Sasser worm writer in court

What is up with German law? Did they enjoy the sasser virus or something? If the kid is old enough to knowingly commit a crime that affected millions and cost millions too, why should he receive a suspended sentence and avoid jail? I'm having a "It makes me sick..." week

http://news.bbc.co.uk/2/hi/technology/4659329.stm

 

He'll also get a nice job with an AV company! hope that makes you feel a little better Lev

 

Perhaps...he might have gotten a reduced sentence in return for being an informant, or work for them for nothing for a certain period of time!!?? Who knows...you begin to wonder sometimes how the wheels of justice work!!!! Look at the guy that gets 15yrs for smoking pot, as opposed to the guy that got 8 yrs for raping and molesting multiple children!!

Roger

 

God forbid we should "punish" young people these days. it might cause them to become depressed and lower their self esteem. as long as they admit their "mistake" and say "im sorry" we give them a hug and with a shake of the finger say "dont do that again" . then send them out into the world with the idea planted firmly in their little minds that "WOW, i can get away with anything"

 

Would I be guilty if your door is open and my dog walks into your house.He was too young and dumb.But Microsoft has much more to learn.I wish him all the best if he uses his talents to help build better security.

-----------------------

 

Ofcourse,theres better ways to get noticed though than wrecking millions of computers,as has been done in the past send uncle bill some rubbers and viagra and charge it to his own account,probably a bit tougher to do now,since the last guy that did it now works for microsoft and protects his account.

 

I think the kid did get hired by a German IT firm. . . .

Anyhoo, his intent was to write a virus that would kill MyDoom. But, as we all know, that went awry in a big way. Malware that kills other malware. Good Grief!

Know your enemy: the author of Netsky/Sasser speaks


PP

 

Alot rests in personal experience I'm lucky enough to have never had any major infections,I RRR every couple of months,but I have seen what they can do to vulnerable pc's,a friend of mines daughters computer had the sasser worm or some form of something,her daughter was distraught when her project couldnt be finished for school the next day in that respect I say lock him in jail,he doesnt deserve a good life and job.

 

no YOU wouldnt be, but your dog might end up dead.

awww hell who am i trying to kid. i would be more likely to let the dog chew my arm off than shoot the darn thing

 

Actually, yes. If your dog wandered in and hurt somebody or wrecked the place, you WOULD be legally responsible.

But the situations aren't analagous. In your scenario, you did't toss the dog in through a back window, which is basically what Mr. Scum did. A whole LOT of back windows.

Virus writers aren't illiterate, quite the contrary. They've all read the damage done, and the millions to billions they cost people. They don't give a crap. Until they get caught.

Something has gotten lost in our legal systems. Restitution. Making right the damage that you caused. I hope every single company that got damaged financially by this joker sues him for his eye teeth. Unfortunately, he won't be able to pay any of it, so none of them will bother. And he'll basically get off scott free. Proper karma would have him get run over by a truck sometime soon.

 

Thanks for your opinions Mississippimud & G.T.

But I must add one more statement you can give your views on that as well.Viruses are codes,they dont live without something to execute it.Now it is a vulnerability in your OS that is causing a program that you do not want to run to be executed.I feel law against such crime has been necessary because of the current system, which is well .But my point is that boy is just a scapegoat.However as quoted before comercial virus buisness,bundling viruses with various programs and direct network attacks are big crimes to me.If you cannot control what programs are executed in your computer,the solution I as customer would want will be to get the technology right.It is not impossible.

 

I disagree,if you have enough enough tries at robbing a bank eventually you will steal from it,its a cert this is in the same vein I see hackers and virus writers,eventually they will get through with a virus or trojan,I dont think this will ever change,thats why the law in the uk is if your even caught talking about robbing a bank,your going to jail,let alone attempting to rob it,should this be the same with hacking?

You could take the most secure place in the world 10-20 clever guys sat round a table and discussed it they would find a way in,if they couldnt no one else on the planet would be able to get in it would be that secure,thats the main problems with all security,the harder it is for an unauthorised person to access the harder it is for an authorised person to access,in a world of growing communication I think it would become impractically complex to to make it totally secure.

 

The ground floor apartment I used to live in had a vulnerability I wasn't aware of. The window locks could easily be defeated by somebody outside. I found out when somebody popped the lock on a window and stole a couple thousand dollars worth of my stuff. The window manufacturer caused the vulnerability, but they weren't legally responsible for the break-in. The illegality was the crook that broke in. HIS job was to find a vulnerability, and to make use of it. The crime was breaking in at all, even if the window was left wide open (which mine NEVER was). After the break-in, I cut broomsticks to fit and wedged those windows closed where NOTHING would open them, but I cound NOT sue either the apartment complex or the window manufacturer for the vulnerability, the only "fault" that could be applied was to the burglar.

There are vulnerabilities to LOTS of things in life, computer or real world. We all try to fix them when we become aware of them, but the CRIME is breaking and entering. The intent of the bad guy is the CRIME. Even if your doors and windows are all wide open, it's a CRIME for somebody off the street to come in and start rifling your drawers.

Fixing vulnerabilities is part of life, but blaming the operating system and giving a pass to those that commit CRIME is totally upside down.

Virus is code. It's also a burglar's tool, with one purpose. To commit the crime of ilegal entry. The guy that makes and uses that tool is the criminal. The fact that the damage done isn't right in front of the criminal doesn't lessen it's impact, or his responsibility for it.

If I physically went around cutting power to businesses and hospitals, causing millions of dollars in damage to their operations, there would be no question at all that I should be punished. Why should somebody that does it remotely get any less harsh punishment?

And scapegoat??? This guy caused many many millions of dollars worth of damage, and he's getting off with PROBABION? Not nearly harsh enough for the damage he did.

 

Regarding the sasser, the vulnerablity was with the Local Security Authority Subsystem Service in windows.The sasser is a special worm because of its sucesfull code.There are other viruses which have much more deadly missions that are not known.A very large number of viruses are made by commercial virus makers.Why wait till the internet brakes down.The commercial virus makers will do that and there wont be any internet left.Would you catch all these virus makers so that you can ensure security.The easiest path in this case is to make the operating system tougher,it would be far easier than rounding up all the virus makers.It is your computer and your operating system,if the sasser can start a server on your computer without your permission it is definetly a loophole(how dumb can a pc get).Why doesnt the mac or linux get attacked as much?What happens if virusmakers become powerfull enough to completly control the most secure computers?How many virus makers do they catch?What is the point in investing in security.Now microsoft blames the virus makers that will be good for as long as anti-virus programs and firewalls are sucseful.Why did ms offer a reward for this worm and not so many other?What will happen when the whole internet is taken over?If that boy hadnt found the loophole in lsass.exe somebody else would have and the consequence could have been far worser.The boy is guilty under law and all you points are valid.It should discourage potential virus makers,which is good and the young man must learn what it means to take responsibility for ones actions. But he is not the main enemy of internet security,commercial virus makers are.Microsoft should come up with an open source community to tackle security loopoles where individuals must be allowed to point out vulnerabilities without having to release worms.But everyday new loopholes are being found and we are just beta testers for Microsoft?

 

Sasser was released May 1, 2004.Which means Sven Jaschan was not the first to find the vulnerablity.Shows how important it is to apply your patches.

 

from what I have heard, German Law, is pretty easy on everyone.

 

Tell that to those who reside in a german prison

I see your avatar is ready for summer Mellowman

 

the biggest tragdey in this ruling is the message it sends to this kid. and not just him but all young people. a lack of appropriate consequences leeds to a lack of accountability. they are doing this kid and society a great disservice in letting him off so easy

 

I am sorry but someone else writing destructive code cannot be pawned off on Microsoft.

I saw a crack of light from under my neighbor's window the other night. Should I see if there is a way for me to get in? After all, it should be the builder's fault for leaving that possibility.

Thats basically what you are saying.

 

And are you saying that its ok for the builder to leave a crack?I agree that it is a crime to make a virus, just that I am worried more about the system.

 

No, the "crack" should be fixed, but the criminals who use that "crack" to their advantage should be punished appropriately.

Nothing is perfect, be it a building, or an OS.

You cannot claim innocence because an exploit was there and you used it. Lets face it, if there aren't criminals breaking the law, then technically, said flaw isn't an exploit. Without a criminal to take advantage of it, the flaw is irrelevant.


You can't excuse criminals for their actions.

 

http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml

Here is a good example of how someone walked right into someone's network, because it was not secure. Now, the law will punish him (we hope).

Thats how it should be.

 

Everybody worries about the system. But the topic of THIS thread was the treatment of the virus writer.

As far as system worries, it's not just Microsoft. They're hit most because they're the biggest, and frankly, a fairly easy target. But they're sure not the only vulnerabilities in the "Windows" world to worry about. Lots of secondary software is vulnerable as well. Nor is Windows the only "vulnerable" operating system. Again, it's just the most popular target since it's the most used.

 

A legal fix for software flaws?
Is Microsoft to Blame?Contagious Computing
Is Microsoft to Blame?Legal Aid?
No responsibility without liability?

 

Yes there is the MS EULA

 

I love typical MS haters, who will turn any story around. Doesn't matter that someone made a malicious program designed to screw up Windows, it must be Microsoft's fault.

Here is a little tidbit of info for you. Auto makers have recalls on their cars all the time, a lot of times for safety issues. The manufacturers don't always discover the issues themselves, its usually reports from other people, and from work orders in the repair shop, that they are discovered.

When it becomes a big enough issue, they issue a recall. It is UP TO YOU to take your car in for the repairs. Do you blame the car manufacturers? I would, if they didn't issue recalls. But, they do.

Now, how many people out there know of the recalls on their vehicles?
--How many take their vehicles in?

On the same note:

How many people out there know of the Windows Updates available?
--How many update their computers?


Microsoft and others (aguably, mostly others) find issues all the time. They issue patches, all the time. It is UP TO YOU to download and install them. I would blame them, if they didn't issue FIXES.

I fail to see the problem here, other than people are lazy, or ignorant. How many people out there run no firewall, or antivirus? Shall we attribute that to a failure on Microsoft's part, too?

 

That's like saying "why does the United States get attacked more by terrorists than some small third-world country does?" The United States is attacked more because its bigger, hated more, and would affect more people if attacked. Likewise with MS. Mac and Linux don't get attacked as much because there aren't nearly as many people or businesses out there with Mac or Linux based systems. The average person doesn't even know Linux exists.

 

I did

Dontcha just love auto update

 

Yes, but my point is, how many don't do it, and them blame Microsoft for their troubles

 

Bottom line.....just because there is a problem with something...doesn't give ANYONE the right to exploit the problem in a criminal manner or in such a way that it is going to inflict havoc on thousands of innocent others!!!! Noone is perfect, so therefore you can't expect EVERYTHING that has ever been developed by a human, to not have problems/bugs!! Especially when they offer a way for it to be fixed!!

If you have a keyless entry for your car and you get out at the mall and hit the remote to lock the car...but for some reason it is unknowingly left unlocked because the remote didn't work as expected....so while you are in the mall...someone steals your car because it is unlocked (which ofcourse makes it easier)...does that mean the theif gets off easy just because the remote was defective?? I don't think so!!!!

Oh but wait a minute...your not jealous of the person that invented the remote and makes a killer living inventing something that everyone uses (BY CHOICE) so therfore you've got to lash out at that person/company every chance you get!!!! I don't necessarily like Bill Gates...but lets face it...he was smart enough to invent something that turned out to benefit millions and in turn padded his bank account very well, so therefore, just because he and his employees are human (which means your not perfect, I don't care who you are!!) and they develope something with bugs in them, and later offer fixes... that doesn't make him the one responsible for the actions of the jackass the gets the thrill of making everyone elses life miserable!!

Roger

 

An article on Sven Jaschan

 

Local Security Authority Subsystem Service (lsass.exe)supposed to be managing security functions on users machines has a loophole and is victim to a buffer overflow attack from a kid who decided to take on the beagle and mydoom virus with his own virus after messing up his code.Quite a tragedy.

 

Kadavill,

If you want to bash Microsoft, create a new thread, instead of using this one.

Bottom line has been said many times. An exploit does not give someone the right to destroy or disrupt. I am sorry you can't grasp this concept.

I am sorry, I do not buy this. I've seen and repaired the damage it does, that wasn't a mess up, that was intentional.

 

I was just saying it was not intentional.Read my links Adrynalyne.Hanke a Microsoft data protection official in Germany said that.And this is about the virus writer not microsoft.

 

Why didn't he just simply contact microsoft with the details of the problem he discoverd and peacefully resolve the problem by presenting them with a resolution that he thought might resolve the issue, instead of taking the matter into his own hands!!!????

Or better yet...if he is so good with programming...If he wanted all the recognition...then he could have developed a program with the fix for the loophole, that people can VOLUNTARILY choose to use to fix the gap if they are concerned about it!! Just like all these other developers do for other viruses and malware!! But no...he decided to take matters in his own hands and it backfired...BIG TIME!!!!

Instead he decided scoop to the level of all other virus writers and force it on everyone, so therefore he didn't think it out very clearly and wreaked havoc on millions of innocent people, and therefore he should be punished to some extent!! PERIOD!!! The fact that Microsoft didn't intentionally make this loophole in order to ruin everybodys life...means that Microsoft IS NOT guilty, because some a$$ took advantage of it!! I really can't see what you are missing here!!?????????????????????????????

The fact that he wrote a variety of versions of a malicious program, instead of fixing a problem that he knew he created more problems...I find it hard to believe the ignorance defense that he is using!!!

Roger

 

I bet you he's thinkin that right now Roger. Hindsight is always 20/20.

 

For those who dont know what a buffer overflow attack is:

Such a vulnerability was known righ from Von-Neumans times.Around the fifties.It only happens when there is a programming error.Specificaly a neglect of code bounds checking on an input field.In this case the attacker sends more data than the program was expecting.Its a way of intruding into kernel memory.Nowadays compilers automaticaly do it for you, Compiler based run-time bounds checking is integrated in most compilers.And now there are operating system features like DEP and other library based tools to detect and stop buffer overflow.Here is a description from http://www.imperva.com/application_defense_center/glossary/buffer_overflow.html

It is the operating system that is responsible to look at memory allocation to all user programs.A program whose memory stacks cannot be controlled is an embarasment to any operating system developer.

 

To those that have written spyware that i have to waste time cleaning of peoples computers, that clogs up the internet, to spammers that waste my bandwidth, to the idiots that spam my chat in wow, i say we stick em on and island with a 28.8 connection, only a BASIC compiler, and only 1 computer....

Then we can videotape the result and sell it to fox as a reality tv show...

 

Castration. No jail time, I don't want my tax dollars going to them, too.