Why Worm Writers Stay Free

savaget writes "There is an interesting Wired article explaining why worm writers are getting scott free despite their destructive deeds." Nothing really new: overworked law officials, bragging worm writers, you do the math ;) I still find it amazing. The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.

They aren't terrorists!

[Christianfreak]

"Forget that it may be problematic to extradite the individual, or that they may be young, or claim to be doing 'research.' We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."

This is the sort of thing that really pisses me off. Not to say that virus writers don't do damage or even that they are not criminals but how can you compare a computer glitch to killing 3000+ people? These virus writers are kids with too much time on their hands, they aren't terrorists! The solution isn't to toss them in jail or throw away the key, the solution is to get them to do something useful with their skills and then to use products that don't have so many security problems. </rant>

Re:They aren't terrorists!

[metlin]

Well said. Just my thoughts...

As one reader in an earlier post, people who write bad and insecure code have an equal hand in security compromises.

Most of the worms and virii are being coded by teenagers or kids who just do not have an idea as to what they are doing.

Think of this, why are people allowing their systems to be compromised again and again? A hack is a different thing, a worm/virus is a different thing. When there are so many different worms/virii, it cannot all be squarely blamed on the creators. The makers of the softwares should own up responsibility for writing bad code.

Why aren't other operating systems as vulnerable as the Win* platform? It is not like there are not enough people willing to write worms in Linux or FreeBSD. It is just that it is not that easy to.

Most of these people are kids, for God's sake!

Writing a computer worm to show off to your friends is akin to showing off your driving skills. It is just a means of getting recognized by the peers. These people should just be taught that writing bad code is harmful. To compare it to heinous crimes and huge losses is just plain stupid.

If it also causes harm, that is largely because of the immaturity of the technologies. If sysadmins regularly patched up their softwares, and if programmers wrote secure code, the effect of these worms will steadily decline.

But how many admins bother to administer the latest patch? And how many software companies bother to get out good code? It is plain stupidity to blame it all one some poor nerd out there.

Re:They aren't terrorists!

[geophile]

Your posting says that virus writers aren't terrorists because what they do doesn't compare to killing 3000+ people. Then your sig compares Bill Gates to Hitler.

Re:They aren't terrorists!

[dillon_rinker]

Terrorism doesn't necessarily imply killing people. The classical terrorist (ie, the one that exists mainly in poli-sci courses) blows up generators, water plants, radio towers, etc in an effort to destroy the public's trust in the government's ability to protect them. Someone who targets civilian infrastructure meets the threshold for being a terrorists. There's obviously a gradation; those who target large numbers of civilians are also terrorists (duh) but that doesn't mean that someone who blows up an empty building isn't a terrorist.

Furthermore, I would argue that you don't need to have political objectives to be classified as a terrorist. If I blew up a generator station because I think it'd be cool to see, I think it would be valid to classify me as a terrorist. This gets kind of tricky, because it'd be easy to categorize an arsonist as a terrorist, or a vandal, but I digress.

Anyway, the obvious analogy is that someone who targets information infrastructure (ie worm writers targeting email servers) is a terrorist. And don't argue that the analogy doesn't hold simply because there's no no permanent damage simply because it can be repaired. That's like arguing pulverizing every cubic inch of a building isn't permanent damage because it can be rebuilt. Don't argue that there's no real costs associated with worm attacks - do you think net admins work for free? (If so, I've got a job for you :) I'll grant that most costs are overrated.

Counterpoint - if blowing up a building is terrorism, why not burning it down? Should arson be considered terrorism? What about insurance fraud - if I burn down my old barn for the insurance money am I a terrorist? What about vandals? There's a continuum of crimes against property, as well as crimes against people; where do we put "terrorism" on that continuum? We must be cautious in verbiage used to define "terrorism"
in the law, lest the crime be placed further down the continuum than we want.

Counter-counter-point - arsonists rarely burn down every building on the internet; worm-writers at the very least have in their minds the idea that they could take out every email server on the internet (basically a DOS attack) or every workstation with the targeted OS(s) by wiping their drives after re-launching.

C

Re:They aren't terrorists!

[Afrosheen]

You must be magical because you keep getting mod points and I don't :( Oh well, blow me moderators.

Your point regarding giving skript kiddies jobs creating more skript kiddies isn't very realistic. It's a job, yes, but it's not a job they'd be proud to have. No convicts commit a crime hoping to be making license plates, there's just no incentive. But rather than a pointless punishment (i.e. imprisonment), make it productive. If you do a little research, you'll find that alot of IT security companies have real hackers on board. It makes perfect sense. Alot of insurance companies hire ex-burglars, to see how easy it was to break into someone's home/business. Security is always a 2 way street. It's the responsibility of both the individual and the company/service that provides them with security. Think if you get a 10 million dollar home and have gold bricks lying around in each room. A burglar discovers this from outside. Also you have a million dollar, state-of-the-art security system, but you don't arm it each time you leave the house. Who is at fault when you come home and all your gold bricks are gone?

Re:They aren't terrorists!

[ConceptJunkie]

You must be magical because you keep getting mod points and I don't :(

Think of it this way. I impress the typical /. reader. You decide if that's good or bad. A karma cap and 50 cents'll get you a cup of coffee.

I understand that a lot of IT security companies have hired ex-(h)|(cr)ackers and that's fine. But if getting caught means a good prospect for getting a job in computer security, then rooting someone's box becomes less of a crime and more of a resume builder. You see, there's a significant difference between making license plates, and working in high-tech security. I'm not saying it still couldn't be a deterrent, since many people won't want to deal with an ex-criminal, but people who are stupid enough to make things like nimda, might see it as a way to get ahead.

There are other kinds of useful community service that could be used, even jobs that take advantage of computer skills. I recall a friend got busted for some minor violation in college in the early 80's and ended up setting up a database for a local church as his community service.

I agree that alternatives to "pointless punishment" should be found, because there is an incredible waste of human resource when someone is sitting around sulking in striped sunlight for years on end. But we have to remember that punishment for crimes needs to be something that people want to avoid, not some kind of jobs program for troubled youths. That should happen before the legal system comes into play. We have to remember our first priority is trying to keep people from committing the crimes in the first place, even if we do still want to help them once they do.

That's all I'm trying to say.

Rick

p.s.

Who is at fault when you come home and all your gold bricks are gone?

The thief. You might be at fault for being careless or incompetent (and if it were your job to secure the gold, that's another issue), but the thief is still guilty of far worse. Maybe you shouldn't complain if your house is burglarized, but there is still a significant difference in the degree of moral fault here.

If I walk out and leave my gold bricks lying around unprotected, that in no way mitigates the degree of guilt of anyone who might happen to steal them.

No money in catching them.

[saint10]

A multi-billion dollar industry was created by writers of malware; anti-virus, tripwire, IDSes. Why would any large security company want malware authors to be caught?

*gulp*

[hiryuu]

"We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said. "The cost to our businesses, not to mention our way of life, is simply too high to not pursue these individuals."

Terrorists? Virus writers are terrorists? Keep it up, boys, and the word will lose all meaning and everyone will be desensitized to what it really means. Sheesh.

Obviously the legal system doesn't see them as such, yet, from the details of the article.

Re:Constructive Uses?

[arrow]

It has been done. I can't remember off the top of my head which one, but I cleaned up a virus infection about a year ago that installed the distributed.net client.

Its gotten bad enough that Symantec has posted a KB article on it, here.

Distributed.net also has a trojans page here.

---
www.symetrix.net

Punishment?

[Darth+RadaR]

But even when writers are caught and brought to trial, the legal system often doesn't know what to do with them.

Pah! I know what to do with them. Charge the writer of a virus/worm for time the Admin puts in to fix or block their poisoned program. If the virus/worm writer doesn't have the money, then the Admin will charge through violence to where one hit upside the virus/worm writer's skull with a 2"x4" will be exchangable to 15 minutes of the Admin's time that could have been better spent.

Sorry to rant, but virus/worm copycats^Wwriters really get on my nerves, especially when I could be spending that time doing something with my friends, instead of telling sendmail to block out the latest "Melissa" clones.

Bad Examples

[overunderunderdone]

Economic damages, bandwidth loss, destroyed data, and wasted time are harder for a cop to take seriously than, for instance, a body on the ground... It is an interesting thought experiment to consider what will happen when a teenager playing in an advanced biology course cultures a virulent bacteria or virus.

I'm all for considering computer crimes as "real" crimes. The damages you mention are real, the crime is real. The motivation whether it's greed, political activism, or just being a "prankster" is irrelevant. Such attacks on computer systems and networks can do enormous economic damage and should be treated as serious crimes.

But you undermine the argument by overstating it and picking examples of even more serious crimes to compare them to. A cop takes a body on the ground more seriously than economic damage, bandwidth loss, destroyed data and lost time because it IS much much more serious. A microbiology student infecting people with a real virus would be a far more serious crime than even the most damaging computer virus.

...Or consider if "goner" had been tracked to the other side of the tanks... to a group a Palestinians.

That is a very interesting thought experiment. I'm a little torn on this since in general I think the act is what should be considered illegal not the motivation behind it. The "not guilty by reason of sincerity" defense (if we approve of your cause) as well as "EXTRA guilty by reason of sincerity" (if we don't approve of your cause) are abhorant to me. They raise the specter of state sanctioned lawlessness and "thought crimes" - It is a mix I associate with tyranny, think of the mutually reinforcing state sponsored lawlessness of kristalnacht and the totalitarian state control of everything else.

On the other hand being blind to considerations of motivation and association could be taken too far. Society, if only to protect itself must take them into account. A lone hacker causing massive economic damage as a prank is a different kind of *threat* than an ideologically driven organization with a stated goal of destroying the society - even if the *crime* is identical. The organization is treated more seriously not because the crime is more serious but because the threat is more serious.

We need to define the crime a worm writer commits

[Philbert+Desenex]

First, the "WiReD" article confuses worm - a program or process that propagates itself to a different computer, usually via some networking protocol, and chainmail - an email message that requires human intervention to automatically send out more email messages, usually containing the same or slightly evolved chainmail. WiReD should straighten up its vocabulary on this issue, they do no service to anyone confusing the two.

Second, the techniques used by both chainmail and worms are all used by legitimate scripts, programs and emails. How does law enforcement propose to declare one email message a crime, and another legitimate? And I don't mean "Let's ask some expert like Graham Cluely."

Sure an IIS worm like Code Red usually uses some initial exploit, like overflowing a buffer in an IIS module or service or plug-in or whatever the MSFT lingo is, but Nimda used a variety of techniques built in to IIS, "shares" and Outlook. The variety of Outlook worms (Anna Kournikova, Nude Housewife, etc etc) and even the CHRISTMA EXE chainmail of 1987 used entirely legitimate techniques built in to Outlook and other email viewers. The 1988 Internet Worm used both legitimate techniques (BSD "r" commands that didn't require a password) and exploits like "fingerd" buffer overflows. How do we define the crime - "I didn't authorize this use of Outlook" really doesn't amount to a way to decide whether or not a particular program committed a crime. Similary, worms like x.c get telnet servers to crash in particular ways when they spread. Gee whiz, a network server process crashes! That's news, for sure. I guess that hasn't happened to me since yesterday. How do we make one instance of a crashed program a crime, and another instance into a bug report?

Let's define "terrorist," shall we?

[tswinzig]

"We need to catch them, and place them in a position whereby they are seen for what they are -- a terrorist," Cooper said.

Since some people are confused, let's look it up in the dictionary.

terrorist
n. One that engages in acts or an act of terrorism.

terrorism
n. The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons.

Now, I do agree that a skilled person could use computer viruses for the purposes of terrorism, as defined above. But clearly 99% of viruses do not fall into the category of terrorism, and therefore calling their creators terrorists is quite a stretch. Most of them are smart young people with no common sense, no direction, and a distorted sense of right and wrong ... a.k.a. criminals.

I'm sure Russ Cooper is more interested in getting his site linked from wired, and knows mentioning the buzzword 'terrorist' is sure to get a soundbyte.

Re:crimes?

[Pig+Hogger]

So if I leave a window unlocked, it is ok to break into my house? If a woman is wearing a short skirt, it is ok to rape her? You have cash on you, it is ok to mug you? You have a nice car, it is ok to car-jack you?

If your appartment/house has an Abloy high-security lock, it is far less likely to be picked than the neighbour who only has a el-cheapo generic tin-metal lock...

Terrorist no longer means anything...

[Ami+Ganguli]

Over the last few months the word "terrorist" has lost all meaning. I also heard the other day that child pornographers were being called terrorists. And of course the Isrealis, Palestinians, and Americans are terrorists, depending on who you ask. I'm sure the people who set fires around Sydney were terrorists too. Nowadays a terrorist is anybody you don't like.

The old definition of terrorist was somebody who used terror as a tool to some political ends. Basically, if you can't defeat your enemy in a head-on attack, you choose an easy target calculated to demoralize the enemy.

It's too bad, because 'terrorist' really was a useful word. Now that it's being used so broadly there's no concise way to talk about 'classic' terrorists.

TERRORrism

[markj02]

Terrorism implies creating terror. I'm sorry, but most people are simply not scared by the prospect of finding a virus attachment in their E-mail: it is both common and easily dealt with.