Is Virus Spreading Criminal? 270
Ghost-in-the-shell writes "I just read this article on CNN stating that spreading a virus in the state of Pennsylvania is now illegal. The bill signed in to Law on May 26th, by Governor Tom Ridge states that the spreading of a virus can land you 7 years in jail, a $15,000 fine, and possible restitution to the person(s) damaged by the virus. My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around?
"
Re:..other cases of redundancy (Score:1)
..but most forms of premeditated murder etc. should be treated equally, IMHO. There will always be exceptions though. Thanks, good point.
Re:attatchments and computer safety (Score:1)
That reminds me of when I first installed Windows 95. It would NOT install, and error message was appearing in very dark blue on a black background and I could hardly read it. Took me about 5 minutes to figure out it wanted to write to the boot sector. The main reason I mention this is that's a good thing to do, but only if you actually remember you did it. Also, IANAT (I Am Not A Techie) but if you've just compiled a kernel and need to run LILO, doesn't this mean reboot, enter the BIOS, reboot AGAIN just so you can run LILO?
Re:Limerick (Score:1)
do not ever, EVER go
and spout crap again
Re:Pay attention to the bottom of the article: (Score:1)
Re:Tricky... (Score:1)
Re:VIRUS Definition (Score:1)
Uh, don't use their lame software? Vote with your wallet?
----------
d'oh. (Score:1)
Jail the virus! (Score:1)
My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around?
It's obvious - toss the virus in jail and give it a $15,000 fine!
Text of bill. (Score:3)
Interesting to note that unwilling transmitting information is illegal. So the Real Networks scanning your drive and uploading information is a 'virus'. Or microsoft sending reg info without your permission is illegal.
-RossB
Re:yup, it's in the constitution (Score:1)
As for "This type of problem isn't really covered in the constitution, since you really didn't have to worry about stuff being triggered in one state from another," have you ever heard of mail fraud or wire fraud? This issue of cross-territorial jurisdiction pre-dates the internet by a long ways...
Re:Welcome to Pennsylvania (Score:1)
Actually, truth be told I work in Harrisburg, PA, and we did not have any problems with the viruses. The company I work with has all M$ products and they did not get one infection, or one sniff of the virus at all (mostly because I was smart and took the WSH off of everyone's computer the first time a WSH virus came out). Use of M$ != spreading viruses.
It certainly makes it a whole lot easier....
Tom Ridge probably adopted this law because one HUGE part of his platform as the gov has been fighting crime and prosecuting criminals. He changed the juvenile criminal laws to allow them to be prosecuted as adults, etc.
Ridge most likely signed this because he is being considered for the VP spot with George W. and wants to back 'popular' pieces of legislation.
Full text of the Bill (Score:2)
I had submitted this to
Re:Does seem kinda obvious (Score:1)
Hmm, that's the sort of thing that law courts will wrangle endlessly about, and lawyers make their fortunes off of. OTOH it has happened in the past - back in the days of the Atari ST/Amiga I remember that a German computer magazine published the source code to a bootsector virus which was subseqeuntly spread... Definitely a stupid move IMHO by them.
Re:attatchments and computer safety (Score:1)
it shouldn't be a problem. Though virus checkers
run under Windows might report a problem if the
boot sector has changed.
Re:Why limit it? (Score:1)
Of course, this way when I release a virus rather then me getting a fine and/or jail time all my victims get a fine and jail time. How many people wouldn't be tempted to release a virus say, within microsoft? Imagine every M$ employee fined $15,000 and sentenced to a couple years in jail... This will stop or slow virus creation only if they don't allow inmates access to computers. Though, I can see prison crowding becoming a BIG problem.
While your doctor chooses to work while he has a deadly disease and your driver chooses to drive under the influence, a person spreading a virus often doesn't even know he is infected until after it has spread. Take this example: If I'm walking around with a cold without knowing it, and I pass it to other people before coming down with symtoms, I'm not liable for the time they miss at work.
Common sense is a cool tool...use it.
-Blurp
attatchments and computer safety (Score:1)
Re:Tricky... (Score:1)
Don't ask, let them legal fellers tangle in this one.
Personally I've been waiting for this to happen a long time. I mean, my information is mine, right? My programas, my development, my experiments, are mine, right? Why should a damn little kid have his kicks by letting out into the "cyber-environment" a destructive, self-replicating program?
OK, so maybe I should have software to scan for such attacks (viruses, network cracking attempts), but attackers are always trying to overwhelm any protections in place, by looking for new and undocumented loopholes.
So I say "hell yes" to this; intentional destruction of information should be treated as a form ("AS A FORM", not "exactly like") of destruction of property. Depending on the potential of said information should be the restitution.
The "potential" for the destroyed information should be up to the victim; sure, that creates the posibility of inflating it, but then you create an environment where the mere idea of destroying information can be a very serious crime. And that's ok with me.
Destroying an installable application is no problem, you can reinstall if necesary; but destroying documents, data, files... that really gets my goose; specially when not backed up. AND don't tell me that "it's the user's fault for not backing up", get off your damn high-horse for once and look at the people who use these things, NOBODY backs up, unless it's a sysadmin or something like that.
User's shouldn't have to carry the burden of hardening their own machines; crackers and virus writers / spreaders should carry the financial and criminal burden of destroying other people's information.
So it sounds tough. Have you ever had to retype a whole damn essay because of some fucking script kiddie or a damn virus that came from who-knows-where? That's fucking tough also.
-elf
Re:I'm not sure (Score:1)
Marriage, Divorce, Driver's license seem to go fairly well
Some counter-examples:
Sales Tax on Purchases (Internet and Mail Order). Certainly doesn't seem to be enforced
What about contradictory laws? In VT gay unions are legally recognized. In CA they are illegal to legally recognize. So what happens if a gay couple moves from VT to CA?
What about UCITA? Valid in MD/VA (or soon to be), IA is a Safe Harbor. An IA resident violates a UCITA contract. Who gets the full faith?
Re:So, virus writing is worse than rape now? (Score:1)
Re:Burden of Connecting (Score:1)
We require people who drive on our highways to take basic precautions to avoid harming others.
The restrictiveness/severity of regulations should be proportional to the impact without the regulations. For example, cars are complicated to drive, and you can kill people if you don't know how. Scissors are dangerous too, but they're simple to use. Internet novices cannot kill people by spreading viruses. I don't think we need the same level of regulation as for automobiles.
This will never happen (Score:2)
They don't care about netiquitte or responsibility, they care about dollar signs.
Mind you, I don't know that I agree with your idea anyway. How is a person supposed to KNOW they have a virus on their system. Even when you're careful you can still get stuck...
Re:This is how they defined "VIRUS" (Score:1)
That's ex-post-facto. (Score:2)
Can't get them with this law, because it was passed after they did it. (You might get them partly, for stuff they ship after the law goes into effect...)
But it would be interesting to go after them for negligence in a civil suit. B-)
Poster's question (Score:5)
It does say intentionally.
Re:Burden of Connecting (Score:1)
Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.
***Sigh***. You're so right. That's a logical deduction. However, what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting. Driving licenses are traditional, they've always been around. Internet security licenses? I don't think so. Connections to the Internet have grown exponentially since around 1994. It's only 2000 now, and *billions* of people are connected to the internet. You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.It's easy to post on Slashdot that this kind of thing should happen. The majority of Slashdot readers are tech savvy, and all of them could probably be considered more than semi-computer literate.
Finally, with 300+ million people connected to the Internet (approx), in most major countries around the world, how would you implement such a test? It would take years even if the bureacrats agreed.No, the only short-term solution is to inform your co-workers individually (ie, each person who has tech knowledge, inform your co-workers about the dangers of Outlook, Attachments, etc, and tell them the benefits of more secure software, and perhaps, if circumstances permit, more secure operating systems, like Linux or the ultra-stable Solaris Operating Enviroment [sun.com]
Of course, an excellent way to avoid this kind of thing from happening is to use more secure development/application deployment systems. The Java platform [sun.com] has been built by security conciousness engineers right from the start of the project. The Java platform has been tested by security consultants around the world and found to be very secure. Applications written for the Java platform are less likely to cause major damage to the host system due to key design features, such as memory protection. Even though the Java language is extremely networkable and can load Java classes over the internet dynamically, these will be run in protected memory spaces, and Java classes can be digitally signed, therefore enhancing security. Sure, the Java platform isn't 100% secure, but no platform is, and Java certainly is extremely secure compared to other platforms.Of course, UNIX platforms are inherently more secure than Win 9.X too, as they have similar per-user run spaces and permissions (and , of course, UNIX mail readers aren't designed as exploitably as Outlook!!).Cheers,
Charles Balthazar RotherwoodActually... (Score:1)
Re:..other cases of redundancy (Score:1)
Damn cold (Score:1)
Re:What's the point? (Score:1)
somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution
or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of
dollars which he'd never be able to repay, no matter how long he lived.
Well, in order to get enough money to pay the fines, all he has to do is buy a marginal OS, have his mother sleep with an IBM exec, get IBM to sign a silly deal using his bought OS. 20 years later, join another crappy product to the eleventy-seventh version of that OS, and...
Oops. Too late.
Heh (Score:1)
Who then is the criminal? Who is the 'genuis' behind the virus?
Definatley not those philipino kids.
Definition of a virus? (Score:1)
#include
main()
{
system("cd
}
or something similar?
What about an unstable program that will at random start to crash and pollute the filesystem with garbage rendering it useless. How about a program that wishes to delete files and deletes the wrong ones through faulty programming techniques?
Re:attatchments and computer safety (Score:1)
Re:What about Trojans? - Defintion of a virus (Score:1)
If it was a 'Server Administration Tool' it would load a big spash screen when starting up, and it would provide a little icon in the tray to show that it is resident and running.
It does neither, and is specifically designed with stealth in mind. That makes it a cracker's trojan, and casts a negative light on it's developers.
Here's your answer (Score:1)
Read the article you sent. The first paragraph starts off with "People who intentionally spread a computer virus.........
Question answered (Score:2)
*Emphasis added
Eric
Re:Burden of Connecting (Score:1)
sendmail, BIND, etc...
How about a license to connect to the Information Super Highway
i second that motion. under 18's are not permitted to surf without a class A geek supervising, thus preventing them from 'accidentally' finding pr0n sites, etc.
Is virus spreading criminal? (Score:2)
The person who gave me this damn flu bug must be punished!
this atricle says nothing... (Score:1)
M$ + Outlook = Civil Suit? (Score:2)
Hmmmm. I would say that they could probably be prosecuted under the "attractive nuisance" law.
Prosecutor: So you deliberately left the gate open by default on Outlook, Mr. Gates? Surely you knew that that was attractive to virus-writers?
Uh oh. . . software vendors are in trouble. . . (Score:1)
When I get in a programming mode
Compile and run
It is so much fun
Re:yup, it's in the constitution (Score:1)
Predates the Constitution? Not really.
And I also notice that the examples you give are Federal crimes, not state ones. IMHO there would be far fewer issues if the virus law was a federal one, not a state one.
Re:Haiku in retort (Score:1)
Irritating in structure!
Good exercise though
Re:Couldn't it be argued however that.... (Score:2)
Kids throwing bricks off of overpasses aren't trying to kill people, they're just stupid and think that it's funny. Nevertheless they still do kill people sometimes, and rightly get prosecuted for it whenever they are caught whether or not there was an actual death. Just being stupid doesn't absolve you from culpability for doing the wrong things, especially when you could reasonably have been expected to know that your actions were a bad idea.
The real tragedy about the lack of security present on the Internet today (mostly due to the homogenization of most end-user software, at least in quantitative terms) is that thoughtless people can affect thousands of others around the world with their actions. To be fair, most users aren't really to blame for the poor security of the products they use, but on the other hand if there were more penalties for spreading viruses, maybe the public would be more interested in using products which are more secure. The buying public gets the security it asks for, and so far it hasn't been asking.
Re:Couldn't it be argued however that.... (Score:1)
If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.
Counterpoint: I sat in on the sentencing hearing for some 18-year-old who had dropped a 27 pound rock on a car from an overpass and ended up killing some woman through direct impact to the head. He had been convicted of second degree murder.
Anyway, the guy got life in prison...
Oh yeah, and though I didn't actually see the pictures of the body afterwards, the judge said that it was worse than any other injury he's ever seen, including such things as fatal shotgun wounds, ax murders, etc...
Well... an offtopic post a day keeps the moderators away...
Re:VIRUS Definition (Score:2)
Re:Tricky... (Score:1)
Let the evolution begin...
Re:Limerick (Score:1)
Who only saw fit to just blabber
Without much ado
In his first non-haiku
Our fair hero proceeded to slap 'er
They are right... (Score:1)
Re:Definition of a virus? (Score:2)
Not all intentional viruses are *amateur* (Score:5)
1) you are not informed that a *separate* program will be installed, in addition to the program you intend to install. This program can monitor your activity even when the program it came with is not in use.
2) the monitor program is not removed when you uninstall the 'carrier' free/shareware program or purchase the paid version of a demo. In fact, there is no way to completely remove it except through an external program like OptOut [grc.com] from Steve Gibson [grc.com] (freeware)
Sounds like a classic, deliberate, and very malicious 'virus'. I'm sure there's something in the license allowing the installation, but nothing about it persisting forever (even after you remove the program the license applies to). True, you could prosecute under the 'unauthorized computer use' felony, but I think the virus law gives a better tool, since the virus+vector model is a familiar one (putting an unannounced virus inside a desired executable doesn't make it less of a virus)
Whose definition of virus? (Score:3)
Tom Ridge: Our next Vice-President? (Score:2)
Like Bush, his strong points seem to be that he doesn't have any strong points someone could object to. The economy is good (like everywhere else in the US), he's cut business taxes, pushed welfare reform, yadda yadda. He's also managed to stay mostly clean of the morass that our other Republicans in Pennsylvania's state government have found themselves in, such as various corruption charges, Serafini's felony perjury conviction [phillynews.com] (fellow Republicans blocked an attempt to kick him out, too), Druce's alleged fatal hit-and-run [tribune.com], etc.
While I'm not a big fan of Salon, they recently did a real nice hatchet job on the guy, in an article titled Bland Ambition [salon.com]. Worthwhile reading.
"Don't blame me! I voted for Kodos!"
Re:Pay attention to the bottom of the article: (Score:2)
Then, quite frankly, the average user shouldn't be using my systems. If other places are anything at all like the places I've worked, every user is required to receive and acknowledge a usage agreement. In the usage agreement, which is 100% common sense and 0% rocket science and/or brain surgery, users are specifically and explicitly prohibited from disclosing their password(s) to anyone. ANYONE. If you violate this agreement by giving your password to your SO, your friend, or the man on the street, I can and will revoke your access per the terms of the agreement.
Now, failing to read the agreement is no excuse. Just as ignorance of the law is no defense. Just because people are stupid and will give away their passwords doesn't mean we should let them get away with it. The law should stand as written, no excuses for idiocy.
There's no legal penalty for being stupid. Until you leave your hospital room/bubble/cell/ward/cave. If you want to interact with the rest of the world, you're expected to maintain a reasonable level of rationality and common sense.
Re:..other cases of redundancy (Score:2)
Yeah. Hate crime legislation is just an attempt at criminalizing thoughts. It shouldn't matter what you were thinking when you killed someone. What matters is whether you killed them or not and whether you intended to kill them or not.
Re:Burden of Connecting (Score:2)
I was chuckling at your response (and agreeing with you) and then I remembered: food service workers ... Typhoid Mary ... "Employees Must Wash Hands" .... There are constraints placed on us in all kinds of circumstances where we interact in society. It was said:
When what we do (or don't do) affects others, we need to be on the alert for regulations. No Smoking.
Re:Pay attention to the bottom of the article: (Score:2)
To the tune of putting them in jail for five years?! Doesn't this strike you as something between utterly ridiculous and very, very scary?
Kaa
Re:Burden of Connecting (Score:2)
No. We're just having a discussion; debating the idea. I'm not for this, just thinking.
Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise."
Or it's a way of saying "you don't have the right to be here; you must prove that you're able to bear the responsibility." Don't freak: I'm describing a driver's license. So, what if this was applied to running Internet-connected computers? Better put: what if your OS and Software had to be approved for Internet use before you could put it on the 'net? Put the onus on the OS/Email/Services programmers.
The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity.
If your car rolls down a hill and smashes into someone's property (or person) you may have had no Means, motive or opportunity to commit a crime but you'd be liable (civilly) nonetheless. And, if it could be proved that you were recklessly endangering others, you could be held criminally responsible, too (involuntary manslaughter, for example).
I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.
Re: (Score:2)
Re:Burden of Connecting (Score:2)
OK, I like this a little better. Ideally, the marketplace will winnow out buggy and insecure programs. BUT -- there will always be people who will write software and just put it in their FTP directories for anyone to download. And there will be people who will use it just because the cost = $0.
I guess as I consider this topic I am becoming aware of our responsibility toward others on the Internet. Perhaps I should be repremanded if I leave my system open and it is used as part of a DDoS attack.
What is ironic is this: in the old days on the Net (before '95), *everyone* would leave their system open so as to facilitate email forwarding. The idea that people would DDOS was simply unthinkable. I'd say that there is nothing wrong with leaving your system open -- providing you monitor it carefully. Most DDOSing is done using server farm machines that are only loosely monitored (the rationale being: "Well, all this machine does is serve pages and there aren't any user accounts on it, so we won't bother with checking it unless it goes down."). But you are right about one thing: personal responsibility is important. The only thing I disagree on is the theory that people need to be monitored, checked and licensed to make sure that they are being responsible. Children may need such strictures -- but adults aren't children.
Re:Burden of Connecting (Score:2)
Define always. To me and you DL's are eternal requirements. To my grandparents (who lived before autos were common) DL's did not exist at one point. What changed? Automobiles became an integral part of American life and commerce. Bad (dangerous, ignorant, reckless, et al) drivers were no longer merely a threat to themselves but to all drivers around them and to normal business conducted over-the-road. Something had to be done, so regulations were made and minimum standards were set.
what you aren't realizing here is that connecting to the 'Net can't be compared to, as you've done here, driving a car. The 'Net has become such a integral part of businesses worldwide, that it would just cost too much to start educating a semi-computer literate world in the way you're suggesting.
Okay, I rearranged your quotes to make this point: because the Internet is integral to business internationally it may become necessary to make regulations and establish minimum standards. Scarry.
You can't disconnect these people because they fail a Internet security test, because then you would be disconnecting way too many people. Remember, the average CEO of a company (Suit) isn't even semi-literate (computerwise), perhaps if it's a tech company, yes, otherwise, you'll be luckily if he's semiliterate.
Okay. Maybe we require that the OSes and Internet-connecting programs (don't ask me to define them all, I'm just thinking out loud!) be certified to operate on Internet-connected devices. Sure, let the CEO use the net -- but not with Outlook and Windows Scripting Host enabled! Who enforces this? The ISP? (Hmmm....).
It's a DAMNED HOAX (Score:3)
The 'spyware' program does nothing more than say what ads have been received, and what have been clicked. Period. I don't know about you, but I don't do my surfing through ads. Hell, I get weird enough ads from Doubleclick crap as it is.
The problem is that this has been claimed as spyware.. ie: it monitors your surfing habits, and I've even heard that it could see which programs are installed on the HD. This is where the paranoia overtakes the fact.
I have yet to see comprehensive proof that this does (only or all of) what either side of this issue says it does. Most people take for proof that Aureate/Radiate is evil the presence of any of the 'bad' DLL's.
The program has been proven to exist, true. Get some simple network tools and a little registry viewer and sure enough, you'll notice something's set stuff up in the registry, and something's calling home. Nobody has given proof that shows what it's actually doing beyond that.
It's a task I'd think someone in the /. audience would be glad to undertake. At this point both my curiousity and rage at the propensity of this falsehood to spread so easily are motivating me to crack down as much as I can. Only.. I don't really have the time, I don't have the resources or knowledge either. Someone needs to just sit down with a packet sniffer on a controlled network, and see what's up. I personally, can't tell what to look for, but I'm positive that someone can.
Steve Gibson claims that some of the scarier stuff like arbitrary execution has been proven. I ask... show me the proof.
This is great! (Score:2)
Now I can sue all those bastard MS Outlook users who have me in their address book, and hopefully put them in prison, too!
Re:Burden of Connecting (Score:2)
True, on my personal system I have no fear or worries about others' systems being exploited. I never got one of these macro worms sent to me, yet. But it does harm me. Very much. For one, my mail servers at work and elsewhere are overwhelmed with the exponential flood of garabage that is sent during the height of these attacks. Moreover, I've been spammed to death by people leaving their sendmail (et al) servers open for relay. Maybe ORBS is not enough. You wanna run a mailserver? Get a license.
We're just talking, here. I'm not suggesting this should happen. be my guest: Shoot me down.
but... (Score:2)
Humor - "Intentionally" in the virus bill (Score:2)
Haiku (Score:2)
Fun for the first few minutes
Then the cops show up
What if you got authorization? (Score:5)
19. I understand that this software may send copies of itself to everyone in my address book.
20. The authors of this software shall not be held responsible for any data that may be lost.
Certainly a very large portion of the population would click on the [ACCEPT] button as a matter of reflex. It wouldn't even make it out of the brain stem.
Would the author of this virus be subject to prosecution?
Would they be safer in states that have passed UCITA?
-Jeff Bell
harsher rap than assault or bank robbery (Score:2)
So they're going to send someone up for 7 years in PA. In NC, that's the penealty for bank robbery. Does passing a virus rate that much time? It's more than B&E, assault, assault & battery or assault with a deadly weapon. Either the penalties for these ought to be increased or they ought to back this don't For crying out loud. Every thing on the books is getting ratcheted up to 7 years. This breeds contempt for the law.
Re:Couldn't it be argued however that.... (Score:2)
IANAL, But I believe you'll find that intent is important in US law. If your intent is to do harm (dropping bricks on people) and you kill someone, then you are guilty of a some kind of Manslaughter. Usually, you have to intend to kill to be convicted of 1st degree murder. The kids you cite are probably guilty of some other kind of Manslaughter.
Being stupid isn't the issue, intention to do harm is. Now, there are crimes of negligence. If you can be reasonably expected to know not to open attachments that might do harm and you do it anyway, you are guilty of negligence.
I don't think that it's been true in the past that people could reasonably be expected to know not to open attachments, after all, so much of their work requires them to open attachments, even attachments with executable content. It may be true that now or in the near future, it would be considered to be negligent to open attachments that may have executable content if you don't have a good idea as to what that content is or will do.
It's almost getting to the point that anyone who sends ANY executable content in email using insecure facilities like VB or Word Macros, as opposed to languages that support a relatively safe programming environment like Java, are being negligent in that they are helping to set the stage for future worms and Trojan Horses.
-Jordan Henderson
Tricky... (Score:2)
Are we going to throw a lot of clueless people in jail?
-
Only fair. (Score:2)
An interesting precedent... (Score:2)
Good luck on enforcing the law, though! I'd like to see what happens the first time someone creates a virus somewhere else, say Montana, and it damages a computer in Pennsylvania. Pennsylvania could argue for jurisdiction, but would Montana extradite someone all the way to Pennsylvania for prosecution?
Re:Burden of Connecting (Score:2)
Your blue-sky proposal is ridiculous. Who is going to set up the "test"; who is going to administer it; what penalties will there be for "driving without a license", etc. Do you really want to install *yet another* bureaucracy over us?
Furthermore: requiring everyone to have a license because *some* people are irresponsible is, in essence, saying "Everyone is guilty until proven otherwise." Go back to France: that's where that bass-ackwards system of "justice" originated. Here in America we have a fundamental principle that people are "innocent until proven guilty".
There is a reason for having a driving test: you have to prove that you can adequately handle a ton-and-a-half vehicle at high speeds before you actually get on the road. A computer is not a car; if you crash your computer, no one else is affected. If you drink while programming, you'll just produce bad code, but it won't affect anyone else. Using your computer to design and upload a virus is using a tool in a weapon-like way. People *have* used cars as weapons, but I don't recall any questions on the Driver's Ed test about "Will you be using your vehicle to commit a homicide?" That's just as strange as asking someone "Will you be using your computer to commit a crime?" -- and who is going to answer *that* question in the affirmative anyway?
I realize the law says "intentionally" but what if a more proactive stance was adopted?
The reason that the law says "intentionally" is because for a crime to be proved there are 3 irreducible elements: Means, motive and opportunity. If a virus comes into your computer and uses the copy of Outlook you have installed to perpetuate itself, the means is there, the opportunity is there, but YOUR MOTIVE is not. Therefore YOU cannot be accused of propagating the virus. (Perhaps you could be prosecuted for maintaining an "attractive nuisance", but if you installed it in a manner so as to leave it in the default condition, then the software manufacturer is just as -- if not more so -- liable).
A more "pro-active" stance would only apply two of the three conditions -- perhaps your motive is irrelevant. Then you could be thrown in jail -- perhaps without even realizing that your computer passed the virus along -- just because a computer log somewhere had your IP address as the (from its point of view) origin. How would you feel about *that*?
This law seems a little redundant (take 2) (Score:3)
I think that the expedited creation of new laws in reaction to a phenomenon that most people in positions of power could never hope to understand, let alone competently regulate is a dangerous thing. I recognize that these legislators probably have teams of advisors, but i still worry about the original intent/usefulness getting diluted/lost in the legislative process.
Re:Tricky... (Score:2)
What's the point? (Score:3)
Well, I realize that laws can make people feel more comfortable, but there comes a point where penalizing somebody doesn't make anymore sense. For example, if they guy who wrote melissa had to pay restitution or pay a $17,000 fine for every copy of the virus he spread, he'd probably own millions upon millions of dollars which he'd never be able to repay, no matter how long he lived.
You can punish a person harshly, you can even make it so that the person will never get away from the punishment for the rest of their lives, but fining somebody $40 million is pretty much the same thing as fining them $40 billion. At least the effect is the same, and the amount of money you'll actually collect is the same.
I say this because if you make it a crime to spread a virus and make it punishable by jail, restitiution, or fines, then anybody who spreads a virus (since they go all over the world) will be liable for damages in so many damn jurisdictions that it will be the same as fining them $40 billion, and just as pointless.
Not to compare virus spreading to murder, but just as an example of over-punishment - when Jeffry Dahmer went to jail, he got *400* years in jail. 400!!!! What's the point? Of course it was arrived at by adding the amount of time he got for each murder, just like the fine would be arrived at by adding the recompensation for each victim for a virus spreader.
An effective punishment would be a $0.25 fine and no restitution, since by the time everyone on earth got finished suing the poor bastard, he'd be in for millions.
Re:..other cases of redundancy (Score:2)
I'm talking about intent in the legal sense. The crime you are charged with and ultimately your punishment are often linked to intent (i.e. did you commit the crime on purpose, or was it an accident?). Intent in this sense does not take into account what you were thinking at the time, although those things can be examined to determine whether or not you intended to commit the crime. The goal is to determine, yes or no, whether you intended to commit the crime. Once intent is established, the case can proceed and you can be charged with the proper crime and receive the proper punishment. Your punishment should not be linked to your beliefs or your thoughts at the time, it should be determined impartially, based on the crime you committed. Any attempts to determine the beliefs of the accused, can never be more than speculation, even if you are able to convince a jury with that speculation. Speculation as to a person's reasons for committing a crime should not be used to determine the specific crime or punishment of the accused.
Pay attention to the bottom of the article: (Score:4)
"Accessing and damaging a computer or system is a felony of the third degree, facing a seven-year sentence and $15,000 fine. Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "
What scares me is the part where they refer to 'other confidential information.' That is such an amazingly grey area. And what constitutes giving out a password? Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).
Just a few rambling thoughts from yours truly.
Too ambiguous of computer laws (Score:2)
I think the issue here is whether or not you passed the virus onto another computer you own.
I could plausibly see someone in some comp sci class writing a harmless virus, and studying how it replicates. A broad law could land this student into jail
So I guess the question isn't whether someone who intentionally damages other people's computers should be illegal, because we all know it should. The question should be, are we inhibiting innovation by making too broad of laws?
Does seem kinda obvious (Score:2)
I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.
However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.
A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.
Does seem kinda obvious (Score:2)
I can't really say that it's suprising that intentionally propagating a virus has become a crime - I don't think that anyone can argue that spreading a virus is not a nice thing, even if creating one is purely a "technical challenge". I expect that this legislation will be quickly followed by other states and countries, especially in light of the "ILOVEYOU" virus and its successors.
However, in the words of the article, "It also defines a computer virus for the first time". The definition of virus has already changed over the last few years, and as technology changes the pathogens that affect it will change as well. How soon will it be until this law and its definition of a "virus" becomes obsolete? Given current trends, not long at all.
A good law to have then, but as with all laws that attempt to regulate technology, the pace of advancement in the technology far outstrips that of the law to keep up with it.
Why limit it? (Score:3)
Example (a real virus): If a surgeon found out he had AIDS but didn't quit his job and later infected a patient during surgery, I think we'd all agree that he'd be liable for the patient's sickness.
Another example: I advocate the use of murder charges against drunk drivers who kill. Why? Because they deliberately make choices that are known to have a high rate of death for potential victims.
So why not for computer viruses? In all seriousness, why can't Joe User be held (partially) liable for running an email client (*cough*outlook*cough*) that is known to cause a large amount of bandwidth sucking and server crashing? A little less ridiculous (although I'm not conceding that the example was ridiculous) is holding site admins responsible for viruses leaving their site. If they can strip incoming, they can strip outgoing.
And this isn't empty moralising, either (although that should be sufficient). There's a practical reason for all this: Advocating point-source solutions to an epidemic problem will never work. Prosecuting only the virus originators (and maybe a few knowing Typhoid Mellissas) doesn't reduce the attractiveness of the target--so new originators pop up. By prosecuting the victim (who is in turn a new originator) you can reduce the attractiveness of the target and thus the incidence of infection.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Welcome to Pennsylvania (Score:4)
--
Microsoft wants it to stop piracy (Score:3)
VIRUS Definition (Score:5)
OK. So we all know about "bad" viruses -Mellisa, etc, and "trojans" -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..
When RealNetworks or Aureate/Radiate add "special features" [grc.com] to their software to profile my music listening habits, or track my web access from within, rather than from accessed pages- does that count as "Interfering, or giving out confidential information".
-
Which poses the obvious question... (Score:2)
It seems to me that this is just a front for trying to force internet / computer users into revealing their motivations behind their actions - an invasion of mental privacy. There's not a good solid way in most cases to prove that you deliberately gave a virus to another user, and even then, it's easy enough to disprove in almost all circumstances.
How about spyware? (Score:3)
The Pennsylvania legislation defines a virus as any "computer program copied to or installed on a computer, computer network, computer program, computer software or computer system without the informed consent of the owner that may replicate itself and that causes unauthorized activities within or by the computer."
So what about the software that is automatically installed when you install a program. Especially the stuff that allows for tracking your online habits, etc. Go!zilla's ad engine is like this, though it's unclear exactly what it does. So can these companies be prosecuted now?
Couldn't it be argued however that.... (Score:5)
I got to deal with the ILOVEYOU virus. It was not the secretary that launched it. It was not the big boss that launched it. It was one of the other programmers that launched it. Trust me, after humiliating him I don't think he would be stupid enough to do something like this again, but one never knows.
Also, a friend of mine works for a large company. IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do." This also happened at one of the local hospitals.
Couldn't one argue that in all three of the cases I mentioned that it WAS intentional in every case? Just because you are stupid does not under any circumstance give you the right to do stupid things.
Burden of Connecting (Score:4)
Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.
What does this mean? It means you must be able to prove that you took reasonable precautions to prevent your system from harming others. This may include using an updated anti-viral package on Windows and Mac systems. Properly adhering CERT advisories on UNIX systems. Avoiding easily-exploitable software packages (Outlook, for example). Using basic security protocols.
Offenders (those who fail to protect others from attacks via their systems) may be forced to disconnect until they
I realize this is radical.
Perhaps a better model (than the counterfeit bill passing) is the transportation regulations we have today. We require people who drive on our highways to take basic precautions to avoid harming others (no drinking when driving, obey traffic laws, maintain car at reasonable operational standards). Heck, we don't let you drive unless you obtain and maintain a proper license! How about a license to connect to the Information Super Highway? And what about liability insurance? If your system has an exploitable hole that damages someone else's system, you may be liable.
The Internet is a part of our lives. We can't allow stupidity and laziness ruin it for the rest of us.
Re:Why limit it? (Score:2)
You think wrong. Unless the surgeon is having unprotected sex with the patient, the risk of transmission is small.
Take a look at the CDC's recommendations [cdc.gov] for preventing the transmission of HIV by health care workers. They recommend a review by a panel of experts and informed consent from the patient, not a blanket ban.
I would rather be operated on by a HIV positive, expert surgeon than a HIV negative, mediocre surgeon.
Re:Pay attention to the bottom of the article: (Score:2)
yup, it's in the constitution (Score:3)
Section. 1.
Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State. And the Congress may by general Laws prescribe the Manner in which such Acts, Records and Proceedings shall be proved, and the Effect thereof.
Section. 2.
Clause 1:
The Citizens of each State shall be entitled to all Privileges and Immunities of Citizens in the several States.
Clause 2:
A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on Demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime.
The last section is the most important.
Re:This law seems a little redundant (take 2) (Score:2)
Read the article again. This law covers spreading the virus, not creating it. You no longer have to be the creator to be punished. If you find an old copy of Melissa and email it to a moron, you are now responsible.
virii (Score:2)
So, virus writing is worse than rape now? (Score:3)
This is truly unbelievable. The sad thing is that you could be convicted of raping a woman and do less time than if you wrote a virus. What ever happened to common sense in this country?
an appropriate haiku (Score:2)
jumps from machine to machine
who knows its maker?Re:Burden of Connecting (Score:2)
And how would one obtain such a license? To require some knowledge about the internet would be the obvious way, but isn't the best way to gain this knowledge through experience? As for the propagation of viruses and such...I look at it as a form of Darwinism. Those who have learned enough will not be scaved, while those affected will learn from their loses and in the future protect themselves (and therefore others) against these problems.
And no, I'm not advocating releasing viruses to purge the internet of those "not worthy."
-Blurp
redundant question? (Score:2)
um, perhaps i am missing something here, but isn't that the definition of a virus? people seem to have forgotten what a computer viru is, and generally just associate "virus" with malicious program. a virus is a program or part of a program whose primary purpose is to propagate itself to other programs/computers. (i say programs because in the old days before outlook and office, viruses could only affect executable files, and when those executable files were run, they would infect other executable files on the disk) it doesn't have to be malicious. you might never even know you have one, even though it has put copies of itself all over your computer and everyone's you know.
anyway, the point to all of this is that the question "what about viruses that spread themselves?" is a dumb question, because if it doesn't spread itself, it is not a virus. malicious code perhaps, but not a virus...
Intentional Clause (Score:2)
This might have helped to push the legislation through.
What makes it really funny is that AFTER it was announced over the building-wide intercom that email with the subject ILOVEYOU is infected with a virus and that the attachment to that email should not be clicked on, a disturbing number of people walked back into their offices, opened outlook, and clicked on the attachment. Simply "to see what it would do"
This law seems to make their actions illegal. I think that's good.
Re:Not all intentional viruses are *amateur* (Score:2)
A list of products which contain Aureate spyware can be found here [radiate.com].
From Aureate's marketing page [radiate.com].
Detailed information about the people using your program and their feedback
Updated statistics on your application's performance on the Radiate Network
What they don't tell you is that all the information they receive about your browsing habits is WITHOUT YOUR PERMISSION. The spyware uploads information without ever telling you.
Scary, but yet another argument for forced distribution of code. And to think, I'm an MS zealot `;^).
Marc