Slashdot Mirror


Rootkit Developers And Legal Liability

FatherTim writes: "I just saw this posting over at SecurityNewsPortal, and thought it would be of interest. It's a question regarding the potential civil risk that developers of rootkits, vulnerabilities, and exploits face. It does cause one pause to consider the responsibility that would be associated with full disclosure." Considering the fine line between evil cracking tools and legitimate remote access tools (how about BackOrifice?), this seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)

7 of 189 comments

  1. Re:Ridiculous by Inoshiro · · Score: 4
    That's stupid. It's like saying, "If you hadn't been in the way of the bullet, you wouldn't have been shot."

    That's stupid. It's like saying "If you're too dumb to read `Unsafe at Any Speed,` you deserve to drive a deathtrap."

    There are supposed to be federal standards on products because (surprise, surprise) in a capitalist system, the government is supposed to be a manifestation of the people which ensures safety and protection from negative influences. This is why you don't have to worry about dying from over-the-counter pill bottles, or poisoned water supplies. The government should also protect the general populace from lemon software, because there is no way every single person who needs software can become enough of an expert to pick the best software.

    This is similar to an argument for capitalism from the 18th and 19th century -- do you have time to haggle for everything you buy, or should stores compete on price and quality? It sure reduces the amount of haggling you have to do.

    Question: is it possible to make a complex piece of software provably secure? Answer: no.

    Have you ever put your life in the hands of the software used in hospitals? Software engineering is all about provably correct software. If you spend a little extra effort up front, and are wary of the problems involved, you can build provably correct systems. The same thing applies to physical engineering of things like cars. Yeah, there will still be the odd problems, but I'm sure the occasional software recalls are less annoying than hourly reboots, and less dangerous than a crash in the software managing your Concorde. The Shuttle sure runs on some provably correct code.
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  2. Sue the Writer of the Hacking Tool 'Telnet' by Greyfox · · Score: 4
    Telnet can be used for an astounding amount of hacking. You can use it for everything from mail forgeries to (really slow) port scans. The author claims all those uses were not the original intent of telnet, but the authors of all those root kits claim the same thing (Oh, our code is for educational use only! Yeah, right!)

    And while we're at it, can we sue the authors of every faulty server ever written for installing backdoors onto our systems? What about the ones who really intended to install backdoors into our systems? Can I subpoena the Windows source because I suspect Microsoft of installing backdoors for the NSA?

    By the time I get done, it'll be technically illegal to use a computer in the USA! Hmm. Maybe I'll go post that as an Evil Plan over on Badvogato.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. I've always wondered.... by Sarcasmooo! · · Score: 4

    If MC-Hammer is responsible for parachute pants, is he also responsible for the resulting baggy pants that, to this day, are worn by 'gangstas' and the many socially inept middle-class white boys that idolize them?

  4. A Similar Situation by DestroyahX · · Score: 4

    I had a friend in high school who wrote "hacking tools" in VB-- they were simply GUI wrappers around software that retrieved information from various text files on the system it was run on-- email, system config files, etc.

    Well, believe it or not, some teacher came along and confiscated the zip disk with the projects on it, and deleted not only his project from the hard drive, but the files named by the programs!

    When the time came to reboot the machine, my friend was in double trouble for having destroyed the machine.

    To this day I can't fathom the idiocy.

  5. Full disclosure is _necessary_ by arcade · · Score: 5

    Full disclosure of cracking tools is a necessity. I will not argue about whether it should be punishable to create them, but _publishing_ them when they exist - is commendable.

    First, let's dive into the history of computer security. Crackers have existed as long as computers have existed. The term 'worm' was coined for them on Usenet in the early eighties. It never caught on. Later the term 'cracker' was coined. They broke into systems, they had their tools - which circulated among the crackers. When a hole in a daemon / some suid software was discovered - the company that created the software often used months and _years_ to plug the holes. It was not a priority. Admins most likely never knew about them.

    And onto this scene came the Morris worm. It quickly spread to the entire Internet, using bandwidth and CPU power, exhausting disk and memory. The Internet was literally shut down for about a week while people crowded onto FidoNet and other networks to create a solution to remove the menace.

    After this, CERT (Computer Emergency Response Team) was created. They were to deal with known vulnerabilities - and get the software vendors to patch up their software. Which they did -- but they gave the vendors far too much time. In the most extreme cases - years. When the vendor had a patch, the vulnerability was published in a CERT advisory.

    The problem was that crackers found vulnerabilities, and the knowledge about the holes spread underground. Some admins knew about them - and patched their systems manually. Most admins did NOT know about it. The crackers had far too much power.

    Enter Bugtraq and full disclosure. A mailing list where people could discuss vulnerabilities they had discovered. A place where they could post tools they had discovered, rootkits, exploits, and so forth. A mailing list where full disclosure was practiced.

    The result? That software vendors were forced to patch up their systems MUCH faster than before, since the exploits that were earlier circulated only among bad guys now became widespread and known to the entire world. Consumers would bug their vendors until they delivered a patch.

    Today, we can thank Bugtraq - and aleph1 in particular - that we've got extremely fast responses from most software vendors when vulnerabilities are discovered. From when a vulnerability is discovered to when the vendor publishes a patch .. well, most of the time it's done within a few days - or at a maximum of 10-14 days. That is a hell of an improvement over the time it took to get a patch developed before Bugtraq entered the stage.

    In short. We _need_ a place where admins can share information about known vulnerabilities. We _need_ a place where tools that are found in the wild can be found by _everyone_. If we don't make that information freely available - a selected few will have the power to wreak havoc upon the net. Without it - admins will remain clueless when it comes to security issues. And that -- that is not a situation we want to return to.

    (I'm sorry for any misspellings, inconsistencies or blatant errors in this post, I've written from mind / what I've read - and there are bound to be mistakes)

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
  6. Intent *does* matter by GroundBounce · · Score: 5

    The argument about the hammer being illegal is an old one, and the flaw with the argument is that it doesn't take intent into account. The law can never be completely objective because humans have intent, and intent is a subjective thing.

    Virtually any object in the world can be used as a weapon, but we obviously can't outlaw all physical objects, can we?

    That being said, there are gray areas, such as guns. Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is controversial.

    I suspect the same can be said of cracking tools; there are clearly some that are designed to be primarily malicious, and some are designed to be useful, but could be used maliciously in the wrong hands, much like a gun. It seems that these types of tools will have to be considered on a case by case basis.

  7. A Similar Court Case... by Thomas+M+Hughes · · Score: 5

    I saw this, and thought of something from my old Constitutional Law class. So I pulled out my text book, and looked up the case, and here's what I found:

    Rice v. Paladin Enterprises, Inc., 940 F. Supp. 836 (D. Md. 1996). This was ultimately decided by a Federal District court. Often referred to as the "Murder by the Book case." Paladin had published a couple books (namely "Hit Man: A Technical Manual for Independent Contractors" and "How to Make a Disposable Silencer, Vol. II").

    Well, someone went and killed someone using the methods found in the books. Needless to say, the families of the victims were pretty pissed. So they brought Paladin to court. The first court said that Paladin could publish anything they want, after all, it's speech, and speech is _always_ protected (limitations on speech are justified by claiming it's not speech, just as a side note).

    So the case gets appealed to the district appeals court. The appeals court basically says "This is speech, but it's also aiding and abetting, which is not protected by the First Amendment."

    Therefore, if the courts use this as an example (as they tend to do), producing the tools will most likely be considered protected as speech, and therefore not something you can place a prior restraint on. However, if someone abuses your tools, chances are you can be held responsible.

    Then again, IANAL.