Experts disappointed by Kournikova sentence

Security experts are shocked by the light sentence handed down to Jan de Wit, author of the Anna Kournikova virus.

Security experts are shocked by the light sentence handed down to Jan de Wit, author of the Anna Kournikova virus.

A Dutch court sentenced de Wit to just 150 hours community service after law enforcement agencies could only get a small number of firms to admit to being damaged by the virus.

"If you held up a London cab with a knife and stole money, you'd be in Wormwood Scrubs. This guy is basically getting a 150-hour vacation," Bob Ayers, managing director of IT security firm Para Protect and former head of computer security at the US Department of Defence, told CW360.

"This is sending a message to other potential [cyber] criminals that the courts don't think it's important," he added.

Lars Davies, an IT law professor at the University of London, said the case would open up a raft of discussions about the sentencing of cyber criminals. But he pointed out that also de Wit broke the law, the systems he targeted should not have been left open to attack.

"[Anna Kournikova] is based on commonly-known holes in systems that shouldn't be there in the first place," Davies said. "The question isn't just about catching perpetrators and saying 'you shouldn't do this'. It's about protecting the systems in the first place."

Peter Cooper, UK support manager of Sophos Anti-Virus, described the sentence as "laughable", and told CW360: "I'm shocked that he got off so lightly when you consider the amount of hassle and damage this virus has caused for months.

"It's my opinion, and that of Sophos, that [sentences such as this] don't help us at all, because it's saying to kids and virus writers around the world: 'what's the worst can happen to you?'"

Aled Miles, UK managing director of rival anti-virus company Symantec, said: "We've got much in the way of armoury to protect the business community from viruses but there's one piece missing, and that's the deterrent. If you were to steal £120,000 [the combined amount lost by the victim companies] you would expect the punishment to fit the crime."

But punishment will only fit the crime if large companies are prepared to come forward and report that they have been hit, noted Bruce Schneier, US cryptology expert.

"When companies are willing to go public, you will see a big difference in sentences and the way these crimes are treated," Schneier said. "If a business is attacked on the Web they just want the attacker to go away and attack someone else. My company can help prosecute hackers but companies just don't want it. Hackers collaborate and victims isolate."

Read more on Antivirus, firewall and IDS products