Commentary: New Tools, Old Rules



New tools, old rules

Is L0phtcrack a burglary tool? Hacker-lawyer Jennifer Granick warns
that security auditing may soon be a felony.

By Jennifer Granick
March 20, 2000 3:50 PM PST


Burglary tools aren't just crowbars and lock picks anymore; now they
can also be electronic or virtual tools. Legally speaking, possession
of useful security software can be a crime if the possessor intends to
use that software to steal. That, says Hennepin County Attorney Amy
Klobuchar, is exactly what David Thomas Bell did last year.

Bell used L0phtcrack, a password recovery program, to get the user IDs
and passwords of workers at two of his former employers. He also
stole the worldwide customer list for one of the companies. Among
other counts, Klobuchar's office charged Bell with two felony counts of
"possession of burglary or theft tools," i.e. L0phtcrack.

Initial word on the Internet was that possession of L0phtcrack had been
declared illegal in Minnesota. Some Minnesota companies went so far
as to call the County Attorney's Office, which is responsible for
prosecuting adult crimes and juvenile offenses in the Minneapolis
Metropolitan Area, for advice on what to do with their copies of the
program.

Bell, however, didn't simply possess L0phtcrack. He used it to commit
crimes, and that made all the difference. The County Attorney
reassured callers that their copies of L0phtcrack were fine, so long as
they weren't planning any thefts. "I don't want anyone to think we're
targeting this software," Klobuchar said.

In fact, any and all software could be treated as L0phtcrack was, and
that concerns me.

Analog theft and burglary can be committed with one's bare hands --
so the use of tools that facilitate the crime, or make it easier to get
away, rightly earns the offender additional punishment. But in online
crime, the perpetrator must use tools, whether to sniff passwords,
transmit a virus or just log on.

Since every online theft involves tools, this charge is a gimme for
prosecutors, who can pile on additional counts that we wouldn't have
in a comparable offline crime. People will go to prison longer, for less.

License to Crack
Conviction for possession of burglary tools doesn't require that a
burglary, or even an attempted burglary, actually happen. All it requires
is possession plus the intent to burglarize or steal.

Intent is a common element in many crimes, but few defendants get on
the stand and testify that they were thinking guilty thoughts. Prosecutors
must use circumstantial evidence to prove intent. For example, if a
carpenter is walking down the street with a screwdriver in his toolbox,
that looks a lot less guilty than if that same carpenter is found outside
someone else's house, screwdriver in hand, and the window's been
conspicuously jimmied open.

Usually, though, cases aren't so clear. And since a screwdriver has
legitimate uses, we depend on juries to use their common sense to
distinguish between innocent possession and criminal possession.

And that's where the problem lies. While most jurors are familiar with
screwdrivers, lock picks or crowbars, the same can't be said for
L0phtcrack, Satan or Strobe. The average juror may have no idea
why someone would want a tool like L0phtcrack, other than to steal
passwords. And just try explaining Satan to a jury: if it's good, why
does it have such a bad name?

If prosecutors think copies of these programs on my client's machines
are evidence of the inclination and the ability to hack, the average
juror may go along, convicting people for possession of security tools
because they don't have a good reason for possession, rather than
because the prosecution proved they had a bad reason.

Only security professionals, like the carpenter on the way to his next
job, will be able to possess security tools without concern. This will
result in a de facto licensing requirement for the possession of
security programs. And that's no way to make the Internet safer.


Jennifer Stisa Granick is a defense lawyer practicing in the areas of high tech and computer crime from her office in San Francisco. She defends unauthorized access, trade secret theft, and email interception cases nationally. Granick has written articles on wiretapping, workplace privacy and trademark law for Wired. Additionally, she has spoken at Black Hat Briefings and to NASA computer security professionals about computer crime laws, digital forensics and evidence collection.

Want to link to this article? Use this URL:
< http://www.securityfocus.com/commentary/7 >