By JOHN TIERNEY
July 12, 2005
Last year a German teenager named Sven Jaschan released the Sasser
worm, one of the costliest acts of sabotage in the history of the
Internet. It crippled computers around the world, closing businesses,
halting trains and grounding airplanes.
Which of these punishments does he deserve?
A) A 21-month suspended sentence and 30 hours of community service.
B) Two years in prison.
C) A five-year ban on using computers.
E) Something worse.
If you answered A, you must be the German judge who gave him that
sentence last week.
If you answered B or C, you're confusing him with other hackers who
have been sent to prison and banned from using computers or the
Internet. But those punishments don't seem to have deterred hackers
like Mr. Jaschan from taking their place.
I'm tempted to say that the correct answer is D, and not just because
of the man-years I've spent running virus scans and reformatting hard
drives. I'm almost convinced by Steven Landsburg's cost-benefit
analysis showing that the spreaders of computer viruses and worms are
more logical candidates for capital punishment than murderers are.
Professor Landsburg, an economist at the University of Rochester, has
calculated the relative value to society of executing murderers and
hackers. By using studies estimating the deterrent value of capital
punishment, he figures that executing one murderer yields at most $100
million in social benefits.
The benefits of executing a hacker would be greater, he argues,
because the social costs of hacking are estimated to be so much
higher: $50 billion per year. Deterring a mere one-fifth of 1 percent
of those crimes - one in 500 hackers - would save society $100
million. And Professor Landsburg believes that a lot more than one in
500 hackers would be deterred by the sight of a colleague on death
I see his logic, but I also see practical difficulties. For one thing,
many hackers live in places where capital punishment is illegal. For
another, most of them are teenage boys, a group that has never been
known for fearing death. They're probably more afraid of going five
years without computer games.
So that leaves us with E: something worse than death. Something that
would approximate the millions of hours of tedium that hackers have
inflicted on society.
Hackers are the Internet equivalent of Richard Reid, the shoe-bomber
who didn't manage to hurt anyone on his airplane but has been annoying
travelers ever since. When I join the line of passengers taking off
their shoes at the airport, I get little satisfaction in thinking that
the man responsible for this ritual is sitting somewhere by himself in
a prison cell, probably with his shoes on.
He ought to spend his days within smelling range of all those socks at
the airport. In an exclusive poll I once conducted among fellow
passengers, I found that 80 percent favored forcing Mr. Reid to sit
next to the metal detector, helping small children put their sneakers
The remaining 20 percent in the poll (meaning one guy) said that
wasn't harsh enough. He advocated requiring Mr. Reid to change the
Odor-Eaters insoles of runners at the end of the New York City
What would be the equivalent public service for Internet sociopaths?
Maybe convicted spammers could be sentenced to community service
testing all their own wares. The number of organ-enlargement offers
would decline if a spammer thought he'd have to appear in a
public-service television commercial explaining that he'd tried them
all and they just didn't work for him.
Convicted hackers like Mr. Jaschan could be sentenced to a lifetime of
removing worms and viruses, but the computer experts I consulted said
there would be too big a risk that the hackers would enjoy the job.
After all, Mr. Jaschan is now doing just that for a software security
The experts weren't sure that any punishment could fit the crime, but
they had several suggestions: Make the hacker spend 16 hours a day
fielding help-desk inquiries in an AOL chat room for computer novices.
Force him to do this with a user name at least as uncool as KoolDude
and to work on a vintage IBM PC with a 2400-baud dial-up connection.
Most painful of all for any geek, make him use Windows 95 for the rest
of his life.
I realize that this may not be enough. If you have any better ideas,
send them along.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.