Fighting fire with water

TechRepublic community member Absolutely!, in the discussion of the article, Fighting fire with fire, suggested a "community service" component to sentencing for malicious security crackers who are caught and convicted. The idea put forward is that they should contribute to development of software specifically meant to counter the efforts of other malignant computer abusers of their ilk. Let's examine that idea in a bit more detail.

The original idea

In the Fighting fire with fire article, I offered the observation that the efforts of people like Bitsec AB's CTO Joel Eriksson to use security cracking techniques on security cracking software might ideally lead to efforts by security experts to bring malicious security crackers to justice in a court of law. Whether that is how such a security cracker ends up before a judge's bench or some other path brought him or her there, "Absolutely!" suggested that we should:

make effective anti-virus and anti-spyware engines freeware, not via volunteer/hobbyist coders, but via labor paid by the original authors of malware, who are then thrown in prison with drug dealers for a few years and lifetime probation from computers.

The suggestion seems to lean more toward extracting money from the violators of the law and paying professional developers with it, rather than making the offenders do the work themselves. Considering the potential for continued malfeasance on their part, that seems the wise choice, with the suggested aim of funding a discrete security software project that better protects against others of their kind.

I have another idea, however.

Development labor camps

Given the right approach, we might actually be able to put malicious security crackers to good use directly, and even rehabilitate them in the process. Rather than both fining and imprisoning them, then using those fines to fund some government-run program (which invites a conflict of interest, since the courts would end up with a built-in motivation to convict more developers of crimes), a probation system might be organized that allows the offenders to contribute directly to the betterment of society.

The probation system could very easily be patterned after the Google Summer of Code, but with strict oversight (by a competent developer who must vet the offender's code carefully, of course) instead of a stipend. I believe this might prove extremely conducive to rehabilitation, in addition to exacting a payment of the offender's "debt to society" in a real, observable form.

Failure to perform would, of course, constitute a violation of the terms of probation. Go directly to jail, do not pass Go, do not collect $200 (or get any time off for good behavior).

Rehabilitation

Not only would this ensure that the dregs of digital society were exposed to the positive side of bending computers to one's will in a productive, rewarding environment, but it would expose them to an environment extremely hostile to the behavior of malicious security crackers.

The vast majority of open source developers not only have actively negative views of malicious security crackers -- they tend to perceive such miscreants as the lowest of the low, so low that calling them "worms" is unnecessarily complimentary. A little youthful larceny now and then is excusable, assuming one shapes up and gets one's head on straight, but actual malevolence is anathema to people who set out to write excellent code intended to be contributed into the public store of knowledge rather than hoarded according to the traditional business models of the corporate software industry. The open source community tends to be forgiving when it is warranted -- but you generally have to earn your forgiveness, and the poor regard in which you'll be held if you fail to do so can be socially harsher than that of just about anyone else.

Combined with the strict oversight of a cross between a project manager and a probation officer, exposure to such an environment and engagement in such productive pursuits might have a startling positive effect. For those who fail to live up to expectation, jail still awaits.

All Upside

I honestly haven't come up with a downside to this idea yet. Turning malicious security crackers into productive contributors to open source software projects strikes me as a win/win situation.

We have to do something with the human threats to IT security, and this seems like a good choice. Why don't we give it a shot?

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
Jaqui

Most open source projects are struggling to get good coders; they don't have the manpower to implement a security audit process on their code base to verify the code supplied by the miscreants. This would limit it to only those projects with the member base to put a security audit process in place. That would tend to kill off smaller projects fairly quickly.

apotheon

That's why there's a "probation officer" type to oversee everything -- someone to keep a close watch on the doings of his charges with regard to the development process and the safety of the submitted code. Read up on the Google Summer of Code process to get a better idea of what I'm thinking -- the "probation officer" would be like a much more directly involved, strict "mentor" in the GSoC process.

Jaqui

Strict mentoring: you would be needing a 1 to 1 ratio in far too many cases. I'm sure the smaller projects would love to get 5 offenders, if they also got 5 "mentors"; even then, they would need to have at least one project member verify code [since the mentors are human and can make a mistake / miss some code]. The security audit of the code base is a good idea anyway, for all projects; it's just a significant time eater before a release, or a constant time eater. Maybe the whole idea would need to have the offenders' code put in for review by a team of mentors before it gets submitted to the project(s) to really be implementable. The larger projects, which have the members, wouldn't benefit as much from getting these extra bodies as the smaller projects would. A plan that focuses on making it work for the smaller projects will benefit all open source.

apotheon

All you'd really need is a probation officer who can spend a few hours a day, a couple days a week, on each of them -- and knows his/her way around things like a debugger, a test harness, and the codebase for the project in question. "Maybe the whole idea would need to have the offenders' code put in for review by a team of mentors before it gets submitted to the project(s) to really be implementable." I certainly wouldn't suggest adding it to the distributed codebase before review by someone.

$$$$$$$$$$

I like that you mentioned "payment of the offender's 'debt to society.'" If I saw a referendum for your proposal, which included an absolute requirement of full restitution of all direct and consequential damages, I'd vote "Yes." Anything short of that, "No." Also, it would be helpful to require a televised Q&A, to which the likes of Bruce Schneier and yourself are invited, to inquire about the crackers' development process. Presumably in some cases at least, knowing how the crackers find exploits will help software architects design fewer.

apotheon

I like being mentioned in the same sentence as Bruce Schneier. (edit: . . . in a positive light like this.) I also think your idea may have merit, completely aside from your inclusion of me in the panel.

$$$$$$$$$$

So many interesting ideas, so little time per day to implement them.

Fregeus

...is judicial jurisdiction. Besides the script kiddies, most real crackers and hackers come from outside North America. Such camps, although a possible punishment alternative, will be deserted. TCB

$$$$$$$$$$

Both our nations extradite "terror suspects" to God-knows-where. We can't just rule out justice to foreign users of my country's computer network. Once they're extradited, we would have the option to offer this deal to foreign perpetrators of crimes committed via computer.

apotheon

Do you think rehabilitation through positive application of their skills is a realistic goal for dealing with cybercriminals? Is a malicious security cracker recoverable at all if he or she is a professional criminal, rather than just a malicious security cracker hobbyist? Can you think of any improvements to my idea -- or good reasons to scrap it entirely?

Bizzo

But I'd scrap it. The script kiddies that they mentioned in the original article don't really know what they're doing; they buy "hacking" tools and such and try them out. They get easily caught because of their lack of skills. Having them do community service will be like sending them on a free training course on how to do it properly. I agree that the majority of them would enjoy the course, learn the error of their ways, and go straight. But you'll be giving these criminals the skills to do their crimes better. What next? Sending muggers on an unarmed combat training course? Or security systems installation courses for failed burglars?

brian.mills

We could always put the "script kiddies" to work in tech support, cleaning the worms, trojans, viruses, etc. off of infected computers. That would potentially keep them from simply learning how to perform their criminal acts more effectively. The more knowledgeable hackers could be put to work as per the original plan, since they already know what they're doing. They could also be put to work training end users how to protect themselves against malicious code. Who better than a hacker to teach someone how to avoid being hacked? There was a show on cable (dunno if it's still on) where a reformed thief would break into a willing person's home, then they'd show the person how to protect their home, and then the thief would try again, almost always unsuccessfully.

Jaqui

On Saturday nights. I think on MSNBC.

brian.mills

I figured if they can keep trusting Geek Squad, they can keep trusting these kids :)

DanLM

Even with oversight... I am not sure if the burned public, even with oversight, would have enough trust to allow the help from these individuals. Dan

Neon Samurai

From the lack of all advertising since, I think your second theory may be correct. Booo! Three "bachelor" spinoffs, two "top model" spinoffs, two cooking shows, a driving show... finally a "reality tv" show that didn't leave me feeling dimmer and 60 minutes older, and it gets tossed. But this from an industry that canned Firefly after seven episodes but continues to run Raymond. I'll have to do some proper research and see what happened to the show, or if I can at least track down that second episode.

brian.mills

Well, you'd have to have oversight to make sure they're doing what they're supposed to. Can't just turn them loose without someone making sure they're doing their job and not adding to the problem.

brian.mills

I think the name was "It Takes A Thief." It's been a while since I've seen it, but that could just be because I'm not flipping channels when it's on.

apotheon

There were two episodes of that shown in December to premiere the series. One of them was the car dealership episode. I don't believe there have been any more since then, though. Maybe the ratings weren't high enough -- or maybe the show fell victim to CourtTV's changing format around the same time.

DanLM

This technical support is what is truly needed also... I just wonder if people (who they are trying to help clean the machines) would trust them. Dan

Bizzo

Get the kids to clean up the same kind of mess they create.

Neon Samurai

I don't know if Tiger Team is still on, but I caught one episode and would have the season on DVD tomorrow if it was available at HMV. Same idea: a "reality tv" film crew follows a team of security testers through a contract per week. The one I caught was them breaking into a high end car dealership. I'll have to have a look around for the show you mention. Have a name off hand?