Slashdot Mirror


Maker of Kournikova Gets Wrist Slapped Too

shelflife writes: "This story says 'It is the first time in history that the maker of a computer virus has been tried in the Netherlands -- indeed one of the few times it has been done in the world. Hypponen knows only of one conviction. A man was sentenced to 18 months in jail in the U.K. in the early 1990s. The man served 11 months, said Hypponen.' but that can't be true. What about Robert Morris? Anyway, the requested sentence is amazingly light -- 240 hours of civil service." The really interesting part is that this kid wasn't even a programmer. He just downloaded a kit. Shows how far this Virus Craze has gone in the last few years.

35 of 167 comments

  1. Interesting that he turned himself in. by strags · · Score: 2, Interesting

    Interesting that he turned himself in - perhaps this does lend credence to the idea that he really didn't know what he was doing. Although, to be fair, if you download a worm creation kit, use it to create a worm, and then post it to Usenet, it seems unlikely that you wouldn't be aware of the potential consequences.

  2. Good.. by evel+aka+matt · · Score: 2, Insightful

    Finally someone in a computer-related trial gets a semi-fair sentencing. I'm surprised he didn't get $4,000,000,000 worth of jail time for all the "damages" he caused. I must admit, I'm a little surprised at the people who are not happy with the outcome of this trial..

    ---
    evelakamatt

    1. Re:Good.. by Spruitje · · Score: 2, Interesting


      Finally someone in a computer-related trial gets a semi-fair sentencing. I'm surprised he didn't get $4,000,000,000 worth of jail time for all the "damages" he caused.


      Contrary to the US it is not common that people are compensated above Fl 50.000 (that's around $ 22.000) in the Netherlands.
      If a waitress spills some coffee on you in a restaurant the normal compensation is that the restaurant pays the bill of the dry cleaner.
      Contrary to the US we at least have some common sense and it isn't done to sue somebody for a mistake (and it is almost impossible).
      You will find that this is the case in most parts of Europe.

  3. Couldn't do it alone... by Ed+Avis · · Score: 3, Troll

    Will the makers of Outlook go to court for actively helping the spread of the worm by deliberately insecure handling of attachments?

    --
    -- Ed Avis ed@membled.com
    1. Re:Couldn't do it alone... by pgrote · · Score: 2, Insightful

      I guess I am really tired of hearing people say this.

      Yes, Outlook is prone to leaving gaping holes to run these things through, but let's not blame the responsibility.

      Someone, an IT Manager, a Network Administrator, a tech, has made the decision that their company, group or department will use Outlook. That is where the blame rests.

      No one puts a gun to their head and forces them to use Outlook. No one. Someone makes the final decision.

      In that decision there may be mitigating factors such as software investments, training costs, etc. so if they find themselves in a situation where they feel Outlook is their best decision they then need to protect themselves.

      After the first Outlook specific virus everyone should have realized this simple fact: anti-virus products exist for a reason.

      A good anti-virus product will override your email and not allow it to happen. Automated updates to DAT files can be handled locally or over the internet.

      There is no use in blaming Microsoft. You blame the people who handle IT for the organization.

    2. Re:Couldn't do it alone... by Ed+Avis · · Score: 2

      I agree. Microsoft should not be held responsible for writing the Outlook program; the fault is with those stupid enough to run it. The same principle should be applied to the person who wrote the Kournikova worm.

      --
      -- Ed Avis ed@membled.com
    3. Re:Couldn't do it alone... by thrig · · Score: 2

      How many people factor the expense of mandatory anti-virus software into their calculations when choosing Outlook?

      What if IT says "hell no" but management forces the Microsoft solution on them? Do you still blame IT?

      What about schools and ISPs where clients just start using the bundled Outlook Express because it came with the computer, forcing the overworked sysadmins to divert time and money to installing centralized anti-virus software on the mail hosts, because there's no way in hell that anti-virus software is going to be installed properly configured on all the client machines?

      I say boycott Microsoft until they fix the negligent product design that brought us the anti-virus market.

    4. Re:Couldn't do it alone... by tswinzig · · Score: 2

      Will the makers of Outlook go to court for actively helping the spread of the worm by deliberately insecure handling of attachments?

      Yes, but only if we also take God to court, for making people so stupid.

      --

      "And like that ... he's gone."
    5. Re:Couldn't do it alone... by Ed+Avis · · Score: 2, Insightful

      The biggest security problem is failing to distinguish between opening a file and _executing_ a program. Remember when the standard line was, you cannot get a virus just from reading a message? That is still true, but Outlook (and Windows as a whole) deliberately blurs the line between reading information and executing code, so it's possible for users to become infected just by choosing to 'open' a document. Really Windows should have two different actions, 'open' and 'execute', but given that it doesn't, Outlook should at least make some effort to figure out those file types that are likely to execute code when run (.exe .com .bat .pif .cmd, maybe others) and warn about them. It's been a while since I used it ('Outlook 98 copyright 1997 Microsoft Corp.') but judging by the spread of worms it doesn't seem to have improved.

      Another factor contributing to the confusion between files and executables is the 'user-friendly' hiding of extensions, as used by Loveletter (loveletter.TXT.vbs, or something like that). And of course there is no excuse for basic errors like buffer overruns - a few such bugs are forgivable in ordinary applications, but an Internet mail client really needs more care in design.

      Finally, these weaknesses have often been pointed out and exploited for several years now. Yet Microsoft never seems to do anything about them (apart from some kludge to drop all .exe attachments at the mail server). So it's hard not to class that as in some way 'deliberate'.

      --
      -- Ed Avis ed@membled.com
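The filename check that the comment above asks a mail client to make, sketched as an added example (not part of the original thread and not any mail client's actual code). The decoy-extension list, the function names and the sample message are constructed for illustration; the execute list is the one the comment gives, plus .vbs from its Loveletter example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Types the comment lists as likely to execute, plus .vbs from its Loveletter example.
EXECUTABLE_EXTS = {"exe", "com", "bat", "pif", "cmd", "vbs"}
# Assumption: document-like extensions a sender might use as the visible decoy.
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "pdf"}


def classify_filename(name):
    """Return (verdict, detail); verdict is 'ok', 'warn' or 'block'."""
    # Windows drops trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return ("ok", "final extension is not on the execute list")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        shown = ".".join(parts[:-1])
        return ("block", "displays as '%s' with extensions hidden, "
                         "executes as .%s" % (shown, parts[-1]))
    return ("warn", "'open' will execute this .%s file" % parts[-1])


def scan_message(raw_bytes):
    """Classify every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        verdict, detail = classify_filename(filename)
        results.append((filename, verdict, detail))
    return results


def build_sample_message():
    """Constructed test message with three placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See the attached files.")
    for name in ("notes.txt", "installer.exe", "holiday.jpg.vbs"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application",
                           subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, detail in scan_message(build_sample_message()):
        print("%-18s %-5s %s" % (filename, verdict, detail))
```

The verdict depends only on the final extension after normalisation, so a name such as report.vbs.txt is treated as data while holiday.jpg.vbs is blocked.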
  4. Reasoning... by Telek · · Score: 3, Insightful

    The really interesting part is that this kid wasn't even a programmer. He just downloaded a kit.

    and

    The defendant, Jan de Wit, turned himself in to the police in his hometown Sneek, Netherlands, on Feb. 14.

    I would venture a guess to say that those are the reasons why he was given such a light sentence, and the fact that he was 20 years old. A little remorse goes a long way in the courts, and turning yourself in too usually helps to give a lighter sentence.

    --

    If God gave us curiosity
    1. Re:Reasoning... by Telek · · Score: 2

      But prison is NOT a deterrent. There are people who would rather be in prison than on the streets. I can agree that there is merit in allowing them to exercise, watch TV, study, and do many other things that some people outside don't have the opportunity to do, but it is those who take advantage of the situation that ruin it for everybody. How can you justify sending someone to prison for hacking a computer beside someone who is a serial rapist? The justice system is royally screwed up. If prison were a box in the arctic where you airdropped food in once a day, I think that we would have far far far less people becoming criminals than you do today.

      --

      If God gave us curiosity
  5. Right decision by lukel · · Score: 2

    Sure kids who program or release viruses should get their wrists slapped and do some community service. What gets me is these stupid figures for damages that get bandied about. If companies really are losing as much as they claim, why don't they just hire someone to install security patches when they become available, it's not exactly rocket science. In my view if you have some critical systems but don't bother to add security patches when they become available, you are equally to blame and should not be allowed to claim damages.

    1. Re:Right decision by WolfWithoutAClause · · Score: 2

      Huh? If you leave your keys in the ignition of your car, and someone jumps in, takes it for a ride and torches it, you're not allowed to sue him for the loss of your car because you left your keys there?

      And that's a lot more lackadaisical than we are talking here- it's closer to manufacturing a car that's easy to hotwire.

      In my view you're an ass. There are very real costs with setting a system up right. How long does it take you to reinstall your operating system? My personal system takes a couple of evenings for the basics and won't be right for weeks.

      >If companies really are losing as much as they claim, why don't they just hire someone to install
      >security patches when they become available, it's not exactly rocket science.

      They do. These networks can be vast though, and getting to all of the machines in time can be difficult. Also, many patches or fixes involve switching off services or features. Companies cannot blindly install patches, they need to test them first. It ain't easy.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    2. Re:Right decision by archen · · Score: 2, Insightful

      "How long does it take you to reinstall your operating system? My personal system takes a couple of evenings for the basics and won't be right for weeks. "

      Two words dude: Norton Ghost

      Besides which as most any computer oriented person will tell you, backing everything up is most important.

    3. Re:Right decision by WolfWithoutAClause · · Score: 2

      >If there is a fire and they're not blamed, it's not the end
      >of the world for them since other people do most of the clearing up.

      Oh right, so the architects of the WTC were to blame for the building falling down? [In that case I think they should be admired that the building stood for an hour after such a brutal attack; and the failure mode was the best you could really have- almost straight down.]

      Some or even many attacks cannot be realistically avoided; but can only be dealt as best anyone can when they occur. We don't know the holes until somebody finds them, and the bad guys sometimes find them first.

      >They have an incentive take less than the optimum level of fire
      >precautions and to make sure arsonists get all the blame for fires.

      Not so much; if they are being significantly reckless they will carry some small part of the blame in all likelihood, same as if you leave the door open; and that can be career affecting. But still, 90+% of the blame rests on the attacker.

      In the company I work for Red Code attacked a handful of servers out of hundreds or even thousands- the rest had been patched; in that case perhaps there was some recklessness involved, they should have patched them. But 95% of the blame lies at the doors of the authors.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    4. Re:Right decision by WolfWithoutAClause · · Score: 2

      >backing everything up is most important.

      Yeah, if you have the hardware to do that; and even then only if your data is necessary.

      People that go around trashing, writing worms, trojans or viruses, or cracking are dirt. It's like stealing people's lives- often hundreds of dollars worth of time per system. Even with backups.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    5. Re:Right decision by WolfWithoutAClause · · Score: 2

      >I'm suggesting that if reasonable precautions haven't been taken,
      >then blame should be shared.

      How many hours of community service should the system admins have been given then? Get a clue dude, you've lost it.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    6. Re:Right decision by aozilla · · Score: 2

      What if Circuit City accidentally marks the price of its TVs at $5.00? The value of the TV is $100. They were selling for $500. You hear about this "bug", and go to Circuit City and buy 1000 TVs. The cashier accepts the purchase and you go home with 1000 TVs for $5000. The TVs are destroyed in an explosion when you get home. Should you owe Circuit City $95000, $495000, or nothing? Should you have to do community service, or spend time in jail?

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
    7. Re:Right decision by WolfWithoutAClause · · Score: 2

      Are you admitting to something? ;-)

      IANAL; sounds like you would need one...

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
  6. D'oh by zpengo · · Score: 4, Offtopic

    And here I was seeing "Kournikova" and "slapped" and thinking this article was going to be much more interesting (and perhaps have some pics!)

    --


    Got Rhinos?
  7. That seems like a reasonable sentence by iabervon · · Score: 3, Insightful

    It's a light sentence, as sentences go, but it makes the whole process, from putting it together to serving the sentence, more trouble than it's worth in entertainment.

    The reason lame modern viruses get written is that it's really easy; you put in very little time, and then get to hear reports about how it spreads: very little effort, a little entertainment. If he'd known that it would take 250 hours of work, he probably wouldn't have bothered.

    The same goes for hacking websites: people do it because it doesn't take any real effort. If it took 250 hours of boring work that you can't automate, people wouldn't bother.

  8. Re:How to calculate the damage? by Dr.+Prakash+Kothari · · Score: 2, Offtopic

    Sir, I find your sig to be more than a small bit offensive.

    As an Arab living in the United States, I too have been affected by the tragedy inflicted on your country by these terrorists. I had several friends in the WTC at the time of the attacks, and I feel that the USia needs to extract vengeance upon those who committed these acts. However, you must understand that the men who perpetrated this violence represent a distinct minority among Arabs.

    Your suggestion that all Arabs have their arms amputated strikes me as offensive and highly insensitive. Racially motivated violence will not bring the dead back to life.

    Now is the time for level-headedness and tolerance, not ignorance and persecution.

    --

    "Technically, a cat locked in a box may be alive or dead." -Kurt Cobain

  9. Why did they do that... by Karpe · · Score: 2

    ...to the father of the beautiful tennis player?

  10. Kevin Mitnick by Zero__Kelvin · · Score: 2, Interesting


    "A man was sentenced to 18 months in jail in the U.K. in the early 1990s. The man served 11 months, said Hypponen.' but that can't be true. What about Robert Morris?"

    Not to take away from RTM, but what about Kevin Mitnick?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re: Kevin Mitnick by Inthewire · · Score: 2, Informative

      KM didn't release a virus

      --


      Writers imply. Readers infer.
  11. Wrist slapped? by sedawkgrep · · Score: 2, Insightful

    240 hours of community service is quite a bit, at least in my book.

    Say you work a 40-hour week (days)...that pretty much only gives you weekends to devote to service. If you work 8 hours on Saturday, it will take 30 weeks to complete the sentence.

    Anybody want to give up 30 Saturdays? I didn't think so.

    The punishment is certainly less than what one might have expected, but I think this is a good trend, not a bad one. I'd much rather see these marginally troublesome white-collar criminals get easier sentences than ANY drunk driver or other violent criminal acts. So the virus is bad. Sure. Was there any loss of life? Was anyone maimed or psychologically traumatized (heh) over the incident? Hell - he didn't even try to steal information or money.

    Punishments should fit the crime. What he did was not excusable, but a little perspective check is in order - especially after Tuesday's events.

    sedawkgrep

    --
    Is that a salami in my pants or am I just happy to be me?
    1. Re:Wrist slapped? by Tyndareos · · Score: 2, Funny

      Actually, in the Netherlands killing someone by drunk driving will usually lead to the same 240 hours of civil service
      Only if you're a famous soccer player or opera singer ...

  12. The Death Sentence by Aceticon · · Score: 2
    "I didn't know what it (the worm) would do. I just clicked away... I did this without thinking and without overseeing the consequences and without the intent to cause damage to anyone," he said. "I am not a programmer; this was the first time I created something myself."

    We should send a message to all clueless amateurs out there that go around "clicking" in virus making kits and creating Outlook viruses that force law abiding companies to close down their e-mail systems and lose thousands of dollars in revenues (imagine all those suffering employees that cannot send the latest joke to all their colleagues).

    If we don't act swiftly and decisively now, we risk having these "amateurs" playing around with Code Red Creation Kits.

    I say hang the guy in Dam square in Amsterdam - that will show them!!!

  13. Re:How to calculate the damage? by LoudMusic · · Score: 2, Informative
    Dude, he's talking about guns, weapons. Not human limbs.

    "Arms" as defined by dictionary.com.

    ~LoudMusic

    --
    No sig for you. YOU GET NO SIG!
  14. Re:Virus Kits aren't that new by jandrese · · Score: 2

    I remember those kits. Especially the one that came with wordstar built in that was set up like Turbo-C. They were pretty shoddy IIRC, it was the quickest way to write a virus that all antivirus packages would immediately detect (because the kits themselves tended to leave their signature on the virus). I do remember some of the more sophisticated kits claiming to make your virus automatically polymorphic, but I don't know if they actually worked. Most of those kits were riddled with bugs to boot (heck, most _viruses_ have bugs in them, have you ever read through those virus bestiaries?).
    Besides, I never heard of any kits that helped you to write boot sector viruses, which were the only ones that ever seemed to spread anywhere, at least before Word Macro viruses and Outlook worms came along.

    --

    I read the internet for the articles.
  15. Re:GOOD! by Graymalkin · · Score: 2

    For fuck sake dude, a good sized rock can be used to kill someone. Does that mean rocks of particular sizes ought to be outlawed? Should the writers of compilers be held accountable for people who used their compiler to make a virus? Run of the mill network utilities can easily be used to DOS some poor sap with a slower connection than yours. You post vulnerabilities in order to expose the fact that company X doesn't test their shit properly and ought to learn how before they lose all their customers. I'd rather use a product that has had bugs exploited and fixed than one where I didn't know if it had been exploited or not. If you're the target of an exploit especially a dumbfuck exploit like macro virii then you live and learn.

    --
    I'm a loner Dottie, a Rebel.
  16. Re:The 1990s UK Case - not about viruses by spectecjr · · Score: 2

    The conviction in 1990 wasn't for creating a virus. I know, because I was network manager at one of the sites involved and was responsible for logging network activity which formed part of the evidence.

    Uh, actually, no, it was for creating a virus, and had nothing to do with mainframes as you suggest.

    I had corresponded with the author (he was part of the SAM Coupé programming community). I know who he is. I have tons of his source code. And he was convicted for (on the surface of it) creating the first assembly-language polymorphic virus, and putting it into a virus kit.

    The virus was called Smeg.

    Here's a link that you might find informative:

    News story

    Simon

    --
    Coming soon - pyrogyra
  17. Virus kits... by BarefootClown · · Score: 2

    ...c'mon, where's the craftsmanship? Where's the pride in your work? When I wrote viruses, it was all about doing it yourself, accomplishing something. Now you don't even have to be a programmer, you just have to know how to point-and-click. I tell ya, when pride in craftsmanship goes down the toilet, there's nothing left.

    --

    "Make it ten--I am only a poor corrupt official."
    --Captain Louis Renault (Claude Rains), Casablanca

  18. Re:GOOD! by sheetsda · · Score: 2
    One example, not too long ago, someone posted instructions which would allow Hotmail users to read emails belonging to other Hotmail users. What purpose was served by posting this stuff in a public forum?

    The purpose was to force Hotmail to fix the vulnerability. It worked. The reason it worked was because the Joe Blow User found out about the vulnerability due to the coverage, and took appropriate action. Different people take different actions, but the end result gave Hotmail a clear message: fix it, or you won't have enough business to sustain your operation. Often these security holes are considered too obscure and therefore not a threat. All you have to do is get the message out to a couple blackhats and average users, and voilà, it becomes a serious threat even to those who would rather not deal with it.

    We had already known hotmail security was breached. Did the poster think that someone might just use it to illegally break into another person's hotmail account?

    Yes, the poster knew all too well that the blackhats would find and exploit the vulnerability if it were made public, and they would run amuck if it were not fixed, as such he/she made it so public that Hotmail is left with no choice but to fix it. The same principle is the reason we invest in the stock market: We give up a little bit of something now, to get more back later. That something is money or security depending on your favorite paradigm.

  19. CmdrTaco's Weird Idea of Sentences by OnanTheBarbarian · · Score: 2

    CmdrTaco appears to be one of those people out there who have a rather confused notion of how severe sentences actually are. This is the second posting about how 18 months in juvie or 240 hours of community service + a criminal record amounts to a slap on the wrist.

    This is pretty dumb. Jail is boring, obnoxious, demeaning and occasionally dangerous, particularly for these type of people. A sentence of several months is not a slap on the wrist. Community service sounds about right.