By Declan McCullagh, 18 August 2004 11:05
COMMENT Computer worms and viruses cost us millions in lost productivity and are among the biggest headaches for IT departments. So, says Declan McCullagh, the individuals who create these menaces should at least get the same types of punishments as car thieves and environmental polluters.
Jeffrey Lee Parson pleaded guilty last week to unleashing part of the MSBlast worm attack that wreaked havoc on the internet a year ago. He got off easy.
Federal prosecutors predictably touted Parson's guilty plea as an example for other would-be vandals. John McKay, the US attorney for Seattle, proclaimed: "The damage to individual computer users is very real, and the penalties are also very real."
Not really. McKay neglected to mention that Parson's all-expense-paid visit to Club Fed will be surprisingly brief. Prosecutors say that the deal they cut means that Parson, who is 19 years old, will be sentenced to between 18 and 37 months.
That's mild punishment for someone who admitted to inserting nasty features into the original version of MSBlast to make it more noxious. By releasing his MSBlast.B variant that took advantage of a bug in Microsoft Windows, Parson intentionally harmed tens of thousands of people for his own amusement.
Compare Parson's sentence with the far stiffer penalties that the government metes out to marijuana 'criminals', who harm nobody and cause no property damage. For the 2001 fiscal year, the average sentence for a marijuana offense was 38 months in prison, according to the Office of National Drug Control Policy.
Parson could be serving more time if he had simply stolen a neighbor's car on a whim. The average federal sentence for motor vehicle theft in 2000 was 28 months, the US Justice Department reports. Aggravated assault is punished with an average sentence of 33 months.
If prosecutors took real computer crimes seriously, might that deter future worm attacks? Consider that federal law says the maximum penalty for the offenses listed in Parson's arrest warrant is at least 30 years.
Light sentences for worm and virus writers is hardly a new phenomenon. In 1988, a Cornell University graduate student named Robert T. Morris released the first internet worm - and was eventually sentenced to three years' probation, 400 hours of community service and a $10,000 fine.
Morris probably didn't deserve a harsher sentence. He never meant for his worm to spread so quickly that it became a worldwide menace (a programming error, not malice, made that happen). Today's generation of so-called script kiddies have no excuse - their handiwork is carefully crafted to be both disruptive and destructive.
David L. Smith, who created the Melissa virus, which clogged the internet in 1999, was sentenced in 2002 to 20 months in prison and a $5,000 fine. Jan de Wit, the 20-year-old living in the Netherlands who wrote the Anna Kournikova virus, received only 150 hours of community service - and no jail time.
Better deterrence is especially important because the FBI and other police agencies have such a poor record of identifying the virus and worm writers that infest the internet's underbelly.
The FBI and its counterparts have failed to convict anyone for a slew of viruses and worms, including Code Red, Nimda, SirCam, Klez, Sobig and Nachi. Police failed to identify the author of the Slammer worm, which threw some bank ATMs offline and knocked out a PC network at a nuclear power plant in Ohio. (A $5 million reward fund created by Microsoft has had better luck, nabbing a Sasser suspect in May.)
You might expect criminals who intentionally infect tens of thousands of computers to be treated at least as harshly as environmental scofflaws. An example: In 1999, the plant manager at LCP Chemicals of Brunswick, Ga., was sentenced to six and a half years in prison for illegally releasing mercury and chlorine into a nearby creek. The chairman of LCP Chemicals' parent company received a nine-year prison sentence.
Worms and viruses pollute today's internet and cost society far more to clean up than LCP Chemicals' toxic release. So why do their creators get off easier?
Declan McCullagh writes for CNET News.com
Comments
There are 12 comments. Join the discussion
1. Eric
You obviously have never seen a prison from the inside, 18 to 37 months is no fun in prisson.
I sure agree virus writers should be punished hard, they break in systems they do not have access to so basicaly it's just burglaring 100.000 times.
2. miTchy
I think if you mess with the internet in any way shape or form the you should be punished...simple as that...it is a good thing going here...why ruin it??? There are too many other things in life to mess with...
3. anonymous
Personally i think they need to concentrate on more serious offences, ie Murder, Rape, Theft. Say if someone seriousely goes into a huge corporation then yes they deserve to get punished, people that get there joys off of ruining other corporations could use there abilities to probably say make anti-viruses and Firewalls. On top of that make them a lot of money and not be put in prison.
4. anonymous
Will longer punishments really help? Most of the young people doing this think that they won't get caught or fail to appreciate the consiquences if they do, so there is no (or little) deterrent effect. Besides, enhancing US punishment does nothing about the people in other contries that are doing this...
5. Eileen
Will severe punishments really serve as a more effective deterrent? The whole point of crime is to not get caught.
6. Don B So'lax
Make the punishment fit the crime - how about 1hour of community service for each computer infected with their worm, virus, whatever.
Or, calculate the time needed to clean and restore each pc infected, then multiply that times the number of PCS infected to equal the number of community service hours to be served by the purp...AFTER they've served 3 months in prison - just so they know what they're missing throughout their community service hours...and what a good 'deal' they got by 'just' getting community service instead of prison service.
7. Anon UK
Why dont you all wake up.. ?
These so called kids that write viruses know exactly what they are doing.
Attacking anybody, a company or individual is tantamount to assault. When your poor old grandma gets a virus on her PC and it causes here no end of worry, this is emotional assault. I think they should at the least lock these little **ards away for a very .. very long time .. make an example of them and stop virus companies employing them and basically rewarding thier destructive efforts.
8. anonymous
Try to deal with the cause - the buggy Microsoft software - not the consequence - script kiddies. Why not send the bill for disinfecting the pcs, your wrath etc to the maker of the software who made it all (worms etc) possible? To Microsoft that is? Some of the questions you might want to ask yourselves: Why does Microsoft make it soooooo easy for script kiddies to do their thing? Who asked Microsoft to enable active scripting in email messages? Why aren't Windows locked down by default? Why do we keep buying Microsoft's buggy software?
9. anon
they do cuase damage but putting 1 dude in jail for a long ass time for an idea and an inconvienence is hardy going to stop the millions of others. (they can only do this anyways becuase microsoft is so insecure and ineffecient an operating system.)
what is this with microsoft saying windows will be secure within 7 years? this is insane. dont blame curiosity, blame the incompetant comp sci majors who are cuasing billions of dollars in damage from releasing insecure software.
everything will be exploited, then patched, as long as there are 1's and 0's. sentencing somone to life for a handfull of code is rather.... close minded.
10. Blue
I'd have to say although people who write viruses know exactly what they are doing, they only know so on a technical sense. Of course you'd thrive off knowing that you have this sense of control over other things. There's no real sense of consequence, and I doubt longer jail sentences will actually help. For example, a while ago a couple kids in an apartment shot up people on the street with bb guns and got off with a small sentence. What they really deserved (IMO) is to each get shot in the leg with the bb gun, see how it really feels as a victim instead of all this 'oh I'm so sorry, I'll never do it again' crap which is just for show.
Unfortunately, few of these virus writers have actually been seriously hacked themselves. I think the biggest problem is user ignorance. If you're smart, you don't get many viruses, only the stupid tend to get infected.
The other major problem is indeed the software, but cranking out a perfectly stable system is near impossible. Lol, and there are too many so-called comp-sci majors who have half their heads stuck in the dark.
11. elliot smart
Some food for thought....
The next major international war will be an information war aimed at undermining the economies of countries through electronic sabotage and disruption. It is inevitable that this is so because the cost of real war is beyond the means of those who would wish to start one with the intention of winning. In a sense the hostilities have started with the use of internet fraud to fund terrorism.
However, todays virus writers are doing us a favour by a) continually probing for weakspots without the malice of a powerful follow-through and b)forcing us to learn some of the techniques of survival in such a war.
Now I'm not saying that these people should be feted or fed lobster for lunch, many of them are not the pimple faced kids they are made out to be but hardened criminals seeking to perpetrate the worst kinds of non-physically invasive crime. I am saying that 'winning the war on viruses' is definitely not a good idea since the real war hasnt started yet.
12. Jason Franks
While I have to applaud your example of marijauna users' stiff penalties, I also have to applaud anyone who takes the time to learn and point out inherent flaws in software. Why not hold the manufactuerers accountable? And lack of redundancy is probably the chief cause of loss in productivity and profit.