Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Sasser Worm Takes Down UK's Coastguard

timothy posted more than 10 years ago | from the thanks-for-using-windows dept.

Security 733

jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"

cancel ×

733 comments

Sorry! There are no comments related to the filter you selected.

He should be (5, Insightful)

Heartz (562803) | more than 10 years ago | (#9061354)

We must come down hard on these individuals. Virus/Worm writters write code with malicious intentions.

It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.

Re:He should be (5, Insightful)

rokzy (687636) | more than 10 years ago | (#9061369)

but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing.

if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

Re:He should be (4, Insightful)

Anonymous Coward | more than 10 years ago | (#9061495)

if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.

Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?

Re:He should be (4, Interesting)

Willeh (768540) | more than 10 years ago | (#9061374)

I think it would be a lot better for companies to persue options that would help prevent these kinds of things, not a short term asskicking to some scriptkiddy, when you know thousands more are willing to jump into his shoes for some "internet notoriety" or other BS.

Re:He should be (0, Troll)

the_real_nugator (767999) | more than 10 years ago | (#9061421)

In that case Microsoft should be charged with being an accessory to murder.

Re:He should be (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9061435)

If this was a car company and they produced products that could lead to accidents (we've seen this before) they'd have been taken to the cleaners by now.

Yes virus writer are wrong, wrong, wrong to keep creating this crap BUT ultimate responsibility lies with Microsoft, they allow this to happen by producing third rate crap, avoiding the real issues and putting all their efforts it seems into political manouverings and doggy business practices. They are not fixing the problems, I suggest Bill gets his house in order.

Re:He should be (2, Interesting)

bnet41 (591930) | more than 10 years ago | (#9061484)

actually a better analogy would the gun makers. Should we put gun makers in jail b/c their products are used to kill people? The fault here lies with the malicious person, not the maker of the item. Sure, faults do exist in the product, but not anything that can cause problems usually without someone with malicious intent putting things into motion. With car makers, they usually get nailed b/c they ignore a defect that gets people killed in the normal day to day operation of the vehicle. For this to apply here, the software would have to crash on its own, and cause the breakdown, which is not what happened, an outside malicious force had to act first.

Re:He should be (5, Insightful)

dexterpexter (733748) | more than 10 years ago | (#9061533)

You see, I disagree. I see this another way: If this were a car company, security would be an issue that wouldn't even be feigned with interest from the court system.

Operating systems are designed to be just that...an operating system. No matter how secure they make it, there will be some dirty virus writer out there that shatters that security. Now, I think it is good business practice for software companies to protect the best that they can against hackers, scripts, viruses, etc. However, that really isn't the business they are in... security. The deplorable human state has forced them into this position, but I pose the question: is it fair?

I mean, back to your car reference: If you drove through a bad neighborhood and a guy runs out, beats your window in with a baseball bat, and steals your backback, is the car company responsible for not making unbreakable windows? (pun intended) This would probably be laughed out of court, so I don't see how we can really blame the Operating System companies for a lack of security when all they are selling is an operating system.

Now, again, I think that they should secure it to the best of their ability... and that some of the security holes I have seen are ridiculous. And, if they tout complete security as a feature, then they are taking on that part of the business.
But, and correct me if I am wrong, I don't think most companies advertise 100% security anymore for this very reason. Because that is just a pipedream.

If someone breaks into my house, I am not suing the person who built my house. I am buying a security system (firewall) and using it. However, I assume that this isn't 100% effective, either.

Just I thought. I could be wrong.

I don't know about Britain... (5, Informative)

Tuxedo Jack (648130) | more than 10 years ago | (#9061355)

But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.

Doesn't everything? (4, Insightful)

Bender Unit 22 (216955) | more than 10 years ago | (#9061451)

and some clause in the Patriot Act
doesn't everything? seems to me that it get stretched more than a rubber band.

Safety Critical Systems (5, Insightful)

Interruach (680347) | more than 10 years ago | (#9061361)

Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.

Re:Safety Critical Systems (4, Insightful)

upside (574799) | more than 10 years ago | (#9061382)

My thoughts exactly. Back here in Finland a bank had to close shop in the entire country for a day because of Sasser. Instead of being worried about how they didn't update their systems I'm more worried why MS is being used on mission critical systems like banks and the coast guard.

Re:Safety Critical Systems (0)

Anonymous Coward | more than 10 years ago | (#9061461)

I just read the EULA, and the only place they mention Windows not being suitable for critical systems is in reference to Java.

Note on Java Support. The SOFTWARE may contain support for programs written in Java. Java technology is not fault tolerant and is not designed, manufactured, or intended for use or resale as online control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death, personal injury, or severe physical or environmental damage. Sun Microsystems, Inc. has contractually obligated MS to make this disclaimer.

They don't say anything about the OS as a whole being unsuitable, other than their standard "no liability for consequential damages" clause.

The real question is (4, Insightful)

rudy_wayne (414635) | more than 10 years ago | (#9061363)


Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

Re:The real question is (0)

Anonymous Coward | more than 10 years ago | (#9061378)

Why do viruses get anywhere?

Why aren't machines patched the day they come out?

Usually it falls down to one of three choices:

Not enough money to hire people, inept IT department and human ignorance in believing it won't happen to us.

Re:The real question is (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9061387)

The real question is why does Microsoft ship their systems with services listening on public ports?

MacOS X ships with *0* ports open.

Re:The real question is (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9061415)

if 0 ports are on, how did you post this message? or did you forget about the web browswer?

Re:The real question is (0)

Anonymous Coward | more than 10 years ago | (#9061535)

Do you even understand what listening port are? No, thought not.

Re:The real question is (0)

Anonymous Coward | more than 10 years ago | (#9061430)

Someone should be fired for allowing Windows in such a vital role. Who thought this was a good idea?

Re:The real question is (0)

Anonymous Coward | more than 10 years ago | (#9061448)

They will surely be firewalled, but there are always employees which bring their portable pc from home, and of course Joe User's machine is not patched...

Re:The real question is (0)

boogy nightmare (207669) | more than 10 years ago | (#9061487)

Well, who is there to do it ? out coastgaurd (for you non-UK is actually called the RNLI which stands for the Royal National Lifeboat Institution)

Now despit the Royal start to its name its even more fantastic that this is not a Gov body like in the US, it is totally manned by volunteers, every person saved, every ship saved is done by normal men/women with no extra pay etc etc. The RNLI runs totally on charity work and contributions and is not funded in any way shape or form by the Gov even though it is one of the 7 emergency services) During the day these people have normal jobs (usually fishermen etc) to earn the money to feed and cloth their family.

Where do you think the money or tech expertise would come in to this to fix or update the computer. Its all well and good saying 'patch and imune' but not every one is as tech as us...

Re:The real question is (1)

91degrees (207121) | more than 10 years ago | (#9061530)

Are there 7 emergency services?

Police, Fire, Ambulance, Coastguard, Mountain rescue, Cave rescue. Who am I missing?

Re:The real question is (0)

Anonymous Coward | more than 10 years ago | (#9061498)

Laptops get plugged in behind the firewalls.

At my job anyone who comes with a computer from outside has to have anti-virusprogram with updated viruslists, it has to have the windows update up to date and a firewall before they are allowed to plug them in.

The IT manager should be sacked for specifying MS (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9061513)

It seems the Coastguard were negligent in not using a firewall / applying security patches. They were certainly negligent in using Microsoft software in a mission-critical system, since MS has a deservedly bad reputation regarding security. I hope that their IT manager is sacked for this - which would have an exemplary effect on other people considering specifying MS software.

If the programmer at Microsoft... (2, Interesting)

greppling (601175) | more than 10 years ago | (#9061364)

..., whose mistake caused the security hole, gets identified, can he be held at least partially responsible for any deaths that occurred during this outage?

Hmmmm (3, Insightful)

Professeur Shadoko (230027) | more than 10 years ago | (#9061376)

I would rather blame the lazy sysadmin who spent his time surfing for pr0n instead of running windows update and setting the firewall up.

Re:If the programmer at Microsoft... (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9061393)

Microsoft provided a patch that prevents this. If you insist on holding them responsible for this, then the OpenBSD folks are responsible for anyone who (against recommendations) uses a version with the remote root exploit in it.

Re:If the programmer at Microsoft... (5, Insightful)

tarunthegreat2 (761545) | more than 10 years ago | (#9061400)

can he be held at least partially responsible for any deaths that occurred during this outage?

That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....

Re:If the programmer at Microsoft... (1)

tarunthegreat2 (761545) | more than 10 years ago | (#9061494)

Whoops, I meant that most sw comes with a rider that it MAY break some day...

Re:If the programmer at Microsoft... (2, Insightful)

jeffs72 (711141) | more than 10 years ago | (#9061401)

Why is it Microsofts fault? If it were Linux systems that hadn't been properly secured, weren't behind a firewall, and weren't patched properly, would we try to place some responsibility on college student / developer number #34875897 and #09875872 and demi-god Linus?

Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Does it? Maybe it should raise some doubts over hiring admins that don't understand a firewall is important, can't figure out how to implement Microsoft SUS in their environment to auto-apply patches, can't properly secure their machines, etc.

Re:If the programmer at Microsoft... (3, Insightful)

Flingles (698457) | more than 10 years ago | (#9061429)

Does that mean if I leave my bicycle unchained, and a person takes advantage of the situation it's my fault? I say anyone who creates a virus solely for the destruction of private property should not only be partially responsible but fully, for all setbacks caused. The worst thing that could happen to microsoft is a case of false advertising, if they specifically said it is more secure than this. Otherwise, no one forced you to buy windows.

Re:If the programmer at Microsoft... (1)

tarunthegreat2 (761545) | more than 10 years ago | (#9061525)

Umm, yes, if you leave your bike unchained, you're 50% at fault. But the bike company is also at fault if they make a bike which it is difficult to lock up, making it the main target for theives i.e. the designers left a SCREW LOOSE...HAHA (ducks)

MSG to all the upcoming trolls: please don't carry this analogy any further...

Can you blame an individual? (1)

lxt (724570) | more than 10 years ago | (#9061436)

I don't think we can say a single programmer made a "mistake"...blaming individuals for secureity holes isn't the way to go. Windows is a very large piece of software - there are bound to be security holes unless the software is subject to many years of testing - Windows XP was released some time ago, and this hole only came to light in the past few months. By your "blame the programmer" logic I should blame the QA team for not catching the bug...

Oh, for fuck sake (0, Flamebait)

Anonymous Coward | more than 10 years ago | (#9061373)

Like no system except a Microsoft system has ever gone down. The first fucking worm ever written was for Unix, nerds. You lot sound like a bunch of stuck records.

Re:Oh, for fuck sake (0)

Anonymous Coward | more than 10 years ago | (#9061394)

Like no system except a Microsoft system has ever gone down. The first fucking worm ever written was for Unix, nerds. You lot sound like a bunch of stuck records.

Well, yeah, but the discussion here's about culpability.

I haven't RTFA - read this in the paper last night - but the coastguard basically said "Not a problem! We can still get by with our paper charts."

Re:Oh, for fuck sake (0)

Anonymous Coward | more than 10 years ago | (#9061417)

And?
How much Unix worms out there?
How much Windows worms out there?

Re:Oh, for ----- sake (4, Insightful)

eclectro (227083) | more than 10 years ago | (#9061447)

Like no system except a Microsoft system has ever gone down. The first f---- worm ever written was for Unix, nerds.

I think that there is a difference between going down occasionally and going down every week.

BTW, that is Mr. Nerd to you.

Re:Oh, for fuck sake (5, Interesting)

Unique2 (325687) | more than 10 years ago | (#9061516)

Hook, line and sinker but...

According to Wikipedia [wikipedia.org] Elk Cloner [wikipedia.org] was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.

Also, lets keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing ./virus.

virii are a fact of life (0)

Anonymous Coward | more than 10 years ago | (#9061377)

what is pathetic is the people managing the system. I don't think there is a clear line of responsibility here. Admins are partly to blame, but even if an admin does their best, some cases they can't just install the patches. There's no gaurantee it won't break existing services on their servers.

Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers. The same is true of all operating systems. Microsoft has the issue of their marketing claiming anyone can manage a windows server when that obviously isn't true and never was. It takes skill and not just any MCSE.

Re:virii are a fact of life (1)

eclectro (227083) | more than 10 years ago | (#9061478)

what is pathetic is the people managing the system.

Unfotunately there is a large segment of the population who does not have somebody to take care of it for them.

Also, many entities simply do not have the money/resources/funding to have a sysadmin on staff to take care of problems like these.

I also do not think this is going to change much either. I suspect a year from now slashdot will still be reporting weekly about the latest worm to hit Microsoft systems.

What about... (2, Informative)

HolyCoitus (658601) | more than 10 years ago | (#9061379)

The company or the people that are unable to secure their computer? There is a whole chain here, and in other cases with the law, it always seems the manufacturer gets sued. Shouldn't that be the case here? If there is a single vendor or individual that can be blamed, shouldn't they?

The difference here, possibly, being that Microsoft had patched against this and that could be seen as an equivalent to a warning or a recall. It makes you wonder though, if a worm hits on an unknown exploit, will Microsoft be responsible? In any other industry, I'd have to say yes, but I'm not so sure when it comes to software.

Anyhow, this is just another case for why any infrastructure should not be ran on a single operating system. If you have multiple kernels with multiple implementations that can all work, you'll be much safer. Linux kernels with different versions, BSDs, AIX, Solaris... Those won't have the same exploits and have different strengths and weaknesses. No worm can traverse all of that (hopefully).

Should have patched (0)

Anonymous Coward | more than 10 years ago | (#9061380)

Perhaps it's just me, but I say it's just as much the coast guard's fault. They should have kept their systems up to date.

Methinks. (1, Insightful)

haxor.dk (463614) | more than 10 years ago | (#9061381)

"if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"

Replace "outage" with "outrage".

There is no way in hell an important insitution should put up with shit like this. If any arbitrary piece of code that gets sent around could bring my companys systems (as often as it is the case about WIndows XXX) to its knees I'd start seeing red about what the software manufacturer was spending its time on.

And choose a different supplier.

Re:Methinks. (2, Insightful)

upside (574799) | more than 10 years ago | (#9061445)

Yup, a new supplier and a contract that stipulates a certain level of service. I'm also surprised why critical systems are linked to the Internet.

Re:Me (Group)thinks. (1)

Pike65 (454932) | more than 10 years ago | (#9061452)

"[I'd] choose a different supplier"

Personally I'd go for a different sysadmin first.

I mean shit - it's not rocket science [microsoft.com] . Hell, my sister was patched before this thing hit and she only uses Windows for Works and Solitaire . . .

Re:Me (Group)thinks. (1)

haxor.dk (463614) | more than 10 years ago | (#9061464)

How about choosing a system that didn't need to be patched in the first place ?

Re:Me (Group)thinks. (1)

TehHustler (709893) | more than 10 years ago | (#9061480)

Monoculture.

If linux was more widespread, you'd get more stuff written for it. It's been pointed out countless times before.

Patching (0)

Anonymous Coward | more than 10 years ago | (#9061384)

Then again, why was this critical infrastructure not patched last week? Their admins are just as guilty as the virus writer.

Critical Services Should Use Hardened Systems (4, Insightful)

osewa77 (603622) | more than 10 years ago | (#9061385)

It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?

Re:Critical Services Should Use Hardened Systems (1)

eclectro (227083) | more than 10 years ago | (#9061520)

How do you actually catch the original author of a worm, anyway?

It's amazing that with the patriot act in place, carnivore, and more wiretaps than ever (most placed under the no-judge required clause) that we have yet to see anybody brought to justice since 1999. At least I can't think of anybody.

At that time we had no patriot act either.

Patches (5, Interesting)

Amiga Lover (708890) | more than 10 years ago | (#9061386)

OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...

But...

Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).

This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap

I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.

Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.

Re:Patches (0)

Anonymous Coward | more than 10 years ago | (#9061422)

As an admin, this would be rediculous. I have enough trouble dealing with the current number of patches without haveing to deal with ten times the number all year around. No thanks. I dont know how Linux admins handle all the updateing they have to do to be honest

"no danger to the public" BBC (4, Informative)

Phil Hands (2365) | more than 10 years ago | (#9061388)

As reported on the BBC [bbc.co.uk] , this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.

No safety critical systems were involved.

Re:"no danger to the public" BBC (-1, Troll)

onebuttonmouse (733011) | more than 10 years ago | (#9061425)

Yup, I submitted that story yesterday (when it happened). It was rejected.

Re:"no danger to the public" BBC (0)

Anonymous Coward | more than 10 years ago | (#9061426)

Exactly, this is a storm in a tea cup. There was at no time any risk to life, there was no loss of opperational capability.

Re:"no danger to the public" BBC (2, Insightful)

ForestGrump (644805) | more than 10 years ago | (#9061444)

But 5 years from now, when eveyrone gets used to using a GPS and some fancy mapping program, what then?

Paper? what paper? oh! ePaper!
nope, our laptop got the virus last night. Sorry, WE CAN'T RESCUE YOU UNTIL WE GET OUR LAPTOP FIXED!

Boy, im not optimistic tonight.
-Grump

Re:"no danger to the public" BBC (1)

JamesD_UK (721413) | more than 10 years ago | (#9061518)

But 5 years from now, when eveyrone gets used to using a GPS and some fancy mapping program, what then?

If you've received any formal marine navigation training, you'll have been taught that your GPS, electronic maps, radar etc are simply navigation aids. Whilst GPS a useful tool, it won't stop me plotting a track on a paper chart and using traditional methods to verify or estimate my current position. The same applies to aircraft pilots who may be equipped with autopilots and sophisticated navigation and safety warning but still learn to fly by compass, map and visual references. Besides all that, using a map, compass and your brain to find your way is far more rewarding than just following the instructions from your GPS.

Re:"no danger to the public" BBC (4, Insightful)

ColaMan (37550) | more than 10 years ago | (#9061457)

It depends on how you look at it:

The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?

Just generally ... (5, Insightful)

Quixotic Raindrop (443129) | more than 10 years ago | (#9061392)

... no. To be guilty of any kind of homicide or manslaughter, your act has to have been the proximate cause [freeadvice.com] of a person's death. The writer(s) of the Sasser worm might have prevented the Coast Guard from rescuing someone in danger, but the fact that that person was in danger in the first place was not the fault of the virus writer, which would prevent even an involuntary manslaughter charge. Unless the worm caused, say, a malfuntion in the boat's bilge system, which caused the boat to take on too much water and capsize ...

With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.

Re:Just generally ... (2, Insightful)

dexterpexter (733748) | more than 10 years ago | (#9061449)

In addition, I was fairly sure that there was a limited liability policy on software that limited damages that could be recovered from death or other injuries caused by software (this includes both the Microsoft product, since people have mentioned their potential liability, and the virus itself, if you want to extend the definition of software to viruses) to the price of the CD. In this case, since it was a virus propagating, then the price of the CD is nothing, which would limit the liability of the virus writer to nothing. I know that this is true of the United States; I am not sure about the U.K., however.

On the other hand, one could take the Patriot Act into consideration, at least in the U.S. If it were shown that the attack was intentional to take down the system of rescue personnel, this could consider an act of terror and thus the virus writers could be tried as terroritsts.

We must also consider the administrator who did not patch the system. He might not be legally held responsible, but I am sure that his bosses will see this another way.

In the U.S., the virus writers probably wouldn't be prosecuted for software-caused manslaughter (because of the limited liability thing), but they would still get charged with felonies, as you pointed out.

The U.K, on the other hand... that is something different entirely.

The question is, if the Virus Writers themselves even came from the U.K.
Wouldn't they be prosecuted under their country's laws unless expediated? Which, since we don't know who they are, this question shall remain unanswered.

Re:Just generally ... (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9061523)

The simple fact is that these limitied liability clauses in licenses aren't worth a damn. If this is something actually written in law in the US then your country is even more screwed up than anyone though.

Re:Just generally ... (1)

HolyCoitus (658601) | more than 10 years ago | (#9061454)

In this day and age, wouldn't there be a possibility of an attempt at trying the individual as a terrorist? They've done it with other things, and I would really really see them doing it here if the virus writer manages to foul up a good portion of things.

Just because the law says one thing doesn't mean that is going to happen in this day and age.

Proximate cause (3, Interesting)

ArsenneLupin (766289) | more than 10 years ago | (#9061469)

Quoting from your link, second paragraph:

Responsibility for injury lies with the
last negligent act that produces the injury (after the ball rolls down the hill, a stranger picks it up, throws it through a window which breaks the glass, causing the glass to shatter and strike a person who was sitting next to the window, cutting her arm and requiring her to obtain medical treatment). In this example, although you caused the ball to roll down the hill, your act is not the proximate cause of the injury to the lady sitting next to the window, the stranger's act is the proximate cause of the lady's injury and the stranger, not you, should be held responsible for the injury that she suffered.
I think this would put responsibility squarely on the "virus" side of the chain of events. Indeed, although some initial malfunction may have put the person at sea in danger in the first place, it was only the crippling of the coast guard that caused the sea accident to become fatal.

Ok, would that make the virus writer responsible? Again, no. The virus writer just tossed a ball which somebody else picked up.

Who is this somebody else? Microsoft? No, again. Although, Microsoft did pick up the ball, they didn't throw it at the victim's window themselves. They only threw it to the next "player".

That next player would be coast guard management who decided to run their system on Windows instead of the more secure Linux or OpenBSD. Would they be guilty of manslaugher? Again, no. They just tossed the ball to the next player.

The next player would be the sysadmin who failed to run windows update on his known vulnerable system (A windows system is always deemed vulnerable. Thus, "not having heard of" the worm is no defense). And he would be the final player who tossed that ball through the window.

What about vendor's liability? (1)

manavendra (688020) | more than 10 years ago | (#9061396)

First off, this isn't a flamebait or an all-out attack on Microsoft

However, it seems that software vendors are somehow let off much easily by the law, than say, electrical equipment manufacturers. If someone is electrocuted by say a faulty electrical appliance which was a) interfaced with a third party device/switch, b) caused electrical spikes because of some malicious hacker load shedding/spiking the electrical supply in the local powerhouse, then wouldn't the company be liable for damages if the device fails to withstand such spikes/surges (within a range, of course)?

I agree there is a flaw in this reasoning - it wasn't the original device that was faulty, or that the device was interfaced/affected by a third party with an intent to harm. However, aren't all products made with such situations in mind? If a car skids and causes fatal injuries to drivers and passengers, aren't the car companies responsible (and thus coming up with safer cars or with better anti-skid features)?

Sasser FUn! (4, Insightful)

ender81b (520454) | more than 10 years ago | (#9061397)

Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.

I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now :). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.

I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.

This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.

Re:Sasser FUn! (2, Interesting)

harikiri (211017) | more than 10 years ago | (#9061497)

I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever.

What's even worse is the fact that most internet users are still stuck on dialup! According to this recent article [cbsnews.com] at CBS, 3 out of 5 internet users don't have broadband.

The very issue of security patches, their sizes, and the problems for dialup users trying to download them was covered here [securityfocus.com] as well.

Re:Sasser FUn! (0)

Anonymous Coward | more than 10 years ago | (#9061508)

I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

Well, if your tech support is as bad as your math, your customers have even bigger problems than Sasser!

Re:Sasser FUn! (1)

Gwylan (621764) | more than 10 years ago | (#9061519)

Too right. I know of people who have similarly been affected within minutes. Judging by some of the people I have met in PC stores, I doubt whether some of the 'technical' staff could spell critical update, let alone install one. The lack of security awareness out there is scandalous. PS Don't say you want a pony in Britain - it means something very different.

Re:Sasser FUn! (1)

chendo (678767) | more than 10 years ago | (#9061522)

I agree with your post.

When I bought my laptop at the end of last year, within minutes of plugging into the internet, I was hit with Blaster. Thankfully, I've personally helped other people with this problem, so I was able to abort the shutdown and get a firewall. Seriously, though, why doesn't Microsoft release -pre-patched- systems? Like, every week or so, since there seems to be a new one out every day *cough*.

Nice to know (1)

b4rtm4n (692708) | more than 10 years ago | (#9061408)

That safety critical systems are being maintained in such a shoddy fashion.

Fortunately the coastguards affected were not called on to deal with any emergencies.BBC [bbc.co.uk]

The affect on train control systems in Oz preventing drivers talking to signals was to me far more serious and could have resulted in serious loss of life.

As for punishing the writer - reckless endagerment anyone?

I blame 'Microsoft only' consultants for this. (4, Insightful)

Peter Cooper (660482) | more than 10 years ago | (#9061410)

How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!

Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.

Re:I blame 'Microsoft only' consultants for this. (1)

Peter Cooper (660482) | more than 10 years ago | (#9061463)

How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now.

And before anyone calls me out saying 'Uh, a big company wouldn't just have a stupid laptop running UNIX as a firewall'.. I know that. I just wanted to exclude the argument that straying from Microsoft-only solutions is some cost problem.

A decent sized organization should just buy some proper firewalls (i.e. Cisco) and do it the 'right' way.. but in a small company, with a tiny budget, you can still have a proper firewall on the cheap thanks to BSD or Linux..

Re:I blame 'Microsoft only' consultants for this. (3, Informative)

b4rtm4n (692708) | more than 10 years ago | (#9061529)

Here Here!

Doesn't even need a *nix box.

A cheap NAT router would break the direct link to the network that sasser needs to spread.

No way does anyone need a publicly addressable IP on their office workstation.

Vive la RFC 1918

Re:I blame 'Microsoft only' consultants for this. (2, Insightful)

sholden (12227) | more than 10 years ago | (#9061470)

Firewalls aren't enough.

Someone always manages to bring an infected laptop inside the firewall.

Those 'technical consultancies' need to include keeping the systems patched in that TCO they love to rant about so much.

Re:I blame 'Microsoft only' consultants for this. (0)

Anonymous Coward | more than 10 years ago | (#9061496)

You need only 1 laptop to plug in into your internal network to bypass this shiny BSD box at the gate. A lot of companies were hit this way, while they were still testing the patches MS provided.

Re:I blame 'Microsoft only' consultants for this. (1)

Bert64 (520050) | more than 10 years ago | (#9061527)

Actually, a lot of the consultants know better.. The people employing them demand windows, OR.. and far more commonly, the consultants use windows on purpose.. think of it this way:
If you setup a BSD system that never goes down and never fucks up.. the consultant will never get any more work, if you setup a windows machine that needs patching regularly and gets infected with viruses and other malware then the consultant has a lot more work to do.
Aside from that, even behind a firewall windows machines often get infected with malware, look at the recent worms that target ie, not to mention email bourne viruses and social engineering attacks.
The key is not only to protect windows machines behind a firewall, but also to patch them regularly, install software firewalls on the machines themselves, disable ie and outlook, disallow users to run executeables etc.. or better yet in a business environment where users only have limited tasks to do, give them a highly restricted environment which doesn't allow them to do anything else, and preferably not using windows.
The reason this doesn't get done, is because it takes longer to setup... companies won't pay for someone skilled (and therefore more costly) to come and spend weeks setting up machines when they can employ someone to sloppily setup a bunch of windows machines, by the time they realise that they've had to pay more money and waste more time it's too late and theyre locked into a kludged together network that they have to keep paying through the nose to maintain...
Call it a honey trap, offer a "cheap" solution to draw them in, then keep em trapped.

I think it depends (1)

dr. chuck bunsen (762090) | more than 10 years ago | (#9061413)

On the virus writers intentions, they were certainly not to kill people. One would also hope that the Coastguard is smart enough to have some form of backup comminications in place. This was not caused by virus writers alone. It was caused by poorly written software and poor security models at the networks which were affected. Yes, the virus was the spark, but software was an enabler, and the IT crew I would think should have first accountability.

Re:I think it depends (1)

ptolemu (322917) | more than 10 years ago | (#9061514)

On the virus writers intentions, they were certainly not to kill people Perhaps, but then again, in any case such as this there is a lack of consideration for organisations such as the coastguard that depend on their computers. Machines will be machines, but to remain ignorant to the fact that they can be key components in ensuring or helping prevent deaths, I think, is no different than targetting the coastguard directly. "One would also hope that the Coastguard is smart enough to have some form of backup comminications in place." From the article...: "Luckily we can still use telephones and radios. It just means we have to rely on paper and pens,"

Also affected Deutsche Post (3, Interesting)

Meijer (237978) | more than 10 years ago | (#9061416)

On Monday, thousands of people tried to access the banking services of Deutsche Post.
Due to stricter securities setting (because of Sasser) this was not possible for hours.

a reminder... (2, Insightful)

ptolemu (322917) | more than 10 years ago | (#9061418)

that the more we depend on technology the more important it is to realize this dependence and the implications of trusting it blindly

it would be reliable for critical system if... (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9061423)

if it wouldn't require you to reboot the OS after installing a secturity patch.

so in that scenario there would be NO excuses for having the system outdated.

Devil's advocate (5, Insightful)

pleitner (95644) | more than 10 years ago | (#9061424)

While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.

The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...

The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.

Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...

Basically, I am advocating a bit of responsibility for ones own destiny...

Microsoft should take the blame equally (1)

abionnnn (758579) | more than 10 years ago | (#9061427)

Since they actually make a profit on those deaths. But ofcourse, in the real world, if windows kills your dog microsoft will hide behind it's EULA.

No - the Coast Guards IT department is at fault. (5, Insightful)

baadfood (690464) | more than 10 years ago | (#9061432)

Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

Leave MS out of this (-1, Troll)

ellem (147712) | more than 10 years ago | (#9061446)

Do you kow what to total fucktrd you have to be to get hit with this thing? Please -- cars can kill ou i you don't service them properly wanna sue Ford because you didn't properly inflate the tires on your SUV?

Re:Leave MS out of this (2, Insightful)

HolyCoitus (658601) | more than 10 years ago | (#9061472)

I do sue Ford though if they later tell me that I also needed to buy doors to my car (firewall) and that the car had a mechanism to allow anyone with the proper knowledge to cause damage to it without even being near it (antivirus).

This isn't a car. Not only do they not give you the full package, they can force the vendors with a license into not giving it to you as well.

"You can't package that, it's against our license."

Re:Leave MS out of this (0)

Anonymous Coward | more than 10 years ago | (#9061473)

Dude, the patch is b0rked. It b0rks alot of people's systems.

Re:Leave MS out of this (2, Insightful)

m_dob (639585) | more than 10 years ago | (#9061511)

Bad analogy. If Ford find a critical fault, they recall the product. How many critical faults have MS found in XP so far?

The message is simple (4, Insightful)

Alioth (221270) | more than 10 years ago | (#9061455)

Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.

Re:The message is simple (0)

Anonymous Coward | more than 10 years ago | (#9061517)

but it wasn't a critical system.

read the fucking article.

A nautical option (3, Funny)

FraggedSquid (737869) | more than 10 years ago | (#9061456)

Possessing a long maritime tradition, here in the UK we could offer the writers a selection punishments [1] Keel Hauling from stem to stern [2] Flogging with a cat-o'-9 tails [3] Hanging (if the worm caused a fire in a naval dockyard) [4] Run the Gauntlet [5] Picking okum

Lazy admin? (1)

BigWhale (152820) | more than 10 years ago | (#9061475)

Aren't they to blame? IT department? They should have fixed that. Virii writers? If yes, then also all weapon designers and such should be locked up. Hell, they designed the weapon. Or sold it or whatever.

Maybe their IT should use different kind of infrastructure, different software, ... Maybe...

microsoft could have done it (1)

cyrilc (126593) | more than 10 years ago | (#9061477)

What if Microsoft did commit someone to launch this worm (that reboots each computer) in order to force all of their user base to do an upgrade ?

Frankly, this rebooting is so anoying that no one will stand having his computer/server infected... of course with some little side effects !!

American Express also was hit [infoworld.com] as seen on Netcraft [netcraft.com]

What I'd really like to know is... (1)

Cooper_007 (688308) | more than 10 years ago | (#9061488)

Why is this news *now*?
Sounds like yesterday's news to me... [slashdot.org]

I know it's fun to bash Microsoft, but over and over with the same argument...?

Cooper
--
Don't you just love the sound of nature?
- Ginger Snaps II -

hang em high (1)

swingwing (649601) | more than 10 years ago | (#9061490)

The guy who wrote and dispatched this virus knew exactly that what he was doing could cause at worst a lot of inconvience and possibly more serious consequences. he has to be held accountable for his actions. The law should be enforced to the max on this guy

You can lead a horse to water... (4, Informative)

mindmaster064 (690036) | more than 10 years ago | (#9061493)

Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerablity over two weeks ago, per:

MS's Security Bulletin on April 13th [microsoft.com] (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.

It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.

- Mind

I blame the dotheads (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9061503)

If those worthless parasites weren't leeching jobs with ZERO contribution, maybe these people would be working instead of showing Billy's flaws.

NUKE INDIA WITH EXTREME AGGRESSION!

I don't think... (1)

acceber (777067) | more than 10 years ago | (#9061509)

The perpetrator cannot be held liable for the deaths because the element of causation isn't there. To be held accountable, the criminal act must have been the direct cause for the deaths and sadly, the virus would not be ultimately responsible for that.

If/when the perpetrator is caught, it would be interesting to see how the law and the international community handles the situation as it obviously would have made a huge impact to businesses and individuals alike. The case would probably set a precedent in itself.

Whatever happened to isolation? (5, Insightful)

thesp (307649) | more than 10 years ago | (#9061512)

The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>