, you should always use anti-virus software with windows.
And update it at least once a week.
didn't write a virus. It was a worm. It sought out vulnerabilities that were (at the time) unknown to the majority of internet users. It replicated and attempted to spread at such a rate it crippled the internet.
Desperation is a stinky cologne
Google lists a few. Looks pretty insecure to me.
Not convinced? How about doing a search for Outlook Express at Security Focus?
Or browse a few Crypto-Gram by Bruce Schneier. Good reading, IMHO.
Anyway, it's smartasses like you that make me want to whip together a Mac-based worm and call it anna.jpg. Enough dumbfucks would open it up to shut you up.
Well, contrary to your remark reality already proves that you are wrong.
There are about 56 viri for the Mac.
Almost all of them don't work anymore due to the fact that they aren't written correct and use obsolete API calls which aren't available anymore since MacOS 7.0.
Compare that with the almost +/- 60000 viri for windows pc's....
Second, most viri for the Mac are just stupid programmerglitches.
Like for instance the hypercardvirus.
None of the Outlook virues on Windows work for Outlook Express either. Anytime Outlook has auto-executed anything it's been considered a bug, and that is not how the Anna virus spread
Nope, it isn't a virus.
It is just a stupid script which is executed by Outlook when you double-click on it.
And that is just one of the biggest problems with Outleak.
I'm a sysadmin at a small company.
The only way to prevent that we receive any script- and/or
So, in front of the exchangeserver there is a mailserver with sendmail and some filtering software and anti-spam software (with a large database).
This seems to be the only way to secure an exchangeserver.
And it works all the time.
Since the "i love you" script we haven't had one virus.
...c'mon, where's the craftsmanship? Where's the pride in your work? When I wrote viruses, it was all about doing it yourself, accomplishing something. Now you don't even have to be a programmer, you just have to know how to point-and-click. I tell ya, when pride in craftsmanship goes down the toilet, there's nothing left.
"Make it ten--I am only a poor corrupt official."
--Captain Louis Renault (Claude Rains), Casablanca
What a fool ;)
My other car is first.
CmdrTaco appears to be one of those people out there who have a rather confused notion of how severe sentences actually are. This is the second posting about how 18 months in juvie or 240 hours of community service + a criminal record amounts to a slap on the wrist.
This is pretty dumb. Jail is boring, obnoxious, demeaning and occasionally dangerous, particularly for these type of people. A sentence of several months is not a slap on the wrist. Community service sounds about right.
I think it is a great thing that he is going to trial. It is time for everyone to stop seeing people such as Jan de Wit as innocent. He created something that caused companies problems. The fact that he used a creationkit to create the worm is beside the point. Everyone are responisble for their own actions, and everyone should be prepared to take ALL consekvenses that their actions may have... always!
If you look at most "new" viruses that are added to the databases of Antivirus products, you can see that they aren't actually new. Most of them are modified versions of some existing virus. So, if we get another case where someone modifies an existing virus to avoid detection by AV products, is he the creator of it? I say that he is the creator just as much as Jan de Wit is the creator of this worm.
I hope that he this guy gets a penalty. I hope that this will prevent some other people from creating viruses. Something else that is good about this case is that the creator of the kit, [K]alamar, stopped creating more kits (his name was in on Argentinan TV and this scared him).
Viruses are bad. Even though they fund an entire industri, I think everyone would be happier without them, even people in the industri. Bringing people that create or spread them to justice is a good start in the path toward a virusfree world.
Looks like the link you provided is indeed the case referred to in the article. The case I was involved in happened five years earlier in 1990 and I as far as I know, then and now, was the first time there was a conviction in court for a "computer misdemeanour". Just a coincidence that both perps ended up doing 11 months, I guess.
My next sig will be ready soon, but subscribers can beat the rush
For writing software that MIGHT be used to violate copyright law and therefore violates the DMCA, Dimitry Sklyarov gets the book thrown at him. Where the hell is the justice in that? Nothing that Mr. Sklyarov did was malicious, and yet his "crime" is treated far worse than those whose actions were deliberately intended to do damage. There is something seriously wrong with this picture.
IANAL... But I play one on
he is the black baron, or chris pyle. responsible for SMEG.
Anyway, the requested sentence is amazingly light -- 240 hours of civil service.
How often people say that a sentence is "amazingly light". I think that should be a crime punishable by whatever sentence the speaker/writer says is "amazingly light".
Just to remind people: at the trial, no evidence that this guy's activity had harmed anyone in any way was presented. Yes, viruses are bad; yes, he should be punished; but for a first offence, wouldn't probation and a fine be more appropriate? If he doesn't learn his lesson and offends again, OK, then throw the book at him.
Yes but Dimitry Sklyarov committed his crime under US law. The US has the highest incarceration rate in the world. The wristslapping in the last few days occured outside America, and hence, the sentancing is a little more level headed.