Tuesday, July 12, 2005

Hit the editorialist over the head with a frying pan will you?

I don't read the New York Times religiously (read "at all") but this popped up on Slashdot and I was just floored. I suppose I shouldn't be surprised that some people think a few million dollars is actually worth the death of a few people...but I am. I'm surprised. And more than a little sick.

The article in it's entirety can be found at the New York Times and I had to register just to read it - blech - but I've listed some of the highlights below:


Last year a German teenager named Sven Jaschan released the Sasser worm, one of the costliest acts of sabotage in the history of the Internet. It crippled computers around the world, closing businesses, halting trains and grounding airplanes.

Which of these punishments does he deserve?...
--
I'm tempted to say that the correct answer (the death penalty), and not just because of the man-years I've spent running virus scans and reformatting hard drives. I'm almost convinced by Steven Landsburg's cost-benefit analysis showing that the spreaders of computer viruses and worms are more logical candidates for capital punishment than murderers are.
--
Professor Landsburg, an economist at the University of Rochester...figures that executing one murderer yields at most $100 million in social benefits.


Of course the article goes on to talk about how executing people would be a bad choice, not because it's you know - stupid to equate life with money - but because it's just not mean enough. (You really should read the whole thing.) It kinda bothers me that people are so worried about the money hackers waste and want to torture them or put them to death, but the people who cheat large companies and all their employees of billions are excusable? What about tax-cheats...should they be put to death too? Oh and welfare cheats? What about petty thieves?

4 comments:

Anonymous said...

Resources that are wasted by computer viruses and worms are unavailable for other purposes, such as
saving lives. I suspect that the author of the Sasser worm has contributed to increased mortality, and while
I oppose the death penalty I would not mind if he served life in prison.

katy said...

That may be true, however people who crank call 911 also tie up live-saving resources and probably increase the mortality rate in the same way. However, in the USA people are not even put in jail for that. Nor are they charged when they way-lay a police officer, fire trucks, or ambulances. Fines yes, jail time, no.

Hackers do get jail time. My husband brought up a good point last night that companies have a responsibility to protect against hackers in order to keep their systems clean and their services running smoothly. While I think blaming the company is much like blaming the pilot for the hijacker, it is true that companies spend less on security than any other endevor and the reason so much money is lost is because their insurance claims are much higher than what was actually lost. Meaning more money paid to the company, more insurance premiums, and the cascade that comes from the whole system.

Stolen resources? It comes down to money, spend the money and the hackers can't get those resources. Yes it's not fair, but neither is putting someone in jail for life to pay for a crime that was not the intent of the action. Hackers don't hack to stop ambulances, they hack to prove that people aren't prepared.

Anonymous said...

I respectfully disagree.
If hackers hacked to prove that people weren't prepared, they worms and viruses wouldn't be destructive. It would just pop up a "gotcha, you aren't prepared" message on the screen, and let that be it.
Way too many hackers are simply vandals. They are essentially the same as the guy walking down the street smashing car windows, allthough their m.o. is different.

Yes, calling 911 as a prank takes resources, but that's limited damage, and in most cases redundant. To compare it with a hacker attack, try visualizing knocking out the whole 911 hotline for a few days, so noone can call it.

Yes, hacker attacks do cost money, but it's important what the damages in itself is. Most valuable information, as well as important systems, is stored in computers, and that's what's lost.
For example, medical records, phone switchboards, insurance information, etc.

Imagine getting sick, and not being able to call 911 because a worm knocked out the switchboard, then when you get to the hospital, the doctor cannot check medical records becuas that computer was also hit, and the insurance company cant find your information, because they've been hit as well. And so on... This isn't money, it's information. The fact that it's measured in money does not change that fact.

And I dont agree with the fact that companies are responsible to protect themselfes. It's like blaming a store for shoplifters, because they dont lock their doors well enough, and dont stripsearch everyone leaving.
The hackers spend all their time finding the weak points in computer systems. Most of the really damaging attacks are done by exploiting obscure openings, that the companies usually arent aware of, since they're usually created in the software to begin with.

Companies should have basic security, like a firewall, good access policies, antivirus, etc.. But they cant really be expected to go bug-hunting in the latest MS security patch...

katy said...

Again the argument can go the other way. If a bank locks the doors to their office but doesn't lock the door to the safe and someone breaks in stealing money, security lock boxes with personal information, vital records, the bank is held liable to their customers by both the court and public opinion.

But no one goes to jail.

The fact of the matter is though code may be malicious, it's intent is rarely to deny some poor smuck in Maryland from getting a tetanus shot in the ER. If leaders of companies are allowed to steal, misrepresent, and misuse company information with a penalty of 3-10 years in jail, shouldn't the penalty for hackers be the same thing? Not death, not life in prison.

Murders are sent to life in prison (or death) only when a court can prove they had specific intent. Hackers don't have specific intent to kill, if they did it's be much easier to simply take a gun and shoot.

The purpose of the editorial was to point out that they needed a penalty that would be a deterrent for hacking crimes. None of these would be a good choice because hackers don't believe they will get caught - ever. They aren't afraid of the consequences. However, I am afraid that people continue to think that money and retrievable information is more important than the life of a human being. It's almost a sign of extreme disconnection with humanity. Not that I'm saying either of you are there, but the people mentioned in the article certainly come off that way.