Vmyths.com

Truth About Computer Security Hysteria
21 limericks = 20 months
Rob Rosenberger,
Vmyths co-founder
Thursday, 30 May 2002
DAVID L. "COMPLETE idiot" Smith will finally go to prison for writing the Melissa virus. 'Bout time, I say. In case you didn't know it, it took prosecutors almost 29 months to sentence the guy after they convicted him.
Smith will serve 20 months in a federal penitentiary for writing 105 lines of Word macro source code — the functional equivalent of 21 limericks.
Let me repeat the previous sentence just in case you missed its significance. Smith will serve 20 months in a federal penitentiary for writing 105 lines of Word macro source code — the functional equivalent of 21 limericks.
CNN Headline News anchors smirked while reporting on Smith's sentence. Folks, I don't smirk when a deadly cyber-terrorist causes "at least $80 million" in damage to our fragile national economy. Demoted White House fearmonger Richard Clarke said it best: Smith's 105 lines of Word macro source code is "the functional equivalent of four 767s crashing into buildings."
Well, okay, perhaps I quoted Clarke out of context after the 9/11 disaster. I certainly wouldn't have quoted him out of context before 3,000 Americans died on his watch. Still, I for one think he should rot in prison. A complete idiot deserves to get railroaded.
Smith, I mean.
And boy, did the feds railroad Smith! Memo to complete idiot: if someone drops a bar of soap in the shower, don't pick it up. You might get infected by a virus.
Oddly, though, not everyone believes the Melissa virus completely and utterly destroyed the Internet in 1999. The judge levied only a $5,000 fine even though prosecutors allege Smith caused "at least $80 million" in U.S. damages. The court also showed its mercy by putting Smith to work for the betterment of mankind with only 100 hours of community service.
Ironically, the convicted virus writer will repay society by working on a computer. (Again!) But don't worry: this time Smith will use his "deathtop PC" under the strict supervision of an adult.
If you do the math, you'll see Smith got 57 minutes of community service for each line of Word macro source code he wrote, and he'll pay $1 for every $16,000 of (alleged) economic damage. My loan officer never gave me such a great deal on my mortgage, I can tell you that.
AND I CAN tell you something else — the antivirus industry quietly laughs at the prosecution's kindergarten kalculator skills. The anomaly of a minuscule fine intrigued SecurityFocus pundit Mark Rasch, who wrote:
Did David Smith really "steal" $80 million? Was the economy and the people affected by the Melissa virus really impacted to the tune of $80 million? Interestingly, no company affected amended their SEC filings to indicate significant losses from the virus. No company was reported to have filed "Melissa" insurance claims. To a great extent, we measure the wrong things when measuring the significance of computer crime.
(Let's digress. Rasch believes "Smith's twenty month sentence seems to be appropriate, though it was reached for the wrong reason." I agree on the latter point but not the former — the guy got railroaded. Big time. For one thing, the feds should have focused on Smith's other crimes, e.g. illegal AOL access. For another thing, the feds arbitrarily embrace potentially more dangerous threats to society, e.g. Georgi Guninski. So why didn't I jump to Smith's defense? Because he's a carbon copy of Meursault and he deserved to get railroaded in a kangaroo court.)
"The damage estimates are so grossly overestimated that it's a joke," declared another industry expert who spoke on condition of anonymity. "In all of the cases that I know of where Melissa got loose on a major university or corporate network, it was deliberately spread by internal employees who were trying to bring the network down so they could go home early." Students spread it on college networks "because they thought it was funny" to do so.
Frankly, I dismiss the "in all cases" part of this guy's quote. It glosses over an obvious fact: popular antivirus software failed miserably to stop 105 lines of Word macro source code.
Yet I do believe his key point. More than a few people unleashed Melissa on their employers' networks either out of simple curiosity or to deliberately shorten their workday. You know the people I'm talking about — they sometimes "accidentally" lock out their network accounts so they can go on a long lunch. Indeed, a writer for hacker magazine 2600 unleashed Melissa[1] on his PC just to experience the repercussions.
Smith will quite literally spend time in the big house for the actions of such people. This leads us to ask a philosophical question. Why not unleash a virus on your employer's network from time to time?
Oh, sure, a bleary-eyed technician may scowl at you as he (yet again) patches the antivirus software on your PC — but you won't get punished for your malicious actions. You won't get fired; you won't get demoted; you won't lose your bonus pay. Unlike Smith, you might even get rewarded!
Just don't tell anyone you spread the virus on purpose. Enjoy your three-martini lunch.
SMITH WILL ALSO serve some time in the slammer because antivirus firms failed to protect their paying customers from 105 lines of Word macro source code. Ironically, those same antivirus firms profited handsomely from their abject failure to protect customers.
Who says crime doesn't pay?