Beer, hacker roasts, and peace of mind

“Fry him!”

That was a popular sentiment of what to do with the teenager recently arrested for deploying the Blaster-B  virus, a conclusion reached after several hours spent drinking Bass with fellow IT workers.

This initial reaction seems reasonable at first glance; after all, these little twerps are so difficult to catch, yet cause so much destruction, that when we do get lucky and snag one, it seems we should make the most of the opportunity.

After some Advil and a few moments spent in sober reflection, the situation becomes somewhat more convoluted. Creating new punishments to fit specific crimes is a dangerous and ultimately destructive path. The kid should be punished in accordance with his crime. The beer buddies would scream bloody murder at that observation, because they still subscribe to the urban myth that all captured teenage hackers are stuck in an interrogation room with Yoda, turned to the good side of the force, and subsequently given six-figure security jobs in Silicon Valley.

Back on planet Earth, though, punishing the kid in accordance with what he did should prove adequate. After all, we know what kind of damage these viruses can cause. Sobig caused $29.7 billion in damages during just the month of August, according to mi2g, a risk assessment outfit stationed in London. Even if Blaster-B caused nowhere near that kind of heartache, the potential certainly existed. And if the perpetrator, kid or not, had enough knowledge of current events to modify Blaster-A, he certainly had enough knowledge to know what it could do.

I don’t think we need to light him up; but trying him -- while keeping in mind the billions of dollars in damage he could have done -- ought to harvest a sentence of sufficient weight. But we, and especially the folks in Redmond, can’t stop there.

We pundits have said it over and over again. But I hope someone in Redmond is listening, because now I’m saying it as a customer -- and more importantly, as a customer who makes buying decisions for lots of other customers: This can’t go on. I can’t keep selling my customer base, especially the midsize and small-business guys, on a platform on which they can’t depend. Nor can I keep having them balloon their IT costs with additional third-party software designed to protect them from platform problems. I have guys with sites holding only five networked nodes who are spending upward of $5,000 on additional security products.

I’ll grant Microsoft that Windows XP was a big step in the right direction. But it obviously wasn’t enough. Security must become focus No. 1 up there in the rainy Northwest, and it must extend beyond Windows and down to every product in Microsoft’s stable. You folks can work wonders when it comes to much more complex innovations -- user interfaces, and product integration, for example. So why not security?

And if Microsoft manages to step up its efforts, the rest of us better get serious as well. Securing against Internet-based attacks of any kind requires attention from more than just end-node platform vendors. We must examine the Internet as an organism. The critical nature of much of the data floating around out there is belied by the level of security the Internet can or even desires to provide. If we leave Pandora’s Box lying around indefinitely, it’s only a matter of time before someone can’t help but open it. Ultimately, we either learn to control the Internet or we find another way to exchange secure data.

If I had to sum it up, I’d say that the meteoric growth of the Web, of Microsoft, and of our own need to exploit these platforms comprises the real problem. Hackers are just a side effect. Dealing with them appropriately is certainly a requirement, but we must work harder than that for any long-term peace of mind.