Blaster Variant Creator Pleads Guilty

Hello Kitty writes "Robert Parson, the 18-year-old who modified and re-released a version of Blaster last year, is on his way to being made an example of, after pleading guilty Wednesday in a Seattle courtroom. According to AP, he can now look forward to 18-36 months behind bars and -- shades of Kevin Mitnick's phantom damages -- may be expected to pay millions in restitution. And then there's that lifelong 5cr1pt k1dd13 title. of course."

And...

[Izago909]

In related news top Microsoft executives are expected to address a grand jury tomorrow morning for betraying the public trust by carelessly releasing software without thorough debugging. Yesterday, Steve Ballmer addressed reporters from Reuters and the Associated Press denouncing the charges. "It's like suing an automaker for selling cars without thorough crash testing and evaluation."

Re:And...

[bwy]

Next thing you know murder will be legal and the victim will be held responsible for not wearing kevlar.

Re:And...

[photon317]

There's a balance somewhere inbetween these two statements. It will always be illegal to unleash a virus, just as it will always be illegal to murder. However, just as civil suits can and do win against negligent manufacturers of equipment for failing to include adequate and reasonable safety measures, so should civil class-action suits win against makers of software who haven't done their due diligence on the security side of things. I'm not a fan of punitive damages against the manufacturer, but I think cost-of-purchase would be in order, covering the product bought (or the whole cost of any bundle containing the product). IOW, consumers should be able to sue Eudora for the cost of their mail client if they get penetrated and virused through it, and should be able to sue M$ for the entire cost of Windows since Outlook Express was a bundled component. (And again, not just because there was a bug - those are inevitable - but as a class action suit alleging that they were completely negligent in the area of security as evidence by the pattern of recurrent successful attacks on their software).

Re:And...

Well, if they can charge a kid with gajillions of dollars in unsubstantiated damages, then why shouldn't we be able to sue Microsoft and others for whatever damages we can dream up and somehow connect to their crappy software?

Because you perfectly knew their software was insecure, it's been commonly known for years. You also waived all your rights to Microsoft when you clicked OK to the EULA.

People should take responsibility for their own actions, not sue left and right too..

This is just to show there is more to this argument..

Re:And...

[McSnarf]

Grow up, people.
The "Virus writers are cool heroes" attitude usually comes from non-professionals who would never, ever be allowed to touch a real installation...
Breaking and entering is illegal - even if the victim knowingly employs bad locks.
The main issue here is not the fact that the idiot just changed some lines, but that he knowingly released it into the wild again.
If you use petrol and a lighter to burn down a house and people die, you deserve to be punished. The house could have been a fire trap - but that does not reduce your guilt. (Whoever built it will be sued, too, but the flaw in "virus lover" thinking is that the arsonist should go free because not all houses are fire proof.)

Re:And...

[10101001+10101001]

Because you perfectly knew their software was insecure, it's been commonly known for years.

Granted. It's a shame there weren't more commercials stating that from competitors.

You also waived all your rights to Microsoft when you clicked OK to the EULA.

It's often the case that a judge will rule that sufficient negligence on the part of the contractor can void any "do not sue us" clause. Given the shear number of security flaws found and where Windows advertisements have stated Windows should be used (servers), it seems like gross negligence.

People should take responsibility for their own actions, not sue left and right too..

Right, this guy variant creator should be punished. The question was should MS be sued for making Blaster so possible. A simple analogy, from the start of this thread, is the case of Ford finding a defect in their car. Now, Ford has to go out of its way to fix this defect; they don't just tell the consumer "here's the part, you install it". They do this precisely because until the defect is fixed (or there's been a sufficiently long period of time for which the fix was easily accessible), consumers can go out and sue Ford and win the case.

Now, at this point you might state that Blaster variants didn't start until 2 months after a patch was released. You'd be ignoring, though, that MS didn't mail out letters to its consumers. They didn't mail out CDs either. They didn't have local technicians to install the patch. So, while it's reasonable to say that a competent administrator for a server should never have let Blaster spread--MS did the equivalent of the first two for the technical user while the admin is the third--laying this charge on *all* computer users is like blaming all car defect victims for not being mechanics.
This is why MS has pushed for their autoupdate tool as it can optimally fulfill all parts (ignoring it can't reboot).

I can imagine in the future, MS try to claim not using the autoupdate tool to its full extent (ie, d/l *and* install) is paramount for grounds not to sue. But, will MS take responsibility for when one of their patches kill the network connection on a few million users and someone has to reinstall?

This kid is no Mitnick

[American+AC+in+Paris]

Comparing this kid to Mitnick is like comparing Burt Ward to Bruce Lee. Seriously--all the kid did was made a few minor changes to an already successful virus. Mitnick was doing something relatively new, and he did a lot of original 'work' in doing so. All this idiot did was make a few changes to somebody else's virus, hit send, and get caught.

(Hint to foolish wannabe kiddiez: stick to posting 'me toooo!!!!111' on the warez channel du jour. They won't send your sorry ass to prison for that.)

Re:This kid is no Mitnick

[Rosco+P.+Coltrane]

All this idiot did was make a few changes to somebody else's virus, hit send, and get caught.

Yes, and you know the saddest thing? Most talented hackers, like Morris or even Mitnick, can look forward to full time employment as a security expert at some IT company, due to their fame, after they're done being punished for their deeds. It's an expensive way to get famous, but at least they're famous, at least in computer circles.

This moron on the other hand can look forward to be punished, like hackers, and then apply for a job at Wendy's, because in the eyes of any employer, he'll always be less desirable than a failed CS student, until his script kiddie fame fades away slowly.

Honestly, that's the kid's real punishment...

Re:This kid is no Mitnick

[Binky+The+Oracle]

But, since he just took somebody else's work and made fairly transparent changes to it, he's got a few extra marks on him besides the "convicted felon" thing:

Yeah... like "Future Director, Microsoft R&D" maybe?

I KID!!! I KID BECAUSE I LOVE!!!

Re:This kid is no Mitnick

[golgotha007]

Seriously--all the kid did was made a few minor changes to an already successful virus.

no kidding. not only that, but he was a moron in the pricess:

from the article:
Parson apparently took few steps to disguise his identity. As a byproduct of each infection, every victim's computer sent signals back to the "t33kid.com" Web site that Parson had registered in his own name, listing his home address. The computer bug also included an infecting file called "teekids.exe" that experts quickly associated with Parson's Web site: Hackers routinely substitute "3" for the letter "e" in their online aliases.

holy crap, i could've caught teekid!

Nice.

[Sheetrock]

If you can't catch the original, punish the hell out of the one you can catch.

A smarter system would have this kid be a digital janitor for a year or so. Disinfect this computer, now disinfect that one. You know, like an intern, and maybe he could get a job out of it when he's done.

More productive than license plates, and more likely to pay society back.

Re:Nice.

[Kenja]

"A smarter system would have this kid be a digital janitor for a year or so. Disinfect this computer, now disinfect that one. You know, like an intern, and maybe he could get a job out of it when he's done."

Yea, cause hes just the type of person that I would want working on my computer. I also think that convicted child molesters should be put to work in day care centers. That'll teach em.

Re:Nice.

[gujo-odori]

Being rehabilitated doesn't imply working in IT. In fact, he might do better to get out of it anyway. He's young and can train for anything. He could retrain as a plumbe when he gets out, and if he's any good at it, he'll make more than most people in IT.

He might also want to look into being a mechanic, if he has the talent for it. Mechanics will need to know more and more about dealing with computer systems on vehicles every year.

There are lots of things he can do when he gets out. It doesn't have to be on computers. I'm in the email security field, and I will tell you flatly that there is no way I would consider hiring him. It's not a matter of the fact that he went to prison; it's a matter of the fact that I could not trust him.

If I were running a plumbing company, it wouldn't matter. But of course, I'd never let him near the office computers.

Microsoft should be greatful:

[tpgp]

Parson was charged here last August because Microsoft is based in suburban Redmond.

"We appreciate the fact that the defendant has accepted responsibility for the crime he committed," Microsoft deputy general counsel Nancy Anderson said Wednesday.

He changed Blaster to make it attack the MPAA & RIAA rather then Microsoft.

Microsoft should thank him ;-)

This guy is an idiot an deserves everything he get

[l810c]

Idiot
A Minnesota teenager known online as "teekid" was arrested and placed on electronic monitoring Friday for allegedly unleashing a version of the "Blaster" computer worm that infected thousands of computers.

First for writing the damn thing in the first place

Idiot
Parson apparently took few steps to disguise his identity. As a byproduct of each infection, every victim's computer sent signals back to the "t33kid.com" Web site that Parson had registered in his own name, listing his home address

Second for putting in a direct trace back to himself

Idiot
In court, the high school senior wore a T-shirt that read "Big Daddy" on the front and "Big and Bad" with a grizzly bear on the back. He sported a metal stud under his lip and his hair was dyed blond on top and shaved close around the sides and back

Third for showing no humility in court

Forgive Me

[mfh]

... but I think in this case, he *should* be made an example of. Virus writers need to *STOP*. Now.

On the other hand...

The fact that unscrupulous companies will bill in phantom damages just makes it worse. How are these kids supposed to have any role models when the establishment distances themselves from morality for profit? Phantom damages and those who issue them, ought be fined and sent off to jail with just as much enthusiasm as virus writers.

Example?

[Neurotoxic666]

is on his way to being made an example of

This is not justice. He should get what he deserves, period. Whenever they try to make an example of someone, he or she becomes some marty/icon and the only lesson learnt is: don't get caught doing what you'll do anyway.

Good

[pherthyl]

Harsh sentence, but I don't have a lot of sympathy. Idiot makes virus, idiot gets caught, idiot gets punished.

Next please.

hrm...well,

[hot_Karls_bad_cavern]

i can say this: if you don't know enough to keep from getting caught, well, enjoy the penalty. On that note, no, i don't condone doing such a thing, but with the many ways to get online anonymously (no, not some crappy online anonymizer or some such...i mean, the real ways...if you don't know, i'm sure as fuck not going to tell you) you should never be caught....

...unless you are stupid, reuse code, code with the wrong tools (read up), and release from your own fucking email account, etc. The ways to get away with this shit are many, the stupid take-the-easy-way-out folks get caught and the normal user will click away like there's no tomorrow regardless of the source (ask your local IT guy if you don't believe me on that one).

Sorry, no remorse for those that act without knowing enough.

Re:hrm...well,

[hot_Karls_bad_cavern]

or perhaps he did know it was wrong (why else write a "keewell" virus from an old virus?) Like he didn't know it would fuck things up - you sir, are lost if you think an 18 yr. old that knows how to code (sorta) and re-used known virus code to make another virus, is "lacking the moral logic to recognize what he was doing is wrong". Complete bollocks.

He knew what he was doing was wrong. Knew it would break shit. Did it anyway. Could have been one of those "got out of hand" things though. Fine, but it was wrong and he knew it. If you know enough to mess with viruses, you know enough to know that it's wrong to just release them in the wild and you should garner enough knowledge to hide it if you are stupid enough to release it.

In the "real world" as you call it, people know their shit. Marie Curie didn't know radioactive material would kill her, but the Manhattan Project *knew* that it did (and how to control it's reactions), and didn't blow themselves up on accident...they blew shit up on purpose. And now we have the penalty of nuclear proliferation. And the good side (before you jump the gun...again)? We have loads of great tech (cancer therapy, etc.) from her (and the MP) work....but it's for the good, much like many computers are safer for knowing this danger is out there by being patched. (yes, many are not....that is not the argument here).

Something else to add: when one starts programming and discovers fork(), one *knows* what it does and uses it carefully. If one wants to know just how dangerous it is (or wants to test its danger...much like our little friend, the virus coder might have "just been curious")...one codes in a protected environment....period. If he was really that curious and innocent, he'd have done it on a closed network for testing and learning. If you know enough to know something is dangerous and want to test, you take precautions...or you fuck up and pay the price. The "complexities...in the real world" don't give a good goddamn what your intentions are.

two sides to this fence...

[Obliterous]

He pled guilty, so he's guilty. good. send him to jail. I've got no problem with that.

But as for the millions, who actually get's the money?

an IT profesionals JOB is to deal with problems, much like blaster caused (and still ocasionally does).

What other costs do these companies incur, as a result of a worm/virus?

Do these companies want money to pay the wages of these tech's?

if the worm did it's job through the use of an OS exploit, why isn't the OS creator picking up part of the bill?

legal fee's I can ken, but the rest doesn't quite make sense to Me...

Re:two sides to this fence...

[endoboy]

It's a fireman's JOB to put out fires-- that doesn't make the arsonist any less guilty.

Buh bye.

[OwP_Fabricated]

I'm not the only person who's happy that the asshole that made me waste hours fixing the dozens of idiot-owned unpatched boxes is going to jail?

You can go ahead and blame the user all you want (a popular thing to do in the Slashdot crowd, because of course, us IT people NEVER MAKE MISTAKES), but the user didn't "write" the virus.

Just a guess but...

[antikarma]

Then he'll write a book and become CEO of a startup security company. There's no sense in not profiting from a few months of jailtime.

Unjust

[dtfinch]

All he did was change a little text in the virus. The damage he caused was no worse than if he had simply been infected himself. They just want to make an example of someone. They've spent a lot of money to put someone in jail for much longer than they deserve simply to save face in the public eye. Our legal system is supposed to be just, not popular.

Re:Unjust

[American+AC+in+Paris]

All he did was change a little text in the virus. The damage he caused was no worse than if he had simply been infected himself. They just want to make an example of someone.

That's one way to look at it.

One could also argue that this kid modified and released a piece of software that he knew for a fact would run rampant and infect countless systems worldwide. He'd already seen it in action, and he knew exactly what it did to an infected system. He can't even run the Morris defense of 'it was released accidentally and I had no idea it would be this bad'.

This punk got his hands on a very nasty computer virus, made changes to it, and released it back into the wild knowing fully well what he was doing and would happen as a result of his actions. That it was a mind-numbingly simple change doesn't make his actions any less malicious or criminal. Throw the book at him.

We as a society need to decide how to handle this

[FunWithHeadlines]

This kid played around with tech, in a very simple way, and got caught up in big legal trouble as the feds try to put fear into others thinking of doing the same. It's a complicated issue. We all hate these worms (well, those of you running Windows especially, but I personally hate it from a theoretical perspective, not personal). We know what he did was wrong. But boy these kids sure get the book thrown at them for what amounts to script kiddie penny ante stuff.

He took a worm and modified it and released it. That's not much different in spirit from what many of us did at his age, playing with tech, poking at it, learning how things work. He just picked something that caused massive headaches to all concerned, so we have little sympathy for the kid. And he seems suitably contrite since his arrest, as well he might since that event probably shook him. But what do we do with such kids? We don't want worms being released, and we want to discourage this behavior. And yes, money is involved when businesses spend time to fix the problems. But asking him to repay "millions" is an order of magnitude wrong. Let's see Kenny Boy Lay repay millions, yes. But this kid?!

Those of us who poked and prodded tech at his age, but did so in a way that didn't cause headaches to everyone, understand a little of his motivation. He was a dope, but a curious dope, and now he's learned a lesson. Will all the other script kiddie types learn from this? No way. What if he is told to pay back "millions"? Nope, they still won't care. We need to rethink how we deal with this sort of headache so that we encourage kids not to mess with worms and stuff, without treating them worse than violent criminals. I don't have the answers, but I can't see how throwing the book at this kid is going to solve much.

Phantom damages??

[dedazo]

shades of Kevin Mitnick's phantom damages

When the case is made against Microsoft (or "M$") and how "Windoze" is insecure and should be replaced by Leenucks, the argument is always "the worms and the viruses and malware cost businesses trillions and gazillions of dollars".

But when they nail a dumbass kid who thought he was 1337 and releases a virus (or a variation of one) then it's "phantom damages".

That's great.

Re:I have mixed feelings

[HeghmoH]

I'm sorry, but how did he not cause damages with a virus which disrupted work and forced companies to disinfect their machines?

this guy *wrote* a virus?

[dmbrooking]

Saying that this guy wrote a virus is like me changing the names in The Lord of the Rings and calling myself an author....

Re:I think the time doesn't fit the crime.

[RiDuvessa]

So by using this logic, any victim of a crime deserves what they get if they did not take every effort to prevent it from happening. Example, a person leaves on vacation and locks their home. They stop their mail and have someone take care of their dog. However, they forget to stop their paper, and thus, a criminal notices they are gone and breaks into their home and steals their belongings. By your definition, it is the homeowners who are at fault, and the burglar, if caught, should not be punished. Also, in that same situation, if a person noticed that the house had been broken into, and went in, and stole a painting that been left by the previous burglar, does that mean the individual wasn't guilty, because he hadn't broken into the house originally? By your logic, he isn't. I would argue he is just as guilty as the previous burglar. This kid committed a crime. He deliberately caused harm to people's property. It doesn't matter if he wrote the original virus or not. He needs to be punished. And I don't think the punishment is off base.

Re:*shudder*

[MoneyT]

They're not sending him to prison for typing any more than they send rapists to jail for feeling good.

He took a known computer virus, designed to cause damage. Modified it so that he would know which computers were infected and then willfuly and purposefully released said virus back into the wild to cause havoc.

Robert Parson?

[Rob_Warwick]

The article doesn't mention a Robert Parson.

It talks about Jeffrey Lee Parson. Also the /. story says he's 18. The USATODAY one says 19, though he would have been 18 at the time he released the worm (guessing based on article, I don't know when his birthday is).

Please check the facts before you submit a Slashdot story.

Re:This guy is an idiot an deserves everything he

[Inda]

He was in court to plead guilty. He probably knew he was looking at a stretch. Why does it matter what clothes he was wearing?

I used to get stopped regularly by the police. Normally I was just walking along the pathment minding my own business. I was stopped because of my hooded top most of the time - it's cold and wet in the UK. What a world to live in when people judge you by the clothes you wear.

I've heard geeks here complaining about the stick they get... because they look like geeks? So sad.

For the record I've never been arrested or convicted.

Yeah and? Stupid criminals go to jail. Old story

[SmallFurryCreature]

Sorry but am I supposed to feel sorry for this guy? Well okay, I believe that society should show the compassion to criminals that the criminals showed to their victims. So lets see. If he made the virus easy to remove and totally harmless then lets give him an easy and painless sentence like cleaning the toilets for a couple of months for no pay.

but he didn't did he, he showed no compassion for his victims so why should we show him? He wanted to play with the big boys, cause discomfort to countless people, be the though guy. Well now he can be though in jail. Something tells me he is going to be crying for his mommy.

I don't agree with many things american but the saying "if you can't do the time, don't do the crime" I can get behind. This guy was no victim of society. He was not a poor man stealing bread for his family. He was nothing more then a little punk who went around smashing peoples car, a thief stealing every bike around because he is to lazy to walk, a parasite.

Sure he was an idiot but an idiot who deliberatly set out to cause other people harm. What do you suggest we do? Give him a 50 dollar penalty? Slap on the wrist? Then he will be boasting in seconds on the net on how the pigs couldn't touch him and his leet hacking skills brought down the net.

No let him rot for a couple of months. I doubt it will send a message to other script kiddies but there is always the element of revenge. Ghandi may have a thing or two to say about revenge but Ghandi also left a country wich now has been at war for 50 yrs with itself and its neighbour. (tamils and pakistan)

Your argument fails ...

[GreenEggsAndHam]

It's certain that moral values are learned differently by different people, depending on their genetic make-up and environment.

By the age of 18 however, we have been consistently tutored into the meaning of right and wrong by our elders SPECIFICALLY to make up for the variations in individuals' ability to learn the concept of themselves.

In fact, you don't learn right and wrong spontaneously, it's what society and family teach you.

Your argument seems to say that no one should be held liable for their unwillingness to join society as one of its functional members. Well that's weird because it's when an individual breaches that contract that ... WE LOCK 'EM UP !!!!

It's not like society just left people to their own devices and then will-nilly locked them up for random reasons.

This guy knew perfectly well what he was doing.

Take him down.

Re:This guy is an idiot an deserves everything he

[Moraelin]

I'm such a geek. Normally I don't really give a damn about what people think of what I wear.

(It's decent. I'm not wearing a crotchless S&M outfit to work, or anything. If anyone is fundamentally offended the sight of a clean pair of jeans, they're just stupid. And I have better things to do than worry about stupid people.)

However, in this case we're talking a court of law. You don't want to piss off the judge who might, on a whim, give you a suspended sentence or community service or send you behind bars for a few years.

You _don't_ want to look like an unrepentant "fuck you all" rebel to the judge. You don't want to look like you're damn proud of what you've done. (Which is the impression that such a "Big Daddy" t-shirt would have given even me.)

I'm not even saying he should have worn a suit and tie or anything. But, you know, even if you're gonna wear a t-shirt, make it a plain one.

I mean, geeze, wear that t-shirt to school. Wear it at a party. Wear it even to a job interview if you honestly don't give a damn about the outcome. But a court of law is more serious: unlike a job interview, you can't just try again somewhere else.

Basically all I'm saying is that there's difference between not caring about stupid people, and _being_ the stupid one. Freakin' big difference.