As I write this, officials have made two arrests in connection with the MSBlast worm. But Romanian Dan Dumitru Ciobanu, 24, and American Jeffrey Lee Parson, 18, were just low-hanging fruit. All they did was download copies of MSBlast, alter it slightly, and send their versions back out again. Neither arrest brings us any closer to finding out who authored the original, which did the real damage.
Ciobanu and Parson more or less told law enforcement where to find them. Ciobanu, a college student, included some text within MSBlast.f attacking one of his professors and attempted a denial-of-service attack on his own university. He also included his home address, making for a quick arrest.
Parson, at least, used his Internet nickname, T33kid, as his MSBlast executable. Still, anyone with access to an Internet search engine could have found T33kid's Web site (since removed), which included the youth's Minnesota home address. Parson's parents described their son on national TV as a good kid, but "not brilliant; he's not a genius."
Still looking for the real author
What's important here is context: these two guys didn't actually write the MSBlast worm. Yet law enforcement, antivirus vendors, and even some in the media are suggesting they each should be given maximum sentences for their crimes. In Ciobanu's case, thanks to a new Romanian law, that could mean up to 15 years in prison. For Parson, thanks to the U.S. Patriot Act and the Cyber-Security Enhancement Act, the sentence could be anywhere from 10 years to life in prison.
In reality, unless Microsoft makes a big stink and presses for stiffer punishment, I think we'll see sentences that are significantly less than in the statutes on the books. But that forces the question: Why are those penalties so stiff in the first place?
I think the sentencing guidelines currently on the books are grossly out of line, the result of lawmakers' ignorance. We fear most what we don't understand. Those in Congress calling for stiffer penalties seem to have the least understanding of how computers really work. The U.S. Patriot Act is a prime example. It was an ill-conceived omnibus of legislation, passed in response to the events of 9/11 that, among other things, said criminal hacking was linked with international terrorism. Oh, really?
What bothers me most is that here in the United States, rapists serve, on average, 10 years in prison. Yet if, instead of assaulting another human being, that same person had released a virus on the Net, the criminal would get the same or an even harsher sentence. Are we really saying that the lasting physical and psychological damage done by a violent crime is equivalent to the temporary virtual damage done by computer viruses?
Laws for cybercrime out of control
It's time to put punishments for these crimes into perspective.
I favor more moderate sentences similar to those imposed on world-famous hacker Kevin Mitnick and on Melissa author David Smith: serve three years behind bars, then spend another three on probation without access to computers or the Internet. Mitnick is now a security consultant; it remains to be seen what will happen with Smith, who's nearing the beginning of his three-year probationary period now. In some cases, convicted criminal hackers will give something back to society if we allow them to teach us what they know.
Stiffer penalties for virus writers--no matter how tempting they seem right now--are not the answer. We've had no major viruses for a year, which Attorney General John Ashcroft and others ascribe to the stiffer penalties imposed after 9/11. But then the MSBlast and Sobig worms both hit the Internet just as powerfully as the one-two jolt from Code Red and Sircam back in July of 2001. In other words, we're right back where we started, pre-9/11.
But all this talk of punishment is perhaps premature. The FBI and the Secret Service investigated Parson only because Microsoft pursued the issue so aggressively. Maybe if we had more arrests to compare, we could find a proper punishment that actually fits the crime.
What do you think of the Parson/Ciobanu arrests? How severely should virus writers be punished? TalkBack to me.