A computer prank gone awry will likely send the author of the Anna Kournikova email worm to jail, hackers and computer crime prosecutors predicted Friday.
After turning himself in to police in his hometown of Sneek on Wednesday, the 20-year-old Dutchman was questioned and later released, pending a district court hearing that’s expected by the end of the month. The man, who used the nickname OnTheFly, was later identified by InternetNews.com as Jan de Wit.
While it’s not clear how prosecutors will apply Holland’s 1992 computer misuse law, Matthew Yarbrough, a former computer crime prosecutor with the Department of Justice, said it’s time for governments around the world to take virus-related crimes more seriously.
“We put hackers in jail for longer than we do virus and worm writers. In my mind, these people really deserve heavier sentences and I believe governments are going to demand this. Why? Because this is damaging the flow of foreign and interstate commerce,” said Yarbrough, currently an attorney with Fish & Richardson in Dallas.
Gerrie Mansur, one of the leaders of the Dutch hacking group Hit2000, agrees that government prosecutors will probably throw the book at de Wit. While the Kournikova worm was not designed to destroy data, it managed to snarl up some email servers and disrupted Internet users around the world.
“In the Netherlands, we are very dependent on infrastructure, so when something happens on such a large scale, it’s a big problem. This one is very easy for the government because it has a lot of media attention and would show that they are capable of pursuing crackers and defacers and those sort of people,” said Mansur, who works as a security consultant and recently warned operators of major security holes at sites including Nasdaq.com and CBS.MarketWatch.com.
At age of 26, Mansur is a senior citizen in the Dutch hacking scene, and he says it’s wrong to call OnTheFly a script kiddie.
“He’s less than a script kiddie. They usually know what they are doing. But all he did was click 5 buttons and was world famous and got a free mug shot as a bonus,” said Mansur.
In an online confession note, OnTheFly said he used a program called the VBS Worms Generator to create his virus, and that he never intended to harm people who received the infected email.
Dutch courts are likely to consider de Wit’s contrition and willingness to cooperate with law enforcement as they consider appropriate sentencing, said Mark Rasch, vice president of cyberlaw for Predictive Systems, Inc. But the former Justice Department computer crime prosecutor says authorities will not be able to ignore the worm’s damage.
“Clearly you’ve got a significant dollar loss and significant disruption. He likely did not intend the type of damage he did, but you also have to take responsibility for the unintended consequences of what you do. The analogy is kids playing with matches in a forest. If the match that you light burns down somebody’s house, you still have some liability,” said Rasch, who led the US government’s 1992 prosecution of Robert Morris, the author of one of the original Internet worms.
While de Wit reportedly faces up to four years in prison if convicted, Rasch says Dutch prosecutors will have to delicately balance their desire to send a message to other virus writers, with their responsibility to make the punishment fit the crime.
“If you punish him too much, you run the risk of making him a martyr and the hacker community responds by doing something bad. But if you punish him too little, you’re saying ‘we don’t take these crimes seriously’ and the hacker communit
y thinks they can get away with it,” said Rasch.
Mansur admits to writing viruses himself in the past to learn more about computer systems, but he says he’s taken great care not to release them. Today, he prefers to spend his time on security pursuits that pay — “hacking for food” as he calls it.
“It’s useless to write programs without getting paid for it. You can find exploits and hack other people’s property but it’s useless unless they pay for it. I’m not saying that you have to try to get money from organization you hack. Just don’t get into their systems unless they ask you,” said Mansur.