About the proper way to deal with writers of computer virii and worms

Steven Landsburg proposes to execute writers of computer virii and worms. This is just an extreme expression of the general sentiment that threats to punish writers of computer virii and worms are an adequate way to plug security vulnerabilities, which allow those virii and worms to propagate.

My thesis is that this sentiment is wrong. It is horribly wrong.

When a burglar picks a lock and enters into a building without permission, he is punished (if caught). This is reasonable, because a burglar cannot pick more than one lock at the same time. Any damage he may be doing at a moment of time is limited to a single site. Besides, high quality locks are very expensive.

However, when there is a vulnerability in a software package in widespread use, a cracker has the power to pick the equivalent of one million locks at the same time, by writing a worm which exploits this vulnerability.

If we do not require the software writers to fix this vulnerability promptly by assigning to them responsibility for worm damage, then several installations are at risk. The risk is not only due to crackers. It is theoretically possible, even if rather improbable, for a PC to create automatically self-propagating software by corrupting existing software due, for example, to noise, soft errors (due to overclocking or overheating) or disk crashes.

Besides, the cost of deploying patches which fix the vulnerability, once it is discovered, is very low – unlike the cost of replacing a broken door lock.

Another analogy. Let’s say that a certain bridge was designed and built. The bridge can carry its designed load of pedestrians, cars and trucks as long as they pass on the road passing through it. But an hammer tap on the side would cause the bridge to immediately collapse. Obviously, the bridge designers did not do their job properly. Should we treat as criminal someone, who waits until the night (when there is no transportation on the bridge) and taps on the bridge’s side to trigger its collapse? Probably not, because he is saving us from false reliance upon a bridge, which might suddenly collapse if a strong wind threw a stone at its side.

Yet why do we treat as criminals crackers, who exploit vulnerabilities of widely used software to spread worms, whose payload has only nuisance value? Especially when the software vendor/s in question are not prompt in fixing the vulnerability in question.

Author: Omer Zak

I am deaf since birth. I played with big computers which eat punched cards and spew out printouts since age 12. Ever since they became available, I work and play with desktop size computers which eat keyboard keypresses and spew out display pixels. Among other things, I developed software which helped the deaf in Israel use the telephone network, by means of home computers equipped with modems. Several years later, I developed Hebrew localizations for some cellular phones, which helped the deaf in Israel utilize the cellular phone networks. I am interested in entrepreneurship, Science Fiction and making the world more accessible to people with disabilities.