Rootkit Developers And Legal Liability

FatherTim writes: "I just saw this posting over at SecurityNewsPortal, and thought it would be of interest. It's a question regarding the potential civil risk that developers of rootkits, vulnerabilities, and exploit developers. It does cause one pause to consider the responsibility that would be associated with full-disclosure." Considering the fine line between evil cracking tools and legitimate remote access tools (how about BackOrifice?), this seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)

Re:Guns don't kill people...

In Britain almost 50% of home burglaries happen while the home is occupied. In the US it is only around 13%. Why do you think this is? It has also been demonstrated that when concealed carry laws are passed violent crime rates decrease while the rates of some types of poperty crime increase. While owning a gun might only slightly decrease the overall crime rate, it means that if I am a victim of a crime, it is much more likely that my car will be stolen than my wife will be raped and stabbed by some drug addict after my television.

Re:Guns don't kill people...

It is the same argument. However, many governments have regulated guns - it is just a matter of time before it happens.

The difference is most guns actually are designed to kill people, and the innocent purpose is secondary. There are plenty of guns available for target shooting only purposes, but these don't seem to be the type of gun people want to own. Odd.

So what?

[cduffy]

I don't care what my chances are of being shot to death, I care what my chances are of being murdered.

How are rootkits different from locksmith tools?

[astrosmash]

I think the murder by hammer analogy is poor. Rootkits, and other cracking tools, don't seem very different from locksmith tools. Both are used to by professionals to secure property. Both can be used to circumvent security.

• Is it illegal to build locksmith tools?
• Is it illegal to own locksmith tools?
• Is it illegal to publish information that describes how to build locksmith tools?
• Is it more (or less) illegal to break in to a candy store using locksmith tools, as opposed to, say, brute force?
• Are the locksmith tool makers liable when someone uses their tools to break into a candy store?

Should the laws governing the use of locksmith tools be any different than those governing the use of cracking tools?

Re:Bullets kill people!

[unitron]

There isn't anything in the Constitution about a right to ammunition is there? Hmmm.

Re:Intent *does* matter

[ananke]

btw, where does your sig come from? gorge dad or son? i'd like to find out

Re:Intent *does* matter

[ethereal]

Well, and forcing the surrender of the Empire of Japan. That wasn't really a deterrent, unless maybe you mean in the sense of deterring them from continuing the war.

Re:Bullets kill people!

[ethereal]

[drawl] Guns don't kill people, the government does :)

Re:Intent *does* matter

[tofupup]

um ... the same logic can be applied to handguns

Re:Intent *does* matter

[IanCarlson]

Guns are designed as lethal weapons? All guns? Some guns? Which guns?

Guns that are designed to fire little pieces of metal can be considered lethal. Little pieces of metal, when they collide with fleshy matter at high speeds, tend to destroy said matter.

It would be hard to claim that all guns are designed to be lethal weapons. There are a multitude of non-lethal water guns, blackhead guns, and radar guns that are still in production. Just wait until they make you start registering the damn things!

Re:Intent *does* matter

[IanCarlson]

If you use definitions 1 or 3 from dictionary.com, I agree.

That's because definition #2 is the past tense of "lethal".

"Ed's decision to brake hard while slipping on a patch of ice was lethal."

So, I suppose it should be noted that "lethal", for the purposes of this discussion, means having the ability to cause death.

However, modern firearms and ammunition are designed to be less lethal than they were in the past.

Absolutely not.

Compare a colonial-era musket to a semi-automatic, clip-loading Glock 9mm pistol. With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire. With the modern 9mm, you load the clip, turn off the safety, and fire until you run out of rounds.

Who's designing these non-lethal firearms and ammo? Surely not Glock, Taurus, or Remington. Look at the wide array of armor-piercing
and hollow-point ammo the average person has at their disposal. New firearms are designed to be lighter, higher powered, more accurate, and more reliable. What does all this add up to? Weaponry now is easily many times more lethal than the guns of yesteryear.

Re:Full disclosure is _necessary_

[arcade]

Actually you are wrong. I've seen several exploits posted to bugtraq over the years - that has been found in the wild.

Also, please remember - there are lots of crackers/programmers in the 'underground circles' on IRC that know how to code exploits. When a vulnerability is found in software - there NEED to be issued a warning about it. There NEED to be issued a patch - and there NEED to be issued what the fsck it was all about.

If this is not done, crackers will just do a diff (binary or source) between the program before beeing patched - and afterwards. It'll be quite easy to discover what has been altered/updated - and thus where you need to look for the vulnerability. From that on, its not really difficult to create an exploit.

Unreleased exploits? Lets see.. I think there was a virus that exploited a vulnerability in Outlook. Some 'date' field without bounds checking or something like that. That certainly was 'unreleased' up until the virus got into the wild. There has also been other cases. Rootshell.com was cracked a couple of years back -- remember? I don't think they ever found out how ..


--

Re:Full disclosure is _necessary_

[arcade]

Hello Mr. Anonymous Coward. I see that you didn't read my post.

I said:

"Full disclosure of cracking tools are a necessity. I will not argue about wheter it should be punishable to create them, but _Publishing_ them when they exist - is commendable."

Then I went on to argue why we need a full disclosure list such as Bugtraq - where information are freely published.

I did not say anything for or against wheter those that create the tools should be held accountable. I say that when the tools are _made_ -- those that publish them to the general public should be commended, as its better to have'em where everybody can see'em - than to have'em in the hands of a few underground persons.

Now, go back and _read_ the posts you answer to, before you answer.


--

Bad analogy

[Fellgus]

The analogy, "should hammer makers be responsible for murders-by-hammer" is wrong. It should be "should gun makers be responsible for murder-by-shot?".

A hammer is designed as a tool for practical purposes, but can be used to kill. A rootkit is designed to gain unauthorized access, not to as a tool for practical purposes. (But may have practical side effects, akin to a gun, which CAN be used to avoid getting shot, while that is not what it was designed for).

Re:Guns don't kill people...

[MrHyd3]

Idiots that make any arguments over what gun I can and cannot own is my freedom, not yours. Remember the first 10 Ammendments of the Constitution are for the INDIVIDUALS RIGHTS (You and me) of the country, not the Gov. These first 10 were written to ensure that idiots would not skew the words saying what I can and cannot own.

now it's coming back to haunt us

[krog]

America is fucking itself:

Those lawsuits against Big Tobacco sure seemed like a good idea at the time. Nobody likes them, they have more money than God, and they sell products that kill. They even tell people that, on the side of the box. Hell with it: someone's cancer is their fault, sue 'em.

Firearms industry? Obviously responsible for subsequent shooting deaths! To the courtroom!

And now.... the software industry? HA HA

It's bittersweet to see today's "Liberals" choke on their own blood sometimes.

Re:Hrmm....A difference maybe?

[Tony-A]

The question is if anything should be able to run invisibly.
Actually, that sounds completely legitimate. Microsoft and Symantic (sp?) are out of the loop, but if anything, that increases the legitimacy.

Re:Intent *does* matter

[mako]

The law can never be completely objective because humans have intent, and intent is a subjective thing.

You were on the right track and then missed it a little bit I think. Intent is, or should be, only an issue if a crime has been committed. Writing these tools should not in itself be a crime. Only using the tools illegaly should be a crime.

Ideally intent of the creator simply should not be an issue. To use your gun anology it doesn't matter that a gun is designed only to kill. It only matters if someone uses it to unjustifiably do so.

Re:Intent *does* matter

[mako]

Making something that has no lawful purpose, regardless of intent, and acting with little or no descretion in its distribution, could easily be considered facilitation at the very least.

Thoughtcrime I think it's called. Both mens rea and actus reus need be present for a crime to exist. Intimidating developers into only releasing their wares amongst close associates will do nothing to stem the tide of incompetent system administrators and the goons that hire them.

Old news...

[Covener]

Interpol has had the elusive Dr. Spewfy on their most wanted list for close to 6 years.

Re:Guns don't kill people...

[gimpboy]

The next time someone breaks into my house they are highly unlikely to be carrying a gun, because I live in a society that isn't obsessed with them.

thats fine. if someone were to break into my house they would be greatly slowed down by a bullet weather or not they had a gun. see how this works? as an example look at south africa. in the last couple years they passed laws banning guns. now the only people who have guns are the criminals.

you really dont understand the colonies comment? you do realize that at one point in time britan controlled the us colonies and abused them to the point where they had to remove the british. here in the us we refer to that as the revolutionary war. to prevent the citizens from being rolled over by the government, the right to bear arms was written into our constitution. that is why i find it humorous when a person from britan comments on how we have an irrational desire to have the right to bear arms.

The problems with laws ALLOWING guns is you end up with one of the highest gun shot deaths per capita. Britain has something like 1/1000 of the PER CAPITA death by gunshots compared to the USA. Why? Because people don't have guns. What is it you can't understand about that?

vague numbers, do you have any references?

do you really think that if someone wants to kill alot of people not having a gun will stop them? honestly if i wanted to kill alot of people i could make explosives from common chemicals that would make the worst school shooting to date look harmless.

use LaTeX? want an online reference manager that

Re:Guns don't kill people...

[gimpboy]

The fact is you are far less likely to be killed during a crime in Britain then in the USA. Are you safer in the USA or in Britain? Which one has guns?

some day you will take a statistics class and realize that you cannot make causical assumptions from statistical data. if the only thing that happened in the us and britan was crime, and the only difference between the crimes was one person used a gun you might have a case.

take for example drunk driving. this claims many lives each year. i dont think you will argue that we have alot more land mass here in the us and as a result more people own cars. also on average we drive farther each day. so because you are more likely be killed during a crime in the us are you safer in britan? which one has more cars?

conclusion.. we must now ban all cars.

use LaTeX? want an online reference manager that

Re:Bullets kill people!

[spudgun]

Muzzle loaded Muskets are Arms too

just control the automatic and seMi auto weapons , subject to a phychological exam and police inspection of your safe storage locker you can still have them.

I'd love to see a drive by shooting with muskets
at least the target might be the only one hit
One shot guns tend to improve your accuracy !

Re:Lawyers: Been there, done that.

[Stinking+Pig]

Who pissed in your Cheerios? Most of the people around here are a lot more libertarian than liberal, and the liberals are more liberal than leftist (and therefore tolerant of gun-owning). If you want leftist geek, that's on Kuro5hin. Maybe you're mistaking NIMBYism for liberalism? There's certainly plenty of Not In My Backyard on /., in the form of "issues don't matter until they impinge on me personally or the IT industry as a whole."

Murders with Hammers

[jcr]

Actually, it's well established that if I make a hammer, which you then use to kill someone, I'm not culpable.

If, however, I make a cheap hammer and the head comes off when you're swinging it, and it hits somebody and kills him, then I *am* liable, since the head's not supposed to come off.

-jcr

Re:Murders with Hammers

[inaneboy]

I love the implication here... If I build a defective -gun- and it explodes in someone's hand while they are attempting to commit a murder, then -I'm- liable?

Re:Murders with Hammers

[jcr]

> If I build a defective -gun- and it explodes in someone's hand while they are attempting to commit a murder, then -I'm- liable?

If your product malfunctions and injures someone, then yes, you're liable. In the scenario you suggest, you might get off lucky since the jury wouldn't be sympathetic to the attempted murderer, but if your defective product blows up in someone's hand while they're shooting targets or trying to defend themselves, then you lose.

-jcr

Re:Full Disclosure

[YellowBook]

BO actually COULD serve a legitimate purpose, but rootkits really don't. Their very existance gives script kiddies fuel they need without even the justification of providing a useful resource to someone else.

I'll grant that full rootkits don't have a legitimate purpose, but I think you have to treat published exploits separately. As a sysadmin, I often find them quite useful to test my systems to see if they are vulnerable to specific attacks. Often (because of local patches or details of installations) it's not possible to tell simply from a package's version number whether the version of a package we're running is actually vulnerable. A published exploit is also the easiest way to weed out false alarms, where a package is claimed to be vulnerable but isn't. (On the other hand, there's the problem of checking published exploits for trojans -- just because it's on a reputable mailing list like bugtraq doesn't mean it's safe to simply run it).

Of course, it can be argued that a published exploit should run 'id' with elevated privs rather than running 'sh'; then the truly clueless won't be able to use it for eee-ville.

--
The scalloped tatters of the King in Yellow must cover

Re:A Similar Situation

[slam+smith]

The problem here is public education and the brain and common sense check-in stations and knee-jerk reaction check-out stations at the entrance.

Re:Intent *does* matter

[Bios_Hakr]

Shooting Skeet(sp?). I used to do this for hours on end. Not because I was training to go hunt, not because i was training to kill, but because it was funn as hell.

For that matter, why does target pracitce imply training for anything other than shooting targets.

Think about the pure joy you get out of coding, hacking, overclocking, building muscle cars...whatever. There are people who like to purchace guns, modify them, and shoot them. Is the guy who owns a modified semi-automatic rifle any different from the guy with a nitrous-oxide kit on his Chevy, or the guy with 15 case fans and a 550 watt power supply?

Hammers? - Give Me a Break

[alteran]

I am so sick of rootkits being compared to hammers.

Hammers are EXTREMELY useful tools only occasionally used for mayhem.

Rootkits, OTOH, while having an extremely limited set of legitimate uses, are almost always downloaded and used for the express purpose of gaining access to a machine that the user shouldn't be on. Period. We all know it.

I'm not saying that these guys should be sued/liable. But to continally defend this kind of software without acknowledging it for what it really is just takes away from the legitimacy of the main arguments.

Re:Guns don't kill people...

[Stonehand]

It seems unlikely that you even know what a semiautomatic *is*. One pull, one shot, next round chambered. That's all.

The British *do* shoot each other, incidentally. Or, rather, the criminals are the only ones shooting -- except for the armed police, which they NEED because, er, their gun-less bobbies just don't do the trick when they've got yet another half-naked maniac running around with a sword.

Re:Intent *does* matter

[Stonehand]

And, statistically, allowing ubiquitious concealed carry reduces anti-person (versus anti-property) crime, not just injuries.

Plus, not everybody lives in urban areas... and you just *don't* negotiate with a big cat that sees you as its next dish of Meow Mix.

Re:damned analogies

[Stonehand]

Three examples of legitimate use:

Reviewing a Linux distribution and its included applications. Try a few "sane" configurations (stuff that a novie would probably try), and run it by several rootkits. If you find any problems, that's VERY important information. And if said distro people negligently *shipped* with packages with known, unfixed bugs, there may well be a compelling interest in publishing that information.

Likewise, say you've installed a new system, and you're thinking about hooking it up via broadband. Since you're going to be always-on, security becomes a *large* concern. Trying out the rootkit on your own system lets you find out if you *might* be hosed -- and better that you find out THAT way, then let it be done by somebody else who searches for private data and then dd's your disk devices with random garbage.

Third, security professionals can get paid to test their client's security. Penetration tests could clearly make use of these tools...

Re:Bullets kill people!

[matman]

well, it's arms, not guns in the constitution... I'd say bullets are arms.

Re:damned analogies

[matman]

Nowhere did I suggest obscurity. I just think that manufacturing items with intent to help someone commit a crime is wrong and should be illegal. It's like growing anthrax and putting advertisments out in the paper saying, 'I grew anthrax, come get some for free if you want to do some "research"'. You do that and you're in shit (and rightly so). People in labratories can grow anthrax and sell it to other labs legally because their intent is good; if ever it's discovered that they're selling it to people who are obviously terrorists, the lab could be charged with neglegence, or even murder (if you could prove that the lab people knew they were selling to terrorists). Posessing a root kit for purposes like investigating it's function to help secure your boxes is reasonable, but like other people have said, intent matters.

Re:Intent *does* matter

[ahodgson]

They oppose registration because they know, for a fact, that it's the next step on the way to confiscation. Hell, HGI brags about that being their end goal.

Re:Intent *does* matter

[jesser]

Sorry, I should have said "for the last 50 years" instead of "for over 50 years".

And here's why!

[SaDan]

When was the last time a paper target held up a convenience store? When was the last time you heard about a paper target involved in a bank robbery?

See? People aren't interested in guns that shoot targets well, they're interested in guns that shoot PEOPLE well. People are the ones that do the bad things, not paper targets.

Interested in weather forecasting?

Hammers?

[Azundris]

whether hammer makers are responsible for murders-by-hammer.

"Puns don't kill people" etc.?

--

Re:Hrmm....A difference maybe?

[SirStanley]

You restrict access to VNC with passwords I assume. You can't restrict access with passwords through buffer overflow exploits or some stupid security hole. You still installed VNC as an administration program, which requires access to the box prior to installation.

Hrmm....A difference maybe?

[SirStanley]

Well. Lets look at backorifice. It installes a daemon on the remote computer that allows someone to connect into it. That's Remote administration. Writing a Script that will take advantage of a buffer overflow in say MS IIS would be considered a Malicious tool. Who in their right mind would develop a remote administration tool (that would be used legitimately) that takes advantages in exploitable Security holes. Especially when you can't restrict access to such holes.
Let the script kiddies rot in jail.

Re:Hrmm....A difference maybe?

[SirStanley]

Heh. A few microsoft products notifies its creator who installed it =) I guess you could call it seamless integration

Re:Hrmm....A difference maybe?

[DaHat]

"Who in their right mind would develop a remote administration tool (that would be used legitimately) that takes advantages in exploitable Security holes"
Someone wanting to make a less intrusive admin program? Slightly related example: Ever heard of VNC? I use it on all of my computers and got sick of seeing the lil icon in the task tray all the time, so I removed it, now unless you do some checking you don't know if it's there or not. I did this for my own personal use. I did this for simplicity, yes it could be used for malicious uses but I modified if it to work the way I wanted it to for my uses, if someone uses is for malicious uses so be it, thats not my problem, I only built the gun, I didn't load, aim and fire it.

Re:Hrmm....A difference maybe?

Who in their right mind would develop a remote administration tool (that would be used legitimately) that takes advantages in exploitable Security holes.

Good argument, but it completely ignores the fact that there ARE legitimate uses for software that takes advanatage of security holes - softare to determine if the hole exists or not.

Example:

IIS has a security hole, MS releases a patch.

OK, so how to I determine if the patch actually fixed the hole?

Answer: by attempting to exploit it.

Checking my own (theoretical - I'd never be caught dead using IIS :o) server would fall under "legitimate use", wouldn't it?

Re:Hrmm....A difference maybe?

[whopis]

Back Orifice also has the ability to hide the daemon withing a standard executable. Then when the arbitrary executable is run, the daemon (invisibly) installs itself on the system and (if configured to do so) notifies its creator.

Does that sound like a legitimate use of a remote administration tool?

Great, pass another law.

[Talla]

I'm sure Iraq, China and others will really appreciate it. We'll provide them with a bunch of boxes, because their users had no incentive to secure them. Steve Gibson can probably tell you what happens next.

KIS - Kernel Intrusion System - Release at Defcon

[optyx]

Currently planned to be released is a multipurpose kernel module which by default acts as a rootkit. http://www.uberhax0r.net/kis Scheduled for release Saturday July 14th 10am! -Optyx

Re:Guns don't kill people...

[he-sk]

do you really think that if someone wants to kill alot of people not having a gun will stop them?

The point is, that most gun victims don't die because the other one wanted to kill them in the first place.

You do realize that someone breaking into your house is not an excuse for you to kill him, don't you? So the following ...

if someone were to break into my house they would be greatly slowed down by a bullet weather or not they had a gun. see how this works?

... gives me the perfect argument to prohibit guns. If someone breaks into your house, he deserves justice, not death. Pathetic argument, you might say? No, just idealistic.

you do realize that at one point in time britan controlled the us colonies and abused them to the point where they had to remove the british. here in the us we refer to that as the revolutionary war. to prevent the citizens from being rolled over by the government, the right to bear arms was written into our constitution. that is why i find it humorous when a person from britan comments on how we have an irrational desire to have the right to bear arms.

You know, the German Grundgesetz (our constitution) also says that it is our right to find anybody who is against the order laid out in the Grundgesetz including the government (Art. 20.4: Gegen jeden, der es unternimmt, diese Ordnung zu beseitigen, haben alle Deutschen das Recht zum Widerstand, wenn andere Abhilfe nicht möglich ist.) Still no reason for everybody to keep a dozen shotguns in his house let alone carry one along.

And, as another poster already said: Who are you going to fight with your shotgun? Right.

Re:Guns don't kill people...

[he-sk]

Please do not take this as a flame, my good German friend, but you do not have the cultural foundation to partake in this discussion in an informed manner. You can memorize all the statistics that you want, but unless you have lived here for a while, you don't know jack about American culture, and that's what this debate is all about -- culture.

I hate to break it to you, but I lived for a whole year in the US. As a matter of fact, I spent my senior grade in the States, where I graduated (and then went on to have two more years of German high school).

And yes, you're right, I experienced a whole lot of things that (at first) seemed crazy, confusing, sometimes frightening and sometimes even disgusting. I spent evenings arguing with my host dad about all kinds of political issues, only to realize that he was amazingly unpolitical. I experienced driving through an all-black neighborhood with the doors looked shut.

I know that this discussion is about culture and that I have to respect the American way of doing things. But, I have every right -- especially when I naturally have a very different perspective -- to voice my opinion regarding this American way. And you, as an American, should be able to take good advice when you hear it and not just put it down as being from somebody who doesn't know what he's talking about.

Re:Tookits & Rights

[he-sk]

Having worked on construction sites I know that many people are seriously injured by falling hammers.

Umm, that's why you're supposed to wear a helmet, right? Oh, your post was ironic. I see.

Re:Tookits & Rights

[ahaning]

A legal use? Like when the admin is out and the temporary person in charge does not know the password (or have physical access such that they could do a single-user boot), or when the admin forgets the password and does not have physical access. While both are far-fetched, I don't see how either could be ruled illegal uses of root-kits.

If you lock yourself out of your house or car, is it illegal to have a locksmith break in for you? I would surely hope not.


kickin' science like no one else can,
my dick is twice as long as my attention span.

Re:Intent *does* matter

[cybermage]

To use your gun anology it doesn't matter that a gun is designed only to kill. It only matters if someone uses it to unjustifiably do so.

Some guns are illegal or very tightly regulated (e.g. automatic weapons.) There are legal distinctions about the intended use of the gun.

While a root kit *can* be used to do lawful things, they are typically written with the intent to, at the very least, trespass.

Making something that has no lawful purpose, regardless of intent, and acting with little or no descretion in its distribution, could easily be considered facilitation at the very least.

Re:Intent *does* matter

[mrfiddlehead]

Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is contraversial.

Bzzzzzt. There are some non-lethal and justifiable uses for guns. The problem is that there are way too many pig-headed lunatics who oppose registration, and all of them have an arsenal of weapons.

If that doesn't make you uncomfortable then you're obviously armed yourself.

Re:Presentation of the tool

[Acrucis]

Intent is all-around important in cases of security. Also making sure that your intent is obvious is a good idea, lest someone claim that you weren't really doing whatever to help out.
For example, the ISP I work for has a rule that anyone caught portscanning the servers will be in danger of having their employment terminated. Several guys in tech support have gotten into deep trouble for this. I, however, portscan a server every week or two. I'm the UNIX sysadmin, and for me the portscanner is a useful tool. I can use it not only to verify the results of netstat, but also to make sure that a new installation of portsentry is blocking people properly. I certainly hope that if I ever get caught the managers take into consideration that I already have root on the machines and perhaps I'm using it to test my systems.
It is unfortunate that useful tools often have negative uses, but let's not prevent people from making or distributing something intended to be a tool just because some kiddie might use it for ill. Now, distributing it in a skr1pt k1dd1e channel on IRC is another matter...

Re:Tookits & Rights

[blane.bramble]

The arguments are:

Cigarettes cause cancer, and the tobacco companies covered it up for years. Hence they are guilty of negligence.

Gun companies *could* make guns safer and prevent the number of deaths to small children, but haven't. Hence they are guilty of negligence.

A hammer is designed for a purpose. It cannot be made safer without preventing it's main purpose, which is in itself legal. Hammer manufacturers cannot be held responsible for someone misusing a hammer.

Your argument is?

Re:Guns don't kill people...

[blane.bramble]

Violent crime has been rising for years. Our death by gunshot is far lower than the USA's per capita. The fact is you are far less likely to be killed during a crime in Britain then in the USA. Are you safer in the USA or in Britain? Which one has guns?

Tookits & Rights

[blane.bramble]

Surely it has to be more down to the intended purpose? A hammer is designed for a purpose other than bodily harm. Similarly, some toolkits are designed for purposes other than breaking into someone else's servers.

Blane.

Re:Tookits & Rights

[blane.bramble]

but if Big Tobacco has been required to put warning labels on its products, that should end their liability, provided that cigarettes do not do damage beyond what is stated on the label.

Which is precisely the argument (not a counter argument) - that the Tobacco companies KNEW that their products where addictive and cancerous but didn't warn the consumers.

Re:Tookits & Rights

[buck-yar]

Gun companies *could* make guns safer and prevent the number of deaths to small children, but haven't. Hence they are guilty of negligence.

By doing what? Some of the things mentioned in the industry are:

-harder/longer trigger pulls In theory this would make it more difficult for a child to discharge a weapon. In practice it makes the gun more inaccurate to the user. A longer harder trigger pull causes the weapon to jump around. In self defense situations, do you really want to compound the inaccuracy problems, potentially endangering innocent people?

-finger print IDer In theory only the person who purchased the handgun could fire it. This has several problems. First, what if the battery fails in a self-defense situation? What if there is a glitch in the system. This is not acceptable. This would also drive the cost of handguns out of the range of the average citizen. For women who need handguns for self defense, this is also not an option.

Loaded chamber IDer. This one really gets me. First off, these things can wear off with age and dirt can cover up the painted red areas. A gun should ALWAYS be treated as loaded, unless the chamber is visually inspected to be clear. There is no point to this addon, and can potentially make the gun less safe, obviously by a combo of crud build-up and user safety breach.

Guns are very safe it treated properly. The solution to the child problem is to keep them out of reach or locked up. Using the simple rule of never pointing the rifle at something you don't want destroyed is the only way to stay safe. I've recently had a situation where my SAR-2 slam-fired (gun fired when the charging handle was released), causing the gun to go off without pulling the trigger. Fortunately, I was practicing firearms safety and the rifle dischaged into the ground.

Re:Tookits & Rights

[goofy_root]

About this laywering thing, then Jennifer Smith, 29 year old tourist from New Jersey, after being gored in the right thigh during the San Fermin running of the bulls festival in Pamplona, northern Spain, Saturday, July 7, 2001, can sue U.S. author Ernest Hemingway because he attracts thousands of people from around the world every year?

Re:Tookits & Rights

[neotek(maas)]

1. Can anyone name a legal use for a root kit?

Yes. For a minute, consider a world where rootkits are not publically distributed - only the "bad" guys make them and keep them to themselves for legal and self worth reasons. The _only_ way someone can work out how these rootkits work is to get one (probably in binary form) and spend hours reversing it. Since research into techniques is just not done actively, the "good guys" are worse off. The "bad" guys have more of an upperhand.

This means it is that much _harder_ for a system administrator to determine if they have been rooted, etc. because they do not know what to look for.

Re:Tookits & Rights

[Eslyjah]

A counter-argument would be that at some point, consumers are responsible for the appropriate use of those products they choose to buy. Sure, cigarettes cause cancer, but if Big Tobacco has been required to put warning labels on its products, that should end their liability, provided that cigarettes do not do damage beyond what is stated on the label.

In the case of guns, everyone who purchases one ought to be aware that they can be misused and mishandled. If a child finds a gun and accidently kills one of his friends, the owner of the gun should be liable for not taking the necessary precautions, not the gun manufacturer, who knows nothing about the circumstances under which the gun will be used.

Re:Tookits & Rights

[unitron]

Tobacco peddlers spent billions over the years in advertising and placement in movies and television shows to convince people to actually light up and take the smoke into their bodies. Gun makers advertise "stopping power", that is, being able to disable another person by inserting one or more bullets into them at high velocity.

I've never ever seen an advertisement for a hammer that suggested any use for it other than pounding nails into wood or pulling them back out with the claw.

This of course makes the entirely reasonable assumption that the original poster was referring to those types of hammers used by carpenters.

Re:Tookits & Rights

[cybermage]

Similarly, some toolkits are designed for purposes other than breaking into someone else's servers.

1. Can anyone name a legal use for a root kit?

2. Can anyone justify blindly distributing root kits through pratices like anonymous FTP?

While I cannot think of a reason to write a root kit, other than for hacking into a computer I don't have root access on, I'm willing to concede that one of you might. But, knowing the power of such a tool, how could any author take a hands off approach in its distribution and not expect some responsiblity for the havoc it causes.

Re:Tookits & Rights

[Tassach]

1. Can anyone name a legal use for a root kit?

A rootkit has the same legal uses as a lockpick. Using a lockpick to open the door to your house is legal. Likewise it's legal to pick the locks on a friends or employer's doors if you have permission to do so. Professional locksmiths are more restricted than amateur ones, due to the fact that it's a regulated & licensed profession (like hairdressers, realtors, pharmacists, etc). However, using a lockpick to break into someone's house (either to just look around, or to take stuff) is a crime - it's called breaking & entering; if you take something tack on a burglary charge. It is the action, not the tool, which is (or at least should be) punished.

Re:Guns don't kill people...

[blane.bramble]

if the only thing that happened in the us and britan was crime, and the only difference between the crimes was one person used a gun you might have a case.

35,000 deaths per year to guns in the USA. 44 deaths per year to guns in the UK. Population in the USA, 250 million. Population in the UK, 58 million. So, in which country are you more likely to die by gun? I understand statistics as well as you I suspect.

Re:The U.S. Law system

[geekoid]

The trial about hot coffee in McDonald's I understand that law in any country is complecated, but that trial was was not about hot coffee. It was about coffee that was "dangerously and unreasonalby hot" and McDonaldshad been told that someone would become seriously injured if they where to spill some.(point in fact, the coffee was so hot the women spent 30 days in the hospital).
In american law, its more like, if the item is more dngerous then someone using it should reasonably believe, then the manufacture may be liable.
sorry to rant about this offtopic, but the media breaks everything doen to the lowest common denomentor, and no one bother to check the fact, that it looks like everyone here can sue for the slightest thing, which is not true. what may seem obviouse and stupid on the surface, might atually be reasonable when the facts are looked at.
clearly outlawing root kits is fool hardy at best. When making these type of decisions, its best to look at unattended cirumstanes. to bad most people perfer to go with there knee jerk reaction, then actually bothering to aleveate there ignorance.

Re:Intent *does* matter

[jelson]

So you're saying that if a product is meant to be non-lethal, but certain people use it carelessly in a way which causes their death, the maker of that product should not be sued?

That seems to make sense. But then why are we suing tobacco companies?

Re:Ridiculous

[mheckaman]

Actually, you DO have to worry about dying or being injured by over the counter medications. Just look at the problems they have had with medications that contain PPA, and how there have been cases where people have died from taking one tylenol and having one beer with it.

Matt

Re:Guns don't kill people...

[evildead]

We will, of course, ignore the increases in illegal firearms ownership, crime where a firearm was involved, and the violent crime rate in the UK, since they've taken almost all of them away from the honest citizens.

But hey, why let facts stand in the way of an argument.

Re:Sue the Writer of the Hacking Tool 'Telnet'

[Zero__Kelvin]

Somebody mod this "word that silly humans think can take on a charge" (i.e be "bad" or "good") post up! P.S. To all silly humans - the truly neutral word I refer to is ... shhhh don't tell anyone or say it out loud! .... fuck or more accurately the appropriately conjugated fucking ... he .. he .. he.. he said fuck and fucking ... shhhhhh .. I my god, here comes the devil!!!! ... false alarm ... it's just mom and dad!

Re:Guns don't kill people...

[|<amikaze]

Well, sidewinders aren't going to do anything against the 20mm vulcan cannon! Sidewinders are Air-To-Air missles...

Insure Your Nukes

[streetlawyer]

my insurance company tells me the specifications for safe storage, so that i don't loose my coverage and have to pay myself for any incidental damage. i am personally liable for misuse, however, as with everything.

"We will all go together when we go
Every Hottentot and every Eskimo
There'll be noone with endurance
To collect on our insurance
Lloyd's of London will be loaded when we go!

--Tom Lehrer.

Re:How are rootkits different from locksmith tools

[Totally_Lost]

Carry a pick set, without a lock smith license, and it is considered criminal intent in nearly every place I've ever been.

Hammer liability

[Galen+Wolffit]

This is a somewhat tricky one. The manufacturer of a product is liable for damage caused by that product, whether through normal use, or accidental or intentional misuse - but only damage to the user. In other words, if I smash my thumb with a hammer, I _could_ sue the manufacturer for not putting in sufficient safeguards to prevent damage. However. This does not mean that the manufacturer of the hammer is responsible if I use that hammer to kill someone. The manufacturer is not responsible, because this was not the intended or obvious use of the hammer. Gun manufacturers, thus far, have not been held criminally liable (but may have been held civilly liable) for murders by those using guns they made. To the point at hand, though. Are the developers of rootkits and other mechanisms for breaking into systems, criminally or civilly liable for the criminal use of such mechanisms? Criminally, no. Civilly, quite possibly, because of the intended use of the mechanism. My $0.02 adjusted for inflation.

Re:Guns don't kill people...

[Some+Dumbass...]

i remember after one of those school shootings somone on cnn was interviewing a person from britan. the lady said she couldnt understand why americans think we need guns.


Apparently, we need them to shoot each other, and the Brits don't. This realization seems to have taken flight from most Americans' minds. They seem to forget that burglars are human (and rarely armed) and that your gun can be used to blow other people (like you!) away too. Also, we seem to need huge guns (some people even argue for semi-automatics!) to shoot each other, not just simple .22's, or for that matter, stun guns or other non-fatal weapons. Perhaps we as a nation can't aim very well? And why is the violent crime rate lower everywhere in Europe (and Japan, and Australia, and basically every other first-world country)? Why don't the Brits need guns to shoot each other?

Re:Guns don't kill people...

[Some+Dumbass...]

You can place whatever value on your life that you choose. There is nothing that I have that is more valueable than my life. I will use whatever means available to me to preserve it.


I suspect you'll be in jail very soon, at least if you actually believe that every threatening person deserves to be killed. In the meantime, I do recommend you put more value on human life. Just because someone is threatening you doesn't mean that they deserve to die.


You seem to be ignoring the ethnic riots that have happened in Europe this week. Let us also not forget the Japanese man who killed 8 school children last month.


Rate = Events/Time. A "rate" refers to the number events that occur over a period of time, not just single events. Yes, I know that people in other countries commit violent acts. It would be stupid of me to deny that. But the violent crime rate in the U.S. is still the highest.

Re:Guns don't kill people...

[Some+Dumbass...]

It seems unlikely that you even know what a semiautomatic *is*. One pull, one shot, next round chambered. That's all.


You're right, I'm no expert. Still, it's not a stun gun, right? It's a gun designed to make firing multiple shots easier?


The British *do* shoot each other, incidentally.


You can tell that nobody believes I have half a brain when they take the time to point out things like this. I know that! But the crime rate in the U.S. is still higher than in the UK. That's all I claimed. Please don't read anything too ridiculous into what I wrote - I'm not a complete idiot.

Re:Guns don't kill people...

[Some+Dumbass...]

You don't know much about guns. But that's OK; I'll clue you in.


The first statement is true :) The second is as well.


A .22 is a very low-powered weapon. Unless your shot placement is very precise, you are unlikely to quickly incapacitate someone by shooting them with a .22. (Just to clear things up, by "shot placement" I mean being able to hit them in a vital area -- head or heart.)


Funny, that was exactly my point - a .22 will scare or hurt a person without doing too much harm. Incidentally, does "incapacitate" mean "kill"? You're not talking about pepper-spray style "incapacitate", are you?


A firearm that imparts more kinetic energy to the target is more likely to stop the target quickly. If someone is attacking you and you need to stop them, it's important to do so quickly. You don't want them to get off a few more shots, or a few more swings, or a few more slashes. Shoot them with a .22 and that's likely to happen.


Does "stop" mean "kill" too?

Also, why is it that pro-gun descriptions of how a fight could go always sound like video games? Do you think the average criminal really wants a fight to the death, or are they more likely to run the second they see that you're armed?


If your life is on the line, and you actually need to shoot someone else -- you may as well do a good job of it. Unpleasant to think about but it's the truth.


I also notice that not one of the people who replied to my comment even mentioned stun guns, pepper spray, or other non-lethal weapons. "Self Defense" basically just means "shoot 'em dead" to you guys, doesn't it?

You guys know what the best way to deal with a burglar is? Get outside and get to a nearby house and call the police. The best self defense is generally "running fast", or at least avoiding conflict however you can. Assuming you actually want to defend yourself, that is. Maybe some people want to get into a fight with an armed opponent?


Perhaps we as a nation can't aim very well?

That's a ridiculous statement. Let's see how steady your hands are when your life is in danger from an attack of some kind. Sheesh.


That was a joke. Sheesh.

Exactly.

[Kasreyn]

From the original article:

...this seems like asking whether hammer makers are responsible for murders-by-hammer.

That's a poor analogy. A hammer is a multipurpose tool, which can be used to hammer in a nail, pry out a nail, bang wooden frames into place, and crush the skulls of murder victims.

A better analogy would be handguns. A handgun is an inefficient hunting weapon. Its only true purpose is ending human life. Others have often made the argument that it has a purpose in self-defense (deterrance). I won't bring my personal beliefs into the discussion. But making rootkit and exploit publishers liable is like suing Glock every time someone is murdered with one of their handguns.

Of course, just try explaining the worthlessness of security by obscurity to a non hacker/computer techie. I've tried; they just don't f-ing get it. =( Which means lawyers and politicians surely won't.

-Kasreyn

Re:Bullets kill people!

[pimpinmonk]

uh, last time i checked, people kill people. Jeez, and even DMX of all people said that in "Romeo Must Die."
___________________________________________ _______

Re:Guns don't kill people...

[ffsnjb]

According to this month's America's 1st Freedom (page 61), New York's (state in which I reside) Court of Appeals has "ruled in Hamilton v. Accu-Tek that victims of gun-weilding criminals cannot sue firearms manufacturers for the misuse of a legally manufactured and non-defective product." There goes those ridiculous lawsuits...

And on page 58... "Florida became the 26th state to adopt legislation protecting the firearms industry from reckless lawsuits..." Theres more than half the country saying those lawsuits are retarded...

Re:What is illegal?

[Xcott+R13,+3(0,R4)]

Maybe you should consider reading your comment.

Your post didn't just say dynamite was illegal, but that explosives in general, and parts used in explosives, were illegal. Again, this is false. Totally false. It is legal to buy fertilizer and fuel, it is legal to buy timers and electronics.

Your point that I can't go out and buy dynamite does not somehow imply that all explosives are illegal, including their parts. I never had any need to buy dynamite, or make explosives; but I assure you that I can purchase a microcontroller.

Secondly, you stated flat out that, Because by creating an explosive, you have an intent to either kill someone or destroy property. Sorry, but this is a false statement. You tried to qualify it later, but this is sentence is just plain objectively false. It's not true even you read it twice or look at it funny or examine it in the context of your entire post: someone who creates an explosive does not necessarily have an intent to kill someone or destroy property.

Indeed, this is the logical flaw behind most of your post: you're jumping to the conclusion that people have intent to do harm. In the US, possession can be illegal if there is intent to commit a crime, and here you are basically saying the same thing backwards: that owning or making explosives/etc implies intent. Towit:

you have no right owning and/or distributing a rootkit because you have INTENT to illegally gain access to someone else's computer.

I have no intent to illegally gain access to anyone else's computer. Woops, your logic didn't work. While we're at it, please cite a single reference stating that I have no right to own a rootkit.

Re:What is illegal?

[Xcott+R13,+3(0,R4)]

Is obtaining explosives or parts used in explosives illegal? Should it be illegal? Well, it is illegal.

From what country are you posting? In the USA, it is not illegal to obtain components for explosives. There are restrictions governing the possession and use of them, yes, but they are not plainly illegal.

Because by creating an explosive, you have an intent to either kill someone or destroy property.

Amazingly false. Of course explosives have a legitimate use, or else there wouldn't be legitimate manufacturers. You yourself mention several legitimate uses just a few paragraphs later. Miners do not have an intent to destroy property or kill people. Furthermore, private individuals can have a legitimate use for explosives, just like companies; this is why the US Govt publishes instructions on how to make explosives --- the "Blaster's Handbook."

Finally:

...there is a point where freedom oversteps the bounds of good moral and common sense.

Freedom is not to be limited simply because it violates anyone's morals or local common sense. This is just the age-old argument that freedoms and rights need to be trimmed to "separate the wheat from the chaff," for instance to ban speech which is "clearly" undeserving of protection.

Freedoms tend to be limited only when they infringe on the freedoms of others, and this is a boundary far beyond that of mere moral questionability or offensiveness. Show me how someone else's possession of a rootkit (not use, but possession) infringes on your rights.

Re:ODD????

[mvdwege]

Bob,

I've taken you to reply to as you seem to be the most sensible in this whole gun debate. You got to remember that we here in Europe only get to see the bad consequences of gun ownership on tv. We see the guys that gun down schoolchildren, or the paranoid militia kooks with military grade arsenals, but I am sure there are millions of Americans who own firearms and treat them responsibly.

So here's the question, out of curiousity: what are the safeguards in place in the US to ensure that only the responsible citizen gets to own a gun? What kind of tests are available now, is there some sort of certification? And if not, is that not the direction you need to go for gun control, instead of trying to ban guns outright?

Note this is a serious question, and if you or anyone else want to continue this debate (I am curious) you can mail me if you want.

Mart

Re:Rational questions

[mvdwege]

Bob,

I may have phrased that a little carelessly. What I meant is, as it stands now it is the irresponsible (read 'the criminal') that can get their hands on the guns easily. How can you assure that it's not predominantly them that get to carry weapons, without infringing on the rights of all citizens?

So to recap, my question was not meant as a question on the current state of affairs, but as a theoretical question into the ideal state of affairs. As I said, our view in Europe on the US gun issue is heavily skewed by what makes the news, which is not millions of peaceful gun owners, but drive by shootings and paranoid militias.

Mart

Re:Rational questions

[mvdwege]

Punish abuse. Prosecute those who harm others, regardless of weapon

I tend to agree with your posts (as I said, you seem like a reasonable man), but this seems to be the main problem. If the abuse takes the form of mowing down a schoolyard full of children, it is easy to see why the anti-gun people say that it is the easy availability of automatic weapons that made the perpetrator so dangerous. The fact that his abuse of the 2nd amendment will be punished harshly is no comfort to the survivors.

I think that this is the sticking point in the debate. Sure it will be used as a straw man argument, but it is hard to argue the point that even though it may be punished harshly, firearms abuse has irrevocable consequences, ie dead bodies.

So while I may agree with you, I don't think I agree enough to start pushing for firearms liberalization at home. Perhaps this is, as another poster stated, a uniquely US cultural issue.

Mart

Re:Rational questions

[mvdwege]

Sorry Bob,

But I have to reason from personal experience, as I have a deep distrust of statistics (they are too easy to lie with), and the Netherlands, with fairly tough gun controls has in fact one of the lowest levels of violent crime in Europe. So the proviso that tougher gun controls == more violent crime does not seem to have a causal relationship.

The point I was trying to make is perhaps reinforced by your argument: in countries where gun ownership is considered normal, any tightening of controls will only benefit the criminals, but as I said, down here gun controls have always been a fact of life, and we don't see any reason for relaxing them.

Oh, BTW, I did agree that automatic weapons argument was a straw man. I know it is a bit of a hot button issue for Americans, but please don't spoil the impression of a rational man you've been providing 'til now.

Mart

Re:Rational questions

[mvdwege]

Ok, I can start typing a long answer here, but I'll keep it short. If you want to continue this discussion, I suggest you reply by email, my adress is valid.

I wholly agree that violent crime and gun ownership are seperate things. In fact I agree with you that in places where violent crime is endemic, it might help if the lawful citizens go armed. Altough it is the primary duty of the government to prevent crime, this is in fact rather hard to do, since police can not be everywhere. So self-defense then should be something that is guaranteed to a citizen.

The Netherlands however, do not compare well with the rural US, except perhaps in the mindset of the people living here. I see you want more historical details, I could provide with those. Just drop me an email.

I think looking back on the discussion I think we agree rather well actually. It's been fun talking about this, thanks.

Mart

Re:Rational questions

[mvdwege]

Ok, final answer here.

Protecting the rights of citizens includes preventing crime. After all, what is theft other then depriving someone of his right to his own property? And the Benjamin Franklin quote is quite frankly a strawman. You inevitably have to give up a few liberties to live in a community in the first place. Note that old Ben specifically mentions essential liberties. We give our governments the right to deprive us of certain rights, in exchange for rigidly prescribing when the government can actually use that power, ie when we break the law. That is what I mean by the government exists to prevent crime; they prevent it by promptly acting when a crime is in progress, however this is not always practically possible, hence the right to self-defense.

Mart

Re:damned analogies

[Saxerman]

Lets stop trying to make analogies for every single issue? They're only useful when trying to explain an issue to someone who doesn't understand it; I think that the issue of rootkits is generally pretty well understood by this community. Rootkits are designed to aide criminal activity - I can't think of any other purpose for them except to make sys admins afraid and thus more vigilant.

Pardon my continued use of an analogy, but it seems you are missing the common point which should be "generally understood" by the community.

Let us say I have a bullet proof vest. How safe is the vest? How do I determine how safe the vest is?

We can try and wish the problem away by saying, "If there are no guns, we don't need to protect ourselves from them!" But criminals do have guns. And script kiddies still have root kits.

Now, the irony that the sysadmin will make the world safer by testing her new firewall with her homemade rootkit isn't lost on me. But this mistaken belief that obscurity is security annoys me. Security is a state of mind. And while you might feel more secure NOT knowing your boxen has been rooted, what does that really accomplish?

It has been said that the price of security is eternal vigilance. Pay the toll or get off the highway.

Re:You forgot to blame it on Bush

[Fat+Casper]

He isn't responsible for everything bad that happens; he hasn't the character, my ineffable little scaredy-cat friend.

"You know, the golf course is the only place he isn't handicapped."

That's funny.

[Fat+Casper]

My wife uses those tools to break into our own computers, so she can make them more secure. If everyone with cable/DSL has to re-invent the wheel with security, nothing will be secure.

If you outlaw cracking tools, only outlaws will have them. I don't want my boxes 0wn3d, so I'm glad for downloadable tools.

"You know, the golf course is the only place he isn't handicapped."

Ban computers

[Fat+Casper]

We all know that compuuters do have legitimate uses, but the thought that some kiddie can buy one without an ID, without even a waiting period, chills me to the bone.

I can't stand these jackasses trying to extend regulation everywhere when there are already laws in place that can put the perps in jail for quite some time. But no, they need to expand the definition of crime past injuring someone or something to simple posession. Posession of tools that can help you secure your computer? Publication of information to warn people that their computers are not secure? Burying your head in the sand makes you capable only of burying it deeper.

"You know, the golf course is the only place he isn't handicapped."

Phantasy Star Online

[Koitsu]

I have found many severe bugs in the online game Phantasy Star Online that I have notified Sega about, yet they have not fixed them, or even replied to my contant emails. I want to write an exploit to post onto Bugtraq to force them to fix it, but I don't want to incur liability upon myself.

What am I supposed to do?

What is illegal?

[isa-kuruption]

Is obtaining explosives or parts used in explosives illegal? Should it be illegal? Well, it is illegal. Why? Because by creating an explosive, you have an intent to either kill someone or destroy property.

Let's compare this to a rootkit. Should it be illegal? Maybe. Why? Because building a rootkit is INTENT to commit a crime; that crime being unauthorized and therefore illegal access to a computer system. Just like there cannot be many arguments made for creating or having an explosive device that is 'legitimate' there isn't many arguments for creating a rootkit that's legitimate.

A good example of creating an explosive for legitimate use would be if you were a contractor that dealt with bringing down skyscrapers. Now, if your business is as this is, you have a legal right to have explosives. Likewise, miners use explosives, etc etc.

An example of a rootkit? Well, let's say you're a O/S vender. The ability for you get to administrative access to a machine when your customers can't is an asset (or everyone gets pissed), therefore it would be legal for you to have a rootkit for your O/S.

True, maybe making a rootkit is a "learning experience" but so is making a bomb. It doesn't make it any MORE legal just because you learn from it. Because you learn how to make crack-coccaine doesn't mean it should be legal.

Granted we have all this freedom, but there is a point where freedom oversteps the bounds of good moral and common sense for the good of everyone. Since freedom is a concept for all men and women and not JUST you, then it would be to the benefit of everyone to make either the creation of a rootkit or distribution of a rootkit illegal.


I think you need to flash your brain's firmware.

Re:What is illegal?

[isa-kuruption]

You should try reading my whole comment before making dumb remarks.

First, if you try to go buy dynamite you will not be allowed (try it, I dare you). This is because it is illegal for the common person to own explosive devices. Yes, as I said, people CAN own such things but they require licenses and fall under very strict guidelines. Otherwise, it is illegal.

The reason it is illegal is because unless you are particularly licensed to perform such things as demolition, your only reason for having an explosive device is to maliciously destroy something and cause harm to others, also what I said in my prior statement.

As far as your last comment on rights, obviously your reading comprehension skills are inadequete. I didn't say that you owning a rootkit infringed on my rights. My point was, you have no right owning and/or distributing a rootkit because you have INTENT to illegally gain access to someone else's computer.

I think you need to flash your brain's firmware.

Re:Full Disclosure

[Matt+-+Duke+'05]

Can someone please mod this up? This was the most well though out post that I've read so far. Enough of these "well, shouldn't we just outlaw hammers" analogies... their logic is so flawed. It seems that every time an arguement such as this arises (i.e. Napster, etc.) this same defensive analogy is used, and if it continues to be used, the previous poster's scenario will definitely come true and the government regulation that ensues will be far more restrictive than merely making rootkit developers liable for their products' usage. There is definitely a clear distinction between publishing a piece of software's vulnerabilites (or an OS's for that matter) and writing a tool that even a brainless monkey can easily use to exploit said vulnerability. As the previous author stated, yes, there probably are a few "script kiddies" who can take a security adivsory and have enough skill to whip up a program to exploit this, but on the whole, a vast majority of "script kiddies" do not possess the know-how to do this. Why give them the tools that they need so they can eventually end up causing us usage outages due to DDOS's executed from compromised machines? The only valid arguement here is that published rootkits/exploits/whatever force a software publisher to fix a flawed product, but why not just send the publisher the exploit or an in-depth analysis of the hole? In the end, the only people who lose are us, because our legitimate uses of the Internet will be lost. A perfect example of this can be seen in EFNet. EFNet used to be a nice place to hang out and chat, but because of the prevalance of these published exploits and rootkits, stupid script kiddies have ruined EFNet for the rest of us by causing MANY servers to leave EFNet and by disrupting the flow of the few servers that do remain. With time, this same phenomenon will undoubtedly apply to the Internet at large. Just my two pennies....
-Matt

Its not my fault

[nichughes]

• Its not my fault I fell over the pavement.
• Its not my fault I spilled coffee all over myself
• Its not my fault that the script kiddie I gave my rootkit to used it to hack someone.

Do we really want to live in a world where nobody takes the slightest responsibility for their own actions? We might question the technical ability of a court or jury to judge whether that was the primary purpose of the tool but the same principles must apply to software as to anything else - you may be held responsible for the results of your actions.

Re:What about the authors of the vulnerable softwa

[stuccoguy]

Of course, by using the software you are agreeing to the licensing terms and most licenses (whether open source or closed) contain clauses similar to:

EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

Re:Guns don't kill people...

[haruharaharu]

Well, if you're trying to administrate someone else's notwork, I'd say that's over the line.

Re:Guns don't kill people...

[haruharaharu]

Keep in mind that death by gunshot includes suicides. That means that alot of people who would've blown their heads off jump off a bridge or swallow a pile of pills.

As far as the general gun issue goes, every US state that has passed a law allowing concealed firearms has seen a drop in armed robbery and similar violent crime. I suppose you're less likely to mug somebody when they might have a gun too.

Rational questions

[Bob_Robertson]

Mart,

As England and Australia have discovered with their incendiary increases in violent crimes, including crimes committed utilizing firearms, after their prohibitions on lawful private firearms ownership, the issues are far more complex than just what is "lawful".

"what are the safeguards in place in the US to ensure that only the responsible citizen gets to own a gun?"

Your assumptions are that that there can be such safeguards.

Lawful firearms ownership is, by its definition, responsible ownership in the same way that lawful automobile ownership implies that you haven't harmed anyone by using it irresponsibly. The "law" punishes irresponsible use, anything beyond that is legislated opinion.

It is far easier to un lawfully purchase a firearm in the US than it is to lawfully do so. Waiting periods, background checks, licenses in almost all states to purchase and carry those firearms. Again the experience in England and Australia that when those people who abide the law and forsake ownership give up their arms, the only people left armed are the ones who acquire them unlawfully.

In New York City, Chicago and Washington DC, to cite the most restrictive locations, private lawful firearms ownership is nearly impossible. Yet these are also locations at the top of the "death by firearm" statistics.

Your presumption concerning licensing is also, in my opinion, reversed. It is not impossible to get a license to carry a firearm in those same high-crime cities, the licenses are in fact very hard to get.

Yet in those places where firearms licenses are not required, crime rates are very low. Where the laws have been changed to make lawful firearms ownership easier, in direct contradiction to your implied argument, crime rates have gone down.

The reason for this is simple: Those people that the "laws" disarm are those who were never a problem in the first place.

"False is the idea of utility that sacrifices a thousand real advantages for one imaginary or trifling inconvenience; that would take fire from men because it burns, and water because one may drown in it; that has no remedy for evils, except destruction. The laws that forbid the carrying of arms are of such a nature. They disarm only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man." --Cesare Beccaria, _On Crimes and Punishments_, 1764

Bob-

Re:Rational questions

[Bob_Robertson]

Mart,
"How can you assure that it's not predominantly them that get to carry weapons, without infringing on the rights of all citizens?"

By not infringing on, or restricting, the peaceful carrying of arms.

To oversimplify, prohibition doesn't work, be it alcohol, drug, gun or any prohibition without, as you specify, "infringing on the rights of all citizens". You might want to read what Machiavelli had to say on the subject. Gun control is not a new idea, regardless of what the media and prohibitionists tell you. It has been tried, and failed, throughout history.

Punish abuse. Prosecute those who harm others, regardless of weapon. To stigmatize "firearms" obfuscates the issue of violence and predatory action which is what you actually want to "do something about".

Every emotional railing against "firearms" for their effectiveness diverts attention from the fact that, yes, they are effective in the hands of a weaker, smaller victim in defense against larger, stronger, or even multiple attackers. Had Bernie Geotz(sp?) in NY several years ago caused the same injuries to his attackers by using karate moves, or an umbrella, even if his attackers had died he would have been hailed as a hero for defending himself.

But no, he chose to defend himself from attack by using a firearm, and that's all anyone remembers.

If you're on /., you're most likely someone who works with logic, definate rules, cause and effect. You wouldn't expect 2+2=7 no matter how many times someone said it was 7. So, in effect, do the math: Criminals break the law. Prohibition disarms only those who abide the law, who are by definition not criminals. Therefore, prohibiton doesn't work.

As far as "paranoid militias" go, check out Jews for the Preservation of Firearms Ownership.

Bob-

Re:Rational questions

[Bob_Robertson]

Mart,

This is not a US-centric issue, it's a human rights issue.

You speak of "mowing down a schoolyard full of children", and bring up the very straw-man "easy availability of automatic weapons that made the perpetrator so dangerous" without any basis for your statements.

I must conclude you have never actually fired a fully automatic weapon, or you would know that "spray and pray" doesn't work anywhere but Hollywood. I must also conclude that you believe arms control and prohibition to be a new political phenominon. Both have been refuted so often as to be laughable.

Your conclusion is also completely false. This is not a "uniquely US cultural issue". The increases in crime in the countries that have recently expanded their prohibitions on private firearms ownership are good exmaples. The Swiss, who maintain fully automatic firearms at home and have private firearms ownership (I believe) even higher than the US and yet very little violent crime, are another example.

In direct contradiction to your assertion, Israel actually did have a problem with terrorists "mowing down school children". The answer was to arm teachers, and allow armed parents to accompany school outings.

The result was not more "blood in the streets", the result was simply that after a few dead terrorists the attackes stopped. I will gladly trade a dead terrorist and a couple injured children for a dozen dead children. Won't you?

The only reason there is any debate at all is because of the emotional training that has been received, that firearms are somehow "more inherently dangerous", and private individuals cannot be trusted with them.

This emotional training rejects every historical, statistical and anecdotal rebuttal. When someone finally attempts to argue against the emotional training with emotion, those who fear modern firearms simply reject the appeal as mere emotional argument.

The only reason this is an issue at all is because politicians believe they can get elected by playing on the fears of their citizens. The lowest and most vile of politicians do so by playing on the fears citizens have of other citizens.

Bob-

Re:Rational questions

[Bob_Robertson]

"the Netherlands, with fairly tough gun controls has in fact one of the lowest levels of violent crime in Europe."

the Netherlands also compares well with rural US, where lawful firearms ownership is common. you actually do a wonderful job of demonstrating my point, that violent crime has nothing to do with guns.

from an historical perspective, i would be very interested in the changes to Netherland law that saw the enactment of firearms prohibition, or if it was a general expansion of private arms prohibition as technology changed, etc. Europian peasents have historically been unarmed, so it's perfectly reasonable that "gun control" is irrelevant there. i've not made a study of the Netherlands in that respect.

the general rape and slaughter of unarmed Europian peasents by armed thugs, be they government or freelance, is also a well known historical fact. it is not happening right now, true, but 60 years is not a long time.

automatic weapons are as much a "hot button" for the civil rights activist because of the principle that there is something an individual is not allowed to choose, just as someone who understands engines would object to government mandated "rev limiters", or someone who understands computers would object to government mandated "clock speed limits" or "connection speed limits".

strangely, when talking about denial of service attacks, i have not seen people decrying how this wouldn't happen if people didn't have fast connections, since the misuse of such "assault ADSL" connections demonstrate that easy availablity promotes abuse.

same argument, same reasoning.

Bob-

Re:Rational questions

[Bob_Robertson]

Mart,

Yes, it's been interesting. And I was talking about the lack of crime being comparable, not much else.

We do have one very serious disagreement, however:

"it is the primary duty of the government to prevent crime"

No, it is the primary duty to protect the rights of the citizens. Europe is full of people who believe they must forfeit their rights in order to be safe, to "prevent crime."

"They that give up essential libery for a little temporary safety, deserve neither liberty nor safety." --Benjamin Franklin

How is this any different than what you said? Because in order to prevent crime, you must be able to crush the rights of citizens at will. To prevent crime is to not wait for a crime to be committed before taking action. Yet, if no crime has been committed, all that is left is a "government" continually crushing the rights of its citizens, arbitrarily using powers of search, prohibition and imprisonment to prevent whatever the "government" defines as crime this week. In more honest circles, it's called a "protection racket".

What people who want to be safe forget is that the minorities of Germany, only 60 years ago, were murdered by their lawfully elected government. The Soviet Union, China, Armenia, Yugoslavia, Zimbabwe, Waco Texas, I use these examples because most peope can remember some recent history.

The real issue is not, and never has been "guns" or crime. The issue is control, prohibition, censorship. The illusion of safety, the safety of the tyrant where the criminals are the ones in uniform.

Bob-

Re:Rational questions

[Bob_Robertson]

Mart, you're contradicting yourself.

"ie when we break the law."

Then the crime has not been prevented, it is punished. If they're caught.

You might want to check your local laws. In America at least, it is explicitly written into state and many local laws that the police (and government agents of all stripes) have no legal requirement to protect anyone . Government agents cannot be prosecuted for failure to provide "protection". It's not their job.

Also, governments do not have "rights", they have "powers" that have been granted to them.

The B.F. quote is no strawman. I did not put it there to tear down and then blame you for it. Neither is is use of "essential" at issue, because "essential" is subjective.

Or have you somehow granted to government the power to regulate what is and is not "essential"?

Bob-

ODD????

[Bob_Robertson]

The "purpose" of a gun is to propell a lump at high velocity in a given direction. Every other aspect of the tool is dependent entirely on its weilder. "plenty of guns available for target shooting only purposes,..." as if a .22 Olympic target pistol won't kill, if used for that purpose? GET REAL! The reason that, "but these don't seem to be the type of gun people want to own", is because firearms that are target-shooting specific are like race-cars. They are delicate instruments that operate best when used in skilled hands for their use-specific design purpose. There is no reason you cannot use a race-car on a city street, nor that a target pistol cannot be used in a self defense situation. But one does not race a mini-van at Indianapolis Speedway, nor does one (commonly) carry a Thompson Center Contender in .223 every day for self defense. (however, i have a great story about a G.I. who took his T.C.C. to 'Nam, and "defended" his squad quite effectively) AnnonCoward needs to do some soul searching as to what qualities people want in a firearm before he calls others purchasing decisions "odd". Bob-

Then Prosecute Intent

[Bob_Robertson]

GB,

If, as you say, anything can be used as a weapon, what is the common ground? What makes punching a hole in a paper target just fine, and punching a hole in a human body an evil act?

Intent .

That's why causing a death by accident isn't murder, there is no intent.

Social standards are applied to such situations to determine negligence, the lessons learned by such efforts are an excellent way to assist people in knowing how to own something without injury to others. So is insurance.

Since anything can be used to cause harm, and only the intent is what creates a crime, then prosecute actions based only on the actors intention.

This would, however, make simple ownership of weapons of all kinds, drugs, computer software, rocket engines, annonymous bank accounts and lots of other things perfectly lawful. There are a great number of busy-bodies who just couldn't stand not being able to control others lives to that extent.

Gee! What a Great Idea! When do we Start?

Bob-

Another bumper sticker:

[Bob_Robertson]

Chappaquidic: 1
Three Mile Island: 0
Go Nuclear!

"atomic bombs are arms under the 2nd amendment."

[Bob_Robertson]

Argumentum ad absurdum.

however, it does raise a valid point: at what point is an individual choice so fearful that ones neighbors will kill someone rather than let them make that choice? AnnonCoward believes that atomics are sooooo dangerous that he would rather kill his neighbor than let them own one.

if you think i am "arguing to the absurd", think again. each and every law, no matter how small, depends on the state's ability to take your life, through imprisonment or death, you if you disobay.

so lets say for argument that i choose to buy an atomic device. my insurance company tells me the specifications for safe storage, so that i don't loose my coverage and have to pay myself for any incidental damage. i am personally liable for misuse, however, as with everything.

how about biological weapons? i can deliberately err when making canned tomatos and manufacture a very effective botulin grenade, complete with glass container for maximum shatter effect.

or how about concentrated niccotine? a little Dimethylsulfoxide to carry it into the bloodstream, and lets go spread it on peoples automobile door handles at night as a lark!

and that DSL connection you have, that's too fast. people have been known to use fast internet connections to send large ammounts of spam, and to facilitate denial of service attacks. no one *needs* anything more than 64Kbps, and we all know that speed kills.

Bob-

Re:Guns don't kill people...

[Bob_Robertson]

The point is, that most gun victims don't die because the other one wanted to kill them in the first place.

I know this may violate some rule, but can you provide *ANY* citation or support for this absurd statement?

You do realize that someone breaking into your house is not an excuse for you to kill him, don't you?

Obviously you live somewhere that is not in 49 of 50 states of America and most of the rest of the world too. (Massachusetts is one exception, or at least it was when I lived there)

Someone breaking into your house is defacto evidence that your life and limb are in danger. Killing them is simple self defense. It is prudent to at least *try* to yell "get down" or something first, but as has so often proven true there are times that there simply isn't time for that.

You can argue all day long that "they didn't deserve to die", but then they shouldn't have been breaking into someones home either.

Bob-

Re:Intent *does* matter

[Anomolous+Cow+Herd]

Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns

Oh please. Can you name a non-lethal use for a gun? One is reminded of the episode of the Simposons where Homer uses his gun to turn on lights in his house.

I am a rabid gun-rights supporter myself, but at least I refuse to lie about the issue at hand.

Re:Guns don't kill people...

[Ojin]

Here in Japan,having a gun wizout a licence can put the owner into jail for 3years minimum,plus,if
he has a bullet,the judege adds another 2years circa,depending on how many bullets... the Gangs
boss therefore did not carry the gun.but his security guradmen were carrying,thus,to avoid,their boss being killed by enemy... However,since,few years,ago,The legistration overhere has changed,and extended,to construe,that
those guardmen of the Mafia boss are the employee
of the boss,and the boss is liable,for what the employee is accused of. Therefore, No body??
here dare carry guns illegaly.
apropos, drinking and drivingg death rates....
we have here in Japan, N System, i.e. number system. the cameras are set on every main road
and shortcut road,and these camera scans,the number-plates of the cars,and send the data to
main Police computers. It means, If some one
had once been caught by Police for drink-driving,
and the Police wants to pick him again,the police
input the car number plate into,theirPC or mobile,
then, find, where the car is... or driving from
where to where. so,they send a patrol car,to stop
the car,to check,if he is ddrinking or not.
This N-system was not revealed,to the public,
until, the murder case of Britsih girl, Ms.Blackman, allegedly killed by overdrafted billionair. because, Mr.Blair UK primeminister
requested personaly,to put more efforts on missing
this young Briton,and our Prime Minister,has slipped his tongue,and mentioned, in front of mass
media,about N-System...... this N-system may
be already in yr neighbourhood, or, will be.
Now,here in Tokyo, more peopeple uses public transportation,and they are very clean, cleaner than some airline's biz class. walking,and
taking undergrouond are very healthy,and only few
cities in the world can enjoy,such joy..
USA cannot sign Kyoto agreements,to restrict,
dioxine. because, US citizens cannot live wizout
a car. while, Londoner,Parisians Warszawski,can
all live wizout a car... OJIN in tokyo

Re:Oh my, who is the victim

[FatherTim]

I think that is refered to as an "Act of God"

Hammer and killing don't relate to cracking

[Plague_nz]

Hold on a sec there the whole hammer thing is getting out of control, note that no one is killing anyone. It is closer to saying that someone took a sledgehammer to a building and you are going to sue the maker of the slegdehammer??
That wouldn't make any sense even though the sledgehammer was being used how it was meant to be!
I think that rootkits and exploits should still be published and created, the admins and software makers should just do there job.

Thats my first post :)

Plague

Re:Guns don't kill people...

The next time someone breaks into my house they are highly unlikely to be carrying a gun, because I live in a society that isn't obsessed with them. Criminals do not usually carry guns because people do not use them. People do not usually carry guns because criminals do not usually carry them. See how this works?

Not sure about your point about 'the colonies'. Britain doesn't have a gun culture, which means the average citizen neither needs nor wants a gun.

The problems with laws ALLOWING guns is you end up with one of the highest gun shot deaths per capita. Britain has something like 1/1000 of the PER CAPITA death by gunshots compared to the USA. Why? Because people don't have guns. What is it you can't understand about that?

Bullets kill people!

[sheldon]

I don't care about the guns. It's the bullets that I can't dodge.

Re:Bullets kill people!

[ErikTheRed]

Remember: Guns don't kill people, bullets do. Guns just make them go very, very fast.

Re:Intent *does* matter

[unitron]

"there are many non-lethal and justifiable uses for guns..."

Guns and people who seem just a little too fond of them scare me, but one non-lethal and justifiable use for them is deterence. You might even make the arguement that it prevents injury to both the innocent and the would-be bad guy if it pursuades them to re-think their illegal plans.

Re:Guns don't kill people...

[Goonie]

I'll kill you with my left hand if I have to.

I'm sure you could. However, it's very hard to kill large numbers of people with the identities of your choice in a short space of time without firearms, explosives, or other relatively sophisticated weaponry. If I'm pissed off at my coworkers, if I have the appropriate type of gun it's pretty easy to take it, wander through my workplace, and kill the lot.

The impetus to ban automatic and semi-automatic rifles in Australia came after just this situation - a deranged young man wandered around a historic tourist site and shot 35 people with a gun and ammunition he had legally purchased. Try doing that with your left hand.

Go you big red fire engine!

Re:Exploit tools != detailed advisories

[daviddennis]

Does this mean that if I switched my system software from, say, Linux to Solaris, the system would be more secure since there are fewer people who know SPARC assembly language?

The security expert we hired when there was a breakin into our company's Linux servers said no, but I'm curious to hear what you folks think.

Personally, after having had the experience of having my personal system broken into multiple times, I think the creators of rootkits should be sued within an inch of their lives, shot, boiled in oil and eaten by cannibals. Yes, I hate them that much. Making it trivial to break into someone else's system SHOULD be a criminal offense.

People like me who want to run a hobby server on the web should not have to spend massive amounts of time making their systems secure; eliminating rootkits and published exploits would eliminate 90% plus of successful incursions, because most of them are done by illiterate bozos who don't have a clue. My personal systems would be of absolutely no interest to a professional, but to some pathetic idiot who wants to prove his manhood by cracking a system, they are sitting ducks.

D

----

Re:An argument against criminalizing rootkit autho

[daviddennis]

Yours is by far the best post on this subject defending rootkit developers so far.

I don't know if I really want to destroy people's lives for making rootkits, but I sure wish they wouldn't be developed; I've had three systems damaged by them, and I'm pretty sure they wouldn't have been if someone hadn't created the rootkit.

Full disclosure sounds great in principle, and I'm uncomfortable with the suppression of free speech, but it really, really shouldn't be trivial to destroy someone's web server and force the system administrator to spend a week or more trying to figure out what happened and clean things up.

You could say that it's the admin's fault for not keeping up with exploits; but that's a full-time job in and of itself. Should it take that kind of effort simply to publish stuff on the web? I'd say that's an equivalent restriction on free speech, one that is truly evil since it affects anyone who can afford to run a web server, but not the time to scope out vunerabilities and fix them. There are a heck of a lot more people in that category than there are security enthusiasts who would be affected by a ban.

I come from the old ITS background at MIT; I loathe security with a passion. I'm nostalgic for the good old days when if someone did break in it was for curiosity's sake and nothing would be damaged. Now we have people who know nothing of what they are doing, capable of doing mean-spirited, evil stuff. I think that is, simply, wrong, and helping them is likewise wrong. And that's exactly what rootkit developers do. They are aiding and abetting evil; should they get away with it?

D

----

Re:I'd Rootkit them

[daviddennis]

But how do you determine who these people are?

Seems to me it would be easier to get at the rootkit author than the person who pulled the trigger. Most of them have email addresses at least.

The real problem with making rootkit authors liable is that I suspect most of them don't have enough money to pay damages. Nobody's going to make a 13-year old kid pay $2,000 for a week of my time plus $30,000 in lost sales - and yet an attack can easily damage a system that much and more.

So what to do that's effective? You tell me.

D

----

Ted Kennedy's car...

[Wee]

...has killed more people than my gun.

An old bumber sticker cliche, but true nonetheless. And of course, they can pry things from my fingers, yada yada yada. Can't we all just get along?

-B

Re:More precise than the gun analogy

[Arandir]

So to use the gun analogy... Ban metallurgy?

Re:Guns don't kill people...

[gimpboy]

explosives, or other relatively sophisticated weaponry.

what is so sophisticated about diesel fuel and fertilizer? really there are alot of explosives that are cheap and easy to make. a simple google search will provied instructions on how to construct such devices. you can even purchase the books online if you cannot make it down the library.

really though if someone wants you dead there isnt much you can do to stop them especially if you are not aware of their desire. banning guns treats the symptom and not the problem. the only solution that involves banning stuff is to ban everything. the only way to stop people from violating the rights of others is to strap everyone to a bed at birth and not allow them to come into contact with others.

use LaTeX? want an online reference manager that

Re:Guns don't kill people...

[gimpboy]

There are plenty of guns available for target shooting only purposes, but these don't seem to be the type of gun people want to own. Odd.

yeah the next time somone breaks into your house ask them if they will hold a target for you. also keep in mind, in the US the right to bare arms is intrinsically link to the distrust of governemnt. the government is less likely to try to opress an armed populace.

i remember after one of those school shootings somone on cnn was interviewing a person from britan. the lady said she couldnt understand why americans think we need guns. i guess she forgot all about the colonies. after the series of school stabbings in japan they are going to have to ban knives.

the problem with laws banning things like guns and root kits is there are already laws banning their abuse. we already have legislation for murder and computer crimes. passing more laws is a silly thing to do. people who murder obviously dont have anything aginst breaking the law. the same with people who go around rooting boxen.

use LaTeX? want an online reference manager that

Re:Guns don't kill people...

[gimpboy]

first where did you get the numbers? second do you have the numbers for the number of people knifed to death? jumped off bridgets?

this comes back to the statistics thing again. you are trying to make inferences based on two numbers. these two numbers dont even come close to fully describing the situation in either country. by this i mean: in the us a gun may be the tool of choice for suicide. in the uk and else where it might be drugs, or sliting ones wrist. if the people are going to kill themselves either way the method doesnt really matter. this is true for any type of violent crime. thats why i dont think you can make inferential stantments based on the statistics you have put forward.

the next piece of reasoning might be wasted on people who are not from the us. the constitution is written in such a manner that makes this country pseudodemocratic. the constitution states that we have certain rights and legislation is reserved for those issues that are not explicitly mentioned. since the right to bare arms is explicitly mentioned, that removes it from the realm (or should remove it from) of legislation.

there is a mechanism in place to remove this right. it is possible to amend the constitution, but i doubt the democrats will be able to pull enough republicans over to the cause on this issue. amending the constitution was made diffacult intentionally to preserve the rights we do have.

use LaTeX? want an online reference manager that

Re: Not so Ridiculous

[coyote-san]

You're mixing two distinct items here.

A disclaimer can shield you from honest oversights and engineering tradeoffs. But no contractual term can shield you from "negligence."

What's something in negligence in software? That's for the courts to decide, and I don't know if there's case law here yet. But it would be hard to justify crap like explicit backdoors, calling system() with user-supplied data without checking for subshells, etc.

"for educational purpose only"

[chrysalis]

Rootkits and exploit scripts often come with a little disclaimer : "for educational purpose only", "it's only a proof of concept", etc.

-- Pure FTP server - Upgrade your FTP server to something simple and secure.

Lawyers: Been there, done that.

[Tackhead]

> [Suing security analysts for publishing 'sploits] seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)

Too late. Gunmakers have been sued with astonishing regularity, essentially being blamed for the actions of the (ab)users of their products.

(Of course, the typical /. liberal wouldn't know or care about that, because guns 'r' bad, mmmmkay, and the typical /. conservative is probably already writing a rant to that effect. Let the ubiquitous typical /. gun-control-and-politics thread now commence. But let's keep it in one place this time rather than filling the whole damn commentspace with it ;-)

Re:Lawyers: Been there, done that.

[legLess]

In sharp contrast to the tobacco industry, the gun industry has never lied about its products. "Guns killing people? Why no Senator, we've never heard of such a thing."

One large gun lawsuit was thrown out not too long ago, and I think that's a Good Sign. This society does not need more laws, or lawsuits. We need people to (a) mind their own fucking business, and (b) take responsibility for their own fucking actions. At least as important, we need intelligent and ethical leaders who'll do the same.

Parenthetically, let's not start praising the U.S. arms industry, mmmkay? The United States supplied arms or military technology to more than 92% of the conflicts under way in 1999 [source]. When the U.S. government gives "aid" to another country, that aid is usually not cash, but some sort of voucher for U.S.-made products, often arms. So the U.S. government is using U.S. taxpayer dollars to fund the arms industry to give weapons to foreign governments. Nice deal if you can get it, huh?

"We all say so, so it must be true!"

Similar to SLAPP lawsuits

[slam+smith]

What people should realize is that even if you are right, you can still be "attacked" in court. SLAPP (Strategic Lawsuit against Public Participation) are very common today. Someone tries to participate in the public and they will get sued. The person suing them has no way to win but still just the threat of the suit can be enough to stifle participation. I can be the same with rootkits. These kits may be used in ways not anticipated by thier developers. But someone may decide that they will sue to keep the kit developer from going ahead. Given the legal defense fund size(zero) of the average hacker, this is a pretty daunting prospect. Even if the hacker is virtually guarenteed to win the case.

To misquote the gun lobby...

[stefanlasiewski]

"Rootkits don't hack... people do!"

Or, to misquote the rootkit authors(g):

"This gun is for educational purpose only"

Re:Intent *does* matter

[karb]

While it might mean something different by definition, the popular view of semi-automatic is that a trigger pull fires the gun, ejects the bullet from the chamber, loads the next bullet, and primes the trigger.

In PA, for example, you can't use a semi-automatic rifle for hunting. It must be bolt, pump, lever, etc. Meaning after the bullet is fired you must, by hand, eject the bullet and load the next one (although, with rifles, doing this will usually also prime the trigger).

damned analogies

[matman]

Lets stop trying to make analogies for every single issue? They're only useful when trying to explain an issue to someone who doesn't understand it; I think that the issue of rootkits is generally pretty well understood by this community. Rootkits are designed to aide criminal activity - I can't think of any other purpose for them except to make sys admins afraid and thus more vigilant. If you have a root kit, you can claim that you're experimenting to see how it can be defeated... but if you create one, you're creating a tool which has a sole purpose that's illegal. I don't think we need more law for this; shouldn't it be covered by aiding and abetting laws already?

Re:Intent *does* matter

[jesser]

Perhaps guns were a bad example. Let's go to the extreme, and take, say, a nuclear weapon. Not many people explode nuclear weapons in their backyard for fun. They are clearly designed for only one purpose - to decimate large amounts of people and property at once, and are extremely dangerous. There is no ambiguity here. Should It be legal for me to have one in my closet and leave the assessment of intent until after I use it on downtown Manhattan? Probably not. at least in my humble opinion.

But, like guns, nuclear weapons can have a strong deterring power. In fact, that has been their only use for over 50 years.

Yeah!

[Greyfox]

Making analogies is totally useless. Like when you have a sheep and you need a firehose. Or like when you have a dingo but no nipples! I would go so far as to say that making analogies is like when you have a vampire bat and a sausage and you can't figure out which one you want to put in women's underwear!

I hope this clarifies analogies in general.

Re:Guns don't kill people...

[Arker]

From the article:

However, the way it was described to my legal-system-lame self was that the same pretense that the tobacco industry and gun industry is being sued under would apply to Computer Exploit, Rootkit, and Vulnrability developers -- that being that the developers and producers were aware of the damage their work would cause, but non-the-less released the software/information.

Pretense. Very well chosen word there.

The jury's still out, so to speak, on whether or not the firearms industry will indeed be sued out of existence, but things aren't looking real good right at the moment. The precedent has already been set, to a degree, by the tobacco cases, where it was easiest to whip up public support. The stronger the precedent gets, the less of a chance makers of root kits, or anything else that can possibly be misused (and what can't be?) will have when their turn comes.

The issues are exactly the same, and it's very important that those of you who don't own guns realise that now. If you wait to fight for something that you personally care about, it will be too late. Nanny-statism should be resisted on principle, not just when it infringes on you personally.

Martin Niemöller's famous and often (mis)quoted statement - "When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and the industrialists, I was not a member of the unions and I was not concerned. Then Hitler attacked me and the Protestant church -- and there was nobody left to be concerned" comes to mind. But remember, they didn't actually come for the Jews first. They came for the gun owners even before the jews - in 1938.

"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Re:Guns don't kill people...

[Tassach]

Not too long ago, a deranged man walked into a church in England with a sword and started hacking people with it. [I forget the exact body count, but that doesn't matter.] OK, so now you ban swords. When next lunatic uses an axe or a sledgehammer or a chainsaw to do the same thing, you'll have to ban axes, chainsaws, and sledgehammers. Are you going to ban cars when a lunatic drives his car into a school bus stop and runs over the 18 kids standing there? A quarterstaff is a pretty lethal weapon too -- are you going to outlaw trees?
The fact that the Australian legislature got a collective case of brain damage and passed knee-jerk legislation should have no impact or bearing anywhere else. The fact that law-abiding Australians meekly surrendered their arms to Big Brother makes me weep. Fourtunately, if the US congress tried similar nonsense we [hopefully] still have enough patriots around who'll march on washington and remind the idiots what the words "shall not be infringed" mean. Also consider what would have happened if Australia had liberal CCW laws -- if just one of the 35 victems you mentioned had been armed, (s)he could have returned fire and saved the other 34. If one of the curchgoers in my previous example had been armed, the swordsman could have been subdued with little or no risk [probably without firing a shot]. More to the point, it's very likely that would-be spree killers would not be willing take the risk of facing an armed victim.

An argument against criminalizing rootkit authors

[Sheetrock]

While it is obvious that the easiest way to clean up the problem of DDOS attacks (or website defacements) is to remove the capability of the people executing the attacks to compromise servers, creating or using legal punishments for rootkit designers is not as clean an approach as some would hype it to be. In fact, I can use much the same arguments as I'd use in favor of full disclosure.

First of all, even if rootkits were declared illegal tomorrow, they'd still get made and distributed -- they just wouldn't be as available to the people who need to detect them and clean them up. Additionally, illegal in the U.S. doesn't necessarily mean illegal overseas or even illegal in Canada... though I'm sure our government is working on that.

Additionally, if developing rootkits is deemed illegal, we start making our way down that famed slippery slope. How does one define a rootkit? Will 'certified' security experts be able to design proof-of-concept rootkits while the rest of us amateurs are considered to be criminals for doing so even in the interest of proving security vulnerabilities? How about individual exploits; will a chunk of code that demonstrates a vulnerability allowing the spawning of a remote root shell be considered a rootkit? Given the rather loose definitions in our laws, I'd bet so. This would effectively kill the idea of full disclosure and much of the amateur research into computer security.

Finally, the more legal intervention that occurs in Internet activities, the better the chances the things that have always made the Internet useful and unique will get stamped out. Cutting down on the free exchange of ideas is a bad idea except where it is absolutely necessary, and in this case I doubt it would be even slightly effective. The focus should be on fixing the software and the infrastructure, because not having public knowledge of the flaws in these systems isn't going to make the flaws any less exploitable to someone who already doesn't care about the law.

---

Re:Oh no...

[ErikTheRed]

Don't laugh - there are many products out there (ladders and scaffolding come immediately to mind) where one of the largest cost components is liability insurance for the manufacturers.

Re:Guns don't kill people...

[IronChef]

Well hey, if you spent some time here, welcome to the debate. But I do get fed up with people who have zero clue about life here putting their two cents in... I don't start yapping to Germans about the racism issues over there and I expect the same courtesy in return.

But since you have actually spent time here, huzzah.

Re:Guns don't kill people...

[IronChef]

Self Defense" basically just means "shoot 'em dead" to you guys, doesn't it?

It means shoot 'em until they are no longer a threat -- until they stop advancing on you. If a gun is capable of doing that quickly -- with one or two shots, perhaps not optimally aimed due to stress -- it's possible to kill the guy, sure. That's his problem though.

For me, "self defense" refers to guns, yeah. I am not a big guy. I would probably lose a physical struggle, and I am not about to bet my life on my chances in one.

Self-defense is a serious business! If you aren't prepared to take a life, don't use a gun. Using a teeny gun because it is less likely to kill someone will get YOU killed, because the angry guy with 5 tiny holes in him will come kick your ass and take your gun away.

(for you other gun nuts please note I am NOT saying that size is a replacement for good aim. It isn't and I am not advocating that. I'm looking at a worst-case scenario, using a truly tiny caliber like .22 for defense.)

Do you think the average criminal really wants a fight to the death, or are they more likely to run the second they see that you're armed?

I don't know what the average criminal wants, but if someone advances on me with a weapon, he'll get a warning and then he will get shot if he doesn't wise up.

Statistically guns are a great deterrent and are used a lot just how you describe. But if the bad guy calls your bluff you are in deep trouble! Never carry a gun you are not prepared to use, and never use a gun unless you feel you are justified in taking a life.

The best self defense is generally "running fast", or at least avoiding conflict however you can.

You're correct, in case of burglary you are not supposed to prowl your house trying to shoot the guy. You always should try to make yourself scarce and safe as a first priority. But depending on your house, safe escape might be impossible; your best bet could well be to hole up in the bedroom with the phone. In that scenario, I'd certainly want a gun with me.

Assuming you actually want to defend yourself, that is.

How could a person NOT want to defend themself? Are you a total pacifist, or are you just referring to gun use here?

I can understand people who do not want to risk taking a life during self-defense. Guns aren't for everyone. Great. It's a personal choice. But people who refuse to undertake self-defense of any kind... or who see self-defense as some kind of evil act... how can any rational person defend that position? Self-defense is a basic human right.

Re:Guns don't kill people...

[IronChef]

The US also has more stranglings per capita than other nations. We are a weird, violent culture. Guns aren't the cause. Don't know what is, but it isn't the guns.

Re:Guns don't kill people...

[IronChef]

Please do not take this as a flame, my good German friend, but you do not have the cultural foundation to partake in this discussion in an informed manner. You can memorize all the statistics that you want, but unless you have lived here for a while, you don't know jack about American culture, and that's what this debate is all about -- culture. Not numbers. Demonstrate some cultural understanding along with the statistics and you are welcome to join in.

Americans believe a lot of things that look crazy to the rest of the world. It probably confuses, frightens, and disgusts you. Sorry; you'll just have to deal with it.

Re:Guns don't kill people...

[IronChef]

You don't know much about guns. But that's OK; I'll clue you in.

A .22 is a very low-powered weapon. Unless your shot placement is very precise, you are unlikely to quickly incapacitate someone by shooting them with a .22. (Just to clear things up, by "shot placement" I mean being able to hit them in a vital area -- head or heart.)

A firearm that imparts more kinetic energy to the target is more likely to stop the target quickly. If someone is attacking you and you need to stop them, it's important to do so quickly. You don't want them to get off a few more shots, or a few more swings, or a few more slashes. Shoot them with a .22 and that's likely to happen.

If your life is on the line, and you actually need to shoot someone else -- you may as well do a good job of it. Unpleasant to think about but it's the truth.

Perhaps we as a nation can't aim very well?

That's a ridiculous statement. Let's see how steady your hands are when your life is in danger from an attack of some kind. Sheesh.

Re:Intent *does* matter

[IronChef]

But then why are we suing tobacco companies?

Because they lied. Glock never said, "if you pull the trigger it won't go off, nope, no way, it' sjust decorative."

Re:Full disclosure is _necessary_

[IronChef]

There are legal precedents about how once you edit the content in a public forum, you have become the "publisher" in effect, and you can he held liable for things in that forum. In other words, there are times when "hands off" is the only safe approach for the publisher or ISP; any editorial oversight sort of makes you liable for what's going on. (I think this harkens back to some case Prodigy was involved in, relating to some kind of libelous material on a forum, but I could be misremembering the source.)

I wonder if that might get extended to computer security matters. Once security analysis tools are illegal, publishers will be unable to ship secure products as easily, and to protect themselves they might try to get the same kind of deal. "Well, we didn't know about that root exploit, but since we never tested it we can't be liable. Lucky us!"

Of course, I'm a cynic. Prolly never happen... right? Right? Anyway, the software industry will cram UTICA down our throats soon and protect themselves that way.

Constant Issues

[AntiPasto]

Much like abortion, race, or other grey areas, the tools to comit crimes have been a constant source of public outcry.

Guns. Guns kill. Sometimes in defence, sometimes in malice, or sometimes in sport.

It's a shoot the messenger sort of mentality. Like when something bad happens, you always like "If only I......" and this is what our culture is having to deal with.

In a lot of senses its a mute point to remove tools in order to curtail. Water, food, and a toothpick can all kill you given certain circumstances. The real issue becomes drawing lines which given the history of world will never remain constant (Surveying has errors let alone whole countries are being redrawn or are in dispute all the time!).

Perhaps, much like that killer "water" we all drink, it will eventually become of less of an issue. For instance, it will become more accepted that hacking information is free, and what we'll really go after are those doing DDOS (once everyone knows what the heck that is).

----

Re:Constant Issues

[z4ce]

Yes, perhaps we all do drink that poison known as Dihydrogen Monoxide but should we really? Check out www.dhmo.org

Presentation of the tool

[RuneB]

IMHO, You have to look at the way a tool is presented when determining responsibility. Selling a hammer in a weapons shop would be entirely different from selling the exact same hammer in a supply store. The implied use of items from a weapons shop is different from items in a supply store.

It is similar with rootkits and exploits. How and where someone gives you an exploit or rootkit is important. An exploit on a cracking website might have a different implied use from the same exploit on bugtraq.

Thus, I think you need to examine the intent of the distributor more than the intent of the maker.

Many more ways for things to go wrong

[achurch]

Security holes in code can be boiled down to buffer overflows, incorrect application of user privileges, and access to internal scratch files by other users. Even flawed pointer use can be vetted out with the aid of a debugger tool. If you use functions like vsprintf() and careful in your design, your code will be 99.9% invulnerable to a root exploit.

You want snprintf(), not vsprintf(). But more to the point, these are only the holes that allow a root exploit--as you correctly emphasized, but referring to these as "[all] security holes", as you imply, is misleading. There are plenty of other ways for users to gain improper privilege. For example, look at the bug Slashdot had a while back where you could put a <font> inside your E-mail address and change the color of the text on the rest of the page (I may be slightly misremembering, but there was something like that at one point), or the brouhaha concerning session IDs stored in URLs. For a more subtle example (paraphrasing from experience), you could have a flag allowing special privileges for a chat nickname, which is cleared every time a new user uses the nickname and only set when a password is given--except that the flag isn't cleared if a user with an unknown nickname changes to the nickname in question, allowing improper privileges. There are, of course, many other potential pitfalls, many of which rely on what the program in question does; things like buffer overflows that apply to all programs are the easiest ones to find and fix, but only the tip of the iceberg.

What security holes in code really boil down to is insufficient checking, i.e. improper trusting, of input (this includes not only ordinary stdin/form/file input, but environment variables, signals, etc. as well). By ensuring that all input has a known format, the security and robustness of a well-written program can be proven.

--
BACKNEXTFINISHCANCEL

Re:The U.S. Law system

[AndrewD]

People interested in breaking in would still find a way - maybe.

On the other hand, anyone who needs to download a canned toolkit to break in probably couldn't do it without one.

The U.S. Law system

[senfman]

According to my last experience, the U.S. law system makes the manufacter of a thing responsible for its 'danger' (i.e. The trial about hot coffee in McDonald's). This might seem stupid to us europeans and maybe it really is.
The point is, that making the development of rootkits illegal, would introduce many new problems to Administrators, because people who are interested in breaking in would still find a way.
Another point is, thast such a decision wouldn't affect the net. Lists like Bugtraq would move to Europe or Asia and that would them turn into legal lists.
The problem is, that people posting exploit code to this lists would have to fear (by visiting the USA) the persecution by U.S. Law and U.S. Justice, which turns out to be unpleasant.

Re:Guns don't kill people...

[ffsnjb]

Britain's violent crime rate since outlawing guns has gone up 68%. The tool used in the crime has nothing to do with the outcome. I'll kill you with my left hand if I have to. Same outcome, very different tools.

Liability for releasing specifics of exploits?

[einhverfr]

I hope not. Security through hoping-no-one-will-notice-you-are-vulnerable is no security at all. In fact releasing specifics of the exploit lead to more rapid fixes and more rapid application of those fixesby administrators. The price of security is eternal vigilance.

If this is truew, than attacks vs encryption schemes (like RC4) would also be legally problematic (moreso than exploits, due to the DMCA). How else can one develop a secure system? Are we really to believe that most crackers get their exploits from security sites and that if these sites were held liable, that we would live in a more secure world?

I would think it would be defensible in that:

1. Publishing exploits is vital to overall security regardless of the harm it may cause to people who have no business running computers
2. The good outways the harm.

Sig: Warning The following may be illegal under the DMCA (rot-13 decoder):
ABCDEFGH I JK LM

I would point out

[Sycraft-fu]

That a great many firearm makers, Beretta, H&K, Glock, Sig-Sauer, Fanas, etc are NOT US companies. The only major US firearms maker that springs to mind is Colt. Much harder to sue a German firearms maker than a US one.

More precise than the gun analogy

[s20451]

Aren't we always mocking the 31337 h4x0rz for their lack of actual programming skill? So without the rootkits, the h4x0rz would be basically harmless. With the gun analogy, there's always the possibility of murdering someone another way - by knife, poison, etc.

Re:Ridiculous

[slashdot_commentator]

It doesn't change the fact that shoddy coding practices, ignorance, and inertia in correcting code is primary reason for these types of security breaches. They ONLY can be CORRECTED by action from the vendor or the customer. Making rootkit designers responsible for Internet security IS ridiculous.

Question: is it possible to make a complex piece of software provable secure? Answer: no.

Security holes in code can be boiled down to buffer overflows, incorrect application of user privileges, and access to internal scratch files by other users. Even flawed pointer use can be vetted out with the aid of a debugger tool. If you use functions like vsprintf() and careful in your design, your code will be 99.9% invulnerable to a root exploit.

Legally attacking rootkit designers will not make the Internet safe. It will only make it near impossible for laymen to understand they have a security vulnerability. This is an apparent attempt by really ignorant people who want to kill the messenger, rather than act responsibly to fix the problem.

Oh no...

[kypper]

On second thought, don't give any lawyers wind of that idea.

Too Late!

Apparently that hammer injury 3 years ago is worth some coin...

Screw 3...

Re:Guns don't kill people...

[No+Tears+In+The+End]

But what's a stupid 20mm cannon going to do against the government's F-16:s with sidewinders?

It's not the F-16s that you should be worried, nor the F-18s, nor F-14s, it's the F-117s and the cruise missiles that should be your primary concern.

If Bill Gates or some other rich fart suddenly bought a small army and placed it somewhere, surely the government wouldn't be happy at all.

If Bill Gates, Ted Turner, Rupert Murdoch, or any other billionaire decided to amass a large security force the government might not like it, however the government doesn't like us having access to strong crypto either.

Why does it matter?

Re:Guns don't kill people...

[No+Tears+In+The+End]

Also, we seem to need huge guns (some people even argue for semi-automatics!) to shoot each other, not just simple .22's, or for that matter, stun guns or other non-fatal weapons.

You can place whatever value on your life that you choose. There is nothing that I have that is more valueable than my life. I will use whatever means available to me to preserve it.

And why is the violent crime rate lower everywhere in Europe (and Japan, and Australia, and basically every other first-world country)

You seem to be ignoring the ethnic riots that have happened in Europe this week. Let us also not forget the Japanese man who killed 8 school children last month.

Humans are a violent species, not just Americans.

Re:Guns don't kill people...

[No+Tears+In+The+End]

Can I buy a tank or a fully armed squadron of F-16:s in the US and put them in my garage?

Yes, you can own a tank. If you can afford it you can own an F-16. If you can afford the licenses you can have the 20mm vulcan cannon on it as well.

The biggest difficulty would come from the FAA.

Re:Intent *does* matter

[No+Tears+In+The+End]

Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is contraversial.

Guns are designed as lethal weapons? All guns? Some guns? Which guns?

Re:Intent *does* matter

[No+Tears+In+The+End]

Guns that are designed to fire little pieces of metal can be considered lethal. Little pieces of metal, when they collide with fleshy matter at high speeds, tend to destroy said matter.

If you use definitions 1 or 3 from dictionary.com, I agree. Sure all firearms are designed to perform a function that can cause death. Self defense depends on the ability to do damage to your target. However, modern firearms and ammunition are designed to be less lethal than they were in the past.

What about the authors of the vulnerable software?

[Ed+Avis]

It's funny, you don't usually hear about the authors of insecure software being liable. Yet they are just as much at fault as the people making the rootkits (from a simplistic 'if this code didn't exist, the exploit couldn't happen' point of view).

Re:Intent *does* matter

[Goonie]

like what many?

What about hunting game, and stock and pest destruction? OK, it's not non-lethal, but it's highly justifiable. In Australia where they are an environmental disaster of the worst sort, it is highly ethical to introduce rabbits to the pointy end of a .22.

Handguns are a different matter. Except in very rare circumstances, the only thing they're useful for is killing and maiming others (or providing a credible threat that one is able to do so).

Go you big red fire engine!

Re:Intent *does* matter

[GroundBounce]

"Intent is, or should be, only an issue if a crime has been committed".

This seems to make sense, but if you follow this rigorously, then *no* object or thing could ever be illegal, and I'm not sure I would want to go that far. The primary intent we think of is intent of the user, which is what you are referring to. But there is also intended use of the object itself (i.e., why am I manufacturing this, what is the main intended use for this object?) which must be considered.

Perhaps guns were a bad example. Let's go to the extreme, and take, say, a nuclear weapon. Not many people explode nuclear weapons in their backyard for fun. They are clearly designed for only one purpose - to decimate large amounts of people and property at once, and are extremely dangerous. There is no ambiguity here. Should It be legal for me to have one in my closet and leave the assessment of intent until after I use it on downtown Manhattan? Probably not. at least in my humble opinion.

Now, I'm not saying that this should apply to all cracking tools. Many such tools have valid uses (testing security, etc.) and they should be considered on a case-by-case basis. I just wanted to make the point that there are some things for which the intent is already clear in the manufacture.

Re:Intent *does* matter

[Raleel]

> there are many non-lethal and justifiable uses for guns, so regulation is contraversial.

like what many? I can only think of target shooting, and that in itself could easily be construed as just practicing with the tool in preparation for the real purpose.

Not that I belong to the NRA or anything, but guns don't kill people, people kill people, guns are merely the mechanism. People killed each other before guns.

But I digress, but the point is clear. People hacked before rootkits, they will continue to hack with them.

Full Disclosure

[Restil]

I can tell you HOW to comprimise a system.
I can even write you a program to do it.

Then I can also write a program that after you've comprimised a system, you can proceed to modify that system in such a way that you can participate in continuous illegal access of it.

Should they be liable? No, not unless they used the utilities themselves. But they really shouldn't be doing it anyways. BO actually COULD serve a legitimate purpose, but rootkits really don't. Their very existance gives script kiddies fuel they need without even the justification of providing a useful resource to someone else.

What REALLY needs to be done is to catch some of those damn script kiddies and make an example out of them. The FBI won't even attempt to pursue them until the amount of damage caused exceeds a certain point. Its this attitude that causes these problems to perpetuate.

As an example, if some kid were to shoplift a candy bar from a convience store, and he was not caught, the owner of that store hasn't lost much. If he catches the kid and the kid gets prosecuted, then the community will know about it and at the very least, his friends might think twice about trying it themselves.

But if the police and everyone else involved simply looked the other way when this occured, saying it wasn't worth the effort to pursue them, two things will happen. First, there will be a LOT more missing candy bars. And second, that kid will be encouraged to attempt more risky endevours. He'll never have the opportunity to learn responsibility and respect, just abuse through the inactivity of others, he will consider to be ok and beyond reproach from those in authority.

And thus, the kiddies will continue to thrive. We will have DOS's, comprimised boxes, and a lot of annoying idiots on IRC bragging about how 'leet' they are. The unfortunate (depending on your point of view) consequence of this will be that someone will eventually be driven to the point to take vigilante action against some of these idiots. That's when law enforcement will finally get involved, but believe me, it WON'T be to our benefit.

We can't stop the kiddies, we can't make people secure their systems. The only real chokepoints we have to this flood are the rootkits and exploit tools. A very VERY few of us have the ability to stem this tide. Sure, there will always be the occasional script kiddie with actual coding skills, but occasionally someone will take a backhoe to a fibre line too. We can deal with the rarities when they occur.

Civil liability shouldn't even come into play here. We need to take responsibility for our actions. We can still create provide information on security holes and write legitimate remote monitoring programs without at the same time creating tools for the idiots who have nothing better to do than make other's lives miserable.

-Restil

Re:Full Disclosure

[bero-rh]

BO actually COULD serve a legitimate purpose, but rootkits really don't.

They can, actually. Picture a newbie wannabe-sysadmin (say, someone who wants to run a webserver for his personal stuff over his new DSL or cable connection). He can install that Linux CD he found in some magazine, then download a rootkit to check if there are any well-known leaks in his newly set up server without necessarily having to understand anything the rootkit does, or having to browse a list of exploits manually (which may fail even if someone bothers to do it - a newbie won't necessarily know that BIND is the DNS server (after all the binary is called named), so (s)he may skip BIND errata right away).

Ridiculous

[legLess]

It's funny, you don't usually hear about the authors of insecure software being liable. Yet they are just as much at fault as the people making the rootkits (from a simplistic 'if this code didn't exist, the exploit couldn't happen' point of view).

That's stupid. It's like saying, "If you hadn't been in the way of the bullet, you wouldn't have been shot."

From any perspective other than that simplistic (and useless) one your argument/example fails utterly. Sue Ford if your car gets stolen? Sure, if they've sold it to you with the explicit guarantee that it's unstealable.

No piece of code I know of makes such an explicit guarantee. In fact, much of the code I use says (in big bold letters), "NO WARRANTY" and "THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU."

Question: is it possible to make a complex piece of software provable secure? Answer: no.

So you want to hold people accountable unless they write perfect code, every time? Brilliant - you've just filed a lawsuit against every person who's every written software. Good luck.

"We all say so, so it must be true!"

Re:Ridiculous

[Inoshiro]

That's stupid. It's like saying, "If you hadn't been in the way of the bullet, you wouldn't have been shot."

That's stupid. It's like saying "If you're too dumb to read `Unsafe at any speed,` you deserve te drive a deathtrap."

There are supposed to be federal standards on products because (surprise, surprise) in a capitalist system, the govermment is supposed to be a manifestation of the people which ensures safety and protection from negative influences. This is why you don't have to worry about dieing from over-the-counter pilss bottles, or poison water supplies. The government should also protect the general populace from lemon software, because there is no way every single person who needs software can become enough of an expert to pick the best software.

This is similar to an arument for capitalsim from the 18th and 19th century -- do you have time te haggle for everything you buy, or should stores compete on price and quality? It sure reduces the
amount of haggling you have to do.

Question: is it possible to make a complex piece of software provable secure? Answer: no.

Have you ever put you sife in the hands of the software used in hospitals? Software engineering is all about provably correct software. If you spend a little extra effort up front, and are warry of the problems involved, you can build provably correct systems. The same thing applies to physical engineering of things like cars. Yeah, there will still be the odd problems, but I'm sure the occasional software recalls are less annoying than hourly reboots, and less danergous than a crash in the software managing you concorde. The Shuttle sure runs on some provably correct code.
--

Guns don't kill people...

[iconnor]

It is the same argument. However, many governments have regulated guns - it is just a matter of time before it happens.

I can't imagine keeping a software safe for all the offensive software and keeping a log of when I take it out and put it back in. That would be hard to regulate. FBI checks would also be hard to manage on ftp sites. Perhaps we can have software shows that get around the regulations.

Re:Guns don't kill people...

[hillct]

In many municipalities it's illegal to posess 'burgulary tools' which condist of such things as vary large screw drivers, and other comonly available items. Generally the laws are envorced in cases where a specific selection of multiple burgulary tools are posessed by one person.

Does this mean that I can posess BackOrafice but if I posess backOrafice and an installation of Snort or something, then I'm a hacker rather than a System Administrator? Where would such a line be drawn?

--CTH

--

Re:Guns don't kill people...

[No+Tears+In+The+End]

I suspect you'll be in jail very soon, at least if you actually believe that every threatening person deserves to be killed.

Then I suggest you read up on the laws regarding the use of lethal force in the US. In my particular state, if "a reasonable person believes" that his life is in danger, the use of lethal force is justified. So if a woman threatens to slap me for making a crass remark, no reasonable person would believe that to be a life threatening circumstance and the use of lethal force would not be justified.

If I give a guy the finger for cutting me off in traffic and he comes running up to my truck, with his hand in his jacket, screaming "I'm gonna F'N KILL YOU!", a reasonable person would believe my life to be in danger and therefore the use of lethal force would be justified.

In the meantime, I do recommend you put more value on human life.

It is not possible to put more value on my life than I do. I suggest you consider rasing the price that you place on your own.

Just because someone is threatening you doesn't mean that they deserve to die.

If someone is threatening to take my life, I will do whatever I must to preserve it.

But the violent crime rate in the U.S. is still the highest.

Why then is it that in the US the over all violent crime rate is dropping, but in gunless utopias like Japan, the UK, and Australia the violent crime rate is rising?

misquoting

[streetlawyer]

Martin Niemöller's famous and often (mis)quoted statement - "When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and the industrialists, I was not a member of the unions and I was not concerned. Then Hitler attacked me and the Protestant church -- and there was nobody left to be concerned" comes to mind. But remember, they didn't actually come for the Jews first. They came for the gun owners even before the jews - in 1938.

Often misquoted indeed -- Niemoller referred to "them", rather than to Hitler, started with "First they came for the Communists" rather than the Jews and never mentioned the Protestant church.

Oh yeh, and Hitler did not "come for the gun owners" for the very good reason that privately held guns were already illegal in Germany by the time he took over, and had been since the First World War.

Other than that, your post only has grammatical errors.

Blame for software producers, and bad analogies

[Xcott+R13,+3(0,R4)]

Two points:

Firstly, we definitely have to start regarding software manufacturers, such as MS, as potentially liable for damage caused by viruses and hacker exploits. Indeed, even the general public is starting to become aware that MS shares the blame for massive losses caused by Outlook viruses.

Before you fire off a response, notice the term "potentially." I'm not saying that software writers are generally responsible for hacks, but that some companies can be extremely negligent when designing software for which security obviously matters. The analogy (yes, another analogy) is to burglar alarms. Is the maker of your burglar alarm at fault if you're burglarized? Not in general, not usually, but if the alarm system turns out to have a zillion defects then yes, the maker is partially at fault.

Secondly, as someone who does research in crypto, I am quite sick of any analogy to firearms. Actually, I'm not fond of analogies to anything, but firearms in particular. No, that piece of software is not like a gun. Maybe it's like a crowbar, or a lockpick, or a safe, OK, I'll buy that; but nothing in the software world comes close to a gun, in terms of its purpose or dangerous nature.

This is especially important when you are describing these concepts to a layperson utterly unfamiliar with software. "What is a 'debugger'?" "Well, it's like a gun, because etc etc." Now you have someone who has no idea what a "debugger" is, whether it's a computer program or a garden tool, and the first thing you drop in that conceptual hole is "gun." Such analogies should be reserved for people who fully understand what a debugger is, who have used one, who know that you can't kill someone with a debugger, and that it's safe to have a debugger in the house if you have children.

I'm not saying we should lay off firearms analogies because they're too scary or will cause the general public to react too strongly. I'm saying we should lay off firearms analogies because they're stupidly inaccurate.

Re:Intent *does* matter

[No+Tears+In+The+End]

With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire.

Roll out of the barrel? Have you ever seen a black powder rifle in use? With revolutionary war era muskets, people used a wad of paper to hold the bullet in place until the gun was fired. Civil war era and later black powder rifles used a patch to tightly couple the bullet to the barrel. Those didn't roll out of the barrel either.

Compare a colonial-era musket to a semi-automatic, clip-loading Glock 9mm pistol. With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire. With the modern 9mm, you load the clip, turn off the safety, and fire until you run out of rounds.

You have just shown that you know nothing of which you speak. It just so happens that I own a Glock pistol. There is no external safety machanism on the Glock that must be disengaged before the pistol will fire.

Maybe you'd like to ask the audience.

New firearms are designed to be lighter, higher powered, more accurate, and more reliable. What does all this add up to? Weaponry now is easily many times more lethal than the guns of yesteryear.

Let us go back to the US civil war for example, those guns fired big, heavy lead balls. Anyone who knows anything about terminal ballistics knows that the energy deposit and a mount of soft tissue damage caused by a lead ball is much worse than that of a modern bullet.

And FYI, armor piercing bullets are even LESS destructive when they contact soft tissue than other types of bullets. They deform less upon contact than other types of bullets, so therefore they put smaller holes in things.

The only type of firearm that is not designed to would the target, as opposed to kill is the shotgun.

Sue the Writer of the Hacking Tool 'Telnet'

[Greyfox]

Telnet can be used for an astounding amount of hacking. You can use it for everything from mail forgeries to (really slow) port scans. The author claims all those uses were not the original intent of telnet, but the authors of all those root kits claim the same thing (Oh, our code is for educational use only! Yeah, right!)

And while we're at it, can we sue the authors of every faulty server ever written for installing backdoors onto our systems? What about the ones who really intended to install backdoors into our systems? Can I supoena the Windows source because I suspect Microsoft of installing backdoors for the NSA?

By the time I get done, it'll be technically illegal to use a computer in the USA! Hmm. Maybe I'll go post that as an Evil Plan over on Badvogato.

I've always wondered....

[Sarcasmooo!]

If MC-Hammer is responsible for parachute pants, is he also responsible for the resulting baggy pants that, to this day, are worn by 'gangstas' and the many socially inept middle-class white boys that idolize them?

A Similar Situation

[DestroyahX]

I had a friend in high school who wrote "hacking tools" in VB-- they were simply GUI wrappers around software that retrieved information from various text files on the system it was run on-- email, system config files, etc.

Well, believe it or not, some teache came along and confiscated the zip disk with the projects on it, and deleted not only his project fro the hard drive, but the files named by the programs!

When the time came to reboot the mcahine, my friend was indouble trouble for having destroyed the machine.

To this day I can't fathom the idiocy.

Full disclosure is _necessary_

[arcade]

Full disclosure of cracking tools are a necessity. I will not argue about wheter it should be punishable to create them, but _Publishing_ them when they exist - is commendable.

First, lets dive into the history of computer security. Crackers has existed as long as computers has existed. The term 'worm' was coined for them on usenet in the early eighties. It never caught on. Later the term 'cracker' was coined. They broke into systems, they had their tools - which circulated among the crackers. When a hole in a daemon / some suid software were discovered - the company that created the software often used months and _years_ to plug the holes. It was not a priority. Admins most likely never knew about them.

And onto this scene came the morris worm. It quickly spread to the entire Internet, using bandwidth and CPU power, exhausting disk and memory. The internet was literaly shut down for about a week while people crowded onto FidoNet and other networks to create a solution to remove the menace.

After this, CERT (Computer Emergency Response Team) was created. They was to deal with known vulnerabilities - and get the software vendors to patch up their software. Which they did -- but they gave the vendors far too much time. In the most extreme cases - years. When the vendor had a patch, the vulnerability was published in a cert advisory.

The problem was that crackers found vulnerabilities, and the knowledge about the holes spread underground. Some admins knew about them - and patched their systems manually. Most admins did NOT know about it. The crackers had far too much power.

Enter bugtraq and full disclosure. A mailinglist where people could discuss vulnerabilities they had discovered. A place where they could post tools they had discovered, rootkits, exploits, and so forth. A mailinglist where full disclosure was practiced.

The result? That software vendors were forced to patch up their systems MUCH faster than before, since the exploits that earlier was circulated only among badguys now become widespread and known to the entire world. Consumers would bug their vendors until they delivered a patch.

Today, we can thank Bugtraq - and aleph1 in particular - that we've got extremely fast responses from most software vendors when vulnerabilities are discoverd. From a vulnerability is discovered to the vendor publishes a patch .. well, most of the time its done within a few days - or at a maximum of 10-14 days. That is a hell of an improvement over the time it took to get a patch developed before bugtraq entered the stage.

In short. We _need_ a place where admins can share information about known vulnerabilities. We _need_ a place where tools that are found in the wild can be found by _everyone_. If we don't make that information freely available - a selected few will have the power to wreak havoc upon the net. Without it - admins will remain clueless when it comes to security issues. And that -- that is not a situation we want to return to.

(I'm sorry for any mispellings, inconsistencies or blatant errors in this post, I've written from mind / what I've read - and there are bound to be mistakes)

--

Intent *does* matter

[GroundBounce]

The argument about the hammer being illegal is an old one, and the flaw with the argument is that it doesn't take intent into account. The law can never be completely objective because humans have intent, and intent is a subjective thing.

Virtually any object in the world can be used as a weapon, but we obviously can't outlaw all physical objects, can we?

That being said, there are gray areas, such as guns. Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is contraversial.

I suspect the same can be said of cracking tools; there are clearly some that are designed to be primarily malicious, and some are designed to be useful, but could be used maliciosly in the wrong hands, much like a gun. It seems that these types of tools will have to be considered on a case by case basis

A Similar Court Case...

[Thomas+M+Hughes]

I saw this, and thought of something from my old Constititional Law class. So I pulled out my text book, and looked up the case, and here's what I found:

Rice v. Paladin Enterprises, Inc., 940 F.Supp.836 (D.Md. 1996). This was ultimately decided by a Federal District court. Often refered to as the "Murder by the Book case." Paladin had published a couple books (namely "Hit Man: A Technical Manual for Independent Contractors" and "How to Make a Dispoasable Silencer, Vol II.).

Well, someone went and killed someone using the methods found in the books. Needless to say, the families of the victims were pretty pissed. So they brought Paladin to court. The first court said that Paladin could publish anything they want, after all, its Speech, and Speech is _always_ protected (limitations on speech is justified by claiming its not speech, just as a side note).

So the case gets appealed to the district appeals court. The appeals court basically says "This is speech, but its also aiding and abetting, which is not protected by the First Amendment."

Therefore, if the courts use this as an example (as they tend to do), producing the tools will most likely be considered protected as speech, and therefore not something you can provide a prior restraint on, however, if someone abuses your tools, chances are, you can be held responsible.

Then again, IANAL.
---