Japanese Man Arrested For Storing Malware
Orome1 writes "38-year-old Yasuhiro Kawaguchi is the first person in Japan to get arrested for storing malware on his computer after the upper house's Judicial Affairs Committee has confirmed the new anti-malware law passed by the Japanese parliament. The law considers the creation, distribution and storage of malware a crime punishable with up to three years in prison and a fine that could reach the sum of 500,000 yen ($6,200)."
Symantec? McAfee? (Score:5, Insightful)
Surely any "white hat" working against malware needs to store malware someplace, right? What a dumb law.
From the article: "without a legitimate reason" (Score:5, Informative)
Re:From the article: "without a legitimate reason" (Score:5, Insightful)
The article says the charge was "storing a computer virus without a legitimate reason". In this case, the suspect "told the MPD that he did it to punish people who use file-sharing software"; do you consider that "a legitimate reason"?
I can think of at least two organisations that might.
Re: (Score:3)
So what, I don't consider those organizations legitimate.
Re: (Score:3)
For myself? Yes. And I never broke a single one of them, every time I was close to it I managed to change them just in time.
Re: (Score:3)
Information should not be illegal.
I hate Malware as much as the next guy, but there are hundreds of ways they could have passed laws that would lead them to be able to arrest this guy without having to make certain types of code illegal.
Re: (Score:2)
As where c.p. has a victim at the time of creation.
Not in jurisdictions that define CP to include a drawing.
Re: (Score:2)
imo, mere possession of cp should not be a crime. the creation should be targeted. focusing on possession laws makes actual efforts to reduce child abuse less effective. similarly, it is stupid to punish storing malware. intentionally propagating it should be a crime.
Re: (Score:3)
Possession was declared a crime because it destroys the market for CP. Otherwise, you could download (buy) as much CP as you liked and, if you got caught, just go "I did not make it, so I'm not to blame". Now most people will stay away from these sites since just having those pics in your browser cache could be enough to send you to jail. If nobody buys CP anymore, it destroys the incentive for people to create it.
Of course some degree of common sense must be applied. For example, I once stumbled upon a chil
Not talking about stealing (Score:2)
Re: (Score:2)
you can steal as much as you want, just don't pretend to be someone else while paying for your shopping.
Re: (Score:3)
not dumber than cyber-crime law in other countries [slashdot.org]. politicians don't understand the whole computer/network thing
Re:Symantec? McAfee? (Score:5, Insightful)
The German law is even actually dumber.
If I understood the Japanese law correctly, you'd have to have some kind of intent to use that malware to infect other computers to break it. So far, so good. Personally, I don't see anything wrong with that by itself, creating, storing or distributing malware with the intent to infect should be punishable. I wonder how they want to discriminate between intentional and accidental spreading (after all, it could well be that he himself downloaded that somewhere and didn't even know it's malware), but if they find a way to actually identify the intent of someone, that law could actually do much good.
The German "anti-hacker law" cannot. There is simply no angle or way this could possibly have any beneficial effect. Basically, what the law says is that a "hacking tool" is illegal. There may be an exception for good reason, so far nobody tested it. I actually cannot remember a case where it was used. And it's sufficiently ambiguous that a hex editor could be subject to it or a firewall that lets you configure the packets it replies with. But let's stay with nmap, hping and all the other "hacking tools" for a moment. These are very well known and quite powerful tools to check the security of a network, so they can be used to find weaknesses in it, hence they're hacking tools.
And auditing tools. Why? Because auditors use exactly the same tools for an obvious reason: Everything you can use to find weaknesses in a network to break into it can also be used to find weaknesses in a network to fix and seal them. Unfortunately, the law makes little difference in intent. Because not the use, but the possession, is already illegal. And when I own a rifle with a scope, it doesn't make any comment yet on whether I go on a killing spree with it or whether I'm a hunter.
Now let's ponder for a moment who gives a shit about a law that makes those tools illegal: An auditor, whose job and pretty much his career hangs on his police record being spotless, or a criminal who plans to commit a crime much more serious than "possession of hacking tools".
Re: (Score:3)
Technically, though, having a virus-infected PC is both storing and distributing viruses....
Re: (Score:3)
But without intent. And someone who is clueless enough to collect active malware on his PC can credibly claim that there was no intention behind it.
I dunno about your courts. Ours follow the logic of "don't assume malice if stupidity is enough of an explanation".
Re: (Score:2)
I don't know where you're from, but in the U.S. there are far too many DAs who will attempt to indict nearly anyone for nearly anything on the thinnest of pretexts and without regard for the clear intent of the law.
Re: (Score:2)
They usually get shot down quickly by our judges. I guess that's the result when you have a system where judges for superior courts are chosen by their peers instead of being appointed by an administration. They tend to follow the spirit of the law since they want to be considered for higher "honors" and it's general consensus amongst our judges that attorneys who try to bend, stretch or otherwise mutilate the law should be shown their limits.
The drawback is that judges try to weasel out of controversial ca
Re: (Score:2)
If I understood the Japanese law correctly, you'd have to have some kind of intent to use that malware to infect other computers to break it. So far, so good. [..] The German "anti-hacker law" cannot. There is simply no angle or way this could possibly have any beneficial effect. Basically, what the law says is that a "hacking tool" is illegal.
I don't know of any actual cases based on this *great* law but two criminal self-complaints - both were dismissed by the prosecutors. A constitutional complaint was not accepted because the law does not infringe any fundamental rights.
both the Japanese and the German laws are stupid as it is impossible to enforce them with reasonable methods:
* The literal application of the German one would forbid even "hacker tools" like telnet.
* Japanese law enforcement agencies will have problems to distinguish between
Re: (Score:2)
I remember those two self-reports of two malware researchers, both having been dismissed by the courts (iirc, one didn't even get so far but was threatened to get smacked for contempt if he continues to persist... draw your own conclusions), so far no verdict has been issued on the matter.
Personally, I think it's one of those "just to have something" laws. You know, the kind where you get a shady, not-quite-fully-in-sync-with-procedures warrant, crash into the home of the "pesky" individual, find nothing an
Re: (Score:2)
It ain't hard to find ridiculous applications for that law, is it? :)
Given the wording of the law, almost everything remotely dealing with networking could be twisted into being a hacking tool. Here [juris.de] is the original law, unfortunately I'm not good in legalese to try my hand at a sensible translation. Essentially, what it says is that somehow "dealing with" (i.e. creating, storing, acquiring, selling, forwarding...) passwords or codes to access data or programs created for the purpose of committing the crime
Re: (Score:2)
Here's a fine line, for a network or computer systems administrator a disk of the latest malware is highly appropriate as the only means of ensuring the quality of computer systems protection software is functioning properly, i.e. you attempt to infect the system in a controlled fashion and check to see if the various protection systems are functioning correctly. Via this method I at one stage was able to ascertain a configuration fault as the system was not updating remote units by reason of a simple referenc
Re: (Score:2)
Erh... no. Not necessarily. Having a trojan to test the security of a computer system is like having a single sample of e coli and using it to see whether a patient's immune system is up to speed. It works, but only if the patient just happens to be not immune. What if he is against this sample but not against the billion others?
Also, given the heuristics getting better in contemporary malware scanners, you might be surprised how many they find even if the sig file they use never had any exposure to the cur
Re: (Score:2)
The Japanese legal system is complicated somewhat. It doesn't work the way many other legal systems work. The police have a fair number of freedoms when interrogating suspects, such that getting confessions is easier than it might otherwise be. So to prove intent is not so difficult if you can convince the suspect to confess (as seems to have been this case here).
You might notice that I'm choosing my words carefully. Like I said, things in Japan are different. I'm not an expert on these matters, and th
Re: (Score:2)
I'd rather think that this has more to do with Japanese culture and the general "I vs. we" difference to Western cultures. I have noticed that the Japanese people I had to deal with put a lot of emphasis on the way they're being viewed and how they affect others, compared to people from Europe or the US who are far more egocentric and more concerned about their personal gain. That's not to say that Japanese are altruistic (far from it...), rather that they seem actually concerned how their actions affect ot
Re:Symantec? McAfee? (Score:4, Informative)
Re: (Score:2)
You could consider Symantec/McAfee a sort of disorder, which is tolerated or even sometimes selected for by its host because of the protection it confers against another pathogen. Sort of the sickle-cell anemia of the computer ecosystem. But probably not a "virus", so it depends on how specific that is...
Re: (Score:2, Funny)
it is somewhere along the lines of breaking your own leg to prevent yourself from getting on a bike, because then you might have a nasty crash and hurt yourself
Re: (Score:3)
I doubt Symantec or McAfee store for the purpose of infecting other computers.
No, their regular products do that quite nicely, thank you.
Re: (Score:2)
The summary is pretty poor (as usual). The article says 'The revised Penal Code, which was enforced July 14, bans storage of a computer virus for the purpose of infecting other computers.' I doubt Symantec or McAfee store for the purpose of infecting other computers.
Ask yourself this, who has the most to gain from the continued proliferation of malware?
If malware ceased, virus companies would go under. I'm not specifically saying that Symantec et al write malware, but it is in their business interests to do so, or to encourage its growth.
Re: (Score:1)
Ask yourself this, who has the most to gain from the continued proliferation of malware?
Spammers and criminals.
Re: (Score:2)
and symantec and mcafee. also, apple.
Re: (Score:2)
You are correct. It's been known for a long time, but it's a tough issue to deal with because: no antivirus program will catch everything, even the most robust that exists today, as there will be new things tomorrow. Etc etc.
So beyond them trying to keep it above a level of "unreliable", there's a level of "keeping out malware" they will never successfully reach anyway.
Re: (Score:2)
Both McAfee and Symantec sell products other than antivirus, though... Kaspersky may suffer a little if viruses disappeared, as may AVG and Avast!, but McAfee and Norton wouldn't be hurt at all. Microsoft certainly wouldn't suffer if they had the opportunity to drop Defender... that one's a money pit for them, and their profits would actually go up.
But as others have pointed out, criminal syndicates who use viruses either to collect credit card info, or to launch DoS attacks for the purposes of either keepi
Re: (Score:3)
I ran servers for years and years as a sysadmin, now I run/develop for servers. From time to time this and that gets hacked, most of the time it is just attempts that leave some binaries, sources here and there. I always keep these to see what they do, how they do it and as a reference to any in-the-future attempts to see if a name, email or something pops up again from an older attack. I keep logs, hacked files packaged and usually password protected.
This law is stupid! I 100% agree. Even writing malware
Re: (Score:2)
High risk businesses have a lot of attacks. Throw-away servers get some malware here and there. These are next-next-next install boxes with default LAMP and wordpress/joomla/etc .... Most of the attacks are unsuccessful, but they leave traces, sometimes binaries uploaded here and there.
BTW I program full time now and let the network people deal with this kind of stuff. :)
Re: (Score:1)
Part of me wants to scream ABOUT TIME. I thought it was outrageous back in 2003 and 2004 when malware really began to infect dial up users within seconds and why no one would do anything about it? I mean what if someone tried to break into your home every 30 seconds? Or what if each time you stopped your car at a light people would dash towards your car trying every method to break in?
Today it is normal to shrug our shoulders while a single person has 675,000 credit card numbers and names.
Yes, this law is
Sorry, could not resist... (Score:1)
2.5 years in prison for this? (Score:4, Interesting)
FTFA:
Kawaguchi uploaded a file containing the virus, which was titled to suggest child pornography, to the Internet via the file-sharing software Share
Well, normally I consider people who upload viruses via file-sharing software to be scum of the earth, but this guy seems like he was actually doing it for a moderately good cause. "Think of the children" is hella overused, malware is malware, and vigilante justice is questionable, but punishing this guy seems kinda weird, especially that strongly. Also, how the hell do they define "storing" malware? Technically, that could mean anyone infected is guilty, which is really scary.
I'm sure it won't be abused, of course. /sarcasm
Re: (Score:2)
This g
Re: (Score:2)
You're quite right. I posted in haste after only skimming TFA. Thought this guy got 2 and a half years for this, which seemed way too severe considering what he did. Wish Slashdot had a delete function. Turned out that was some other guy who actually made a fairly malicious virus. This guy should get a punishment, just not that bad. A hefty slap on the wrist, to discourage this kind of thing. To be followed shortly by a job offer, most likely. Still a little skeptical about how they can interpret "storing"
Re: (Score:2)
Where to draw the line? Let him go because he's trying to infect pedos, but impound the guy pretending to seed the latest blockbuster because he's "only" infecting copyright infringers? Or is that ok still (after all, they'd break the law, wouldn't they?) and we should only punish people that try to pretend seeding nude pics of their ex? Or is that still ok because it's "morally" wrong to show nude pics of people you don't like anymore?
Who gets to draw the line?
Re: (Score:3)
The summary leaves out the important bits like with the intent to infect others.
And while an infected computer would possibly spread that disease, it's certainly not intended by the computer's owner.
enforceable? reasonable? (Score:2)
how will they differentiate between active distribution of malware and infected machines? if some agency identifies an IP address handing out virus they will send in a SWAT team to confiscate all computers to search for installed malware or how should this work?
Re: (Score:2)
Has anyone actually done that IRL??
Re: (Score:1)
What you were doing would not be illegal. What was illegal was this guy storing malware to infect others.
'nother article (Score:2)
Slightly better article here with some extra info:
http://mdn.mainichi.jp/mdnnews/news/20110721p2a00m0na006000c.html [mainichi.jp]
Just a personal opinion, Yomiuri is okay. But it's pretty close to sensationalist journalism without the meat. In the future people would be better off using well just about anything else.
Great news! (Score:1)
Storing? Malware? (Score:1)
Harmonization (Score:2)
RLY? (Score:1)
ouch.... (Score:2)
should have a bypass, such as a white hat or security company or employee studying it.....just like diseases for labs etc...