Risk

7/29/2005
07:23 PM
Patricia Keefe
Commentary

Bugs, Crime, And Punishment

Man, oh, man. This past week has been replete with one bug-filled, vulnerable moment after another. Vendors who weren't quashing bugs, or issuing antidotes, were setting out cash (or the equivalent) as lures to track down even more bugs. The air was virtually thick with repellent and advice even as a counterevent, the "What The Hack" conference, got under way. But the real excitement, it turns out, involved a critical vulnerability that not only wasn't fixed, but was actually made worse by the vendor involved, which in turn made matters even more difficult by attempting to censor a researcher who was trying to point out the fault in the fix. Adding to the drama is the fact that the vendor is industry heavyweight Cisco, and the affected product its routers, which just happen to provide the underpinning of much of the nation's critical infrastructure. Man, oh, man, all right. Especially since, as it turns out, the researcher was right.

In the latest installment of this saga, Cisco and the researcher settled their differences. Cisco says the researcher, who quit his job so he could make a presentation on the issue at Black Hat, was premature in releasing his information. Maybe, but it also sounds like the very problems he wanted to talk about were already making their way onto other Internet forums. Cisco, which didn't object to the presentation until days before it was scheduled, could have handled this a lot better. It doesn't look good to appear to be trying to shush information about a vulnerability in a product key to most companies.

The thing is, if vendors are going to come up with procedures and guidelines for how to responsibly report bugs, including when it's appropriate to go public with the information, and if they're going to actively encourage users to dig into the software to ferret out bugs and other vulnerabilities, then they ought to be willing to listen to, and objectively examine, any evidence brought before them, even if it's not what they want to hear. Let's face it--sooner or later, the problem would have surfaced, bringing with it the sting of adverse publicity. That's the thing about the high-tech industry: You can run, but you cannot hide from weaknesses in your products or policies. There are too many smart people too willing to pour time and energy into debate and testing in an effort to keep everything aboveboard and working. And besides, bug reports and flaws don't faze IT--all code is breakable--what they need to see is vigilance on the part of their vendors, and fast action when weaknesses are found. And that includes acknowledging the flaw exists.

Judging from responses to a blog entry on the murder of infamous Russian spammer Vardan Kushnir, many in IT favor strong punishment meted out to the cyber bad guys. Kushnir's violent end pleased more than a few readers, who might find some support for their position in a July 12 New York Times op-ed piece. It examines Prof. Steven Landsburg's contention that his cost-benefit analysis of the economic impact of cybercrime shows that cybercriminals are more deserving of capital punishment than murderers.

Which raises the question of just what is the appropriate punishment for convicted hackers: a 21-month suspended sentence including 30 hours of community service, jail, death, or something worse?

The Times' op-ed suggests Landsburg makes a pretty good case for slapping German teenager Sven Jaschan, convicted of creating one of the most financially damaging cybercrimes in the history of the Internet, with the death penalty, but stops short of endorsing that punishment. A German judge saw it differently, and gave Jaschan the barest tap on the wrist for unleashing the Sasser worm -- a 21-month suspended sentence.

Both Landsburg and the judge got it wrong. Death to hackers? Oh, please. And that suspended sentence? Just as moronic. And let's not forget these idiotic rulings that include completely unenforceable restraining orders against using or coming within XX feet of any computer equipment. Like there's no way a guy who can cause billions in damage with a creative computer program could possibly outwit that order, right?

Let's get serious, and realistic, about punishing these people. Either jail them, as in a cell with bars, or put their technical skills to use and make them do really useful community service for a really long time. You don't want to go to jail for 4 years? Do community service 8 hours a day for 4 years. Not the piffling 30 hours Jaschan got in exchange for causing significant economic havoc. Community service sure beats 24 hours in lockup. The goal should be to wring some payback out of these people. Anything--from cleaning up roadside litter, to fixing up playgrounds, clearing vacant lots to painting schools--is of more use to society than any of the three options laid out above. Even better, sentence these hackers, virus writers, and other cyberrabble to creating usable software (under supervision) for nonprofits and schools. They have the skills, these groups have the need. At the very least, Jaschan should be prohibited from exploiting the fruits of his exploit--a job with a computer security company--until his suspended sentence period is over.

Other options, especially where ID theft is involved, might include putting a lock on their credit for a specific time period and stripping them of any plastic or electronic accounts. Let's see how they like functioning in their wired world without credit. It won't be fun.

Otherwise, where is the pain for these kids? What has Jaschan learned? He's famous, he's free, and he's got what I imagine is a well-paying job. A pretty tidy payoff for a little programming work and a couple of court appearances.

But execute them? What is that professor eating along with his Wheaties?
