Slashdot Mirror


Rootkit Developers And Legal Liability

FatherTim writes: "I just saw this posting over at SecurityNewsPortal, and thought it would be of interest. It's a question regarding the potential civil risk that developers of rootkits, vulnerabilities, and exploits face. It does cause one pause to consider the responsibility that would be associated with full-disclosure." Considering the fine line between evil cracking tools and legitimate remote access tools (how about BackOrifice?), this seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)


  1. What about the authors of the vulnerable software? by Ed+Avis · · Score: 3

    It's funny, you don't usually hear about the authors of insecure software being liable. Yet they are just as much at fault as the people making the rootkits (from a simplistic 'if this code didn't exist, the exploit couldn't happen' point of view).

    --
    -- Ed Avis ed@membled.com
  2. Re:Intent *does* matter by Goonie · · Score: 3
    like what many?

    What about hunting game, and stock and pest destruction? OK, it's not non-lethal, but it's highly justifiable. In Australia where they are an environmental disaster of the worst sort, it is highly ethical to introduce rabbits to the pointy end of a .22.

    Handguns are a different matter. Except in very rare circumstances, the only thing they're useful for is killing and maiming others (or providing a credible threat that one is able to do so).

    Go you big red fire engine!

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  3. Re:Intent *does* matter by GroundBounce · · Score: 3

    "Intent is, or should be, only an issue if a crime has been committed".

    This seems to make sense, but if you follow this rigorously, then *no* object or thing could ever be illegal, and I'm not sure I would want to go that far. The primary intent we think of is intent of the user, which is what you are referring to. But there is also intended use of the object itself (i.e., why am I manufacturing this, what is the main intended use for this object?) which must be considered.

    Perhaps guns were a bad example. Let's go to the extreme, and take, say, a nuclear weapon. Not many people explode nuclear weapons in their backyard for fun. They are clearly designed for only one purpose - to decimate large amounts of people and property at once, and are extremely dangerous. There is no ambiguity here. Should it be legal for me to have one in my closet and leave the assessment of intent until after I use it on downtown Manhattan? Probably not, at least in my humble opinion.

    Now, I'm not saying that this should apply to all cracking tools. Many such tools have valid uses (testing security, etc.) and they should be considered on a case-by-case basis. I just wanted to make the point that there are some things for which the intent is already clear in the manufacture.

  4. Re:Intent *does* matter by Raleel · · Score: 3

    > there are many non-lethal and justifiable uses for guns, so regulation is controversial.

    like what many? I can only think of target shooting, and that in itself could easily be construed as just practicing with the tool in preparation for the real purpose.

    Not that I belong to the NRA or anything, but guns don't kill people, people kill people, guns are merely the mechanism. People killed each other before guns.

    But I digress, but the point is clear. People hacked before rootkits, they will continue to hack with them.

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --
  5. Full Disclosure by Restil · · Score: 3

    I can tell you HOW to compromise a system.
    I can even write you a program to do it.

    Then I can also write a program that after you've compromised a system, you can proceed to modify that system in such a way that you can participate in continuous illegal access of it.

    Should they be liable? No, not unless they used the utilities themselves. But they really shouldn't be doing it anyways. BO actually COULD serve a legitimate purpose, but rootkits really don't. Their very existence gives script kiddies fuel they need without even the justification of providing a useful resource to someone else.

    What REALLY needs to be done is to catch some of those damn script kiddies and make an example out of them. The FBI won't even attempt to pursue them until the amount of damage caused exceeds a certain point. It's this attitude that causes these problems to perpetuate.

    As an example, if some kid were to shoplift a candy bar from a convenience store, and he was not caught, the owner of that store hasn't lost much. If he catches the kid and the kid gets prosecuted, then the community will know about it and at the very least, his friends might think twice about trying it themselves.

    But if the police and everyone else involved simply looked the other way when this occurred, saying it wasn't worth the effort to pursue them, two things will happen. First, there will be a LOT more missing candy bars. And second, that kid will be encouraged to attempt more risky endeavours. He'll never have the opportunity to learn responsibility and respect, just abuse, which, through the inactivity of others, he will consider to be OK and beyond reproach from those in authority.

    And thus, the kiddies will continue to thrive. We will have DoS's, compromised boxes, and a lot of annoying idiots on IRC bragging about how 'leet' they are. The unfortunate (depending on your point of view) consequence of this will be that someone will eventually be driven to the point to take vigilante action against some of these idiots. That's when law enforcement will finally get involved, but believe me, it WON'T be to our benefit.

    We can't stop the kiddies, we can't make people secure their systems. The only real chokepoints we have to this flood are the rootkits and exploit tools. A very VERY few of us have the ability to stem this tide. Sure, there will always be the occasional script kiddie with actual coding skills, but occasionally someone will take a backhoe to a fibre line too. We can deal with the rarities when they occur.

    Civil liability shouldn't even come into play here. We need to take responsibility for our actions. We can still provide information on security holes and write legitimate remote monitoring programs without at the same time creating tools for the idiots who have nothing better to do than make others' lives miserable.

    -Restil

    --
    Play with my webcams and lights here
    1. Re:Full Disclosure by bero-rh · · Score: 3

      BO actually COULD serve a legitimate purpose, but rootkits really don't.

      They can, actually. Picture a newbie wannabe-sysadmin (say, someone who wants to run a webserver for his personal stuff over his new DSL or cable connection). He can install that Linux CD he found in some magazine, then download a rootkit to check if there are any well-known leaks in his newly set up server without necessarily having to understand anything the rootkit does, or having to browse a list of exploits manually (which may fail even if someone bothers to do it - a newbie won't necessarily know that BIND is the DNS server (after all the binary is called named), so (s)he may skip BIND errata right away).

      --
      This message is provided under the terms outlined at http://www.bero.org/terms.html
  6. Re:Constant Issues by z4ce · · Score: 3

    Yes, perhaps we all do drink that poison known as Dihydrogen Monoxide but should we really? Check out www.dhmo.org

  7. Ridiculous by legLess · · Score: 3
    It's funny, you don't usually hear about the authors of insecure software being liable. Yet they are just as much at fault as the people making the rootkits (from a simplistic 'if this code didn't exist, the exploit couldn't happen' point of view).
    That's stupid. It's like saying, "If you hadn't been in the way of the bullet, you wouldn't have been shot."

    From any perspective other than that simplistic (and useless) one your argument/example fails utterly. Sue Ford if your car gets stolen? Sure, if they've sold it to you with the explicit guarantee that it's unstealable.

    No piece of code I know of makes such an explicit guarantee. In fact, much of the code I use says (in big bold letters), "NO WARRANTY" and "THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU."

    Question: is it possible to make a complex piece of software provably secure? Answer: no.

    So you want to hold people accountable unless they write perfect code, every time? Brilliant - you've just filed a lawsuit against every person who's ever written software. Good luck.

    "We all say so, so it must be true!"

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
    1. Re:Ridiculous by Inoshiro · · Score: 4
      That's stupid. It's like saying, "If you hadn't been in the way of the bullet, you wouldn't have been shot."

      That's stupid. It's like saying "If you're too dumb to read `Unsafe at any speed,` you deserve to drive a deathtrap."

      There are supposed to be federal standards on products because (surprise, surprise) in a capitalist system, the government is supposed to be a manifestation of the people which ensures safety and protection from negative influences. This is why you don't have to worry about dying from over-the-counter pill bottles, or poisoned water supplies. The government should also protect the general populace from lemon software, because there is no way every single person who needs software can become enough of an expert to pick the best software.

      This is similar to an argument for capitalism from the 18th and 19th century -- do you have time to haggle for everything you buy, or should stores compete on price and quality? It sure reduces the amount of haggling you have to do.

      Question: is it possible to make a complex piece of software provably secure? Answer: no.

      Have you ever put your life in the hands of the software used in hospitals? Software engineering is all about provably correct software. If you spend a little extra effort up front, and are wary of the problems involved, you can build provably correct systems. The same thing applies to physical engineering of things like cars. Yeah, there will still be the odd problems, but I'm sure the occasional software recalls are less annoying than hourly reboots, and less dangerous than a crash in the software managing your Concorde. The Shuttle sure runs on some provably correct code.
      --
      Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  8. Re:Lawyers: Been there, done that. by legLess · · Score: 3
    In sharp contrast to the tobacco industry, the gun industry has never lied about its products. "Guns killing people? Why no Senator, we've never heard of such a thing."

    One large gun lawsuit was thrown out not too long ago, and I think that's a Good Sign. This society does not need more laws, or lawsuits. We need people to (a) mind their own fucking business, and (b) take responsibility for their own fucking actions. At least as important, we need intelligent and ethical leaders who'll do the same.

    Parenthetically, let's not start praising the U.S. arms industry, mmmkay? The United States supplied arms or military technology to more than 92% of the conflicts under way in 1999 [source]. When the U.S. government gives "aid" to another country, that aid is usually not cash, but some sort of voucher for U.S.-made products, often arms. So the U.S. government is using U.S. taxpayer dollars to fund the arms industry to give weapons to foreign governments. Nice deal if you can get it, huh?

    "We all say so, so it must be true!"

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  9. Guns don't kill people... by iconnor · · Score: 3

    It is the same argument. However, many governments have regulated guns - it is just a matter of time before it happens.

    I can't imagine keeping a software safe for all the offensive software and keeping a log of when I take it out and put it back in. That would be hard to regulate. FBI checks would also be hard to manage on ftp sites. Perhaps we can have software shows that get around the regulations.

    1. Re:Guns don't kill people... by hillct · · Score: 3

      In many municipalities it's illegal to possess 'burglary tools' which consist of such things as very large screwdrivers, and other commonly available items. Generally the laws are enforced in cases where a specific selection of multiple burglary tools are possessed by one person.

      Does this mean that I can possess BackOrifice but if I possess BackOrifice and an installation of Snort or something, then I'm a hacker rather than a System Administrator? Where would such a line be drawn?

      --CTH

      --

      --Got Lists? | Top 95 Star Wars Line
    2. Re:Guns don't kill people... by No+Tears+In+The+End · · Score: 3

      I suspect you'll be in jail very soon, at least if you actually believe that every threatening person deserves to be killed.

      Then I suggest you read up on the laws regarding the use of lethal force in the US. In my particular state, if "a reasonable person believes" that his life is in danger, the use of lethal force is justified. So if a woman threatens to slap me for making a crass remark, no reasonable person would believe that to be a life threatening circumstance and the use of lethal force would not be justified.

      If I give a guy the finger for cutting me off in traffic and he comes running up to my truck, with his hand in his jacket, screaming "I'm gonna F'N KILL YOU!", a reasonable person would believe my life to be in danger and therefore the use of lethal force would be justified.

      In the meantime, I do recommend you put more value on human life.

      It is not possible to put more value on my life than I do. I suggest you consider raising the price that you place on your own.

      Just because someone is threatening you doesn't mean that they deserve to die.

      If someone is threatening to take my life, I will do whatever I must to preserve it.

      But the violent crime rate in the U.S. is still the highest.

      Why then is it that in the US the over all violent crime rate is dropping, but in gunless utopias like Japan, the UK, and Australia the violent crime rate is rising?

      --

      -You can cry, but you'll still die. There'll be no tears in the end.
  10. Re:Bullets kill people! by ErikTheRed · · Score: 3

    Remember: Guns don't kill people, bullets do. Guns just make them go very, very fast.

    --

    Help save the critically endangered Blue Iguana
  11. misquoting by streetlawyer · · Score: 3
    Martin Niemöller's famous and often (mis)quoted statement - "When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and the industrialists, I was not a member of the unions and I was not concerned. Then Hitler attacked me and the Protestant church -- and there was nobody left to be concerned" comes to mind. But remember, they didn't actually come for the Jews first. They came for the gun owners even before the Jews - in 1938.

    Often misquoted indeed -- Niemoller referred to "them", rather than to Hitler, started with "First they came for the Communists" rather than the Jews and never mentioned the Protestant church.

    Oh yeh, and Hitler did not "come for the gun owners" for the very good reason that privately held guns were already illegal in Germany by the time he took over, and had been since the First World War.

    Other than that, your post only has grammatical errors.

  12. Blame for software producers, and bad analogies by Xcott+R13,+3(0,R4) · · Score: 3
    Two points:

    Firstly, we definitely have to start regarding software manufacturers, such as MS, as potentially liable for damage caused by viruses and hacker exploits. Indeed, even the general public is starting to become aware that MS shares the blame for massive losses caused by Outlook viruses.

    Before you fire off a response, notice the term "potentially." I'm not saying that software writers are generally responsible for hacks, but that some companies can be extremely negligent when designing software for which security obviously matters. The analogy (yes, another analogy) is to burglar alarms. Is the maker of your burglar alarm at fault if you're burglarized? Not in general, not usually, but if the alarm system turns out to have a zillion defects then yes, the maker is partially at fault.

    Secondly, as someone who does research in crypto, I am quite sick of any analogy to firearms. Actually, I'm not fond of analogies to anything, but firearms in particular. No, that piece of software is not like a gun. Maybe it's like a crowbar, or a lockpick, or a safe, OK, I'll buy that; but nothing in the software world comes close to a gun, in terms of its purpose or dangerous nature.

    This is especially important when you are describing these concepts to a layperson utterly unfamiliar with software. "What is a 'debugger'?" "Well, it's like a gun, because etc etc." Now you have someone who has no idea what a "debugger" is, whether it's a computer program or a garden tool, and the first thing you drop in that conceptual hole is "gun." Such analogies should be reserved for people who fully understand what a debugger is, who have used one, who know that you can't kill someone with a debugger, and that it's safe to have a debugger in the house if you have children.

    I'm not saying we should lay off firearms analogies because they're too scary or will cause the general public to react too strongly. I'm saying we should lay off firearms analogies because they're stupidly inaccurate.

  13. Re:Intent *does* matter by No+Tears+In+The+End · · Score: 3

    With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire.

    Roll out of the barrel? Have you ever seen a black powder rifle in use? With revolutionary war era muskets, people used a wad of paper to hold the bullet in place until the gun was fired. Civil war era and later black powder rifles used a patch to tightly couple the bullet to the barrel. Those didn't roll out of the barrel either.

    Compare a colonial-era musket to a semi-automatic, clip-loading Glock 9mm pistol. With a musket, you have to load black powder, load in your shot, carefully pack the load down into the barrel, aim (making sure not to let the shot roll out of the barrel), and fire. With the modern 9mm, you load the clip, turn off the safety, and fire until you run out of rounds.

    You have just shown that you know nothing of which you speak. It just so happens that I own a Glock pistol. There is no external safety mechanism on the Glock that must be disengaged before the pistol will fire.

    Maybe you'd like to ask the audience.

    New firearms are designed to be lighter, higher powered, more accurate, and more reliable. What does all this add up to? Weaponry now is easily many times more lethal than the guns of yesteryear.

    Let us go back to the US civil war for example, those guns fired big, heavy lead balls. Anyone who knows anything about terminal ballistics knows that the energy deposit and amount of soft tissue damage caused by a lead ball is much worse than that of a modern bullet.

    And FYI, armor piercing bullets are even LESS destructive when they contact soft tissue than other types of bullets. They deform less upon contact than other types of bullets, so therefore they put smaller holes in things.

    The only type of firearm that is not designed to wound the target, as opposed to kill, is the shotgun.

    --

    -You can cry, but you'll still die. There'll be no tears in the end.
  14. Sue the Writer of the Hacking Tool 'Telnet' by Greyfox · · Score: 4
    Telnet can be used for an astounding amount of hacking. You can use it for everything from mail forgeries to (really slow) port scans. The author claims all those uses were not the original intent of telnet, but the authors of all those root kits claim the same thing (Oh, our code is for educational use only! Yeah, right!)

    And while we're at it, can we sue the authors of every faulty server ever written for installing backdoors onto our systems? What about the ones who really intended to install backdoors into our systems? Can I subpoena the Windows source because I suspect Microsoft of installing backdoors for the NSA?

    By the time I get done, it'll be technically illegal to use a computer in the USA! Hmm. Maybe I'll go post that as an Evil Plan over on Badvogato.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  15. I've always wondered.... by Sarcasmooo! · · Score: 4

    If MC-Hammer is responsible for parachute pants, is he also responsible for the resulting baggy pants that, to this day, are worn by 'gangstas' and the many socially inept middle-class white boys that idolize them?

  16. A Similar Situation by DestroyahX · · Score: 4

    I had a friend in high school who wrote "hacking tools" in VB-- they were simply GUI wrappers around software that retrieved information from various text files on the system it was run on-- email, system config files, etc.

    Well, believe it or not, some teacher came along and confiscated the zip disk with the projects on it, and deleted not only his project from the hard drive, but the files named by the programs!

    When the time came to reboot the machine, my friend was in double trouble for having destroyed the machine.

    To this day I can't fathom the idiocy.

  17. Full disclosure is _necessary_ by arcade · · Score: 5

    Full disclosure of cracking tools is a necessity. I will not argue about whether it should be punishable to create them, but _Publishing_ them when they exist - is commendable.

    First, let's dive into the history of computer security. Crackers have existed as long as computers have existed. The term 'worm' was coined for them on usenet in the early eighties. It never caught on. Later the term 'cracker' was coined. They broke into systems, they had their tools - which circulated among the crackers. When a hole in a daemon / some suid software was discovered - the company that created the software often used months and _years_ to plug the holes. It was not a priority. Admins most likely never knew about them.

    And onto this scene came the Morris worm. It quickly spread to the entire Internet, using bandwidth and CPU power, exhausting disk and memory. The internet was literally shut down for about a week while people crowded onto FidoNet and other networks to create a solution to remove the menace.

    After this, CERT (Computer Emergency Response Team) was created. They were to deal with known vulnerabilities - and get the software vendors to patch up their software. Which they did -- but they gave the vendors far too much time. In the most extreme cases - years. When the vendor had a patch, the vulnerability was published in a CERT advisory.

    The problem was that crackers found vulnerabilities, and the knowledge about the holes spread underground. Some admins knew about them - and patched their systems manually. Most admins did NOT know about it. The crackers had far too much power.

    Enter bugtraq and full disclosure. A mailing list where people could discuss vulnerabilities they had discovered. A place where they could post tools they had discovered, rootkits, exploits, and so forth. A mailing list where full disclosure was practiced.

    The result? That software vendors were forced to patch up their systems MUCH faster than before, since the exploits that earlier were circulated only among bad guys now became widespread and known to the entire world. Consumers would bug their vendors until they delivered a patch.

    Today, we can thank Bugtraq - and aleph1 in particular - that we've got extremely fast responses from most software vendors when vulnerabilities are discovered. From a vulnerability is discovered to the vendor publishes a patch .. well, most of the time it's done within a few days - or at a maximum of 10-14 days. That is a hell of an improvement over the time it took to get a patch developed before bugtraq entered the stage.

    In short. We _need_ a place where admins can share information about known vulnerabilities. We _need_ a place where tools that are found in the wild can be found by _everyone_. If we don't make that information freely available - a selected few will have the power to wreak havoc upon the net. Without it - admins will remain clueless when it comes to security issues. And that -- that is not a situation we want to return to.

    (I'm sorry for any misspellings, inconsistencies or blatant errors in this post, I've written from mind / what I've read - and there are bound to be mistakes)

    --

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
  18. Intent *does* matter by GroundBounce · · Score: 5

    The argument about the hammer being illegal is an old one, and the flaw with the argument is that it doesn't take intent into account. The law can never be completely objective because humans have intent, and intent is a subjective thing.

    Virtually any object in the world can be used as a weapon, but we obviously can't outlaw all physical objects, can we?

    That being said, there are gray areas, such as guns. Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is controversial.

    I suspect the same can be said of cracking tools; there are clearly some that are designed to be primarily malicious, and some are designed to be useful, but could be used maliciously in the wrong hands, much like a gun. It seems that these types of tools will have to be considered on a case by case basis.

  19. A Similar Court Case... by Thomas+M+Hughes · · Score: 5

    I saw this, and thought of something from my old Constitutional Law class. So I pulled out my text book, and looked up the case, and here's what I found:

    Rice v. Paladin Enterprises, Inc., 940 F.Supp.836 (D.Md. 1996). This was ultimately decided by a Federal District court. Often referred to as the "Murder by the Book case." Paladin had published a couple books (namely "Hit Man: A Technical Manual for Independent Contractors" and "How to Make a Disposable Silencer, Vol. II").

    Well, someone went and killed someone using the methods found in the books. Needless to say, the families of the victims were pretty pissed. So they brought Paladin to court. The first court said that Paladin could publish anything they want, after all, it's Speech, and Speech is _always_ protected (limitations on speech are justified by claiming it's not speech, just as a side note).

    So the case gets appealed to the district appeals court. The appeals court basically says "This is speech, but it's also aiding and abetting, which is not protected by the First Amendment."

    Therefore, if the courts use this as an example (as they tend to do), producing the tools will most likely be considered protected as speech, and therefore not something you can provide a prior restraint on, however, if someone abuses your tools, chances are, you can be held responsible.

    Then again, IANAL.
    ---