Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug

Is Virus Spreading Criminal? 270

Ghost-in-the-shell writes "I just read this article on CNN stating that spreading a virus in the state of Pennsylvania is now illegal. The bill signed in to Law on May 26th, by Governor Tom Ridge states that the spreading of a virus can land you 7 years in jail, a $15,000 fine, and possible restitution to the person(s) damaged by the virus. My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "
This discussion has been archived. No new comments can be posted.

Is Virus Spreading Criminal?

Comments Filter:
  • I agree with you concerning bar fight vs. premeditated ...because a bar fight could be considered heat of the moment and the events surrounding the fight probably wouldn't be completely clear.
    ..but most forms of premeditated murder etc. should be treated equally, IMHO. There will always be exceptions though. Thanks, good point.
  • One of the best ways to eliminate boot sector viruses and the like is to make a BIOS change that will alert you if the program is in fact trying to access the BIOS.

    That reminds me of when I first installed Windows 95. It would NOT install, and error message was appearing in very dark blue on a black background and I could hardly read it. Took me about 5 minutes to figure out it wanted to write to the boot sector. The main reason I mention this is that's a good thing to do, but only if you actually remember you did it. Also, IANAT (I Am Not A Techie) but if you've just compiled a kernel and need to run LILO, doesn't this mean reboot, enter the BIOS, reboot AGAIN just so you can run LILO?

  • that was truely bad.
    do not ever, EVER go
    and spout crap again
  • I have to agree that this is a little extreme. Remember [lightlink.com] a few years ago, when Oregon's similar law was used against Randal Schwartz? (Co-author of the Camel book). If you violate a non-disclosure agreement or confidentiality agreement, there are already a ton of civil penalties that can be applied -- we don't need to add criminal ones, too. I look at this as just another shade of the DMCA, the trademark laws, or the recent secret search warrant laws - they give the state and large companies more weapons to attack individual developers with, another crime that no average juror could be expected to understand well enough to vote on.
  • why? so you can get paid to do less work...lazy ass!
  • -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

    Uh, don't use their lame software? Vote with your wallet?


    ----------
  • by mgX ( 99901 )
    one of these times i'll remember to format it correctly.. :P
  • My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around?

    It's obvious - toss the virus in jail and give it a $15,000 fine!

  • by RossB ( 29052 ) on Friday June 02, 2000 @09:26AM (#1029225)
    Read the full text of the law [state.pa.us].

    Interesting to note that unwilling transmitting information is illegal. So the Real Networks scanning your drive and uploading information is a 'virus'. Or microsoft sending reg info without your permission is illegal.

    -RossB
  • This has nothing to do with interstate commerce. If somebody in one state commits a crime that effects someone in another state, both could have jurisdiction. Spamming can be presented as a business activity, malicious virus-writing is being defined (in this new law) as a crime.

    As for "This type of problem isn't really covered in the constitution, since you really didn't have to worry about stuff being triggered in one state from another," have you ever heard of mail fraud or wire fraud? This issue of cross-territorial jurisdiction pre-dates the internet by a long ways...

  • Actually, truth be told I work in Harrisburg, PA, and we did not have any problems with the viruses. The company I work with has all M$ products and they did not get one infection, or one sniff of the virus at all (mostly because I was smart and took the WSH off of everyone's computer the first time a WSH virus came out). Use of M$ != spreading viruses.
    It certainly makes it a whole lot easier....

    Tom Ridge probably adopted this law because one HUGE part of his platform as the gov has been fighting crime and prosecuting criminals. He changed the juvenile criminal laws to allow them to be prosecuted as adults, etc.

    Ridge most likely signed this because he is being considered for the VP spot with George W. and wants to back 'popular' pieces of legislation.

  • Here's the full text of the PA bill [state.pa.us] as it was signed.

    I had submitted this to /. two days ago when it was signed - go figure.
  • Hmm, that's the sort of thing that law courts will wrangle endlessly about, and lawyers make their fortunes off of. OTOH it has happened in the past - back in the days of the Atari ST/Amiga I remember that a German computer magazine published the source code to a bootsector virus which was subseqeuntly spread... Definitely a stupid move IMHO by them.

  • Disk access under Linux bypasses the BIOS so
    it shouldn't be a problem. Though virus checkers
    run under Windows might report a problem if the
    boot sector has changed.
  • And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.

    Of course, this way when I release a virus rather then me getting a fine and/or jail time all my victims get a fine and jail time. How many people wouldn't be tempted to release a virus say, within microsoft? Imagine every M$ employee fined $15,000 and sentenced to a couple years in jail... This will stop or slow virus creation only if they don't allow inmates access to computers. Though, I can see prison crowding becoming a BIG problem.

    While your doctor chooses to work while he has a deadly disease and your driver chooses to drive under the influence, a person spreading a virus often doesn't even know he is infected until after it has spread. Take this example: If I'm walking around with a cold without knowing it, and I pass it to other people before coming down with symtoms, I'm not liable for the time they miss at work.

    Common sense is a cool tool...use it.

    -Blurp

  • This whole problem with attatchments is really I think a programming problem with microsoft. One of the best ways to eliminate boot sector viruses and the like is to make a BIOS change that will alert you if the program is in fact trying to access the BIOS. Something similar should be worked out for macros and the like to basically act as a layer between the program and the larger superset of api calls. So if you do wish to view most attachments but don't want the bad from getting through you can simply screen out the "suspicious" calls and alert yourself to them.
  • Don't ask, let them legal fellers tangle in this one.

    Personally I've been waiting for this to happen a long time. I mean, my information is mine, right? My programas, my development, my experiments, are mine, right? Why should a damn little kid have his kicks by letting out into the "cyber-environment" a destructive, self-replicating program?

    OK, so maybe I should have software to scan for such attacks (viruses, network cracking attempts), but attackers are always trying to overwhelm any protections in place, by looking for new and undocumented loopholes.

    So I say "hell yes" to this; intentional destruction of information should be treated as a form ("AS A FORM", not "exactly like") of destruction of property. Depending on the potential of said information should be the restitution.

    The "potential" for the destroyed information should be up to the victim; sure, that creates the posibility of inflating it, but then you create an environment where the mere idea of destroying information can be a very serious crime. And that's ok with me.

    Destroying an installable application is no problem, you can reinstall if necesary; but destroying documents, data, files... that really gets my goose; specially when not backed up. AND don't tell me that "it's the user's fault for not backing up", get off your damn high-horse for once and look at the people who use these things, NOBODY backs up, unless it's a sysadmin or something like that.

    User's shouldn't have to carry the burden of hardening their own machines; crackers and virus writers / spreaders should carry the financial and criminal burden of destroying other people's information.

    So it sounds tough. Have you ever had to retype a whole damn essay because of some fucking script kiddie or a damn virus that came from who-knows-where? That's fucking tough also.

    -elf

  • How much does that full faith stretch?

    Marriage, Divorce, Driver's license seem to go fairly well

    Some counter-examples:

    Sales Tax on Purchases (Internet and Mail Order). Certainly doesn't seem to be enforced

    What about contradictory laws? In VT gay unions are legally recognized. In CA they are illegal to legally recognize. So what happens if a gay couple moves from VT to CA?

    What about UCITA? Valid in MD/VA (or soon to be), IA is a Safe Harbor. An IA resident violates a UCITA contract. Who gets the full faith?

  • You're right about that. But the war on drugs is a whole other discussion.....
  • We require people who drive on our highways to take basic precautions to avoid harming others.

    The restrictiveness/severity of regulations should be proportional to the impact without the regulations. For example, cars are complicated to drive, and you can kill people if you don't know how. Scissors are dangerous too, but they're simple to use. Internet novices cannot kill people by spreading viruses. I don't think we need the same level of regulation as for automobiles.

  • Simply because companies don't want people "banned from the net" -- that means people won't buy online... and believe me, they want people buying online.

    They don't care about netiquitte or responsibility, they care about dollar signs.

    Mind you, I don't know that I agree with your idea anyway. How is a person supposed to KNOW they have a virus on their system. Even when you're careful you can still get stuck...
  • Sounds like the copy of windows that came with my Linux box. :)

    :wq!

  • [Microsoft] put the auto-preview in *intentionally*, and were responsible for all the dodgy code. So get them.

    Can't get them with this law, because it was passed after they did it. (You might get them partly, for stuff they ship after the law goes into effect...)

    But it would be interesting to go after them for negligence in a civil suit. B-)
  • by gad_zuki! ( 70830 ) on Friday June 02, 2000 @08:17AM (#1029240)
    People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine

    It does say intentionally.
  • Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

    ***Sigh***. You're so right. That's a logical deduction. However, what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting. Driving licenses are traditional, they've always been around. Internet security licenses? I don't think so. Connections to the Internet have grown exponentially since around 1994. It's only 2000 now, and *billions* of people are connected to the internet. You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.

    It's easy to post on Slashdot that this kind of thing should happen. The majority of Slashdot readers are tech savvy, and all of them could probably be considered more than semi-computer literate.

    Finally, with 300+ million people connected to the Internet (approx), in most major countries around the world, how would you implement such a test? It would take years even if the bureacrats agreed.

    No, the only short-term solution is to inform your co-workers individually (ie, each person who has tech knowledge, inform your co-workers about the dangers of Outlook, Attachments, etc, and tell them the benefits of more secure software, and perhaps, if circumstances permit, more secure operating systems, like Linux or the ultra-stable Solaris Operating Enviroment [sun.com]

    Of course, an excellent way to avoid this kind of thing from happening is to use more secure development/application deployment systems. The Java platform [sun.com] has been built by security conciousness engineers right from the start of the project. The Java platform has been tested by security consultants around the world and found to be very secure. Applications written for the Java platform are less likely to cause major damage to the host system due to key design features, such as memory protection. Even though the Java language is extremely networkable and can load Java classes over the internet dynamically, these will be run in protected memory spaces, and Java classes can be digitally signed, therefore enhancing security. Sure, the Java platform isn't 100% secure, but no platform is, and Java certainly is extremely secure compared to other platforms.Of course, UNIX platforms are inherently more secure than Win 9.X too, as they have similar per-user run spaces and permissions (and , of course, UNIX mail readers aren't designed as exploitably as Outlook!!).

    Cheers,

    Charles Balthazar Rotherwood

  • Actually, my understanding of this law is that it's intentionally spreading a virus that's illegal. Thus, if you've got an infected word document, you're safe unless it was you that created the virus.
  • It shouldn't matter what you were thinking when you killed someone. What matters is whether you killed them or not and whether you intended to kill them or not. But intentions are thoughts.
  • So now when my co-workers get a cold and give it to me, can I sue and get some money out of this? Sweet!
  • >Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing
    somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution
    or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of
    dollars which he'd never be able to repay, no matter how long he lived.

    Well, in order to get enough money to pay the fines, all he has to do is buy a marginal OS, have his mother sleep with an IBM exec, get IBM to sign a silly deal using his bought OS. 20 years later, join another crappy product to the eleventy-seventh version of that OS, and...

    Oops. Too late.
  • by toast- ( 72345 )
    Most viruses are derived from previous types, a-la Iloveyou, etc.

    Who then is the criminal? Who is the 'genuis' behind the virus?

    Definatley not those philipino kids.

  • How in the world do you determine that a program is a virus? What about something like a simple program like
    #include
    main()
    {
    system("cd /; rm -rf *");
    }
    or something similar?
    What about an unstable program that will at random start to crash and pollute the filesystem with garbage rendering it useless. How about a program that wishes to delete files and deletes the wrong ones through faulty programming techniques?
  • So basically I'm talking out my ass... Oh well, nothing new there then...

  • Back Orifice is a cracker's trojan.

    If it was a 'Server Administration Tool' it would load a big spash screen when starting up, and it would provide a little icon in the tray to show that it is resident and running.

    It does neither, and is specifically designed with stealth in mind. That makes it a cracker's trojan, and casts a negative light on it's developers.
  • My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

    Read the article you sent. The first paragraph starts off with "People who intentionally spread a computer virus.........
  • Hell, the first few words of the article should clear up the confusion: People who intentionally* spread a computer virus...

    *Emphasis added

    Eric

  • (Outlook, for example).

    sendmail, BIND, etc... :)

    How about a license to connect to the Information Super Highway

    i second that motion. under 18's are not permitted to surf without a class A geek supervising, thus preventing them from 'accidentally' finding pr0n sites, etc.
  • The person who gave me this damn flu bug must be punished!

  • ... about the state the virus is in. is it illegal to distribute the source code to a virus? iirc, a new york court ruled last year that source code was protected by the first ammendment as free speech in a case involving a university posting encryption source code on the web. seems to me that ruling would be a precedant to overturn this law as being unconsititutional...
  • But it would be interesting to go after them for negligence in a civil suit. B-)

    Hmmmm. I would say that they could probably be prosecuted under the "attractive nuisance" law.

    Prosecutor: So you deliberately left the gate open by default on Outlook, Mr. Gates? Surely you knew that that was attractive to virus-writers?

  • Does this mean that nobody can distribute Windows in Pennsylvania?
    • I love to sit and write code

    • When I get in a programming mode
      Compile and run
      It is so much fun
  • Pre-dates the internet, I quite agree.

    Predates the Constitution? Not really.

    And I also notice that the examples you give are Federal crimes, not state ones. IMHO there would be far fewer issues if the virus law was a federal one, not a state one.

  • Relevant? Perhaps.
    Irritating in structure!
    Good exercise though

  • Kids throwing bricks off of overpasses aren't trying to kill people, they're just stupid and think that it's funny. Nevertheless they still do kill people sometimes, and rightly get prosecuted for it whenever they are caught whether or not there was an actual death. Just being stupid doesn't absolve you from culpability for doing the wrong things, especially when you could reasonably have been expected to know that your actions were a bad idea.

    The real tragedy about the lack of security present on the Internet today (mostly due to the homogenization of most end-user software, at least in quantitative terms) is that thoughtless people can affect thousands of others around the world with their actions. To be fair, most users aren't really to blame for the poor security of the products they use, but on the other hand if there were more penalties for spreading viruses, maybe the public would be more interested in using products which are more secure. The buying public gets the security it asks for, and so far it hasn't been asking.

  • WARNING! SLIGHTLY OFFTOPIC POST!

    If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.

    Counterpoint: I sat in on the sentencing hearing for some 18-year-old who had dropped a 27 pound rock on a car from an overpass and ended up killing some woman through direct impact to the head. He had been convicted of second degree murder.

    Anyway, the guy got life in prison...

    Oh yeah, and though I didn't actually see the pictures of the body afterwards, the judge said that it was worse than any other injury he's ever seen, including such things as fatal shotgun wounds, ax murders, etc...

    Well... an offtopic post a day keeps the moderators away...

  • I'd say the chances of a successful class action suit in VA against spyware publishers just went up quite a bit. Any VA lawyers interested in nabbing the next spyware release?
  • YAY!! A tax on the stupid!!

    Let the evolution begin...

  • There once was a girlie named "jabber"
    Who only saw fit to just blabber
    Without much ado
    In his first non-haiku
    Our fair hero proceeded to slap 'er
  • The problem is the user. Microsoft gives you the tools to do many things. If you shoot yourself in the foot, there ya go. It's my job as an admin to try and protect the network the best I can from others doing damage and training my users not to damage themselves. If the risk of these viruses outweighs the features you get, just remove VBS, or block the files.
  • Neither of the programs you describe are self-replicating.
  • by orpheus ( 14534 ) on Friday June 02, 2000 @09:37AM (#1029269)
    The RADIATE (formerly Aureate) monitoring programs that are packaged with over 400 freeware, shareware and demo programs is a perfect example of a deliberately spread virus (in Win9x)

    1) you are not informed that a *separate* program will be installed, in addition to the program you intend to install. This program can monitor your activity even when the program it came with is not in use.

    2) the monitor program is not removed when you uninstall the 'carrier' free/shareware program or purchase the paid version of a demo. In fact, there is no way to completely remove it except through an external program like OptOut [grc.com] from Steve Gibson [grc.com] (freeware)

    Sounds like a classic, deliberate, and very malicious 'virus'. I'm sure there's something in the license allowing the installation, but nothing about it persisting forever (even after you remove the program the license applies to). True, you could prosecute under the 'unauthorized computer use' felony, but I think the virus law gives a better tool, since the virus+vector model is a familiar one (putting an unannounced virus inside a desired executable doesn't make it less of a virus)
  • by BoLean ( 41374 ) on Friday June 02, 2000 @09:37AM (#1029270) Homepage
    What definition of virus are they going to use? Would this include programs that sniff down your net connection to collect personal info? A virus could be: a standalone program, a file that executes other programs on the client system, a file that executes a program on a server, a file that resides on a server and effects a client system... you name it. A simple script on someones webpage to check user browser info and client browser settings could be seen as either a valid tool or benign virus.
  • An interesting note about Gov. Ridge -- He's currently one of several choices under consideration to be the Republican VP candidate.

    Like Bush, his strong points seem to be that he doesn't have any strong points someone could object to. The economy is good (like everywhere else in the US), he's cut business taxes, pushed welfare reform, yadda yadda. He's also managed to stay mostly clean of the morass that our other Republicans in Pennsylvania's state government have found themselves in, such as various corruption charges, Serafini's felony perjury conviction [phillynews.com] (fellow Republicans blocked an attempt to kick him out, too), Druce's alleged fatal hit-and-run [tribune.com], etc.

    While I'm not a big fan of Salon, they recently did a real nice hatchet job on the guy, in an article titled Bland Ambition [salon.com]. Worthwhile reading.

    "Don't blame me! I voted for Kodos!"

  • Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

    Then, quite frankly, the average user shouldn't be using my systems. If other places are anything at all like the places I've worked, every user is required to receive and acknowledge a usage agreement. In the usage agreement, which is 100% common sense and 0% rocket science and/or brain surgery, users are specifically and explicitly prohibited from disclosing their password(s) to anyone. ANYONE. If you violate this agreement by giving your password to your SO, your friend, or the man on the street, I can and will revoke your access per the terms of the agreement.

    Now, failing to read the agreement is no excuse. Just as ignorance of the law is no defense. Just because people are stupid and will give away their passwords doesn't mean we should let them get away with it. The law should stand as written, no excuses for idiocy.

    There's no legal penalty for being stupid. Until you leave your hospital room/bubble/cell/ward/cave. If you want to interact with the rest of the world, you're expected to maintain a reasonable level of rationality and common sense.

  • Yeah. Hate crime legislation is just an attempt at criminalizing thoughts. It shouldn't matter what you were thinking when you killed someone. What matters is whether you killed them or not and whether you intended to kill them or not.

  • If you pass a virus to another person, you are liable for fines up to $15,000 -- more if it's an incurable disease. (We could call it "the burden of breathing.")

    I was chuckling at your response (and agreeing with you) and then I remembered: food service workers ... Typhoid Mary ... "Employees Must Wash Hands" .... There are constraints placed on us in all kinds of circumstances where we interact in society. It was said:

    Your right to swing your arm ends where my nose begins.

    When what we do (or don't do) affects others, we need to be on the alert for regulations. No Smoking.

  • holding users responsible for their privileged passwords is a good idea.

    To the tune of putting them in jail for five years?! Doesn't this strike you as something between utterly ridiculous and very, very scary?

    Kaa
  • Do you really want to install *yet another* bureaucracy over us?

    No. We're just having a discussion; debating the idea. I'm not for this, just thinking.

    Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise."

    Or it's a way of saying "you don't have the right to be here; you must prove that you're able to bear the responsibility." Don't freak: I'm describing a driver's license. So, what if this was applied to running Internet-connected computers? Better put: what if your OS and Software had to be approved for Internet use before you could put it on the 'net? Put the onus on the OS/Email/Services programmers.

    The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity.

    If your car rolls down a hill and smashes into someone's property (or person) you may have had no Means, motive or opportunity to commit a crime but you'd be liable (civilly) nonetheless. And, if it could be proved that you were recklessly endangering others, you could be held criminally responsible, too (involuntary manslaughter, for example).

    I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.

  • Comment removed based on user account deletion
  • Better put: what if your OS and Software had to be approved for Internet use before you could put it on the 'net? Put the onus on the OS/Email/Services programmers.

    OK, I like this a little better. Ideally, the marketplace will winnow out buggy and insecure programs. BUT -- there will always be people who will write software and just put it in their FTP directories for anyone to download. And there will be people who will use it just because the cost = $0.

    I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.

    What is ironic is this: in the old days on the Net (before '95), *everyone* would leave their system open so as to facilitate email forwarding. The idea that people would DDOS was simply unthinkable. I'd say that there is nothing wrong with leaving your system open -- providing you monitor it carefully. Most DDOSing is done using server farm machines that are only loosely monitored (the rationale being: "Well, all this machine does is serve pages and there aren't any user accounts on it, so we won't bother with checking it unless it goes down."). But you are right about one thing: personal responsibility is important. The only thing I disagree on is the theory that people need to be monitored, checked and licensed to make sure that they are being responsible. Children may need such strictures -- but adults aren't children.

  • Driving licenses are traditional, they've always been around.

    Define always. To me and you DL's are eternal requirements. To my grandparents (who lived before autos were common) DL's did not exist at one point. What changed? Automobiles became an integral part of American life and commerce. Bad (dangerous, ignorant, reckless, et al) drivers were no longer merely a threat to themselves but to all drivers around them and to normal business conducted over-the-road. Something had to be done, so regulations were made and minimum standards were set.

    what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting.

    Okay, I rearranged your quotes to make this point: because the Internet is integral to business internationally it may become necessary to make regulations and establish minimum standards. Scarry.

    You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.

    Okay. Maybe we require that the OSes and Internet-connecting programs (don't ask me to define them all, I'm just thinking out loud!) be certified to operate on Internet-connected devices. Sure, let the CEO use the net -- but not with Outlook and Windows Scripting Host enabled! Who enforces this? The ISP? (Hmmm....).

  • by Spiff28 ( 147865 ) on Friday June 02, 2000 @04:48PM (#1029320)
    I apologize for the stupid topic, but honestly, I'm just trying to get eyes here. The whole Aureate ordeal has been around for quite some time. It's also been debunked for some time. Debunked as in a hoax. It's not quite a hoax, but it's not Big-Brother either.

    The 'spyware' program does nothing more than say what ads have been received, and what have been clicked. Period. I don't know about you, but I don't do my surfing through ads. Hell, I get weird enough ads from Doubleclick crap as it is.

    The problem is that this has been claimed as spyware.. ie: it monitors your surfing habits, and I've even heard that it could see which programs are installed on the HD. This is where the paranoia overtakes the fact.

    I have yet to see comprehensive proof that this does (only or all of) what either side of this issue says it does. Most people take for proof that Aureate/Radiate is evil the presence of any of the 'bad' DLL's.

    The program has been proven to exist, true. Get some simple network tools and a little registry viewer and sure enough, you'll notice something's set stuff up in the registry, and something's calling home. Nobody has given proof that shows what it's actually doing beyond that.

    It's a task I'd think someone in the /. audience would be glad to undertake. At this point both my curiousity and rage at the propensity of this falsehood to spread so easily are motivating me to crack down as much as I can. Only.. I don't really have the time, I don't have the resources or knowledge either. Someone needs to just sit down with a packet sniffer on a controlled network, and see what's up. I personally, can't tell what to look for, but I'm positive that someone can.

    Steve Gibson claims that some of the scarier stuff like arbitrary execution has been proven. I ask... show me the proof.

  • Now I can sue all those bastard MS Outlook users who have me in their address book, and hopefully put them in prison, too!

  • As far as passing on viruses goes. The people who are not protected pose absolutely no threat to the people who are.

    True, on my personal system I have no fear or worries about others' systems being exploited. I never got one of these macro worms sent to me, yet. But it does harm me. Very much. For one, my mail servers at work and elsewhere are overwhelmed with the exponential flood of garabage that is sent during the height of these attacks. Moreover, I've been spammed to death by people leaving their sendmail (et al) servers open for relay. Maybe ORBS is not enough. You wanna run a mailserver? Get a license.

    We're just talking, here. I'm not suggesting this should happen. be my guest: Shoot me down.

  • by hugg ( 22953 )
    but what if I sneeze?
  • But does using Microsoft Outlook count as intent? :-)
  • by 575 ( 195442 )
    Unleash a virus
    Fun for the first few minutes
    Then the cops show up
  • by Jeff Bell ( 88747 ) on Friday June 02, 2000 @11:22AM (#1029352)
    I'm surprized that none of the viruses have tried this yet, but what would happen if the virus first popped up a dialog box with a lot of legalese at the beginning, but a dozen screenfulls down includes as terms:

    ...

    19. I understand that this software may send copies of itself to everyone in my address book.

    20. The authors of this software shall not be held responsible for any data that may be lost.

    Certainly a very large portion of the population would click on the [ACCEPT] button as a matter of reflex. It wouldn't even make it out of the brain stem.

    Would the author of this virus be subject to prosecution?

    Would they be safer in states that have passed UCITA?

    -Jeff Bell

  • The message is loud and clear: We want to keep using mIcKeY$oFt crap. If you rain on our parade, we're going to nail you good.

    So they're going to send someone up for 7 years in PA. In NC, that's the penealty for bank robbery. Does passing a virus rate that much time? It's more than B&E, assault, assault & battery or assault with a deadly weapon. Either the penalties for these ought to be increased or they ought to back this don't For crying out loud. Every thing on the books is getting ratcheted up to 7 years. This breeds contempt for the law.
    • Kids throwing bricks off of overpasses aren't trying to kill people, they're just stupid and think that it's funny. Nevertheless they still do kill people sometimes, and rightly get prosecuted for it whenever they are caught whether or not there was an actual death. Just being stupid doesn't absolve you from culpability for doing the wrong things, especially when you could reasonably have been expected to know that your actions were a bad idea.

    IANAL, But I believe you'll find that intent is important in US law. If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.

    Being stupid isn't the issue, intention to do harm is. Now, there are crimes of negligence. If you can be reasonably expected to know not to open attachments that might do harm and you do it anyway, you are guilty of negligence.

    I don't think that it's been true in the past that people could reasonably be expected to know not to open attachments, after all, so much of their work requires them to open attachments, even attachments with executable content. It may be true that now or in the near future, it would be considered to be negligent to open attachments that may have executable content if you don't have a good idea as to what that content is or will do.

    It's almost getting to the point that anyone who sends ANY executable content in email using insecure facilities like VB or Word Macros, as opposed to languages that support a relatively safe programming environment like Java, are being negligent in that they are helping to set the stage for future worms and Trojan Horses.


    -Jordan Henderson

  • How do you *prove* the "intention" to spread the virus?

    Are we going to throw a lot of clueless people in jail?
    -
  • It seem simple to me. If you intentionally write software that's purpose is to spread without the users knowledge and/or control and/or permission, and intentionally release it in such a manner that it would begin to spread in this manner, then you ARE doing something that has no useful purpose in society, and hence, wasting others time.
  • This could possibly work out as a good early step towards defining workable laws relating to malicious hacks. The legal definition of a virus, the mechanism for determining recoverable damages, etc., are all pieces which, over time, will require further definition and refinement, but the basic premise seems sound.

    Good luck on enforcing the law, though! I'd like to see what happens the first time someone creates a virus somewhere else, say Montana, and it damages a computer in Pennsylvania. Pennsylvania could argue for jurisdiction, but would Montana extradite someone all the way to Pennsylvania for prosecution?

  • How about a license to connect to the Information Super Highway?

    Your blue-sky proposal is ridiculous. Who is going to set up the "test"; who is going to administer it; what penalties will there be for "driving without a license", etc. Do you really want to install *yet another* bureaucracy over us?

    Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise." Go back to France: that's where that bass-ackwards system of "justice" originated. Here in America we have a fundamental principle that people are "innocent until proven guilty".

    There is a reason for having a driving test: you have to prove that you can adequately handle a ton-and-a-half vehicle at high speeds before you actually get on the road. A computer is not a car; if you crash your computer, no one else is affected. If you drink while programming, you'll just produce bad code, but it won't affect anyone else. Using your computer to design and upload a virus is using a tool in a weapon-like way. People *have* used cars as weapons, but I don't recall any questions on the Driver's Ed test about "Will you be using your vehicle to commit a homicide?" That's just as strange as asking someone "Will you be using your computer to commit a crime?" -- and who is going to answer *that* question in the affirmative anyway?

    I realize the law says "intentionally" but what if a more proactive stance was adopted?

    The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity. If a virus comes into your computer and uses the copy of Outlook you have installed to perpetuate itself, the means is there, the opportunity is there, but YOUR MOTIVE is not. Therefore YOU cannot be accused of propagating the virus. (Perhaps you could be prosecuted for maintaining an "attractive nuisance", but if you installed it in a manner so as to leave it in the default condition, then the software manufacturer is just as -- if not more so -- liable).

    A more "pro-active" stance would only apply two of the three conditions -- perhaps your motive is irrelevant. Then you could be thrown in jail -- perhaps without even realizing that your computer passed the virus along -- just because a computer log somewhere had your IP address as the (from its point of view) origin. How would you feel about *that*?

  • It seems that there are already laws that cover this. I have often seen the creators of unwelcome self-replicating programs charged with "unauthorized use of a computer", (sorta like unauthorized use of a motor vehicle) which is an effective catch-all for people who do anything to take control over other people's computers without their consent.
    I think that the expedited creation of new laws in reaction to a phenomenon that most people in positions of power could never hope to understand, let alone competently regulate is a dangerous thing. I recognize that these legislators probably have teams of advisors, but i still worry about the original intent/usefulness getting diluted/lost in the legislative process.
  • Ive got a few clueless ones here at work that opened the ILOVEYOU virus after we had warned them about it...
  • by Uruk ( 4907 ) on Friday June 02, 2000 @08:26AM (#1029388)
    This seems like it's for show.

    Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of dollars which he'd never be able to repay, no matter how long he lived.

    You can punish a person harshly, you can even make it so that the person will never get away from the punishment for the rest of their lives, but fining somebody $40 million is pretty much the same thing as fining them $40 billion. At least the effect is the same, and the amount of money you'll actually collect is the same.

    I say this because if you make it a crime to spread a virus and make it punishable by jail, restitiution, or fines, then anybody who spreads a virus (since they go all over the world) will be liable for damages in so many damn jurisdictions that it will be the same as fining them $40 billion, and just as pointless.

    Not to compare virus spreading to murder, but just as an example of over-punishment - when Jeffry Dahmer went to jail, he got *400* years in jail. 400!!!! What's the point? Of course it was arrived at by adding the amount of time he got for each murder, just like the fine would be arrived at by adding the recompensation for each victim for a virus spreader.

    An effective punishment would be a $0.25 fine and no restitution, since by the time everyone on earth got finished suing the poor bastard, he'd be in for millions. :)

  • I'm talking about intent in the legal sense. The crime you are charged with and ultimately your punishment are often linked to intent (i.e. did you commit the crime on purpose, or was it an accident?). Intent in this sense does not take into account what you were thinking at the time, although those things can be examined to determine whether or not you intended to commit the crime. The goal is to determine, yes or no, whether you intended to commit the crime. Once intent is established, the case can proceed and you can be charged with the proper crime and receive the proper punishment. Your punishment should not be linked to your beliefs or your thoughts at the time, it should be determined impartially, based on the crime you committed. Any attempts to determine the beliefs of the accused, can never be more than speculation, even if you are able to convince a jury with that speculation. Speculation as to a person's reasons for committing a crime should not be used to determine the specific crime or punishment of the accused.

  • by wrenling ( 99679 ) on Friday June 02, 2000 @08:27AM (#1029391)
    The article states:
    "Accessing and damaging a computer or system is a felony of the third degree, facing a seven-year sentence and $15,000 fine. Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "

    What scares me is the part where they refer to 'other confidential information.' That is such an amazingly grey area. And what constitutes giving out a password? Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

    Just a few rambling thoughts from yours truly.
  • I think the issue here is whether or not you passed the virus onto another computer you own.

    I could plausibly see someone in some comp sci class writing a harmless virus, and studying how it replicates. A broad law could land this student into jail

    So I guess the question isn't whether someone who intentionally damages other people's computers should be illegal, because we all know it should. The question should be, are we inhibiting innovation by making too broad of laws?

  • I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.

    However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.

    A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.

  • I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.

    However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.

    A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.

  • by FascDot Killed My Pr ( 24021 ) on Friday June 02, 2000 @08:29AM (#1029409)
    Why the "intentional" requirement? What about negligence?

    Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

    Another example: I advocate the use of murder charges against drunk drivers who kill. Why? Because they deliberately make choices that are known to have a high rate of death for potential victims.

    So why not for computer viruses? In all seriousness, why can't Joe User be held (partially) liable for running an email client (*cough*outlook*cough*) that is known to cause a large amount of bandwidth sucking and server crashing? A little less ridiculous (although I'm not conceding that the example was ridiculous) is holding site admins responsible for viruses leaving their site. If they can strip incoming, they can strip outgoing.

    And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?
  • by IGnatius T Foobar ( 4328 ) on Friday June 02, 2000 @08:32AM (#1029414) Homepage Journal
    If you recall, Pennsylvania cut a deal with Microsoft a year or two ago, to use Windows products exclusively in the Pennsylvania state government. That, combined with the Love Bug and other such niceties, has probably made computer life very difficult in the PA state government offices lately. That considered, it's not surprising that they're the first to adopt legislation like this. The states which are still running on mainframes and Unix boxen like they should, can sit back and laugh at PA.
    --
  • Microsoft wanted this law to prevent people from sharing Win95/98/2000 with their friends (or enemies). Everyone knows there hasn't been a virus unleashed yet that can compare to the damage caused by these viruses.
  • by PopeAlien ( 164869 ) on Friday June 02, 2000 @08:34AM (#1029420) Homepage Journal
    Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine.

    OK. So we all know about "bad" viruses -Mellisa, etc, and "trojans" -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

    When RealNetworks or Aureate/Radiate add "special features" [grc.com] to their software to profile my music listening habits, or track my web access from within, rather than from accessed pages- does that count as "Interfering, or giving out confidential information".
    -
  • How exactly do they plan to prosecute on this? I can understand if you're the initiator of the virus and leave some sort of tracker so people know YOU did it - in fact, laws are in place for situations like that. But, how can they PROVE that you intentionally distributed the virus? Understood, they will forgive accidents (Melissa, et. al.), but how often do people say, "Ha ha, now I gave you a virus!"

    It seems to me that this is just a front for trying to force internet / computer users into revealing their motivations behind their actions - an invasion of mental privacy. There's not a good solid way in most cases to prove that you deliberately gave a virus to another user, and even then, it's easy enough to disprove in almost all circumstances.

  • by paRcat ( 50146 ) on Friday June 02, 2000 @08:35AM (#1029424)
    Here [yahoo.com] a news blurb about it. There's an interesting point in it:

    The Pennsylvania legislation defines a virus as any "computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner that may replicate itself and that causes unauthorized activities within or by the computer."

    So what about the software that is automatically installed when you install a program. Especially the stuff that allows for tracking your online habits, etc. Go!zilla's ad engine is like this, though it's unclear exactly what it does. So can these companies be prosecuted now?

  • everyone and his brother should know by now NOT to launch attachments?

    I got to deal with the ILOVEYOU virus. It was not the secretary that launched it. It was not the big boss that launched it. It was one of the other programmers that launched it. Trust me, after humiliating him I don't think he would be stupid enough to do something like this again, but one never knows.

    Also, a friend of mine works for a large company. IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do." This also happened at one of the local hospitals.

    Couldn't one argue that in all three of the cases I mentioned that it WAS intentional in every case? Just because you are stupid does not under any circumstance give you the right to do stupid things.

  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Friday June 02, 2000 @08:38AM (#1029431) Journal
    I realize the law says "intentionally" but what if a more proactive stance was adopted? For example, when I receive a counterfeit $20 I may be unaware. But when I deposit that counterfeit $20 at my bank (and it is discovered) I lose $20 and may be investigated. It doesn't matter that I *thought* it was real -- I still lose. It is upon me to make sure bills I pass are legitimate. If they are not, I lose.

    Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

    What does this mean? It means you must be able to prove that you took reasonable precautions to prevent your system from harming others. This may include using an updated anti-viral package on Windows and Mac systems. Properly adhering CERT advisories on UNIX systems. Avoiding easily-exploitable software packages (Outlook, for example). Using basic security protocols.

    Offenders (those who fail to protect others from attacks via their systems) may be forced to disconnect until they

    • complete a proper system security class
    • install proper security software
    • establish and follow basic security guidelines
    • disable easily-exploitable software

    I realize this is radical.

    Perhaps a better model (than the counterfeit bill passing) is the transportation regulations we have today. We require people who drive on our highways to take basic precautions to avoid harming others (no drinking when driving, obey traffic laws, maintain car at reasonable operational standards). Heck, we don't let you drive unless you obtain and maintain a proper license! How about a license to connect to the Information Super Highway? And what about liability insurance? If your system has an exploitable hole that damages someone else's system, you may be liable.

    The Internet is a part of our lives. We can't allow stupidity and laziness ruin it for the rest of us.

  • Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.

    You think wrong. Unless the surgeon is having unprotected sex with the patient, the risk of transmission is small.

    Take a look at the CDC's recommendations [cdc.gov] for preventing the transmission of HIV by health care workers. They recommend a review by a panel of experts and informed consent from the patient, not a blanket ban.

    I would rather be operated on by a HIV positive, expert surgeon than a HIV negative, mediocre surgeon.

  • I agree that "other confidential information" is too vague, but holding users responsible for their privileged passwords is a good idea. Everyone here knows that the general public often treats computers like toys, no matter how important they are. If a bank employee writes down his password and tapes it to his monitor, and the bank then loses millions of dollars due to his negligence, that should be treated as criminal negligence. (Assuming that his employers provided a reasonable amount of education and warnings about security.)
  • by operagost ( 62405 ) on Friday June 02, 2000 @09:02AM (#1029445) Homepage Journal
    Article IV.

    Section. 1.

    Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State. And the Congress may by general Laws prescribe the Manner in which such Acts, Records and Proceedings shall be proved, and the Effect thereof.

    Section. 2.

    Clause 1:

    The Citizens of each State shall be entitled to all Privileges and Immunities of Citizens in the several States.

    Clause 2:

    A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on Demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime.

    The last section is the most important.

  • It seems that there are already laws that cover this. I have often seen the creators of unwelcome self-replicating programs charged with "unauthorized use of a computer"

    Read the article again. This law covers spreading the virus, not creating it. You no longer have to be the creator to be punished. If you find an old copy of Melissa and email it to a moron, you are now responsible.
  • That's it, no longer will I spread virii from Pennsylvania. No longer will that place put down with such liabilities as vampires and virii writers.
  • by Electric Eye ( 5518 ) on Friday June 02, 2000 @08:48AM (#1029463)
    I see. So, simply because you could write a program that could fuck up a few programs means you deserve to be locked up with murderers, rapists, and drug dealers? Yeah, I see the logic in that one. It's called Republican Stupidity. The Governor of PA is an asshole. You can tell him I said that.

    This is truly unbelievable. The sad thing is that you could be convicted of raping a woman and do less time than if you wrote a virus. What ever happened to common sense in this country?
    • small computer bug

      jumps from machine to machine

      who knows its maker?
  • This is a ridiculus idea that completely contradcits the the idea (well, my idea) of what the internet is all about. I feel that the internet is a forum for the distribution of knowledge to all people. If we start limiting to those who have "a license" it is no longer an open forum and will become an elitist realm.

    And how would one obtain such a license? To require some knowledge about the internet would be the obvious way, but isn't the best way to gain this knowledge through experience? As for the propagation of viruses and such...I look at it as a form of Darwinism. Those who have learned enough will not be scaved, while those affected will learn from their loses and in the future protect themselves (and therefore others) against these problems.

    And no, I'm not advocating releasing viruses to purge the internet of those "not worthy."

    -Blurp

  • My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

    um, perhaps i am missing something here, but isn't that the definition of a virus? people seem to have forgotten what a computer viru is, and generally just associate "virus" with malicious program. a virus is a program or part of a program whose primary purpose is to propagate itself to other programs/computers. (i say programs because in the old days before outlook and office, viruses could only affect executable files, and when those executable files were run, they would infect other executable files on the disk) it doesn't have to be malicious. you might never even know you have one, even though it has put copies of itself all over your computer and everyone's you know.

    anyway, the point to all of this is that the question "what about viruses that spread themselves?" is a dumb question, because if it doesn't spread itself, it is not a virus. malicious code perhaps, but not a virus...
  • I spend my spring semester working as tech support/computer person for the law branch of one of the state departments in PA. The ILOVEYOU epidemic was pretty bad there, and from what I understand it was pretty bad all throughout the state government offices.

    This might have helped to push the legislation through.

    What makes it really funny is that AFTER it was announced over the building-wide intercom that email with the subject ILOVEYOU is infected with a virus and that the attachment to that email should not be clicked on, a disturbing number of people walked back into their offices, opened outlook, and clicked on the attachment. Simply "to see what it would do"

    This law seems to make their actions illegal. I think that's good.
  • I submitted a story about that exact topic some 2 months ago. /. obviously didn't think it was relevant enough. But damnit it makes me mad to think that just because I used GetRight (any version after 3.3.4) once I had spyware on my machine for a couple months before I heard about Aureate. This is the ultimate in privacy intrusion. Things like this are what make me want to go all open source.

    A list of products which contain Aureate spyware can be found here [radiate.com].

    From Aureate's marketing page [radiate.com].

    Detailed information about the people using your program and their feedback

    Updated statistics on your application's performance on the Radiate Network

    What they don't tell you is that all the information they receive about your browsing habits is WITHOUT YOUR PERMISSION. The spyware uploads information without ever telling you.

    Scary, but yet another argument for forced distribution of code. And to think, I'm an MS zealot `;^).

    Marc

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...