Slashdot Mirror


Rootkit Developers And Legal Liability

FatherTim writes: "I just saw this posting over at SecurityNewsPortal, and thought it would be of interest. It's a question regarding the potential civil risk that developers of rootkits, vulnerabilities, and exploit developers. It does cause one pause to consider the responsibility that would be associated with full-disclosure." Considering the fine line between evil cracking tools and legitimate remote access tools (how about BackOrifice?), this seems like asking whether hammer makers are responsible for murders-by-hammer. (On second thought, don't give any lawyers wind of that idea.)

3 of 189 comments

  1. Full disclosure is _necessary_ by arcade · Score: 5

    Full disclosure of cracking tools is a necessity. I will not argue about whether it should be punishable to create them, but _publishing_ them when they exist - is commendable.

    First, let's dive into the history of computer security. Crackers have existed as long as computers have existed. The term 'worm' was coined for them on Usenet in the early eighties. It never caught on. Later the term 'cracker' was coined. They broke into systems, they had their tools - which circulated among the crackers. When a hole in a daemon / some suid software was discovered - the company that created the software often took months and _years_ to plug the holes. It was not a priority. Admins most likely never knew about them.

    And onto this scene came the Morris worm. It quickly spread to the entire Internet, using bandwidth and CPU power, exhausting disk and memory. The Internet was literally shut down for about a week while people crowded onto FidoNet and other networks to create a solution to remove the menace.

    After this, CERT (Computer Emergency Response Team) was created. They were to deal with known vulnerabilities - and get the software vendors to patch up their software. Which they did -- but they gave the vendors far too much time. In the most extreme cases - years. When the vendor had a patch, the vulnerability was published in a CERT advisory.

    The problem was that crackers found vulnerabilities, and the knowledge about the holes spread underground. Some admins knew about them - and patched their systems manually. Most admins did NOT know about it. The crackers had far too much power.

    Enter Bugtraq and full disclosure. A mailing list where people could discuss vulnerabilities they had discovered. A place where they could post tools they had discovered, rootkits, exploits, and so forth. A mailing list where full disclosure was practiced.

    The result? Software vendors were forced to patch up their systems MUCH faster than before, since the exploits that earlier were circulated only among bad guys now became widespread and known to the entire world. Consumers would bug their vendors until they delivered a patch.

    Today, we can thank Bugtraq - and aleph1 in particular - that we've got extremely fast responses from most software vendors when vulnerabilities are discovered. From the time a vulnerability is discovered to when the vendor publishes a patch... well, most of the time it's done within a few days - or at a maximum of 10-14 days. That is a hell of an improvement over the time it took to get a patch developed before Bugtraq entered the stage.

    In short: we _need_ a place where admins can share information about known vulnerabilities. We _need_ a place where tools that are found in the wild can be found by _everyone_. If we don't make that information freely available - a select few will have the power to wreak havoc upon the net. Without it - admins will remain clueless when it comes to security issues. And that -- that is not a situation we want to return to.

    (I'm sorry for any misspellings, inconsistencies or blatant errors in this post; I've written from memory / what I've read - and there are bound to be mistakes.)

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca

  2. Intent *does* matter by GroundBounce · Score: 5

    The argument about the hammer being illegal is an old one, and the flaw with the argument is that it doesn't take intent into account. The law can never be completely objective because humans have intent, and intent is a subjective thing.

    Virtually any object in the world can be used as a weapon, but we obviously can't outlaw all physical objects, can we?

    That being said, there are gray areas, such as guns. Guns are clearly designed to be a lethal weapon; however, there are many non-lethal and justifiable uses for guns, so regulation is controversial.

    I suspect the same can be said of cracking tools; there are clearly some that are designed to be primarily malicious, and some are designed to be useful but could be used maliciously in the wrong hands, much like a gun. It seems that these types of tools will have to be considered on a case-by-case basis.

  3. A Similar Court Case... by Thomas+M+Hughes · Score: 5

    I saw this, and thought of something from my old Constitutional Law class. So I pulled out my textbook, and looked up the case, and here's what I found:

    Rice v. Paladin Enterprises, Inc., 940 F.Supp. 836 (D.Md. 1996). This was ultimately decided by a Federal District court. Often referred to as the "Murder by the Book case." Paladin had published a couple of books (namely "Hit Man: A Technical Manual for Independent Contractors" and "How to Make a Disposable Silencer, Vol II.").

    Well, someone went and killed someone using the methods found in the books. Needless to say, the families of the victims were pretty pissed. So they brought Paladin to court. The first court said that Paladin could publish anything they want; after all, it's Speech, and Speech is _always_ protected (limitations on speech are justified by claiming it's not speech, just as a side note).

    So the case gets appealed to the district appeals court. The appeals court basically says "This is speech, but it's also aiding and abetting, which is not protected by the First Amendment."

    Therefore, if the courts use this as an example (as they tend to do), producing the tools will most likely be considered protected as speech, and therefore not something you can provide a prior restraint on; however, if someone abuses your tools, chances are you can be held responsible.

    Then again, IANAL.