Creator of Sasser Worm Goes on Trial
Cobb writes "Creator of the Sasser worm Sven Jaschan begins his trial today in Verden, Germany. Arrested in May 2004, Jaschan faces charges for his crimes as a juvenile. A reward from Microsoft partially led to the capture of the virus creator. From the article: 'The charges, which also include disrupting public services and illegally altering data, carry a maximum sentence of five years in prison. However, court spokeswoman Katharina Kruetzfeld said that, as a minor, he faces a lesser penalty.'"
Ah the bounty... (Score:2, Insightful)
Re:Ah the bounty... (Score:5, Funny)
Re:Ah the bounty... (Score:5, Funny)
Punishments for minors (Score:4, Interesting)
Re:Punishments for minors (Score:2, Insightful)
you should not be rewarded for criminal activity.
yes burglars can eventually lead a good life and help others with their knowledge. but those are rare cases and a lot of time passes generally (prison for instance)
Re:Punishments for minors (Score:3, Insightful)
Re:Punishments for minors (Score:3, Interesting)
Can we get this added to the US Constitution somewhere? It's kind of subjective, but I think it is clearly a case of the positives far outweighing the negatives
Re:Punishments for minors (Score:2)
Re:Punishments for minors (Score:4, Insightful)
I don't recall the details of this specific worm (MS plays only a very small role in my job, thank God, and a microscopic role at my home; hence I never saw the thing) so I won't argue how much of the blame resides with users in this specific case.
But regardless of that, the guy who comes in through the window and trashes your house is the criminal, and should be prosecuted, whether you were stupid enough to lock the doors and windows or not.
Whether your insurance company compensates you for damages is another issue.
Re:Punishments for minors (Score:5, Insightful)
There's a big interest in keeping guys like these around. This one kid "cost" some people millions but also helped justify thousands of jobs for people in the security industry, virus protection firms, etc. I think it hurts the credibility of the security industry that there's an absolute revolving door of black hats to white after they grow up and figure that they need a paycheck more than 1337 status on IRC. If anything these guys should be more like paid informants than actual employees. Use them for what they know but keep them far away with a long stick.
Given that this kid is a juvenile I'm all for a second chance, but I don't think 6 months in lockup would hurt him either. There should definitely be a punishment here. The world isn't exactly hurting for promising programmers. 1000 IT guys aren't worth the pause given to some kid about to hit the enter button on a destructive command and thinking "Hmmm...I could get 5 years for this."
Re:Punishments for minors (Score:3, Insightful)
The crack dealers you mention "help justify" thousands of jobs in the DEA, FBI, and local LEAs...
Re:Punishments for minors (Score:2)
Of course, this is in the drug enforcement arena t
Re:Punishments for minors (Score:2)
IOW, $1 for every computer infected.
Crack Dealers as Legitimate Businessmen (Score:3, Interesting)
Crack dealers may be great businessmen on the streets, but often there is a different set of skills required to make it in legitimate businesses. Respect for social structure, having "cultural capital" (the ability to ma
Re:Punishments for minors (Score:2)
Law vs Justice.. (Score:2)
The Law vs Justice has been a long fight and I don't see the end of it. People getting off on technicalities or getting caught because of their ignorance. Law cannot substitute for Justice - it can only be the fighting arm of Justice.
Also IMHO, they shouldn't try and make an example out of him - but they can't jus
Re:Law vs Justice.. (Score:2)
At this point in your post, you rip open your shirt to reveal a red T-shirt with a big yellow "G" on it before streaking into the sky.
Re:Punishments for minors (Score:5, Insightful)
I'd no more consider this guy for a job in my organization than I would a person who keeps losing jobs for punching his coworkers in the face.
This line of thinking, while being unfortunately common, is extremely flawed in that it assumes that these "black hat" types are more skilled than responsible and reputable people in the industry.
So you hire an anarchist criminal because he's good at what your company does. Guess what, now you have an anarchist with a criminal mindset working INSIDE your company.
That makes you sleep better why?
Re:Punishments for minors (Score:3, Insightful)
Very true.
Any half-skilled person can write a virus. Heck, a skilled programmer with the right talents and a bit of research could probably write a Warhol worm with just a little research.
Optimize the distribution routines beforehand, figure out what tricks you are willing to use to run/hide your virus in the OS, code the core of it, and sit around on security mailing lists. As soon as a new major security hole comes out, add the exploit code and release it.
That's more than enough for a functio
Re:Punishments for minors (Score:4, Insightful)
There are so many harsh names in the
Re:Punishments for minors (Score:2)
Increasing awareness is a good thing? (Score:4, Interesting)
They evidently saw his skills in identifying and essentially publicising weaknesses in the operating system in a positive light.
Perhaps he ought to be congratulated to some extent for this - Windows is now (barely) more secure.
Re:Increasing awareness is a good thing? (Score:5, Insightful)
Re:Increasing awareness is a good thing? (Score:2)
Re:Increasing awareness is a good thing? (Score:5, Insightful)
This is almost like saying Bin Laden did a good thing by levelling the World Trade Center - because he created "awareness" about terrorism.
Working at a security firm is like being a sparring partner - your job is not to knock the champ down, but to make sure he gets enough training and tests his skills with something that hits back.
Re:Increasing awareness is a good thing? (Score:5, Insightful)
Re:Increasing awareness is a good thing? (Score:5, Funny)
Re:Increasing awareness is a good thing? (Score:2)
I think Bin Laden needs to be added to Godwin's rule.
Nazi...
Re:Increasing awareness is a good thing? (Score:2)
There's an old saying - keep your friends close, keep your enemies closer.
Depends (Score:2)
If, however, on the lock package there was a phrase like, "This lock is provided AS IS, and is not warranted nor guaranteed to be fit for any particular use or purpose whatsoever and any loss of personal property or data is all YOUR FAULT!" then you're silly to trust it.
Good start? (Score:4, Insightful)
Is there a way to tackle the problem "from the source" that would prevent would be spammers and virus creators from WANTING to do these things?
I think if enough offenders are prosecuted, and prosecuted severely enough, there is the potential to ward off others from committing the same acts. However, if only a few, say 1 in 20 or less, virus creators/spammers/etc are caught, I don't think there will be enough push to stop others from taking their place.
Just like anything else in the world, if there is a low risk of punishment and a good chance of some sort of reward (monetary, pride, whatever) for some act, then someone will commit that act.
Re:Good start? (Score:5, Insightful)
Walking straight into a stranger's house uninvited is a good way to get shot, whether his door was unlocked or not.
If you left your car parked on the street one night, and I came along and keyed the hell out of it, would it be partially your fault for leaving it out instead of locking it in your garage? Partially maybe, but it wouldn't make me any less of an antisocial asshole for keying it in the first place.
Re:Good start? (Score:2)
I do have a garage, but I don't have a car, you, erm, non-sensual sod!
Re:Good start? (Score:2)
Re:Good start? (Score:2)
Re:Good start? (Score:2, Insightful)
I would expect someone to walk in, but that doesn't mean they should. They have no right to enter my property even if I have a giant "ROB ME" sign posted on my roof.
Re:Good start? (Score:3)
Re:Good start? (Score:2)
I suppose you also think women are 'just asking for it' if they get raped, and they should share some of the blame and accept responsibility?
If you leave your doors unlocked and wide open, why the fuck wouldn't you expect someone to walk right on in?
Because in a civilized society, you're expected not to. And besides, there may be a loaded shotgun waiting for you inside.
Re:Good start? (Score:2)
While Microsoft is the application coder, Sysadmins are end users. (every microsoft windows 2000, linux, bsd, osx, etc. user is a sysadmin)
So you most definitely are blaming the victim.
Also, lots of computer attacks are bruteforce (and are on the increase). Going to start prosecuting lock manufacturers because someone used an acetylene torch to cut through your lock or C4 to blow it up?
Re:Good start? (Score:2)
or... i guess you're advocating that it's time to prosecute linus torvalds?
Re:Good start? (Score:2)
you think sysadmins are the end users?
ask any of them and they will disagree with you, unless they are the only ones using the systems, at which point they do become the victim and aren't responsible anymore.
I'm confused. Why the distinction between systems where the end user is synonymous with the sysadmin, and those where they are not the same? I believe you're trying to draw a difference between a private home owner and a corporate machine; but then what is the smallest size corporation at which
Re:Good start? (Score:3, Insightful)
The juvenile immaturity (intentionally redundant) overflowing from this post says volumes about the poster.
Here's an analogy for you: You can lock your house up to the best of your ability, and I guarant
Re:Good start? (Score:2)
Slavery sounds good (Score:4, Funny)
Re:Slavery sounds good (Score:2)
Just leave him with the Server and PC Support staff where I work. Unplugging, cleaning, and replugging in 3000+ computers was hell with 10 guys. It would be a death sentence.
Re:Slavery sounds good (Score:5, Insightful)
The patch for sasser's vulnerability was up two weeks before the worm hit. If you're not going to be thorough and proactive in defense of your systems, you're going to get nailed.
"but...but...Microsoft's evil patch might possibly break something somewhere at some point!!!!"
Tough. If it breaks, you're there to fix it. Lose X amount of time / work fixing something that Microsoft's patch broke, or lose Y time / work trying to clean up from a worm that you know nothing about.
Patches can be rolled back. Very easily rolled back at that. You test, you roll out, you fix it if it breaks. Yes, the kid who wrote sasser is a nasty little shit that made a lot of work for a lot of people. But it didn't have to.
"It is easy to be a bad sysadmin"
Re:Slavery sounds good (Score:3, Insightful)
The Doctor on call decides to wait to hear from some of his fellow doctors in a couple days before deciding on a course of action. Oh, and maybe this month's New England Journal of Medicine will have an article or two. Besides, treating gunshot wounds is messy and time consuming. In the meantime the patient dies.
According to you, only the guy that did the shooting is guilty of a crime. It's called negligence, and it's legally valid.
Not patching
in the long run (Score:3, Insightful)
He has demonstrated to them the importance of security, and demonstrated to end users the importance of patch management by exposing this vulnerability.
If he did not do it, someone else would have. We are just lucky Sasser was noisy and identifiable. A subtle worm which requires Tripwire to detect which spread on the same scale would be a disaster indeed!
Re:in the long run (Score:2)
Spare me. What arguments like this neglect is that this kid's actions had a cost, and that he should be held liable for that cost, not congratulated. For example, admins could not take the risk that the virus was harmless, and had to spend a great deal of time and effort tracking it down and stamping it out.
The cost goes beyond the financial, too. If the virus got loose in a safety-critical environment (hospital, air traffic control, power plant, tak
script kiddies (Score:5, Insightful)
Re: (Score:2)
He's lucky! (Score:2)
At least he wasn't busted with pirated music. That carries a real penalty.
Z3R0 C00L (Score:3, Funny)
Just no need for this (Score:4, Interesting)
On the other hand (Score:2, Interesting)
I'm amazed by the
Re:On the other hand (Score:2)
Community service is definitely the answer, IMHO; no point in leaving him to rot in prison, much better to get him out, and doing something useful!
Re:On the other hand (Score:5, Interesting)
I was saying goodnight to a friend/colleague who is a medical doctor the other night, and he was meeting a consultant after work. The consultant mentioned that the <insert name of large London hospital> was suffering a virus attack, and most of the computer systems were screwed.
Now, moan all you like about choice of OS in a hospital, but it seems to me that it's not just 'business' that gets harmed. There's no magic wand that means that non-profit organisations, charities or hospitals don't get pwn3d by viruses.
Re:On the other hand (Score:2)
Second, yeah like businesses need a justification that "a virus writer cost us downtime, time to jack up prices." Greedy business men have done a fine job w/o that excuse for decades.
*ducks* (Score:5, Funny)
Sorry, fry the kid. Use this as YET ANOTHER... (Score:4, Interesting)
Re:Sorry, fry the kid. Use this as YET ANOTHER... (Score:2)
Ah, but he was a minor. If you're going to fry someone, fry his parents. I'll bet you that will make a difference to the supervision levels of kids using computers.
Re:Sorry, fry the kid. Use this as YET ANOTHER... (Score:5, Insightful)
You may not have been serious, but luckily for everyone concerned Germany is in the EU - where the prohibition of the death penalty is a condition of entry. Plus it would appear that the West German constitution of 1949 abolished it anyway [wikipedia.org].
I've never quite understood how supposedly civilised countries can put their citizens to death, for whatever reason. The no-death-penalty, no-extradition-to-face-execution clauses of EU membership make me inordinately proud of being European...
Re:Sorry, fry the kid. Use this as YET ANOTHER... (Score:2)
Debating whether to post AC.... Nah.
It's still not right. (Score:5, Insightful)
Think of it this way, if you have a kid that is playing in a playground, and you look away for a minute or two, is it right/justified for a kidnapper to take your kid? Sure, it was your fault that you were not looking, but does that mean that since there was an opening to take your kid, someone is justified in taking your kid?
Sure, a would-be kidnapper may come up to you and say "hey man/lady, your kid isn't being watched and could be taken easily". Even if the parent STILL keeps an eye on their kid, does that make it right for the kidnapper to THEN take your kid just to prove a point and to let others know you were not looking?
This hacker deserves to be put in prison, they need to send a message saying that making viruses isn't right and it will not be tolerated.
Do something progressive... (Score:4, Interesting)
These kids hack, because they are at the age of destructiveness. They don't have the vision and maturity to reach the creativity stage, because they have no role models to do so. This kid's skills are good enough to make him a skilled security professional, and he didn't know enough to hand Sasser over to a Secunia and make himself well known in the process and probably have job offers. I'd like to hear his rationale for releasing it into the wild before deciding on how to treat him, but most of these kids do it for the kicks and respect of dysfunctional peer groups (i.e. other hacking clans). Need to show them a better way.
Re:Do something progressive... (Score:4, Insightful)
Meanwhile the kid down the street, who knows just as much about computers but somehow managed to resist the temptation to drop a worm on the internet, gets to work two jobs and apply for scholarships and financial aid and try to figure out how he'll afford a higher education.
That'll teach 'em.
Two thoughts on this (Score:2)
2) Not every employer is going to want to hire such
Re:Do something progressive... (Score:2)
Whose fault is this really? (Score:2, Interesting)
While I'm glad the kid is going to get taken to justice, I'm still a little troubled by the fact that all
A slap on the wrist (Score:5, Interesting)
I think a lot of kids commit crimes with the "knowledge" that if they get caught, it would be a slap on the wrist and go away when they turn 18.
I would have no problem with this... (Score:5, Insightful)
Anything less is hypocrisy and posturing - "having our cake and eating it, too"...
Copped to doing it on his first day (Score:3, Interesting)
http://news.bbc.co.uk/1/hi/technology/4649361.stm [bbc.co.uk]
String him up! (Score:3, Insightful)
Five Years! (Score:4, Funny)
Partial transcript from the trial (Score:4, Funny)
Prosecutor: I think I'm entitled to them.
Jaschan: You want answers?
Prosecutor: I want the truth!
Jaschan: You can't handle the truth! Old man, we live in a world that has firewalls. And those firewalls have to be set up by men with MCSEs. Who's gonna do it? You? You, Mr. Ballmer?
I have a greater responsibility than you can possibly fathom. You weep for Windows XP and you curse Microsoft. You have that luxury. You have the luxury of not knowing what I know: that Windows XP has faults, while tragic, probably saved jobs. And my existence, while grotesque and incomprehensible to you, saves jobs...
You don't want the truth. Because deep down, in places you don't talk about at LAN parties, you want me on hacking that firewall. You need me finding exploits in that firewall. We use words like reboot, blue screen, exploits, Microsoft...we use these words as the backbone to a life spent hacking something. You use 'em as a punchline.
I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very exploits I find, then questions the manner in which I exploit it!
I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a real firewall and configure it. Either way, I don't give a damn what you think you're entitled to!
Prosecutor: Did you write the Sasser worm?
Jaschan: (quietly) I did the job you sent me to do.
Prosecutor: Did you write the Sasser worm?
Jaschan: You're goddamn right I did!!
Give the kid a job (Score:2)
Maybe his parents weren't paying any attention to him, or perhaps he felt lonely and unnoticed. We don't know what this kid has gone through, but he probably doesn't belong in a jail cell!
Just because the kid caused some of you sysadmins a hard time (ok, you lost some money too) doesn't mean he shouldn't receive mercy and understanding. The kid has some skillz and motivation
Mischief (Score:2)
OK, you could say the writer wished to cause harm irrespective of target. Like dumping nails on a road. But then you get into a slippery slope of criminal intent. He caused harm. What about all those who spread their worm through their unpatched systems? What about those who had been w
Re:I don't get it (Score:4, Insightful)
Re:I don't get it (Score:5, Insightful)
Yup. (Score:2)
Pfft. Tell that to Wynona [eonline.com] .
Re:I don't get it (Score:2, Offtopic)
Re:I don't get it (Score:2)
Re:I don't get it (Score:5, Insightful)
I'm sorry Officer - I only shot him to see what would happen. You don't understand the hacker mentality
Re:I don't get it (Score:5, Insightful)
Let me use this analogy: A kid throws a rock in a mountain, causing an avalanche. Turns out the guys who were warned about possible avalanches didn't do their work, like putting protective fences, blah blah.
So, when people die because of the rocks falling, suddenly a kid's the ONLY person guilty?
Give me a break.
Re:I don't get it (Score:2)
Re:I don't get it (Score:3, Insightful)
Problem is, the kid wasn't the FIRST ONE to throw a rock at the same spot. If he's not the first, but the FIFTH, aren't the people in charge of that mountain responsible?
Re:I don't get it (Score:2)
It sounds like the kid and god are conspiring against the kid and anyone else in the path of the avalanche. I sure wouldn't blame some minimum wage fence jockeys. I bet they already have enough problems.
Yes he SHOULD. (Score:2)
Re:I don't get it (Score:3, Insightful)
Remember the first internet worm? That was an exploit in sendmail. There are rootkits for linux.
Still think the authors should go to jail? Or is it somehow different because MS charge for Windows? My company has bought plenty of copies of RedHat...
(Oh, I'm ignoring the fact that that's the most flawed analogy I've read here in a long time - the author of the sasser worm wasn't som
Re:I don't get it (Score:5, Informative)
Moreover, he is tried as a juvenile. In Germany, you are invariably tried as a juvenile up to 18 years of age, and more typically up to 21 years if the court determines that "your character is not completely formed". Sentences in a German juvenile court are not primarily for punishment, but to provide guidance and education. Very few juvenile offenders go to prison (and if yes, none goes to an adult prison). Typical sentences include mandatory social work or weekend arrests.
Finally, first time offenders always get much lower sentences, and prison sentences up to a year are nearly always suspended (for first-time offenders with reasonable behaviour and prognosis, so are some longer sentences).
So his risks of actually spending time in prison are rather low.
Re:I don't get it (Score:2)
Re:I don't get it (Score:2, Insightful)
Re:lesser penalty? (Score:2)
I don't believe in capital punishment at all. Not that some people don't deserve to die for their crimes mind you, but the government certainly isn't to be trusted with such decisions.
Minors get lesser penalties, because for the most part, they're all idiots.
While I feel this guy deserves to be punished, I don't feel he needs the book thrown at him.
Re:this is how you reduce cyber crime (Score:2, Flamebait)
Well, aside from the fact that your statement doesn't make much sense...
He confessed (or possibly 'made his convictions known') to the 'crimes.'
So, he has already admitted his guilt, and is now waiting to see how wide to open up.
Like 'Federal Pound-Me-In-The-Ass-Prison' wide, or Goatse wide...
Actually he deserves solitary. (Score:2)
I'd lock him up on a fenced in acre of Wyoming with a bunch of books on ethics and have his meals brought in by an armored book mobile robot.
Later, I'd expand the range of books to include self-help books.
His attitude and actions deserve ostracism and we deserve to be protected from him.
Re:Wrong side of... (Score:2)
Heh, that'll be the day... software security and stability has done nothing but go downhill since the mid 1990's. Programmers always bitched about how there were so many different types of hardware and so many different drivers, and this was why it was so difficult to create programs that worked well on every machine. Microsoft PROMISED that Windows '95 would take care of all the low level stuff, creating a uni
Re:Wrong side of... (Score:2)
Re:Wrong side of... (Score:4, Insightful)
Banks don't dock money from your account because they have been robbed.
Re:The Logic of Executing WormWriters (Score:2)
The above is the full text of the Eighth Amendment to the Constitution of the United States. Unfortunately for this guy, he's not an American. Thankfully, the whacko in your link can't enforce that kind of idea in the U.S.
Re:Freedom Corporate cash (Score:3, Insightful)
In the UK, Sasser forced staff at the Maritime and Coastguard Agency to return to manual map reading because computer systems were made unusable by the worm.
Check-in for some British Airways flights was also delayed thanks to Sasser.
Around the world, the Australian Railcorp trains stopped running because computer problems caused by Sasser made it impossible for drivers to talk to signalmen.
In Taiwan, more than 400 branches of the post office were forced to use pen and paper