Slashdot Mirror
Creator of Sasser Worm Goes on Trial
Cobb writes "Creator of the Sasser worm Sven Jaschan begins his trial today in Verden, Germany. Arrested in May 2004, Jaschan faces charges for his crimes as a juvenile. A reward from Microsoft partially led to the capture of the virus creator. From the article: 'The charges, which also include disrupting public services and illegally altering data, carry a maximum sentence of five years in prison. However, court spokeswoman Katharina Kruetzfeld said that, as a minor, he faces a lesser penalty.'"
I wish I could put a bounty on people who made me look stupid.
That is a little like - "I was only curious about how much money was in the register, and how far I could run with it until I got caught".
This, along with prosecution of spammers, is a good start to reducing annoying aspects of the internet, but how far will this go to prevent others from replacing convicted pests?
Is there a way to tackle the problem "from the source" that would prevent would be spammers and virus creators from WANTING to do these things?
I think if enough offenders are prosecuted, and prosecuted severely enough, there is the potential to ward off others from commiting the same acts. However, if only a few, say 1 in 20 or less, virus creators/spammers/etc are caught, I don't think there will be enough push to stop others from taking their place.
Just like anything else in the world, if there is a low risk of punishment and a good chance of some sort of reward (monetary, pride, whatever) for some act, then someone will commit that act.
hit him hard, he shouldnt be rewarded for that.
you should not be rewarded for criminal activity.
yes burglers can eventually lead a good life and help others with their knowledge. but those are rare cases and a lot of time passes generally (prison for instnace)
Maybe the Hacker Mentality needs to be tempered with regard to the consequences of ones actions.
I'm sorry Officer - I only shot him to see what would happen. You don't understand the hacker mentality
init 11 - for when you need that edge.
There is no conundrum...he caused a lot of damage and cost people a lot of time and money that could have been put to better uses. As soon as he decided to be an asshole, he lost his right to participate in society.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
What he has done is ultimately a favor to microsoft.
He has demonstrated to them the importance of security, and demonstrated to end users the importance of patch management by exposing this vulnerability.
If he did not do it, someone else would have. We are just lucky Sasser was noisy and identifyable. A subtle worm which requires Tripwire to detect which spread on the same scale would be a disaster indeed!
Because of the profile in this case, I have to say toss the book at him. This will not scare the real hacker, but this will have a chilling effect on the casual script kiddies, and that is where the majority of worm/virus/junkware comed from.
I don't give a rat's ass about the "hacker mentality" - why? Because they don't care about the rest of us.
This guy should get the max and should be made to pay restitution for all the trouble he caused.
That was the most PC way I've ever seen someone say "they obviously dont care about his moral fiber or his ability to destroy property as part of his hobby without remorse, and decided to give hima job because theyd rather have him on their side because yeah, he's good, and we'll, they dont care about the rest".
There's nothing Intelligent about Intelligent Design.
Or, I just wanted to light a little fire and see what happened.
-- Slashdot: When Public Access TV Says "No"
I do have to say that just because M$ is a security hole doesn't mean that exploiting it in a milicious was is right, or even justified. There are correct ways to report the vulnerabilities, and those are the paths that this person should have taken.
Think of it this way, if you have a kid that is playing in a playground, and you look away for a minute or two, is it right/justified for a kidnapper to take your kid? Sure, it was your fault that you were not looking, but does that mean that since there was an opening to take your kid, someone is justified in taking your kid?
Sure, would-be kidnapper may come up to you and say "hey man/lady, your kid isn't being watched and could be taken easily". Even if the parent STILL keep an eye on their kid, does that make it right for the kidnapper to THEN take your kid just to proove a point and to let other know you were not looking?
This hacker deserves to be put in prision, they need to send a message saying that making virus's isn't right and it will not be tolerated.
This is stupid !!.. Creating awareness is one thing - but wanton destruction is another.
This is almost like saying Bin Laden did a good thing by levelling World Trade center - because he create "awareness" about Terrorism.
Working a security firm is like being a sparring partner - your job is not to knock the champ down, but to make sure he get enough training and test his skills with something that hits back.
Quidquid latine dictum sit, altum videtur
I think Bin Laden needs to be added to Godwin's rule.
As x approaches total apathy I couldn't care less.
Yes, but shouldn't Bill Gates go to jail for negligence, too?
Let me use this analogy: A kid throws a rock in a mountain, causing an avalanche. Turns out the guys who were warned about possible avalanches didn't do their work, like putting protective fences, blah blah.
So, when people die because of the rocks falling, suddenly a kid's the ONLY person guilty?
Give me a break.
Crack dealers are often very good businessmen, and have to work hard to keep the supply chains running, salesmen on the streets, etc. We don't normally see them working for the DEA afterwards, or getting jobs on Wall Street with their acquired skills. Instead we lock them up for 20 years.
There's a big interest in keeping guys like these around. This one kid "cost" some people millions but also help justified thousands of jobs for people in the security industry, virus protection firms, etc. I think it hurts the credibility of the security industry that there's an absolute revolving door of black hats to white after they grow up and figure that they need a paycheck more than 1337 status on IRC. If anything these guys should be more like paid informants than actual employees. Use them for what they know but keep them far away with a long stick.
Given that this kid is a juvenile I'm all for a second chance, but I don't think 6 months in lockup would hurt him either. There should definately be a punishment here. The world isn't exactly hurting for promising programmers. 1000 IT guys aren't worth the pause given to some kid about to hit the enter button on a destructive command and thinking "Hmmm...I could get 5 years for this."
If I burn your house, I don't take anything. If I install remote video surveilance in your bathroom, I don't take anything. If I duplicate your identity so that I can infiltrate the United States and destroy the Godless infidel, I don't take anything.
I cause trouble, sure, but not for personal gain.
Your analysis borders on the inane. The little moppet compromised enormous numbers of comptuer systems and put them in a state that people would generally acknowledge required substantial repairs or reconstuction.
Don't you mean "Clean up after *your* mess" ?
The patch for sasser's vulnerability was up two weeks before the worm hit. If you're not going to be thorough and proactive in defense of your systems, you're going to get nailed.
"but...but...Microsoft's evil patch might possibly break something somewhere at some point!!!!"
Tough. If it breaks, you're there to fix it. Lose X amount of time / work fixing something that Microsoft's patch broke, or lose Y time / work trying to clean up from a worm that you know nothing about.
Patches can be rolled back. Very easily rolled back at that. You test, you roll out, you fix it if it breaks. Yes, the kid who wrote sasser is a nasty little shit that made a lot of work for a lot of people. But it didn't have to.
"It is easy to be a bad sysadmin"
There are some people that if they don't know, you can't tell 'em.
After that we can sue the banks. Did you know there are 1000s of sucessful bank robberies every year?
Banks don't dock money from your account because they have been robbed.
Seven puppies were harmed during the making of this post.
There's a big interest in keeping guys like these around. This one kid "cost" some people millions but also help justified thousands of jobs for people in the security industry, virus protection firms, etc.
The crack dealers you mention "help justify" thousands of jobs in the DEA, FBI, and local LEAs...
I worked in tech support at the time, and I say that as punishment he needs to be tied to a chair witha headset affixed to his head and take calls from people affected by the worm, and try to convince them that he shouldn't be put in prison. Writing a virus or a worm may be a fun/educational excercise, but to release it into the wild is a sign of stupidity, amorality, or sociopathy. In either case he needs to have his nose rubbed in this so he doesn't do it again, and more importantly so the next kid thinks twice before releasing his creation.
If we add that it is absolutely certain that the avalanche would not have happened if the kid had not thrown the rock, then it's clear who's the guilty party.
Problem is, the kid wasn't the FIRST ONE to throw a rock at the same spot. If he's not the first, but the FIFTH, aren't the people in charge of that mountain responsible?
Ah, but he was a minor. If you're going to fry someone, fry his parents. I'll bet you that will make a difference to the supervision levels of kids using computers.
You may not have been serious, but luckily for everyone concerned Germany is in the EU - where the prohibition of the death penalty is a condition of entry. Plus it would appear that the West German constitution of 1949 abolished it anyway.
I've never quite understood how supposedly civilised countries can put their citizens to death, for whatever reason. The no-death-penalty, no-extradition-to-face-execution clauses of EU membership make be inordinately proud of being European...
Tedious Bloggy Stuff - hooray?
I'd no more consider this guy for a job in my organization than I would a person who keeps losing jobs for punching his coworkers in the face.
This line of thinking, while being unfortunately common, is extremely flawed in that it assumes that these "black hat" types are more skilled than responsible and reputable people in the industry.
So you hire an anarchist criminal because he's good at what your company does. Guess what, now you have an anarchist with a criminal mindset working INSIDE your company.
That makes you sleep better why?
Yeah, that makes sense. Kid breaks the law, so we punish him by sending him to computer science school. I assume the state is going to pay for this.
Meanwhile the kid down the street, who knows just as much about computers but somehow managed to resist the temptation to drop a worm on the internet, gets to work two jobs and apply for scholarships and financial aid and try to figure out how he'll afford a higher education.
That'll teach 'em.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
Anything less is hypocrisy and posturing - "having our cake and eating it, too"...
Reason is the Path to God - Anon
i agree to a point.. honestly, what did he do? created a piece of software that exploited insecure code and enabled a function of the OS (RPC system shutdown).
Very true.
Any half-skilled person can write a virus. Heck, a skilled programmer with the right talents and a bit of research could probably write a Warhol worm with just a little research.
Optimize the distribution routines before hand, figure out what tricks you are willing to use to run/hide your virus in the OS, code the core of it, and sit around on security mailing lists. As soon as a new major security hole comes out, add the exploit code and release it.
That's more than enough for a functioning worm. Heck, the right social engineering can create an extremely effective worm.
Yet some people (and employers) consider these "black hats" programming gods. Why?
Is it foolish HR departments? Or is it just a publicity stunt?
His crime? His actions were directly and indirectly responsible for millions of dollars of problems, for many thousands of hours wasted in peoples' lives, virtual trespassing, the list is rather long. The crime isn't that he wrote a piece of software. It's what he did with it. He screwed over a lot of people, businesses, and organizations. Including, IIRC hospitals. You know, the places that care for sick and dying people?
I don't recall the details of this specific worm (MS plays only a very small role in my job, thank God, and a microscopic role at my home; hence I never saw the thing) so I won't argue how much of the blame resides with users in this specific case.
But regardless of that, the guy who comes in through the window and trashes your house is the criminal, and should be prosecuted, whether you were stupid enough to lock the doors and windows or not.
Whether your insurance company compensates you for damages is another issue.
So you hire an anarchist criminal
/. reactions! This isn't an anarchist cyber-criminal mafioso terrorist, it's just a kid. At that age, I was mixing potassium nitrate with charcoal and sulphur, and I made some very nice craters with the resulting gunpowder. It's only later that I realized the full impact (pun intended) of what I was doing. At the time it was thrilling but there was no sense of real danger (if something had gone wrong, I'd be sitting in a wheelchair right now - best case scenario).
There are so many harsh names in the
"It's too bad that stupidity isn't painful." - Anton LaVey
In the UK, Sasser forced staff at the Maritime and Coastguard Agency to return to manual map reading because computer systems were made unusable by the worm.
Check-in for some British Airways flights was also delayed thanks to Sasser.
Around the world, the Australian Railcorp trains stopped running because computer problems caused by Sasser made it impossible for drivers to talk to signalmen.
In Taiwan, more than 400 branches of the post office were forced to use pen and paper because Sasser crashed desktop PCs.
These are not mere annoyances to "soulless" corporations (which, by the way, employ lots of real people -- perhaps even yourself!). The failure of the UK Coast Guard's system or the train dispatching system in Australia could have easily killed people.
You're treading a dangerous path there, one in which all software authors are held legally responsible for bugs in their code.
Remember the first internet worm? That was an exploit in sendmail. There are rootkits for linux.
Still think the authors should go to jail? Or is it somehow different because MS charge for Windows? My company has bought plenty of copies of RedHat...
(Oh, I'm ignoring the fact that that's the most flawed analogy I've read here in a long time - the author of the sasser worm wasn't some innocent kid idly throwing stones)
It's official. Most of you are morons.
A man comes into a hospital with a gunshot wound to the chest.
The Doctor on call decides to wait to hear from some of his fellow doctors in a couple days before deciding on a course of action. Oh, and maybe this months New England Journal of Medicine will have an article or two. Besides, treating gunshot wounds is messy and time consuming. In the meantime the patient dies.
According to you, only the guy that did the shooting is guilty of a crime. It's called negligance, and it's legally valid.
Not patching your box might not be criminal, but it is negligant.
There are some people that if they don't know, you can't tell 'em.