By Martin Brampton, 2 November 2004 07:49
COMMENT Sending virus writers to jail is unlikely to stop their behaviour, says Martin Brampton. And shouldn't our morally ambivalent society and the creators of vulnerable systems share the blame?
Some people want to see more virus writers sent to jail for long periods. The damage they cause can be substantial. But are they really such a threat to society that we should feel justified in locking them up?
Software viruses were originally created almost by accident. The idea of creating small pieces of software that could move from one computer to another is as old as networking itself. Perhaps it was irresponsible to experiment with such schemes and the early results produced surprisingly large problems.
Deliberate attempts to cause widespread damage followed. But, as one might expect, they came largely from the sector of society that causes by far the most disruption - young males. The vast majority of crime is committed by exactly this group. For that matter, armies consist mainly of precisely the same kind of people.
So we must accept it is part of the natural order of things that young men will look for ways to exercise their aggression, regardless of the constraints that society seeks to impose. Moreover, we live in an environment that is ambivalent about rules of behaviour. David Beckham merely reflected broader trends when he calculated that a deliberate foul was justified if negative consequences could be evaded.
Time and time again, financial institutions are being found guilty of deceiving their customers by selling inappropriate products or offering self-interested advice. This is not something that is confined to peripheral organisations run by mavericks. The companies that have rulings against them by regulators are frequently leaders in national or even global markets.
Headline cases such as Enron look to be only the tip of an iceberg. We know that quoted companies, taken as a whole, make public statements about their profits that cannot be sustained when the final analysis is made. Corporate executives talk about 'playing hardball' when they mean calculated breaches of rules that are deemed to bring more benefit than damage.
These factors combine with the fact we have created systems that are extraordinarily vulnerable. Huge networks have been built involving remarkable technical achievements. But little thought has gone into how they will be used when they embrace many different organisations and individuals.
The hazards are not confined to deliberate yet largely pointless damage. When interfaces are built between many commercial organisations with different goals, we have little understanding of how they will work. It is all too easy to assume that everyone will cooperate and comply with the letter and the spirit of the rules. Yet that is scarcely likely, given the general environment.
Pursuing the metaphor that has persuaded us to call malicious software that spreads itself a virus, what other parallels should we notice? In natural situations, we know the more uniform the characteristics of a population, the more vulnerable it is to diseases, including those carried by viruses. Yet the digital systems we build are substantially lacking in the kind of variety that would limit the spread of unwanted software.
It was almost certainly inevitable that as we constructed networks that linked vast numbers of individuals and organisations, we would find all the ills that afflict life in general. If it took virus writers to make us realise that, then perhaps our focus should not be simply their punishment. We need to be thinking a great deal more seriously about the kinds of network that will work successfully on a global scale.
There has never been a time when punishment, however severe, has eliminated behaviours that were seen as anti-social. Likewise, there is no reason to believe large computer networks can be freed of all ills. Computers are not independent mechanisms, they are tools that implement the intentions of human beings. Society is extremely complex but if we seek to make improvements, there is no substitute for careful thought.
Comments
There are 24 comments. Join the discussion
1. Patrick
"Some people want to see more virus writers sent to jail for long periods. The damage they cause can be substantial. But are they really such a threat to society that we should feel justified in locking them up? "
if someone breaks into your house, defecates in your bedroom, rips apart your furniture and then carves their name on your kitchen table. should they be let off because you didn't have large enough lock on our front door? and should you thank them for showing us the error in your security?
2. Adrian Lee
So we shouldn't be naive and think that everyone will play nice, and therefore, when someone makes some malicious software that causes thousands/millions of pounds worth of damage, we shouldn't do much to them, because well, it would be naive to think that they would play nice?
How about people commiting fraud? They can often get jail sentances, you think we should be more 'morally ambivilent' to them as well?
We shouldn't NEED to have to make networks immune to malicious attacks, people just should attack them in that way. The fact that it's daft to think people won't attack them, doesn't mean we should let them off.
A lack of effort in making something secure isn't always the case either. In areas it is, and people who end up getting infected by a virus that's been around for 2 years only really have themselves to blame as there are plenty of protection solutions around. But thats not to say the virus writer shoudl get off scot free for all the damage they would've caused when it was intially released.
It's like saying it's people's own fault when they get ripped off by some cowboy plumber, just because they don't know enough about plumbing.
Yes, virus writers who cause considerable amounts of damage should be locked up, like any other criminal who maybe goes round smashing up cars and costing lots of money that way.
3. Nigel Perry
You don't need locks on your houses, you don't need complex security on your computers, and you don't need to blame the victim of a crime. You just need to decide how many fingers per crime to amputate from the people who give grief to others.
4. anonymous
According to this idiot, because some capitalists are swindlers, anarchists crooks are innocent.
5. John Foster
Door locks are a good analogy. If a company sold door locks that could be easily picked they would quickly go out of business. And rightly so. I believe OS vendors have the same responsibility - to make sure their software is impervious to attack. After all, it's really not that difficult.
6. Steve
It's a crime plain and simple.
Yes, they should be locked up. They spread destruction and mayhem on a global scale.
I know what Devil's Advocate means but taking pity on the poor little virus writers is like saying in rape cases... it was the victim’s fault for wearing a short skirt. Absolutely no way.
We shouldn't blame the victims and go easy on virus writers just because in the most part they are immature kids. They are old enough to know it's wrong and they know it costs the rest of us millions. If they play, they pay the price!
7. John
If I though that the consequnce of breaking into your house was that I would get a job with a locksmith for 50k a year, I would happily smash down your front door.
The punishment isnt only for the hacker/virus writer. Its so that the rest of us know that there is a consequnce to their actions, and we feel slightly more secure when we turn of the lights at night.
8. RonB
It's criminal behavior that costs society at large. Jail time punishes wrongdoers and serves as a deterrent. Hopefully it will make these smucks think twice about the actions they are undertaking.
9. RonB
If secure software with multi-functionality and interoperability is easy to create why hasn't the chap who mentioned it started his own business? Designing secure software isn't a 100% guarantee. Why? Because it is designed by man and man is fallible. Don't misunderstand, I do believe that software makers should attempt to make their wares as secure as possible!
10. anon
If society wants these kids off of the net making constructive decisions maybe the corps that need their skills need to revise how they do their hiring. Bringing in virus writers and/or hackers is definitely a way to ensure you are getting skill but how can they tap this skill before the youngsters do something destructive? Tell them go to school and wait until they have a MA? Their very nature makes that difficult, the classes are remedial and nobody wants to give them a chance at a real job, so they write...and prove to the world. How to hire them before they break the law, that's the question.
11. anonymous
not only should they be locked up they should be beaten they are costing every one big bucksexcept the malware removel companiesthat invent the virus problem to sell their malware removal programs
12. anonymous
We've always punished young men for their antisocial activities, whether it's rape, violence or virus writing. We just put them in prison till they outgrow that kind of stuff. No reason why it shouldn't work of virus writing too.
13. Charles of Lamid Learning
Hello I am Charles Of Lamid Learning, i believe the virus writers should be dealt with one way or another. Our way was to create a Custumized Counter Hacking Course like no other in Ottawa Canada. Our course is a extreme 5day the overview is at our site, www.lamid.com
i hope this is another insight in the fight against them.
14. anonymous
While clearly breaking into a house or system and stealing or making a mess is an antisocial behaviour, so is breaking in looking around and leaving undetected without making a mess or damaging anything.
Everyone knows its easy to kick a front door in, and hence it is an antisocial crime. All the kids on the estate I grew up on knew how to open each others front doors without a key. A burglar taught my dad the hard way how easy it was to force a window. I have shown many friends how easy it is to pick or bypass a lock and how to make it difficult. This is not a crime and it educates them as to how easy lack security can be to bypass without leaving a trace.
In the world of IT many companies have no idea how easy it is to get through their security and if a grey hat wants to do so for fun, and inform them how easy it was to do so, the company in question should be glad they did so before a competitor does without telling them or leaving a trace.
If Linux hadn't offered a more immedeately secure alternative to windoze, MS would never have bothered to make it more secure.
Its the breaking that people should be punished for, not the entering. The fact that kids feel they can brag about breeching Linux security and not be prosecuted is why Linux is more secure. The sooner the windoze admins learn this the sooner we'll be rid of the vast wastes of unwanted network traffic that are a result of shoddy software.
15. anonymous
Your article is incisive, insightful and indicative of some serious thought about the matter and very well articulated. I do not know what the answers are but i see potential benefit in trying to do things right the first time, a path that is inherently difficult in a system that thinks short term.
16. johnny k.
I consider it as a crime. we should make internet a better place. PEACE INTERNET.
17. anonymous
Don't send them to jail. Execute them. If you raise the ante enough, it might discourage some and will remove some others from the "playing field"
18. anonymous
Execution seems to be a little extreme in this case - If they are mostly teenaged lads with raging hormones, surely castration would stop a lot of the problem? It would provide an incentive... I have no problem with moral hackers, when they are proving a point and demonstrating, but when there is just wanton destruction on the agenda (vandalism) that is another matter
19. Jim Kirk
Everything about this article is silly
Of course young males are problematic in almost all aspects of society but exactly what has that got to do with punishing them when their behavior exceeds societal norms (i.e. the Law).
The truth is whatever age or for whatever reason, these people wilfully attempt to disrupt the daily lives of people, not just corporations or networks, but every day people trying to communicate with their friends. They do so callously and not only with indifference for the consequence, but trying to create the largest possible consequence.
The article premises that punishment never prevented such behavior. Quite true there will be new criminals born/made every day, but without the law and punishment such behaviors could become far more common.
The argument that because other criminals (ie Enron) get away with it, or David B deliberately fouls someone is totally bogus. Whatever Society as a whole as as its moral centre, some criminals will always get away, and sometimes the consequence of the deliberate foul are less than the immediate benefit. As I remember Beckham had to work hard to regain his place in peoples good books.
Back to the point. Criminal activity should be at least kept in check by appropriate levels of punishment. Someone deliberately disrupting the lives of MILLIONS of people because it is "cool", could use a custodial sentance to teach them new meanings of the word and to assure the rest of us that society takes our distress and losses seriously.
20. anonymous
I like the idea of amputating fingers. That surely would make someone think when they sat down at a keyboard about whether writing a virus and releasing it was worth the risk.
21. Kairuka Tetsugara
I think they should have to dismantle irreparable computers for recycling in a white-collar prison facility. That way, they have to look at and touch computers every day but know that they can't use one. It's like eating a big old bowl of pasta in front of someone who just started the Atkins Diet :-). And hey, recycling computer parts is important, because some of the parts contain materials that really shouldn't escape into groundwater. After all, these guys should know how to take apart a computer, shouldn't they?
22. Doug
Good points, well thought out. Perhaps the punishment (and yes, there must be a consequence to anti-social actions) could be incarceration until the "perp" comes up with code to patch the vulnerability he exploited.
Full marks for the observation that a homogenous system is more susceptible to damage. The net was designed around a distributed architecture for a reason: we need "distributed" systems using it to keep it reliable.
23. anonymous
The "benefit" should not be the foundation of the Justice. Otherwise anything appearing not profitable or not in benefit of public or the economic system become a crime as just many express their opinions here.
Actually nobody cares the foundation of justice.
24. anonymous
Those who intentionally initiate outbreaks of viruses should be punished severely. This punishment should consist of long prison terms, public humiliation, and in some cases corporal punishment.