Creator of Sasser Worm Goes on Trial
Cobb writes "Creator of the Sasser worm Sven Jaschan begins his trial today in Verden, Germany. Arrested in May 2004, Jaschan faces charges for his crimes as a juvenile. A reward from Microsoft partially led to the capture of the virus creator. From the article: 'The charges, which also include disrupting public services and illegally altering data, carry a maximum sentence of five years in prison. However, court spokeswoman Katharina Kruetzfeld said that, as a minor, he faces a lesser penalty.'"
I wish I could put a bounty on people who made me look stupid.
Interesting conundrum for the legal system - do you let him off easy and give him a job at a security company - or hit him hard, and ruin a promising (although mischievous) programmer?
Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
They evidently saw his skills in identifying and essentially publicising weaknesses in the operating system in a positive light.
Perhaps he ought to be congratulated to some extent for this - Windows is now (barely) more secure.
That is a little like - "I was only curious about how much money was in the register, and how far I could run with it until I got caught".
This, along with prosecution of spammers, is a good start to reducing annoying aspects of the internet, but how far will this go to prevent others from replacing convicted pests?
Is there a way to tackle the problem "from the source" that would prevent would be spammers and virus creators from WANTING to do these things?
I think if enough offenders are prosecuted, and prosecuted severely enough, there is the potential to ward off others from committing the same acts. However, if only a few, say 1 in 20 or less, virus creators/spammers/etc are caught, I don't think there will be enough push to stop others from taking their place.
Just like anything else in the world, if there is a low risk of punishment and a good chance of some sort of reward (monetary, pride, whatever) for some act, then someone will commit that act.
Maybe the Hacker Mentality needs to be tempered with regard to the consequences of one's actions.
I'm sorry Officer - I only shot him to see what would happen. You don't understand the hacker mentality
init 11 - for when you need that edge.
It'd be nice if his punishment was to do the work of all the IT personnel who had to clean up after his mess. I'd love to sit at home and relax while that little dweeb does my job. I'd be the one getting paid of course.
What he has done is ultimately a favor to microsoft.
He has demonstrated to them the importance of security, and demonstrated to end users the importance of patch management by exposing this vulnerability.
If he did not do it, someone else would have. We are just lucky Sasser was noisy and identifiable. A subtle worm which requires Tripwire to detect which spread on the same scale would be a disaster indeed!
Because of the profile in this case, I have to say toss the book at him. This will not scare the real hacker, but this will have a chilling effect on the casual script kiddies, and that is where the majority of worm/virus/junkware comes from.
But is he allowed to use a touch-tone phone?
Steven Wooston, Lead Programmer, J-J-J-Julius Games
Author of a CONSIDERABLE number of best-selling games
I, for one, find no need in this world for worm writers, virus writers, phishers, Nigerian scammers, adware/spyware secret installers, keyboard loggers, and the rest of the trash that pollutes the otherwise exceptionally useful and wonderful Internet. Locking them away, and away from computers, for the rest of either their lives or my own -- whichever is shorter -- wouldn't bother me a bit.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Let's see him worm his way out of this!
If brevity is the soul of wit, then how does one explain Twitter?
Sorry, fry the kid. Use this as YET ANOTHER wake up call that your computer is NOT a VCR. If parents cannot keep tabs on their kids' computer use then they should take away the computer. If the parents cannot understand how to do this, then maybe they shouldn't have a computer till they learn. Responsibility is with the individual and/or mentors.
Or, I just wanted to light a little fire and see what happened.
-- Slashdot: When Public Access TV Says "No"
I do have to say that just because M$ is a security hole doesn't mean that exploiting it in a malicious way is right, or even justified. There are correct ways to report the vulnerabilities, and those are the paths that this person should have taken.
Think of it this way, if you have a kid that is playing in a playground, and you look away for a minute or two, is it right/justified for a kidnapper to take your kid? Sure, it was your fault that you were not looking, but does that mean that since there was an opening to take your kid, someone is justified in taking your kid?
Sure, would-be kidnapper may come up to you and say "hey man/lady, your kid isn't being watched and could be taken easily". Even if the parent STILL keeps an eye on their kid, does that make it right for the kidnapper to THEN take your kid just to prove a point and to let others know you were not looking?
This hacker deserves to be put in prison, they need to send a message saying that making viruses isn't right and it will not be tolerated.
Sentence the kid to a computer science school.
These kids hack, because they are at the age of destructiveness. They don't have the vision and maturity to reach the creativity stage, because they have no role models to do so. This kid's skills are good enough to make him a skilled security professional, and he didn't know enough to hand Sasser over to a Secunia and make himself well known in the process and probably have job offers. I'd like to hear his rationale for releasing it into the wild before deciding on how to treat him, but most of these kids do it for the kicks and respect of dysfunctional peer groups (i.e. other hacking clans). Need to show them a better way.
Worms are a two-sided problem. In order for them to happen, it takes a software writer (far too often that software writer being named "Microsoft"...) to create software that has a ready-to-exploit flaw in it, and then it just takes one evil-minded programmer to kick a worm through that hole and make a mess that makes all of us wearing white hats have to do some serious cleanup and deal with downtimes.
While I'm glad the kid is going to get taken to justice, I'm still a little troubled by the fact that all Microsoft did for their part of it was to release a "you shoulda run Windows Update" patch and kicking in a quarter-million US dollar reward... both of which they're doing out of the kindness of Bill Gates' heart because there's no law requiring either of them.
I know small time programmers need liability protection from the abuse of their software... but shouldn't a large company like Microsoft be liable for the cleanup costs associated with their own security bugs?
I think if a kid is capable of committing a crime knowingly, then he should face the same punishment as an adult.
I think a lot of kids commit crimes with the "knowledge" that if they get caught, it would be a slap on the wrist and go away when they turn 18.
Yes, but shouldn't Bill Gates go to jail for negligence, too?
Let me use this analogy: A kid throws a rock in a mountain, causing an avalanche. Turns out the guys who were warned about possible avalanches didn't do their work, like putting protective fences, blah blah.
So, when people die because of the rocks falling, suddenly a kid's the ONLY person guilty?
Give me a break.
.. at least according to the BBC:
http://news.bbc.co.uk/1/hi/technology/4649361.stm
Watch the Teaser Trailer for "The Lightning Thief" Her
Moreover, he is tried as a juvenile. In Germany, you are invariably tried as a juvenile up to 18 years of age, and more typically up to 21 years if the court determines that "your character is not completely formed". Sentences in a German juvenile court are not primarily for punishment, but to provide guidance and education. Very few juvenile offenders go to prison (and if yes, none goes to an adult prison). Typical sentences include mandatory social work or weekend arrests.
Finally, first time offenders always get much lower sentences, and prison sentences up to a year are nearly always suspended (for first-time offenders with reasonable behaviour and prognosis, so are some longer sentences).
So his risks of actually spending time in prison are rather low.
Stephan
After that we can sue the banks. Did you know there are 1000s of successful bank robberies every year?
Banks don't dock money from your account because they have been robbed.
Seven puppies were harmed during the making of this post.
I worked in tech support at the time, and I say that as punishment he needs to be tied to a chair with a headset affixed to his head and take calls from people affected by the worm, and try to convince them that he shouldn't be put in prison. Writing a virus or a worm may be a fun/educational exercise, but to release it into the wild is a sign of stupidity, amorality, or sociopathy. In either case he needs to have his nose rubbed in this so he doesn't do it again, and more importantly so the next kid thinks twice before releasing his creation.
If we add that it is absolutely certain that the avalanche would not have happened if the kid had not thrown the rock, then it's clear who's the guilty party.
Problem is, the kid wasn't the FIRST ONE to throw a rock at the same spot. If he's not the first, but the FIFTH, aren't the people in charge of that mountain responsible?
Ah, but he was a minor. If you're going to fry someone, fry his parents. I'll bet you that will make a difference to the supervision levels of kids using computers.
You may not have been serious, but luckily for everyone concerned Germany is in the EU - where the prohibition of the death penalty is a condition of entry. Plus it would appear that the West German constitution of 1949 abolished it anyway.
I've never quite understood how supposedly civilised countries can put their citizens to death, for whatever reason. The no-death-penalty, no-extradition-to-face-execution clauses of EU membership make me inordinately proud of being European...
Tedious Bloggy Stuff - hooray?
Five Years? That's no big deal then. He'll be on parole before Longhorn actually ships :-)
Jaschan: You want answers?
Prosecutor: I think I'm entitled to them.
Jaschan: You want answers?
Prosecutor: I want the truth!
Jaschan: You can't handle the truth! Old man, we live in a world that has firewalls. And those firewalls have to be setup by men with MCSEs. Who's gonna do it? You? You, Mr. Ballmer?
I have a greater responsibility than you can possibly fathom. You weep for Windows XP and you curse Microsoft. You have that luxury. You have the luxury of not knowing what I know: that Windows XP has faults, while tragic, probably saved jobs. And my existence, while grotesque and incomprehensible to you, saves jobs...
You don't want the truth. Because deep down, in places you don't talk about at LAN parties, you want me on hacking that firewall. You need me finding exploits in that firewall. We use words like reboot, blue screen, exploits, Microsoft...we use these words as the backbone to a life spent hacking something. You use 'em as a punchline.
I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very exploits I find, then questions the manner in which I exploit it!
I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a real firewall and configure it. Either way, I don't give a damn what you think you're entitled to!
Prosecutor: Did you write the Sasser worm?
Jaschan: (quietly) I did the job you sent me to do.
Prosecutor: Did you write the Sasser worm?
Jaschan: You're goddamn right I did!!
Anything less is hypocrisy and posturing - "having our cake and eating it, too"...
Reason is the Path to God - Anon
I agree to a point.. honestly, what did he do? created a piece of software that exploited insecure code and enabled a function of the OS (RPC system shutdown).
Or "I just wanted to poison him so I could have sex with his dog all day."
Jeez, can we keep going with the stupid analogies?
To go down the garden path of increasing awareness, try this analogy.
Sasser boy is riding a rollercoaster.
He notices a loose screw.
Does he
A. Inform the rollercoaster operator of the problem
B. Attempt to repair it himself
C. Unscrew it to demonstrate the safety risk of the initial poor design/maintenance?
Yes, there is only one right answer here - and it sure ain't C. If Sasserboy wanted to do something noble, he could have programmed a workaround to patch the hole until M$ could release their patch.
Instead, he took the screw out.
Idiot. We don't need people like this in IT. Common sense is slightly more important than technical savvy - remember, most hacks are social engineered ones.
I was saying goodnight to a friend/colleague who is a medical doctor the other night, and he was meeting a consultant after work. The consultant mentioned that the <insert name of large London hospital> was suffering a virus attack, and most of the computer systems were screwed.
Now, moan all you like about choice of OS in a hospital, but it seems to me that it's not just 'business' that gets harmed. There's no magic wand that means that non-profit organisations, charities or hospitals don't get pwn3d by viruses.
Crack dealers are often very good businessmen, and have to work hard to keep the supply chains running, salesmen on the streets, etc. We don't normally see them working for the DEA afterwards, or getting jobs on Wall Street with their acquired skills. Instead we lock them up for 20 years.
Crack dealers may be great businessmen on the streets, but often there are a different set of skills required to make it in legitimate businesses. Respect for social structure, having "cultural capital" (the ability to maneuver in these structures) and deal with gov't bureaucracy, etc. are things one working in underground markets doesn't have to deal with as much. For an example of a drug dealer trying to make it in legal business, I would suggest reading Philippe Bourgois's In Search of Respect : Selling Crack in El Barrio. A text common in many Sociology classes.
In the UK, Sasser forced staff at the Maritime and Coastguard Agency to return to manual map reading because computer systems were made unusable by the worm.
Check-in for some British Airways flights was also delayed thanks to Sasser.
Around the world, the Australian Railcorp trains stopped running because computer problems caused by Sasser made it impossible for drivers to talk to signalmen.
In Taiwan, more than 400 branches of the post office were forced to use pen and paper because Sasser crashed desktop PCs.
These are not mere annoyances to "soulless" corporations (which, by the way, employ lots of real people -- perhaps even yourself!). The failure of the UK Coast Guard's system or the train dispatching system in Australia could have easily killed people.
You're treading a dangerous path there, one in which all software authors are held legally responsible for bugs in their code.
Remember the first internet worm? That was an exploit in sendmail. There are rootkits for linux.
Still think the authors should go to jail? Or is it somehow different because MS charge for Windows? My company has bought plenty of copies of RedHat...
(Oh, I'm ignoring the fact that that's the most flawed analogy I've read here in a long time - the author of the sasser worm wasn't some innocent kid idly throwing stones)
It's official. Most of you are morons.