Slashdot Mirror
Four Kids Confess to Goner Worm
imrdkl writes: "4 kids in Israel have confessed to writing and distributing the Goner worm, according to Fox."
Yet another annoying worm comes and goes, wasting countless IT hours, to say nothing of bandwidth. The kids face up to five years -- of course since they aren't in the U.S., they might actually be punished.
At work, we got it about 1100 EST. One user got it and ran it, and it cascaded. Our servers groaned for about 30 seconds, by that time, the mail admin had run into the server room and yanked the network cable to them. Honestly, I don't think the fault rests on these kids at all. Sure, I guess they should face punishment if they broke the law, but that's their country's problem. I don't blame them.
If our users had listened to the rules, this wouldn't have been a problem. But within 30 seconds of the attachment entering our network, over 50 users had run it. Why can't someone hold the irresponsible user at fault? The instructions are easy - don't run attachments you weren't expecting. Instead of blaming some kids for playing around with code, why can't we find fault in the people that don't follow their instructions?
Yeah, I'm ranting, but to make something constructive out of my waste of bandwidth, how can we get the users to listen? Anyone have effective tools? Yeah, I'm all for firing the ones that can't observe policy, but that would mean firing my boss too. And she's actually pretty decent, as far as managers go.
funny munging
Children do what children do; push buttons to establish limits. That's their job. Punish the managers and complacent sysadmins at the companies impacted, that allowed themselves to get a year behind on maintenance. There will always be children. We don't always have to be cheap/lazy about security. At least not if we're going to bitch and moan about stuff that's completely preventable.
Can You Say Linux? I Knew That You Could.
I think taco's making a specific allusion to MafiaBoy, who got off with probation for his DDOS attack last year.
One might ask the same about birds. What ARE birds? We just don't know.
Instead of being punished (in the usual way) for this annoying act of internet vandalism the Israeli government should make them pay for their crimes in a way that will harness their talents. Maybe some form of Internet good will, like 2 years doing mindless computer support for a charity organisation. :)
These kids are to young to go to gaol and the outcome of confining the kids to a cell for up to five years will only make them criminals.
I just think the punishment should fit the crime and actually make a difference to the outcome of such young and talented delinquents lives
All speling, factual, tact, and/or grametical errers be the result of netwerk interpherance or# transmition ererrs.
I hate to sound old (I'm only 23), but we've had viruses for years before the internet was as commonplace as it is now and no one cared.
You just made your own point. The internet is now commonplace, and it costs large corporations lots of money in lost productivity when one of these get sent out (if only in our IT department alone, laughing at the stupidity of the users falling for the stupid tricks the virus writers use to get them to open the email). There are a hell of a lot more people to care now.
When I was 15 I was like that. I really don't remember why I thought that stuff was cool, it just was. Thankfully I grew out of it.
Hmmm, maybe if there are more crackdowns on script kiddies and more slander against that kind of life these kids won't think it's 'cool' anymore. Just a thought
Same here... but I don't think crackdowns will help. I mean, they probably get enjoyment out of their creation growing (until they fully realized what they did). A better idea than crackdowns might be a controlled environment for kids to screw around in...
Of course, one result would be giving crackes experience / promoting it. But giving out free condoms could be viewed as promoting sex...
whatever. I can't see any especially good solution.
My server
I disagree, these "crack downs" get media time for the kids who are writing the viruses. If anythign I think all of this media coverage glamourises the entire thing. If kids didn't see this as a way to rebel against everyone in the "mainstream" then this wouldn't be as rampant as it is. I am not saying that we should except it, and I am not saying that it wouldn't exist without the meida talking about it every 30 seconds. But what I am saying is that (Insert Anchor Man Name Here) says that this is the worst thing to ever happen, then some kid sitting there who like many of us (and I freely admit that I used to check all the boards) would look at this when they were younger just to understand it, is going to say to himself I can do better than THAT!
Just my 2 cents.
-OctaneZ
We all pine for the 'old days.' But really ... today all they have to do is relate it to 'terrorism' somehow and then the person goes to jail. And then all virus makers are terrorists. And because the terms are generalised, anyone who is a 'hacker' is a terrorist. But wait, there are many linux hackers who don't go around compromising networks. But they are hackers. Sooner or later a linux hacker or two get identified with working on PGP, but strong encryption, according to the US, is a munition - WE HAVE HACKERS MAKING MUNITIONS HERE!! TERRORISTS !!! Arrest them ALL!!! They're helping Osama Bin Laden! And it could all be falling into a cascading cycle of ignroance.
And this is what THEY want because people with outside-the-box knowledge about computer security can always do things with networks that can't be controlled or monitored by the powers that be.
Ah yes, I pine for the good old days. (Btw, if it means anything, I'm younger than you.)
The kids face up to five years, of course since they aren't in the US, they might actually be punished.
Computer crimes are MORE than sufficiently punished in the US, thank you very much. I don't know where you get off implying that the US goes easy on computer "crime". I had a little incident during my freshman year of college. The FBI was very determined to get me jail time for a ridiculously minor offense. It was only through sheer wit and creativity of my laywers that we got the offense down to a misdemeanor and a lousy 600$US fine. That was the most hellish time of my entire life and could have ruined my career forever. All over a tiny little deal (no damage was done).
Imagine what these kids would get in the US for writing such a worm. It'd be a helluva lot worse than 5 years in prison. So put your pro-punishment attitudes away and get real. Remember what our government does to computer criminals.
Why bother.
I think you miss the point of why jail time is an effective deterrent to crime of all types. It not only punishes the guilty, it can also keep the innocent from becoming the guilty. Without stiff punishment there is no deterrent effect to their peers. If you think there may actually be a chance of something bad happening to you for doing something wrong, you are less likely to do it (unless you're an idiot of course).
I guess you think the architects should have been held accountable for the twin towers not withstanding a plane hitting them. I hate M$'s practices as much as the next guy, but you can't hold them responsible when someone else knowingly takes advantage of a problem that they did address in hotfixes and patches! Sure it proved that there are still a lot of ignorant people out there who spread these worms, but the people who write them and send them out into the population are no better than the people stuffing Anthrax into envelopes and exploiting the U.S. postal service. These kids are electronic terrorists and we should take this offense seriously.
Sound waves should be free!
Yeah, I can just imagine that, considering the constant attempts of my school board to notify everyone that they shouldn't use the heavily-monitored, automatically-admin-cc'ed email service for spreading chain letters, porn, etc. because it wastes their precious bandwidth.
Then again, this is from the same school board that says kids can't use the comps for playing games that involve the keyboards, because they wear out quickly that way. They're only allowed to play "mouse games".
Technology has passed these people by. Actually, I don't think we'd ever see something like this because most people I talk to think worms are caused by the Internet or something and act completely stupified when I tell them it's actual people who write them.
If you do any kind of programming, you should have gone through that phase when stuff like that was cool. I remember a time when I thought it would be cool to write viruses or worms. Now, the reason that I thought it would be cool escapes me.
I believe that every programmer, at some point, goes through a phase when they want to try everything under the sun just to say that they can/could/did do it. I never actually wrote a virus myself, but I definitely remember wanting to just for the sake of getting into the guts of a computer and seeing what makes it tick.
Most programmers have also been/are sysadmins. I believe this along with growth/maturity eventually lead to the desire to produce something useful, not destructive, for the rest of the world.
Unfortunately, some never get past it, and some just use pre-fab virus creators. These people for whatever reason didn't move on to the next stage of evolution and probably never will, but at the same time, they keep sysadmins in business and antivirus writers employed.
For grown up security mistakes...
Part of the process of being a kid is learning... While I do not approve destruction or paralizing IT infrastructures, this seriously bugs me depending on the seriousness of the punishment.
Meanwhile, LOADS of spammers are still clugging my Hotmail inbox at a rate of at least 20 spam a day, my ISP email account receives at *LEAST* 5 spams a day, multiply that by X amount of users, THERE'S a big bandwidth waste. These people are still running free and going stronger than ever!
Those lame virus lasts for about a week. If after that, anyone else gets caught, they need to *LEARN* the HARD WAY like "doing backup is a good idea because you never know when your system might fail", well the same should go with "Update that antivirus file, because you never know what might hit you". Heck, the antivirus programs offers to do it automatically, there's no excuses.
--- Metamoderating abusive downgraders since my 300th post.
Maybe I use MS products because I like skipping standard "compile->read manpages->2 hour configuration because no one uses standard configs" process. But, unlike you I don't need to hide behind Linux, I can figure out which attachments to open and which not to open.
For the kid who DoSed yahoo and cnn a while back. They put him a government reform school for 8 months.
.doc files were not executable.)
.doc, .vbs, or .exe onto the network.
That is enough punishment for a silly prank.
And I can't simpathize with the people who blame the users for openning the attachments. Teaching users not to open emails that have "Hi" as the subject line is only a short term solution. Trying to get users to remember which types of files are executable is not an option either. (Until a year ago, I assumed that
A better solution is to not allow executable attachments which end in
An even better solution is for Microsoft to fix their programs or for people to not use Microsoft products.
They're first time offenders who confessed. They're high school students who would otherwise be preparing to be drafted to the Israeli army soon, and the government will not want to disrupt that if it isn't necessary. Finally, they are from a town that is notorious for inducing boredom for its teenagers. They may get a few months, but I wouldn't count on it, and they'll get assigned to the Ma'asiahu prison, where conditions are very good (it's Israel's prison for first time offenders, and it's probably the only place in the world you could call a re-education camp without irony.)
"Using products that suck is your own fault".
For what it's worth, Microsoft is the biggest fish out there. In a large business with many users that aren't technically proficient, learning to use another program is difficult. So, Outlook is what they use and Outlook is what you'll find.
Blaming the users will not solve anything. It's nice to turn up your nose at their technical inferiority, but I fail to the how that helps anyone.
"The kids face up to five years -- of course since they aren't in the U.S., they might actually be punished."
What kind of stupid statement is that??? The U.S. shares the honor of being a country which will execute people for crimes committed in childhood with only one other country in the world -- Libya. Great company there.
Your statement implies that our government is soft on the law-breaking young -- HARDLY! Rather, it's attitude towards (non-white, anyway) children is nothing short of bloodthirst.
Ah yes. It's the user's fault. Damn them for actually using the features in their frigging e-mail clients. How dare they not go through arcane menu commands and figure out how to deactivate features. Let's shoot the slobs now, and totally ignore the fact that lazy-ass developers created all of these problems for the users to begin with.
Oh yeah. very common sense. Unless, perhaps you know joe45@aol.com. Which is the case in most of these "scan the user's address book and send a copy" schemes. That's why it's so successful... e-mails go to people who know, and perhaps trust, the person who launched the virus. Hell, a lot of the viruses are in the form of Word documents, which, believe it or not, are actually passed around via e-mail. See, e-mail is all about communication. People send people things. People open them up. 99.99% of the time, nothing bad happens. That's what e-mail is for. That's why we have attachments. If people aren't supposed to open them, what's the point of having that capability in e-mail clients?
Do you actually expect people to know what the hell a .scr file is? Maybe you've got all of Window's file extensions memorized. Most people I know have more important things to think about.
No, if you want to code up a virus to "fix" this problem, code up one that goes out and downloads and installs an e-mail client that was written by someone with a clue about security. Perhaps install an operating system where something run in userland can't fuck with system files. Hell, write a virus with some AI that can seek out and destroy the source code to lousy e-mail clients, scripting systems that have no concept of security, and operating systems that have no security model to speak of.
In the mean time, screeching at people that doing things that the e-mail clients were designed to do in the first place is grounds for a cyber-anal-raping is about as productive as screeching that they're a witch if they float in water. It may seem obvious to you, but you're not speaking their language.
Comment removed based on user account deletion
Comment removed based on user account deletion
I'm sorry, doing something stupid when you're 18 does not justify academic and professional murder nor is it suicide in those respects. You're going way too far overboard in your idea of what consitutes punishment for my offenses.
First of all, I was a paying student. The money I put into the university system there made those machines run. I had vested interest, so that lessens the severity of the intrusion. If you trespass somewhere on a college campus, as a student, they don't convict you of a felony. They realize you're a college student and you're not only stupid, you're probably just goofing around. They slap you on the wrist, send you home. End of story. They do not kick you out then tell the rest of the world what you did so that no other schools accept you.
Your opinion here is so utterly absurd that it baffles me how someone so intelligent would believe that it makes sense to destroy a person's entire life over a minor offense. Punishment is supposed to correct someone's way to conforming their behavior within the laws. Punishment is not supposed to ruin a person. I suppose your parent's never said "it's for your own good" when they administered a spanking?
The FBI was poised to destroy my life in countless conceivable ways. If I cannot acquire an education and hence live a professional career as a computer scientist, there's not much else I could do at this point. The life I have always wanted would be unreachable. So I cost the university a few man hours patching a few systems that had obvious security holes. I'm sure they made some student do the patching (which I informed the admins needed to be done, which is how I got caught - go benevolence) for free.
The justice system is supposed to balance the punishment with the offense because it is supposed to (as I previously mention) help offenders correct their ways. You do not execute someone for stealing a loaf of bread.
Maybe if you had the experiences I had in the whole situation, you would not hold this silly right-wing extremist viewpoint that believes punishment for every crime is death by sodomy. What I ended up getting was still too much to fit the crime, in not only my opinion, but in the opinions of people much more rational than yourself. (One of my laywers included, who managed to get one of the guys the university to admit, over the phone, that they wanted to make an example out of me by going overboard.)
Oh well... there's just too much I can say here and I know this is a lost cause. I should quit before I fall too far behind in the face of ignorance. Since you show me the discourtesy of defending injustice, I can only respond with the hope that one day you find yourself on the wrong end of an FBI prosecution. Maybe then you'll understand.
Why bother.
That's a bad analogy. It's more like four kids pressed a button on the outside of the WTC at street level, causing the towers to explode due to an engineering flaw. In other words, there is no way for a mail message to directly cause harm to your computer. It must be interpreted by a program which you trust (a traitor, in other words) which is willing to harm your computer at the command of an outside party.
I absolutely can and do hold them responsible. Their decision to facilitate running programs that arrive in the mail without any kind of sandbox or access restrictions was an obviously dangerous one whose implications were immediately visible to people who understand computers. Microsoft spins their product as the omniscient gatekeeper to the internet and handholder to the clueless. They encourage the computer-illiterate to put their trust in Microsoft rather than learning how computers actually work. They created both the software and the culture that propogate malicious code. All of which means that they are greatly to blame for deliberately bringing into existence email viruses.
The question that never gets asked is why all these companies were vulnerable to these attacks. I've worked for several Fortune 500 companies and I've yet to see one with good security. You'd think they'd be going out and hiring a bunch of security professionals after Sept 11 but I'm not seeing a whole lot for infosec or security on the job boards.
Until some CIOs and CTOs start losing their jobs over this crap, the cycle will persist.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Thank you for that insightful, yet totally meaningless argument.
Comment removed based on user account deletion