Mariposa Virus Botnet Hacker Arrested

         

engine

11:58 am on Jul 28, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Mariposa Virus Botnet Hacker Arrested [bbc.co.uk]
A computer hacker known as Iserdo has been arrested in Slovenia.

The 23-year-old is believed to have written the programme behind the mariposa virus, also known as butterfly.
"To use an analogy here, as opposed to arresting the guy who broke into your home, we've arrested the guy that gave him the crowbar, the map and the best houses in the neighbourhood," Jeffrey Troy, deputy assistant director for the FBI cyber division told Associated Press.

engine

7:57 am on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Feelings run high on such matters, for sure. Heck, I know what hassle there is when a machine gets infected. I managed to stop it before it went anywhere.

Most career criminals have no idea of the suffering they cause through their actions. This is another reason why feelings run high within the innocent, law abiding population.

There appear to be two issues here.
1. The arrested man is guilty before being proved so.
In the interests of fairness, let's skip addressing the particular individual until proven guilty.

2. We're discussing suitable punishment.
Let's not address that to the individual.

That way we can try and keep the discussion as fair and interesting as possible.

Thanks.

Samizdata

8:20 am on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



the online equivalent of an internet nuclear bomb

Nuclear bombs killed over 200,000 people 65 years ago.

No moral judgement from me on that action, but I suggest that 200,000 human deaths is not remotely equivalent to the effects of a botnet, even one that takes down WebmasterWorld and all our sites.

Please retain a sense of proportion.

...

incrediBILL

8:57 am on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Please retain a sense of proportion.


I did - this internet nuke took over 12.7M computers and captured financial data.

Did it kill anyone?

Hard to say how some would react to finding their finances being in ruins, or end up homeless because they suddenly couldn't pay the rent.

phranque

10:03 am on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



it is also important to remember what crime this man is alleged to have committed.
he wrote a program.
was he a contractor? an employee? capo di tutti capi?
he probably made some money from that and he probably even knew it would be used for criminal purposes.
but he wasn't alleged to have run a botnet and i doubt he was getting a piece of the action.
in some places running a botnet isn't even a crime.
in some places recording an idea is called free speech.

Samizdata

3:01 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Did it kill anyone?

No - and that was my point.

I don't like malware writers and botnet runners any more than you do, and while I enjoy a joke as much as anyone I would suggest that your hyperbole does not help your argument one jot.

Hard to say how some would react to finding their finances being in ruins, or end up homeless because they suddenly couldn't pay the rent.

I have seen no suggestion that anyone was financially ruined or made homeless by this botnet.

Obviously if someone can provide examples I will be better informed (and suitably grateful).

But summary public execution would still seem an excessive response.

...

LifeinAsia

3:27 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



But summary public execution would still seem an excessive response.

That's the problem these days. Punishments have become so watered down (especially once you factor in early parole, time off for good behavior, etc.). And all the focus is on the "rights" of the convicted (completely ignoring the rights of the victims that the criminal trampled upon when committing the crimes). Most criminals don't feel that they'll be caught, and even if they do they can game the system and get little more than a slap on the wrist. For some, 3 square meals, lodging, cable TV, and a well-stocked gym (all paid for by the taxpayers) actually sounds pretty good.

Maybe what we need is a return to excessive response.

Samizdata

4:14 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Maybe what we need is a return to excessive response

Would that not - by definition - be excessive?

And as you are a Moderator here, what extra powers would you like?

...

LifeinAsia

4:45 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Maybe what we need is a return to excessive response

Would that not - by definition - be excessive?

Yes. In which case it would be, by definition, successfully achieving its purpose. :)

I am not saying I am in favor of summary execution in this case (and I'm not saying I'm not). But I AM advocating tipping the scales of justice in the opposite, non-excessive direction that (I feel) it currently points.

My status as a Mod has no relevance to this issue. This is a Foo topic that has little to do with WebmasterWorld (in a direct sense) and I have been posting without my moderating hat and expressing my personal feelings.

The only "extra powers" I would like to see being given to a judge is the ability to temper the "cruel and inhuman punishment" aspect of any sentencing insofar as it can equal the amount of "cruel and inhuman punishment" that the convicted inflicted upon his victims.

incrediBILL

4:48 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



But summary public execution would still seem an excessive response.

Really?

How else are you going to rein it in?

2009 Internet Crime Report [ic3.gov]
The vast majority of referred cases contained elements of fraud and involved a financial loss by the complainant. The total dollar loss from all referred cases was $559.7 million with a median dollar loss of $575. This is up from $264.6 million in total reported losses in 2008.


Not only that, but check out Symantec's 10K filing last year.

These types of criminals cost the public $6.1B in computer protection software with a single vendor and then the computers get infected anyway!

If you don't think people doing things costing us billions in worldwide fraud and billions to protect ourselves doesn't merit an equally serious response then something is wrong.

It's crazy, it must stop, punish away.

I have been posting without my moderating hat and expressing my personal feelings.

Ditto.

tedster

5:07 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If only there were evidence that heavy punishments create a deterrent effect. As far as I know, they don't. So what we're left with is that feeling of vengeance.

When the damage done is financial, maybe we need a new kind of financial punishment - something like 50% of all future earnings get distributed to a victim pool. Make it parallel to a class action settlement, but criminal not civil.

outland88

6:45 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



With any law it is almost impossible to measure the deterrent effects except by statistical comparison of the amount of crime from preceding years. Suffice it to say though there are millions who choose not to go to jail and to behave in a civil manner towards their fellow man that cannot be and aren't measured. Yet few would argue there isn't a deterrent effect. Plus within any society there are people who will act for the common good and some in direct opposition to it regardless of the presence of laws.

Perhaps in the future we should re-evaluate whether lone computers can be utilized as weapons of mass destruction or to plan mass ruin. Already we have laws on the book for about everything but we refuse to engage in the licensing of computers. The mere amount of worldwide financial scams and theft on the Internet is already at levels that we should have had licensing long ago. A drunk psycho sitting at a keyboard can wreak as much havoc as one behind a car wheel.

Samizdata

7:16 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



incrediBILL
If you don't think people doing things costing us billions in worldwide fraud and billions to protect ourselves doesn't merit an equally serious response then something is wrong

It is a serious response I am waiting for.

You started at life imprisonment without parole and progressed through public guillotining to killing people for profit on reality TV - I often enjoy your rants and expect a certain amount of tongue-in-cheekery but you are just making a fool of yourself here.

A kid wrote some code and sold it - "off with his head" because it was the equivalent of a nuclear bomb.

Utterly childish and unworthy of you.

And not one example of anyone financially ruined or made homeless by this botnet.

LifeInAsia
My status as a Mod has no relevance to this issue

Apologies, it was not your status but your title that spawned the remark.

Excessive = too much, more than is reasonable

Moderator = one who works to stop things becoming excessive

Seeing a Moderator explicitly advocating excessive punishment struck me as paradoxical.

--

To everyone:

If anybody here seriously wants to see the accused put to death then I fear for your sanity.

...

LifeinAsia

7:33 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Moderator = one who works to stop things becoming excessive
Just because one is a moderator in one field does not necessarily make that person a moderator (or even a moderate) in all fields.

But even if I were a "moderator" in the field of justice, I daresay that the number of hacks, viruses, DoS attacks, etc. *IS* excessive. And sometimes an excessive response is exactly what is needed to counteract an excessive situation, so not so much of a paradox.

Regardless, Foo is a place where paradoxes, hyperbole, rants, Tom Foolery, and even tongue-in-cheekery can live in harmony.

Samizdata

9:07 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



sometimes an excessive response is exactly what is needed

Incorrect - if it is excessive then by definition it is the wrong response.

What is required (especially in law) is a reasonable response.

Anything else is not justice.

Now I will leave before I get guillotined for your viewing pleasure.

...

LifeinAsia

9:14 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Now I will leave before I get guillotined for your viewing pleasure.
Now that response is excessive! :)

What is required (especially in law) is a reasonable response.
Agreed.

So let me rephrase- Sometimes the reasonable response that is needed is what would otherwise be considered excessive.

incrediBILL

11:58 pm on Jul 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A kid wrote some code and sold it - "off with his head"


Not just any code, code deliberately crafted for use by criminals that by its very design will disrupt millions of lives.

If having zero tolerance and strong opinions about punishment for those enabling or executing massive crime waves on a global scale makes me sound childish, so be it, as I certainly don't want to be lumped in the corner of those that coddle them.

Brett_Tabke

12:04 am on Jul 30, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month Best Post Of The Month



Nice to see some lively discussion back in foo again!

> it is also important to remember what crime
> this man is alleged to have committed.

Prime time.

phranque

1:00 am on Jul 30, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



if by "prime time" you are referring to a prison sentence then that sentence should be based upon whose criminal actions most directly caused damage to others and who had the most to gain from the results of those criminal actions.

two of the guys who actually ran mariposa, from spain where botnets are not illegal, now have cushy jobs with a computer security company.
some guy in slovenia with a file editor making a few bucks an hour - not so lucky.

incrediBILL

1:47 am on Jul 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



some guy in slovenia with a file editor making a few bucks an hour - not so lucky.

The guy with the "file editor" was a gun for hire, make no mistake about it.

Maybe relocation to Spain would've been prudent.

phranque

4:29 am on Jul 30, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



if he were the "gun for hire" then you might have a leg to stand on.
using your metaphor he was more like the weapons provider than the trigger man.
and in this case he wasn't even selling the "gun", but rather a kit for others to manufacture and rent the weapon.
so iserdo is quite a few degrees of separation from stealing food off your grandmother's table.

and like i said before, while the manufacture and distribution of weapons is typically a regulated industry, writing software is generally considered a form of free speech.

incrediBILL

5:57 pm on Jul 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



using your metaphor he was more like the weapons provider than the trigger man.


Phranque, with all due respect, it's not like the guy was running a legally licensed and sanctioned weapons development plant.

Using the metaphor, he was building bombs in his basement, which would also get you tossed into jail.

Besides, when you build a tool to hack computers eventually you have to test it in the wild to make sure it really works or interactively test it in conjunction with the people that purchased it.

The level of involvement is far more than just a "getaway driver" or "weapons provider" - the botnet code has to be designed to infect, collect, communicate, and execute procedures in the wild meaning the software developer engineered the crime itself!

It would be like someone plotting how to rob a bank and then selling the bank robbing plans to someone else to do the actual robbing.

Simply take into account that building a botnet is something where its only valid possible use is criminal, opposed to weapons that even have recreational purposes, such as skeet shooting, target practice, etc., what other purpose does a botnet have?

None!

The actual act of infiltrating computers to build the botnet is a crime in itself therefore the code has no valid purpose except criminal activities therefore the author of the code was knowingly constructing code designed for a criminal act.

The only way I'd buy your argument about "writing software is generally considered a form of free speech" is if it was only used within a confined environment for evaluating security systems, strictly educational purposes only.

The minute that code, which has a sole use that is only criminal, is sold for criminal activity to be used in the wild, the author is just as complicit as those that execute it IMO, aiding and abetting their ill gotten gains.

phranque

12:53 am on Jul 31, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



so by your definition any book that is written that describes a criminal enterprise in enough detail to be helpful to a criminal is itself a criminal expression.
there are hundreds of people descending on las vegas this week to attend defcon.
we should immediately execute a raid on that educational/criminal enterprise.

and by the way, i never suggested he didn't do something criminal - merely that i haven't read any reports that described a criminal activity in which he allegedly engaged.
the details would be important here and the only "reporting" i've read states that he developed the kit.
not a working bomb, not a method of delivery, not a list of targets, etc.
so maybe he did all this, metaphorically speaking - i just haven't seen it reported as such, so i wonder why you are making that assumption.
i'm not so sure (as you are) that writing any type of software is in and of itself a criminal activity, nor is it equivalent to building a bomb.
in the meantime, you are rounding up a pitchfork brigade for the guy who probably made six figures off his work selling technology to criminals while completely ignoring the multiple syndicates making serious money and stealing directly from actual victims of the criminal enterprise.

Brett_Tabke

1:15 am on Jul 31, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month Best Post Of The Month



>if by "prime time" you are referring to a prison
> sentence then that sentence should be based
> upon whose criminal actions

No - I was just saying he was innocent until proven guilty...

incrediBILL

2:15 am on Jul 31, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



i'm not so sure (as you are) that writing any type of software is in and of itself a criminal activity, nor is it equivalent to building a bomb.


I'm talking about very specific activities which have no other purpose and you keep twisting them into larger scale "if he wrote a book" which wasn't what happened.

If someone just wrote a book they'd probably still be home watching cartoons instead of trying desperately not to drop the soap.

Besides, even if it was an incomplete kit, people have been arrested for building just the blasting caps, detonators, and other 'kit' used to make complete devices so that theory doesn't hold water either.

wyweb

3:04 pm on Jul 31, 2010 (gmt 0)



The actual act of infiltrating computers to build the botnet is a crime in itself therefore the code has no valid purpose except criminal activities therefore the author of the code was knowingly constructing code designed for a criminal act.

Exactly. And even if this software had dual purpose, the flipside being something totally legal, he's still guilty.

If someone writes a book specifically on how to make bombs and someone else buys that book, makes a bomb and then levels a schoolhouse full of 12 year old kids, in my opinion the author is guilty of being an accessory before the fact. I'm old school. The writer would go to the chair just as fast as the bomb maker himself. I'd strap them in side by side if I could.

If that same book contains grandma's recipes for hot fudge or gardening tips or advice on what sunscreen to apply when you're going to the lake, this does not absolve the author from any guilt.

This guy wasn't some noob who was unaware of the potential application of what he was writing. He knew what he was doing, did it intentionally and in full awareness of what the results would be. The getting busted part probably didn't factor too heavily into his plans but oh well.

for the guy who probably made six figures off his work selling technology to criminals while completely ignoring the multiple syndicates making serious money

Apparently he had sense enough to avoid those. No one wants a bullet in their head when they decide to get out and do something else.

walrus

5:19 pm on Jul 31, 2010 (gmt 0)

10+ Year Member



Interesting and oft amusing thread but there seemed like there was almost a 3rd issue. Incredibill mentioned that ISPs could do more to prevent these viruses from spreading. I would like to see some opinions on the solutions issue. What can be done about it rather than what can we do to him.
Why can't or why won't ISPs do more to deter, prevent or discourage attacks?

yaix2

8:24 am on Aug 1, 2010 (gmt 0)

10+ Year Member



that ISPs could do more to prevent these viruses from spreading. I would like to see some opinions on the solutions issue.

I don't think the ISPs could do much. Scan outgoing emails maybe? Scan every website content you download? It would only mean that your future virus comes via https: instead.

The main problem is Windows with its known but unpatched flaws. MS should be held accountable if they don't offer timely fixes for all those bugs, especially in MSIE. Maybe Win7 will improve things, but I doubt it.

As long as it is cheaper for MS not to fix things they will probably continue with their current policy.

wyweb

3:18 pm on Aug 1, 2010 (gmt 0)



Having been involved in the US legal system, on both State and Federal levels, I am all about due process. Let the courts decide. I also know from personal experience that this presumption of innocence thing that gets tossed around in the hallways is only an idealized theory that has little basis in reality.

I can't speak for other countries but I know in the US the presumption is that if you get busted in the first place, you're probably guilty. Juries have a hard time believing that cops will lie or that prosecutors will fabricate evidence. A crucial fact that could well exonerate a defendant won't be withheld by the DA in Discovery because they just don't do that.

Well actually they do.

These are our custodians of justice and the prevailing attitude with many American courts is that they are above question and even above scrutiny.

If this guy is innocent, hopefully he's put back enough money to retain counsel that's up to the task of defending him. He needs to be real careful who he hires though. I was involved in a case just recently, and I live in the capital of a midwestern state, 6 figure population and enough trial attorneys to stink up the entire state, and I couldn't find one that was up to speed on internet law. I had money to spend too. I could have had my pick of counsel and not a single one knew what the hell I was talking about or what it would take to defend me.

The courts don't know either. Internet stuff is voodoo in most municipalities (where I'm from anyway). Most sitting judges know how to check their email and that's about it. Prosecutors rely totally on forensic analysis, either from in-house "experts" or farmed out to Universities for evaluation. Very few jurisdictions have actual qualified computer experts on their payroll. These types of case don't come up often enough to warrant it.

If he's innocent I hope he gets off. From everything I've seen it doesn't look like he's innocent though.

Lock him up forever? Hell no. Put him to work somewhere. Make him pay with what he knows how to do...

kaled

6:33 am on Aug 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I believe that a new legal principle needs to be established being "taking a little life from many people" equates to "taking a lot of life from a few (or one)". Consider this...

A human residing in the west typically lives for about 700,000 hours (80 years). Let's say that equates to 500,000 hours being awake and let's also assume that the average person has used up half their allotted life. This means that stealing approximately one hour from 250,000 people equates to killing someone.

You can take this argument further by allocating a monetary value to that time. So, if the average wage of those affected was $20 (after taxes) stealing $5,000,000 in total from many people would also equate to killing someone.

Previously, crimes involving many people were almost non-existent, however, the internet makes such crimes much easier to commit. Furthermore, the absence of this legal principle means that justice is rarely done (if ever). If virus writers knew that detection and capture would result in a sentence that reflected the total cost of their crime, many more would be deterred than by the threat of doing a couple of years in a low-security prison.

Of course, politicians will never accept this argument since they habitually waste tax-payers' money and introduce new bureaucratic measures that waste time. This being the case, accepting this argument would mean accepting that politicians that do a bad job should be put to death (since life imprisonment would involve further waste).

Kaled.

lawman

6:50 am on Aug 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sophistry knows no bounds in Foo.
This 72 message thread spans 3 pages: 72