[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[infowar.de] erstmals Verhaftung wg. Hacker-Tool

To: "Infowar.de" <infowar - de -! - infopeace - de>
Subject: [infowar.de] erstmals Verhaftung wg. Hacker-Tool
From: Ralf Bendrath <bendrath -! - zedat - fu-berlin - de>
Date: Mon, 30 Sep 2002 15:50:37 +0200
Organization: http://www.fogis.de
Reply-to: infowar - de -! - infopeace - de
Sender: bendrath -! - zedat - fu-berlin - de

Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

Damit ist genau das eingetreten, was Viele im Zusammenhang mit der
Europäischen Cybercrime-Konvention befürchtet haben. Nicht mehr nur das
Cracken selber wird unter Strafe gestellt, sondern das Programmieren von
Tools dafür. Diese Tools sind aber 100% dual-use, weil sie auch von
IT-Sicherheitstestern für gute Zwecke eingesetzt werden. Mit der
gleichen Logik müssten mindestens auch sämtliche Waffenhersteller
verhaftet werden, nicht nur die Leute, die damit durch die Gegend
ballern (obwohl eine Waffe nicht so viele "gute" Anwendungen hat).
RB

'T0rn' Arrest Alarms White Hats, Advocates

http://online.securityfocus.com/news/813

By Kevin Poulsen, 
Sept 24, 2002 

It could almost pass as a routine computer crime case -- a year-long
probe leads Scotland Yard cybercops to a home in the upscale London
suburb of Surbiton, where they seize computer equipment and arrest a
21-year-old man under the UK's 1990 Computer Misuse Act.

But last Thursday's raid was anything but routine, because the unnamed
suspect, who has not yet been formally charged, isn't accused of
cracking computers, launching a denial of service attack or
distributing a virus. Instead, the joint Scotland Yard/FBI
investigation is focused on his alleged authorship of the "T0rnkit," a
collection of custom programs that help an intruder hide their
presence on a hacked Linux machine. It's apparently the first time the
UK's national computer crime law has been used to crack down on a
programmer for writing a tool with malicious applications -- and it's
a chilling development to some security researchers and electronic
civil libertarians.

"I would definitely see it as troublesome," says Lee Tien, senior
staff attorney at the Electronic Frontier Foundation. "It's something
we have to look at very closely, because the general idea that you can
go after someone criminally for simply writing a program raises
issues."

T0rnkit first began showing up on hacked boxes two years ago. Like
other so-called "rootkits," it includes programs that an intruder can
drop into place over genuine system commands that render the attacker
invisible to the computer's administrator. A replacement "ps" command,
for example, will omit the hacker's network sniffer from a list of
processes running on the machine, where an unadulterated version of
the command would finger the intruder.

The package also includes a backdoor function that allows the attacker
to covertly return to a machine that they've hacked. "The more recent
ones have had loadable kernel modules, distributed denial of service
tools, and stuff like that," says Dave Dittrich, senior security
engineer at the University of Washington. "Most of the versions are
circulated in the underground, and they're tightly held."

In 2001, Chinese virus writers incorporated a modified T0rnkit into
the nasty "Lion" worm. But the kit itself is not a virus; it can't
spread on its own accord. And the man arrested last week -- now free
pending an October 19th court appearance -- is not accused of breaking
into any computers, or of falling in with Chinese cybergangs. "The
writing and distribution of the tool is the offense," a Scotland Yard
spokesman confirmed in a telephone interview Monday.

And that worries some computer security researchers, who find it all
to easy to visualize themselves in the position of the anonymous UK
suspect. So-called "white hat" hackers often create programs with
potentially malicious applications as an exercise, or to advance the
published research base -- active intruders tend to keep their work
private.

"I've written tools myself that have only marginal social value, so it
actually concerns me quite a bit," says Mark Loveless, a senior
security analyst with Bindview Corporation. "I'm worried that
something like that could happen to someone just because they have a
high profile."
  
"Pretty Frightening"

Researchers are even publicly working on a rootkit for Windows NT
machines, a project that's headed -- not by anonymous denizens of the
cyber underground -- but by Greg Hoglund, co-founder and CTO of
security software company Cenzic, Inc. Aside from research projects,
many security professionals use hacker tools to perform legitimate
"penetration tests" against clients. And some of the most common
security tools like nmap or TCPdump can be used for good or ill.

"If they're arresting guys just for writing tools, that's pretty
frightening," says Steve Manzuik, co-moderator of the VulnWatch
security mailing list. "I guess anyone who's written a security type
tool should be concerned if this is going to become the next trend."

It's not a trend yet, but outlawing hacker tools has never been far
from law enforcement thoughts. Last year 33 countries, including the
UK and the U.S., signed the Council of Europe's international
cybercrime treaty, which recommends prohibiting the creation or
distribution of a hacking tool with the intent that it be used to
commit a crime, though a last minute change to the treaty allows
signatory countries to opt out of the provision.

So far, laws explicitly outlawing hacker tools are hard to find. The
UK's Computer Misuse Act applies to someone who "causes a computer to
perform any function with intent to secure access to any program or
data held in any computer," knowing that he or she is acting without
authorization. The hacker doesn't have to direct the attack against
any particular computer to be culpable under the law, which carries up
to two years in prison for a first time offense -- seven, if damage
resulted.

But the legalese, not dissimilar to U.S. computer crime laws, still
allows prosecutors some wiggle room. "You might not have a direct
offense in the computer crime law, but if there's an aiding and
abetting or solicitation -- those inchoate offenses -- you don't
necessarily have to have it in the law," says Tien.

Jennifer Granick, director of Stanford Law School's Center for
Internet and Society, says the result could be a kind of
Sklyarov-in-reverse. Following the arrest of a Russian programmer at a
Las Vegas conference last year, some cryptographic researchers
professed reluctance to make presentations in the U.S. for fear of
running afoul of the Digital Millennium Copyright Act, which prohibits
distributing or using tools that circumvent copy protection schemes.  
Depending on what happens in the T0rn case -- which is still in the
earliest stage -- U.S. security researchers may develop a reciprocal
aversion to the U.K.

"If this is really against their law, then you have jurisdictional
problems," says Granick. "Anywhere a tool is written, if it becomes
available in the UK, that becomes a crime... All sorts of researchers
would have to hesitate before visiting the UK."

<tips -!
- securityfocus -
 com>

---------------------------------------------------------------
Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.

Prev by Date: [infowar.de] RAND-Umfrage zu Information Infrastructure Security
Next by Date: [infowar.de] USA wollen mit Flugblättern auf Iraks B/C-Waffen-Kommandeure zielen
Previous by thread: [infowar.de] RAND-Umfrage zu Information Infrastructure Security
Next by thread: [infowar.de] USA wollen mit Flugblättern auf Iraks B/C-Waffen-Kommandeure zielen
Index(es):
- Date
- Thread