Slashdot Mirror


Why Worm Writers Stay Free

savaget writes "There is an interesting Wired article explaining why worm writers are getting off scot-free despite their destructive deeds." Nothing really new: overworked law officials, bragging worm writers, you do the math ;) I still find it amazing. The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.

25 of 373 comments

  1. They aren't terrorists! by Christianfreak · · Score: 4, Insightful
    "Forget that it may be problematic to extradite the individual, or that they may be young, or claim to be doing 'research.' We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."


    This is the sort of thing that really pisses me off. Not to say that virus writers don't do damage or even that they are not criminals but how can you compare a computer glitch to killing 3000+ people? These virus writers are kids with too much time on their hands, they aren't terrorists! The solution isn't to toss them in jail or throw away the key, the solution is to get them to do something useful with their skills and then to use products that don't have so many security problems. </rant>
    1. Re:They aren't terrorists! by metlin · · Score: 3, Insightful

      Well said. Just my thoughts...

      As one reader said in an earlier post, people who write bad and insecure code have an equal hand in security compromises.

      Most of the worms and virii are being coded by teenagers or kids who just do not have an idea as to what they are doing.

      Think of this, why are people allowing their systems to be compromised again and again? A hack is a different thing, a worm/virus is a different thing. When there are so many different worms/virii, it cannot all be squarely blamed on the creators. The makers of the softwares should own up responsibility for writing bad code.

      Why aren't other operating systems as vulnerable as the Win* platform? It is not like there are not enough people willing to write worms in Linux or FreeBSD. It is just that it is not that easy to.

      Most of these people are kids, for God's sake!

      Writing a computer worm to show off to your friends is akin to showing off your driving skills. It is just a means of getting recognized by the peers. These people should just be taught that writing bad code is harmful. To compare it to heinous crimes and huge losses is just plain stupid.

      If it also causes harm, that is largely because of the immaturity of the technologies. If sysadmins regularly patched up their softwares, and if programmers wrote secure code, the effect of these worms will steadily decline.

      But how many admins bother to administer the latest patch? And how many software companies bother to get out good code? It is plain stupidity to blame it all on some poor nerd out there.

    2. Re:They aren't terrorists! by geophile · · Score: 5, Insightful

      Your posting says that virus writers aren't terrorists because what they do doesn't compare to killing 3000+ people. Then your sig compares Bill Gates to Hitler.

    3. Re:They aren't terrorists! by dillon_rinker · · Score: 5, Insightful

      Terrorism doesn't necessarily imply killing people. The classical terrorist (i.e., the one that exists mainly in poli-sci courses) blows up generators, water plants, radio towers, etc. in an effort to destroy the public's trust in the government's ability to protect them. Someone who targets civilian infrastructure meets the threshold for being a terrorist. There's obviously a gradation; those who target large numbers of civilians are also terrorists (duh) but that doesn't mean that someone who blows up an empty building isn't a terrorist.

      Furthermore, I would argue that you don't need to have political objectives to be classified as a terrorist. If I blew up a generator station because I think it'd be cool to see, I think it would be valid to classify me as a terrorist. This gets kind of tricky, because it'd be easy to categorize an arsonist as a terrorist, or a vandal, but I digress.

      Anyway, the obvious analogy is that someone who targets information infrastructure (i.e. worm writers targeting email servers) is a terrorist. And don't argue that the analogy doesn't hold simply because there's no permanent damage simply because it can be repaired. That's like arguing pulverizing every cubic inch of a building isn't permanent damage because it can be rebuilt. Don't argue that there's no real costs associated with worm attacks - do you think net admins work for free? (If so, I've got a job for you :) I'll grant that most costs are overrated.

      Counterpoint - if blowing up a building is terrorism, why not burning it down? Should arson be considered terrorism? What about insurance fraud - if I burn down my old barn for the insurance money am I a terrorist? What about vandals? There's a continuum of crimes against property, as well as crimes against people; where do we put "terrorism" on that continuum? We must be cautious in verbiage used to define "terrorism" in the law, lest the crime be placed further down the continuum than we want.

      Counter-counter-point - arsonists rarely burn down every building on the internet; worm-writers at the very least have in their minds the idea that they could take out every email server on the internet (basically a DOS attack) or every workstation with the targeted OS(s) by wiping their drives after re-launching.

      C

    4. Re:They aren't terrorists! by tomstdenis · · Score: 2, Insightful

      The problem is half the time they are not kids with skills. They just download an exploit [done for research] and use it [for fun].

      How many of the attacks where kids are involved were actually invented and written by kids?

      Besides yes it is terrorism since it's mischief on the grand scale. Like it or not the internet is a mass communication medium and it's a "way of life" for some people [some == growing].

      That's like taking down the entire California telephone network and claiming "I'm bored". Not only is that dangerous [no 911 calls] but it's disruptive to literally millions of people.

      Tom

      --
      Someday, I'll have a real sig.
    5. Re:They aren't terrorists! by Afrosheen · · Score: 3, Insightful

      You must be magical because you keep getting mod points and I don't :( Oh well, blow me moderators.

      Your point regarding giving skript kiddies jobs creating more skript kiddies isn't very realistic. It's a job, yes, but it's not a job they'd be proud to have. No convicts commit a crime hoping to be making license plates, there's just no incentive. But rather than a pointless punishment (i.e. imprisonment), make it productive. If you do a little research, you'll find that a lot of IT security companies have real hackers on board. It makes perfect sense. A lot of insurance companies hire ex-burglars, to see how easy it was to break into someone's home/business. Security is always a 2 way street. It's the responsibility of both the individual and the company/service that provides them with security. Think if you get a 10 million dollar home and have gold bricks lying around in each room. A burglar discovers this from outside. Also you have a million dollar, state-of-the-art security system, but you don't arm it each time you leave the house. Who is at fault when you come home and all your gold bricks are gone?

    6. Re:They aren't terrorists! by ConceptJunkie · · Score: 3, Insightful

      You must be magical because you keep getting mod points and I don't :(

      Think of it this way. I impress the typical /. reader. You decide if that's good or bad. A karma cap and 50 cents'll get you a cup of coffee.

      I understand that a lot of IT security companies have hired ex-(h)|(cr)ackers and that's fine. But if getting caught means a good prospect for getting a job in computer security, then rooting someone's box becomes less of a crime and more of a resume builder. You see, there's a significant difference between making license plates, and working in high-tech security. I'm not saying it still couldn't be a deterrent, since many people won't want to deal with an ex-criminal, but people who are stupid enough to make things like nimda, might see it as a way to get ahead.

      There are other kinds of useful community service that could be used, even jobs that take advantage of computer skills. I recall a friend got busted for some minor violation in college in the early 80's and ended up setting up a database for a local church as his community service.

      I agree that alternatives to "pointless punishment" should be found, because there is an incredible waste of human resource when someone is sitting around sulking in striped sunlight for years on end. But we have to remember that punishment for crimes needs to be something that people want to avoid, not some kind of jobs program for troubled youths. That should happen before the legal system comes into play. We have to remember our first priority is trying to keep people from committing the crimes in the first place, even if we do still want to help them once they do.

      That's all I'm trying to say.

      Rick

      p.s.

      Who is at fault when you come home and all your gold bricks are gone?

      The thief. You might be at fault for being careless or incompetent (and if it were your job to secure the gold, that's another issue), but the thief is still guilty of far worse. Maybe you shouldn't complain if your house is burglarized, but there is still a significant difference in the degree of moral fault here.

      If I walk out and leave my gold bricks lying around unprotected, that in no way mitigates the degree of guilt of anyone who might happen to steal them.

      --
      You are in a maze of twisty little passages, all alike.
  2. No money in catching them. by saint10 · · Score: 5, Insightful

    A multi-billion dollar industry was created by writers of malware; anti-virus, tripwire, IDSes. Why would any large security company want malware authors to be caught?

  3. *gulp* by hiryuu · · Score: 4, Insightful
    "We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."

    Terrorists? Virus writers are terrorists? Keep it up, boys, and the word will lose all meaning and everyone will be desensitized to what it really means. Sheesh.

    Obviously the legal system doesn't see them as such, yet, from the details of the article.

    --
    Karma: Excellent, but still won't get you laid.
  4. Re:Constructive Uses? by arrow · · Score: 3, Insightful

    It has been done. I can't remember off the top of my head which one, but I cleaned up a virus infection about a year ago that installed the distributed.net client.

    It's gotten bad enough that Symantec has posted a KB article on it, here.

    Distributed.net also has a trojans page here.

    ---
    www.symetrix.net

    --
    symetrix. We are building a religion, a limited edition.
  5. Let's limit the destructive capabilities by ryanmoffett · · Score: 2, Insightful

    Because the Internet is a global network, authors of these worms come from all over the world, and thus there is no consistency on how they are dealt with according to local laws or lack thereof. The ramifications of such worms are not well understood by local law makers and law enforcement officials. It's quite possible that some worms could be authored by individuals or groups outside the US in which there is almost no law or order. I doubt we can justify bombing a country because of prolific worm propagation.

    So, while some sit pondering on how to prosecute the authors of such worms, doesn't it make more sense to focus efforts on preventing the problems that worms cause by eliminating the well known, published ways that the past 4 or 5 recent worms have propagated? How many email worms need to take place before people realize that the worm authors are only half guilty? End users need education. Applications (read Outlook) need to provide better ability for users to limit functionality to core functions unless otherwise needed.

    Catching the new virus writers and discovering their techniques is and always will be a game of "whack-a-mole". You slam the hammer down, only to find another one pops up in a "security-hole" somewhere else.

  6. Re:Hilarious part by ergo98 · · Score: 2, Insightful

    Well the context of the story was that the virus writers are usually incredibly dumb, and they have a habit of putting real information to brag to their friends (and enemies) about what they'd done. Imagine going to all that trouble and no one believes that it was really you.

    Having said that, people often reveal a lot about themselves even when they include fake information (i.e. the classic is the "opposite" syndrome: If you're a young male say that you're an elderly woman. It doesn't take a genius to flip them).

  7. Re:crimes? by NexusJedi · · Score: 2, Insightful

    From the original post (emphasis added):

    Not to say that virus writers ... are not criminals but ... they aren't terrorists!

    I think you missed Christianfreak's point. They are criminals. They should be punished (or, better yet, rehabilitated... but when have we ever done that with criminals?). But they are not terrorists.

    Granted, terrorism doesn't have to involve killing, but these kids aren't trying to make some crazed point. They're not striving to strike fear into the heart of everyone in the nation. They are simply, as Christianfreak put it, kids with too much time on their hands.

    The people equating virus/worm writers with terrorists seem to be putting their bottom line at least on par with, if not above, the value of human life. That frightens me more than the network being down for a couple of days ever would.

  8. Punishment? by Darth+RadaR · · Score: 3, Insightful

    But even when writers are caught and brought to trial, the legal system often doesn't know what to do with them.

    Pah! I know what to do with them. Charge the writer of a virus/worm for time the Admin puts in to fix or block their poisoned program. If the virus/worm writer doesn't have the money, then the Admin will charge through violence to where one hit upside the virus/worm writer's skull with a 2"x4" will be exchangeable to 15 minutes of the Admin's time that could have been better spent.

    Sorry to rant, but virus/worm copycats^Wwriters really get on my nerves, especially when I could be spending that time doing something with my friends, instead of telling sendmail to block out the latest "Melissa" clones.

    --
    /*drunk.. fix later*/
  9. Bad Examples by overunderunderdone · · Score: 3, Insightful

    Economic damages, bandwidth loss, destroyed data, and wasted time are harder for a cop to take seriously than, for instance, a body on the ground... It is an interesting thought experiment to consider what will happen when a teenager playing in an advanced biology course cultures a virulent bacteria or virus.

    I'm all for considering computer crimes as "real" crimes. The damages you mention are real, the crime is real. The motivation whether it's greed, political activism, or just being a "prankster" is irrelevant. Such attacks on computer systems and networks can do enormous economic damage and should be treated as serious crimes.

    But you undermine the argument by overstating it and picking examples of even more serious crimes to compare them to. A cop takes a body on the ground more seriously than economic damage, bandwidth loss, destroyed data and lost time because it IS much much more serious. A microbiology student infecting people with a real virus would be a far more serious crime than even the most damaging computer virus.

    ...Or consider if "goner" had been tracked to the other side of the tanks... to a group of Palestinians.

    That is a very interesting thought experiment. I'm a little torn on this since in general I think the act is what should be considered illegal not the motivation behind it. The "not guilty by reason of sincerity" defense (if we approve of your cause) as well as "EXTRA guilty by reason of sincerity" (if we don't approve of your cause) are abhorrent to me. They raise the specter of state sanctioned lawlessness and "thought crimes" - It is a mix I associate with tyranny, think of the mutually reinforcing state sponsored lawlessness of Kristallnacht and the totalitarian state control of everything else.

    On the other hand being blind to considerations of motivation and association could be taken too far. Society, if only to protect itself must take them into account. A lone hacker causing massive economic damage as a prank is a different kind of *threat* than an ideologically driven organization with a stated goal of destroying the society - even if the *crime* is identical. The organization is treated more seriously not because the crime is more serious but because the threat is more serious.

  10. We need to define the crime a worm writer commits by Philbert+Desenex · · Score: 3, Insightful

    First, the "WiReD" article confuses worm - a program or process that propagates itself to a different computer, usually via some networking protocol, and chainmail - an email message that requires human intervention to automatically send out more email messages, usually containing the same or slightly evolved chainmail. WiReD should straighten up its vocabulary on this issue, they do no service to anyone confusing the two.

    Second, the techniques used by both chainmail and worms are all used by legitimate scripts, programs and emails. How does law enforcement propose to declare one email message a crime, and another legitimate? And I don't mean "Let's ask some expert like Graham Cluley."

    Sure an IIS worm like Code Red usually uses some initial exploit, like overflowing a buffer in an IIS module or service or plug-in or whatever the MSFT lingo is, but Nimda used a variety of techniques built in to IIS, "shares" and Outlook. The variety of Outlook worms (Anna Kournikova, Nude Housewife, etc etc) and even the CHRISTMA EXE chainmail of 1987 used entirely legitimate techniques built in to Outlook and other email viewers. The 1988 Internet Worm used both legitimate techniques (BSD "r" commands that didn't require a password) and exploits like "fingerd" buffer overflows. How do we define the crime - "I didn't authorize this use of Outlook" really doesn't amount to a way to decide whether or not a particular program committed a crime. Similarly, worms like x.c get telnet servers to crash in particular ways when they spread. Gee whiz, a network server process crashes! That's news, for sure. I guess that hasn't happened to me since yesterday. How do we make one instance of a crashed program a crime, and another instance into a bug report?

  11. About the bandwidth... by SevenTowers · · Score: 2, Insightful

    Does anybody have any figures? How much bandwidth is used up during a worm attack such as Nimda?

    --
    Imperium et libertas
    Autocracy and freedom
  12. Let's define "terrorist," shall we? by tswinzig · · Score: 3, Insightful
    "We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said.

    Since some people are confused, let's look it up in the dictionary.

    terrorist
    n. One that engages in acts or an act of terrorism.

    terrorism
    n. The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons.


    Now, I do agree that a skilled person could use computer viruses for the purposes of terrorism, as defined above. But clearly 99% of viruses do not fall into the category of terrorism, and therefore calling their creators terrorists is quite a stretch. Most of them are smart young people with no common sense, no direction, and a distorted sense of right and wrong ... a.k.a. criminals.

    I'm sure Russ Cooper is more interested in getting his site linked from wired, and knows mentioning the buzzword 'terrorist' is sure to get a soundbyte.
    --

    "And like that ... he's gone."
  13. Re:Hurting people, not network equipment by Ixitar · · Score: 2, Insightful

    Following that train of thought...

    We don't need to punish those that embezzle from the banks, companies, etc. Nobody dies. Production doesn't stop in our factories, our banks and credit cards keep making debt for people, the hospitals don't keel over.

    The worm writers steal resources from companies, universities, governments, etc. when they have to deal with tracking down and eliminating the worm. This is valuable time that could be used working on other issues. Just like with embezzlement, there is cost to people involved.

    btw: People make debt for themselves.

  14. Re:crimes? by Pig+Hogger · · Score: 3, Insightful
    So if I leave a window unlocked, it is ok to break into my house? If a woman is wearing a short skirt, it is ok to rape her? You have cash on you, it is ok to mug you? You have a nice car, it is ok to car-jack you?
    If your apartment/house has an Abloy high-security lock, it is far less likely to be picked than the neighbour who only has an el-cheapo generic tin-metal lock...
  15. Terrorist no longer means anything... by Ami+Ganguli · · Score: 4, Insightful

    Over the last few months the word "terrorist" has lost all meaning. I also heard the other day that child pornographers were being called terrorists. And of course the Israelis, Palestinians, and Americans are terrorists, depending on who you ask. I'm sure the people who set fires around Sydney were terrorists too. Nowadays a terrorist is anybody you don't like.

    The old definition of terrorist was somebody who used terror as a tool to some political ends. Basically, if you can't defeat your enemy in a head-on attack, you choose an easy target calculated to demoralize the enemy.

    It's too bad, because 'terrorist' really was a useful word. Now that it's being used so broadly there's no concise way to talk about 'classic' terrorists.

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  16. Re:Trivial? What will happen with a "real" virus? by Anonymous Coward · · Score: 1, Insightful

    I think all we need to do is make it so the next worm spreads copyrighted material, or runs a p2p music/warez-sharing client.. do that, and the FBI will be all over it, after a quick nudge from their high-paying clients in the entertainment industry..

    The sad thing is, i'm joking but probably right. How hard would it be to write a virus that quietly rips to mp3 in the background all the audio CDs placed in the computer, then makes those mp3s available, along with all stand-alone programs on the computer, on Gnutella..? (No, not very subtle, but then neither is replacing index.html with HACKED BY CHINESE WORM, and we all know what a good job people did of noticing they were infected with code red.. i still get about six to ten code red 2 attempts on my mac os x box every day..)

    See, you just have to figure out what law enforcement officers like to attack, and pander to that. I'm pretty sure if a worm in some way was productive for the trafficking of mp3 or drugs, they'd be all over it immediately, yelling about "computer terrorism"..

  17. worms waste bandwidth? what about packet kiddies? by mkbz · · Score: 2, Insightful

    CmdrTaco writes:

    The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.

    if you've ever been on the receiving end of a round-the-clock DDoS attack from irc packet kiddies, you know about wasted bandwidth. worms seem to be a mere drop on the bucket.

    the only difference is - worms are indiscriminate; they walk their way thru IP blocks no matter who owns them. so big ISPs get their panties in a bunch and can use their muscle to bargain for the FBI's time. irc revenge DDoS is usually directed towards EFNet servers at the handful of ISPs who are brave enough to still be operating one.

    but, these two issues are related. the machines infected with the worms (which expose massive exploits) are usually taken over as zombies for nefarious bidding (such as the aforementioned DDoS).

    perhaps then we can roll in responsibility for the DDoS to the charges against the worm writers? then the cost of bandwidth soars astronomically and can probably justify more significant prosecution. (and hey, maybe get a little bit of 'official' attention to this problem (DDoS) that's been going on for years).

  18. TERRORrism by markj02 · · Score: 4, Insightful

    Terrorism implies creating terror. I'm sorry, but most people are simply not scared by the prospect of finding a virus attachment in their E-mail: it is both common and easily dealt with.

  19. Re:only destructive because of incompetence by Ixitar · · Score: 2, Insightful

    Where did you get your values?

    There is nothing technical about the skateboarder's responsibility for something being broken by his/her own actions. Does the owner need to post a no skateboarding sign, or can we as a society rely on common sense.

    We, as a society, have relied on the common sense model for a very long time. What has changed in our society, that people don't think that they are responsible for their own actions?

    Yes, people should do a better job in writing their software. That does not excuse those that are writing the viruses and the worms.