Controversy is brewing around articles by John Tierney in the New York Times (registration code required), and Steven Landsberg in Slate which propose the death penalty as an appropriate punishment for authors of Internet worms such as Sasser.
The reasoning goes that since these viruses cause millions – sometimes billions – of dollars worth of damage, the punishment should scale to meet the cost to society.
Unfortunately, as with most articles written about viruses by lay journalists or lawyers, Tierney falsely applies analogies from the physical world that simply don’t apply.
One is the “terrorism” analogy. From the article:
Hackers are the Internet equivalent of Richard Reid, the shoe-bomber who didn’t manage to hurt anyone on his airplane but has been annoying travelers ever since. When I join the line of passengers taking off their shoes at the airport, I get little satisfaction in thinking that the man responsible for this ritual is sitting somewhere by himself in a prison cell, probably with his shoes on.
If it wasn’t so scary that Tierney was allowed to publish this article in a respectable newspaper, this would be hilariously wrong. Instead, it’s dangerously wrong. For one, he has failed to define which particular hackers he’s talking about. There is a very broad range of activities that fall within the catergory of “Hacking” – one would not morally equate someone lighting a candle on a birthday cake to an arsonist setting fire to his neighbours house or to Aborigines engaging in controlled burning to maintain an ecologically stable natural environment, yet all are different classes of the same basic activity.
This raises the question of intent. Richard Reid intended to kill himself and those around him in a very direct, sociopathic way. He had a malicious intent and a political axe to grind, and deserves to be punished. Sven Jaschan, author of the Sasser worm, had little appreciation of the scale of destruction he would cause. Part of the reason for this is the properties of the internet, which thanks to Microsoft is largely populated by an homogenous organism (Windows) packed with features and with little thought given to security.
If Microsoft Windows was a creature in the natural world, mother nature would have destroyed it long ago. Survival is dependant upon diversity and adaptation, and Windows abhors the former and has been far too slow with the latter.
In debating whether Hackers should be given the death penalty, no-one seems to be raising the issue of how easy it is to cause this scale of destruction. If anyone could cause a plane to fall out of the sky by pointing a lead pencil at it, we’d pretty quickly change the design of our planes. The design of Windows, and its ubiquitousness, invites the kind of destruction we saw with the Sasser worm. Prosecuting those few hackers that we can find (who probably cooked up the virus in 5 minutes with a publicly available construction kit) will be cold comfort for those whose Windows XP workstations are consumed and destroyed within 12 minutes of being connected to the Internet.
Another analogy. Imagine that one company manufactured front doors for 98% of our homes. One day, someone finds a way to make every door swing open permanently, all at once, from their bedroom in Norway. Do you think people would be more angry at the “hacker”, or the door manufacturer?
There are certainly organisations out there whose intent is to extort and destroy businesses using sophisticated, targeted Internet attacks. Most of these have strong links to traditional organised crime. It is these organisations, with their large resources and sophisticated methods, who should be subject to the full force of the law, not teenage miscreants who know not what they do and have been given disproportionate power to destroy data by lazy systems administrators and corner-cutting OS manufacturers.
Let the scale of the punishment to fit the crime, not the inadvertent follow on effects. And let the scale of our security systems reflect the real risks and losses due to viruses and worms. If a 15-year-old can indirectly bring down your entire company (and thousands of others) with a few keystrokes on the other side of the world, you need better locks.
One final note: Even on Windows, it’s incredibly easy to stop these kinds of attacks. Just turn on the built-in firewall, and use a non-privileged account. Suddenly, no-one can bring down your system.