The InformationWeek -- Blogs

Security

Bugs, Crime, And Punishment


Posted by Patricia Keefe, Jul 29, 2005 07:23 PM

Man, oh, man. This past week has been replete with one bug-filled, vulnerable moment after another. Vendors who weren't quashing bugs, or issuing antidotes, were setting out cash or goods as lures to track down even more bugs. The air was virtually thick with repellent and advice even as a counter-event, the "What The Hack" conference, got under way. But the real excitement, it turns out, involved a critical vulnerability that not only wasn't fixed, but was actually made worse by the vendor involved, which in turn made matters even more difficult by attempting to censor a researcher who was trying to point out the fault in the fix. Adding to the drama is the fact that the vendor is industry heavyweight Cisco, and the affected product is its routers, which just happen to provide the underpinning of much of the nation's critical infrastructure. Man, oh, man, all right. Especially since, as it turns out, the researcher was right.


In the latest installment of this saga, Cisco and the researcher settled their differences. Cisco says the researcher, who quit his job so he could make a presentation on the issue at Black Hat, released his information prematurely. Maybe, but it also sounds like the very problems he wanted to talk about were already making their way onto other Internet forums. Cisco, which didn't object to the presentation until days before it was scheduled, could have handled this a lot better. It doesn't look good to appear to be trying to shush information about a vulnerability in a product key to most companies.

The thing is, if vendors are going to come up with procedures and guidelines for how to responsibly report bugs, including when it's appropriate to go public with the information, and if they're going to actively encourage users to dig into the software to ferret out bugs and other vulnerabilities, then they ought to be willing to listen to, and objectively examine, any evidence brought before them, even if it's not what they want to hear. Let's face it--sooner or later, the problem would have surfaced, bringing with it the sting of adverse publicity. That's the thing about the high-tech industry: You can run, but you cannot hide from weaknesses in your products or policies. There are too many smart people too willing to pour time and energy into debate and testing in an effort to keep everything aboveboard and working. And besides, bug reports and flaws don't faze IT--all code is breakable--what they need to see is vigilance on the part of their vendors, and fast action when weaknesses are found. And that includes acknowledging the flaw exists.

Judging from responses to a blog entry on the murder of infamous Russian spammer Vardan Kushnir, many in IT favor strong punishment meted out to the cyber bad guys. Kushnir's violent end pleased more than a few readers, who might find some support for their position in a July 12 New York Times op-ed piece. It examines Prof. Steven Landsburg's supposition that his cost-benefit analysis of the economic impact of cybercrime shows that cybercriminals are more deserving of capital punishment than murderers.

Which raises the question of just what is the appropriate punishment for convicted hackers: a 21-month suspended sentence including 30 hours of community service, jail, death, or something worse?

The Times' op-ed suggests Landsburg makes a pretty good case for slapping German teenager Sven Jaschan, convicted of creating one of the most financially damaging cybercrimes in the history of the Internet, with the death penalty, but stops short of endorsing that punishment. A German judge saw it differently, and gave Jaschan the barest tap on the wrist for unleashing the Sasser worm -- a 21-month suspended sentence.

Both Landsburg and the judge got it wrong. Death to hackers? Oh, please. And that suspended sentence? Just as moronic. And let's not forget these idiotic rulings that include completely unenforceable restraining orders against using or coming within XX feet of any computer equipment. Like there's no way a guy who can cause billions in damage with a creative computer program could possibly outwit that order, right?

Let's get serious, and realistic, about punishing these people. Either jail them, as in a cell with bars, or put their technical skills to use and make them do really useful community service for a really long time. You don't want to go to jail for 4 years? Do community service 8 hours a day for 4 years. Not the piffling 30 hours Jaschan got in exchange for causing significant economic havoc. Community service sure beats 24 hours in lockup. The goal should be to wring some payback out of these people. Anything--from cleaning up roadside litter, to fixing up playgrounds, clearing vacant lots to painting schools--is of more use to society than any of the three options laid out above. Even better, sentence these hackers, virus writers, and other cyber-rabble to creating usable software (under supervision) for nonprofits and schools. They have the skills, these groups have the need. At the very least, Jaschan should be prohibited from exploiting the fruits of his exploit--a job with a computer security company--until his suspended sentence period is over.

Other options, especially where ID theft is involved, might include putting a lock on their credit for a specific time period and stripping them of any plastic or electronic accounts. Let's see how they like functioning in their wired world without credit. It won't be fun.

Otherwise, where is the pain for these kids? What has Jaschan learned? He's famous, he's free, and he's got what I imagine is a well-paying job. A pretty tidy payoff for a little programming work and a couple of court appearances.

But execute them? What is that professor eating along with his Wheaties?
