10/07/2002

In response to the T0rnK1t dilemma, regarding legislation being applied to the apprehension of persons developing software of this nature.

The apparent legal position being taken is that the development or authorship of such software is the primary offense. Apparently, a relevant text in the UK, where these problems are currently occurring, is the COE Cybercrime Treaty, which makes illegal [1] ->

a. the production, sale, procurement for use, import, distribution or otherwise making available of:
   i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 - 5;
b. the possession of an item referred to in paragraphs (a)(1) or (2) above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 - 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

The important part of the above is the statement "primarily for the purpose of committing any of the offences established...". An interpretation of this, which seems to be quite cohesive with the courts, is that if software was written to break into a computer, then yes, that program is now going to be held relevant. That is, if your intent was to use it for the primary purpose of committing an offense. That does not imply that the purpose of writing software such as t0rnkit or other such programs is to commit an offense such as computer trespass. Much akin to the fact that a gun, which has a primary purpose of being a weapon, does not indicate that my primary purpose or ownership is to commit a felony. If I do however use a gun to commit an offense, then it is certain that the severity of charges and sentencing will be escalated.

In the realm of drug offenses.
The ownership of a utensil for the primary purpose of inhaling smoke produced by the burning of "tobacco" or other non-prohibited substance is a lawful activity under many legislative systems. If that utensil is then used for the purpose of intaking an illegal substance, it is now illegal possession of a utensil for the purposes of consumption of a prohibited substance.

Rootkits as they stand are not even conceivable as being authored for the primary purpose of a direct offense, as a rootkit is not a means of breaking into a computer, only of maintaining control of the system. This may be for legitimate reasons or illegitimate reasons. The lawful purposes of rootkits are far and many and best explained elsewhere. However, they do have uses in maintaining "legitimate" control of a system.

Is a Honeypot, which is so widely proclaimed by many who see otherwise for less popular software developers, a rootkit? A Honeypot indeed has abilities to gather information passively for use in following intruders. A rootkit often has this exact functionality! A rootkit can seemingly remove your visible presence from the system. A Honeypot has this explicit requirement, else what is the point!

Most or all security software may be used in an appropriate or inappropriate manner. The security industry specializes in understanding the weak and strong points of computing. It is only natural that these can be used for either lawful or unlawful activities.

I worked for a company performing vulnerability assessment. Many other companies do this also. It is our profession to actively probe systems for security problems - and develop the software to do this automatically. If the author of t0rnkit was arrested because and only because of t0rnkit, then perhaps there should be an enquiry into the entire commercial corporate sector of the computing industry!

"The Supreme Court's decisions in Scales and Robel established what is accepted today as a basic tenet of constitutional law: guilt cannot be imposed based solely on one's association with an organization that has both lawful and unlawful ends. Instead, guilt must be personal, and it must be based on clear proof of an intent to further the unlawful ends of such an organization by resort to force or violence." [2]

Perhaps it is not a question of violence or force in the t0rnkit drama; however, the underlying meaning remains the same as quoted. Rootkits indeed have lawful and unlawful applications. If the author of t0rnkit is arrested, it is not because of his association with an ambiguity of the subjective validation of his software which is used for both lawful and unlawful activities. It is because he has committed an offense. If it is only because his software is seen as an unnecessary evil with less positive reward, then I would pray that this be dropped quickly, and we be forced to settle with the unnecessary evils of the constitution and the necessary deviances to maintain fundamental freedoms and liberties.

[1] HTTP://conventions.coe.int/Treaty/EN/CadreListeTraites.htm
[2] "Silencing Political Dissent", Nancy Chang. Page 29.

--
Silvio