bum rap for a worm tweaker
September 2, 2003
Michael Gartenberg really seems to want to throw the book at Jeffrey Lee Parson, the kid who modified the Blaster worm and let it out on the net at large. I think Michael's mad at the wrong guy.
The reality is, Sobig is the worm that's done the most damage recently, which is a totally different problem. And the strain of Blaster which caused the most damage had already run its course before Parson created his version. All he did was modify an existing worm and make a variant that was, by all accounts, much less successful. Throw in words like "terrorism" and "potential damage", though, and this kid's going to get royally screwed when this case comes to trial.
It's easy to say, "he's a criminal" and of course that's literally true. But he ought not suffer for the far more serious crimes of others, and I fear that it's quite likely that he will. This isn't, despite what the prosecutors will say, a kid with a great deal of technical knowledge. I'm pretty sure I have enough technical knowledge to modify an existing worm and release it, though I wouldn't be foolish enough to stamp my name on the damn thing. And I'm a biz dev guy, for pete's sake. Imagine what a real programmer could do.
I'm not saying the kid shouldn't be punished. But I suspect a lot of people want to make this kid suffer for their victimization by the original Blaster and by Sobig, though those were both the work of people far more sophisticated than Parson. If not for the havoc wreaked by those worms (and, yes, if not for the vulnerability of Microsoft software in general) Parson wouldn't be making the news at all for what's essentially a failed attempt at making his own version of someone else's malware. Punish him for what he's done, yes. But don't make him suffer for others' sins.
You probably don't know anybody who's suffered at the hands of Parson's worm, and you would never have even heard of his case if not for the crimes of others. That doesn't make him responsible for their actions, and he ought not be punished for crimes that even the prosecutors havent' accused him of.
2:07 PM
2 TrackBacks
Jeffrey Lee Parson, the 18-year-old who created the Blaster worm that exposed a vulnerability in Windows, was punished for his... Read More
Gartenberg is only giving cherry picked and, it seems, erroneous facts regarding the CERT advisories and Linux / open-source. Not that they are a concrete measure of system security or securability, but let's at least see if we can get the facts a litt... Read More
I have to agree, Parson is just a scapegoat right now, the stupid kid who had the dumb luck to be offered up as punching bag for angry computer users - there are still about half a million other victims out there affected by the non-Parson Blaster virus (whereas his affected 7,000). Maybe some of the ill will is due to the fact that he's perpetuating all bad stereotypes about computer nerds: Weird, fat, socially backward, seems like a shut-in.
Yeah, they made much of his being overweight and reclusive in the papers and online venues that broke the story. It's precisely the same kind of hyperbole as accompanied the Mitnick case: cyber-terrorist, mastermind, etc. Pretty ridiculous.
Truly is a shame the penalty he will have to pay. Fat geek in a little cell...
This incident really reminds me of the movie "Hackers," in which the hackers save the day by defeating the evil corporation, much to the chagrin of the authorities. This kid is now our whipping boy.
I wouldn't hold my breath waiting for Garty to blame Microsoft for the problem. I'm fond of a lot of people who work at MSFT, but institutionally the place brooks little dissent from its vendors. If you wonder why the crowd blaming MSFT is so small - it's because most industry professionals can't afford to lose their Microsoft relationships and contracts.
Check out the heavy dude's web site. He had posted a worm to be spread on peer-to-peer networks such as the specifically named "kaza". His site linked to other dark side hacker sites. He participated in activities that included trojans, taking over your computer and linked to sites I didn't know existed a buy your own trojan that is not detected by Norton's.... but of course if you use Firewall protection - the outgoing BS is going to be detected for sure.
No he didn't create the first worm, but he did create his very own version, distributed it, and distributed other destructive malicious code. Viruses, worms, (and even spam) are truely screwing up the internet, personal computers, business computers and the functioning of services that we all rely on. It is time these assholes stopped this nonsense. Do not collect $200 - go to jail - period..... and one day get out and run a security business....
So intent has nothing do with it? That would go against the principles that apply when judging other crimes.
His real intention was to cause the same amount of damage as the first worm did, regardless of what actually happened. That hardly makes him qualify as a "scapegoat", and neither has it anything to do with being overweight, stupid, etc.
"...stereotypes about computer nerds: Weird, fat, socially backward, seems like a shut-in..."
Thats not about most computer nerds, thats about most Americans.
I would disagree, Pason is more than a scapegoat. He modified a known virus in an attempt to wreak more havoc. Did it do as much damage as Sobig? No, but I don�t think that�s the point. Anyone who goes in this direction of attacking public infrastructure should be punished, not romanticized. As for assigning blame to Microsoft, they of course bear the burden of making their systems more secure but as I have pointed out in the past, finger pointing at Redmond doesn�t resolve the issues nor does it relieve users of the bearing responsibilities for the systems they own or deploy.
The thing I find interesting about the article is that they mention his height and weight at all. Why? Is he "on the loose" and are we to look out for him?
I suspect it's more to let people perpetuate stereotypes than anything else. That's sad.
You probably don't know anybody who's suffered at the hands of Parson's worm
Well, I've no way to know for sure whether it was Parson's strain or some other, but MSBlaster pretty much fucked things up in my life. My own personal computer was sacked, as were two computers at work. I also had to fix two other computers for friends. Each of these fixes required careful removal of the worm, followed by time-consuming downloads to patch Windows to the its latest (supposedly secure) state. I know of several other people who were affected by MSBlaster that didn't ask me to fix the problem for them.
Yeah, yeah: I should keep up-to-date with all the security patches, as should all my family and friends. If I had, this never would have happened. That's an ideal world. In my world, the comuters were all fucked up for several days because of MSBlaster.
All of this havoc from the one worm, but I only know one person who was affected by Sobig. Some kind of Oregon anomoly? I don't know.
Whatever the case, if the kid was fucking around tyring to create virii and worms, he should suffer the legal consequences, nothing more, nothing less.
isn't that usual-to mention height and weight in thes cases?
I am pretty sure I have seen it done in many cases
"Yeah, yeah: I should keep up-to-date with all the security patches, as should all my family and friends...."
yes, you should. while my workplace got hammered by sobig, none of the five computers i have sitting at home have ever been touched by a virus or worm (although, karmically, I'll be probably be nailed now)
you can talk about the "intent" of this script kiddie who, again, was stupid enough to put his own name on his work, but you can also talk about the fact that this was made possible by the end user, as is any virus or worm.
i believe the news is out there that microsoft does have the occasional security hole. why is it always such a suprise when people get nailed for not updating their system?
if your bank stored your money in a shoebox, who would you blame when they got robbed?
Unfortunately, I don't think he has got the skill or knowledge base to be in the security business... although he will undoubtably have plenty of time to read up on it in the very near future. I have known plenty of guys who have ventured into shall we say the dark side while young, full of angst and looking for their calling. Most that I have known have found their path and ended up in software engineering positions with major companies -- nVidia, Microsoft, IBM and RealNetworks. Unfortunately there are even more out there that don't have the discipline, mental aptitude, or whatever to become truly productive coders, designers, architects etc. Most of them are like Jeffrey -- marginally skilled at hacking someone else's program, but not skilled enough to create a unique useful program from scratch. Usually they lack the common sence or ability to see the consequence of their actions. Quite often they feel marginalized by society, and I can feel for them in a small way, after all who among us did not feel isolated, misunderstood and misrepresented when we were somewhere in that decade between puberty and say 22 - 23.
The end result is that Anil is right, Jeffrey's going to get the book trown at him. I will not be surprised to see him get the full 10 years of jail time at sentencing. He will get out sooner of course, with parole, as 2 years from now the general public will have no memory of him at all. He was careless, misguided and clumsy.
> Each of these fixes required careful removal of the worm, followed by time-consuming downloads to patch Windows to the its latest (supposedly secure) state.
Are you saying that he's responsible for you having to patch your system? The thing was broken. Unless you are keeping on top of your patches, if you connect said broken software to a public network, you have the computer equivalent of unsanitary conditions.
STOP SPREADING WORMS. PATCH YOUR SYSTEM.
Clowns like Parson wouldn't be able to cause widespread damage if people took responsibility for what *their* computer is doing (how many computers did *your computer* infect? And you knew the dangers of not patching beforehand, right?).
> Whatever the case, if the kid was fucking around tyring to create virii and worms, he should suffer the legal consequences, nothing more, nothing less.
I agree, and so did Anil when he posted this, and nobody here has said otherwise. Anil's point was that to throw the book at him would be unfair. Going for maximum jail time, branding him as a "computer terrorist", or claiming he caused X trillion in damages is ridiculous, yet quite possibly this is what is going to happen.
Well, they're not really charging him with anything outside of the Blaster.B worm, but the penalties they are seeking certainly seem vindictive.
Clowns like Parson wouldn't be able to cause widespread damage if people took responsibility for what *their* computer is doing (how many computers did *your computer* infect? And you knew the dangers of not patching beforehand, right?).
I'm guilty as charged. I've openly admitted that I was foolish and I paid the price for it. I did know the risks involved with not staying up-to-date with the latest OS updates.
But what of my friends and relatives who buy their computer and use it with the assumption that what they've purchased is inherently secure? Are they culpable because they trust that the product they've bought is reliable? I don't think so. I think it's pretty poor reasoning to blame them for the spread of a virus or a worm.
The "if your bank kept your money is a shoebox" argument is pretty lame — it's tantamount to claiming that any criminal activity is acceptable if it's easy to do. What? The person taking the money is not responsible because it's just sitting in a shoebox? Somehow it's their's to take?
After reading more about the case, it's clear that I was affected by the first worm and not Parson's worm. And it does sound like he's just an average geek who did something pretty damn stupid. I, too, hope that he's not used as an example. He's probably learned his lesson already.
An interview with Parson.
http://www.msnbc.com/news/960377.asp?vts=090320030620
I knew. Most people did not. The comparison to banks and shoeboxes does not hold. To most people the security holes in MS's products are not obvious. Even when they are, it does not in any way excuse those who try to exploit them.
There's a similar debate in Sweden now, based on the fact that young female rape victims who dress "inappropriately" (short skirts, tight shirts, etc.) are viewed by the courts and police as having themselves to blame. That is to say, they "knew the danger". I strongly disagree, and thankfully, so does a majority of people in Sweden.
While the nature and effect of these crimes have little in common, this would still be a better comparison. There are of course many others (open windows and burglars, driving, etc). You figure them out for yourselves.
But it would seem that some people confuse insurance policies, which by their nature need to take into account factors of neglect, and the law.
well, that bank analogy got torn up right successfully.
i'm not excusing the virus writers, i'm just saying we know it will occur, so we should take precautions to prevent their success (patches).
i guess the reason so many people still won't update their systems or, god forbid, not open every attachment they receive, is that nothing too terribly serious has occurred.
yes, worms are clogging up networks and costing billions of dollars in time spent repairing, but that's still an intangible cost to many people.
maybe when sobig is converted to search computers for quicken or microsot money files and email them to a hotmail account, the public perception might change
There's also the fact that some people are reluctant to download patches immediately because they screw up computers.
From a ZDNet UK article:
Advice being given to companies is that they should avoid installing individual patches released by the software giant, and only deploy service packs once they have been through a rigorous internal testing procedure. The move is a further indication that Microsoft's Trustworthy Computing initiative, which is supposed to increase the company's reputation as a reliable software developer, is not being taken seriously by the industry.
Pierre Noel, security strategist at security company TruSecure International, said that if customers followed Microsoft's patching instructions earlier this year, they were left vulnerable to the Slammer virus. However, if they had only installed the service packs and ignored the various individual patches and hot fixes, they would have been safe.
"Microsoft released a number of patches for its SQL server over a period of 12 months. The first few had protection against the vulnerability, but the last patch -- which was one month before Slammer was released -- was intended to fix another problem, but it reopened SQL server vulnerability," said Noel.
My friend actually MET the kid. He said that he made it so Microsoft would actually do something about the problem in Windows. Well... technically, it worked.