
Creator of Sasser Worm Goes on Trial

Cobb writes "Creator of the Sasser worm Sven Jaschan begins his trial today in Verden, Germany. Arrested in May 2004, Jaschan faces charges for his crimes as a juvenile. A reward from Microsoft partially led to the capture of the virus creator. From the article: 'The charges, which also include disrupting public services and illegally altering data, carry a maximum sentence of five years in prison. However, court spokeswoman Katharina Kruetzfeld said that, as a minor, he faces a lesser penalty.'"
  • I wish I could put a bounty on people who made me look stupid.
  • by TJ_Phazerhacki ( 520002 ) on Tuesday July 05, 2005 @12:30PM (#12986788) Journal
    Interesting conundrum for the legal system - do you let him off easy and give him a job at a security company - or hit him hard, and ruin a promising (although mischievous) programmer?
    • by Anonymous Coward
      hit him hard, he shouldn't be rewarded for that.

      you should not be rewarded for criminal activity.

      yes burglars can eventually lead a good life and help others with their knowledge. but those are rare cases and a lot of time passes generally (prison for instance)
    • There is no conundrum...he caused a lot of damage and cost people a lot of time and money that could have been put to better uses. As soon as he decided to be an asshole, he lost his right to participate in society.
      • As soon as he decided to be an asshole, he lost his right to participate in society.

        Can we get this added to the US Constitution somewhere? It's kind of subjective, but I think it is clearly a case of the positives far outweighing the negatives ;)
      • There is no conundrum...he caused a lot of damage and cost people a lot of time and money that could have been put to better uses. As soon as he decided to be an asshole, he lost his right to participate in society.
        Fortunately for MS employees, your logic is not applied universally. Otherwise, they could only hope that there is no capital punishment in the state of Washington.
    • by badboy_tw2002 ( 524611 ) on Tuesday July 05, 2005 @12:50PM (#12986978)
      Crack dealers are often very good businessmen, and have to work hard to keep the supply chains running, salesmen on the streets, etc. We don't normally see them working for the DEA afterwards, or getting jobs on Wall Street with their acquired skills. Instead we lock them up for 20 years.

      There's a big interest in keeping guys like these around. This one kid "cost" some people millions but also helped justify thousands of jobs for people in the security industry, virus protection firms, etc. I think it hurts the credibility of the security industry that there's an absolute revolving door of black hats to white after they grow up and figure that they need a paycheck more than 1337 status on IRC. If anything these guys should be more like paid informants than actual employees. Use them for what they know but keep them far away with a long stick.

      Given that this kid is a juvenile I'm all for a second chance, but I don't think 6 months in lockup would hurt him either. There should definitely be a punishment here. The world isn't exactly hurting for promising programmers. 1000 IT guys aren't worth the pause given to some kid about to hit the enter button on a destructive command and thinking "Hmmm...I could get 5 years for this."
      • There's a big interest in keeping guys like these around. This one kid "cost" some people millions but also helped justify thousands of jobs for people in the security industry, virus protection firms, etc.

        The crack dealers you mention "help justify" thousands of jobs in the DEA, FBI, and local LEAs...
        • This is true, but what is your point? That we shouldn't have crack dealers? That crack dealing is bad? That script kiddies are bad? Or that we should legalize and tax narcotics? My point is that while the computer security industry is vital and necessary given the reality of the world, the revolving door makes me a little weary of the "I'll scratch your back, you scratch mine" scenario that could easily pop up with both sides working in close quarters.

          Of course, this is in the drug enforcement arena t
      • The punishment should fit the scope and sale of the crime.

        IOW, $1 for every computer infected.
      • Crack dealers are often very good businessmen, and have to work hard to keep the supply chains running, salesmen on the streets, etc. We don't normally see them working for the DEA afterwards, or getting jobs on Wall Street with their acquired skills. Instead we lock them up for 20 years.

        Crack dealers may be great businessmen on the streets, but often there are a different set of skills required to make it in legitimate businesses. Respect for social structure, having "cultural capital" (the ability to ma
    • > Interesting conundrum for the legal system - do you let him off easy and give him a job at a security company - or hit him hard, and ruin a promising (although mischievous) programmer?

      The Law vs Justice has been a long fight and I don't see the end of it. People getting off on technicalities or getting caught because of their ignorance. Law cannot substitute for Justice - it can only be the fighting arm of Justice.

      Also IMHO, they shouldn't try and make an example out of him - but they can't jus

      • The Law vs Justice has been a long fight and I don't see the end of it. People getting off on technicalities or getting caught because of their ignorance. Law cannot substitute for Justice - it can only be the fighting arm of Justice.

        At this point in your post, you rip open your shirt to reveal a red T-shirt with a big yellow "G" on it before streaking into the sky.
    • by RapmasterT ( 787426 ) on Tuesday July 05, 2005 @01:30PM (#12987375)
      Interesting conundrum for the legal system - do you let him off easy and give him a job at a security company - or hit him hard, and ruin a promising (although mischievous) programmer?
      in my opinion there's no conundrum at all.

      I'd no more consider this guy for a job in my organization than I would a person who keeps losing jobs for punching his coworkers in the face.

      This line of thinking, while being unfortunately common, is extremely flawed in that it assumes that these "black hat" types are more skilled than responsible and reputable people in the industry.

      So you hire an anarchist criminal because he's good at what your company does. Guess what, now you have an anarchist with a criminal mindset working INSIDE your company.

      That makes you sleep better why?

      • Very true.

        Any half-skilled person can write a virus. Heck, a skilled programmer with the right talents and a bit of research could probably write a Warhol worm with just a little research.

        Optimize the distribution routines beforehand, figure out what tricks you are willing to use to run/hide your virus in the OS, code the core of it, and sit around on security mailing lists. As soon as a new major security hole comes out, add the exploit code and release it.

        That's more than enough for a functio

      • by Mr2cents ( 323101 ) on Tuesday July 05, 2005 @02:59PM (#12988220)
        So you hire an anarchist criminal

        There are so many harsh names in the /. reactions! This isn't an anarchist cyber-criminal mafioso terrorist, it's just a kid. At that age, I was mixing potassium nitrate with charcoal and sulphur, and I made some very nice craters with the resulting gunpowder. It's only later that I realized the full impact (pun intended) of what I was doing. At the time it was thrilling but there was no sense of real danger (if something had gone wrong, I'd be sitting in a wheelchair right now - best case scenario).

    • Interesting conundrum for the legal system-- do you let him off easy and give him a job with a home security company, or hit him hard and ruin a promising locksmith (although he got caught stealing my tv)?
  • by gunpowda ( 825571 ) on Tuesday July 05, 2005 @12:31PM (#12986800)
    From TFA: He now works for a German security software company called Securepoint.

    They evidently saw his skills in identifying and essentially publicising weaknesses in the operating system in a positive light.

    Perhaps he ought to be congratulated to some extent for this - Windows is now (barely) more secure.

  • Good start? (Score:4, Insightful)

    by kevmo ( 243736 ) on Tuesday July 05, 2005 @12:33PM (#12986807)
    This, along with prosecution of spammers, is a good start to reducing annoying aspects of the internet, but how far will this go to prevent others from replacing convicted pests?

    Is there a way to tackle the problem "from the source" that would prevent would be spammers and virus creators from WANTING to do these things?

    I think if enough offenders are prosecuted, and prosecuted severely enough, there is the potential to ward off others from committing the same acts. However, if only a few, say 1 in 20 or less, virus creators/spammers/etc are caught, I don't think there will be enough push to stop others from taking their place.

    Just like anything else in the world, if there is a low risk of punishment and a good chance of some sort of reward (monetary, pride, whatever) for some act, then someone will commit that act.
  • by Bonzor ( 856075 ) on Tuesday July 05, 2005 @12:34PM (#12986822)
    It'd be nice if his punishment was to do the work of all the IT personnel who had to clean up after his mess. I'd love to sit at home and relax while that little dweeb does my job. I'd be the one getting paid of course.
    • Just leave him with the Server and PC Support staff where I work. Unplugging, cleaning, and replugging in 3000+ computers was hell with 10 guys. It would be a death sentence.

    • by Darth_brooks ( 180756 ) <[moc.liamg] [ta] [773reppilc]> on Tuesday July 05, 2005 @12:57PM (#12987065) Homepage
      Don't you mean "Clean up after *your* mess" ?

      The patch for sasser's vulnerability was up two weeks before the worm hit. If you're not going to be thorough and proactive in defense of your systems, you're going to get nailed.

      "but...but...Microsoft's evil patch might possibly break something somewhere at some point!!!!"

      Tough. If it breaks, you're there to fix it. Lose X amount of time / work fixing something that Microsoft's patch broke, or lose Y time / work trying to clean up from a worm that you know nothing about.

      Patches can be rolled back. Very easily rolled back at that. You test, you roll out, you fix it if it breaks. Yes, the kid who wrote sasser is a nasty little shit that made a lot of work for a lot of people. But it didn't have to.

      "It is easy to be a bad sysadmin"
  • in the long rung (Score:3, Insightful)

    by cmdr_tofu ( 826352 ) on Tuesday July 05, 2005 @12:36PM (#12986841) Homepage
    What he has done is ultimately a favor to microsoft.
    He has demonstrated to them the importance of security, and demonstrated to end users the importance of patch management by exposing this vulnerability.

    If he did not do it, someone else would have. We are just lucky Sasser was noisy and identifiable. A subtle worm which requires Tripwire to detect which spread on the same scale would be a disaster indeed!
    • What he has done is ultimately a favor to microsoft.

      Spare me. What arguments like this neglect is that this kid's actions had a cost, and that he should be held liable for that cost, not congratulated. For example, admins could not take the risk that the virus was harmless, and had to spend a great deal of time and effort tracking it down and stamping it out.

      The cost goes beyond the financial, too. If the virus got loose in a safety-critical environment (hospital, air traffic control, power plant, tak
  • script kiddies (Score:5, Insightful)

    by a_greer2005 ( 863926 ) on Tuesday July 05, 2005 @12:37PM (#12986847)
    Because of the profile in this case, I have to say toss the book at him. This will not scare the real hacker, but this will have a chilling effect on the casual script kiddies, and that is where the majority of worm/virus/junkware comes from.
    • Or, conversely, the script kiddies who feel invulnerable to begin with ("It'll never happen to me, I'm too smart for that!") will lash out in protest and everything will go to hell in a handbasket again.
    • The charges, ..., carry a maximum sentence of five years in prison.

      At least he wasn't busted with pirated music. That carries a real penalty.
  • Z3R0 C00L (Score:3, Funny)

    by Steven W00ston ( 626723 ) on Tuesday July 05, 2005 @12:37PM (#12986850) Homepage
    But is he allowed to use a touch-tone phone?
  • by Nom du Keyboard ( 633989 ) on Tuesday July 05, 2005 @12:38PM (#12986863)
    I, for one, find no need in this world for worm writers, virus writers, phishers, Nigerian scammers, adware/spyware secret installers, keyboard loggers, and the rest of the trash that pollutes the otherwise exceptionally useful and wonderful Internet. Locking them away, and away from computers, for the rest of either their lives or my own -- whichever is shorter -- wouldn't bother me a bit.
    • On the other hand (Score:2, Interesting)

      by aztektum ( 170569 )
      I, for one, don't want to have my taxes used to incarcerate someone who doesn't pose a life or death threat to anyone else in society. Fine him up the ass, make him do community service for a decade, but there's no reason why we should throw essentially a social criminal who harmed no one but business into prison.

      I'm amazed by the /. crowd, some super smart folks, who will quickly resort to violence over someone fucking with their geekdom.
      • This is a very good point. While I'm a little fed up with minors facing less charges (unless someone wants to seriously argue he didn't know what he was doing was wrong), prison isn't the answer.

        Community service is definitely the answer, IMHO; no point in leaving him to rot in prison, much better to get him out, and doing something useful!
      • Re:On the other hand (Score:5, Interesting)

        by Tim Browse ( 9263 ) on Tuesday July 05, 2005 @02:28PM (#12987961)
        Fine him up the ass, make him do community service for a decade, but there's no reason why we should throw essentially a social criminal who harmed no one but business into prison.

        I was saying goodnight to a friend/colleague who is a medical doctor the other night, and he was meeting a consultant after work. The consultant mentioned that the <insert name of large London hospital> was suffering a virus attack, and most of the computer systems were screwed.

        Now, moan all you like about choice of OS in a hospital, but it seems to me that it's not just 'business' that gets harmed. There's no magic wand that means that non-profit organisations, charities or hospitals don't get pwn3d by viruses.

  • Let's see him worm his way out of this!
  • by dangermen ( 248354 ) on Tuesday July 05, 2005 @12:40PM (#12986876) Homepage
    Sorry, fry the kid. Use this as YET ANOTHER wake up call that your computer is NOT a VCR. If parents cannot keep tabs on their kids' computer use then they should take away the computer. If the parents cannot understand how to do this, then maybe they shouldn't have a computer till they learn. Responsibility is with the individual and/or mentors.
  • by Agoln ( 869166 ) on Tuesday July 05, 2005 @12:41PM (#12986883)
    I do have to say that just because M$ is a security hole doesn't mean that exploiting it in a malicious way is right, or even justified. There are correct ways to report the vulnerabilities, and those are the paths that this person should have taken.

    Think of it this way, if you have a kid that is playing in a playground, and you look away for a minute or two, is it right/justified for a kidnapper to take your kid? Sure, it was your fault that you were not looking, but does that mean that since there was an opening to take your kid, someone is justified in taking your kid?

    Sure, would-be kidnapper may come up to you and say "hey man/lady, your kid isn't being watched and could be taken easily". Even if the parent STILL keep an eye on their kid, does that make it right for the kidnapper to THEN take your kid just to prove a point and to let others know you were not looking?

    This hacker deserves to be put in prison, they need to send a message saying that making viruses isn't right and it will not be tolerated.
  • by GPLDAN ( 732269 ) on Tuesday July 05, 2005 @12:42PM (#12986907)
    Sentence the kid to a computer science school.

    These kids hack, because they are at the age of destructiveness. They don't have the vision and maturity to reach the creativity stage, because they have no role models to do so. This kid's skills are good enough to make him a skilled security professional, and he didn't know enough to hand Sasser over to a Secunia and make himself well known in the process and probably have job offers. I'd like to hear his rationale for releasing it into the wild before deciding on how to treat him, but most of these kids do it for the kicks and respect of dysfunctional peer groups (i.e. other hacking clans). Need to show them a better way.
    • by BaudKarma ( 868193 ) on Tuesday July 05, 2005 @01:31PM (#12987406) Journal
      Yeah, that makes sense. Kid breaks the law, so we punish him by sending him to computer science school. I assume the state is going to pay for this.

      Meanwhile the kid down the street, who knows just as much about computers but somehow managed to resist the temptation to drop a worm on the internet, gets to work two jobs and apply for scholarships and financial aid and try to figure out how he'll afford a higher education.

      That'll teach 'em.

    • 1) Not every kid is enough of a sociopath to pull shit like this. (When you infect a hospital's software systems and maybe destroy patient's records the patient can die.) They may know that they can do it, but they are also aware enough to understand the consequences. Anyone of the age of reason (seven years old) should know that you just can't do that sort of thing (even the nastiest bully I ever knew knew that, he did it anyway but he at least knew it.)

      2) Not every employer is going to want to hire such
  • Worms are a two-sided problem. In order for them to happen, it takes a software writer (far too often that software writer being named "Microsoft"...) to create software that has a ready-to-exploit flaw in it, and then it just takes one evil-minded programmer to kick a worm through that hole and make a mess that makes all of us wearing white hats have to do some serious cleanup and deal with downtimes.

    While I'm glad the kid is going to get taken to justice, I'm still a little troubled by the fact that all
  • A slap on the wrist (Score:5, Interesting)

    by gameboyhippo ( 827141 ) on Tuesday July 05, 2005 @12:44PM (#12986920) Journal
    I think if a kid is capable of committing a crime knowingly, then he should face the same punishment as an adult.

    I think a lot of kids commit crimes with the "knowledge" that if they get caught, it would be a slap on the wrist and go away when they turn 18.
    • by cr0sh ( 43134 ) on Tuesday July 05, 2005 @01:51PM (#12987594) Homepage
      As long as they are also given the rights to vote, legally own property, and be party to contracts - in essence, if we as a society are willing to treat our kids as adults when it comes to crime, then we should be willing to treat our kids as adults when it comes to everything else in life.

      Anything less is hypocrisy and posturing - "having our cake and eating it, too"...

  • by gambit3 ( 463693 ) on Tuesday July 05, 2005 @12:55PM (#12987033) Homepage Journal
    .. at least according to the BBC:
    http://news.bbc.co.uk/1/hi/technology/4649361.stm [bbc.co.uk]

  • String him up! (Score:3, Insightful)

    by starX ( 306011 ) on Tuesday July 05, 2005 @01:12PM (#12987199) Homepage
    I worked in tech support at the time, and I say that as punishment he needs to be tied to a chair with a headset affixed to his head and take calls from people affected by the worm, and try to convince them that he shouldn't be put in prison. Writing a virus or a worm may be a fun/educational exercise, but to release it into the wild is a sign of stupidity, amorality, or sociopathy. In either case he needs to have his nose rubbed in this so he doesn't do it again, and more importantly so the next kid thinks twice before releasing his creation.
  • Five Years! (Score:4, Funny)

    by buckhead_buddy ( 186384 ) on Tuesday July 05, 2005 @01:34PM (#12987422)
    Five Years? That's no big deal then. He'll be on parole before Longhorn actually ships :-)
  • by select * from ( 593191 ) on Tuesday July 05, 2005 @01:41PM (#12987484)
    Jaschan: You want answers?

    Prosecutor: I think I'm entitled to them.

    Jaschan: You want answers?

    Prosecutor: I want the truth!

    Jaschan: You can't handle the truth! Old man, we live in a world that has firewalls. And those firewalls have to be setup by men with MCSEs. Who's gonna do it? You? You, Mr. Ballmer?

    I have a greater responsibility than you can possibly fathom. You weep for Windows XP and you curse Microsoft. You have that luxury. You have the luxury of not knowing what I know: that Windows XP has faults, while tragic, probably saved jobs. And my existence, while grotesque and incomprehensible to you, saves jobs...

    You don't want the truth. Because deep down, in places you don't talk about at LAN parties, you want me on hacking that firewall. You need me finding exploits in that firewall. We use words like reboot, blue screen, exploits, Microsoft...we use these words as the backbone to a life spent hacking something. You use 'em as a punchline.

    I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very exploits I find, then questions the manner in which I exploit it!

    I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a real firewall and configure it. Either way, I don't give a damn what you think you're entitled to!

    Prosecutor: Did you write the Sasser worm?

    Jaschan: (quietly) I did the job you sent me to do.

    Prosecutor: Did you write the Sasser worm?

    Jaschan: You're goddamn right I did!!
  • Give him something constructive to do, instead of misdirecting his time and talents (read: community service in the technology field).
    Maybe his parents weren't paying any attention to him, or perhaps he felt lonely and unnoticed. We don't know what this kid has gone through, but he probably doesn't belong in a jail cell!

    Just because the kid caused some of you sysadmins a hard time (ok, you lost some money too) doesn't mean he shouldn't receive mercy and understanding. The kid has some skillz and motivation
  • While everyone prattles about punishment, I wonder what crime has been committed here. Certainly no theft or targeted damage. It's more like mischief -- the worm went wherever it could without the writer's intervention.

    OK, you could say the writer wished to cause harm irrespective of target. Like dumping nails on a road. But then you get into a slippery slope of criminal intent. He caused harm. What about all those who spread their worm through their unpatched systems? What about those who had been w
