Bloomberg Anywhere Remote Login Bloomberg Terminal Demo Request


Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.


Financial Products

Enterprise Products


Customer Support

  • Americas

    +1 212 318 2000

  • Europe, Middle East, & Africa

    +44 20 7330 7500

  • Asia Pacific

    +65 6212 1000


Industry Products

Media Services

Follow Us

Bloomberg Customers


'T0rn' Arrest Alarms White Hats, Advocates

It could almost pass as a routine computer crime case -- a year-long probe

leads Scotland Yard cybercops to a home in the upscale London suburb of

Surbiton, where they seize computer equipment and arrest a 21-year-old man

under the UK's 1990 Computer Misuse Act.

But last Thursday's raid was anything but

routine, because the unnamed suspect, who has not yet been formally charged,

isn't accused of cracking computers, launching a denial of service attack or

distributing a virus. Instead, the joint Scotland Yard/FBI investigation is

focused on his alleged authorship of the "T0rnkit," a collection of custom

programs that help an intruder hide their presence on a hacked Linux

machine. It's apparently the first time the UK's national computer crime

law has been used to crack down on a programmer for writing a tool with

malicious applications -- and it's a chilling development to some security

researchers and electronic civil libertarians.

"I would definitely see it as troublesome," says Lee Tien, senior staff

attorney at the Electronic Frontier Foundation. "It's something we have to

look at very closely, because the general idea that you can go after someone

criminally for simply writing a program raises issues."

T0rnkit first began

showing up on hacked boxes two years ago. Like other so-called "rootkits,"

it includes programs that an intruder can drop into place over genuine

system commands that render the attacker invisible to the computer's

administrator. A replacement "ps" command, for example, will omit the

hacker's network sniffer from a list of processes running on the machine,

where an unadulterated version of the command would finger the intruder.

The package also includes a backdoor function that allows the attacker to

covertly return to a machine that they've hacked. "The more recent ones have

had loadable kernel modules, distributed denial of service tools, and stuff

like that," says Dave Dittrich, senior security engineer at the University

of Washington. "Most of the versions are circulated in the underground, and

they're tightly held."

In 2001, Chinese virus writers incorporated a modified T0rnkit into the

nasty "Lion" worm. But the kit itself is not a virus; it can't spread on its

own accord. And the man arrested last week -- now free pending an October

19th court appearance -- is not accused of breaking into any computers, or

of falling in with Chinese cybergangs. "The writing and distribution of the

tool is the offense," a Scotland Yard spokesman confirmed in a telephone

interview Monday.

And that worries some computer security researchers, who find it all to easy

to visualize themselves in the position of the anonymous UK suspect.

So-called "white hat" hackers often create programs with potentially

malicious applications as an exercise, or to advance the published research

base -- active intruders tend to keep their work private.

"I've written tools myself that have only marginal social value, so it

actually concerns me quite a bit," says Mark Loveless, a senior security

analyst with Bindview Corporation. "I'm worried that something like that

could happen to someone just because they have a high profile."

"PRETTY FRIGHTENING". Researchers are even publicly working

on a rootkit for Windows NT machines, a project that's headed -- not by

anonymous denizens of the cyber underground -- but by Greg Hoglund,

co-founder and CTO of security software company Cenzic, Inc. Aside from

research projects, many security professionals use hacker tools to perform

legitimate "penetration tests" against clients. And some of the most common

security tools like nmap or TCPdump can be used for good or ill.

"If they're arresting guys just for writing tools, that's pretty

frightening," says Steve Manzuik, co-moderator of the VulnWatch security

mailing list. "I guess anyone who's written a security type tool should be

concerned if this is going to become the next trend."

It's not a trend yet, but outlawing hacker tools has never been far from law

enforcement thoughts. Last year 33 countries, including the UK and the U.S.,

signed the Council of Europe's international cybercrime treaty, which

recommends prohibiting the creation or distribution of a hacking tool with

the intent that it be used to commit a crime, though a last minute change to

the treaty allows signatory countries to opt out of the provision.

So far, laws explicitly outlawing hacker tools are hard to find. The UK's

Computer Misuse Act applies to

someone who "causes a computer to perform any function with intent to secure

access to any program or data held in any computer," knowing that he or she

is acting without authorization. The hacker doesn't have to direct the

attack against any particular computer to be culpable under the law, which

carries up to two years in prison for a first time offense -- seven, if

damage resulted.

But the legalese, not dissimilar to U.S. computer crime laws, still allows

prosecutors some wiggle room. "You might not have a direct offense in the

computer crime law, but if there's an aiding and abetting or

solicitation -- those inchoate offenses -- you don't necessarily have to

have it in the law," says Tien.

Jennifer Granick, director of Stanford Law School's Center for Internet and

Society, says the result could be a kind of Sklyarov-in-reverse. Following

the arrest of a Russian programmer at a Las Vegas conference last year, some

cryptographic researchers professed reluctance to make presentations in the

U.S. for fear of running afoul of the Digital Millennium Copyright Act,

which prohibits distributing or using tools that circumvent copy protection

schemes. Depending on what happens in the T0rn case -- which is still in the

earliest stage -- U.S. security researchers may develop a reciprocal

aversion to the U.K.

"If this is really against their law, then you have jurisdictional

problems," says Granick. "Anywhere a tool is written, if it becomes

available in the UK, that becomes a crime... All sorts of researchers would

have to hesitate before visiting the UK." By Kevin Poulsen

blog comments powered by Disqus