Rootkit Developers And Legal Liability 189
FatherTim writes: "I just saw this posting over at SecurityNewsPortal, and thought it would be of interest. It's a question regarding the potential civil risk that developers of rootkits, vulnerabilities, and exploits face. It does give one pause to consider the responsibility that would be associated with full-disclosure." Considering the fine line between evil cracking tools and legitimate remote access tools (how about BackOrifice?), this seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)
Re:Guns don't kill people... (Score:1)
Re:Guns don't kill people... (Score:1)
It is the same argument. However, many governments have regulated guns - it is just a matter of time before it happens.
The difference is most guns actually are designed to kill people, and the innocent purpose is secondary. There are plenty of guns available for target shooting only purposes, but these don't seem to be the type of gun people want to own. Odd.
So what? (Score:1)
How are rootkits different from locksmith tools? (Score:1)
Re:Bullets kill people! (Score:1)
Re:Intent *does* matter (Score:1)
Re:Intent *does* matter (Score:1)
Well, and forcing the surrender of the Empire of Japan. That wasn't really a deterrent, unless maybe you mean in the sense of deterring them from continuing the war.
Re:Bullets kill people! (Score:1)
[drawl] Guns don't kill people, the government does :)
Re:Intent *does* matter (Score:1)
Re:Intent *does* matter (Score:1)
Guns that are designed to fire little pieces of metal can be considered lethal [dictionary.com]. Little pieces of metal, when they collide with fleshy matter at high speeds, tend to destroy said matter.
It would be hard to claim that all guns are designed to be lethal weapons. There are a multitude of non-lethal water guns, blackhead guns, and radar guns that are still in production. Just wait until they make you start registering the damn things!
Re:Intent *does* matter (Score:1)
That's because definition #2 is the past tense of "lethal".
"Ed's decision to brake hard while slipping on a patch of ice was lethal."
So, I suppose it should be noted that "lethal", for the purposes of this discussion, means having the ability to cause death.
However, modern firearms and ammunition are designed to be less lethal than they were in the past.
Absolutely not.
Compare a colonial-era musket to a semi-automatic, clip-loading Glock 9mm pistol. With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire. With the modern 9mm, you load the clip, turn off the safety, and fire until you run out of rounds.
Who's designing these non-lethal firearms and ammo? Surely not Glock, Taurus, or Remington. Look at the wide array of armor-piercing
and hollow-point ammo the average person has at their disposal. New firearms are designed to be lighter, higher powered, more accurate, and more reliable. What does all this add up to? Weaponry now is easily many times more lethal than the guns of yesteryear.
Re:Full disclosure is _necessary_ (Score:1)
Also, please remember - there are lots of crackers/programmers in the 'underground circles' on IRC that know how to code exploits. When a vulnerability is found in software - there NEEDS to be a warning issued about it. There NEEDS to be a patch issued - and there NEEDS to be an explanation of what the fsck it was all about.
If this is not done, crackers will just do a diff (binary or source) between the program before being patched - and afterwards. It'll be quite easy to discover what has been altered/updated - and thus where you need to look for the vulnerability. From there on, it's not really difficult to create an exploit.
Unreleased exploits? Let's see.. I think there was a virus that exploited a vulnerability in Outlook. Some 'date' field without bounds checking or something like that. That certainly was 'unreleased' up until the virus got into the wild. There have also been other cases. Rootshell.com was cracked a couple of years back -- remember? I don't think they ever found out how
--
Re:Full disclosure is _necessary_ (Score:1)
I said:
"Full disclosure of cracking tools is a necessity. I will not argue about whether it should be punishable to create them, but _Publishing_ them when they exist - is commendable."
Then I went on to argue why we need a full disclosure list such as Bugtraq - where information is freely published.
I did not say anything for or against whether those that create the tools should be held accountable. I say that when the tools are _made_ -- those that publish them to the general public should be commended, as it's better to have 'em where everybody can see 'em - than to have 'em in the hands of a few underground persons.
Now, go back and _read_ the posts you answer to, before you answer.
--
Bad analogy (Score:1)
A hammer is designed as a tool for practical purposes, but can be used to kill. A rootkit is designed to gain unauthorized access, not as a tool for practical purposes. (But it may have practical side effects, akin to a gun, which CAN be used to avoid getting shot, while that is not what it was designed for.)
Re:Guns don't kill people... (Score:1)
now it's coming back to haunt us (Score:1)
Those lawsuits against Big Tobacco sure seemed like a good idea at the time. Nobody likes them, they have more money than God, and they sell products that kill. They even tell people that, on the side of the box. Hell with it: someone's cancer is their fault, sue 'em.
Firearms industry? Obviously responsible for subsequent shooting deaths! To the courtroom!
And now.... the software industry? HA HA
It's bittersweet to see today's "Liberals" choke on their own blood sometimes.
Re:Hrmm....A difference maybe? (Score:1)
Actually, that sounds completely legitimate. Microsoft and Symantec are out of the loop, but if anything, that increases the legitimacy.
Re:Intent *does* matter (Score:1)
You were on the right track and then missed it a little bit I think. Intent is, or should be, only an issue if a crime has been committed. Writing these tools should not in itself be a crime. Only using the tools illegally should be a crime.
Ideally intent of the creator simply should not be an issue. To use your gun analogy, it doesn't matter that a gun is designed only to kill. It only matters if someone uses it to unjustifiably do so.
Re:Intent *does* matter (Score:1)
Thoughtcrime I think it's called. Both mens rea and actus reus need be present for a crime to exist. Intimidating developers into only releasing their wares amongst close associates will do nothing to stem the tide of incompetent system administrators and the goons that hire them.
Old news... (Score:1)
Re:Guns don't kill people... (Score:1)
That's fine. If someone were to break into my house they would be greatly slowed down by a bullet whether or not they had a gun. See how this works? As an example look at South Africa. In the last couple of years they passed laws banning guns. Now the only people who have guns are the criminals [newsmax.com].
You really don't understand the colonies comment? You do realize that at one point in time Britain controlled the US colonies and abused them to the point where they had to remove the British. Here in the US we refer to that as the Revolutionary War. To prevent the citizens from being rolled over by the government, the right to bear arms was written into our constitution. That is why I find it humorous when a person from Britain comments on how we have an irrational desire to have the right to bear arms.
The problems with laws ALLOWING guns is you end up with one of the highest gun shot deaths per capita. Britain has something like 1/1000 of the PER CAPITA death by gunshots compared to the USA. Why? Because people don't have guns. What is it you can't understand about that?
Vague numbers. Do you have any references?
Do you really think that if someone wants to kill a lot of people not having a gun will stop them? Honestly, if I wanted to kill a lot of people I could make explosives from common chemicals that would make the worst school shooting to date look harmless.
use LaTeX? want an online reference manager that
Re:Guns don't kill people... (Score:1)
Some day you will take a statistics class and realize that you cannot make causal assumptions from statistical data. If the only thing that happened in the US and Britain was crime, and the only difference between the crimes was that one person used a gun, you might have a case.
Take for example drunk driving. This claims many lives each year. I don't think you will argue that we have a lot more land mass here in the US and as a result more people own cars. Also on average we drive farther each day. So because you are more likely to be killed during a crime in the US, are you safer in Britain? Which one has more cars?
Conclusion.. we must now ban all cars.
Re:Bullets kill people! (Score:1)
Just control the automatic and semi-auto weapons; subject to a psychological exam and police inspection of your safe storage locker you can still have them.
I'd love to see a drive-by shooting with muskets.
At least the target might be the only one hit.
One-shot guns tend to improve your accuracy!
Re:Hrmm....A difference maybe? (Score:2)
Good argument, but it completely ignores the fact that there ARE legitimate uses for software that takes advantage of security holes - software to determine if the hole exists or not.
Example:
IIS has a security hole, MS releases a patch.
OK, so how do I determine if the patch actually fixed the hole?
Answer: by attempting to exploit it.
Checking my own (theoretical - I'd never be caught dead using IIS
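The check this post describes, re-running the exploit against the patched code, as an added example that is not part of the original thread and has nothing to do with any real IIS patch. The in-memory "filesystem", web root, handler functions and probe strings are all constructed for the demonstration: a file-serving handler with a path-traversal hole, a first patch that only blocks the obvious probe, and a second patch that canonicalises before checking.

```python
"""Regression-test a patch by re-running the exploit against the patched code.

Added example: everything below (files, web root, handlers, probes) is
constructed for illustration.
"""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed in-memory filesystem: absolute path -> file contents.
FILES = {
    "/var/www/index.html": b"<html>hello</html>",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
WEBROOT = "/var/www"
SECRET = FILES["/etc/passwd"]  # anything outside WEBROOT that a probe must not reach


def serve_vulnerable(url_path: str) -> Optional[bytes]:
    """Unpatched: decodes and joins without checking where the result lands."""
    target = posixpath.normpath(WEBROOT + "/" + unquote(url_path))
    return FILES.get(target)


def serve_patched_v1(url_path: str) -> Optional[bytes]:
    """First patch: rejects a literal '..', but the check runs BEFORE
    percent-decoding, so an encoded '%2e%2e' still walks out of the root."""
    if ".." in url_path:
        return None
    target = posixpath.normpath(WEBROOT + "/" + unquote(url_path))
    return FILES.get(target)


def serve_patched_v2(url_path: str) -> Optional[bytes]:
    """Second patch: decode, canonicalise, then enforce the web-root prefix on
    the canonical result instead of pattern-matching the raw input."""
    relative = unquote(url_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(WEBROOT, relative))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return None
    return FILES.get(target)


# Exploit probes an attacker (or the admin re-testing the patch) would send.
PROBES = [
    "../../etc/passwd",            # plain traversal
    "%2e%2e/%2e%2e/etc/passwd",    # percent-encoded dots
    "..%2f..%2fetc%2fpasswd",      # percent-encoded slashes
    "/etc/passwd",                 # absolute path
]


def still_vulnerable(handler) -> List[str]:
    """Return every probe for which the handler served a file outside WEBROOT.
    An empty list means the patch held against this probe set, and only this set."""
    return [p for p in PROBES if handler(p) == SECRET]


if __name__ == "__main__":
    for h in (serve_vulnerable, serve_patched_v1, serve_patched_v2):
        print(f"{h.__name__:18s} leaks on: {still_vulnerable(h)}")
```

The point of keeping the probe list around is that it becomes a permanent regression test: the first patch passes the probe everyone posted and fails the encoded variant, which is exactly the kind of half-fix that only re-running the exploit catches.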
Re:Guns don't kill people... (Score:2)
The next time someone breaks into my house they are highly unlikely to be carrying a gun, because I live in a society that isn't obsessed with them. Criminals do not usually carry guns because people do not use them. People do not usually carry guns because criminals do not usually carry them. See how this works?
Not sure about your point about 'the colonies'. Britain doesn't have a gun culture, which means the average citizen neither needs nor wants a gun.
The problems with laws ALLOWING guns is you end up with one of the highest gun shot deaths per capita. Britain has something like 1/1000 of the PER CAPITA death by gunshots compared to the USA. Why? Because people don't have guns. What is it you can't understand about that?
Bullets kill people! (Score:2)
Re:Intent *does* matter (Score:2)
Guns and people who seem just a little too fond of them scare me, but one non-lethal and justifiable use for them is deterrence. You might even make the argument that it prevents injury to both the innocent and the would-be bad guy if it persuades them to re-think their illegal plans.
Re:Toolkits & Rights (Score:2)
I've never ever seen an advertisement for a hammer that suggested any use for it other than pounding nails into wood or pulling them back out with the claw.
This of course makes the entirely reasonable assumption that the original poster was referring to those types of hammers used by carpenters.
Re:Guns don't kill people... (Score:2)
I'm sure you could. However, it's very hard to kill large numbers of people with the identities of your choice in a short space of time without firearms, explosives, or other relatively sophisticated weaponry. If I'm pissed off at my coworkers, if I have the appropriate type of gun it's pretty easy to take it, wander through my workplace, and kill the lot.
The impetus to ban automatic and semi-automatic rifles in Australia came after just this situation - a deranged young man wandered around a historic tourist site and shot 35 people with a gun and ammunition he had legally purchased. Try doing that with your left hand.
Go you big red fire engine!
Re:Exploit tools != detailed advisories (Score:2)
The security expert we hired when there was a breakin into our company's Linux servers said no, but I'm curious to hear what you folks think.
Personally, after having had the experience of having my personal system broken into multiple times, I think the creators of rootkits should be sued within an inch of their lives, shot, boiled in oil and eaten by cannibals. Yes, I hate them that much. Making it trivial to break into someone else's system SHOULD be a criminal offense.
People like me who want to run a hobby server on the web should not have to spend massive amounts of time making their systems secure; eliminating rootkits and published exploits would eliminate 90% plus of successful incursions, because most of them are done by illiterate bozos who don't have a clue. My personal systems would be of absolutely no interest to a professional, but to some pathetic idiot who wants to prove his manhood by cracking a system, they are sitting ducks.
D
----
Re:An argument against criminalizing rootkit autho (Score:2)
I don't know if I really want to destroy people's lives for making rootkits, but I sure wish they wouldn't be developed; I've had three systems damaged by them, and I'm pretty sure they wouldn't have been if someone hadn't created the rootkit.
Full disclosure sounds great in principle, and I'm uncomfortable with the suppression of free speech, but it really, really shouldn't be trivial to destroy someone's web server and force the system administrator to spend a week or more trying to figure out what happened and clean things up.
You could say that it's the admin's fault for not keeping up with exploits; but that's a full-time job in and of itself. Should it take that kind of effort simply to publish stuff on the web? I'd say that's an equivalent restriction on free speech, one that is truly evil since it affects anyone who can afford to run a web server, but not the time to scope out vulnerabilities and fix them. There are a heck of a lot more people in that category than there are security enthusiasts who would be affected by a ban.
I come from the old ITS background at MIT; I loathe security with a passion. I'm nostalgic for the good old days when if someone did break in it was for curiosity's sake and nothing would be damaged. Now we have people who know nothing of what they are doing, capable of doing mean-spirited, evil stuff. I think that is, simply, wrong, and helping them is likewise wrong. And that's exactly what rootkit developers do. They are aiding and abetting evil; should they get away with it?
D
----
Re:I'd Rootkit them (Score:2)
Seems to me it would be easier to get at the rootkit author than the person who pulled the trigger. Most of them have email addresses at least.
The real problem with making rootkit authors liable is that I suspect most of them don't have enough money to pay damages. Nobody's going to make a 13-year old kid pay $2,000 for a week of my time plus $30,000 in lost sales - and yet an attack can easily damage a system that much and more.
So what to do that's effective? You tell me.
D
----
Ted Kennedy's car... (Score:2)
An old bumper sticker cliche, but true nonetheless. And of course, they can pry things from my fingers, yada yada yada. Can't we all just get along?
-B
Re:More precise than the gun analogy (Score:2)
Re:Guns don't kill people... (Score:2)
What is so sophisticated about diesel fuel and fertilizer? Really, there are a lot of explosives that are cheap and easy to make. A simple Google [google.com] search will provide instructions on how to construct such devices [totse.com]. You can even purchase the books online [pacificnet.net] if you cannot make it down to the library [einpgh.org].
Really though, if someone wants you dead there isn't much you can do to stop them, especially if you are not aware of their desire. Banning guns treats the symptom and not the problem. The only solution that involves banning stuff is to ban everything. The only way to stop people from violating the rights of others is to strap everyone to a bed at birth and not allow them to come into contact with others.
Re:Guns don't kill people... (Score:2)
Yeah, the next time someone breaks into your house ask them if they will hold a target for you. Also keep in mind, in the US the right to bear arms is intrinsically linked to distrust of government. The government is less likely to try to oppress an armed populace.
I remember after one of those school shootings someone on CNN was interviewing a person from Britain. The lady said she couldn't understand why Americans think we need guns. I guess she forgot all about the colonies. After the series of school stabbings in Japan they are going to have to ban knives.
The problem with laws banning things like guns and rootkits is there are already laws banning their abuse. We already have legislation for murder and computer crimes. Passing more laws is a silly thing to do. People who murder obviously don't have anything against breaking the law. The same with people who go around rooting boxen.
Re:Guns don't kill people... (Score:2)
This comes back to the statistics thing again. You are trying to make inferences based on two numbers. These two numbers don't even come close to fully describing the situation in either country. By this I mean: in the US a gun may be the tool of choice for suicide. In the UK and elsewhere it might be drugs, or slitting one's wrists. If the people are going to kill themselves either way, the method doesn't really matter. This is true for any type of violent crime. That's why I don't think you can make inferential statements based on the statistics you have put forward.
The next piece of reasoning might be wasted on people who are not from the US. The constitution is written in such a manner that makes this country pseudo-democratic. The constitution states that we have certain rights and legislation is reserved for those issues that are not explicitly mentioned. Since the right to bear arms is explicitly mentioned, that removes it from the realm (or should remove it from) of legislation.
There is a mechanism in place to remove this right. It is possible to amend the constitution, but I doubt the Democrats will be able to pull enough Republicans over to the cause on this issue. Amending the constitution was made difficult intentionally to preserve the rights we do have.
Re: Not so Ridiculous (Score:2)
A disclaimer can shield you from honest oversights and engineering tradeoffs. But no contractual term can shield you from "negligence."
What's something in negligence in software? That's for the courts to decide, and I don't know if there's case law here yet. But it would be hard to justify crap like explicit backdoors, calling system() with user-supplied data without checking for subshells, etc.
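The system()-with-user-data case this post names, shown as an added example that is not from the original thread or any real product: the negligent string-concatenation form beside the argv form, plus a tokeniser that shows how many commands the shell would actually run on the concatenated string. The 'ping' command and the hostname allow-list are assumptions for illustration; nothing here reaches the network, and the child process used to show what argv really arrives is the current Python interpreter, so it runs offline.

```python
"""Untrusted data in a shell command: the negligent form beside the safer one.

Added example. 'ping', the hostname pattern and the hostile input are constructed
for illustration; the only process spawned is this interpreter echoing its argv.
"""
import json
import re
import shlex
import subprocess
import sys
from typing import List


def build_shell_command(host: str) -> str:
    """Negligent pattern: concatenate untrusted input into one string destined
    for os.system() / sh -c. Returned for inspection instead of executed."""
    return "ping -c 1 " + host


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenise as a POSIX shell would and split on ';' to show how many
    separate commands the shell would run for this one string."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Assumed allow-list: a plain DNS hostname, nothing a shell would interpret.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def host_is_allowed(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def build_argv(host: str) -> List[str]:
    """Safer pattern: allow-list validation, then a separate argv element.
    With shell=False there is no shell to interpret ';', '|' or '$(...)'."""
    if not host_is_allowed(host):
        raise ValueError(f"rejected host {host!r}: not a plain hostname")
    return ["ping", "-c", "1", host]


def argv_received_by_child(arg: str) -> List[str]:
    """Spawn a child WITHOUT a shell and return the argv it received. The child
    is this interpreter echoing its arguments as JSON (stand-in for ping)."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run([sys.executable, "-c", echo, arg],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    hostile = "127.0.0.1; cat /etc/passwd"   # constructed hostile input
    print("shell would run:", shell_commands(build_shell_command(hostile)))
    print("child without shell got:", argv_received_by_child(hostile))
    print("allow-list verdict:", host_is_allowed(hostile), host_is_allowed("example.com"))
    print("argv for a good host:", build_argv("example.com"))
```

Both halves matter: the argv form alone stops the shell from splitting the input, and the allow-list alone stops the value from reaching an interpreter at all. Doing only the second while still going through sh -c is the "no check for subshells" case the post calls negligent.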
"for educational purpose only" (Score:2)
-- Pure FTP server [pureftpd.org] - Upgrade your FTP server to something simple and secure.
Re: (Score:2)
Lawyers: Been there, done that. (Score:2)
Too late. Gunmakers have been sued with astonishing regularity, essentially being blamed for the actions of the (ab)users of their products.
(Of course, the typical /. liberal wouldn't know or care about that, because guns 'r' bad, mmmmkay, and the typical /. conservative is probably already writing a rant to that effect.
Let the ubiquitous typical /. gun-control-and-politics thread now commence. But let's keep it in one place this time rather than filling the whole damn commentspace with it ;-)
Similar to SLAPP lawsuits (Score:2)
To misquote the gun lobby... (Score:2)
Or, to misquote the rootkit authors(g):
"This gun is for educational purpose only"
Re:Intent *does* matter (Score:2)
In PA, for example, you can't use a semi-automatic rifle for hunting. It must be bolt, pump, lever, etc. Meaning after the bullet is fired you must, by hand, eject the bullet and load the next one (although, with rifles, doing this will usually also prime the trigger).
damned analogies (Score:2)
Re:Intent *does* matter (Score:2)
But, like guns, nuclear weapons can have a strong deterring power. In fact, that has been their only use for over 50 years.
Yeah! (Score:2)
I hope this clarifies analogies in general.
Re:Guns don't kill people... (Score:2)
From the article:
Pretense. Very well chosen word there.
The jury's still out, so to speak, on whether or not the firearms industry will indeed be sued out of existence, but things aren't looking real good right at the moment. The precedent has already been set, to a degree, by the tobacco cases, where it was easiest to whip up public support. The stronger the precedent gets, the less of a chance makers of root kits, or anything else that can possibly be misused (and what can't be?) will have when their turn comes.
The issues are exactly the same, and it's very important that those of you who don't own guns realise that now. If you wait to fight for something that you personally care about, it will be too late. Nanny-statism should be resisted on principle, not just when it infringes on you personally.
Martin Niemöller's famous and often (mis)quoted statement - "When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and the industrialists, I was not a member of the unions and I was not concerned. Then Hitler attacked me and the Protestant church -- and there was nobody left to be concerned" comes to mind. But remember, they didn't actually come for the Jews first. They came for the gun owners even before the jews - in 1938.
"That old saw about the early bird just goes to show that the worm should have stayed in bed."
Re:Toolkits & Rights (Score:2)
1. Can anyone name a legal use for a root kit?
2. Can anyone justify blindly distributing root kits through practices like anonymous FTP?
While I cannot think of a reason to write a root kit, other than for hacking into a computer I don't have root access on, I'm willing to concede that one of you might. But, knowing the power of such a tool, how could any author take a hands-off approach in its distribution and not expect some responsibility for the havoc it causes?
Re:Toolkits & Rights (Score:2)
A rootkit has the same legal uses as a lockpick. Using a lockpick to open the door to your house is legal. Likewise it's legal to pick the locks on a friend's or employer's doors if you have permission to do so. Professional locksmiths are more restricted than amateur ones, due to the fact that it's a regulated & licensed profession (like hairdressers, realtors, pharmacists, etc). However, using a lockpick to break into someone's house (either to just look around, or to take stuff) is a crime - it's called breaking & entering; if you take something, tack on a burglary charge. It is the action, not the tool, which is (or at least should be) punished.
Re:Guns don't kill people... (Score:2)
The fact that the Australian legislature got a collective case of brain damage and passed knee-jerk legislation should have no impact or bearing anywhere else. The fact that law-abiding Australians meekly surrendered their arms to Big Brother makes me weep. Fortunately, if the US congress tried similar nonsense we [hopefully] still have enough patriots around who'll march on Washington and remind the idiots what the words "shall not be infringed" mean. Also consider what would have happened if Australia had liberal CCW laws -- if just one of the 35 victims you mentioned had been armed, (s)he could have returned fire and saved the other 34. If one of the churchgoers in my previous example had been armed, the swordsman could have been subdued with little or no risk [probably without firing a shot]. More to the point, it's very likely that would-be spree killers would not be willing to take the risk of facing an armed victim.
An argument against criminalizing rootkit authors (Score:2)
First of all, even if rootkits were declared illegal tomorrow, they'd still get made and distributed -- they just wouldn't be as available to the people who need to detect them and clean them up. Additionally, illegal in the U.S. doesn't necessarily mean illegal overseas or even illegal in Canada... though I'm sure our government is working on that.
Additionally, if developing rootkits is deemed illegal, we start making our way down that famed slippery slope. How does one define a rootkit? Will 'certified' security experts be able to design proof-of-concept rootkits while the rest of us amateurs are considered to be criminals for doing so even in the interest of proving security vulnerabilities? How about individual exploits; will a chunk of code that demonstrates a vulnerability allowing the spawning of a remote root shell be considered a rootkit? Given the rather loose definitions in our laws, I'd bet so. This would effectively kill the idea of full disclosure and much of the amateur research into computer security.
Finally, the more legal intervention that occurs in Internet activities, the better the chances the things that have always made the Internet useful and unique will get stamped out. Cutting down on the free exchange of ideas is a bad idea except where it is absolutely necessary, and in this case I doubt it would be even slightly effective. The focus should be on fixing the software and the infrastructure, because not having public knowledge of the flaws in these systems isn't going to make the flaws any less exploitable to someone who already doesn't care about the law.
---
Re:Oh no... (Score:2)
Re:Guns don't kill people... (Score:2)
Well hey, if you spent some time here, welcome to the debate. But I do get fed up with people who have zero clue about life here putting their two cents in... I don't start yapping to Germans about the racism issues over there and I expect the same courtesy in return.
But since you have actually spent time here, huzzah.
Re:Guns don't kill people... (Score:2)
It means shoot 'em until they are no longer a threat -- until they stop advancing on you. If a gun is capable of doing that quickly -- with one or two shots, perhaps not optimally aimed due to stress -- it's possible to kill the guy, sure. That's his problem though.
For me, "self defense" refers to guns, yeah. I am not a big guy. I would probably lose a physical struggle, and I am not about to bet my life on my chances in one.
Self-defense is a serious business! If you aren't prepared to take a life, don't use a gun. Using a teeny gun because it is less likely to kill someone will get YOU killed, because the angry guy with 5 tiny holes in him will come kick your ass and take your gun away.
(for you other gun nuts please note I am NOT saying that size is a replacement for good aim. It isn't and I am not advocating that. I'm looking at a worst-case scenario, using a truly tiny caliber like
Do you think the average criminal really wants a fight to the death, or are they more likely to run the second they see that you're armed?
I don't know what the average criminal wants, but if someone advances on me with a weapon, he'll get a warning and then he will get shot if he doesn't wise up.
Statistically guns are a great deterrent and are used a lot just how you describe. But if the bad guy calls your bluff you are in deep trouble! Never carry a gun you are not prepared to use, and never use a gun unless you feel you are justified in taking a life.
The best self defense is generally "running fast", or at least avoiding conflict however you can.
You're correct, in case of burglary you are not supposed to prowl your house trying to shoot the guy. You always should try to make yourself scarce and safe as a first priority. But depending on your house, safe escape might be impossible; your best bet could well be to hole up in the bedroom with the phone. In that scenario, I'd certainly want a gun with me.
Assuming you actually want to defend yourself, that is.
How could a person NOT want to defend themself? Are you a total pacifist, or are you just referring to gun use here?
I can understand people who do not want to risk taking a life during self-defense. Guns aren't for everyone. Great. It's a personal choice. But people who refuse to undertake self-defense of any kind... or who see self-defense as some kind of evil act... how can any rational person defend that position? Self-defense is a basic human right.
Re:Guns don't kill people... (Score:2)
The US also has more stranglings per capita than other nations. We are a weird, violent culture. Guns aren't the cause. Don't know what is, but it isn't the guns.
Re:Guns don't kill people... (Score:2)
Please do not take this as a flame, my good German friend, but you do not have the cultural foundation to partake in this discussion in an informed manner. You can memorize all the statistics that you want, but unless you have lived here for a while, you don't know jack about American culture, and that's what this debate is all about -- culture. Not numbers. Demonstrate some cultural understanding along with the statistics and you are welcome to join in.
Americans believe a lot of things that look crazy to the rest of the world. It probably confuses, frightens, and disgusts you. Sorry; you'll just have to deal with it.
Re:Guns don't kill people... (Score:2)
You don't know much about guns. But that's OK; I'll clue you in.
A
A firearm that imparts more kinetic energy to the target is more likely to stop the target quickly. If someone is attacking you and you need to stop them, it's important to do so quickly. You don't want them to get off a few more shots, or a few more swings, or a few more slashes. Shoot them with a
If your life is on the line, and you actually need to shoot someone else -- you may as well do a good job of it. Unpleasant to think about but it's the truth.
Perhaps we as a nation can't aim very well?
That's a ridiculous statement. Let's see how steady your hands are when your life is in danger from an attack of some kind. Sheesh.
Re:Intent *does* matter (Score:2)
Because they lied. Glock never said, "if you pull the trigger it won't go off, nope, no way, it's just decorative."
Re:Full disclosure is _necessary_ (Score:2)
There are legal precedents about how once you edit the content in a public forum, you have become the "publisher" in effect, and you can he held liable for things in that forum. In other words, there are times when "hands off" is the only safe approach for the publisher or ISP; any editorial oversight sort of makes you liable for what's going on. (I think this harkens back to some case Prodigy was involved in, relating to some kind of libelous material on a forum, but I could be misremembering the source.)
I wonder if that might get extended to computer security matters. Once security analysis tools are illegal, publishers will be unable to ship secure products as easily, and to protect themselves they might try to get the same kind of deal. "Well, we didn't know about that root exploit, but since we never tested it we can't be liable. Lucky us!"
Of course, I'm a cynic. Prolly never happen... right? Right? Anyway, the software industry will cram UCITA down our throats soon and protect themselves that way.
Constant Issues (Score:2)
Guns. Guns kill. Sometimes in defence, sometimes in malice, or sometimes in sport.
It's a shoot the messenger sort of mentality. Like when something bad happens, you always like "If only I......" and this is what our culture is having to deal with.
In a lot of senses it's a moot point to remove tools in order to curtail. Water, food, and a toothpick can all kill you given certain circumstances. The real issue becomes drawing lines which, given the history of the world, will never remain constant (surveying has errors, let alone whole countries being redrawn or in dispute all the time!).
Perhaps, much like that killer "water" we all drink, it will eventually become less of an issue. For instance, it will become more accepted that hacking information is free, and what we'll really go after are those doing DDoS (once everyone knows what the heck that is).
----
Presentation of the tool (Score:2)
It is similar with rootkits and exploits. How and where someone gives you an exploit or rootkit is important. An exploit on a cracking website might have a different implied use from the same exploit on bugtraq.
Thus, I think you need to examine the intent of the distributor more than the intent of the maker.
Many more ways for things to go wrong (Score:2)
Security holes in code can be boiled down to buffer overflows, incorrect application of user privileges, and access to internal scratch files by other users. Even flawed pointer use can be vetted out with the aid of a debugger tool. If you use functions like vsprintf() and are careful in your design, your code will be 99.9% invulnerable to a root exploit.
You want snprintf(), not vsprintf(). But more to the point, these are only the holes that allow a root exploit--as you correctly emphasized, but referring to these as "[all] security holes", as you imply, is misleading. There are plenty of other ways for users to gain improper privilege. For example, look at the bug Slashdot had a while back where you could put a <font> inside your E-mail address and change the color of the text on the rest of the page (I may be slightly misremembering, but there was something like that at one point), or the brouhaha concerning session IDs stored in URLs. For a more subtle example (paraphrasing from experience), you could have a flag allowing special privileges for a chat nickname, which is cleared every time a new user uses the nickname and only set when a password is given--except that the flag isn't cleared if a user with an unknown nickname changes to the nickname in question, allowing improper privileges. There are, of course, many other potential pitfalls, many of which rely on what the program in question does; things like buffer overflows that apply to all programs are the easiest ones to find and fix, but only the tip of the iceberg.
What security holes in code really boil down to is insufficient checking, i.e. improper trusting, of input (this includes not only ordinary stdin/form/file input, but environment variables, signals, etc. as well). By ensuring that all input has a known format, the security and robustness of a well-written program can be proven.
--
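A constructed C model of the chat-nickname bug described in the reply above (added here; not the commenter's code): a privilege flag that belongs to the nickname is cleared when a new user connects under that name, but a user renaming to the name skips that path, so a stale flag survives. The nicknames, the table size and the operator password are assumptions, and the bounded `snprintf()` copy illustrates the reply's `snprintf()`-not-`vsprintf()` point.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NICK_MAX 32
#define TABLE_SIZE 8
#define OPER_PASSWORD "example-oper-password"  /* constructed sample, not a real secret */

/* Per-nickname record. The privilege flag belongs to the name rather than to an
 * authenticated session, which is the design weakness the comment describes. */
struct nick_entry {
    char nick[NICK_MAX];
    bool in_use;      /* someone is currently using this name */
    bool privileged;  /* operator flag, set only by a correct password */
};

static struct nick_entry table[TABLE_SIZE];

/* Forget all state so each scenario starts from scratch. */
void reset_table(void) { memset(table, 0, sizeof table); }

static struct nick_entry *lookup(const char *nick) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i].nick[0] != '\0' && strcmp(table[i].nick, nick) == 0)
            return &table[i];
    return NULL;
}

/* Find the record for a nickname, creating it in a free slot if unknown. */
static struct nick_entry *claim(const char *nick) {
    struct nick_entry *e = lookup(nick);
    if (e == NULL) {
        for (int i = 0; i < TABLE_SIZE && e == NULL; i++)
            if (table[i].nick[0] == '\0')
                e = &table[i];
        if (e == NULL)
            return NULL;  /* table full */
        /* Bounded copy: snprintf cannot overrun nick[], unlike sprintf/vsprintf. */
        snprintf(e->nick, sizeof e->nick, "%s", nick);
    }
    e->in_use = true;
    return e;
}

/* A new user connects under a nickname: this path always clears the flag. */
bool user_connect(const char *nick) {
    struct nick_entry *e = claim(nick);
    if (e == NULL)
        return false;
    e->privileged = false;
    return true;
}

/* The flag is set only when the right password is given for a live name. */
bool user_authenticate(const char *nick, const char *password) {
    struct nick_entry *e = lookup(nick);
    if (e == NULL || !e->in_use || strcmp(password, OPER_PASSWORD) != 0)
        return false;
    e->privileged = true;
    return true;
}

/* Disconnecting frees the name but leaves the flag for user_connect() to clear. */
void user_disconnect(const char *nick) {
    struct nick_entry *e = lookup(nick);
    if (e != NULL)
        e->in_use = false;
}

bool is_privileged(const char *nick) {
    struct nick_entry *e = lookup(nick);
    return e != NULL && e->in_use && e->privileged;
}

/* A live user renames to another nick. With reset_flag == false this is the
 * buggy behaviour: the target name is bound to a new person while its stale
 * privilege flag survives. The fix resets the flag on this path too, so every
 * binding of a name to a user starts unprivileged. */
bool change_nick(const char *from, const char *to, bool reset_flag) {
    struct nick_entry *src = lookup(from), *dst = lookup(to);
    if (src == NULL || !src->in_use || (dst != NULL && dst->in_use))
        return false;  /* unknown source, or target name still taken */
    if ((dst = claim(to)) == NULL)
        return false;
    if (reset_flag)
        dst->privileged = false;
    src->in_use = false;
    return true;
}

/* Replays the comment's scenario: an operator authenticates and leaves, then a
 * stranger renames to the operator's nick. True means the stranger got the flag. */
bool stranger_inherits_privilege(bool use_fix) {
    reset_table();
    user_connect("oper");
    user_authenticate("oper", OPER_PASSWORD);
    user_disconnect("oper");
    user_connect("stranger");
    change_nick("stranger", "oper", use_fix);
    return is_privileged("oper");
}
```

With `use_fix` false the stranger ends up privileged; with it true the rename yields an unprivileged "oper", which is the property a reviewer should check on every code path that assigns a name.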
Re:The U.S. Law system (Score:2)
People interested in breaking in would still find a way - maybe.
On the other hand, anyone who needs to download a canned toolkit to break in probably couldn't do it without one.
The U.S. Law system (Score:2)
The point is, that making the development of rootkits illegal, would introduce many new problems to Administrators, because people who are interested in breaking in would still find a way.
Another point is, that such a decision wouldn't affect the net. Lists like Bugtraq would move to Europe or Asia and that would then turn into legal lists.
The problem is, that people posting exploit code to these lists would have to fear (by visiting the USA) the persecution by U.S. Law and U.S. Justice, which turns out to be unpleasant.
Re:Guns don't kill people... (Score:2)
Liability for releasing specifics of exploits? (Score:2)
If this is true, then attacks vs encryption schemes (like RC4) would also be legally problematic (moreso than exploits, due to the DMCA). How else can one develop a secure system? Are we really to believe that most crackers get their exploits from security sites and that if these sites were held liable, that we would live in a more secure world?
I would think it would be defensible in that:
Sig: Warning The following may be illegal under the DMCA (rot-13 decoder):
ABCDEFGH I JK LM
I would point out (Score:2)
More precise than the gun analogy (Score:2)
Aren't we always mocking the 31337 h4x0rz for their lack of actual programming skill? So without the rootkits, the h4x0rz would be basically harmless. With the gun analogy, there's always the possibility of murdering someone another way - by knife, poison, etc.
Re:Ridiculous (Score:2)
Question: is it possible to make a complex piece of software provable secure? Answer: no.
Security holes in code can be boiled down to buffer overflows, incorrect application of user privileges, and access to internal scratch files by other users. Even flawed pointer use can be vetted out with the aid of a debugger tool. If you use functions like vsprintf() and careful in your design, your code will be 99.9% invulnerable to a root exploit.
Legally attacking rootkit designers will not make the Internet safe. It will only make it near impossible for laymen to understand they have a security vulnerability. This is an apparent attempt by really ignorant people who want to kill the messenger, rather than act responsibly to fix the problem.
Oh no... (Score:2)
Too Late!
Apparently that hammer injury 3 years ago is worth some coin...
Screw 3...
Re:Guns don't kill people... (Score:2)
It's not the F-16s that you should be worried about, nor the F-18s, nor F-14s, it's the F-117s and the cruise missiles that should be your primary concern.
If Bill Gates or some other rich fart suddenly bought a small army and placed it somewhere, surely the government wouldn't be happy at all.
If Bill Gates, Ted Turner, Rupert Murdoch, or any other billionaire decided to amass a large security force the government might not like it, however the government doesn't like us having access to strong crypto either.
Why does it matter?
Re:Guns don't kill people... (Score:2)
You can place whatever value on your life that you choose. There is nothing that I have that is more valuable than my life. I will use whatever means available to me to preserve it.
And why is the violent crime rate lower everywhere in Europe (and Japan, and Australia, and basically every other first-world country)
You seem to be ignoring the ethnic riots that have happened in Europe this week. Let us also not forget the Japanese man who killed 8 school children last month.
Humans are a violent species, not just Americans.
Re:Guns don't kill people... (Score:2)
Yes, you can own a tank. If you can afford it you can own an F-16. If you can afford the licenses you can have the 20mm vulcan cannon on it as well.
The biggest difficulty would come from the FAA.
Re:Intent *does* matter (Score:2)
Guns are designed as lethal weapons? All guns? Some guns? Which guns?
Re:Intent *does* matter (Score:2)
If you use definitions 1 or 3 from dictionary.com, I agree. Sure all firearms are designed to perform a function that can cause death. Self defense depends on the ability to do damage to your target. However, modern firearms and ammunition are designed to be less lethal than they were in the past.
Re:Hrmm....A difference maybe? (Score:2)
Does that sound like a legitimate use of a remote administration tool?
What about the authors of the vulnerable software? (Score:3)
Re:Intent *does* matter (Score:3)
What about hunting game, and stock and pest destruction? OK, it's not non-lethal, but it's highly justifiable. In Australia where they are an environmental disaster of the worst sort, it is highly ethical to introduce rabbits to the pointy end of a .22.
Handguns are a different matter. Except in very rare circumstances, the only thing they're useful for is killing and maiming others (or providing a credible threat that one is able to do so).
Go you big red fire engine!
Re:Intent *does* matter (Score:3)
This seems to make sense, but if you follow this rigorously, then *no* object or thing could ever be illegal, and I'm not sure I would want to go that far. The primary intent we think of is intent of the user, which is what you are referring to. But there is also intended use of the object itself (i.e., why am I manufacturing this, what is the main intended use for this object?) which must be considered.
Perhaps guns were a bad example. Let's go to the extreme, and take, say, a nuclear weapon. Not many people explode nuclear weapons in their backyard for fun. They are clearly designed for only one purpose - to decimate large amounts of people and property at once, and are extremely dangerous. There is no ambiguity here. Should it be legal for me to have one in my closet and leave the assessment of intent until after I use it on downtown Manhattan? Probably not, at least in my humble opinion.
Now, I'm not saying that this should apply to all cracking tools. Many such tools have valid uses (testing security, etc.) and they should be considered on a case-by-case basis. I just wanted to make the point that there are some things for which the intent is already clear in the manufacture.
Re:Intent *does* matter (Score:3)
like what many? I can only think of target shooting, and that in itself could easily be construed as just practicing with the tool in preparation for the real purpose.
Not that I belong to the NRA or anything, but guns don't kill people, people kill people, guns are merely the mechanism. People killed each other before guns.
But I digress, but the point is clear. People hacked before rootkits, they will continue to hack with them.
Full Disclosure (Score:3)
I can even write you a program to do it.
Then I can also write a program that after you've compromised a system, you can proceed to modify that system in such a way that you can participate in continuous illegal access of it.
Should they be liable? No, not unless they used the utilities themselves. But they really shouldn't be doing it anyways. BO actually COULD serve a legitimate purpose, but rootkits really don't. Their very existence gives script kiddies fuel they need without even the justification of providing a useful resource to someone else.
What REALLY needs to be done is to catch some of those damn script kiddies and make an example out of them. The FBI won't even attempt to pursue them until the amount of damage caused exceeds a certain point. It's this attitude that causes these problems to perpetuate.
As an example, if some kid were to shoplift a candy bar from a convenience store, and he was not caught, the owner of that store hasn't lost much. If he catches the kid and the kid gets prosecuted, then the community will know about it and at the very least, his friends might think twice about trying it themselves.
But if the police and everyone else involved simply looked the other way when this occurred, saying it wasn't worth the effort to pursue them, two things will happen. First, there will be a LOT more missing candy bars. And second, that kid will be encouraged to attempt more risky endeavours. He'll never have the opportunity to learn responsibility and respect, just abuse through the inactivity of others, which he will consider to be ok and beyond reproach from those in authority.
And thus, the kiddies will continue to thrive. We will have DOS's, compromised boxes, and a lot of annoying idiots on IRC bragging about how 'leet' they are. The unfortunate (depending on your point of view) consequence of this will be that someone will eventually be driven to the point to take vigilante action against some of these idiots. That's when law enforcement will finally get involved, but believe me, it WON'T be to our benefit.
We can't stop the kiddies, we can't make people secure their systems. The only real chokepoints we have to this flood are the rootkits and exploit tools. A very VERY few of us have the ability to stem this tide. Sure, there will always be the occasional script kiddie with actual coding skills, but occasionally someone will take a backhoe to a fibre line too. We can deal with the rarities when they occur.
Civil liability shouldn't even come into play here. We need to take responsibility for our actions. We can still provide information on security holes and write legitimate remote monitoring programs without at the same time creating tools for the idiots who have nothing better to do than make others' lives miserable.
-Restil
Re:Constant Issues (Score:3)
Re:Full Disclosure (Score:3)
They can, actually. Picture a newbie wannabe-sysadmin (say, someone who wants to run a webserver for his personal stuff over his new DSL or cable connection). He can install that Linux CD he found in some magazine, then download a rootkit to check if there are any well-known leaks in his newly set up server without necessarily having to understand anything the rootkit does, or having to browse a list of exploits manually (which may fail even if someone bothers to do it - a newbie won't necessarily know that BIND is the DNS server (after all the binary is called named), so (s)he may skip BIND errata right away).
Ridiculous (Score:3)
From any perspective other than that simplistic (and useless) one your argument/example fails utterly. Sue Ford if your car gets stolen? Sure, if they've sold it to you with the explicit guarantee that it's unstealable.
No piece of code I know of makes such an explicit guarantee. In fact, much of the code I use says [gnu.org] (in big bold letters), "NO WARRANTY" and "THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU."
Question: is it possible to make a complex piece of software provable secure? Answer: no.
So you want to hold people accountable unless they write perfect code, every time? Brilliant - you've just filed a lawsuit against every person who's ever written software. Good luck.
"We all say so, so it must be true!"
Re:Lawyers: Been there, done that. (Score:3)
One large gun lawsuit was thrown out not too long ago, and I think that's a Good Sign. This society does not need more laws, or lawsuits. We need people to (a) mind their own fucking business, and (b) take responsibility for their own fucking actions. At least as important, we need intelligent and ethical leaders who'll do the same.
Parenthetically, let's not start praising the U.S. arms industry, mmmkay? The United States supplied arms or military technology to more than 92% of the conflicts under way in 1999 [source [fas.org]]. When the U.S. government gives "aid" to another country, that aid is usually not cash, but some sort of voucher for U.S.-made products, often arms. So the U.S. government is using U.S. taxpayer dollars to fund the arms industry to give weapons to foreign governments. Nice deal if you can get it, huh?
"We all say so, so it must be true!"
Guns don't kill people... (Score:3)
I can't imagine keeping a software safe for all the offensive software and keeping a log of when I take it out and put it back in. That would be hard to regulate. FBI checks would also be hard to manage on ftp sites. Perhaps we can have software shows that get around the regulations.
Re:Bullets kill people! (Score:3)
misquoting (Score:3)
Often misquoted indeed -- Niemoller referred to "them", rather than to Hitler, started with "First they came for the Communists" rather than the Jews and never mentioned the Protestant church.
Oh yeh, and Hitler did not "come for the gun owners" for the very good reason that privately held guns were already illegal in Germany by the time he took over, and had been since the First World War.
Other than that, your post only has grammatical errors.
Re:Guns don't kill people... (Score:3)
Does this mean that I can possess BackOrifice [cultdeadcow.com] but if I possess BackOrifice and an installation of Snort [snort.org] or something, then I'm a hacker rather than a System Administrator? Where would such a line be drawn?
--CTH
--
Blame for software producers, and bad analogies (Score:3)
Firstly, we definitely have to start regarding software manufacturers, such as MS, as potentially liable for damage caused by viruses and hacker exploits. Indeed, even the general public is starting to become aware that MS shares the blame for massive losses caused by Outlook viruses.
Before you fire off a response, notice the term "potentially." I'm not saying that software writers are generally responsible for hacks, but that some companies can be extremely negligent when designing software for which security obviously matters. The analogy (yes, another analogy) is to burglar alarms. Is the maker of your burglar alarm at fault if you're burglarized? Not in general, not usually, but if the alarm system turns out to have a zillion defects then yes, the maker is partially at fault.
Secondly, as someone who does research in crypto, I am quite sick of any analogy to firearms. Actually, I'm not fond of analogies to anything, but firearms in particular. No, that piece of software is not like a gun. Maybe it's like a crowbar, or a lockpick, or a safe, OK, I'll buy that; but nothing in the software world comes close to a gun, in terms of its purpose or dangerous nature.
This is especially important when you are describing these concepts to a layperson utterly unfamiliar with software. "What is a 'debugger'?" "Well, it's like a gun, because etc etc." Now you have someone who has no idea what a "debugger" is, whether it's a computer program or a garden tool, and the first thing you drop in that conceptual hole is "gun." Such analogies should be reserved for people who fully understand what a debugger is, who have used one, who know that you can't kill someone with a debugger, and that it's safe to have a debugger in the house if you have children.
I'm not saying we should lay off firearms analogies because they're too scary or will cause the general public to react too strongly. I'm saying we should lay off firearms analogies because they're stupidly inaccurate.
Re:Intent *does* matter (Score:3)
Roll out of the barrel? Have you ever seen a black powder rifle in use? With revolutionary war era muskets, people used a wad of paper to hold the bullet in place until the gun was fired. Civil war era and later black powder rifles used a patch to tightly couple the bullet to the barrel. Those didn't roll out of the barrel either.
Compare a colonial-era musket to a semi-automatic, clip-loading Glock 9mm pistol. With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire. With the modern 9mm, you load the clip, turn off the safety, and fire until you run out of rounds.
You have just shown that you know nothing of which you speak. It just so happens that I own a Glock pistol. There is no external safety mechanism on the Glock that must be disengaged before the pistol will fire.
Maybe you'd like to ask the audience.
New firearms are designed to be lighter, higher powered, more accurate, and more reliable. What does all this add up to? Weaponry now is easily many times more lethal than the guns of yesteryear.
Let us go back to the US civil war for example, those guns fired big, heavy lead balls. Anyone who knows anything about terminal ballistics knows that the energy deposit and amount of soft tissue damage caused by a lead ball is much worse than that of a modern bullet.
And FYI, armor piercing bullets are even LESS destructive when they contact soft tissue than other types of bullets. They deform less upon contact than other types of bullets, so therefore they put smaller holes in things.
The only type of firearm that is not designed to wound the target, as opposed to kill, is the shotgun.
Re:Guns don't kill people... (Score:3)
Then I suggest you read up on the laws regarding the use of lethal force in the US. In my particular state, if "a reasonable person believes" that his life is in danger, the use of lethal force is justified. So if a woman threatens to slap me for making a crass remark, no reasonable person would believe that to be a life threatening circumstance and the use of lethal force would not be justified.
If I give a guy the finger for cutting me off in traffic and he comes running up to my truck, with his hand in his jacket, screaming "I'm gonna F'N KILL YOU!", a reasonable person would believe my life to be in danger and therefore the use of lethal force would be justified.
In the meantime, I do recommend you put more value on human life.
It is not possible to put more value on my life than I do. I suggest you consider raising the price that you place on your own.
Just because someone is threatening you doesn't mean that they deserve to die.
If someone is threatening to take my life, I will do whatever I must to preserve it.
But the violent crime rate in the U.S. is still the highest.
Why then is it that in the US the overall violent crime rate is dropping, but in gunless utopias like Japan, the UK, and Australia the violent crime rate is rising?
Re:Ridiculous (Score:4)
That's stupid. It's like saying "If you're too dumb to read `Unsafe at any speed,` you deserve to drive a deathtrap."
There are supposed to be federal standards on products because (surprise, surprise) in a capitalist system, the government is supposed to be a manifestation of the people which ensures safety and protection from negative influences. This is why you don't have to worry about dying from over-the-counter pills bottles, or poison water supplies. The government should also protect the general populace from lemon software, because there is no way every single person who needs software can become enough of an expert to pick the best software.
This is similar to an argument for capitalism from the 18th and 19th century -- do you have time to haggle for everything you buy, or should stores compete on price and quality? It sure reduces the amount of haggling you have to do.
Have you ever put your life in the hands of the software used in hospitals? Software engineering is all about provably correct software. If you spend a little extra effort up front, and are wary of the problems involved, you can build provably correct systems. The same thing applies to physical engineering of things like cars. Yeah, there will still be the odd problems, but I'm sure the occasional software recalls are less annoying than hourly reboots, and less dangerous than a crash in the software managing your Concorde. The Shuttle sure runs on some provably correct code.
--
Sue the Writer of the Hacking Tool 'Telnet' (Score:4)
And while we're at it, can we sue the authors of every faulty server ever written for installing backdoors onto our systems? What about the ones who really intended to install backdoors into our systems? Can I subpoena the Windows source because I suspect Microsoft of installing backdoors for the NSA?
By the time I get done, it'll be technically illegal to use a computer in the USA! Hmm. Maybe I'll go post that as an Evil Plan over on Badvogato.
I've always wondered.... (Score:4)
A Similar Situation (Score:4)
Well, believe it or not, some teacher came along and confiscated the zip disk with the projects on it, and deleted not only his project from the hard drive, but the files named by the programs!
When the time came to reboot the machine, my friend was in double trouble for having destroyed the machine.
To this day I can't fathom the idiocy.
Full disclosure is _necessary_ (Score:5)
First, let's dive into the history of computer security. Crackers have existed as long as computers have existed. The term 'worm' was coined for them on usenet in the early eighties. It never caught on. Later the term 'cracker' was coined. They broke into systems, they had their tools - which circulated among the crackers. When a hole in a daemon / some suid software was discovered - the company that created the software often used months and _years_ to plug the holes. It was not a priority. Admins most likely never knew about them.
And onto this scene came the morris worm. It quickly spread to the entire Internet, using bandwidth and CPU power, exhausting disk and memory. The internet was literally shut down for about a week while people crowded onto FidoNet and other networks to create a solution to remove the menace.
After this, CERT (Computer Emergency Response Team) was created. They were to deal with known vulnerabilities - and get the software vendors to patch up their software. Which they did -- but they gave the vendors far too much time. In the most extreme cases - years. When the vendor had a patch, the vulnerability was published in a cert advisory.
The problem was that crackers found vulnerabilities, and the knowledge about the holes spread underground. Some admins knew about them - and patched their systems manually. Most admins did NOT know about it. The crackers had far too much power.
Enter bugtraq and full disclosure. A mailinglist where people could discuss vulnerabilities they had discovered. A place where they could post tools they had discovered, rootkits, exploits, and so forth. A mailinglist where full disclosure was practiced.
The result? That software vendors were forced to patch up their systems MUCH faster than before, since the exploits that earlier were circulated only among badguys now became widespread and known to the entire world. Consumers would bug their vendors until they delivered a patch.
Today, we can thank Bugtraq - and aleph1 in particular - that we've got extremely fast responses from most software vendors when vulnerabilities are discovered. From a vulnerability is discovered to the vendor publishes a patch
In short. We _need_ a place where admins can share information about known vulnerabilities. We _need_ a place where tools that are found in the wild can be found by _everyone_. If we don't make that information freely available - a selected few will have the power to wreak havoc upon the net. Without it - admins will remain clueless when it comes to security issues. And that -- that is not a situation we want to return to.
(I'm sorry for any misspellings, inconsistencies or blatant errors in this post, I've written from mind / what I've read - and there are bound to be mistakes)
--
Intent *does* matter (Score:5)
Virtually any object in the world can be used as a weapon, but we obviously can't outlaw all physical objects, can we?
That being said, there are gray areas, such as guns. Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is controversial.
I suspect the same can be said of cracking tools; there are clearly some that are designed to be primarily malicious, and some are designed to be useful, but could be used maliciously in the wrong hands, much like a gun. It seems that these types of tools will have to be considered on a case by case basis.
A Similar Court Case... (Score:5)
Rice v. Paladin Enterprises, Inc., 940 F. Supp. 836 (D.Md. 1996). This was ultimately decided by a Federal District court. Often referred to as the "Murder by the Book case." Paladin had published a couple books (namely "Hit Man: A Technical Manual for Independent Contractors" and "How to Make a Disposable Silencer, Vol II.").
Well, someone went and killed someone using the methods found in the books. Needless to say, the families of the victims were pretty pissed. So they brought Paladin to court. The first court said that Paladin could publish anything they want, after all, it's Speech, and Speech is _always_ protected (limitations on speech are justified by claiming it's not speech, just as a side note).
So the case gets appealed to the district appeals court. The appeals court basically says "This is speech, but it's also aiding and abetting, which is not protected by the First Amendment."
Therefore, if the courts use this as an example (as they tend to do), producing the tools will most likely be considered protected as speech, and therefore not something you can provide a prior restraint on, however, if someone abuses your tools, chances are, you can be held responsible.
Then again, IANAL.
---