Slashdot Mirror
Why Worm Writers Stay Free
savaget writes "There is an interesting Wired article explaining why worm writers are getting scott free despite their destructive deeds." Nothing really new: overworked law
officials, bragging worm writers, you do the math ;) I still find it amazing.
The bandwidth wasted by a successful worm is gigantic. To say nothing of
time and disk space.
SirCam contains this text in its code: "SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico."
Smith has a hunch that the author of SirCam is or was in Cuitzeo, and is probably a student. Cuitzeo is located 16 miles from Morelia City, which boasts a large university.
Talk about a blinding flash of the glaringly obvious...
As the article implies, authorities deem these attacks trivial because they cannot see actual physical damage done to equipment. Economic damages, bandwidth loss, destroyed data, and wasted time are harder for a cop to take seriously than, for instance, a body on the ground. Of course, the fact that virus writers are usually script-kiddie teenagers helps to make the attacks seems like pranks. It is an interesting thought experiment to consider what will happen when a teenager playing in an advanced biology course cultures a virulent bacteria or virus. Or consider if "goner" had been tracked to the other side of the tanks... to a group a Palestinians.
Why don't these people put their worms to work doing somethign constructive? A SETI/RC5/whatever else you can do distribured worm would waste even more bandwidth, but at least it would have a purpose beyond just screwing things up.
Because all the spare law enforcement officials are giving me traffic tickets.
Rolling stop my ass.
This is the sort of thing that really pisses me off. Not to say that virus writers don't do damage or even that they are not criminals but how can you compare a computer glitch to killing 3000+ people? These virus writers are kids with too much time on their hands, they aren't terrorists! The solution isn't to toss them in jail or throw away the key, the solution is to get them to do something useful with their skills and then to use products that don't have so many security problems. </rant>
The Anti-Blog
A multi-billion dollar industry was created by writers of malware; anti-virus, tripwire, IDSes. Why would any large security company want malware authors to be caught?
Terrorists? Virus writers are terrorists? Keep it up, boys, and the word will lose all meaning and everyone will be desensitized to what it really means. Sheesh.
Obviously the legal system doesn't see them as such, yet, from the details of the article.
Karma: Excellent, but still won't get you laid.
Talk about stupid people, take a look at the links of stupid criminals. It's pretty amusing.
stupid bank robbers
The Web-Odditorium
You should not be using insecure products, but that does not excuse the crime.
Fight Spammers!
As SirCam virus e-mails average 250kb per message, each month we pass over a gigabyte of bandwidth on this crap.
I wonder if its possible to approximate how many dollars worth of bandwidth and lost productivity have been lost to these kinds of worms. I don't see why the authors shouldn't be prosecuted more harshly. This is just large-scale vandalism that raises the prices for everyone else to make up for it.
Adversive
My cat's breath smells like cat food.
If the author spreads the worm, then we should hold them accountable. However, I feel that the people who simply author worms/virii/etc should be allowed to. I say it's free speech!
Maybe we need some open source worms...
I get about ten spams a day from Excite, so they could do with a hit. The rest are mostly from Yahoo, so they obviously need to be hit, and after that, well there are plenty of sites with lists of the offenders.
And before anyone tells me that Yahoo have an anti-spam policy, taking 3 days to send a robot reply is not likely to prevent spamming. It can't be hard to recognise 20,000 identical e-mails have been sent, and to delete all of them instantly. And if other ISPs are allowing Yahoo's name to be attached to mail not originating from Yahoo, then they could perfectly well sue under a bunch of existing legislation. They don't, because they don't give a @#£$ for anyone other than their own users, and all they want to do with them is fob then off. DoS for Yahoo - Yesssssss!
Because the Internet is a global network, authors of these worms come from all over the world, and thus there is no consitency on how they are dealt with according to local laws or lack thereof. The ramifications of such worms are not well understood by local law makers and law enforcement officials. It's quite possible that some worms could be authored by individuals or groups outside the US in which there is almost no law or order. I doubt we can justify bombing a country because of prolific worm propogation.
So, while some sit pondering on how to prosecute the authors of such worms, doesn't it make more sense to focus efforts on preventing the problems that worms cause by eliminating the well known, published ways that the past 4 or 5 recent worms have propogated? How many email worms need to take place before people realize that the worm authors are only half guilty? End users need education. Applications (read Outlook) need to provide better ability for users to limit functionality to core functions unless otherwise needed.
Catching the new virus writers and discovering their techniques is and always will be a game of "whack-a-mole". You slam the hammer down, only to find another one pops up in a "security-hole" somewhere else.
So what I'm wondering is if anyone has bothered to form an organization to do exactly that, maybe along the line of CyberAngels. Let's face it, the people who write these useless things, although they definitely aren't terrorists, are wasting other peoples' bandwidth, resources, and precious time. And they do deserve to be punished. But what's stopping the slew of arrests is a lack of manpower. Law enforcement officials can't be everywhere, they have their limits.
So what I'm suggesting is something based off of CyberAngels. The people volunteering there track down stalkers, harassers, child pornographers, and other "cybercrimes" that go beyond the Internet and into your personal life. They do good work. My idea then, is much the same. Get people with the necessary skills, who understand the net, understand the technology, and make use of those skills to help track down all those worm writers, script kiddies, and the like.
Personally, I think it may work. Anyone have any thoughts?
There is no escape from The Muffin.
I don't blame the worm writers. Blaming them is like blaming the rain. Rain is a feature of our planet and worms and viruses are a feature of Microsoft software. Writing a Word template, no matter how complex or unusual, is not a crime. Releasing email clients and operating systems that blow up or do really weird things when they encounter Word templates ... that's questionable.
I mean shouldn't we go after the people who are dumb enough to open up stange attachments and spead the Goner Viurs....
.exe files, .com, .pif, .bat, heck anything and says "are you sure you want to open this? This may contain a virus." and voila... that will probably cut our virus spreading down by half!!!!
Or how about going after Microsoft for leaving gaping holes in IIS or in good olde stand-by Outlook Express. You know, the staple e-mail client that everyone uses to spread these viruses....
Anyone can write a virus.... We need to educate and create barriers to stop your average villige idoit from opening up viruses.... even if it mean having a pop-up on outlook that recognizes
www.slightlycrewed.com - Because aren't we all?
Contrary to popular belief, _nobody_ dies when someone releases a worm. Sure, the Internet gets slowed down, a headache is made for all kinds of computer people, but outside of the Internet, nobody dies. Production doesn't stop in our factories, our banks and credit cards keep making debt for people, the hospitals don't keel over.
The world is just not that dependant on the Internet, and never will be. Worms are definitely annoying, but they aren't hurting anyone physically, ever.
"Look at me, I invented the stove!" -- Ben Franklin
Under the logic they are using when they say worm writers are "terrorists", including those that only spread and do no damage, i can recall a few other things like this.
Should we consider chain letter senders terrorists too now?
Anyone who sends blast emails?
All advertising done through email?
They all distribute massive amounts of text over the internet at an alarming rate of speed...
Are all over P2P ppl. Why? There isn't any visible crime. Bandwith isn't even wasted. I'll tell you why one type of thing gets investigated andf another doesn't. D O L L A R S !!!!! Pure and simple.
When the United States says it will bomb or attack a nation, because said nation is known to support terrorism then the United States threat is a terrorist action. The United States is a terrorist nation, no strong argument can be made against this. For the United States to stop terrorism, as our politicians claim they want to in their rhetoric, they would have to refrain from bombing nations such as Kosovo, Iraq, Libya, etc., and avoid even threatening nations for political reasons. They could do but would be extremely difficult for them.
When so many people use the word terrorism incorrectly it is easy to not know what the word means; its meaning becoming even more ambiguous than it was before. In context the mass media is using it people with little power who do not have the legitamcy of the government allied with the United States, who use or threaten violence are terrorists. An entity with vast power such as the United States the way they are using the word is not considered a terrorist, yet they do exactly what Osama Bin Laden does to further their own goals. Might does not make right, though, whether you are Osama Bin Laden ordering attacks or the American government bombing Afghanistan.
Does this mean that worm writers can sue anti-virus companies for dis-assembly under the DMCA ?
"Cyber criminals are like idiot Hansel and Gretels, scattering electronic breadcrumbs that lead straight to them," said retired New York City detective Pete Angonasta. "You just don't see this sort of behavior in other criminals. I've never seen a burglar leaving cute notes crediting the crime to himself. "
This detective must have never watched the old Batman shows.
Blowing up a building is different than erasing a computer, or causing it to be in a situation where it needs to be erased.
A backup can be restore or a reinstall done in a trivial amount of time _compard to recreating everything by hand, including writing the OS, etc_.
The comparison which IS valid between making files and building disappear is David Copperfield making the statue of liberty "disappear".
The equipment was not damaged, just your ability to see what you expect in both scenarios.
It doesn't make it right to do so, but don't whine about it unless you never sped, jaywalked, spit on the sidewalk, littered and othewrwise obeyed every law on the books, right or wrong.
But even when writers are caught and brought to trial, the legal system often doesn't know what to do with them.
Pah! I know what to do with them. Charge the writer of a virus/worm for time the Admin puts in to fix or block their poisoned program. If the virus/worm writer doesn't have the money, then the Admin will charge through violence to where one hit upside the virus/worm writer's skull with a 2"x4" will be exchangable to 15 minutes of the Admin's time that could have been better spent.
Sorry to rant, but virus/worm copycats^Wwriters really get on my nerves, especially when I could be spending that time doing something with my friends, instead of telling sendmail to block out the latest "Melissa" clones.
/*drunk.. fix later*/
Though I think those responsible for writing these need to share some responsibility, particulaly if they are the ones who released it, or if they wrote it intending to release it...
I, personally, don't ever feel anger towards those who wrote these. 99% of them spread due to the sheer ignorance of the masses.
Or rather, if someone in the company opens a virus attachment, and it spreads, I don't say 'damn virus'.. I get mad at the employee. There is NO EXCUSE for not understanding what to open.
The idiots who *ran* the attachment and mailed you these 250kb files are the ones who should be paying for it.
The kid who wrote sircam is just showing how stupid people are.
I think that this article also sheds light on the adversarial system of criminal justice. Being that the justice system only thrives on crime, the only people who have the power to thwart crime are too biased to fully eliminate it. To supress crime is good for business, while to eliminate it would be catastrophic to the ecconomy (security, law, justice).
Why do worm writers stay free? Maybe they've accumulated enough hotel points on their credit cards.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
I don't know... Maybe it's just my imagination...
Just seeing 'informed' and 'authorities' together just made me picture a Hippo and an Aligator dancing. Those two words just don;t go together well.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
"If someone left their front door unlocked ... " Gah, I am so sick of hearing that analogy every time someone talks about computer security. Phisical theft and defacement is not the same as digital. So what would be a better analogy?
Imagine if someone went to a photographer and had some "personal" photos taken for their spouse. And that the photographer made poster-size prints and put them in the front window with a sign saying, "Please don't look at these."
Would you prosecute the 13-year-old kid who came by and looked at them? How about if he took picutres of the posters and put them up on his web site? The originals are still "secure" in the studio's safe. How can you blame the photographer?
If current computer law (UCITA, DMCA) were applied to this situation, the 13-year-old would be in jail and the photographer would be suing me for telling you that the posters were available.
Nope, no sig
I really liked the analogy a previous poster in a different thread had come up with:
Virus/worm authors are like cockroaches. Sure it sucks to have to deal with them, but it's your own damn fault. And prosecuting is pointless - there's a million more where the last one came from.
Most current viruses are NOT very sophisticated. They exploit wide-open security holes in unpatched operating systems that were produced by careless vendors. It's like getting pissed at people walking into your house at all hours of the night. Yes, they shouldn't be doing it - but if you were locking your doors it wouldn't be a problem.
My point is that the blame should not fall entirely on the virus/worm authors. It should be evenly distributed between the vendor (for being negligent with regard to security); the system admin (for the same); and the virus author.
got a virus or worm at work or at home. Sure, I have cleaned many a virii off of my users machines. My point is that most people who get infected are morons. They just click on anything in their inbox and happily send it along. The people who write the worms and virii (and let them out) are just taking advantage of the collective stupidity (when it comes to computers) of your average person. If people didn't take advantage of stupidity, do you think we would ever elect a government offical in the US?
Economic damages, bandwidth loss, destroyed data, and wasted time are harder for a cop to take seriously than, for instance, a body on the ground... It is an interesting thought experiment to consider what will happen when a teenager playing in an advanced biology course cultures a virulent bacteria or virus.
...Or consider if "goner" had been tracked to the other side of the tanks... to a group a Palestinians.
I'm all for considering computer crimes as "real" crimes. The damages you mention are real, the crime is real. The motivation whether it's greed, political activism, or just being a "prankster" is irrelevant. Such attacks on computer systems and networks can do enormous economic damage and should be treated as serious crimes.
But you undermine the argument by overstating it and picking examples of even more serious crimes to compare them to. A cop takes a body on the ground more seriously than economic damage, bandwidth loss, destroyed data and lost time because it IS much much more serious. A microbiology student infecting people with a real virus would be a far more serious crime than even the most damaging computer virus.
That is a very interesting thought experiment. I'm a little torn on this since in general I think the act is what should be considered illegal not the motivation behind it. The "not guilty by reason of sincerity" defense (if we approve of your cause) as well as "EXTRA guilty by reason of sincerity" (if we don't approve of your cause) are abhorant to me. They raise the specter of state sanctioned lawlessness and "thought crimes" - It is a mix I associate with tyranny, think of the mutually reinforcing state sponsored lawlessness of kristalnacht and the totalitarian state control of everything else.
On the other hand being blind to considerations of motivation and association could be taken too far. Society, if only to protect itself must take them into account. A lone hacker causing massive economic damage as a prank is a different kind of *threat* than an ideologically driven organization with a stated goal of destroying the society - even if the *crime* is identical. The organization is treated more seriously not because the crime is more serious but because the threat is more serious.
See how stupid it sounds when you give it a real world analogy? This is the same logic that says that if your house is unlocked then it's legal to rob it. If people were made to defend themselves from every threat then there'd be no need for police or defence forces. The sad thing is that some people believe this "Well, they were vulnerable, they were asking for it. They should have been more careful! Not my fault."
Now, I agree that Microsoft needs to focus more strongly on security but people who write malicous code are still criminals, not terrorists but still criminals.
First, the "WiReD" article confuses worm - a program or process that propagates itself to a different computer, usually via some networking protocol, and chainmail - an email message that requires human intervention to automatically send out more email messages, usually containing the same or slightly evolved chainmail. WiReD should straighten up its vocabulary on this issue, they do no service to anyone confusing the two.
Second, the techniques used by both chainmail and worms are all used by legitimate scripts, programs and emails. How does law enforcement propose to declare one email message a crime, and another legitimate? And I don't mean "Let's ask some expert like Graham Cluely."
Sure an IIS worm like Code Red usually uses some initial exploit, like overflowing a buffer in an IIS module or service or plug-in or whatever the MSFT lingo is, but Nimda used a variety of techniques built in to IIS, "shares" and Outlook. The variety of Outlook worms (Anna Kournikova, Nude Housewife, etc etc) and even the CHRISTMA EXE chainmail of 1987 used entirely legitimate techniques built in to Outlook and other email viewers. The 1988 Internet Worm used both legitimate techniques (BSD "r" commands that didn't require a password) and exploits like "fingerd" buffer overflows. How do we define the crime - "I didn't authorize this use of Outlook" really doesn't amount to a way to decide whether or not a particular program committed a crime. Similary, worms like x.c get telnet servers to crash in particular ways when they spread. Gee whiz, a network server process crashes! That's news, for sure. I guess that hasn't happened to me since yesterday. How do we make one instance of a crashed program a crime, and another instance into a bug report?
These guys are completely prejudist against College students. Forget the fact that it's most often college students that commit these crimes, and therefore reasonable to suspect college students over other people.
Hey, if Blacks and Mexicans can use that crap as a legal defense, surely geeks could squirm out of legal action on that same basis.
Does anybody have any figures? how much bandwith is used up during a worm attack such as nimbda?
Imperium et libertas
Autocracy and freedom
Since some people are confused, let's look it up in the dictionary.
Now, I do agree that a skilled person could use computer viruses for the purposes of terrorism, as defined above. But clearly 99% of viruses do not fall into the category of terrorism, and therefore calling their creators terrorists is quite a stretch. Most of them are smart young people with no common sense, no direction, and a distorted sense of right and wrong
I'm sure Russ Cooper is more interested in getting his site linked from wired, and knows mentioning the buzzword 'terrorist' is sure to get a soundbyte.
"And like that
Those are sanitary pads. Not tampons.
Clearly you're outside your area of expertise if you don't know the difference between sanitary pads and tampons.
Over the last few months the word "terrorist" has lost all meaning. I also heard the other day that child pornographers were being called terrorists. And of course the Isrealis, Palestinians, and Americans are terrorists, depending on who you ask. I'm sure the people who set fires around Sydney were terrorists too. Nowadays a terrorist is anybody you don't like.
The old definition of terrorist was somebody who used terror as a tool to some political ends. Basically, if you can't defeat your enemy in a head-on attack, you choose an easy target calculated to demoralize the enemy.
It's too bad, because 'terrorist' really was a useful word. Now that it's being used so broadly there's no concise way to talk about 'classic' terrorists.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
I know there are others out there
when I started out, i'd download those toolz
then I tried to figure out how they work...
before long I was writing those goofy chat nukes
and yes some viri....but after that I had some knowladge of programming and moved on to more constructive things like game cheaters. Now i'm a programmer.
kids will be kids If you don't want them doing bad stuff, then go after the parents
parents just dont talk to kids anymore
insted of blaming computers or movies or whatever
try taking some resposability on your own
I mean heck they are YOUR kids.
don't look for anyone else to keep them in line when you don't yourself!
In the case of laying some responsibility at the feet of the OS writer and the System Administrators, in the first case it is their job to make sure that their product is reasonably secure. In the second case it is part of their job to keep up with the security patches and make sure that the corporate systems are reasonably secure.
In the case of the people who wrote the OS or software that gets compromised again and again, a better analogy might be to compare them to a bunch of builders who build houses with no locks or faulty locks that fail to keep people out.
In the second case, you might compare the system administrator to someone who bought the house and then didn't take any action when the lock recall went out (or he didn't install it becase installing the new lock makes the toilet stop flushing...) In many cases he does this even though he lives in a hood known for its high level of break-ins and robberies.
When it's your job to make sure the company's network is reasonably secure and the same attacks against holes that were announced months ago work again and again to compromise that security, I'd say you're not doing your job very well. Excuses may be made, like "The fix breaks 14 other things" or "We didn't have time to test it on all the company platforms." In the first case I'd say the vendor is at fault and if they can't fix the problem to your satisfaction maybe you should consider a new vendor. In the second case, I might want to send some blame the way of the CIO/CEO as the department is obviously underfunded or the corporate infrastructure is badly designed.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I think all we need to do is make it so the next worm spreads copyrighted material, or runs a p2p music/warez-sharing client.. do that, and the FBI will be all over it, after a quick nudge from their high-paying clients in the entertainment industry..
The sad thing is, i'm joking but probably right. How hard would it be to write a virus that quietly rips to mp3 in the background all the audio CDs placed in the computer, then makes those mp3s available, along with all stand-alone programs on the computer, on Gnutella..? (No, not very subtle, but then neither is replacing index.html with HACKED BY CHINESE WORM, and we all know what a good job people did of noticing they were infected with code red.. i still get about six to ten code red 2 attempts on my mac os x box every day..)
See, you just have to figure out what law enforcement officers like to attack, and pander to that. I'm pertty sure if a worm in some way was productive for the trafficking of mp3 or drugs, they'd be all over it immediately, yelling about "computer terrorism"..
I thought this was going to explain why worm makers use free software. Otherwise, they might get jailed for mass copyright violation.
One thing about Corps, they're generally consistent. Of course, that's generally, not always.
Under capitalism man exploits man. Under communism it's the other way around.
I find it hard to believe that the photographer wouldn't be prosecuted for this IF it was against the consent of the person being photographed.
On the other hand, if they signed an agreement saying it was ok to make all this stuff public, it's sort of like the license agreements people sign to run Microsoft Windows.
Just to add to the confusion, there is, in some states (Massachusetts, I think), a lemon law, stating that EVEN IF you are told that an automobile sucks, if it dies, then the person who sold it to you is legally liable, and may be forced to refund your money.
Would you prosecute the 13-year-old kid who came by and looked at them? How about if he took picutres of the posters and put them up on his web site? The originals are still "secure" in the studio's safe. How can you blame the photographer?
Your analogy only makes sense if cracking a site requires a passive activity such as accidentally visiting a URL or attempting to connect via FTP. Unfortunately, most cracking involves active malicious intent by the perpetrators which doesn't jibe with your analogy.
A better analogy would be if the photographer had the pictures in a drawer marked and some teenager felt that he/she couldn't resist looking at the pictures. The teenager is still in the wrong but one can also blame the photographer for not taking better precautions which means both parties are at fault which is the case in most cases of cracking websites.
Who do you think is sending the anthrax? Its a bunch of old school computer geeks who used to hang out on the illuminatus BBS from 88-92. Check the ficticious return address on the Tom Daschle letter (the only one of the first 4 letters with a return address). That return address is a direct reference to "teenagers from outers space" campaign that was hosted on the illuminatus BBS around that time period. There is no greendale elementary school, and the 4th grade is obviously and obfuscated reference to the 4th school that the campaigners were all from. Check this site out. Not to mention the fact that the illuminati trilogy mentions breaking the walls of the pentagon in order to free the demon trapped inside. I wonder how the campaign is going, and what the GM is gonna have the players do next for experience.
In the distance you hear an ominous moo.
Your new metaphor vapid on so many levels.
You imply that digital data has no intrinsic worth, and therefore can't be stolen. What century are you living in? Future generations will view your analogy as hopelessly anachronistic, something like stories your grandpa tells today about one-room schoolhouses.
And as for the substance of your analogy - "a guy takes nude pix of his wife and puts them up in his window with a sign saying don't look at these" - how does this utterly absurd statement clear things up for you better than the "if you leave your front door unlocked" one? Do you even know what your point is?
Invisible Agent
This post is a mirror; when a monkey stares in, no hacker gazes out.
"Forget that it may be problematic to extradite the individual, or that they may be young, or claim to be doing 'research.' We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."
To compare virus/worm writers (like the creator of Melissa) to terrorists (Osama bin Laden) is insane. I'm sorry but creating worldwide/widespread havoc on the internet is NOTHING compared to a bomb blowing up a building or killnig a few people.
I am of the belief that there is practically no piece of software that should be illegal. This includes viruses, worms, spamware and other software with no redeeming qualities. It's one of those slippery slope problems where you're banning certain types of speech, but it could easily get murky as to what was a worm or a virus. Some security software has just as much legitimate use as it has potential for misuse.
The only rational solution, as is the case with other "banning the tool vs. banning the act" problems, is to ban the act of dissemminating virii or worms maliciously. Banning certain types of software is an ill-conceived notion, just like banning certain guns.
Those who believe that software (in the US at least) is constitutionally protected speech may want to think twice if they believe virus writers should be prosecuted. Judging software based on its purpose is probably impossible - is deCSS a tool for piracy or for interoperability? Depending on who you ask, you will get 2 different answers. Is back orifice a security tool or a hacking tool? Is it a virus? Should the writers be prosecuted?
Virus/worm software does have redeeming educational value, however little.. it's useful for exposing vulnerabilities, even if it only shows that the end user is stupid.
So even though virii, worms, spamware etc. are a pain in the ass, I do support your right to create any type of software you like. The other alternative, banning classes of software, is actually more dangerous.
Note this has nothing to do with my view on copyright. Of course if you infringe someone else's copyright in your software you are breaking the law.
To protect their interests, "anti"-virus companies will probably start writing their own viruses and releasing them...if they don't do that already.............
D'oh.
Expanding a vast wasteland since 1996.
CmdrTaco writes:
if you've ever been on the receiving end of a round-the-clock DDoS attack from irc packet kiddies, you know about wasted bandwidth. worms seem to be a mere drop on the bucket.
the only difference is - worms are indiscriminant; they walk their way thru IP blocks no matter who owns them. so big ISPs get their panties in a bunch and can use their muscle to bargain for the FBI's time. irc revenge DDoS is usually directed towards EFNet servers at the handful of ISPs who are brave enough to still be operating one.
but, these two issues are related. the machines infected with the worms (which expose massive exploits) are usually taken over as zombies for nefarious bidding (such as the aforementioned DDoS).
perhaps then we can roll in responsibility for the DDoS to the charges against the worm writers? then the cost of bandwidth soars astronomically and can probably justify more significant prosecution. (and hey, maybe get a little bit of 'official' attention to this problem (DDoS) that's been going on for years).
www.pixelectric.com
That sig may compare Gates to Hitler, but only in ideaology. It doesn't say Bill should be treated like a war criminal. Indeed, there are many people that think like Hitler, but they havn't acted on the urge to go kill thousands of people.
I happen to like a web page that compares Margret Sanger's ideaology with the Aryan ideology. It doesn't say she should be(have been) hanged for crimes against humanity (because she didn't personally commit any).
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If you read their click-wrap agreement, it says:
When I contacted AMI about the Y2K problem on a 1993 motherboard, they told me there waas no bios update, but they would be willing to sell me a clock card.
Fight Spammers!
...and the next Internet worm I write will have the following string "Made by JonKatz, Bill Gates, and George Bush".
Strings inside code could be used as evidence, but they are not very serious evidence, not more serious than a papernote left by a burglar saying "I wasn't!". After all, we don't want incrimination to be that easy.
Why do worm writers stay free?
Would that be free as in beer or Free as in speech?
I wish virus/worm writers would write viruses that make statements rathar than viruses that just blunder around and piss people off. A "port-scan" worm would be great (one that, after it's done worming it's way into a network, it starts portscanning random IPs. It wouldn't do anything, but since port scanning is illegal, it would provide a nice cover for anyone who happened to get caught for doing it "for real"... "No sir, I wasn't port-scanning, I just caught a virus!") or even better a simple child-porn worm (You can go to jail for having anything that resembles "child-porn", even if the actors are above 18, even if it was faked, even if it's anime, and even if you *didn't know it was on your computer*, no questions asked...) and, of course, the "Terrorism" worm, that writes nasty letters to the gobment...
"Your superior intellect is no match for our puny weapons!"
Think of all the other problems you will get rid of. Bloated M$ formats that contain no no real information, you know, 12MB Power Point presentations, 2MB Word wastes and other usless stuff that takes 10 times as much space as needed. Inane calls over BSoD. Unintended video streams. Warez trolls and robots, and all sorts of other evil stuff fostered by comercial software.
You would do us all a favor by not catering to M$ users and the people who abuse them. Untill you do, you are just another piece of the problem. You should insist that your cracked clients take reasonable and free steps to solve their problems.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
You imply that digital data has no intrinsic worth, and therefore can't be stolen.
This is exactly the mindset I was criticizing. I didn't say or imply that digital data has no intrinsic worth. I said that its worth had to be calculated differently from the worth of phsical goods.
Theft of physical goods deprives the rightful owner of their use. Copying of digital goods does not deprive anyone of their use, but in fact greatly increases the number of people who may potentially use them. This could, of course, possibly reduce the value of the digital goods. Certain information is only valuable when it is not widely known. This is why Digital Rights Managment is so important to the RIAA and MPAA.
The point of the analogy, since you seem to have missed it, is that the customer pays someone for a product, and the provider doesn't take steps to ensure that the product is secure. The fact that EULA's have not been tested in court is the only reason software producers continue to believe this is acceptable.
Nope, no sig
Geez, someone's got chocolate salty balls today. what the hell did he say that was flamebait?!?!
Many computer systems, and even networks could be compared to a business with nobody home. I wonder how much sympathy a company would get from the courts if everyone went on vacation for a couple of weeks, and left the lights on and the doors open.
What would happen if I bought a house, furnished it, paid the utilities, and then just let it sit. Maybe I would even come by every few months and add some stuff to it, a new fridge, new stove, another TV, and so on.
Could I expect the guy that gets caught living there for free to go to jail after a couple of years of the place being open to whoever had the inclination to walk throught the wide-open front door? Or whoever decided to relocate my TV to their living room... Would it matter if I had a little sign on the front yard that said "no trespassing"?
Casca
First off, many of them are smart enough to not put their name and address in the worm/virus. (Suprise! if youre smart enough to write this you might have a tiny bit of common sense.) Second, most are from outside the country, WHERE THE US GOVT. HAS NO JURISDICTION. Read that closely everyone, the FBI cannot go into china and arrest someone. and many countries are getting sick of the free-raid mentality that the US govt has had lately. Would you let your neighbor constantly search your house for problems? maybe at first, but when your neighbor starts taking your things because they look suspicious or sren;t allowed in his home... then you start to get pissed.
The people in our Govt are the problem and the terrorists. They try and generate fear in the public about what these worms can do!
I say we leave it to a team of geeks to find these people, and then bludgeon them with rubber hoses and soap in socks.. 3 months in prison wont stop them but the fear of getting their ass kicked by a few pissed IS/IT people will.
Do not look at laser with remaining good eye.
Did they not know that Y2k was comming?
I you bothered to read my post, you will see that I never said that they were terrorists. They are criminals! I just get sick of hearing people excuse these criminals actions as youthful indiscretions. They need to pay for their criminal acts.
narc!
How do you "waste" bandwidth?
Since today's unused bandwidth cannot be used tomorrow, it stands to reason that any use of bandwidth up to whatever the congestion point is cannot be seen as waste. The only really wasted bandwidth is *unused* bandwidth.
You can make a value judgement about the quality of the information being transited but you cannot call that bandwidth wasted.
Some people buy "bandwidth", but what they're really buying is the right to transit X amount of bits per month for a fixed amount of money. But the same thing about congestion holds true for this kind of bandwidth -- as long as you don't go over your monthly cap, only used bits are wasted.
Outlook is such a mess that every beginning VB programmer with a bit of fantasy can write a virus. Usually that kind of people is very astonished when they get worldwide headlines and are said to have caused many millions of dollars damage.
You can't frighten this kind of people. They see themselves as kids playing a bit around and they think that writing virusses is something done by nerds who know all Windows API's and protocols(including the secret ones).
Somehow someday Microsoft will become stricter too. Only then is there a chance that we can stop virusses (or at least make them rare).
The value and beauty of the English language is that it affords the possibility of bending it in so many ways. This is its true advantage over other stricter languages.
Honestly, how many languages do you know of with which you can verb a noun? Perhaps it's culture rather than an inherent property of the language, but what other language so speedily incorporates the vernacular into the language proper?
Don't restrict yourself to some arbitrary 'correct' usage. That's double-plus-ungood.
Regardless of all that, possession or containment is a perfectly acceptable use of the transitive verb 'boast.' To mere possession it adds a sense of pride by the subject for the object. I learned in fourth grade that one step on the road of good writing is to replace common, boring, limp words like 'have' or 'say' with uncommon, more powerful, specific or exciting words like 'boast' or 'blab.'
So don't harp on this journalist for trying to be a better writer.
Free as in beer
Free as in software
Free as in worm author
Terrorism implies creating terror. I'm sorry, but most people are simply not scared by the prospect of finding a virus attachment in their E-mail: it is both common and easily dealt with.
scot-free - O.E. scotfreo "exempt from royal tax," from scot "royal tax," from O.N. skot "contribution, shot" + freo (see free). http://www.geocities.com/etymonline/s1etym.htm
The US Army defines terrorism (for its own purposes) as "any act designed to influence an audience beyond the immediate vicitms". The "classical terrorist" you describe is actually a sabateur, and the crimes you describe him as committing fit better under the definition of "subversion".
This is why terrorists generally have demands completely unrelated to the violent act committed, and have no problem with killing their victims. The vicitms aren't the people they're trying to manipulate.
Similarly, worm writers _should_ be considered criminals and held liable for the damage they produce, just as any other sabateur should. However, if they haven't declared a digital "holy war" against the devils in Redmond and claim that they will continue until no Fortune 500 company runs Microsoft software anywhere in their organisation, then they aren't terrorists.
Summary:
script kiddie who defaces a web site with "J00 R H4X0R3D!!!" == vandal
script kiddie who defaces a web site with "Let this be a warning to all others who run the Redmond Beast's operating system" == terrorist
Travel the Galaxy! Meet fascinating life forms...
Worms and viruses are the equivalent of teenagers skateboarding in a China shop. Sure, technically, if they knock something over, they are responsible. But why the hell did the shop keeper allow skateboards in the shop in the first place?
It would be a sweet deal for Internet businesses to be able to have all their security-related costs to the public. But the people who should pay for Internet security are the ones benefitting from Internet business--the merchants and infrastructure providers. Putting this responsibility on the public amounts to a huge corporate welfare check for Microsoft and Internet businesses, who get to keep making profits without bearing the cost of security.
1. No company can perfectly ensure safety of their product. A housebuilder can't always provide indestructable windows to thwart a thief, just as a Java programmer cannot always provide the absolute "best practices" to ensure software coding 'safety.'
2. Not everyone has a sysadmin's skill set, hence, patching faulty products is not something everyone knows how to do, or why they should do it.
3. Not all crimes can be solved. Just as thiefs make off with stolen goods every day, so too a script-kiddie can remain safely anonymous from the law.
The basis you are all forgetting, is this: If we were given the tools in the first place to make our homes/software secure, we wouldn't be in such a vulnerable position if we didn't want to be. Thankfully, Microsoft does offer free patches when THEY fix the flaw in their product. Unfortunately, there is no way to know if they forgot a lock on the upstairs window until someone manages to stumble upon the fact, because they've chosen to limit everyone's right to fully use their own house (read: software). If you lease it, you can't upgrade it...
Similarly, if I want to own a gun (at least in America still) to protect my house and family from intrusion, I can. Is it fullproof? No, but it's better than not being able to own a gun. Get my point?
All I am saying is that I DO prefer Windows ease of use and advancements they've made to date, but what REALLY worries me is that I can't 'make things better' as I see fit without paying more for the 'lease.' Linux, on the other hand, encourages everyone to add to it, rebuild it, and fortify it by giving everyone the rights to do so. Can I do so directly? No, I'm not a programmer, but at least other people have released add-on tools that I can use to do so.
And finally, security through obscurity is nice for the CEO, but bad for the end-user. Why? I test software, and I've seen it over and over again: a product gets released with a couple bugs that no one has the time to test, and before you know it, it's causing serious problems for the end-user. Now when you release the software with the bugs, and tell people, "Hey, check this software out. It may never be perfect, but we hope you can catch the bugs and repair, or help us repair them before they cause a big problem."
IMNSHO the most annoying aspect of those worms is the poor quality of the code. Total ignorance.
It's enough to take a quick look at my server's logs to see a bunch of attempts to exploit IIS holes in Apache! This alone makes me wanna put them behind bars...
For God's sake, all they have to do is check the server type and thus spare lots of bandwidth. A real coder would do that.
Apparently VB aware script kiddies wouldn't...
Why not? Because they haven't violated the DMCA. When worms start cracking DVDs, or eBooks, or traffic warez, then we'll see more worm authors caught.
13 year old white supremacists are shitty web designers.
It's not the virus writers fault for all these shenanigans. It's the computer owner's fault. The virus is simply a string of bits. It doesn't do anything by itself. But you running the virus on your computer makes you responsible. You should know exactly what your computer is doing at all times. If you can't handle a multitasking operating system (that runs viruses in the background) maybe you should write all your software in assembly so you know exactly what your computer is doing at all times.
Got friends?
The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.
In terms of bandwidth/time/storage space, which is worse for the net as a whole, then? Is it successful worms, or is it really the spam?
I think it's the spam... and since I've never been directly affected by a successful worm, I most certainly would rather see spammers get jailtime rather than worm writers, if I had to choose one or the other.
Both would certainly be acceptable.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
Of course there free, no one would wanna buy one!
Sircam, Nimda, CodeRed.. bring it on. If you can infect my comp, kudos to you.
Punish the script kiddies? Why? Damage? What damage? A few million dollars here, a few million there, it's only money!
Let's get our priorities straight! Now that Sklyarov guy, there's a dangerous criminal! His ultra-dangerous Adobe-buster is cyber-terrorism at it's worst! That must be why Skylarov has spent more time in jail than all the script kiddies in the world combined. And people think our government doesn't have any sense of priority! Way to go DOJ!
the other guy is serious ... difference enough for ya ?
One could compare the users to people who like to push buttons they don't know. If you don't absolutely trust the source DON'T EXECUTE IT ? Is it really that hard to comprehend ? If there's a red button on a cube-like humming box I made, you will not push it. Why is it that when I send you a program you do push the button ? NOT knowing what it does ?
And sjeesj, using outlook should be made a crime. Everybody knows it is the main tool for destroying the internet. It really should be banned. Don't let kids play with fire/knives/outlook !
there's something wrong with people who execute it.
The Future of Human Evolution: Autonomy
I happen to like a web page that compares Margret Sanger's ideaology with the Aryan ideology. It doesn't say she should be(have been) hanged for crimes against humanity (because she didn't personally commit any).
Wow. Before now, I wasn't sure what a libruhl Freeper sounded like. Here's a link, in case anyone is wondering why this fucking clown thinks someone who was persecuted and prosecuted for spreading information about preventing STDs and unwanted pregnancies is the moral equivalent of a Nazi sympathizer.
If you have a problem with Nazi supporters in the US, you need to look to the right and not to the left. It sure as hell wasn't wobblies, unionists, and labor activists who bankrolled that monster. Think bankers and industrialists, and particularly think the Bushes.
--
Freeper Logic
After reading a million analogies here:
Windows are poor security in any setting- a house, a car, a PC. You can put as many locks as you want- but you can always easily break windows. Notice how bank vaults generally have no windows.
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
The other half is because people have ignorantly abrogated their responsibility for prosecuting their own loss.
If just ONE of those companies that "lost billions" had prosecuted the perp themselves, we wouldn't be having this discussion.
But no, we sit here and decry how "law enforcement is overworked" to do all the prosecuting for us. And in those places where medical service is also government provided? Gee, the same discussion, how "medical providers are overworked".
Maybe the pattern this obvious to me is obvious to others. Has anyone who claims to have lost money gone after a virus writer? Anyone? Any company? Any organization?
The negative effects of abrogating your physical security to "law enforcement" is well known. There is very little argument that even the best firewall does not eliminate the requirement that individual PC's and servers be individually hardened.
Yet with all this emphasis on distributed defense, there is not a distributed offence against these virus writers?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
Or isn't it?
If it is then there's your answer.
We have to separate things.
One thing is to make a self-replicant program, with is very mind stimulating and such, and it needs to be able to be published perfectly in a website, letting people know it is a virus and "download only if u are interested to analyze the code" without any fear.
Another very different thing is to write a virus and send it into people without alerting them to make it spread (or to take a virus published by a no-evil person and spread it with evil intentions).
The ones that should be punished is that ones, and the ones who write or administrators who use applications with very stupid holes that allow code to be executed without the user agreeement (Like M$ Internet Exploder, Outunlock, m$ OriFFICE, and such kind of crap)
It's normal in many parts of the world to pay for the traffic actually used - I live in Australia, where the normal charge is on the order of 5-10 cents per megabyte. That gigabyte suddenly costs on the order of $100-$200 . . .
/I/ pay12c/MB for incoming traffic. A couple of hundred a month is real money for me.
/they/ have to pay for bandwidth - ISPs do, too, they just incorporate the costs into their pricing structures). It might seem like bandwidth is essentially free, particularly if you're in the US, but it's /not/. That kind of thinking is part of why so many cheap ISPs go under.
/does/ cost money, and that money has to come from somewhere. Worms like SirCam are more than just minor annoyances consuming negligible capacity on the network.
Sure, that's not much if you're talking about a company, but I live in a residential college, and
And what if you have a bandwidth cap? You find yourself on some worm's hitlist, and suddenly it's gone, and you have to pay excess to stay online.
What's more, you're completely ignoring the cost to the infrastructure providers (hint:
The kind of calculation you made is really naive. Which isn't to say that the kind of stupid calculations companies and law enforcement people throw about are accurate, of course - the reality probably lies somewhere in between. But bandwidth
himi
My very own DeCSS mirror.
As far as I can see, there are a number of factors that contribute to the difficulties we're having with worms at the moment.
...
1. The authors. Namely what they do with their time and / or their self esteem. It needs to be said that creative hackers that come up with some of this stuff could be applying their skills towards much more productive uses. When possible we should encourage those who appear to be inclined to waste time in this way to use their time and skills wisely.
There is no reason why even designing a destructive system is benificial, no matter how clever it is. Any creativity that is shown through development of something such as this has a place elsewhere.
2. The users. It is true that we must educate end-users to be discerning towards what they execute. Most importantly, this must not be a 'if you get a message that looks something like this, do this', we need to ensure that they understand how these things are distributed and the forms they can come in. It's not hard to do. In my family's case without any real protection we've had an almost entirely hit free bill of health over the last few years.
3. The software. Obviously Microsoft products are a popular target, and I don't have a lot of respect towards the way they've treated security in their applications. Unfortunately it is true that the one thing they have been very successful at doing is creating a slick, clean working enviroment, something that isn't easily found elsewhere. This is crucially important to this issue. My relatives immediately notice the difference if I put them in front of, say, Mozilla or StarOffice, despite their impressive efforts (I must say they are beginning to come together nicely of late). As well as that, I have *not* seen anything that handles schedule management or other PHB-friendly features as well as something like Outlook. Until competitors do some serious work towards user friendliness, things will stay this way.
Please note that I'm not saying that Microsoft software is exclusively ahead of the pack, but it is an acknowledged leader.
Just my 2c
-- No, no gems to be found in this sig.
...should really almost be part of the previous one. Worm writers go free because companies don't care about it enought to prosecute. QED.
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
You wanna see a worm? How about 3rd party cookies(just a random of many possible targets)?
/.ing .
I mean seriously people, we let doubleclick and other organizations use our computing power, bandwidth, and hdd space for their own profit... it is unsolicted/unlicensed distributed computing.
Give me a break, I work in IT too. Blaming virii and worms for down networks is just an excuse for a complete lack of robustness and stability. It is one thing to have a server down for a bit due to a DoS, but entire networks... I haven't heard of too many ISP's loosing all service due to a good
BTW: I could have targetted any number of M$ built in features or other internet browser concepts for this, but chose a easier to explain target.