informa
5 min read
article

Bugs, Crime, And Punishment

Man, oh, man. This past week has been replete with one bug-filled, vulnerable moment after another. Vendors who weren't quashing bugs, or issuing antidotes, were setting out cash or good as same lures to track down even more bugs. The air was virtually thick with repellent and
July 30, 2005
Man, oh, man. This past week has been replete with one bug-filled, vulnerable moment after another. Vendors who weren't quashing bugs, or issuing antidotes, were setting out cash or good as same lures to track down even more bugs. The air was virtually thick with repellent and advice even as a counterevent, "What The Hack" conference, got under way. But the real excitement, it turns out, involved a critical vulnerability that not only wasn't fixed, but was actually made worse by the vendor involved, which in turn made matters even more difficult by attempting to censor a researcher who was trying to point out the fault in the fix. Adding to the drama is the fact that the vendor is industry heavy-weight Cisco, and the affected product its routers, which just happen to provide the underpinning of much of the nation's critical infrastructure. Man, oh, man, all right. Especially since, as it turns out, the researcher was right.In the latest installment of this saga, Cisco and the researcher settled their differences. Cisco says the researcher, who quit his job so he could make a presentation on the issue at Black Hat, was premature in his information. Maybe, but it also sounds like the very problems he wanted to talk about were already making their way onto other Internet forums. Cisco, which didn't object to the presentation until days before it was scheduled, could have handled this a lot better. It doesn't look good to appear to be trying to shush information about a vulnerability in a product key to most companies.

The thing is, if vendors are going to come up with procedures and guidelines for how to responsibly report bugs, including when it's appropriate to go public with the information, and if they're going to actively encourage users to dig into the software to ferret out bugs and other vulnerabilities, then they ought to be willing to listen to, and objectively examine, any evidence brought before them, even if it's not what they want to hear. Let's face it--sooner or later, the problem would have surfaced, bringing with it the sting of adverse publicity. That's the thing about the high-tech industry: You can run, but you cannot hide from weaknesses in your products or policies. There are too many smart people too willing to pour time and energy into debate and testing in an effort to keep everything aboveboard and working. And besides, bugs reports and flaws don't faze IT--all code is breakable--what they need to see is vigilance on the part of their vendors, and fast action when weaknesses are found. And that includes acknowledging the flaw exists.

Judging from responses to a blog entry on the murder of infamous Russian Spammer Vardan Kushnir, many in IT favor strong punishment meted out to the cyber bad guys. Kushnir's violent end pleased more than a few readers, who might find some support for their position in a July 12 New York Times op-ed piece. It examines the supposition by a Prof. Steven Landsburg that his cost-benefit analysis of the economic impact of cybercrime shows that cybercriminals are more deserving of capital punishment than murderers.

Which raises the question of just what is the appropriate punishment for convicted hackers: a 21-month suspended sentence including 30 hours of community service, jail, death, or something worse?

The Times' op-ed suggests Landsburg makes a pretty good case for slapping German teenager Sven Jaschan, convicted of creating one of the most financially damaging cybercrimes in the history of Internet, with the death penalty, but stops short of endorsing that punishment. A German judge saw it differently, and gave Jaschan the barest tap on the wrist for unleashing the Sasser worm -- a 21-month suspended sentence.

Both Landsburg and the judge got it wrong. Death to hackers? Oh, please. And that suspended sentence? Just as moronic. And let's not forget these idiotic rulings that include completely unenforceable restraining orders against using or coming within XX feet of any computer equipment. Like there's no way a guy who can cause billions in damage with a creative computer program could possibly outwit that order, right?

Let's get serious, and realistic, about punishing these people. Either jail them, as in a cell with bars, or put their technical skills to use and make them do really useful community service for a really long time. You don't want to go to jail for 4 years? Do community service 8 hours a day for 4 years. Not the piffling 30 hours Jaschan got in exchange for causing significant economic havoc. Community service sure beats 24 hours in lockup. The goal should be to wring some payback out of these people. Anything--from cleaning up roadside litter, to fixing up playgrounds, clearing vacant lots to painting schools--is of more use to society than any of the three options laid out above. Even better, sentence these hackers, virus writers, and other cyberrabble to creating useable software (under supervision) for nonprofits and schools. They have the skills, these groups have the need. At the very least, Jaschan should be prohibited from exploiting the fruits of his exploit--a job with a computer security company--until his suspended sentence period is over.

Other options, especially where ID theft is involved, might include putting a lock on their credit for a specific time period and stripping them of any plastic or electronic accounts. Let's see how they like functioning in their wired world without credit. It won't be fun.

Otherwise, where is the pain for these kids? What has Jaschan learned? He's famous, he's free, and he's got what I imagine is a well-paying job. A pretty tidy payoff for a little programming work and a couple of court appearances.

But execute them? What is that professor eating along with his Wheaties?