SecurityFocus 2002-09-24
A raid on the alleged author of a well-known hacker toolkit is raising eyebrows among electronic civil libertarians, and putting security researchers on guard.
But last Thursday's
"I would definitely see it as troublesome," says Lee Tien, senior staff attorney at the Electronic Frontier Foundation. "It's something we have to look at very closely, because the general idea that you can go after someone criminally for simply writing a program raises issues."
The package also includes a backdoor function that allows the attacker to covertly return to a machine that they've hacked. "The more recent ones have had loadable kernel modules, distributed denial of service tools, and stuff like that," says Dave Dittrich, senior security engineer at the University of Washington. "Most of the versions are circulated in the underground, and they're tightly held."
In 2001, Chinese virus writers incorporated a modified T0rnkit into the nasty "Lion" worm. But the kit itself is not a virus; it can't spread of its own accord. And the man arrested last week -- now free pending an October 19th court appearance -- is not accused of breaking into any computers, or of falling in with Chinese cybergangs. "The writing and distribution of the tool is the offense," a Scotland Yard spokesman confirmed in a telephone interview Monday.
And that worries some computer security researchers, who find it all too easy to visualize themselves in the position of the anonymous UK suspect. So-called "white hat" hackers often create programs with potentially malicious applications as an exercise, or to advance the published research base -- active intruders tend to keep their work private.
"I've written tools myself that have only marginal social value, so it actually concerns me quite a bit," says Mark Loveless, a senior security analyst with Bindview Corporation. "I'm worried that something like that could happen to someone just because they have a high profile."
Researchers are even publicly
"If they're arresting guys just for writing tools, that's pretty frightening," says Steve Manzuik, co-moderator of the VulnWatch security mailing list. "I guess anyone who's written a security type tool should be concerned if this is going to become the next trend."
It's not a trend yet, but outlawing hacker tools has never been far from law enforcement's thoughts. Last year 33 countries, including the UK and the U.S., signed the Council of Europe's international cybercrime treaty, which recommends prohibiting the creation or distribution of a hacking tool with the intent that it be used to commit a crime, though a last-minute change to the treaty allows signatory countries to opt out of the provision.
So far, laws explicitly outlawing hacker tools are hard to find. The UK's Computer Misuse
But the legalese, not dissimilar to U.S. computer crime laws, still allows prosecutors some wiggle room. "You might not have a direct offense in the computer crime law, but if there's an aiding and abetting or solicitation -- those inchoate offenses -- you don't necessarily have to have it in the law," says Tien.
Jennifer Granick, director of Stanford Law School's Center for Internet and Society, says the result could be a kind of Sklyarov-in-reverse. Following the arrest of a Russian programmer at a Las Vegas conference last year, some cryptographic researchers professed reluctance to make presentations in the U.S. for fear of running afoul of the Digital Millennium Copyright Act, which prohibits distributing or using tools that circumvent copy protection schemes. Depending on what happens in the T0rn case -- which is still in the earliest stage -- U.S. security researchers may develop a reciprocal aversion to the U.K.
"If this is really against their law, then you have jurisdictional problems," says Granick. "Anywhere a tool is written, if it becomes available in the UK, that becomes a crime... All sorts of researchers would have to hesitate before visiting the UK."