Is hard time for worm author too harsh?

The teenager sentenced to 18 months in prison for unleashing a variant of the MSBlast worm got off easy, a majority of people said in a poll from Sophos.

In January, a federal district court found 19-year-old Minnesota resident Jeffrey Lee Parson guilty of modifying the original MSBlast worm, also known as Blaster, and releasing the variant onto the Internet.

News.com Poll

Just deserts?
Jeffrey Lee Parson got 18 months for modifying the Blaster worm and releasing a minor variant. Was the prison sentence:

Not harsh enough
Just right
Too harsh
Inappropriate--should have been community service

View results

About 53 percent of the 250 business PC users responding to the poll said the sentence was too lenient, the antivirus maker said on Wednesday. Only 14 percent believed the sentence should have been less harsh, and 12 percent said the most appropriate punishment was community service.

The frustration felt by virus victims is likely behind the feeling that the writer of a minor Internet threat should get major prison time, said Graham Cluley, senior security consultant for Sophos. Parson is a visible target, unlike most creators of Internet nuisances, he pointed out.

"What is 18 months going to do for this guy?" Cluley said. "There are much bigger criminals out there on the Internet than Jeffrey Parson."

While the first MSBlast is estimated to have infected at least 9.5 million computers, the offshoot created by Parson infected perhaps 50,000, according to prosecutors' claims. Neither the original worm nor Parson's variant damaged computers, experts believe.

"Launching a worm or virus can hurt the entire global economy and negatively impact people's trust and reliance on technology," Tim Cranton, Microsoft senior attorney, said in a statement. "We support the court's decision on the sentencing. The court considered both the harm caused by Mr. Parson as well as the circumstances surrounding his particular case and we are pleased that the defendant has accepted responsibility for the crime he committed."

The original guidelines called for a sentence of three to 10 years for Parson. Judge Marsha Pechman said the sentence handed down was shorter because of Parson's age and his history of mental illness, and because his parents had failed to monitor his online activities. The judge also sentenced Parson to 100 hours of community service, saying that he had to take part in society.

"I don't want you to have anonymous friends," she said, according to a release from the U.S. Attorney's Office. "I want you to have real-world friends."

The MSBlast epidemic was a major black eye for Microsoft. In tandem with the Sobig.F virus, the threat slammed the infrastructure of the Internet and had system administrators scrambling. Microsoft revamped its fledgling Trusted Computing Initiative soon after the attacks, pushing patches out to customers faster. The software maker also changed its development of Service Pack 2 to focus solely on security.

By comparison, Parson's MSBlast.B was barely a hiccup for most administrators, as defenses against the original MSBlast worm also protected systems against the variant.

MSBlast victims taking part in the poll may have associated Parson with the original attack, Cluley said.

"I think it is a danger that we are using Jeffrey Parson as the straw man for virus attacks," he said.

Perhaps we should be thanking him?

While there are several justifications for the sentence, the fact remains that the actual impact of this worm was minimal in contrast to the worst case scenario.

In some ways, we should be thankful for the worm authors who have to date done more to promote security than any technology vendor's ad campaign.

In the wake of each of these non-destructive worms, thousands more machines are protected, and thousands more users are educated about security (my mom can accurately describe the basic functions of a firewall now).

Personally, I'm somewhat happy for these worms, despite the several hours of my own time they cost me supporting impacted users. I can only imagine the economic impact of a similarly widespread worm that, for example, could delete one's entire hard drive. The worms are terribly annoying, probably to the point of justifying this sentence, but they also serve as excellent fire drills.

Straw man.

The article says that people associated Parsons with the original attack. It's saying the original attack was worse. So it was but Parsons shouldn't be treated leniently just because he's inept. If I attempt to rob a bank because I've seen somebody else do it I wouldn't expect to get a lighter sentence just because I didn't do it as well as those that have gone before me.

[System Tyrant]

There are two kinds

You have two kinds of people. Those who do it because they can and don't figure they will get caught. And those who do it for profit and/or prestege.

You can use people like Parsons to set an example (Yeah it sucks, but hey he did the crime). It will scare off a lot of the "punks", but it's very unlikely it will deter those in the second group. So what you did is put a few "kids" to bed, but the adults will still play.

OR... They will probably scare of those that were curious and not those hard core writers.

new Cassandra

When a civilization adopts a communications network, for
it's Government, finance, industry, research, military and
citizens that is so weak and fragile that it can be
interrupted or damaged by a boy we call this arrogance
hubris. Wise grandfathers used to say, "Don't put all your
eggs in one basket, son." Today we ignore the new
Cassandras and their actions by throwing them in jail. If we
could hear or care to listen to what we don't want to hear
we could begin to understand the level of misplaced trust
in such a delicate
system that places individuals in jeopardy and makes
countries vulnerable

[Mad Dog - Chi]

Microsoft deserves some of the blame

Microsoft deserves some of the blame for allowing computers to be so susceptible.

If a bank leaves the vault unlocked and gets robbed, sure the robber is the culprit, but the bank could have prevented the problem.

We are lucky this worm did not have a more destructive payload. Maybe we should thank this guy for waking people up to the fact that they need to be proactive regarding computer security.

[Udri]

Punishment to great for the crime

50,000 computers used by people who don't have the slightest idea of how to secure their own computer. That was the toll of the worm variant released by that kid.

There was a security patch released by Microsoft for the first infection, and all anybody, with the least bit of common sense, had to do was keep the automatic updates running.

The worm was not even a quarter as dangerous as the first version. Parsons is just a poorly educated child, paying a high price for the stupidity of 50,000 users.

He should have been punished, but 18 months in jail is too much for what he did. If anybody wants to hang a virus maker, they should look for the guy who made the original worm.

Cruel and Unusual Punishment

"Neither the original worm nor Parson's variant damaged computers, experts believe."

I agree with others in that all that Parson did was highlight major shortcomings of Microsoft software to these types of attacks, which could have been significantly more damaging. If anyone should be held responsible, it should be Microsoft, for releasing faulty software.

Those who advocate "setting an example," are exactly advocating injustice, because how else do you set an example than by excessive punishment? It means that one person (the one being made an "example") bears a disproportionate burden of the punishment for a crime. "Setting an example" is a ridiculous and barbaric sentiment that has no place in any justice system.

EB

Vette example is bogus

When you bought your 'Vette, did you ever have the impression that its paint was unscratchable?

Well, millions of people mistakenly had the impression that their Microsoft software was reasonably secure. Then they unleashed themselves on the Internet and opened up the email attachments containing the worm.

It's more like they scratched their own cars through ignorance. Or, in this particular case, since there was no damage, it was more like they just unwittingly dirtied up their cars a little.

EB

The real cost / The real solution

It has been argued that as "Neither the original worm nor Parson's variant damaged computers, experts believe." thus it is seen seen as something of a no-harm-no-foul case.

But just as attempted murder doesn't actually kill the victim, it IS still a crime. The sentence for attempted murder would be less than that for murder its'self & similarly in this case the criminal got 18 months, when they could have been sent down for 10 years.

Even when there is no damage to a computer, there is a significant cost to users. Some estimates suggest that the online community will exceed 1 BILLION this year & most are likely to be using some sort of M$ O/S. Even though this virus (variant) only affected about 50,000 computers, consider how many tens of millions of people, who may have had to update virus .dat files (if they even had protection).

M$'s O/S has been compared to a bank vault with the door left open. But a better comparison would be to a car that easier to break into than other models - it has locks, they just aren't as good - they were designed to look good, because that's what the consumer asked for .

With the growth in computing, non-computer literate people have assumed that the PC is some sort or self-monitoring, self-remediating, self-guiding device that requires no expertise to use. We have had automobiles for almost 100 years and are only now nearing the point of seeing self-drive machines. So, just as a novice car driver should take lessons & practice before heading onto the freeway, just as the first-time firearm buyer should learn how to use that firearm safely, the new computer user MUST learn how to use their computer, so as to reduce risks.

For as long as the public (and businesses) demand remote access, VPN's etc. they are going to be providing a possible way into their computers, to the criminal.

So,
1. 18 months seems in no way excessive for trying to vandalise something that took many man-years to create. I would prefer a harsher sentence.
2. Windows is NOT wide-open. There is a reason that these flaws are sometimes compared to "back-doors". They are obscure flaws in the system, NOT major breaches.
3. The user must take responsibility for their own system - it is NOT a god. It can NOT protect its'self, without your help. When you park your car in a public place, you turn the engine off, hide valuables, get out & lock the car - you must take the same care with your computer; when you're online, your computer IS in a public place.

Microsoft....

Microsoft deserves all of the blame. Had they made the OS house that hand Windows that closed this poor lad wouldn't have seen the open Windows and decided to go shopping.

Did the kid get what he had coming? Yes, without a doubt. Did Microsoft get what they had coming for putting out an OS with wholes big enough to drive a Mac truck through? No, at least not yet. Will they? Someday.

Like with IE and Firefox, sooner or later a viable alternative will hit the streets and people will jump from the Microsoft ship like rats jumping from a burning garbage tug.

Don't tell me the alternative is here and it is Linux because it isn't and it isn't. Linux does have possibility, but it also has a long way to go before mom and dad and grandma and grandpa will won't it on their computer. Most importantly we need native applications for it like Photoshop, Dreamweaver and the like. Only then can it really start doing damage to the desktop market.

Robert

way too harsh

In a way, Microsoft should take some of the punishment for
releasing software with so many holes, bugs, and unfixed issues.
Every business that was effected should also be punished for
their lack of installing patches and keeping their networks up to
date with the latest patches. This code writer shouldn't be
thrown in jail, but forced or offered a job in the security field, or
virus company.

If this young code writer gets this long of a sentence for
exploiting bad software, and causing billions of lost time/
money. Then why haven't we seen the CEO's that stole billions
from peoples pensions at major companies like 'Enron'.

Perhaps it's okay to cause pain and strife to individuals, but a
crime when it costs businesses....

Recommend torture

As someone who has to deal with the disruption to a corporate network and the resulting costs incurred to regain control, I don't feel the punishment nearly fits the global impact of the crime. While recommending torture may be a bit excessive, I'm really tired of working overtime to correct the problems that virus and worm writers are creating. We have to send the message that this type of behavior will not be accepted and will be punished.

Prison sentence will not rehabilitate

Prison sentence will only provide this individual with "networking with other criminals"
What is more appropriate, would be community sentence, Looking after disadvantaged children, looking after elders, looking after "physically challenged persons" (paraplegics etc) And lastly that he be assigned to assist individuals and companies to recover data and infrastructures damaged or detroyed. He / she needs to be put in the shoes of those effected. Rehabilitation is the preferred path, Passport / drivers licence needs to be withdrawn for a certin period and travel beyond his city limits needs to enforced.

I am sure that this individual is your everyday kid next door, everyones son, and needs to be put in a position of responsibility, and prison will not provide this.

Irfaan - South Africa / Switzerland

MORE INFO

1. This person caused a Denial of Service loss of over $1,000,000 against www.windowsupdate.com - it was not a harmless prank.
2. Prior to the removal of sentencing guidelines, this kid would have got a MINIMUM of 3 years jail time.
3. His lawyers are tring to get him 6 month jail, 6 months treament & 6 months rehab.
4. Kevin Mitnick got this sort of paltry sentence. If you don't know who he his - Google him. KM allegedly hacked NORAD - the inspiration for the movie WAR GAMES & he was also the subject of the movie TAKEDOWN. He kept getting lame sentences & kept offending (stole 20,000 credit card #'s on one occassion). The lame sentence didnt stop him - even holding him for 4 years without trial didn't stop him - but at least we had 4 years he wasn't hacking.
5. A mature citizen does NOT take advantage of another persons mistake, they discreetly tell the person about their error. That's why websites have the "report bug" links.