[ISN] Worse Than Death

InfoSec News isn at c4i.org
Wed Jul 13 06:15:42 EDT 2005 

http://www.nytimes.com/2005/07/12/opinion/12tierney.html

By JOHN TIERNEY
tierney at nytimes.com
July 12, 2005

Last year a German teenager named Sven Jaschan released the Sasser 
worm, one of the costliest acts of sabotage in the history of the 
Internet. It crippled computers around the world, closing businesses, 
halting trains and grounding airplanes. 

Which of these punishments does he deserve?

A) A 21-month suspended sentence and 30 hours of community service.

B) Two years in prison.

C) A five-year ban on using computers.

D) Death.

E) Something worse. 

If you answered A, you must be the German judge who gave him that 
sentence last week. 

If you answered B or C, you're confusing him with other hackers who 
have been sent to prison and banned from using computers or the 
Internet. But those punishments don't seem to have deterred hackers 
like Mr. Jaschan from taking their place.

I'm tempted to say that the correct answer is D, and not just because 
of the man-years I've spent running virus scans and reformatting hard 
drives. I'm almost convinced by Steven Landsburg's cost-benefit 
analysis showing that the spreaders of computer viruses and worms are 
more logical candidates for capital punishment than murderers are.

Professor Landsburg, an economist at the University of Rochester, has 
calculated the relative value to society of executing murderers and 
hackers. By using studies estimating the deterrent value of capital 
punishment, he figures that executing one murderer yields at most $100 
million in social benefits.

The benefits of executing a hacker would be greater, he argues, 
because the social costs of hacking are estimated to be so much 
higher: $50 billion per year. Deterring a mere one-fifth of 1 percent 
of those crimes - one in 500 hackers - would save society $100 
million. And Professor Landsburg believes that a lot more than one in 
500 hackers would be deterred by the sight of a colleague on death 
row.

I see his logic, but I also see practical difficulties. For one thing, 
many hackers live in places where capital punishment is illegal. For 
another, most of them are teenage boys, a group that has never been 
known for fearing death. They're probably more afraid of going five 
years without computer games.

So that leaves us with E: something worse than death. Something that 
would approximate the millions of hours of tedium that hackers have 
inflicted on society. 

Hackers are the Internet equivalent of Richard Reid, the shoe-bomber 
who didn't manage to hurt anyone on his airplane but has been annoying 
travelers ever since. When I join the line of passengers taking off 
their shoes at the airport, I get little satisfaction in thinking that 
the man responsible for this ritual is sitting somewhere by himself in 
a prison cell, probably with his shoes on. 

He ought to spend his days within smelling range of all those socks at 
the airport. In an exclusive poll I once conducted among fellow 
passengers, I found that 80 percent favored forcing Mr. Reid to sit 
next to the metal detector, helping small children put their sneakers 
back on. 

The remaining 20 percent in the poll (meaning one guy) said that 
wasn't harsh enough. He advocated requiring Mr. Reid to change the 
Odor-Eaters insoles of runners at the end of the New York City 
Marathon.

What would be the equivalent public service for Internet sociopaths? 
Maybe convicted spammers could be sentenced to community service 
testing all their own wares. The number of organ-enlargement offers 
would decline if a spammer thought he'd have to appear in a 
public-service television commercial explaining that he'd tried them 
all and they just didn't work for him.

Convicted hackers like Mr. Jaschan could be sentenced to a lifetime of 
removing worms and viruses, but the computer experts I consulted said 
there would be too big a risk that the hackers would enjoy the job. 
After all, Mr. Jaschan is now doing just that for a software security 
firm. 

The experts weren't sure that any punishment could fit the crime, but 
they had several suggestions: Make the hacker spend 16 hours a day 
fielding help-desk inquiries in an AOL chat room for computer novices. 
Force him to do this with a user name at least as uncool as KoolDude 
and to work on a vintage IBM PC with a 2400-baud dial-up connection. 
Most painful of all for any geek, make him use Windows 95 for the rest 
of his life.

I realize that this may not be enough. If you have any better ideas, 
send them along.

More information about the ISN mailing list