Call it criminal negligence, aiding and abetting, being an accessory to a crime, whatever. It comes down to one simple conclusion: victims of computer viruses should be prosecuted.
This is 2007. Everyone knows that the Internet is a jungle and that unprotected computers are at risk from computer viruses, trojans, rootkits, spyware, adware, and malware in general. Security software is everywhere. It lines the shelves of every store that sells software, comes preinstalled on new computers, and turns up 59,100,000 hits in a Google search for "antivirus software." Universities give it to students. Corporations install it. A lot of it costs money. And a lot of it is free. There is simply no excuse not to have it. And even less of an excuse to not keep it updated.
An estimated 90 percent of all email is spam. That's nine out of 10 phone calls you receive coming from telemarketers, or 54 minutes of every one-hour television show taken up by commercials. What would you do about that?
In 2003, estimates put the cost of spam for U.S. businesses at just under $900 per employee in lost productivity -- and that doesn't include increased hardware and bandwidth costs to deal with the increased email traffic. Spam has become a much bigger problem since 2003. The amount of spam flooding inboxes across the world doubled from 2005 to 2006 alone. Spam is easily the most widespread form of economic sabotage, and a lot of people are accessories to the crime.
Internet users have an obligation to have safe computers before navigating the Information Superhighway.An April 2006 article in Baseline estimated 3 million to 3.5 million computers have been turned into bots or zombies, with an additional 200,000-250,000 new infections per day. These computers have been infected with viruses or some other form of malware and are then used to disperse up to 85 percent of the estimated 90 billion spam messages flooding the Internet every single day.
Antivirus and firewall software is so widely available that it is a complete mystery why anyone would not have it. Since most software either upgrades itself or prompts the user to install upgrades, there is no reason not to have the latest and most secure versions. Responsible computer users know not to click on strange attachments in emails from mysterious senders but antivirus software has become so dummy-proof that it will intercept viruses from attachments users click on anyway (assuming the antivirus software is up-to-date, that is).
Lack of knowledge is not a defense. Nor is the "it was too complicated to use" excuse. In the same way that people are expected to have safe automobiles when they drive on public streets, Internet users have an obligation to have safe computers before navigating the Information Superhighway. Failure to do so puts them at risk of being accomplices to a problem afflicting everyone else. And, since most spam violates state and federal anti-spam laws, failure to secure their computers could mean that they are accessories to criminal activity.
What punishment fits the crime, you ask? Hard prison time is tempting, but the prisons are already overcrowded with criminals far less disruptive to society than spammers. Revoking Internet access goes without saying. Perhaps a more appropriate punishment would be on the scale of that given to the mythological Sisyphus. But instead of having to roll a stone to the top of a hill only to have it roll back down again for all of eternity, let the spambot owners be damned to cleaning out an inbox only to have it filled back up with spam over and over and over again.
After all, that's what most of us have to do anyway thanks to negligent computer users.
Comments
sonu commented, on April 9, 2007 at 2:04 a.m.:
they must be Prosecuted.thnx for article.
Aaron commented, on April 9, 2007 at 7:10 p.m.:
So if I'm a talented virus writer and I write a new virus that none of your fancy anti-virus software knows about yet and I manage to exploit the latest security hole in Vista and get it installed on your PC and command it to start spewing spam, you are arguing that you, the victim, should be prosecuted because you weren't smart enough to predict how I'd get into your computer next?!? Hahahahaha!!! Sounds good to me!
getalifeandstopbitching commented, on April 9, 2007 at 7:14 p.m.:
Hi Jamie Wilson,
you're one of those people that have no clue on what they're talking about. i've compromised your computer and i'm sending naked pictures of your mom to my gmail account. i'm suing you cause she's FUc|<ING hideous
you're such a f*cktard...
Tony commented, on April 9, 2007 at 9:21 p.m.:
Better still why don't we publish a list of people who buy from spammers, if no one bought their crap they wouldn't do it.
Adam Ricketson commented, on April 9, 2007 at 10:01 p.m.:
Before mandating the use of this software, the government should just fund the development of free computer security software (and fund an update service).
If you want to sue someone for negligence, sue the software manufacturers who allow huge security holes in their software.
Anonymous commented, on April 9, 2007 at 10:43 p.m.:
your not to bright are you?
Do you have any idea how malware works and spreads?
Do you do any research before opening your mouth or just always talk out your ass?
Matthew Murphy commented, on April 9, 2007 at 10:55 p.m.:
Jamie, it's obvious from reading this article that you're personally frustrated by something. It's even more obvious that you have no earthly clue of the magnitude of what you suggest.
Issue #1 with this thesis is the zero-day problem. Many people were hosed by the Animated Cursor exploit before there were even IDS/AV signatures (much less security updates) for it.
Issue #2 with this is the unavoidable fact that anti-virus software contains erroneous or invasive detections. They detect non-threatening items on occasion as viruses (take the nmap security scanner for example) causing people to deactivate or otherwise limit them.
Issue #3 is that anti-virus software is imperfect. It false positives on occasion and many brands false-negative on trivially-altered variants of known malware. You act as though running AV software and a firewall = a secure computer. You're dead wrong.
Issue #4 is that even a momentary compromise can be rendered unidentifiable to the software by the author of a sufficiently invasive rootkit.
Issue #5 is that some malware lives entirely in memory, out of the reach of AV scanners, exploiting things like buffer overrun vulnerabilities to remain transiently on the system without ever hitting disk.
Issue #6 is that a firewall only protects you if you offer no services. Try telling the web server admin you just charged with negligence that he/she should've installed a firewall. Odds are the answer will be "I did". All it takes is one hole in that firewall for a legitimate service and the machine can be exploited. It doesn't matter if the firewall is XP RTM's cheap ICF, or a Cisco Pix.
Issue #7 is that all the security experience in the world sometimes simply isn't enough. I should know: I've seen one of my web server installs exploited by zero-day attacks which bypassed perimeter intrusion alerting, multiple firewalls, and running AV... with *all* patches applied. Only an outbound connection attempt logged on the perimeter firewall alerted me to the intrusion. A beginner would have not seen that log event -- I had specifically hiked up the perimeter firewall's log level to capture it.
At that point, I'd been doing security professionally for *years*. What's worse, the malware installed was so sophisticated that anti-malware teams I sent it to couldn't return an analysis for weeks. I have no doubt there were others in my position; some of them probably don't know and may never.
Ed commented, on April 10, 2007 at 2:34 a.m.:
You are so such an ignorant, gosh. You sound republican too. Bush-style thinking.
That Guy commented, on April 10, 2007 at 4:35 a.m.:
To the author:
Whose d**k did you suck to get your job? You are obviously an incompetent idiot.
Here's another idea that should appeal to your particular brand of genius. Let's arrest and jail all sick people. If it weren't for all those people with colds and such going around making other people sick, we could eliminate all communicable diseases tomorrow!
You're so stupid it hurt my brain to read your article.
Since you are so concerned with folks breaking the law, I'm calling the Tennessee State Police right now - obviously the Tennessee Journalist is violating labor laws by employing 10-year-olds to write articles for them.
In any case, stay in school. You obviously could really use an education.
anonymous commented, on April 10, 2007 at 5:39 a.m.:
This Jamie Wilson obviously has no clue whatsoever about what he's talking about. People such as these should be prevented from writing at newspapers or any public-influencing media.
Funker Vogt commented, on April 10, 2007 at 7:44 a.m.:
Am I going to be prosecuted when a thief perpetrates a hit-n-run with my stolen car, too?
And who's going to pay for all of the extra forensics work required to establish in any given malware instance, I'd "adequately" protected my PC or whether it was my fault the malware propagated to someone else?
Sorry, this idea is just not workable.
geo.ego commented, on April 10, 2007 at 4:54 p.m.:
Damn right. Every person who picks up a keyboard should be immediately versed in security, and punished by law if they don't abide. I mean, what do you care if the surgeon who could have saved your life is behind bars for getting an email virus because he'd rather study his field than computer security?
Get real. There's not a damn thing in your background that qualifies you to speak on this. Take it from a computer security professional -- no system in the world is EVER 100% secure. If your background had anything to do with security, you'd know that.
Ryan C commented, on April 10, 2007 at 7:28 p.m.:
Excellent idea Jamie!
I have a similar proposal. Journalists who publicly voice uninformed/misinformed suggestions that have the potential to result in negative consequence should be held accountable criminally and serve jailtime.
-Ryan.
Me commented, on April 11, 2007 at 10:05 a.m.:
This proposal casts a VERY wide net. You are going to catch oodles of innocent bystanders if it isn't reworked. I agree that it is important to stifle malware, but punishing those who are suffering a malware infestion often propogate that malware and would thus be caught by your proposal.
idk commented, on April 11, 2007 at 1:23 p.m.:
as a former opinions editor, I didn't let anyone write for my section unless they were well researched and proved to be well educated on the topics they present. Complex thinking skills that weighed pros and cons were also a plus.
yet everyday on tnjn I read an opinion article that I can logically rip to pieces step by step after a single google search into the facts of the case presented. (and so can many other people. see coment #7)
opinion pieces aren't just for anyone with an opinion. while everyone has a right to an opinion, not everyone has a right to a column. editorials are to be as well researched and factually based as any news story, while also providing insightful commentary on the issues at hand. I gained no insight on the issue from this article. I gain little insight to anything in this entire section. as an editor, it is your job to be the gatekeeper to quality writing. even if that means editing yourself.
I know in the age of foxnews and talk radio this is hard for people with uninformed opinions to wrap their heads around - but please. try.
TheHorse13 commented, on April 11, 2007 at 1:29 p.m.:
Worst idea - ever.
idk2 commented, on April 11, 2007 at 1:32 p.m.:
this editorial is sarcastic, right?
it was for comments like these. I knew it. I've been tricked.
I re-read it, and its the only explanation I can come up with.
and I revoke that I called it unresearched, its only half unresearched, or selectively researched, which is better than no research, but still irresponsible opinionating.
but I don't revoke my general criticism of the entire editorial section.
it still needs far more content and far fewer unbased assertions. Students (should) have had english 101 and 102. Students (should) be capable of responsible editorials. And if they aren't they should(nt) be writing.
I'm serious.
Jamie Wilson commented, on April 12, 2007 at 11:10 a.m.:
Yes, this opinion piece was written with sarcasm, hence the suggested Sisyphus punishment at the end of the article. I don't really think that grandma and grandpa should be jailed for getting a computer virus. But I did accomplish my goal of drawing attention to a serious (and costly) problem and stirring up some discussion about it. It certainly worked better than writing a piece that merely says “computer users should take responsibility for security,” don't you think?
I purposely chose not to delve into explanations of zero-day exploits, software vulnerabilities, and anti-virus shortcomings. I'm aware of them (I get plenty of CERT advisories every week on new vulnerabilities and I was a Microsoft user for years before switching to Linux). But the piece isn't about zero-day exploits and failures of software developers, and the target readers of TNJN are not computer security professionals. The goal of the article was to point out that end-users need to take responsibility for computer security and realize that failure to do so has the potential to affect many other people.
The enjoyment of opinion writing is that it is just that: opinion. I get to step away from the news and feature writing and bend the rules a bit, stir up emotions, play devil's advocate...and make people think about something in a different way.
russian commented, on April 13, 2007 at 4:48 p.m.:
Dude. You are wrong.
The business model that instantly sprung into my mind is offering services to American citizens wanting to ruin other American citizens - any (I mean it) computer can be broken into, so you hire someone, he breaks into your enemy's computer and makes it a malware host, and you sue the victim off the internet. Tada!
russian commented, on April 13, 2007 at 4:49 p.m.:
in short the potential for abuse is endless
That Guy commented, on April 16, 2007 at 4:47 a.m.:
>Jamie Wilson commented, on April 12, 2007 at 11:10 a.m.:
>
>Yes, this opinion piece was written with sarcasm
If that didn't occur to anyone that has posted here, well then they're as dumb as you are.
You really need to stop sleeping through journalism class. You have to come clean with your opinions right off the bat - any idiot can write a really stupid article and then come back and say "haha, I was just playing the troll". No one has utterly any reason to believe you, since your credibility is completely gone.
Coming back here and saying essentially "just kidding" is not going to cut it. Everyone in your audience knows that malware and viruses are really big problems - you solve nothing by posting stupid ideas, and then pretending you were trolling.
I know you thought "I am a troll if all else fails" was a really good excuse for writing such drivel, but personally, I'm not buying your "excuse".
Oh BTW, you really impressed everyone with your reference to Sisyphus - we rubes obviously have no idea who that is.
Gimme a break.