Justice mysteriously delayed for ‘Melissa’ author

So what's David Smith been up to lately?

Nearly twenty months after entering guilty pleas in state and federal court, David Smith, the confessed author of the infamous 'Melissa' Outlook worm, remains free on bail with no sentencing date in sight, while the prosecutors who once ballyhooed Smith's arrest as a model of swift and certain information age justice have fallen mysteriously silent.

When Melissa struck on 26 March 1999, it introduced a generation of Netizens to the concept of a computer virus. The worm targeted Microsoft Word users, and spread by sending an infected e-mail to the first 50 addresses in each victim's Microsoft Outlook address book. Though non-destructive by design, the virus propagated so quickly that it jammed corporate and government networks, forcing some large companies to sever their connections to the Internet temporarily. By some estimates, the virus caused millions of dollars in losses.

Within a week of the outbreak, New Jersey police and FBI agents tracked the virus through a hijacked AOL account to Smith, then 30. On 9 December of that year the programmer pleaded guilty to computer crimes in state and federal court, and stipulated in a detailed plea agreement to having caused over $80,000,000 in damage. The losses, coupled with other stipulations in the plea agreement, carry a prison term of 46 to 57 months.

Then-US Attorney General Janet Reno lent a quote to the press release; Smith remained free on $100,000 bail.

There, the flurry of activity stopped. Smith's 18 February 2000 sentencing date was postponed; then, as the new date neared, it was postponed again. In all, Smith's sentencing has slipped five times. If he were to be sentenced today, the elapsed time between his adjudication and sentencing would come in at five times the 125-day federal average. The state case -- subordinate to the federal sentence -- remains in limbo.

The New Jersey US Attorney's office is mum on the reason for the delays, and Smith's lawyer, Edward Borden, didn't return repeated phone calls about the sentencing over the past six months. Smith himself, reached by telephone last May, declined comment.

More mysteriously, court records reflect no filings by either Smith's defense attorney or federal prosecutors relating to his sentencing and the postponements. The only visible additions to Smith's file since his 1999 guilty plea are three court orders granting Smith permission to leave New Jersey, once to travel to Brunswick, Georgia on business, twice to visit friends on the Florida Keys.

Informed speculation on Smith's elusive date with the gavel tends to follow two lines of thought.

First, legal experts say, prosecutors and Smith's lawyer may have privately reopened negotiations over the amount of loss caused by Melissa's rampage. Smith's plea agreement leaves him the option of arguing in court that he should be sentenced below federal guidelines, because he didn't intend to cause financial losses. Additionally, while Smith admitted to causing over $80,000,000 in losses, the court is not bound by that admission, and if a pre-sentence investigation by the US Probation Department finds that Smith caused less damage, the judge would likely hand down a lower sentence.

"It's unusual that it would take this long, but the sentencing details can be maddeningly confusing in this kind of case," says Mark Rasch, a former Assistant US Attorney who handled the only prior federal computer virus prosecution: the case against the 1988 Internet worm author Robert Morris.

"We had exactly the same kind of problem in the Morris case," says Rasch, now vice president for cyberlaw at Predictive Systems. "Morris caused $200,000 in damage, but intended to cause no damage. How do we treat him?"

The second possibility, and one which better accounts for the silence now surrounding the case, is that Smith found a way out of his prison fate: cooperation on another, unrelated investigation.

"Parties are filing things under seal, and that typically means somebody is cooperating with the prosecutor," says Matthew Yarbrough, also a former federal computer crime prosecutor. "The government doesn't want to put him in jail before his cooperation is finished."

Yarbrough, now an attorney with Fish & Richardson, recalls one white collar crime case he prosecuted in which the defendant remained free and awaiting sentencing for two years, while working undercover for law enforcement in exchange for special consideration. "We carried that thing on for two years, under seal," recalls Yarbrough. "We needed him out there, on the ground, helping us."

"That typically would account for a long delay between a plea and a sentencing," agrees Rasch. "Under the sentencing guidelines, the only way you can really reduce your sentence... is to cooperate against other people. In light of the fact that Smith stipulated to eighty million dollars in losses, it's likely that he would offer to cooperate. And if he offered to cooperate, the government may have found a way to use his cooperation."

It's not clear what Smith, a virus writer with no known involvement with other criminals, would have to offer prosecutors. But "there's a serious possibility that could be exactly what it is," says Yarbrough.

"I really couldn't comment on that either way," answers Mike Drewniak, spokesman for the US Attorney's office in New Jersey.

Since Melissa's romp over two years ago, the Internet has hosted hundreds of other viruses, from LoveLetter to Code Red and Sircam. Many of them have wrought more havoc than David Smith's creation. But the open-ended case against Smith remains the only US prosecution of a Web-era Internet virus writer.

Sentencing is currently scheduled for 10 September 2001.

© 2001 SecurityFocus.com, all rights reserved.
