'T0rn' Arrest Alarms White Hats
A raid on the alleged author of a well-known hacker toolkit is raising eyebrows among electronic civil libertarians, and putting security researchers on guard.
Kevin Poulsen, Sep 24 2002 1:58PM
It could almost pass as a routine
computer crime case -- a year-long probe leads Scotland Yard
cybercops to a home in the upscale London suburb of Surbiton,
where they seize computer equipment and arrest a 21-year-old
man under the UK's 1990 Computer Misuse Act.
But last Thursday's
raid was anything but routine, because the unnamed
suspect, who has not yet been formally charged, isn't accused
of cracking computers, launching a denial of service attack or
distributing a virus. Instead, the joint Scotland Yard/FBI
investigation is focused on his alleged authorship of the
"T0rnkit," a collection of custom programs that help an
intruder hide their presence on a hacked Linux machine. It's
apparently the first time the UK's national computer crime law
has been used to crack down on a programmer for writing a tool
with malicious applications -- and it's a chilling development
to some security researchers and electronic civil
libertarians.
"I would definitely see it as troublesome," says Lee Tien,
senior staff attorney at the Electronic Frontier Foundation.
"It's something we have to look at very closely, because the
general idea that you can go after someone criminally for
simply writing a program raises issues."
T0rnkit first began showing up on hacked boxes two years
ago. Like other so-called "rootkits," it includes programs
that an intruder can drop into place over genuine system
commands that render the attacker invisible to the computer's
administrator. A replacement "ps" command, for example, will
omit the hacker's network sniffer from a list of processes
running on the machine, where an unadulterated version of the
command would finger the intruder.
The package also includes a backdoor function that allows the
attacker to covertly return to a machine that they've hacked.
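The trojaned "ps" described above works by filtering the process list, but it cannot remove the intruder's entry from the kernel's own view of the process table that Linux exposes under /proc. The following script, an added example and not code from the article or from T0rnkit, shows the classic defender's check: list /proc, run ps, and flag any PID that /proc knows about and ps does not. The sample host data (PIDs, command names, the ps header) is constructed for the demonstration; the script assumes a Linux-style /proc and a ps that accepts `-e -o pid=`.

```python
"""Cross-check /proc against `ps` output to spot processes a trojaned
`ps` is hiding (added example; not code from the article or T0rnkit).
Assumes a Linux-style /proc where each running process has a numeric
directory, and a `ps` that can print one PID per line (`ps -e -o pid=`).
"""
import os
import re
import subprocess

LEADING_PID = re.compile(r"^\s*(\d+)\b")


def parse_ps_pids(ps_text):
    """Collect the leading PID from each line of ps output; header lines
    and blank lines carry no leading integer and are skipped."""
    pids = set()
    for line in ps_text.splitlines():
        m = LEADING_PID.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def proc_pids(entries):
    """Keep only the numeric entries of a /proc directory listing
    (cpuinfo, self, sys, ... are not processes)."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(proc_before, proc_after, ps_pids):
    """PIDs present in /proc both before and after ps ran, yet absent
    from ps output. Requiring presence in both snapshots drops
    short-lived processes that merely started or exited around the ps
    call, which would otherwise produce false positives."""
    stable = proc_pids(proc_before) & proc_pids(proc_after)
    return stable - ps_pids


def scan_live_system():
    """Run the check on the current host. Returns the set of suspicious
    PIDs, or None where /proc or ps is unavailable (non-Linux hosts)."""
    try:
        before = os.listdir("/proc")
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True,
                             check=True).stdout
        after = os.listdir("/proc")
    except (OSError, subprocess.CalledProcessError):
        return None
    return hidden_pids(before, after, parse_ps_pids(out))


# Constructed sample data standing in for a compromised host.
# PID 1042 plays the intruder's sniffer: it exists in /proc but the
# replacement ps drops it. PIDs 1100 and 1103 are transient processes
# that appear in only one snapshot each and must not be reported.
SAMPLE_PROC_BEFORE = ["1", "2", "437", "1042", "1100", "self", "cpuinfo", "sys"]
SAMPLE_PROC_AFTER = ["1", "2", "437", "1042", "1103", "self", "cpuinfo", "sys"]
SAMPLE_PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:03 init
    2 ?        00:00:00 kthreadd
  437 pts/0    00:00:00 bash
"""


def demo():
    """Apply the check to the constructed sample; returns {1042}."""
    return hidden_pids(SAMPLE_PROC_BEFORE, SAMPLE_PROC_AFTER,
                       parse_ps_pids(SAMPLE_PS_OUTPUT))


if __name__ == "__main__":
    print("hidden in sample:", sorted(demo()))
    live = scan_live_system()
    if live is not None:
        print("hidden on this host:", sorted(live))
```

The double /proc snapshot is what keeps the check usable on a busy machine: a process that starts or exits while ps is running shows up in only one listing and is ignored, so the output is reserved for PIDs that were stable yet unreported. The check only catches replaced user-space binaries; the loadable-kernel-module variants the article mentions next can filter /proc itself, and finding those needs an offline comparison against a trusted boot medium rather than anything run on the suspect host.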
"The more recent ones have had loadable kernel modules,
distributed denial of service tools, and stuff like that,"
says Dave Dittrich, senior security engineer at the University
of Washington. "Most of the versions are circulated in the
underground, and they're tightly held."
In 2001, Chinese virus writers incorporated a modified T0rnkit
into the nasty "Lion" worm. But the kit itself is not a virus;
it can't spread of its own accord. And the man arrested last
week -- now free pending an October 19th court appearance --
is not accused of breaking into any computers, or of falling
in with Chinese cybergangs. "The writing and distribution of
the tool is the offense," a Scotland Yard spokesman confirmed
in a telephone interview Monday.
And that worries some computer security researchers, who find
it all too easy to visualize themselves in the position of the
anonymous UK suspect. So-called "white hat" hackers often
create programs with potentially malicious applications as an
exercise, or to advance the published research base -- active
intruders tend to keep their work private.
"I've written tools myself that have only marginal social
value, so it actually concerns me quite a bit," says Mark
Loveless, a senior security analyst with Bindview Corporation.
"I'm worried that something like that could happen to someone
just because they have a high profile."
Researchers are even publicly working
on a rootkit for Windows NT machines, a project that's headed
-- not by anonymous denizens of the cyber underground -- but
by Greg Hoglund, co-founder and CTO of security software
company Cenzic, Inc. Aside from research projects, many
security professionals use hacker tools to perform legitimate
"penetration tests" against clients. And some of the most
common security tools like nmap or TCPdump can be used for
good or ill.
"If they're arresting guys just for writing tools, that's
pretty frightening," says Steve Manzuik, co-moderator of the
VulnWatch security mailing list. "I guess anyone who's written
a security type tool should be concerned if this is going to
become the next trend."
It's not a trend yet, but outlawing hacker tools has never
been far from law enforcement thoughts. Last year 33
countries, including the UK and the U.S., signed the Council
of Europe's international cybercrime treaty, which recommends
prohibiting the creation or distribution of a hacking tool
with the intent that it be used to commit a crime, though a
last minute change to the treaty allows signatory countries to
opt out of the provision.
So far, laws explicitly outlawing hacker tools are hard to
find. The UK's Computer Misuse
Act applies to someone who "causes a computer to perform
any function with intent to secure access to any program or
data held in any computer," knowing that he or she is acting
without authorization. The hacker doesn't have to direct the
attack against any particular computer to be culpable under
the law, which carries up to two years in prison for a first
time offense -- seven, if damage resulted.
But the legalese, not dissimilar to U.S. computer crime laws,
still allows prosecutors some wiggle room. "You might not have
a direct offense in the computer crime law, but if there's an
aiding and abetting or solicitation -- those inchoate offenses
-- you don't necessarily have to have it in the law," says
Jennifer Granick, director of Stanford Law School's Center for
Internet and Society. Granick says the result could be a kind of
Sklyarov-in-reverse. Following the arrest of a Russian
programmer at a Las Vegas conference last year, some
cryptographic researchers professed reluctance to make
presentations in the U.S. for fear of running afoul of the
Digital Millennium Copyright Act, which prohibits distributing
or using tools that circumvent copy protection schemes.
Depending on what happens in the T0rn case -- which is still
in the earliest stage -- U.S. security researchers may develop
a reciprocal aversion to the U.K.
"If this is really against their law, then you have
jurisdictional problems," says Granick. "Anywhere a tool is
written, if it becomes available in the UK, that becomes a
crime... All sorts of researchers would have to hesitate
before visiting the UK."