Japanese Man Arrested For Storing Malware
Orome1 writes "38-year-old Yasuhiro Kawaguchi is the first person in Japan to get arrested for storing malware on his computer after the upper house's Judicial Affairs Committee has confirmed the new anti-malware law passed by the Japanese parliament. The law considers the creation, distribution and storage of malware a crime punishable with up to three years in prison and a fine that could reach the sum of 500,000 yen ($6,200)."
Surely any "white hat" working against malware needs to store malware someplace, right? What a dumb law.
The article says the charge was "storing a computer virus without a legitimate reason". In this case, the suspect "told the MPD that he did it to punish people who use file-sharing software"; do you consider that "a legitimate reason"?
Not dumber than cyber-crime law in other countries. Politicians don't understand the whole computer/network thing.
So... I'm guessing they don't have AOL in Japan then?
So, they effectively locked Microsoft out of Japan?
The summary is pretty poor (as usual). The article says 'The revised Penal Code, which was enforced July 14, bans storage of a computer virus for the purpose of infecting other computers.' I doubt Symantec or McAfee store for the purpose of infecting other computers.
Read the articles before commenting.
"the creation or distribution of a computer virus without a reasonable cause"
You could consider Symantec/McAfee a sort of disorder, which is tolerated or even sometimes selected for by its host because of the protection it confers against another pathogen. Sort of the sickle-cell anemia of the computer ecosystem. But probably not a "virus", so it depends on how specific that is...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
FTFA:
Kawaguchi uploaded a file containing the virus, which was titled to suggest child pornography, to the Internet via the file-sharing software Share
Well, normally I consider people who upload viruses via file-sharing software to be scum of the earth, but this guy seems like he was actually doing it for a moderately good cause. "Think of the children" is hella overused, malware is malware, and vigilante justice is questionable, but punishing this guy seems kinda weird, especially that strongly. Also, how the hell do they define "storing" malware? Technically, that could mean anyone infected is guilty, which is really scary.
I'm sure it won't be abused, of course. /sarcasm
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
What the hell?? What is Japan's government's definition of "storing"?? So, if I get malware on my computer and don't detect it, I can go to prison for 3 years if the government somehow finds out??? Surely they mean this only if you have the source code? I can't see that they would put someone in prison for having files on their machine that are infected with malware.
I doubt Symantec or McAfee store for the purpose of infecting other computers.
No, their regular products do that quite nicely, thank you.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
How will they differentiate between active distribution of malware and infected machines? If some agency identifies an IP address handing out a virus, will they send in a SWAT team to confiscate all computers to search for installed malware, or how should this work?
Actually they do, but they just happen to OWN those computers as well.
http://xkcd.com/350/
For years I saved all kinds of malware - mostly email worms. I never ran them on my main PC but I felt that there was some entertainment value from attempting to run them in Wine or in a controlled environment. I don't see how that should possibly be illegal.
The summary is pretty poor (as usual). The article says 'The revised Penal Code, which was enforced July 14, bans storage of a computer virus for the purpose of infecting other computers.' I doubt Symantec or McAfee store for the purpose of infecting other computers.
Ask yourself this, who has the most to gain from the continued proliferation of malware?
If malware ceased, virus companies would go under. I'm not specifically saying that Symantec et al write malware, but it is in their business interests to do so, or to encourage its growth.
The German law is actually even dumber.
If I understood the Japanese law correctly, you'd have to have some kind of intent to use that malware to infect other computers to break it. So far, so good. Personally, I don't see anything wrong with that by itself, creating, storing or distributing malware with the intent to infect should be punishable. I wonder how they want to discriminate between intentional and accidental spreading (after all, it could well be that he himself downloaded that somewhere and didn't even know it's malware), but if they find a way to actually identify the intent of someone, that law could actually do much good.
The German "anti-hacker law" cannot. There is simply no angle or way this could possibly have any beneficial effect. Basically, what the law says is that a "hacking tool" is illegal. There may be an exception for good reason, so far nobody tested it. I actually cannot remember a case where it was used. And it's sufficiently ambiguous that a hex editor could be subject to it or a firewall that lets you configure the packets it replies with. But let's stay with nmap, hping and all the other "hacking tools" for a moment. These are very well known and quite powerful tools to check the security of a network, so they can be used to find weaknesses in it, hence they're hacking tools.
And auditing tools. Why? Because auditors use exactly the same tools for an obvious reason: Everything you can use to find weaknesses in a network to break into it can also be used to find weaknesses in a network to fix and seal them. Unfortunately, the law makes little difference in intent. Because not the use, but the possession, is already illegal. And when I own a rifle with a scope, it doesn't make any comment yet on whether I go on a killing spree with it or whether I'm a hunter.
Now let's ponder for a moment who gives a shit about a law that makes those tools illegal: An auditor, whose job and pretty much his career hangs on his police record being spotless, or a criminal who plans to commit a crime much more serious than "possession of hacking tools".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I truly hope that includes an exception for infecting computers you own (that cannot infect other computers that you do not own). Otherwise, yes, they most definitely do.
It is somewhere along the lines of breaking your own leg to prevent yourself from getting on a bike, because then you might have a nasty crash and hurt yourself.
Ask yourself this, who has the most to gain from the continued proliferation of malware?
Spammers and criminals.
They've shoehorned enough malware into my Windows system to get me put away for 200 years!
Surely any "white hat" working against malware needs to store malware someplace, right? What a dumb law.
You really should read the article. Pay particular attention to the wording used to describe what is illegal.
You are correct. It's been known for a long time, but it's a tough issue to deal with because: no antivirus program will catch everything, even the most robust that exists today, as there will be new things tomorrow. Etc etc.
So beyond them trying to keep it above a level of "unreliable", there's a level of "keeping out malware" they will never successfully reach anyway.
Slightly better article here with some extra info:
http://mdn.mainichi.jp/mdnnews/news/20110721p2a00m0na006000c.html
Just a personal opinion, Yomiuri is okay. But it's pretty close to sensationalist journalism without the meat. In the future people would be better off using, well, just about anything else.
Om, nomnomnom...
A side effect of punishing researchers is that there will now be a deficit in that field for the next 10 years. In other words, Japan will be importing talent. Time to start learning Japanese :) Dewa, hajimemashou ka?
Technically, though, having a virus-infected PC is both storing and distributing viruses....
Both McAfee and Symantec sell products other than antivirus, though... Kaspersky may suffer a little if viruses disappeared, as may AVG and Avast!, but McAfee and Norton wouldn't be hurt at all. Microsoft certainly wouldn't suffer if they had the opportunity to drop Defender... that one's a money pit for them, and their profits would actually go up.
But as others have pointed out, criminal syndicates who use viruses either to collect credit card info, or to launch DoS attacks for the purposes of either keeping competitors off the 'net or blackmailing companies have a *lot* more to gain than Antivirus makers. Antivirus makers are simply profiting off the need to fight back against the people who are actually writing the viruses.
So if my grandma, who doesn't know how to use a computer, clicks on and downloads Bonzi Buddy because a purple ape told her to, is she guilty?
If I understood the Japanese law correctly, you'd have to have some kind of intent to use that malware to infect other computers to break it. So far, so good. [..] The German "anti-hacker law" cannot. There is simply no angle or way this could possibly have any beneficial effect. Basically, what the law says is that a "hacking tool" is illegal.
I don't know of any actual cases based on this *great* law but two criminal self-complaints - both were dismissed by the prosecutors. A constitutional complaint was not accepted because the law does not infringe any fundamental rights.
Both the Japanese and the German laws are stupid, as it is impossible to enforce them with reasonable methods:
* The literal application of the German one would forbid even "hacker tools" like telnet.
* Japanese law enforcement agencies will have problems distinguishing between illegal distribution of malware and infected machines. Confiscating and analysing every computer of an IP distributing malware _is_ effective but not reasonable.
My friends and I used to collect viruses. This was before the term "Malware" was invented. We kept them on floppies and it was simply a contest to see who could collect the most.
Is your grandma Japanese, or living in Japan?
But without intent. And someone who is clueless enough to collect active malware on his PC can credibly claim that there was no intention behind it.
I dunno about your courts. Ours follow the logic of "don't assume malice if stupidity is enough of an explanation".
I remember those two self-reports of two malware researchers, both having been dismissed by the courts (iirc, one didn't even get so far but was threatened to get smacked for contempt if he continues to persist... draw your own conclusions), so far no verdict has been issued on the matter.
Personally, I think it's one of those "just to have something" laws. You know, the kind where you get a shady, not-quite-fully-in-sync-with-procedures warrant, crash into the home of the "pesky" individual, find nothing and now need something to justify that warrant.
We get a lot of those laws lately. Laws where you ponder how the heck they should be enforced since what they criminalize can only be found AFTER you had a warrant...
I ran servers for years and years as a sysadmin, now I run/develop for servers. From time to time this and that gets hacked, most of the time it is just attempts that leave some binaries, sources here and there. I always keep these to see what they do, how they do it and as a reference to any in-the-future attempts to see if a name, email or something pops up again from an older attack. I keep logs, hacked files packaged and usually password protected.
This law is stupid! I 100% agree. Even writing malware is something legit if you do not distribute it. Be it a hobby, a profession, or whatever else.
In that case, Chrome's document inspector is an illegal hacking tool... so is notepad.exe.
I have some programs with that behavior on my Windows computer. Arrest me.
Which would be innocuous? Oh, Japan. I see.
We're not talking about "stealing" information, which involves either espionage, NDA violation, or copyright infringement. We're talking about possessing a copy of information that one already has the right to possess under copyright or trade secret law. Some people think such possession should be a crime just because the information happens to be a harmful computer program.
I was under the impression that Intropy's comment assumed "harmonization" of this Japanese statute into other countries' legal systems.
Part of me wants to scream ABOUT TIME. I thought it was outrageous back in 2003 and 2004 when malware really began to infect dial up users within seconds and why no one would do anything about it? I mean what if someone tried to break into your home every 30 seconds? Or what if each time you stopped your car at a light people would dash towards your car trying every method to break in?
Today it is normal to shrug our shoulders while a single person has 675,000 credit card numbers and names.
Yes, this law is stupid and I do agree, but at least it is a step in the right direction and yes, many, many, and I mean many, criminals need to be thrown in jail. It is like the wild west, and for a while when IE 6 was popular, the threat of e-commerce leaving the web was real. To this day I refuse to do online banking because I am so paranoid. If banks had authenticators like World of Warcraft I would check it, but it is not worth the hassle of having my account compromised. ... I develop sites for IE and Windows so probably that is a good thing on my PC.
http://saveie6.com/
It ain't hard to find ridiculous applications for that law, is it? :)
Given the wording of the law, almost everything remotely dealing with networking could be twisted into being a hacking tool. Here is the original law, unfortunately I'm not good in legalese to try my hand at a sensible translation. Essentially, what it says is that somehow "dealing with" (i.e. creating, storing, acquiring, selling, forwarding...) passwords or codes to access data or programs created for the purpose of committing the crime of intercepting or illegally accessing data is illegal.
The interesting part is that "for the purpose". And depending on how you want to read that, either the law is completely useless or insane. Either you assume that no program that can be used for such a purpose has been written with this purpose in mind, because pretty much all of them can also be used to audit and test security with the purpose of improving this security, which renders the law quite use- and toothless.
Or you assume that every program that can be used that way was created with this purpose in mind, outlawing not only all network security tools but also technologies like rainbow tables and accessing (let alone operating) webpages listing default passwords. Given the wording, one could even construct something like outlawing the information (and of course teaching) how to test your network for security leaks, since this information could be considered a tool for "hacking" by itself.
The danger here is that most of security is in information, teaching and learning. nmap is useless if you don't know how to read its output. hping is useless if you don't know what flags to set to get a sensible result that tells you something (again, information needed to understand that output after you know what to input). The magical "press here to find security hole" tool does not exist, even though Nessus is often abused to this end.
My guess is they watched this video and took the crap seriously. It's in German. But I think the inanity is understandable even if you have no idea of the language.
And Symantec and McAfee. Also, Apple.
Wealth is the gift that keeps on giving.
Here's a fine line: for a network or computer systems administrator, a disk of the latest malware is highly appropriate as the only means of ensuring the quality of computer systems protection software is functioning properly, i.e. you attempt to infect the system in a controlled fashion and check to see if the various protection systems are functioning correctly. Via this method I at one stage was able to ascertain a configuration fault, as the system was not updating remote units by reason of a simple reference to a wrong directory (some contractors are not that competent).
Chaos - everything, everywhere, everywhen
Please read the law, that goes for any slashdotters, especially the poster.
The law forbids having malware on your computer with the intent of spreading it, or rather, without the special intent of fighting it. So, you have to prove your intent to fight malware if you want to store it in your systems. Symantec, McAfee etc. have no problem in proving that (years and years of releasing products to fight this), the same with any open source guy who has ever submitted (let alone got) a patch to clam etc.
The law is actually very clever and well thought out, unlike if it was made in America or Australia, it actually tackles the problem and not a superficial PR stunt.
The guy arrested, and if the facts are as stated in the article, will be the first convicted, was storing malware on his system with the intent of spreading it via p2p systems, allegedly because he himself sees this as an evil piracy service that needs his personal punishment. It might convince others that this is not the way to go.
I ran servers for years and years as a sysadmin, now I run/develop for servers. From time to time this and that gets hacked [...]
Are you working for Sony? :)
Seriously, you should reconsider your security policies if it happens from time to time. Subscribe to security lists, upgrade software more often, change your OS/distribution for a better one, improve your firewall(s) configuration and/or whatever else you think might be improved. "From time to time" sounds too often to me.
What about the 20% or so of Windows PCs infected with malware? Does this law mean their owners should be indicted immediately?
The Japanese legal system is complicated somewhat. It doesn't work the way many other legal systems work. The police have a fair number of freedoms when interrogating suspects, such that getting confessions is easier than it might otherwise be. So to prove intent is not so difficult if you can convince the suspect to confess (as seems to have been this case here).
You might notice that I'm choosing my words carefully. Like I said, things in Japan are different. I'm not an expert on these matters, and there is no lack of people who will jump all over the Japanese legal system. I'll just say that the prosecutor's conviction rates are 95% and a great deal of those convictions come from confessions -- far more so than any other country in which I've lived. But the prosecutor is supposed to be impartial and acts to protect innocent people as well as go after guilty people (and to a certain extent, I really believe that happens).
So the upshot of laws like this in Japan is that you have to be very careful *ahead of time* to make sure that what you are doing will be interpreted in the right light. If you do that, you're probably OK.
Erh... no. Not necessarily. Having a trojan to test the security of a computer system is like having a single sample of e coli and using it to see whether a patient's immune system is up to speed. It works, but only if the patient just happens to be not immune. What if he is against this sample but not against the billion others?
Also, given the heuristics getting better in contemporary malware scanners, you might be surprised how many they find even if the sig file they use never had any exposure to the current flavor of the attacker. You might see a scanner detecting something while still lacking current updates. Be careful when relying on that kind of security audit!
I'd rather think that this has more to do with Japanese culture and the general "I vs. we" difference to Western cultures. I have noticed that the Japanese people I had to deal with put a lot of emphasis on the way they're being viewed and how they affect others, compared to people from Europe or the US who are far more egocentric and more concerned about their personal gain. That's not to say that Japanese are altruistic (far from it...), rather that they seem actually concerned how their actions affect others and how they want to atone even for only perceived transgressions rather than having people think they act selfish.
Should have a bypass, such as a white hat or security company or employee studying it... just like diseases for labs etc.
I don't know where you're from, but in the U.S. there are far too many DAs who will attempt to indict nearly anyone for nearly anything on the thinnest of pretexts and without regard for the clear intent of the law.
They usually get shot down quickly by our judges. I guess that's the result when you have a system where judges for superior courts are chosen by their peers instead of being appointed by an administration. They tend to follow the spirit of the law since they want to be considered for higher "honors" and it's general consensus amongst our judges that attorneys who try to bend, stretch or otherwise mutilate the law should be shown their limits.
The drawback is that judges try to weasel out of controversial cases since they know that, no matter how they cast their verdict, it will reflect badly on them. Some judge will certainly disagree.
No, the funny thing is that you're wrong about that.
High risk businesses have a lot of attacks. Throw-away servers get some malware here and there. These are next-next-next install boxes with default LAMP and wordpress/joomla/etc .... Most of the attacks are unsuccessful, but they leave traces, sometimes binaries uploaded here and there.
BTW I program full time now and let the network people deal with this kind of stuff. :)