Should virus/worm writers be held at all responsible for deaths caused by them?

This is a debate taking place on Slashdot, in regards to the Sasser worm, which took down part of the UK Coast Guard’s systems, among others.

If someone had died because of a worm/virus malfunction or crash, and the writer was caught, could he (and should he) be prosecuted for murder or manslaughter?

(Slashdot is also, of course, debating whether Microsoft would or should have any liability then, too; feel free to address that too if you like.)

Gah! Leave Microsoft alone! They’d not be any more liable for the death than would Smith & Wesson be liable for a shooting death…unless of course ya could prove that the MS software ignored the known threat of the Sasser virus yadda yadda…

And the virus writers most certainly should be held accountable for the damage done by their product despite their product’s operation as advertised. Just as you’d be responsible for the plane crashes if you waltzed in to your local air traffic control station and started unplugging all the machines. Which sounds kinda fun now I mention it…

Worm Writer: Yes.

MS: Just as much responsibility as Boeing has when their planes get hijacked.

Yes; in the case of the coastguard, the virus writers should be accountable in the same way as would someone who, say, broke in and physically damaged the communications systems, or sabotaged one of their rescue boats. These people have a moral choice: they know the disruptive potential of their creations, but they still choose to unleash them. They should be held to account for that.

Hm. Perhaps manslaughter the first time. This would be widely publicized, then if someone died from another worm/virus, the court could say to the second writer, “You know what happened because of the [whatever] virus, so you should have known it could happen again,” and call it murder.

A “worm/virus malfunction”? I’d say that he should be held accountable for it, but unless that malfunction is there due to negligence, he’s far less responsible for its effects than for the intended effects of the virus - which could also lead to deaths, of course.

The main difference between a virus and a legitimate program in this respect, IMO, is that a virus finds its way onto your computer without your consent or knowledge. There’s a presumption that by installing software, you’re accepting the risk that it might fail, but you don’t have that choice with a virus.

OTOH, a lot of viruses today only spread by email, and users have to click on an attachment to install them. (Sasser may be an exception since it exploits holes in Windows.) Any user who gets one of those viruses is largely responsible for its effects - not quite as responsible as someone who installs a legitimate program, since the virus may misrepresent itself as something else, but anyone who goes clicking willy-nilly on attachments in the year 2004 is negligent.

… and speaking of negligence, one could argue that Microsoft (and other software writers) should be held responsible for the effects of holes in their software that are there due to negligence.

As a programmer, I know that hardly any software is rock solid, and some bugs are always to be expected. I don’t think the bugs exploited by worms like Sasser count as negligence. But when there’s a clear choice between a secure way and an insecure way to implement something, and someone chooses the insecure way, then sure, he should be held accountable when that insecurity puts someone in danger.

Why not hold the IT guys responsible? If they had installed the MS patches when they were released (3 weeks before Sasser appeared), there would have been no problems. I can excuse individuals whose home computers get infected, but corporations and other institutions with highly paid IT staffs? No excuse; any disruption, financial loss or injury was entirely preventable.

Hear hear!

It appears that the originator has been caught.

So if someone’s out there taking random potshots, I’m responsible for being shot because I didn’t put on my bullet proof vest?

No, sorry. When a virus or worm is intended to cause failures, the person responsible for that virus should take the consequences when those failures happen.

Your example, Fear, of the same problem occurring because of a bug in the software is not true, because the bug isn’t there out of malice. That being said, if buggy code on a critical path is installed, somebody’s head ought to roll, because anything responsible for life maintenance had bloody well better be tested out the wazoo before it’s deployed. There are, I’m sure, valid cases in which a critical program has been rushed out the door before it was ready, and I feel 99% sure that in such cases it has not been the programmers who rushed it. Willful negligence in such a case should probably also be prosecuted, and that probably means going several layers up.

But even so, that’s not the same as releasing a virus or worm whose sole purpose is to cause crashes or failures. That’s exactly the same as the example given by Mangetout. And I don’t see that installing sub-standard locks to protect equipment carries the same culpability as breaking in through those locks and destroying the equipment does.

It’s worse than that; I would contend that worm/virus writers cannot possibly envision every potential scenario that their handiwork can cause - they know it will be disruptive, but they have no clue of the magnitude of its effects. Not only are they being reckless, they’re being recklessly reckless, if that makes any sense. For that reason, yes, they should be prosecuted if someone dies as a consequence of their work. They should also be prosecuted for damages, loss of income, damage to property, “mental anguish” etc. In short, come down hard and fast on anyone who writes such crap (regardless of their age) so as to deter the next fuckwit whose action may indeed end up killing someone (or a planeload of someones).

No, but if you hire a security professional, and he knows you are a target for a sniper, he is derelict in his duties if he doesn’t make you wear a bullet proof vest. That is his job.

Obviously, the virus creator is the most culpable. But that does not excuse laziness among computer security professionals. If they fail to protect the company assets from foreseeable attacks, they should be held responsible by the company that hired them.

Personally, I think jailing a teenager for writing a computer virus is kinda pointless.

I favour public floggings for such offenses.

It’s not that simple. Applying an operating system patch incurs the risk of breaking some critical application. Microsoft does not (and can not) test for compatibility of patches with all software, even with popular standard software of other vendors - for example, Service Pack 6 for Windows NT 4.0 broke Lotus Notes, an app used on millions of PCs, unless the user had local administrator rights. Blindly apply all Microsoft patches and it’s only a matter of time before your mission-critical application stops working or starts corrupting data.

Microsoft isn’t blameless for its products’ vulnerability.

For one, a sensible access rights policy has only been introduced in the last few Windows versions (it used to be that every process and user could mess with the system to their hearts’ content). As a legacy of this, the Windows-based programming culture did not take access rights seriously, and now a lot of third-party applications still don’t work if the user’s account does not have administrator rights. MS Office is said to be OK in this respect now, but that’s no use if you need to use one of those third-party apps.

Also Microsoft has long given new features absolute priority over limiting their security risks. Only think of that “hide known file extensions” default setting which allowed worm authors to make Windows display their iloveyou.txt.vbs worm as iloveyou.txt to hapless victims.
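The disguise described above (a script shown to the user as a harmless-looking document because the real extension is hidden) can be checked for on the receiving side. The following is an added example, not code from the thread: it approximates the hidden-extension display rule and flags attachment names whose visible part ends in a decoy extension while the hidden, real extension is executable. The extension sets are a representative subset chosen for the example, not an exhaustive list.

```python
import os

# Constructed for this example: a representative subset of extensions that Windows
# runs as programs or scripts when double-clicked (assumption, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf"}

# Extensions a user would reasonably take for a plain document or picture.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".mp3", ".htm", ".html"}


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types'
    enabled: the final extension is dropped when it is one Windows knows about."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return root
    return filename


def is_disguised(filename: str) -> bool:
    """True when the displayed name ends in a decoy extension but the real (hidden)
    extension is executable, e.g. iloveyou.txt.vbs displayed as iloveyou.txt."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False            # plain document or executable with an honest name
    shown = displayed_name(filename)
    if shown == filename:
        return False            # nothing was hidden
    _, shown_ext = os.path.splitext(shown)
    # strip() also catches padding such as "invoice.txt      .exe"
    return shown_ext.strip().lower() in DECOY_EXTS


def flag_attachments(names):
    """Return the attachment names that should be quarantined for manual review."""
    return [n for n in names if is_disguised(n)]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["iloveyou.txt.vbs", "report.txt", "setup.exe",
              "photo.JPG.scr", "archive.tar.gz", "invoice.txt      .exe"]
    for name in sample:
        print(f"{name!r:32} shown as {displayed_name(name)!r:28} disguised={is_disguised(name)}")
```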

The coast guard probably doesn’t need to have ALL of their computers hooked up to the internet. Sure, it’s more convenient to surf the web during work (what I am doing right now, but since this is an important issue, I felt like writing a comment), but do we really have to?

It would be that much better to have the crucial part of the system running outside of the internet and when someone needs to download something, he could do so at the computers for this specific purpose and transfer the stuff to the network later on, once it is deemed safe.

That Sasser worm distributes without the need of a user to open exe file attachments in e-mails, so slapping everyone on the fingers and saying “don’t open e-mail attachments” isn’t going to help. As for the patches, obviously the exploit needs to be known first - i.e. in most cases there needs to be a virus abusing a security loophole, before it can be fixed - to patch it. So while it is possible to patch the OS now, it wasn’t possible in the initial stages I think.

Right now, we’ve got some trouble here at work as well, several of the unpatched computers are infected and I cannot do any measurements on those computers - one of the computers hooked up to a measurement setup isn’t on the network though. That’s the way I’d prefer things for hospitals, the coast guard, the electricity companies and other installations where the effects of a virus can be catastrophic.

As for the guilt of the virus programmer: I think distribution of a virus should be a crime. However, since the further distribution of the virus is done automatically, the programmer should not be held responsible for the resulting mayhem of that virus after its first distribution.

The coast guard really shouldn’t hook up their computers to the internet, that’s just plain careless (but I guess the majority of people, myself included, are in this regard at least).