-- more on -- so what will we do to avoid another mass attack on the "net"

[Dave Farber <dave () farber net>]

> Date: Sun, 24 Aug 2003 12:19:42 -0500
> From: Gene Spafford <spaf () cerias purdue edu>
> Subject: Re: [IP] -- more on -- so what will we do to avoid another mass 
> attack
>  on the "net"
> X-Sender: spaf () dorsai cerias purdue edu (Unverified)
> To: dave () farber net
>
>
> At 3:35 -0400 8/24/2003, Dave Farber wrote:
> > From: Robert Lee <robertslee () comcast net>
> >
> > It would be interesting to know what the score is with regard to punishing
> > the authors of viruses and worms, etc.
>
> That depends on what you mean by "punishment."  First of all is the 
> problem of catching the perpetrators!
>
> Complicating factors include obtaining evidence -- showing that the 
> virus/worm/trojan originated with a particular set of authors and 
> machines;  demonstrating intent, or at least reckless indifference; and 
> finding jurisdiction.   The last of these three is notable because writing 
> viruses, per se, is not a crime in most venues...and probably shouldn't 
> be.   Viruses and virus-like programs can be written for research and 
> testing, and don't represent a problem unless released "into the 
> wild."   If I write a virus for a machine emulator that has no real-world 
> counterpart, that should not be a criminal offense, for instance -- 
> especially if I am performing anti-virus research.   Furthermore, defining 
> a virus unambiguously in the law is not simple.  Thus, the usual path to 
> prosecution is based on the release of the code into the general population.
>
> A year or so ago I helped someone who was doing a history of criminal 
> prosecutions for malware authors.   I can't remember his name, and 
> unfortunately I appear to have not kept a copy of the URL to his 
> paper.  :-(      However, I remember that the total record of successful 
> prosecutions is low -- under a dozen.  About 4 prosecutions have occurred 
> in the US, 2 in the UK, and a few scattered elsewhere in the world.   Most 
> prosecutions resulted in conviction, but limited sentences.   What follows 
> is based on my memory, augmented by a few limited Google searches of news 
> archives.
>
> To identify the author of a new virus/worm will require one of the following:
>   *  someone with personal knowledge talks too much or confesses, as was 
> the case of Jan de Wit, the author of the Kournikova virus, and Richard 
> Brandow, author of the Mac PEACE virus;
>   *  evidence of earlier versions being tested in limited ways is traced 
> back to the author;
>   *  ISPs and major sites keep detailed logs with reliable time-stamps 
> that allow forensic investigation, as was the case with David 
> Blumenthal,  Mark Pilgrim and Richard Swanson with the Mac MBDF virus, 
> and of Christopher Pile, the author of the SMEG viruses (Pathogen and Queeg);
>   *  the author(s) is careless and/or unlucky, and identifying 
> information is left in the code, as happened in the case of the Melissa 
> incident with David L. Smith;
>   *  the author is disclosed during some other investigation (e.g., a 
> disk  search for kiddie porn or credit card numbers turns up copies of 
> tools and testing logs for the code).
>
> Other notable cases of malware prosecution include Robert T. Morris for 
> the 1988 Internet Worm, Joseph Popp author of the AIDS Trojan, Gareth 
> Hardy  and Donald Gene Burleson for their data logic bomb, Onel de Guzman, 
> author of the Love Bug virus, and Chen Ing-hau (also written as Chen 
> Ying-hao ), author of the Chernobyl virus.
>
>  * Smith received a prison sentence, as did Pile.
>  * Morris, Hardy, Pilgrim, Swanson, Blumenthal, Burleson and de Wit were 
> all sentenced to community service, probation and/or fines.
>  * de Guzeman was not prosecuted in the Philippines, but he could be 
> prosecuted if he travels to a country where an indictment is still active.
> * Ing-hau was arrested in 1995 in Taipei, but released when no one 
> produced a formal complaint of damage.  He was rearrested in 1999, but I 
> can't find a record of whether he was ever tried.
>  * Popp was extradited to England, where he underwent trial.  He took to 
> appearing in court with a cardboard box on his head and pink rollers in 
> his beard.    He was declared a "public disgrace" and deported.  He later 
> was convicted in absentia by an Italian court and sentenced to a six 
> month prison term.  I am unaware of whether he served that or not.
>  * Brandow was a magazine publisher who circulated the virus in a 
> diskette with his magazine.  Not only was he not prosecuted, he actually 
> won some form of award for what it!
>
> As I recall, the author of the Mac "scores" virus was allegedly a 
> recently-fired contractor with NASA.  He was not prosecuted, but his 
> security clearance revoked.
>
> I don't believe there are any other cases of identification of an author 
> *and* some punishment for release of the malware.
>
> Thus, based on experience with hundreds of thousands of pieces of malware 
> and tens of billions of $ damage over 20 years, we can point to two people 
> serving a few years in prison,  7 others with fines and probation, and 
> some bad press for a few more.
>
> Not exactly encouraging, eh?

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/