Security

There is no legal solution to malware


In response to my recent article, Why do people write viruses?, I have run across proposals for legal solutions to the problem of self-propagating mobile malicious code and other malware. The proposals involve such solutions as mandatory prison sentences, corporal punishment (e.g., public caning), and even capital punishment (i.e., public execution). One suggestion involved a month's incarceration -- without access to a computer, of course -- per discrete infection, sentences running consecutively, potentially leading to several lifetimes' worth of incarceration for particularly successful viruses.

There are a number of problems with such solutions, however.

First, many virus writers would be effectively immune to these legal penalties by simple virtue of the fact that they live outside your jurisdiction. Taking victims in the United States as an example, they might be affected by a virus created by a miscreant in the Russian Federation or Jordan, neither of which has an extradition treaty with the United States.

The problem of extradition treaties doesn't even come up until you figure out who committed the crime, though. How do you conduct a criminal investigation across international borders when you don't even have any physical evidence, and when the process of performing forensic analysis requires getting access to computers that belong to people who are citizens of another nation? Even for "friendly" nations, this can impose some significant roadblocks in your investigation. A successful conclusion to that kind of investigation would require the aid of computer forensic experts in the employ of other nations' law enforcement agencies, according to those other nations' laws. Since criminals do not need to physically visit other countries for the crime's trail to pass through them, when the crime is one of propagating computer viruses, it's easy to route the commission of the crime through nations that are least likely to be of aid to US law enforcement.

Now, let's consider the political matter of punishment. Many nations would not much like the idea of several centuries of imprisonment for a precocious sixteen year old who wrote a little bit of code in his free time. Even worse is the idea of corporal or capital punishment. Many nations that have extradition treaties with the United States refuse to turn over criminals to US law enforcement when their crimes are punishable by death under US law. If you apply corporal punishment (what some would call "torture") or capital punishment (some call that "murder") to the crime of writing viruses that cause significant harm, even many countries that have extradition treaties with the US will say "no" when you ask them to turn over the criminal for prosecution.

Finally, there's the "problem" of the laws in the US. Are you prepared to urge Congress to amend the Constitution to allow corporal punishment, or to imprison someone for ten thousand consecutive one-month sentences? There are prohibitions against "cruel and unusual punishment" in the federal government's founding document that the courts would likely rule prohibit exactly the sort of legal measures advocated.

Imposing more severe penalties is likely to provide only the weakest of deterrents, if they are any deterrent at all. Statistical studies tend to show that even capital punishment doesn't provide a statistically significant deterrent to the criminal population. In some cases, mandatory harsh penalties such as three-strikes laws actually increase the likelihood that a given criminal will commit more heinous crimes, such as killing potential witnesses to increase their chances of getting away with the robbery that started the whole mess. Similar effects of criminal penalties for malware writers are possible.

How would we count the number of infections in a manner that can be substantiated in court to impose a month's incarceration per infection? Does "innocent until proven guilty" no longer apply when we are counting up the number of incidents of infection? Should law enforcement be allowed to propagate its own self-replicating malware, whose only purpose is to spy on our computers to report back on the presence of other viruses? Should we rely entirely on voluntary reporting from people whose apathy will prevent them from caring enough to fill out the necessary paperwork and testify in court?

Would you really want a string of ten thousand witnesses for the prosecution coming to court, anyway? The first case brought to trial could grind not just the court system but the whole country to a halt, if we need to bring in that many witnesses.

The most important goal of any system of jurisprudence should always be the protection of the would-be victim. Where someone demonstrates that he or she is not only capable of violating others' rights, but eager to do so, that person should definitely be prevented from doing so in the future. Incarceration should be regarded as a preventative measure, employed in cases of people who have made it clear that they intend to violate the rights of others by already taking action to violate others' rights. That, alone, will not solve the problem of malware, though. The only real deterrent for such acts that is likely to work is to make the very attempt pointless.

If the malware never achieves any success at all, nobody will ever bother writing any. In this case, the technical solution is the only effective solution. The way to defeat malware writers, and to get them to stop doing what they do, is to take steps to eliminate our vulnerability to their malware -- not to try to execute all the malware writers in the world. When the vulnerability does not exist in any reasonably exploitable form, indiscriminately propagating malware will no longer be written, just because there's no point in writing code that doesn't do anything.

There are ways to eliminate our vulnerability to malware, believe it or not, but that's a subject for another article.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

20 comments
michaelburton01
michaelburton01

Reciently I tracked down the registrar for one such piece of work called "AntiwareProtect" I called and filed my heated complaint that they have enabled this fictious company to exist and it's scamming of users who un-knowingly become infected. Their worthless software uses EXTORTION to steal from unsuspecting victims. And to add insult to injury, not performing as claimed. The hosting service was shocked but ultimatly said "Oh Well" My recommended solution is to Boycott, file a complaint with the BBB, Publicly Humiliate, and BlackList any hosting firm or registrar that has provided service to the pervayors of pestilance that has ruined the intent and purpose of the internet as a whole. Now I fully understand the "First Amendment" will become a crutch or defense for these people. And some may even say the cannot be held liable for the actions of their customers. But lets think about that for a moment. A parent is held accountable for their minor childs actions. An employer is liable for damage caused by an employee. The driver of a car is charged with littering if a passenger throws trash from the vehicle. If you provide service to a Bank Robber (IE: Drive him to the bank) are you not an accomplice in a court of law? Claiming a waiver of liability and hold harmless agreement can no longer be tolerated by the general Internet public. It's time we put our foot down. It's time we hold these entities that support and provide service to individuals and companys, who willfully commit acts of fraud and theft, responsable and punishable to the fullextent as if they themself had performed the crime. Would this not be a step forward? It's time we take our internet back !

apotheon
apotheon

Malware cannot be solved by legal solutions -- at least, not without a single world government and a bunch of laws that violate privacy.

toms45
toms45

agree with your proposals and supporting logic. The "I didn't know" defense is just another excuse for not accepting responsibility for your actions or lack of actions. Fee based email will be a reality as soon as enough members of our gov't. decide to make it so.

staffordd
staffordd

I just read your post about how virus writers can't be legally punished. I really think you are missing the point. On Tech Republic, I just read an article about the Mydoom worm. This worm allowed access to millions of personal computers, and cost people billions of dollars/euros/whatever due to the theft and misuse of their personal information. Some call this "rape". Now I proposed harsh sentences for virus writers, because it's a subject close to my heart - a related group, who scam elderly and sick people, robbed my own mother just recently (she is 77 years old). Over time, they took her last 10,000 dollars. So when you say that lawmakers aren't going to want to punish a 16 year old boy for writing "a few lines of code" - well, first of all, that's an uninformed statement, because those "few lines of code" cost us, real people, real harm with Mydoom (and the like). When you say something like that, you set yourself up as a proponent of virus writers. So as I said to the other esteemed gentleman who seemed to want to DEFEND these hurtful, destructive, anti-social criminals - are you YOURSELF a virus writer and that's why you are defending this "innocent" little 16 year old boy? AGE has nothing to do with the seriousness of a CRIME. If a 9 year old boy kills another boy, he deserves life imprisonment or whatever, as much as a 40 year old would. And don't try and say the 9 year old DOESN'T REALISE HE HAS MURDERED. In the same way, the 16 year old, when he writes his few lines of code, knows FULL WELL the consequences, and the amount of money to be made by robbing millions of people via identity theft. I think your post shows that you feel virus writing is OK. I have said this before, I feel like a broken record, but, it is NOT OK. Under ANY circumstances. Why do people in this thread continue to try and JUSTIFY the actions of these virus writers when morally, there can be NO JUSTIFICATION. Wholesale robbery via identity theft is not a crime worthy of a slap on the wrist. In fact, you are so wrong it isn't funny, because it's exactly that 16 year old boy who needs to have his antisocial, destructive "habit" nipped in the bud, to prevent him from becoming more and more destructive as time goes on. Forget extradition. Each country needs to deal with it's own virus writers, but, they need to deal with them FIRMLY, and stop excusing them, as you seem to want to. I don't exactly care what the punishment is, but we NEED A DETERRENT so this crap will STOP. And you saying we can't prosecute a 16 year old boy for writing a few lines of code - well, I guess you SUPPORT viruses and worms, and you WANT to see people hurt, and you WANT criminals, who cause personal, emotional, property and financial damage, to go free. That's what Chad would seem to want, based on his very forgiving attitude towards virus writers. There was a clear tone from many of the community within this thread, one that involved a certain barbaric method of punishment. As I said, I am not normally in favour of this, but the anger I feel about what was done to my unsuspecting 77 year old mother - well, that anger wants to see both scammers and virus writers put away forever. Virus writers - no matter what governments do, no matter what laws there are, you need to remember that there are thousands, probably millions, of innocent people who have either BEEN victimised, and/or know someone who has been victimised. And those people are hurt, and angry. So don't be surprised to wake up one morning with a hundred people at your front door - with rope. For you Chad, since you represent Tech Republic - I ask you to reconsider your post. I really feel it was ill-advised, and it only serves to encourage criminal behaviour, while at the same time making you seem to appear to be in favour of virus writing. Let's ask everyone here. Do you think the poor, little misunderstood 16-year old boy who wrote a "few lines of code" should be allowed to go free (before you answer, don't forget how this boy has preyed upon elderly, infirm, disabled and helpless people, and robbed them blind via identity theft). Other than that, I'm sure he's a REALLY NICE BOY. I hope this is clear.

chris
chris

Why not hire out to get back at these guys? There are plenty of clever people that I bet would relish it.

seanferd
seanferd

I certainly cannot imagine any new laws well written enough to be effective and to avoid the unintended consequences and abuse which frequently seem to outweigh effectiveness in many cases anyway. We don't use the current laws effectively, why should anything new work better? In a large part, the more serious malware is a market issue. If it is not cost effective to develop malware for one reason or another, it will tend to die off.

robo_dev
robo_dev

Legal solutions mean we can at least try to reduce the scope of the problem. Have you ever battled with Vundo or Virtumonde spyware? This little pest has caused me to waste tons of time and I'm sure there are millions of others who feel the same way. Ordinary users end up taking their PC in for service to get rid of malware such as this, costing end users tens of millions of dollars, as well as lost time and productivity. At the very least, legal solutions can 'show us where the guy lives', so we can round up an angry mob with some pitchforks, torches, tar and feathers...... Maybe if us end-users started creating a 'bounty fund' like Microsoft did for the Conficker author?

seanferd
seanferd

It sounds like you read 5-10 random words and made some sort of guess colored with assumptions and your personal beliefs, and then ascribed the results to someone else. There are good ways to control crime, and there are bad, nonfunctional ways purported to stop crime by angry or attention-seeking or non-rational people. I'm sorry to hear your mother was robbed, but does it matter how? Theft is theft, and if you can catch the thieves in a friendly jurisdiction, press charges. I noticed that you have proposed no solution, other than "need a deterrent" and "deal with them firmly". On second thought, I see you have a solution all mapped out. Now perhaps you should run for political office. Or maybe, you could submit some rational ideas, disagree with actual points, or even bring in ideas you've seen elsewhere, properly attributed, and disagree with them. Go ahead and vent your spleen against malware authors and users, but choose your targets accurately. Collateral damage, friendly fire, and random attacks are BS.

apotheon
apotheon

I just read your post about how virus writers can't be legally punished. That would be pretty difficult to do, since I've never written a "post" or article about how virus writers can't be legally punished. What are you talking about? On Tech Republic, I just read an article about the Mydoom worm. If you're talking about the Mydoom.FUD article, I wrote it, so I'm quite familiar with it. So when you say that lawmakers aren't going to want to punish a 16 year old boy for writing "a few lines of code" - well, first of all, that's an uninformed statement, because those "few lines of code" cost us, real people, real harm with Mydoom (and the like). It seems to me that you are the one missing a point here. I never said anything to the effect that someone shouldn't be dealt with as harshly as necessary to stop him or her from harming more people, after demonstrating his or her willingness to do so, regardless of age or the fact that it was "a few lines of code" that served as the mechanism for causing that harm. What I said was that many nations wouldn't be willing to do so. Please read more carefully in the future, and avoid assigning to me the opinions I suggest belong to people other than me. That should help you figure out how to address what I actually said. Saying that some lawmakers aren't willing to do something isn't the same as saying that I'm not willing to do so. In fact, I made no comment in the article one way or the other about whether I'd be willing to do so. When you say something like that, you set yourself up as a proponent of virus writers. No -- when you confuse what I said about other people's opinions with my opinions, it's you who set me up as a proponent of virus writers. are you YOURSELF a virus writer and that's why you are defending this "innocent" little 16 year old boy? No. Now I have a question for you: Are you usually this prone to making accusations in lieu of reasoned arguments? I think your post shows that you feel virus writing is OK. I think your reading comprehension skills are seriously lacking. Why do people in this thread continue to try and JUSTIFY the actions of these virus writers when morally, there can be NO JUSTIFICATION. Why are you so thoroughly dead-set on believing the worst of everyone around you that you're willing to overlook what they actually said? I don't exactly care what the punishment is, but we NEED A DETERRENT so this crap will STOP. Please read the article again, without letting your desire to find new reasons to assume people are evil, and see if you can figure out where I addressed that issue. And you saying we can't prosecute a 16 year old boy for writing a few lines of code I didn't say that. I didn't say that. I DIDN'T SAY THAT. Maybe added emphasis will help you get a clue. That's what Chad would seem to want, based on his very forgiving attitude towards virus writers. There's nothing "forgiving" in the article. Learn to read. For you Chad, since you represent Tech Republic - I ask you to reconsider your post. I don't represent TR. I represent myself. I'm a contributor, not an employee.

robo_dev
robo_dev

the latest malware is 'ransomware' that encrypts your hard drive and asks for money. So we should just pay the bad guys and walk away? "Annual Worldwide Economic Damages from Malware Exceed $13 Billion" (2007) http://www.computereconomics.com/article.cfm?id=1225 "The goal of malware authors has shifted over the past several years. Cyber-criminals today are motivated more by a desire to gain financially than to create havoc. Instead of releasing malware as a form of electronic vandalism, they design malicious code to quietly use infected machines to accomplish their objectives, such as sending spam, stealing credit card numbers, perpetuating click-fraud, displaying advertisements, or providing a backdoor into the organization's network" Cyber-crime is a now a business, not just a bunch of bored pimply-faced teenagers off to create havoc. "Viruses and malware is currently written by professionally organized groups with the intention of making money. The current situation of the internet helps malware creators make money with very little risk, and they aren't out to just have fun anymore. Also, malware writers are increasingly targeting newer devices like smartphones, which have a low security barrier. I feel that cyber-terrorism will increase as well, with countries infrastructure being targeted more and more in the days to come." http://www.computerworlduk.com/management/security/cybercrime/in-depth/index.cfm?articleid=1947 Malware will die off by itself at the same time the Internet stops being a source for porn....

apotheon
apotheon

We only need to "give up" on thinking that legislative solutions will have any positive effect more than removing an occasional miscreant from the pool, once in a while, when we're lucky. Balance that against the potential for harm in legislative "solutions" -- harm to privacy and security, ironically enough -- and it should be obvious that we have to be very, very careful how we address the matter.

apotheon
apotheon

Did you respond to the wrong comment? I don't really see how this pertains to what I said.

patrick
patrick

Is is commercially attractive because it costs nothing to send messges on the internet. So criminals clog the system with millions of messages in order to make a few thousand dollars. And this "volume" environment facilitates rapid evolution of different scamming strategies, with more or less no penalties or hindrance at all. As other contributers have said, it is not about to get better. If email cost (say) 1 cent per message, then a) the extra revenue would fund prevention activities (you bet, if someone is paying for it) b) people woud be soon aware if their computer got used to send email messages Currently they neither know or care c) to collect the revenue, providers would have a strong interest in properly identifying true senders and recipients. Currently they know little and care less Put another way, what do you think woudl happen if the postal system were completely free. Would you get more junk mail? How rapidly would the fake competitions and other scams develop into much larger criminal activities?

seanferd
seanferd

We need to use existing law effectively. Enforcement is a very important aspect of that, for sure.

apotheon
apotheon

That's as appropriate a response as many of the "solutions" presented in State legislatures and the United States House of Representatives.