TechRepublic community member Absolutely!, in the discussion of the article, Fighting fire with fire, suggested a "community service" component to sentencing for malicious security crackers who are caught and convicted. The idea put forward is that they should contribute to development of software specifically meant to counter the efforts of other malignant computer abusers of their ilk. Let's examine that idea in a bit more detail.
The original idea
In the Fighting fire with fire article, I offered the observation that the efforts of people like Bitsec AB's CTO Joel Eriksson to use security cracking techniques on security cracking software might ideally lead to efforts by security experts to bring malicious security crackers to justice in a court of law. Whether that is how such a security cracker ends up before a judge's bench or some other path brought him or her there, "Absolutely!" suggested that we should:
make effective anti-virus and anti-spyware engines freeware, not via volunteer/hobbyist coders, but via labor paid by the original authors of malware, who are then thrown in prison with drug dealers for a few years and lifetime probation from computers.
The suggestion seems to lean more toward extracting money from the violators of the law and paying professional developers than toward making the offenders do the work themselves. Considering the potential for continued malfeasance on their part, that seems the wise choice, given the suggested aim of producing a discrete software project for security purposes to better protect against others of their kind.
I have another idea, however.
Development labor camps
Given the right approach, we might actually be able to put malicious security crackers to good use directly, and even rehabilitate them in the process. Rather than both fining and imprisoning them, then employing those fines to fund some government-run program that might create a conflict of interest, wherein the courts end up with a built-in motivation to convict more developers of crimes, a probation system might be organized to allow the offenders to contribute directly to the betterment of society.
The probation system could very easily be patterned after the Google Summer of Code, but with strict oversight (by a competent developer who must vet the offender's code carefully, of course) instead of a stipend. I believe this might prove extremely conducive to rehabilitation, in addition to exacting a payment of the offender's "debt to society" in a real, observable form.
Failure to perform would, of course, constitute a violation of the terms of probation. Go directly to jail, do not pass Go, do not collect $200 (or get any time off for good behavior).
Not only would this ensure that the dregs of digital society were exposed to the positive side of bending computers to one's will in a productive, rewarding environment, but it would expose them to an environment extremely hostile to the behavior of malicious security crackers.
The vast majority of open source developers not only have actively negative views of malicious security crackers — they tend to perceive such miscreants as the lowest of the low, so low that calling them "worms" is unnecessarily complimentary. A little youthful larceny now and then is excusable, assuming one shapes up and gets one's head on straight, but actual malevolence is anathema to people who set out to write excellent code intended to be contributed into the public store of knowledge rather than hoarded according to the traditional business models of the corporate software industry. The open source community tends to be forgiving when it is warranted — but you generally have to earn your forgiveness, and the poor regard in which you'll be held if you fail to do so can be socially harsher than that of just about anyone else.
Combined with the strict oversight of a cross between a project manager and a probation officer, exposure to such an environment and engagement in such productive pursuits might have a startling positive effect. For those who fail to live up to expectation, jail still awaits.
I honestly haven't come up with a downside to this idea yet. Turning malicious security crackers into productive contributors to open source software projects strikes me as a win/win situation.
We have to do something with the human threats to IT security, and this seems like a good choice. Why don't we give it a shot?