September 25th, 2002, 06:21 PM
crack down on a programmer for writing a tool with malicious applications
'T0rn' Arrest Alarms White Hats
'The writing and distribution of the tool is the offense.'
-- Scotland Yard
"If they're arresting guys just for writing tools, that's pretty frightening," says Steve Manzuik, co-moderator of the VulnWatch security mailing list. "I guess anyone who's written a security type tool should be concerned if this is going to become the next trend."
-If you haven't noticed, they are starting to run out of people to point fingers at, and the increase of script kiddies that only know how to run code is starting to lead to the fingers being pointed at the original programmer of these suspected tools. Do you feel that this may be the next big trend?
September 25th, 2002, 06:38 PM
I'm kind of mixed about this one. On the one hand, if the tools were written specifically for the purpose of carrying out illegal activity, then I can agree with the arrest. Seems to me the tools are called "security" tools.
If they're security tools and have an original purpose other than hacking, I think it's ridiculous. It would be like arresting the head of Ford Motor Company because his cars are used by bank robbers. At this point, all I can see is trouble for security programmers.
September 25th, 2002, 07:13 PM
This would have to be taken on a case-by-case basis. Consider the Morris Worm. It was written to map out what was then the Internet. Because of an error in coding, the worm ran out of control and caused all kinds of problems. The worm was not intended to be malicious, but the end product caused damage. If the worm had functioned as intended, should Morris have been held accountable for any misdeeds done with his original code?
September 25th, 2002, 07:27 PM
A lot of this has to do with proving intent. Most security agencies feel it is a good practice to download and build such tools as long as the intent is to use them to test your own servers/networks that you have express written permission to audit.
When it comes to distribution, people will probably need to take greater care in authenticating and authorizing those who download the tools. Most people simply put them on anonymous FTP or web servers. If you have a proven list of people who you distributed to and that they have significant need of the tools (and hopefully non-malicious intent to use them), this can be handled by making people actually 'sign' for tools by giving them EULAs, and making them prove who they are by giving digital signatures or maybe even credit card info (doesn't have to charge, just using the processors to say that the person using the card is giving the correct info).
I think to get around this practice of persecuting the developers of the tools, the developers or companies/institutions they work for will have to show greater due diligence in their distribution methods.
It's kind of like the other software you buy: when you buy it you always get the EULA that says you won't use the code for Photoshop 6 to help Iraq build nuclear weapons. The developers/institutions will have to do more work to cover their asses legally.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
October 2nd, 2002, 10:56 AM
Juridian, while that is certainly a sound argument, it lacks practicality. Nobody trusts those "hey, give me your credit-card number so I know who you are... I promise not to charge it. Really, cross my heart I won't." Beyond that (and even WITH CC-based authentication), you don't know who anybody really is. Also, what do you suppose is a way to "prove" you need it? I, being a college student, could claim I need it because I'm taking a class in X type of computer security and I wish to analyze how it does whatever it does for a paper. Is that proof enough, or do I have to then show that I'm actually in such a class? Who is going to deal with meticulously following up on EVERY request for the app?
Most sites that host security software already have disclaimers that say "nothing on here is to be used for malicious purposes; everything is provided for educational purposes only" or something similar with an "I agree" button. That sounds pretty much like the web version of an EULA to me.
There are 10 types of people in this world: those who understand binary, and those who don't.
October 2nd, 2002, 11:12 AM
I'd have to agree that everything that could be done for protection against malicious use of these programs has been done. That is, within reason. To arrest the authors of these programs is ridiculous for one reason in particular. As aforementioned, the programs in question could be used either for harm or for security progression. Either offensive measures or defensive. Within the context, it is no different from a gun, knife, or even (aforementioned as well) a vehicle. To deny the rights of use of these tools because of harmful potential would logically mean they should deny us our guns, our knives, and our cars, among many other things (even plastic silverware can kill, and hey, anybody ever heard of people tripping over children's toys and breaking their neck? Heh, harmful potential). Whatever happened to civil liberties?
The radiance of ignorance in a world of nothingness and all of this time your pestilence has created nothing but uselessness
October 2nd, 2002, 03:48 PM
I agree with imaginedsanity, especially if the code kiddie downloads just the source and has to compile the source themselves. If I stab you with a candy cane, should the maker be held for the candy cane's potential to be sharpened down and used as a weapon? What happened to personal accountability and responsibility?
October 2nd, 2002, 04:05 PM
Good thoughts on the entire thread!
In my programming experience, any script I write or any code I create, I document the crap out of it. Only twice have I written anything that could've been deemed a "risk" (a network scanner specifically for P2P agents in a work environment, and something else). In the header, though, was a disclaimer of what the intent was, who wrote it, and that I, the author, accept no responsibility for anyone's misuse as there is no warranty, express or implied. Sure, that won't hold up completely, but if I create a legit *tool* for a specific task and someone abuses it through a loophole or bug or whatever, I can show proof that that's not what the original task was meant to be.
As for personal accountability and responsibility, that's just getting worse every day. Kids nowadays have access to cable modems, DSL, high school computer labs, etc etc... I bet 80% of them are under 18, which makes them "invulnerable" to the law. What I would do is remove all repositories of code that is blatantly destructive or abuses a loophole/bug. Where you could put that so that tracking is easier on those that use it is beyond me, but the wide availability of these hacks/cracks/scripts for breaking/destroying/denial-of-service is not at all helping the issue.
The authors that write code that abuses loopholes and such, if they're doing it for fun just because they're that smart, that's fine...but when it's made available to the unknown masses, that's where it starts going downhill. Do they serve time for someone using their stuff or can they claim feigned ignorance by saying "Well I never knew someone would use it..."?
Disclaimer: these are my opinions...and do not reflect those of AO or anyone else.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.