Germany's Sasser Worm Suspect Confessed-Police

SOURCE (http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=5080012)

BERLIN - The 18-year-old man arrested by German police on suspicion of creating the destructive "Sasser" computer worm confessed to police that he had programed the worm, a police spokesman said on Saturday.
"He made a confession to police," said spokesman Frank Federau for Lower Saxony police.

Federau did not give any details on where the admission was made or whether the man went to police before they searched his parents' home, where he also lives, on Friday afternoon.

Federau said more details would be available at a police news conference at 5 p.m. (1500 GMT).

Sasser, a tenacious computer worm, is expected to infect millions of machines before it runs its course.

Since appearing a week ago, it has wreaked havoc on personal computers running on the ubiquitous Microsoft Windows 2000, NT and XP operating systems, but is expected to slow down as computer users download anti-virus patches.

Some people's kids.
I think it's time to make an example of one of these losers.
Serious jail time and heavy financial penalties.
Screw him good and maybe his fate will give pause to other potential worm/virus authors.

The WWW is not just a toy or a way to kill some time on forums, it's a vital part of the worldwide infrastructure and these morons who casually screw around with it should be treated accordingly.
His action was fundamentally no different than someone who releases anthrax or Sarin into the wild. He is a terrorist.
Age is no excuse.
Let him rot.

I agree, these things can risk lives.

For example this one appears to have affected the UK Coast Guard.

Source (http://www.wired.com/news/infostructure/0,1377,63325,00.html?tw=wn_7techhead)

Who knows how many lives have been put at risk, or indeed lost as a result of this type of behavior. It is time we made it clear that it is not acceptable.

how is that possible? maybe he's just a pupet and the real author is still in hiding...

and why "confess" to police?

do I smell bullshit here? <_<

Boy, James...
Jumping right to the conspiracy theories, aren&#39;t we?

Maybe he confessed because they had strong evidence against him, hmmm?

Just a theory.
I guess we&#39;ll have to wait till the police press conference and see how dubious the story is.

What he did was certainly not acceptable but....


Originally posted by clocker
His action was fundamentally no different than someone who releases anthrax or Sarin into the wild. He is a terrorist.

that really is hysterical and also quite offensive to the people who were killed in the Sarin attack in Japan. There is no comparison between murder and releasing malicious code.

Also any Gvt body that was affected by this worm should sack their administrators. I&#39;m not joking. There is NO NEED to have port 135 open to the internet on any system, let alone safety critical systems.

That is in no way detracting from the authors guilt but...

If your local hospital left the ambulance doors unlocked and they all got stolen you would blame the thieves, but you would also blame the stupidity of whoever left the ambulances unlocked. This is exactly the same scenario. Utter incompetence.

This worm should have been a non-issue for any commercial or government body. There is absolutely no excuse for such organisations getting caught out by this worm.

clocker i think you need to pipe down a bit..

Originally posted by leftism@8 May 2004 - 11:52


that really is hysterical and also quite offensive to the people who were killed in the Sarin attack in Japan. There is no comparison between murder and releasing malicious code.


Lefty,

1). The people killed in the subway attack in Japan are currently dead. As such, they are incapable of being offended.

2). You have no idea of the life-threating ( or indeed, life-ending) consequences of disrupting computers worldwide. As pervasive and essential to modern life as computers are, it takes little imagination to see just how lethal a computer attack can be.

3). Whether or not computer administrators also share responsibility for any harm is completely irrelevant to the question of this kid&#39;s guilt or the severity of his punishment. If I was wounded by a stray bullet, your argument lays the blame at my feet since I wasn&#39;t wearing a Kevlar vest, a "reasonable precaution" in the neighborhood, perhaps. The two issues are not at all linked.
Punish the kid first and then look to others later.

JB,
Although I didn&#39;t feel I was especially strident in my first post, I see no reason to "pipe down".
A wonderful tool is being corrupted and placed in jeopardy almost daily now, and I hate the idea of armor-plating Sprocket just to defend her against the imprecations of some pimply- faced basement dweller.
These clowns need to be treated as the criminals they are, not as poor, unaware children.

I agree with clokers opinion.

Neither Sarin (http://www.geocities.com/CapeCanaveral/Lab/7050/) nor Anthrax (http://www.bt.cdc.gov/agent/anthrax/index.asp) has the power or capabilities to cause so much damage and influence so much in so short time. You may just not fully realize what it means.
Imagine this scenario:

#1: A virus like Sasser is created.
(However now, after the first one, way more sophisticated)
#2: Sasser 2 is released into the Net.
(But it does not activate yet, only spreads itself throught the Net with low efficiencyand waits for the call to activate)
#3: DoS, DDoS or other type of attack on major AV companies and System Developers/Supporters.
(No quick way of stopping by system or AVs definitions update)
#4: Designated time aproaches and the virus activates itself.
(Less fortified systems fall, medium ones are severly damaged and temporarly offline, best protected systems become overloaded and reduceall traffic. Mass-Media gone bye-bye for a week, only local services work. Internet slows down and becomes useless for the time needed to get servers back online.)


Fiction, you say ? No. Colorized ? Yes. But, please do remember, that what sometime ago was impossible now is old fashioned.



1). The people killed in the subway attack in Japan are currently dead. As such, they are incapable of being offended.

Keep in mind that most religions have a after-life part so by that, a beliver is being offended.

Originally posted by Autumn Fox@8 May 2004 - 16:53


Keep in mind that most religions have a after-life part so by that, a beliver is being offended.
Sounds like a pretty crappy afterlife if they have the time, or the desire, to be offended by living dweebs such as I.

Count me out.

JBR,

I doubt our 18 internet thug is very streetwise and this is probably his first run-in with the law. When the men in black came to his house and got in his face and promised him a life in prison where his ass would see more traffic than an ashtray at a Pall Mall convention if they didn&#39;t get his full and immediate cooperation, he probably caved.

"You hold out, we&#39;ll throw the book at you. But if you talk, maybe we can cut a deal." Rather standard police practice to intimidate, pretend to know more than they do and embellish the penalties.

I caught onto this trick after my 15th arrest. ;)

http://www.zigarette.de/shop/media/pall_mall_soft_pack.jpg

Clocker,

I know this guy who is spending a tremendous amount of time and energy to optimize his computer. He wants to improve its efficiency and test its limits. Why, because he enjoys the learning and the challenge, and that is it. Minesweeper and Solitaire don&#39;t require that much tweeking to run effectively.

I look at hackers the same way, trying to test limits and simply see if they can accomplish something. Particularly if all the worm does is shut down the computer.

So I see the intent as being far different than a single minded effort to kill. We really shouldn&#39;t make light of attacks which have killed people. We cannot offend the dead, but we can re-open the emotional wounds of their surviving heirs. I would definately be angry if someone equated a virus which turn off computers to 9/11.

You are totally correct that the crime is greivous and harsh punishment should be dealt. After all, this is not a matter of a few minutes work, but a premeditated and dedicated attempt to corrupt an essential societal utility.

I imagine the young man would have been devastated if people had died, but he must be accountable for any consequences of his action. Ignorance of the potential consquences is not an excuse.

An example needs to made so that those future social outcast hackers can see that the punishment far outweighs their 15 minutes of infamy.

The truth is that if you can create a computer virus which has the means to spread itself and targets the right function, you can cause such disruption of the internet, that many people could potentially die. This would be an act of terrorism.

I don&#39;t think that the penalty for attempting such acts would disuade any real "terrorist", but stiff penalties for doing what this kid did, might seriously scare off the thrill seeking hackers.

Originally posted by clocker+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (clocker)</td></tr><tr><td id='QUOTE'>Lefty,

1). The people killed in the subway attack in Japan are currently dead. As such, they are incapable of being offended.[/b]

The families of those who died, whatever, ... the point remains. It is offensive to compare this to mass murder.


Originally posted by clocker@

2). You have no idea of the life-threating ( or indeed, life-ending) consequences of disrupting computers worldwide. As pervasive and essential to modern life as computers are, it takes little imagination to see just how lethal a computer attack can be.


How many worms have there been since 1986? A hell of a lot. How many deaths caused by these worms? None that I know of, and I&#39;m sure the media would tell us all about it if it happened.

If the release of a computer worm was as dangerous as your making out (on the same level as sarin gas or anthrax) we would have had tens of thousands of deaths over the last 20 years. If you wanted to keep it purely recent for the sake of comparison to todays networked world we should have seen a few thousand in the last 3-5 years alone.

The point is that we do know the consequences of disrupting computers worldwide. Its been happening on a fairly regular basis for 2 decades.

<!--QuoteBegin-clocker
3). Whether or not computer administrators also share responsibility for any harm is completely irrelevant to the question of this kid&#39;s guilt or the severity of his punishment. If I was wounded by a stray bullet, your argument lays the blame at my feet since I wasn&#39;t wearing a Kevlar vest, a "reasonable precaution" in the neighborhood, perhaps. The two issues are not at all linked.
Punish the kid first and then look to others later.
[/quote]

1st.. That analogy is completely inappropriate.

Securing a networked computer that is responsible for safety is in no way the same as wearing a kevlar vest in a bad neighbouthood. Securing a networked computer is the same as locking your car or your front door. It&#39;s common sense and moreover, if you are an administrator of an important computer system its the most basic of duties and your getting paid good money to do it.

2nd. I know the incompetence of administrators is irrelevant to the question of his guilt or punishment. I&#39;m not talking about that. I&#39;m talking about the damage done to important systems. That is the responsibility of the administrators. As I said, this worm should have been nothing to these Gvt systems, zip, zero, nada, nothing. Only the complete stupidity of certain overpaid individuals allowed it to be a problem. I cannot emphasise this enough.. there is no explanation asides from gross negligence of the worst kind that can explain how these safety critical systems were affected.

What happens time and time again in these cases, is that we "punish the kid", have a hysterical outburst for a little while, and then get back to the same state of affairs we had before. These idiot administrators stay in their jobs making the same mistakes in preparation for the next inevitable worm, and it is inevitable until some clever spark comes up with a solution to completely solve the issue of criminality.....

After 20 years of internet worms its time we got real and realised hysteria about terrorists and the end of the world does not help, it hinders by drawing attention away from an important issue that&#39;s been overlooked for far too long.

I know this guy who is spending a tremendous amount of time and energy to optimize his computer. He wants to improve its efficiency and test its limits. Why, because he enjoys the learning and the challenge, and that is it. Minesweeper and Solitaire don&#39;t require that much tweeking to run effectively.

I look at hackers the same way, trying to test limits and simply see if they can accomplish something. Particularly if all the worm does is shut down the computer.

So I see the intent as being far different than a single minded effort to kill. We really shouldn&#39;t make light of attacks which have killed people. We cannot offend the dead, but we can re-open the emotional wounds of their surviving heirs. I would definately be angry if someone equated a virus which turn off computers to 9/11.
Hobbes,
I think I&#39;d enjoy meeting this "guy" that you know, he sounds like a kindred spirit.

Isn&#39;t it possible to test the limits of one&#39;s skills in a controlled environment?
Is it really necessary to release your pet program worldwide and then hope that nothing bad happens?

I certainly did not mean to make light of attacks which have killed people in the past, I meant to point up the fact that a virus/worm which "just shuts down computers" willy-nilly can be equally as deadly in our modern world as Sarin or anthrax.

Had the Sasser worm shut down my PC ( it didn&#39;t), I would have been irritated and inconvenienced.
My Minesweeper and Solitaire scores would have suffered.
No biggie.
But what if my computer monitored my insulin level or heart rate?
What if I was an eighty year old shutin who&#39;s primary contact with the outside world was my PC?
You are a man of considerable imagination
hobbes...these scenarios and more I&#39;m sure, have crossed your mind.

How pissed off would the author of this worm have been if HIS PC was suddenly removed from his conrol and then randomly shut down?
You think he didn&#39;t think about that as he went about his work?

Originally posted by clocker@9 May 2004 - 05:01
What if I was an eighty year old shutin who&#39;s primary contact with the outside world was my PC?
You are a man of considerable imagination
hobbes...these scenarios and more I&#39;m sure, have crossed your mind.


Yes, I admitted that it could be a very lethal thing to do. It is all about intent.

I was more discussing how a "decent " person could do a "bad "thing" as a result of an attempt to test limits, rather than a maniac hoping to kill as many as possible.

Laws should be set up to really punish these people so the weekend hacker is strongly disuaded from testing the limits.

Stay out of my computer and fuck with your own is my motto.

BTW, this guy I was talking about, well he comes off gay. :lol:

Originally posted by clocker
But what if my computer monitored my insulin level or heart rate?

Such a system has no business being connected to the whole internet. This system would and should only be available to the systems it needs to &#39;speak&#39; to.

If someone allowed this system to be reachable from the entire net, they should be prosecuted in the same way that a train company that fails to meet safety regulations is.

A couple of things spring to mind:

1. As I remember, internet news was from Nuremburg, so I think we can rule him out.

2. Clocker-I have made the acquaintance of Hobbes&#39;s friend; he&#39;s quite a piece of work, but I don&#39;t think he&#39;s gay.

Actually, he&#39;s a rather sober individual who loves to drink. ;)

3. While I must say I agree for the most part with Clocker&#39;s opinion of this individual and wishes for his future prospects, I am compelled to also note that many people would/could equate the necessity of an unsullied WWW with that of the free flow of oil at a fair market price.

4. Those who complain of the impropriety of rash comparisons between internet shenanigans and Sarin attacks might think twice before comparing George Bush to Adolph Hitler.

Just my opinions, of course.

Originally posted by j2k4@9 May 2004 - 05:43
4. Those who complain of the impropriety of rash comparisons between internet shenanigans and Sarin attacks might think twice before comparing George Bush to Adolph Hitler.


That one may just be a classic.

Just remember, it was Clocker who did such.

Originally posted by j2k4
Those who complain of the impropriety of rash comparisons between internet shenanigans and Sarin attacks might think twice before comparing George Bush to Adolph Hitler.

I wasn&#39;t aware that anyone complaining about the "impropriety" of "comparisons between internet shenanigans and Sarin attacks" had compared Bush to Hitler.

The search facility doesn&#39;t show me or Hobbes comparing Bush to Hitler and we&#39;re the only ones complaining about the sarin/internet worm comparison. You&#39;ve obviously made an innocent mistake. :)

Perhaps I should clarify.

Clocker compared the internet attacks to the Sarin attacks. I think this is an overstatement, with all due respect.

The reason I thought J2K4&#39;s post to be a classic is that many individuals like to make equally inappropriate comparisons between Bush and Hitler, and feel themselves fully justified.

The families of those who died, whatever, ... the point remains. It is offensive to compare this to mass murder.
Sorry, but I disagree.

I know the incompetence of administrators is irrelevant to the question of his guilt or punishment. I&#39;m not talking about that. I&#39;m talking about the damage done to important systems. That is the responsibility of the administrators.
Secondarily, yes. The primary responsibility still lies with the author of the worm/virus.

What happens time and time again in these cases, is that we "punish the kid", have a hysterical outburst for a little while, and then get back to the same state of affairs we had before.
Hmmm, since punishment hasn&#39;t worked in the past, I suppose we just let the little geek go.
After all, what&#39;s the point.
BTW, punishment for murder doesn&#39;t seem to be terribly effective either, so....

Leftism, I have no problem with your dislike of incompetent computer security experts...we actually agree on this one ( despite my lack of knowlege of the field...).
That still does not shift responsibility from the malicious authors of the code attacks, and, despite a lack of direct casualities, the very real threat that they pose.
If not the Sasser worm, then the next.... or the next...inevitably, a worm-to-come will be intentionally malicious-let&#39;s shut down the powergrid or launch an attack on a nuclear power plant- and the defense is what, "It&#39;s the fault of the computer admins"?

Originally posted by clocker+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (clocker)</td></tr><tr><td id='QUOTE'>
Originally posted by leftism+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (leftism)</td></tr><tr><td id='QUOTE'>I know the incompetence of administrators is irrelevant to the question of his guilt or punishment. I&#39;m not talking about that. I&#39;m talking about the damage done to important systems. That is the responsibility of the administrators.
[/b]

Secondarily, yes. The primary responsibility still lies with the author of the worm/virus.
[/b]

Of course, but if you want take practical steps to address the nuisance caused by these worms your going to have to deal with these administrators.

It&#39;s like having a town full of people who refuse to lock their doors. Unless you have a magic solution to get rid of all the burglars these people are going to have to learn to lock their doors.

Allocating responsibility and punishment is one thing, but by the time you get round to doing that its too late. The horse has already bolted, the damage is already done. Dealing with these incompetent administrators will preempt future attacks and will produce practical results. At the moment the media circus and scaremongering that surrounds these cases seems to divert peoples attention away from this factor again and again.


Originally posted by clocker


Originally posted by leftism
What happens time and time again in these cases, is that we "punish the kid", have a hysterical outburst for a little while, and then get back to the same state of affairs we had before.

Hmmm, since punishment hasn&#39;t worked in the past, I suppose we just let the little geek go.
After all, what&#39;s the point.
BTW, punishment for murder doesn&#39;t seem to be terribly effective either, so....

I&#39;m not suggesting we shouldn&#39;t punish the kid and I&#39;m sure your aware of that. I&#39;m saying that punishment alone will not solve this.

<!--QuoteBegin-clocker@

despite a lack of direct casualities, the very real threat that they pose.
If not the Sasser worm, then the next.... or the next...inevitably, a worm-to-come will be intentionally malicious-let&#39;s shut down the powergrid or launch an attack on a nuclear power plant- and the defense is what, "It&#39;s the fault of the computer admins"? [/quote]

I think the media have to take responsibility for this popular misconception and for the complete lack of focus on the admins who are 50% of the problem.

The fact is that worms spread randomly and as quickly as possible, If nuclear power stations and power grids were vulnerable to worms (i.e directly connected to the net) they would have been hit many many times in the last 20 years. The worm would not have to attack them purposefully as you&#39;re suggesting. Worms "attack" everything which is why we definitely would have had some disaster by now if it were possible.

This is why I find your comparison of mass murder and terrorism with malicious code to be completely inappropriate. Worms are simply not a "real threat" to the national infrastructure and cannot be compared to nerve gas or biological warfare.

They are a nuisance and can cost companies money because they can&#39;t carry out their online business as usual. When it comes to safety critical systems no one in their right mind would allow them anywhere near the web because i) it&#39;s completely unnecessary, ii) it&#39;s far too dangerous.

That&#39;s why isolated incidents such as the coastguard are as disgusting as they are rare. Leaving a safety critical PC directly connected to the web with no protection at all is akin to a pilot downing a bottle of whisky then taking a plane full of passengers for a spin.

<!--QuoteBegin-hobbes
The reason I thought J2K4&#39;s post to be a classic is that many individuals like to make equally inappropriate comparisons between Bush and Hitler, and feel themselves fully justified.[/quote]

To be a true "classic", the individuals complaining about the Sarin/worm comparison would have to be the same ones comparing Bush with Hitler.

bah. viruses, worms, trojans. you can avoid all of those with a nominal amount of technical savvy.

what gov&#39;ts, corporations and ISPs really oughta put some effort into legally combating is the spam. it&#39;s getting to the point where most people with email accounts spend an inordinate part of each day deleting spam and configuring their spam filters. spammers might claim it&#39;s a matter of free speech, but that&#39;s totally bogus: e-mailboxes aren&#39;t public property; they&#39;re the property of the ISP/host, on lease to the end user. t&#39;ain&#39;t nuthin&#39; but harrassment, plain & simple.

If windows didnt have so many holes then this wouldnt have been a problem.

if i leave my car door open it does not give someone the right to steal from me. if they do they are 100% to blame, i am not to blame at all. the fact that i did not take precautions against being the victim of a crime is entirely irrelevant.

Actually where I live you can get fined for not locking your car doors. I agree it&#39;s silly, but it&#39;s true.


the prick who wrote this worm is totally to blame for his actions and should suffer the consequences.

Yes he should. He was aware of what he was doing and has only himself to blame.


it is in no way the fault of people who did not protect themselves from his anti-social behaviour. they are innocent people just going about their business.

Except that they have put themselves into a position where they are responsible for peoples lives. This should also mean they are responsible to a degree for leaving themselves open to attack if they cannot show they have taken reasonable precautions to prevent these things. It&#39;s not as if they are unaware of the potential threat from these constant viruses/worms.

TD

Originally posted by tracydani@9 May 2004 - 13:40

it is in no way the fault of people who did not protect themselves from his anti-social behaviour. they are innocent people just going about their business.

Except that they have put themselves into a position where they are responsible for peoples lives. This should also mean they are responsible to a degree for leaving themselves open to attack if they cannot show they have taken reasonable precautions to prevent these things. It&#39;s not as if they are unaware of the potential threat from these constant viruses/worms.

TD
Good point.

However to my mind it does not detract from the fact that the author of the worm is totally responsible for the damage it causes.

They should indeed take precautions, because they are operating in the real world. However they should not have to, it is only because of idiots like this that valuable time an resources are lost. One hates to imagine how much time and money has been spent on trying to stop this type of thing, or clearing up after it.

So my solution, get rid of the idiots. Jail time, then internet ban.

I think a long jail sentence is rather harsh.














A short spell in a nice jail near Baghdad should do nicely. :blink:





Incidently, do any of you computer buffs know how to remove a Trojan from my registry file? I have to quarantine the two files it generates every time I start up. I had a look at the registry file but to be quite honest I could not see anything called "I&#39;m a virus delete me". Consequently, I decided caution was the better part of valour.

According to AVG the trojan is called Revop.C - I think it is adware that my daughter has picked up from her various bizarre Japanese Anime sites.

Apparently Avast Anti Virus (a free trial download) will remove it.

http://www.avast.com/

Thanks J&#39;Pol I will give it a whirl.

Originally posted by Fugley+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Fugley)</td></tr><tr><td id='QUOTE'>Leftism

absolute shite[/b]

Eloquently put :)


Originally posted by JP Fugley+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (JP Fugley)</td></tr><tr><td id='QUOTE'>
if i leave my car door open it does not give someone the right to steal from me.[/b]

Correct.


Originally posted by JP Fugley
if they do they are 100% to blame, i am not to blame at all. the fact that i did not take precautions against being the victim of a crime is entirely irrelevant.


Incorrect. If you want to live in a fantasy world and refuse to lock your doors then people will steal from you. Its not right, but thats the real world. Deal with it. We don&#39;t live in Care Bear land so protecting whats yours is your responsibility.

If someone came on this forum and said "hey I left my front door open and got robbed" I seriously doubt you or anyone else would offer any sympathy. More likely people would tell him to grow up, get real, and learn to lock his damn door like most responsible adults do.

Anyway.. that analogy is incorrect. It&#39;d be more appropriate to use the security guard analogy. If a security guard left a building unlocked and took the night off he would be sacked and rightly so. That situation is no different to these incompetent administrators who seem to get away with it time and time again.


Originally posted by JP Fugley

the prick who wrote this worm is totally to blame for his actions and should suffer the consequences. it is in no way the fault of people who did not protect themselves from his anti-social behaviour. they are innocent people just going about their business. he is in the wrong, fucking about with other people&#39;s lives because he is an inadequate bastard who wants to show other inadequate bastards how big his cyber prick is.

Worm writers are like all criminals. You can punish them but you will never get rid of them entirely. Having accepted that reality like mature adults, we can either wring our hands and whine about it or we can deal with it.

You can leave safety critical computers unprotected as a matter of principle, you can leave your car unlocked as a matter of principle. They are going to get f***ed with because thats the world we live in. These people are getting paid good money to protect these systems. If they cannot do their jobs or are unwilling to do their jobs, there are plenty of people who will be happy to take their place.


Originally posted by JP Fugley
who knows how many lives have been effected by this. who knows how many lives have been shortened through the extra stress it causes. who knows how many have been lost, the domino effect does exist.

Ohh the hand wringing, ohh the melodrama "lives shortened by stress" :lol: :lol: Is it puppy and kittens time yet? Lets try and keep this in perspective.

<!--QuoteBegin-JP Fugley@

long jail sentence, let the other sad fucks know what the consequences are.[/quote]

No ones disagreeing with you on that one.

<!--QuoteBegin-J&#39;Pol

So my solution, get rid of the idiots. Jail time, then internet ban. [/quote]

That "solution" has consistently failed to get rid of any form of criminality. Until we come up with a magic bullet to rid the world of all criminality we&#39;re going to have to protect whats ours and continue punishing these people. Failure to do either of those two things is akin to living in a fantasy world.

The point is that the punishments should be more severe to

a, take offenders out of the system for a protracted period.

b, deter others from following suit.

As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked.

It is time to put all on the blame on the perpetrators and leave the victims alone. What happened to them was not in any way shape or form their fault.

No-one is suggesting that people should not lock their car. The suggestion is that we should have the expectation that our property will not be attacked. When it is we have the right to expect that the law will prosecute them and punish them in an appropriate matter. The suggestion is that we Should be able to leave our property unlocked, not that we can.

Oh and are you suggesting that someone&#39;s data being destroyed by a virus or worm is not a cause of stress. Your use of "hand wringing" and such phrases does not make the point made any less true.

Originally posted by J&#39;Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J&#39;Pol)</td></tr><tr><td id='QUOTE'>The point is that the punishments should be more severe to

a, take offenders out of the system for a protracted period.

b, deter others from following suit.

As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked.

It is time to put all on the blame on the perpetrators and leave the victims alone. What happened to them was not in any way shape or form their fault.

No-one is suggesting that people should not lock their car. The suggestion is that we should have the expectation that our property will not be attacked. When it is we have the right to expect that the law will prosecute them and punish them in an appropriate matter. The suggestion is that we Should be able to leave our property unlocked, not that we can.

Oh and are you suggesting that someone&#39;s data being destroyed by a virus or worm is not a cause of stress. Your use of "hand wringing" and such phrases does not make the point made any less true.[/b]

You are speaking exclusively from a legal view point. I am talking about a practical viewpoint.

The administrator of a computer system has taken on a job and agreed that in return for money he will protect our infrastructure. He is not your average victim of crime. His failure to do his job has no bearing on the responsibility or guilt of the offender, but it does have a serious bearing on how much damage these inevitable attacks cause.

Recognising that an administrator is incompetent does not detract from the offenders guilt or provide the offender with any defence. To my mind the two issues are completely separate. If the legal system cannot grasp that, then that is the legal systems problem. I don&#39;t see why we should have to ignore an important issue that needs to be dealt with, because the legal system lacks common sense on this issue.

What if the perpetrator was not a civilian, what if it was a foreign Gvt or terrorists? What good will the niceties and principles of the legal system do us then? By ignoring these rogue administrators completely, as we have done for far too long, we are putting critical systems at risk. You cannot deny that is the case.

You seem to be arguing that we should focus on one area of the problem alone, out of principle. I&#39;m saying that we need to tackle both these problems to come up with a practical solution.

Putting "all the blame on the perpetrators" as the sole solution will get us nowhere fast in terms of practical solutions although it might make us feel all warm and fuzzy...

If you have incompetent and grossly negligent security guards you sack them and get decent ones. Why on Earth should cyberspace be any different to real life in this respect? Why does the latter break some important principle when the former does not?

PS

My "hand wringing" phrase referred to the fact that some individuals will label land mines and slavery as "puppy dog and kittens" issues and then promptly get all serious about malicious code. People need to put things in perspective.

<!--QuoteBegin-JP Fugley

see, i come from the E.U. where we have a human rights thing. it says that all people are entitled to enjoy their privacy and their property and that other people can&#39;t take it away from them. so if somebody does it is a bad thing.

so when someone takes my things away, they are 100% to blame no matter what precautions i did, or did not take.

this is a principle rather than a practicality.

the law and punishment should reflect that and not apportion the blame between the perpetrator and the victim. that sounds like ooer missus you were wearing a sexy frock, you were asking for it a wee bit. [/quote]

Sacking an incompetent security guard or administrator who cannot do the job they&#39;re paid for is nothing like blaming a rape victim for the way she is dressed.

Sacking an incompetent security guard or administrator who cannot do the job they&#39;re paid for does not remove guilt from the offender or weaken the principle that people are entitled to enjoy their privacy and their property.

Sacking an incompetent security guard or administrator who cannot do the job they&#39;re paid for will lessen the impact of these inevitable attacks and will increase security.

What is the problem?

The prosecution and punishment of offenders should be based on the ideal world, that is the point. If they breach my rights then what precautions I put in place are irrelevant. They are the guilty party.

This does not relate to negligent security guards, who have failed to carry out their alloted duties, however I see you wish to cling to this inappropriate analogy, you must like it. I forgot that this is something you do often, choose an analogy which suits your side of the debate than stick to repeating it. No matter how irrelevant it is.

It relates to people who have done nothing wrong and simply wish to go about their daily business. This includes private individuals, small companies running their own networks etc. they all have the right to be unmolested by this type of thing.

The issue of appropriate security in the real world is an entirely separate one.

Ah, there you are, J&#39;Pol-

Tend to your PMs, would you? ;)

Your receivables are mounting. :)

Originally posted by j2k4@9 May 2004 - 20:24
Ah, there you are, J&#39;Pol-

Tend to your PMs, would you? ;)

Your receivables are mounting. :)
Sorry, willdo skip.

Originally posted by J&#39;Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J&#39;Pol)</td></tr><tr><td id='QUOTE'>The prosecution and punishment of offenders should be based on the ideal world, that is the point. If they breach my rights then what precautions I put in place are irrelevant. They are the guilty party.

This does not relate to negligent security guards, who have failed to carry out their alloted duties, however I see you wish to cling to this inappropriate analogy, you must like it. I forgot that this is something you do often, choose an analogy which suits your side of the debate than stick to repeating it. No matter how irrelevant it is.

It relates to people who have done nothing wrong and simply wish to go about their daily business. This includes private individuals, small companies running their own networks etc. they all have the right to be unmolested by this type of thing.[/b]

The protection of vital infrastructure is based on the real world, not an ideal world. Your argument is that we should ignore 50% of the problem (incompetent admins) because to address this problem will somehow detract from the offenders guilt. That will not solve the problem in the real world. This flawed approach is why we are repeating the same mistakes again and again.

The security guard analogy is perfectly appropriate. The protection of the network is a major part of an administrators job. It is their daily business. If they are incompetent and leave their networks unprotected they have done something wrong, in the same way that a security guard who leaves a building unlocked has done something wrong. If you do not understand this and truly believe it is an irrelevant analogy then you do not understand the issue you are debating.

<!--QuoteBegin-J&#39;Pol

The issue of appropriate security in the real world is an entirely separate one[/quote]

I told you from the start that I am talking about "the damage done to important systems.".

The legal system has had 20 years to "limit the damage done to important systems" and has failed miserably. I&#39;m simply suggesting we get real and accept the fact that prosecuting offenders is only 50% of the solution.

Do you ever read what other people post, or do you just have difficulty in understanding.

1, We should prosecute offenders on the basis that they are wholly to blame for the offence they committed. The victim is blameless, whether they took precautions or not.

2, We should deal with protecting our systems from them, as an entirely separate issue. You even quoted me posting that.

They are not mutually exclusive. That is what I said, that is what my argument is.

You accuse me of not understanding the point which I am debating, you however do not read (or more worryingly understand) simple concepts which other people put forward.

Originally posted by J&#39;Pol@9 May 2004 - 08:55
As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked.
those computers were promiscuous tarts. they were asking to be infected.

Originally posted by J&#39;Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J&#39;Pol)</td></tr><tr><td id='QUOTE'>Do you ever read what other people post, or do you just have difficulty in understanding[/b]

It appears that you are the one having difficulty understanding me. Your objection to my position on this subject is neither coherent nor realistic. I can only assume that this is the result of you not understanding it or the subject matter.


Originally posted by J&#39;Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J&#39;Pol)</td></tr><tr><td id='QUOTE'>
1, We should prosecute offenders on the basis that they are wholly to blame for the offence they committed. The victim is blameless, whether they took precautions or not.
[/b]

Yes we should prosecute them on that basis. I&#39;ve never contradicted that statement.

However as I have explained to you time and time and time again the "victim" (overpaid administrator who&#39;s job it is to secure the network) is not responsible for the attack but is partly responsible for the level of needless damage caused.

Is this what we&#39;re arguing about here? We shouldn&#39;t hold admins responsible for insecure networks in case a worm author uses that defence in court? The lack of common sense among the legal community on this subject should not stop the rest of us doing what needs to be done to make worms non-issues.

Hmm that sounds similar to something I said earlier.. not that you would fail to read or understand someone elses post of course......

Your argument is that admins should shoulder no responsibility whatsoever for the level of damage caused.


Originally posted by J&#39;Pol
However to my mind it does not detract from the fact that the author of the worm is totally responsible for the damage it causes.

It is this position, this belief that incompetent administrators are not part of the problem, that has led us to this point, where what should be a non-issue turns into a major issue.


Originally posted by J&#39;Pol

2, We should deal with protecting our systems from them, as an entirely separate issue. You even quoted me posting that.

Your position has always been that placing responsibility on the admins is the wrong thing to do. You are opposed to this on the grounds that it does not reflect an "ideal (courtroom) world". This means that you oppose the most speedy and effective way to "protect our systems from them".

<!--QuoteBegin-J&#39;Pol@
You accuse me of not understanding the point which I am debating, you however do not read (or more worryingly understand) simple concepts which other people put forward.[/quote]

It is you who does not understand.

You do not understand the nature of the job of the administrator as shown by your opposition to the security guard analogy, you do not understand how easy it would be to turn these worms into non-issues, you do not understand how appallingly negligent an administrator has to be to get caught out by these things and most importantly you do not understand that your "ideal world" courtroom approach to a real world problem is completely inappropriate and ineffective.

You are concerned with ivory tower legal arguments.

<!--QuoteBegin-J&#39;Pol

As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked. [/quote]

I am concerned with practical solutions to real life problems.

the real world (http://www.cotse.com/20032801.html)

It&#39;s as simple as that.

The problem is that you (as you often also do with others) state what you believe my position to be. Almost invariably you get it wrong, or post your interpretation in such a manner as to twist the meaning.

If it were only me I would question whether it was perhaps my explanation which were incorrect or inaccurate. However as it is also with others, whose posts appear perfectly clear to me I have to come to the conclusion that it is the one soldier who is out of step and not the rest of the army.

The victim is not the administrator, the victim is the owner of the system, whether it is a personal computer or a network (of whatever size). To use your own analogy - the victim is not the security guard, it is the owner of the building.

Originally posted by Mr JP Fugley@9 May 2004 - 11:39

if i leave my car door open it does not give someone the right to steal from me. if they do they are 100% to blame, i am not to blame at all. the fact that i did not take precautions against being the victim of a crime is entirely irrelevant.

Tell that to your insurance company.. ;)



My point of view is that the guy who wrote the virus is entirely responsible for his own actions, and therefore should be held entirely accountable for the damage he has done.

More than likely he&#39;ll get recruited by a cyber-security company to aid in preventing this sort of thing in the future.. :P


However, as other people have also said, people really have to take precautions to avoid getting infected by worms and viruses. It&#39;s not difficult, it just requires a bit of common sense and a bit of awareness on what exactly is going on under the desk.

This vulnerability was widely reported long before the actual outbreak, and so could easily have been avoided. Ignorance shouldn&#39;t be a defence..

Well after reading this http://tooleaky.zensoft.com/ and yes I know its out of the year 2001, then for someone, with malicious intent, there is absolutely nothing to be done to protect one&#39;s computer/ property. (Apart from disconnecting it from the internet)

Originally posted by nigel123@10 May 2004 - 10:53
Well after reading this http://tooleaky.zensoft.com/ and yes I know its out of the year 2001, then for someone, with malicious intent, there is absolutely nothing to be done to protect one&#39;s computer/ property. (Apart from disconnecting it from the internet)
Yes, that is quite an old article, and pretty outdated (although possibly zonealarm is still vulnerable to that sort of thing, I haven&#39;t used it for a while so I&#39;m not sure)

Leftism,

Several of your posts here refer to "overpaid, incompetant" system administrators.
I can only assume that you have had personal experience ( certainly traumatic) with such people.
I&#39;m sure that they exist and of course, should be replaced.

But what of the good guys?
There must be some.
Even the best security can/will be breached by a determined and resourceful attacker.
One simply cannot foresee all the eventualities, nor take precautions against a new and unique method of attack.

You have also repeatedly stated that critical systems have no business being allowed access to/from the internet, but is this really possible?
If a computer is part of a network, ultimately isn&#39;t it reachable from the outside unless the entire network is a completly isolated closed loop?
How practical is that ?

Again, I stress my lack of knowlege in the area of networking on a large scale...perhaps you can enlighten me.

well he seems to have had help and now poeple who do as he has done will end up in jail.

Originally posted by J&#39;Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J&#39;Pol)</td></tr><tr><td id='QUOTE'>The victim is not the administrator, the victim is the owner of the system, whether it is a personal computer or a network (of whatever size). To use your own analogy - the victim is not the security guard, it is the owner of the building.[/b]

So when I initially suggested getting rid of these administrators, why did you bring up the issue of blaming the victim? It was you who equated administrators with victims J&#39;Pol.


Originally posted by clocker+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (clocker)</td></tr><tr><td id='QUOTE'>Leftism,

Several of your posts here refer to "overpaid, incompetant" system administrators.
I can only assume that you have had personal experience ( certainly traumatic) with such people.
I&#39;m sure that they exist and of course, should be replaced.
[/b]

It&#39;s funny you should mention that because my university was badly affected by the worm today. After all the publicity surrounding the worm, after the patches have been available from M&#036; they still got caught out. There is no excuse for that, it&#39;s pure negligence.

<!--QuoteBegin-clocker@

But what of the good guys?
There must be some.
Even the best security can/will be breached by a determined and resourceful attacker.
One simply cannot foresee all the eventualities, nor take precautions against a new and unique method of attack.
[/quote]

A resourceful attacker and a worm are very different. Worms almost always use vulnerabilities that have been known about for months and that have patches available to fix them. They also usually use ports that have no business being open to the internet in the first place.

If a very very skillful attacker broke into an organisation using exploits he&#39;s created himself then yes, I totally accept that there is not much the good guys can do about that. However worms are simple blunderbuss affairs that require at most a couple of clicks to protect against.

It is possible that the skillful attacker could create a worm using these techniques but... every worm that has made a serious impact in the last few years such as slammer, blaster and sasser were all of the blunderbuss variety. Crude weapons that even a half arsed attempt at security would foil.

<!--QuoteBegin-clocker
You have also repeatedly stated that critical systems have no business being allowed access to/from the internet, but is this really possible?
If a computer is part of a network, ultimately isn&#39;t it reachable from the outside unless the entire network is a completly isolated closed loop?
How practical is that ?[/quote]

Its very practical to do that. Networks are effectively broken up into segments and strict rules are (or should be) applied to what communications can travel between segments. Servers that require access to the net are often placed in "Demilitarized Zones" (DMZ) that are heavily quarantined from the rest of the internal network. Good administrators almost expect computers in the DMZ to get compromised at some point in the future and make sure that the attack goes no further.

To be specific about this recent worm, it appears to use ports 139 and 445. These ports are for offering files and printers over the network. There is no reason to offer remote drives and printing services to the whole internet so even computers in a DMZ should be completely safe. It really is as easy as clicking a few times on a firewall, or entering a few lines of text into a router.

Colinmaccs point about insurance companies is very apt. If insurance companies started treating these incompetents in the same manner they treat you or I if we leave our doors unlocked I am sure we would see a significant decrease in the damage these worms cause.

Originally posted by leftism+10 May 2004 - 16:11--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (leftism @ 10 May 2004 - 16:11)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-J&#39;Pol
The victim is not the administrator, the victim is the owner of the system, whether it is a personal computer or a network (of whatever size). To use your own analogy - the victim is not the security guard, it is the owner of the building.

So when I initially suggested getting rid of these administrators, why did you bring up the issue of blaming the victim? It was you who equated administrators with victims J&#39;Pol. [/b][/quote]
Well, they are victims in that it&#39;s their jobs that are on the line when things go wrong.

Originally posted by SnnY+10 May 2004 - 16:33--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (SnnY @ 10 May 2004 - 16:33)</td></tr><tr><td id='QUOTE'>
Originally posted by leftism@10 May 2004 - 16:11
<!--QuoteBegin-J&#39;Pol
The victim is not the administrator, the victim is the owner of the system, whether it is a personal computer or a network (of whatever size). To use your own analogy - the victim is not the security guard, it is the owner of the building.

So when I initially suggested getting rid of these administrators, why did you bring up the issue of blaming the victim? It was you who equated administrators with victims J&#39;Pol.
[/b][/quote]
At least this has cleared up one thing. It really is your comprehension skills which are at fault.

It is your inability to read what people post without putting your own spin / preconceived notion on it. That does make sense, not only here but elsewhere.

In a way I am glad, it makes a lot of sense in relation to much you have posted.

*cough* Maybe we should apply the "Pinto" three steps method, it might help us understand each other better....Ok, ok I am off back to the lounge... :)

Originally posted by J&#39;Pol
At least this has cleared up one thing. It really is your comprehension skills which are at fault.

It is your inability to read what people post without putting your own spin / preconceived notion on it. That does make sense, not only here but elsewhere.

In a way I am glad, it makes a lot of sense in relation to much you have posted.

wtf? You contradicted yourself. How does that equate to me being at fault?

Lets go over this quickly

1. I argued that incompetent administrators should be held responsible for the level of unnecessary damage caused.

2. You objected to this on the grounds that it would equate to "blaming the victim".

3. You then stated that administrators aren&#39;t victims, thus making your original argument invalid.

You&#39;ve now departed from the subject completely and seem intent on provoking a flame war. It&#39;s not going to happen J&#39;Pol.

Mis-representing again, but now I know it is not your fault, so that&#39;s cool.

Originally posted by barbarossa@10 May 2004 - 03:09


This vulnerability was widely reported long before the actual outbreak, and so could easily have been avoided. Ignorance shouldn't be a defence..
Just so.

We seem to be arguing two completely different and only marginally related subjects in this thread.

I ( and others) have been discussing the fate of the ( presumably guilty) author of the worm.
Leftism has been talking about the impact of said worm due to incompetence/negligence on the part of sysops worldwide ( including his school where, presumably, Lefty is leading a massive student rally which will result in the public lynching of the offending IT personnel...).

One argument hardly impacts the other.
As I see it, the author of the worm, despite it's crude "blunderbuss" construction ( and let's not forget that even a weapon as crude as a blunderbuss can be lethal under the correct circumstances) is completely responsible for his act of computer terrorism.
And, make no mistake, an act of terrorism it was.
To a typically savvy habitue of this forum, perhaps the Sasser worm was a complete non-issue, but it caused widespread damage and aggravation to many,many casual PC users.
You may disdain their naivite all you want, but that doesn't lessen by one whit their right to expect their property to be safe and held sacrosanct.

The kid breached these fundamental legal boundries and should be held accountable.
Period.

Whether his ultimate fate matters at all to another potential script-kiddie, or wheter it deters even one more socially-challenged misfit is immaterial...he did the crime, he can do the time.

Originally posted by J&#39;Pol
Mis-representing again, but now I know it is not your fault, so that&#39;s cool.

Not at all. It was a perfectly accurate overview of our discussion.