Slashdot Mirror
Busted for (L0pht)Crack Possession
TaoJones writes, "Seems like the city of Hopkins, Minn. has declared L0phtcrack illegal. The story from Channel4000 details 11 felony charges against one David Thomas Bell, including two counts of "possession of burglary or theft tools"... namely L0Phtcrack.
" What next? Debuggers?
When I was in my lockpicking phase (anyone have a link to the MIT Lockpicking Guide?), I learned an important point:
Having lockpicks isn't illegal. Using them in conjunction with a crime (breaking and entering, robbery, etc.) is illegal and a separate charge.
There is no difference in having cracking tools. If I'm not cracking anything, then it doesn't matter. A quick look at the article indicates they were using those tools to crack machines. Thus, a separate charge.
-- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
What exactly is the issue here? I expect a flame war will shortly erupt here over whether or not l0phtcrack is inherently evil, and eventually conclude that it's a tool that can be used for any purpose.
In this case, the purpose appears to have been the theft of userids/passwords from their former employers, which is already illegal under several existing statutes I'm sure.
So, please pardon my confusion, where does their posession of l0phtcrack become an issue here?
Anthony
"I think any time you expose vulnerabilities it's a good thing." -Attorney General Janet Reno
They were NOT busted just for possessing lophtcrack, they were busted for stealing usernames, passwords, and customer lists.
Just like there's nothing wrong with owning a crack pipe until you get caught with crack, there's nothing wrong with owning crack() until you get caught cracking.
--
blue
i browse at -1 because they're funnier than you are.
I think this is akin to carrying a screwdriver. You can use it to fix a lock, or you can use it to break a lock, enter a building and steal the contents.
Let's not get too sensationalistic here..
ekk
Read closely and you may not feel so sorry for them. They used L0phtCrack as a tool to commit a crime, rather than to secure their own networks.
L0phtCrack is a legit tool and is legal, HOWEVER, should you use that tool, it could be called a tool to commit a crime. If he had done a physical entry they would have called his power tools, should they have been used to break in, as theft tools. Its a way to add on years (or the threat of) to their possible sentance. Somehow this is supposed to deter other criminals. Don't ask me if it works or not. I don't have a clue.
"These crimes were the high-tech equivalent of physically breaking into a business and stealing valuable documents from a locked file cabinet..."
People need to learn that the two simply don't equate. Stealing means that a victim does no longer have what was once theirs. Breaking into something means physically harming a device intended to prevent entry for the purpose of extracting data.
Neither of these things apply in this case. I understand that IP works differently, but we're going to have to work on the laws to make them apply. "[P]ossession of burglary or theft tools" just don't cut it.
-Waldo
The summary of the article provided as the blurb here on slashdot, right down to the very title of the article itself "Busted for (L0pht)Crack Posession" is extremely misleading, and I have to wonder if it's deliberately so?
I'm not usually one to come out and accuse the
The article says they were arrested and charged with 15 felony counts not for posession of L0phtcrack, but for repeatedly hacking into the computers of their former employers to steal lists of usernames and passwords. This is illegal, and no new news.
If we could moderate the articles themselves, I'd moderate this one down as Flamebait or Troll.
Anthony
"I think any time you expose vulnerabilities it's a good thing." -Attorney General Janet Reno
kids... read the article first before flaming...
While it is perfectly legal for me to walk around with a baseball bat, even swinging it around wildly... But it becomes illegal at your nose...
Oh yeh - at this point the baseball bat would become "a deadly weapon"
So posession of these programs is not illegal, but using them to harm someone else's property is... and then they become "weapons".
As long as we only prosecute people for actions and not thoughts, we're fine...
of course... with "hate crime" legislation and profiling people to community forced anti-psychotic medication (really... its happening in california) we may have moved far away from this principle...
hopefully we can fix this system and not have to scrap it...
... hi bingo
I realy get tired of seeing claims like this from companies "They said that the user IDs and passwords provided access to proprietary information valued in millions of dollars, and they estimated the cost of issuing new user IDs and passwords at approximately $12,500. " Explain to me how in god's fucking name can someone justify that much to reissue new id's and passwords? The only way I could see this being an issue is if this also required email addresses to be changed and there was lost business messaging. Maybe costs related to notifying people of new email addresses? Some please explain to me how this number can be justified.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
The problem comes because there is a level at which something isn't dangerous enough that it needs to be illegal. Obviously we can't use the argument that something MIGHT be used to harm someone, therefore it should be illegal to possess, since just about any piece of matter in the universe could be used to hurt someone in some way. (Ban books, because big heavy ones can be dropped on people from ten stories up!)
The point is that we eventually do draw a line somewhere. However I don't think that, in general, things that aren't intended for causing injury to other people should be illegal. (Burglary tools, for example, or cracking programs.) I say SHOULD because, in general, things that aren't intended for harming people are NOT illegal. So why should software be any different? The only way I can see this being justified is if the software is designed to circumvent safety locks/overrides on, say, an elevator, or the air traffic control system, or a nuclear reactor -- things that, if they break, will almost certainly cause injury. And much as I appreciate and agree with the old saw about cracking to show that the security is weak, when people's lives are at stake, I don't think it holds up any longer.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Okay yeah, Rob went a bit nuts with the summary so we need to give him a collective good kick in the ass. Someone set a date/time in Zulu time and I'll be there.
anyway, I'm puzzling over the fact that the company states that it will cost US$12 500 to issue new logins and passwords? WTF? Depending on the size of the company, it's going to be an administrative bitch, but it's nothing terribly difficult and is basically a time is money issue.
Are they embellshing for effect, or are they just morons?
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
How are the actions referred to in the article even remotely comparable to either of the things you cite?
Do you actually claim that the man and woman did nothing wrong? I just can't see it. Bell was *FIRED* and then used both his contact on the inside and l0Phtcrack to break in and steal stuff. It's clear he wasn't supposed to be there. There's no way he could use the defense "I was just looking around/experimenting/playing/didn't know what I was doing". It was pretty clear he was persona non grata.
The main page headline for this article is just sensationalistic. Please, read, then THINK, then post.
after reading the article, these people were not just busted for possesion of l0phtcrack. they were busted for illegal activities and for the possesion of the tools that they used to commit those illegal activities.
this is not only irresponsible, but sensationalistic on the part of cmdrtaco.
Come on, this story is clearly "score -1: misleading". We need to get story moderation going so that people can filter out stories like this. /. editors pay a little bit more attention to what they are posting.
Either that, or have the
Tarsnap: Online backups for the truly paranoid
Owning a crowbar for use in opening locks, it's questionable.
Owning a crowbar for possible use in killing living beings, a bit more questionable.
Owning a crowbar for bashing people's heads in plain sight, most likely illegal.
I think this is a very poor arguement. It's quite clear that these two were busted for illegal use of the 'tools' and they are just trying to bring as many charges as possible against the two. That way, that's one more charge that they have to plea bargin down.
I know I have been burned by this issue myself once or twice, but it's important to establish intent to use a weapon/tool. I might own a gun and be just a hunter. Or I might own a gun and use it to shoot children. Our country has decided that intent is more important than the possiblities of danger. And well.. that's a whole different issue. `8r)
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Stealing is taking something that dosen't belong to you. If you used a high quality scanner to copy my drivers license and return my original copy without my knowing, you have still taken something that you had no right to take.
Breaking and Entering dosen't have to involve harm to a device. If you find a store key laying on the sidewalk and unlock the door and walk in, you can still be rightfully charged with B&E. The reason? You didn't belong there. You had no permission and having possesion of the key is not a free license to use it as you see fit. It is still a crime if no damage is caused.
If someone had a duplicate set of keys to your car, would you complain when they take it only because they can? What if they decide to just keep it because they like it?
Geez, I learned these things when I was a child. Do most people even care anymore?
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
That depends on where you live. Where I live having 'paraphernalia' used to be legal. Then they made it so that it was legal until it was used (IE contained 'residue'). Now it is illegal to posess at all. Technically zig-zag type rolling papers and old-man type tobacco pipes are illegal under the current laws. Of course those items are sold openly at tobacco shops and drug stores, etc. Old geezers would never get bothered about possessing such things. The law isn't applied uniformly of course. If someone who is say under 40 had such items, they would likely be considered dangerous contraband. The owner of a local t-shirt/music store was busted on drug paraphernalia charges for selling the same zig-zag papers that are sold openly at the local Walgreens drug store.
Back on topic: While in the case at hand, the person getting busted may have actually used the tools for unlawful purposes, it may be only a matter of time before someone else is charged with only possession of tools. Not every jurisdiction makes sane judgements about such things, even ones who might on other issues. Heck, sometimes such things are strictly related to election year politics (the 'head shop' crackdowns tend to happen in years the county prosecutor is up for re-election). Coincidence?
The point is, this is one of those slippery slope issues where once things start downhill, it is very hard to get back up again.
If I murder somebody with a rock, I should get charged with murder, not possession of a rock.
The issue that I see is that many many programs can be exploited manually. What if you have a vulnerable network daemon and the attacker uses nc to feed it input. Is nc illegal then? How about if somebody writes a trojan in C, is the compiler illegal? the linker?
I'm not attempting to be difficult, I just fail to see the point of criminalizing a particular password recovery tool moreso than other methods of attack. If the alleged crimes are true, then I have no problems with them going down for what they did, but I don't see the how as being particularly relevant.
----------------------------
From the article: (emphasis is mine)
David Thomas Bell, 33, of Coon Rapids, faces 11 felony charges. They include three counts of unauthorized computer access, two counts of theft of trade secrets, two counts of attempted theft of trade secrets, two counts of computer theft and two counts of possession of burglary or theft tools (specifically, a software program for extracting user IDs and passwords from a computer system).
So, you see? Apparently (L0pht)Crack is a burglary tool, and Bell was charged with 2 counts of possession of it.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
This comparison of murder with a rock was covered elsewhere (look for someone talking about crowbars).
The point is that you're also charged with murder. Should you get out of the murder charge for some reason, there's still use of a deadly weapon. I'd bet there would be a string of charges should you kill someone with a rock.
L0pht crack when used to steal passwords is illegal. This doesn't make the compiler illegal, much like using a grinder to make lockpicks doesn't make the grinder illegal. It's the picks and using them in a crime that is.
It's just that the laws in this jurisdiction are probably broad enough to cover this. See my earlier comments for the laws in MA (which appear to be tighter). The DA/prosecutor is probably savvy enough to know cracking technology.
-- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
From the article (my emphasis):
David Thomas Bell, 33, of Coon Rapids, faces 11 felony charges. They include three counts of unauthorized computer access, two counts of theft of trade secrets, two counts of attempted theft of trade secrets, two counts of computer theft and two counts of possession of burglary or theft tools (specifically, a software program for extracting user IDs and passwords from a computer system).
Seems like that's where possession of (L0pht)Crack comes in.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Because something must be done about those rubber duckys! If you are in the legislative branch of government and breaking into cars is already a crime, then you have no way to show how tough on crime you are. When it's time to be re-elected, are you going to run an ad that says, "And I would have passed the don't-breaking-into-cars law, if it hadn't already been done"? That is soooo lame!
So here's what you do: raise the visibility of rubber duckys in the public eye, and make sure that everyone knows that rubber duckies are a car thief's favorite tool. I bet you can even find someone to get on 60 Minutes and tearfully recount how a child molester stole their car just to pay for their rubber ducky habit. Then pass the law that makes it an additional crime to use a rubber ducky in the commission of other crimes.
Next election ad season, make sure that your ad states that you are pround to run on your record, and mention that your sponsored or supported the three-ducks-and-your-out law. Point out that your opponent opposed the rubber ducky law. He is obviously soft on crime. He is one of those liberals who thinks we should let everyone out of jail.
This is not a joke. This really happens. Watch the ads. I think they're quite a bit a part of the reason we have these types of laws.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
"when it gets down to specifics the police that I know personally err on the side of caution"
I have to concur. When a police officer recieves a complaint or sees something suspicious, the first thought is to take care of the situation as quickly as possible by using whatever methods they have at their disposal.
These include:
Speaking to the subject(suspect)
Confiscation of item(s)
Arresting the subject(suspect) or taking the subject into custody (these are different things, of course).
Shooting or disabling the subject (almost always a last resort).
Anecdote:
In the State of Illinois, all knives are legal besides switchblades and ballistic knives (knives which shoot the blade). Butterfly knives are (and contrary to popular opinion), last I checked, legal. So, by extention, swords are legal. So, standing out in your front lawn with a sword, chopping on your own tree is legal.
A friend of mine did this.
And when the police officer came by, she confiscated the sword. The reason the officer was called was because an elderly person across the street called and complained.
After some hassle, including threatening legislation, he got the sword back.
So, the sword is not illegal.
However, if he went over and threatened the elderly person who called with the sword, that would be illegal, and the tool would be rightfully confiscated. Same thing if he chopped her head off.
I hope this wasn't that confusing.
later
Dan
[It is legal swing a bat wildly...] but it becomes illegal at your nose....
Not quite. (IANAL, but) it is a crime ("menacing") the instant you present a credible threat of intentionally striking the other person with the bat.
This has some pretty deep consequences. If you swing the bat at me, I don't have to wait until the bat connects before acting in self-defense. This applies even if you're "spoofing" me and I misinterpret the facts in the fraction of a second between seeing a fast-moving bat and my response. Since a baseball bat to the head is "lethal force," in most jurisdictions I have the right *to kill you* in self-defense. In these cases it won't even matter that the bat is a hollow plastic toy, if I have no reasonable way to know this. (This could happen if you come up on me from behind.)
On a related note, every so often you hear about some teen killed while branishing an unloaded weapon - or even a realistic toy. They seem to think that there is some legal distinction if the weapon is unloaded (or unreal). They're wrong - and just as in the case of the bat the victim isn't forced to wait until the instant the bullet strikes his skull before he can act. In many jurisdictions merely displaying possession of a gun constitutes use of lethal force - and the other person is legally able to use lethal counterforce to remove himself from that situation. People might be able to outrun bats and knives, but not guns, and the only sure way for most people to disarm someone with a gun is to kill them first. Remember that next time some kids complain that The Man has no sense of humor about them driving down the street while waving (realistic) toy guns out the window. That actually happened here, a few years ago!
What you quoted is actually a misquote a First Amendment "protected speech" argument. Your speech might offend me (and others), but it doesn't cause us harm in the same way that a punch in the nose does. So we have to live to learn with objectionable speech, not with idiots who wildly swing their fist (or bats!) around others.
Back on point, this is totally irrelevant. Nobody said that L0phtCrack was intrinisically illegal to possess, they said that it was a "criminal tool" used while commiting criminal acts. That's no different from calling a hammer a "criminal tool" because it was used to break car windows, a screwdriver a "criminal tool" because it was used to break the lock in the steering column, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken