The author of the Melissa virus, David L. Smith, has finally been sentenced on charges of computer theft and sending a damaging computer program. The sentence is 20 months in prison, a fine of $5,000 and three years of supervised release, during which Smith is forbidden to use computer networks or the internet.
W97M/Melissa.A first started spreading on 26 March 1999, and Smith was identified as the probable author and arrested within a month. Smith pleaded guilty in December 1999, admitting that Melissa caused damage of at least $80 million. Some estimates put the damage caused by Melissa at $1.2 billion, but the lower figure accepted by the court is probably much more accurate. There was speculation that the long delay between Smith's plea and his sentence was because he was informing on other virus writers; this was confirmed when the judge said Smith received a lighter sentence because he had cooperated with ongoing investigations.
To emphasise the disparity of sentencing in computer virus cases, the news from the Netherlands is that Jan de Wit, the author of the "Anna Kournikova" worm (technically, VBS/OnTheFly.A), is appealing his sentence of 150 hours of community service, which was handed down seven months after OnTheFly started spreading. De Wit has also been praised for his technical know-how and offered a job by the mayor of his town.
Other virus authors who have been caught add to the disparity. Christopher Pile ("The Black Baron", author of SMEG) served 18 months. Chen Ing-Hau (author of CIH) was questioned by police, released, employed by a Linux company and then arrested after his creation re-activated; he has yet to be sentenced. Onel de Guzman (author of VBS/Loveletter) was questioned and released because the Philippines had no applicable laws.
Smith claimed that Melissa's epidemic spread was "completely unexpected" and that he had not imagined how much damage the virus would cause. De Wit and other virus writers have also claimed that their creations caused damage beyond their expectations and intentions. Other virus writers seem to think that creating viruses is acceptable as long as there is no intention to distribute them or do harm with them. PaX, a member of the UK virus community, has said: "Currently in the UK there are to my knowledge only five or six active virus writers, including myself, and none of these ever release any harmful code into the public domain." But this ignores the chaotic, uncontrolled nature of self-replicating code: once a virus has been created, it is a threat, and a minor mistake could start it spreading outside the author's control.
PaX unintentionally emphasised this when talking about Chen Ing-Hau, who gave the source code of CIH to a number of people, including PaX, as members of the Source Of Kaos web group. "Again, Chen has never been a virus spreader," maintained PaX. However, CIH caused an incredible amount of damage; hundreds of thousands of computers in Korea and China were affected. CIH carries two highly destructive payloads: it overwrites data on the hard disk and, technically far harder to achieve, it overwrites the Flash BIOS on certain (quite common) motherboards. Thus Chen wrote a virus with a highly destructive payload with, if we are to believe the best about him, no intention of spreading it to victims. He passed the source code to other people interested in viruses. Somehow the virus started spreading, and a large amount of damage was caused. It was credible for the authors of the first PC virus, Brain, to express surprise that it spread so far, so quickly, but such a claim nowadays, with so many examples to learn from, is a demonstration of ignorance, stupidity, criminal negligence or blatant lying.
Chen Ing-Hau and Jan de Wit receiving job offers on the strength of their virus-writing activities is a worrying trend. A more recent virus, W32/Klez, contains a plea for a job: "I want a good job, I must support my parents. Now you have seen my technical capabilities. How much my year-salary now?" Hopefully Smith's ban on working with computer networks will discourage further job seekers from taking this route.
In the time between Smith's arrest and sentencing we have seen no reduction in the number of new viruses or in the damage they cause. Code Red and Nimda caused two of the high-profile outbreaks, but viruses like W32/Klez, W32/Sircam and W32/Magistr have remained common for a much longer period. Virus writers are the petty vandals of computer crime: they cause damage and receive no direct material gain from their actions, yet viruses are also the commonest type of information security incident. Whether individual virus writers are poor programmers or highly skilled, they appear incapable of understanding, caring about or taking responsibility for the ultimate consequences of their actions. A few more sentences like Smith's, handed down promptly, would discourage them.
Electronic Transactions
Hong Kong is currently reviewing its Electronic Transactions Ordinance (ETO), and some of the issues raised are relevant elsewhere. When it came into operation in April 2000, the ETO gave legal status to digital signatures (supported by a certificate issued by a recognised CA) using a PKI, and the current review was planned in recognition of the fast-developing state of IT. However, uptake of electronic transactions has remained low since the enactment. Some of the criticism of the ETO is that it is too technology-specific and therefore inhibits e-business. Some groups are advocating that biometrics be accepted for authentication, and a consultation paper suggests that a PIN could be accepted, in specified cases, as fulfilling the requirement for a signature.
In terms of promoting e-business, biometrics and PINs would be a disaster. To be effective, biometrics would require a trusted, tamper-proof reader at every home and business. A PIN is, of course, a numeric-only password and very weak on its own: a four-digit PIN has only 10,000 possible values. In most other settings PINs are used in conjunction with a card, which gives much stronger two-factor authentication (something you know, something you have), and a PIN accepted over a network as a signature would lack that second factor. Users' poor management of multiple PINs would compound the weakness. If e-business became common as a result of allowing PINs, users would constantly be asked to choose new PINs for new services they joined, or when old PINs expired. To cope with this, they would reuse PINs from other services, choose easily guessable numbers, or write them down.
The problem I see is that recommendations are being made without full consideration of the technical aspects. Security experts appreciate the beauty and simplicity of asymmetric cryptography and how it solves many real-world security problems. The general public, however, become confused by the multiple steps and keys involved and do not see the end result: the first step (getting your certificate) is difficult, but once you start using digital signatures you can do business everywhere with no further registrations or enrolments, because each service needs only your public key, which is not a secret, rather than its own copy of something you must keep private.
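The two authentication models argued about above, as an added example that is not part of the original article and does not describe the ETO's actual PKI. It is a self-contained Go program with two assumptions: a PIN-based service is modelled as storing a salted SHA-256 hash of the PIN (a reasonable implementation, but an assumption), and the signature side uses Ed25519 rather than the RSA certificates a recognised CA would have issued under the ETO; the property being shown, that the verifier holds no secret and one key pair serves any number of services, is the same for either algorithm. All PINs and keys are generated inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// --- Model 1: PIN as a signature --------------------------------------------
// Every service the user joins must enrol its own copy of the secret (assumed
// here to be a salted SHA-256 digest). A leaked record can be searched offline
// over a space of only 10^digits values.

// PINRecord is what a PIN-based service stores for one user.
type PINRecord struct {
	Salt   [16]byte
	Digest [32]byte
}

func digestPIN(salt [16]byte, pin string) [32]byte {
	return sha256.Sum256(append(salt[:], pin...))
}

// EnrollPIN is the per-service enrolment step a user would repeat for every
// new service that accepted a PIN.
func EnrollPIN(pin string) (PINRecord, error) {
	var rec PINRecord
	if _, err := rand.Read(rec.Salt[:]); err != nil {
		return rec, err
	}
	rec.Digest = digestPIN(rec.Salt, pin)
	return rec, nil
}

// CheckPIN is the service-side verification of a submitted PIN.
func CheckPIN(rec PINRecord, pin string) bool {
	d := digestPIN(rec.Salt, pin)
	return subtle.ConstantTimeCompare(d[:], rec.Digest[:]) == 1
}

// CrackPIN is what an attacker holding a leaked record can do offline:
// enumerate every numeric PIN of the given length. It returns the PIN,
// whether it was found, and how many guesses were needed.
func CrackPIN(rec PINRecord, digits int) (string, bool, int) {
	limit := 1
	for i := 0; i < digits; i++ {
		limit *= 10
	}
	for i := 0; i < limit; i++ {
		guess := fmt.Sprintf("%0*d", digits, i)
		if CheckPIN(rec, guess) {
			return guess, true, i + 1
		}
	}
	return "", false, limit
}

// --- Model 2: digital signature ---------------------------------------------
// The user generates one key pair (the one-off "get your certificate" step).
// A service stores only the public key, which is not secret and cannot be
// used to impersonate the user. Each login signs a fresh challenge, and the
// same key pair works at any number of services with no further enrolment.

// GenerateUserKey is the single enrolment step on the user's side.
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is issued by the service for each login so that a captured
// signature cannot be replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge runs on the user's side; it is the only place the private
// key is used.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyLogin is the service-side check; it needs nothing but the public key.
func VerifyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	rec, _ := EnrollPIN("4829") // constructed sample PIN
	pin, found, tries := CrackPIN(rec, 4)
	fmt.Printf("PIN model: leaked record yields PIN %q (found=%v) after %d guesses\n", pin, found, tries)

	pub, priv, _ := GenerateUserKey()
	c, _ := NewChallenge()
	sig := SignChallenge(priv, c)
	fmt.Println("signature model: genuine login verifies:", VerifyLogin(pub, c, sig))
	replay, _ := NewChallenge()
	fmt.Println("signature model: old signature against a new challenge verifies:", VerifyLogin(pub, replay, sig))
}
```

The PIN search completes in a few thousand hash operations, which is the whole point about a numeric-only password: salting stops a precomputed table but cannot enlarge a 10,000-value space. In the signature model the service never holds anything worth stealing for impersonation, and the challenge makes each signed login single-use.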
This is not to say that new technologies should not be considered in future, only that offering a "choice" of older, weaker, more flawed technologies will not encourage e-business development. Digital signatures are the best available technology for electronic signatures today, and there is no reason to encourage adoption of less suitable systems.