by P.J. Connolly

Criminal confession

analysis
Oct 4, 2002

Hoping for lenience, P.J. admits crimes, throws himself at the mercy of the court, and promises to behave

I AM A computer criminal.

I figure that it’s better to simply ‘fess up, come clean, and hope that the court, in its wisdom, will have mercy and recognize that it was an act of youthful impulse — I haven’t engaged in such conduct for years — and that I recognize the grave seriousness of my offense.

You see, several years ago, as research for a comparison of anti-virus software to be published in another, long-gone-out-of-business magazine, I downloaded a virus toolkit, built a simple virus, and distributed it among the computers on my test bed. None of these machines was connected to the Internet. This virus has never gone “wild.”

There is no chance it ever will go “wild” unless I happen to find the floppy disk with the source code, because the virus won’t run on computers with a system date past 1997. To top it off, the payload is completely harmless: A pop-up box displays a message. That’s about it.

I know many of you are thinking that this is a pretty lame confession, and you’re right. But prosecuting legitimate security researchers who merely write tools that are exploited by others with nefarious intent is even more lame.

When Scotland Yard’s cybercrime task force picked up an unnamed suspect who allegedly created the “T0rnkit” rootkit, which includes programs that replace ordinary Linux binaries with compromised versions that allow backdoor access, it sent a chilling message to the security community.

A version of “T0rnkit” was adapted for use in the 2001 “Lion” worm. But Mr. X is not being charged with spreading the worm, or breaking into any machines; he is merely charged with writing code that exploited weaknesses in various Linux kernels. There’s no way to tie him to the “Lion” or any other conspiracy, so even that last resort of prosecutors won’t fly.

I’ve argued that using copyright laws to stifle legitimate security research is bad, but using criminal laws to do so is even worse. At least here in the States we have the luxury of freedom of speech thanks to the First Amendment, unlike Mr. X in England. But in the Brave New World of digital rights management, eternal vigilance against terrorism, and suppressed civil liberties, the offense of “criminal thought” cannot be too far in the future.

The problem with laws covering computer crime is that they cover everything, yet fit nothing. There’s no distinguishing between legitimate research and malicious behavior, whether in the United Kingdom’s Misuse of Computers Act or various laws enacted in the United States and other countries. Part of the reason is that in most cases the laws are being drafted by people who know how to write laws, but know nothing about how software is developed.

So, to get back to my plea, yes, I am a criminal. I have written a computer virus, I have downloaded various “cracker” kits, and what I want to know is: Will Uncle Sam someday send me to Club Fed for this?