Why Worm Writers Stay Free
savaget writes "There is an interesting Wired article explaining why worm writers are getting scot-free despite their destructive deeds." Nothing really new: overworked law officials, bragging worm writers, you do the math ;) I still find it amazing.
The bandwidth wasted by a successful worm is gigantic. To say nothing of time and disk space.
Pretty soon you won't be able to sneeze in a subway car without someone accusing you of biological warfare.
"It's not a war on drugs, it's a war on personal freedom. Keep that in mind at all times." Bill Hicks
As SirCam virus e-mails average 250kb per message, each month we pass over a gigabyte of bandwidth on this crap.
I wonder if it's possible to approximate how many dollars worth of bandwidth and lost productivity have been lost to these kinds of worms. I don't see why the authors shouldn't be prosecuted more harshly. This is just large-scale vandalism that raises the prices for everyone else to make up for it.
Adversive
My cat's breath smells like cat food.
So what I'm wondering is if anyone has bothered to form an organization to do exactly that, maybe along the line of CyberAngels. Let's face it, the people who write these useless things, although they definitely aren't terrorists, are wasting other people's bandwidth, resources, and precious time. And they do deserve to be punished. But what's stopping the slew of arrests is a lack of manpower. Law enforcement officials can't be everywhere; they have their limits.
So what I'm suggesting is something based off of CyberAngels. The people volunteering there track down stalkers, harassers, child pornographers, and other "cybercrimes" that go beyond the Internet and into your personal life. They do good work. My idea then, is much the same. Get people with the necessary skills, who understand the net, understand the technology, and make use of those skills to help track down all those worm writers, script kiddies, and the like.
Personally, I think it may work. Anyone have any thoughts?
There is no escape from The Muffin.
I don't blame the worm writers. Blaming them is like blaming the rain. Rain is a feature of our planet and worms and viruses are a feature of Microsoft software. Writing a Word template, no matter how complex or unusual, is not a crime. Releasing email clients and operating systems that blow up or do really weird things when they encounter Word templates ... that's questionable.
I think it would be more appropriate to classify virus writers as "vandals", and treat them as such legally.
"If someone left their front door unlocked ... " Gah, I am so sick of hearing that analogy every time someone talks about computer security. Physical theft and defacement are not the same as digital. So what would be a better analogy?
Imagine if someone went to a photographer and had some "personal" photos taken for their spouse. And that the photographer made poster-size prints and put them in the front window with a sign saying, "Please don't look at these."
Would you prosecute the 13-year-old kid who came by and looked at them? How about if he took pictures of the posters and put them up on his web site? The originals are still "secure" in the studio's safe. How can you blame the photographer?
If current computer law (UCITA, DMCA) were applied to this situation, the 13-year-old would be in jail and the photographer would be suing me for telling you that the posters were available.
Nope, no sig
I really liked the analogy a previous poster in a different thread had come up with:
Virus/worm authors are like cockroaches. Sure it sucks to have to deal with them, but it's your own damn fault. And prosecuting is pointless - there's a million more where the last one came from.
Most current viruses are NOT very sophisticated. They exploit wide-open security holes in unpatched operating systems that were produced by careless vendors. It's like getting pissed at people walking into your house at all hours of the night. Yes, they shouldn't be doing it - but if you were locking your doors it wouldn't be a problem.
My point is that the blame should not fall entirely on the virus/worm authors. It should be evenly distributed between the vendor (for being negligent with regard to security); the system admin (for the same); and the virus author.
Well, perhaps then the solution is to put some enforcement muscle behind requiring people who develop and distribute software to stand behind their product. I.e. require anybody who releases software for others to use to carry a Ten Million Dollar liability policy or they're not allowed to distribute their software.
Microsoft could afford that, no problem. So could Lotus and Novell.
Guess whose software would overnight become illegal to distribute?
A criminal is, by definition, someone who commits a crime. Speeding is a crime. It doesn't compare to murder in severity.
Actions have consequences. We can (and should) blame Microsoft all day for their flippant disregard of security, but that doesn't mean these script kiddies aren't committing serious crimes. What if a teenager broke into a factory and managed to shut it down for several hours? Would we be sitting around saying, "Oh, well, he's just a kid with too much time on his hands!" or would we be considering the fact that he cost the company thousands or millions of dollars? Well, Internet servers have reached the point where they can have as much impact on a business as the physical property and machinery.
We need to recall that consequences (and punishment) should fit the crime, not the criminal. A relatively harmless crime needs a small punishment (or possibly even just a warning), whereas a larger crime requires a larger punishment. Otherwise you end up with anarchy.
I don't want to see young kids pulling years of hard time for youthful indiscretions aided by bad security measures, but if there's no threat of punishment, then there will be no deterrent.
I wish it were possible to focus a little less on fuzzy IP issues (which are important, but the government is listening too much to the money and not enough to its own law, precedent, and common sense) and a little more on the fact that the entire global computer network is being bogged down by the actions of a small number of penny-ante vandals.
You are in a maze of twisty little passages, all alike.
I know there are others out there
when I started out, I'd download those toolz
then I tried to figure out how they work...
before long I was writing those goofy chat nukes
and yes some viri... but after that I had some knowledge of programming and moved on to more constructive things like game cheaters. Now I'm a programmer.
kids will be kids. If you don't want them doing bad stuff, then go after the parents
parents just don't talk to kids anymore
instead of blaming computers or movies or whatever
try taking some responsibility on your own
I mean heck they are YOUR kids.
don't look for anyone else to keep them in line when you don't yourself!
Great idea! Take a kid who obviously has no respect for others' property, and hand him the keys to your enterprise system! By the time he's done, all the backdoors, security holes, and other problems will be patched, except for your script kiddie's backdoors. Then, shoot the script kiddie. No known security holes, and one less 1337 haxor - everyone wins!
The one flaw in your plan is that the folks that make these worms are, for the most part, socially backwards (no respect for others' property or lost time, and usually from a middle-class background, so they don't know how to really work for a living), and don't have a great set of computer skills, outside of those needed to find holes. It's a bit easier to find and exploit holes than it is to find and patch those holes, so the assholes will always have the advantage.
Personally, I like the Kevin Mitnick treatment - put 'em in jail for a while, away from computers, then put them on probation, again without access to computers. If you are too socially retarded to play the game right, then you'll have to sit on the sidelines. Too bad these kids are privileged enough that their parents could hire lawyers, and parents are brainwashed into thinking that computers are necessary for their kid's education...
Ages ago, there was something of a scandal in the news when a prominent anti-virus company CEO warned of a doomsday of a new virus or worm making the rounds. Of course, sheep bought the software, but nothing much materialized and the CEO resigned in disgrace after being accused of trying to create a market by scaring people; some people went so far as to suggest the particular company was actually the origin of virii and worms. Wish I could remember who that was, maybe this article alludes to it (the Michelangelo virus).
A feeling of having made the same mistake before: Deja Foobar
An interesting conversation I had with my dad went on similar lines. Consider this:
You are in a car accident, your fault. The other guy was wearing a seat belt and suffers minor injuries. You are charged with failure to control. You pay a minor fine and maybe do some community service.
Now consider your same action:
You are in a car accident, your fault. The other guy was not wearing a seat belt and dies. You are charged with vehicular homicide. You spend a few years in jail.
Your same actions caused two different events based solely on someone else's choice. Is it truly fair that you should be punished more severely for the second result than the first? The same situation exists in your example. You wrote some stupid virus that spreads, but doesn't do much more. Clearly, you're not a saint. However, because some putz in charge of the airport control system left out the patch, your "innocent" virus spread through the airport control system, and unfortunately DOSed it offline. This brought down planes.
Should you really be charged with terrorism when the intent was not there? Where is the responsibility for the other person who allowed this to happen?
Not that I fully agree either, but one possible defense: just how many man-years has Gates' commitment to insecure OSes and ruthless trouncing of all would-be competitors cost?
I am of the belief that there is practically no piece of software that should be illegal. This includes viruses, worms, spamware and other software with no redeeming qualities. It's one of those slippery slope problems where you're banning certain types of speech, but it could easily get murky as to what was a worm or a virus. Some security software has just as much legitimate use as it has potential for misuse.
The only rational solution, as is the case with other "banning the tool vs. banning the act" problems, is to ban the act of disseminating virii or worms maliciously. Banning certain types of software is an ill-conceived notion, just like banning certain guns.
Those who believe that software (in the US at least) is constitutionally protected speech may want to think twice if they believe virus writers should be prosecuted. Judging software based on its purpose is probably impossible - is DeCSS a tool for piracy or for interoperability? Depending on who you ask, you will get 2 different answers. Is Back Orifice a security tool or a hacking tool? Is it a virus? Should the writers be prosecuted?
Virus/worm software does have redeeming educational value, however little... it's useful for exposing vulnerabilities, even if it only shows that the end user is stupid.
So even though virii, worms, spamware etc. are a pain in the ass, I do support your right to create any type of software you like. The other alternative, banning classes of software, is actually more dangerous.
Note this has nothing to do with my view on copyright. Of course if you infringe someone else's copyright in your software you are breaking the law.
No it can't. No it shouldn't.
Pervasively defective applications and system software, coupled with a highly predatory monopolist, work to ensure that most naive end users are unnecessarily vulnerable to security exploits.
If the UCC were being effectively applied to Microsoft, these worm attacks would cease as Microsoft would find the motivation to re-engineer their products.
These are not some highly crafted bits of machine language. By old virus standards, they are incredibly crude. Yet they continue to cause havoc.
This is primarily due to security being an afterthought at the company that controls most consumer software.
This element of the problem simply can't be ignored so that you people can play a Puritan game of "crime and punishment".
These nuisance worm writers are actually doing us a BIG favor at this point. These exploits will eventually escalate to the point of being genuinely harmful. We have time now to get ready for this because of these "teenage joyriders".
They are the flu and they are telling us we should mind our hygiene.
A Pirate and a Puritan look the same on a balance sheet.
IMNSHO the most annoying aspect of those worms is the poor quality of the code. Total ignorance.
It's enough to take a quick look at my server's logs to see a bunch of attempts to exploit IIS holes in Apache! This alone makes me wanna put them behind bars...
For God's sake, all they have to do is check the server type and thus spare lots of bandwidth. A real coder would do that.
Apparently VB aware script kiddies wouldn't...
The Future of Human Evolution: Autonomy