'Hacking' To Be Declared Illegal
sowalsky sent us an MSNBC story that talks about hacking being declared illegal. It talks about the difference between hacking and cracking,
but more importantly, how the Draft Cybercrime Treaty would make things like BugTraq illegal, as publishing exploits would be aiding and abetting.
The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt.
Does this mean that just because I'm a home user/developer (not a 'professional network administrator') I can't run nmap on my system? And who determines 'professional network administrator'? Do I need a note from my boss? Or do I have to register with the gov't? I do administer two systems at home, and I do some development for work on them. Am I a professional or an amateur? What about someone in school who's learning sysadmin? Do they need a letter from their teacher saying they're allowed to look at Bugtraq? Maybe we could just make all the security sites and mailing lists government entities. You register with your SSN and passport number, and, if you have no priors, then you can see what's going on.
grrrr . . .
Very few. A lot of them were high-profile though.
Contrary to the popular belief, there indeed is no God.
I've been approached by a private investigator recently. Someone on disability appears to be running a business from his house, the investigator wants to know if I can break into his computer and collect evidence.
Note that I have not agreed to the above, and will not until I get more information. However we can all agree that IF fraud is committed the evidence I collect would be honest, but if not I would be stepping over the line. So are cracking tools illegal? The private investigator can presumably use lock picks (burglar's tools which are illegal to possess) to break into this person's house to collect evidence. (The law is very shady here)
A loaded gun does not necessarily kill someone. I've handled a loaded gun several times, and yet none of those guns have killed someone. If the gun is not treated like it will kill someone, yet it probably will (at some time) injure someone. Even then though, there are few places where you can get shot and killed making accidents more likely to require a hospital stay than a funeral. Ronald Reagan was shot in 1982(?), and it didn't kill him. Many others have been shot and not died.
A gun can kill people. So can a knife. A gun can also put food on a poor person's table. A gun can make for an enjoyable afternoon of target practice. A knife can cut an onion. A baseball thrown at someone's head can kill. A baseball bat can kill someone. Combine the bat and ball and you have America's favorite pastime.
We (the USA) learned that lesson the hard way in the 1920s, with prohibition.
I think it's rather obvious that we learned nothing from prohibition, else we would not be spending obscene amounts of money trying to prevent people from smoking pot in this country. It's done nothing but increase the number of people that are deemed criminals, fill up our prisons to the point where we are constantly building new ones, increase actual violent crime and theft, increase corruption of our own and foreign governments, and violate the basic human rights of millions of people.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
I am a lawyer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your jurisdiction.
Judicial review is really kind of hard to avoid. First of all, the Federalist Papers made it clear that this was understood to be how things would be done. Second, when forcing something to be done (or not done), the action is taken in court. Judicial review of a law is in reality the court deciding whether or not it has authority to act as one party is demanding: if there is no Constitutional authority for the law, then any court action enforcing the law would exceed the powers granted the court in the Constitution . . .
This becomes necessary because the Constitution enshrines the Supreme Court as the highest court. Other solutions are possible, though--instead of a Supreme Court, we could use the Senate, a la the British House of Lords (in which it's actually a committee of Law Lords; the rest of the chamber just rubber stamps)--but that would require a different structure.
hawk, esq.
How does security through obscurity NOT work?
At the risk of feeding a troll...
Security through obscurity does not work in much the same way as believing that you can fly by flapping your arms doesn't work. Or the same way that Trade Secrets are only protected so long as everyone keeps their mouth shut and nobody finds out how to do it on their own.
An example: You have your box accepting telnet on port 22 instead of 23. That's security through obscurity. If I happen across it and find telnet responding on an odd port, that just intensifies my curiosity. What are you trying to hide by covering it with such a thin veil of protection?
Another example: You encrypt your sex diary by XORing with the word "sex". You don't tell anyone that you XOR it but you instead say "I've got strong security on my sex diary." Now someone like me comes along and plays around and breaks it with a lucky guess or three. What safety did your security through obscurity provide? Absolutely none.
If you're gonna do something, do it right. That includes writing software to be free from bugs and "unplanned features". If you rely on your system to be secret enough to not warrant any stronger security measures, you deserve to be rooted.
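The XOR case from the comment above, as an added illustration that is not part of the original post: it shows why a short repeating XOR key gives no protection once a reviewer guesses a few bytes of plaintext. The sample diary text and the function names are constructed for this example; the key "sex" is the one the comment names.

```python
"""Added illustration: XOR with a short repeating word is obscurity, not encryption."""
from itertools import cycle
from typing import Optional, Tuple

# Constructed sample plaintext; the key is the word named in the comment above.
DIARY = b"Dear diary, nothing of interest happened today."
KEY = b"sex"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated end to end; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes,
                max_keylen: int = 16) -> Optional[bytes]:
    """Recover a repeating XOR key from a guessed plaintext prefix.

    ciphertext XOR plaintext yields the keystream. A repeating key shows up as
    the shortest period of that keystream. At least two full repetitions are
    required so that a very short guess cannot produce an accidental match.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, min(max_keylen, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def audit(ciphertext: bytes, known_prefix: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (key, plaintext) when the scheme falls to a guessed prefix, else (None, None)."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None, None
    return key, xor_repeat(ciphertext, key)


if __name__ == "__main__":
    ct = xor_repeat(DIARY, KEY)
    key, plain = audit(ct, b"Dear diary")  # a plausible opening for a diary file
    print("recovered key:", key)
    print("recovered text:", plain)
```

The secrecy of the method contributed nothing here: one guessed greeting exposes the whole key, which is the commenter's point about relying on the scheme staying unknown.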
Here's a footnote from the Word version available at http://conventions.coe.int/treaty/EN/projets/cybercrime.doc (yes I'm using windows...) :
Several comments from industry indicated that the so-called "cracking-devices", to which Article 6 applies, may also be used legitimately to test system security. The explanatory report shall clarify that the conduct defined by Article 6, when undertaken with such legitimate purposes, would be considered to be "with right". Furthermore, the burden of proof of the unlawfulness of conduct under Article 6 would lie with the prosecution. In this context, reference should be made to the footnote under Article 2 concerning the meaning of "without right".
That would seem to indicate that comments (from someone at least -- "industry" could mean anything from Microsoft executives to me) weren't ignored.
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
but this is ridiculous. First, it was letting AOLers on to Usenet. Then it was the plethora of ISP's and all the newbie net users. Remember the CDA? Submarine net patents? DMCA? I feel like I've had a run in with one million Michele Triola's, and I'm no Lee Marvin.
I'm going to propose something radical, something elitist, something morally wrong, something curmudgeonly. But I remember the "Good Old Days". Well, they are not that old. And at 9600 baud, "Good" is a relative term. But I'll lose the bandwidth. I'll lose the web. I'll lose everything except mail, usenet, telnet, ftp, and a small smattering of other services. But I want them gone. The users. Almost all of them. Everyone who first got online after 92, maybe up to 94.
Maybe this is flamebait. Maybe this is a troll. I don't know. I don't care. I'm seeing red. Nothing but crimson red. We had everything we needed back then. Gopher, usenet, mail, and muds. It was the holy quartet. Everyone knew something about computers. You couldn't get online if you didn't. Remember typing in slip manually? How about hand timing a script to pick up as soon as PPP connected? Everybody had to do this. Sure, we couldn't email our moms then. But I'll give that back too. To be on the net was something that only you understood. Your family didn't know or care. Hell, they couldn't think of a reason they would use it. They were right.
Now I know what you are thinking. The net is too powerful to keep away from everyone. Its draw is irresistible. Like moths to a flame, people are drawn to information. Like Stella Liebeck to her coffee cup, the masses came to the net. And both were pissed when it was hot. Sometimes, it is better to never serve coffee in the first place. We thought community, they thought lawsuits. We thought information, they thought "of the children". We thought porn... Well, they thought the same thing. They cannot always be wrong, you know.
And speaking of the children, how come I don't hear about parents complaining about all of those 8 year old drivers out there. Oh, 8 year olds cannot drive? What does this logically imply Skippy? Really? If I truly feel that the net is as dangerous as a car, I shouldn't let my kids use it just like I don't let them drive a car? Nah, that is too much. I'll just demand for laws to protect them. Lord knows I'm not going to.
I'm not seriously proposing that we get rid of the "masses". I know it is impossible. But we should have kept it from them. Somehow. Maybe like a clue server on netrek. We could have kept all that knowledge and power to ourselves. The net would have been smaller, but we would have had so much more power because of it. Like gods among men, we could have levied our advantage to get sensible preemptive laws put into place. We knew they were coming. We should have prepared.
In short, we had it all, we gave it away. It doesn't suck yet, but it could. And we could have prevented it. Maybe we still can, but we definitely could have by acting earlier.
Of course, that's just my opinion. I could be wrong.
This sort of treaty is asinine because every person should have the freedom to learn how things work. The mere ownership of hacking tools doesn't denote the misuse of the tool. A just society punishes individuals based on their activity and behavior with tools, not ownership. Anything else is presumption that the law always knows the best use and intent for a tool.
This is really about freedom when you get down to it. Do you have the liberty to run Nmap on your own network, or do you have to pay $200/hour to some monkey that is endorsed by a bureaucrat? Will the knowledge of computer security be outlawed so that a privileged class of individuals can do what anyone else could have done themselves? I certainly hope not.
-- Solaris Central - http://w
My only criteria are (1) bandwidth (2) food quality/availability and (3) climate. I hear Brazil is nice...
--
Care about electronic freedom? Consider donating to the EFF!
On the other hand, the only thing proven to reduce crime is keeping habitual criminals in jail until they are too old for the game.
The real answer is we need enough jails to keep all the street thugs off the streets, no more, no less. Until we fix or delete the drug war, we are unlikely to know whether this is more or less than we already have.
I wrote parts of this stuff
When your kid asks for a new bicycle (to go upstairs/fuel for his car/ etc...) give him a loaded gun instead - it's safer that way.
Being at work, I don't have the numbers on me, but more children die (individually) as a result of falling down stairs, drowning, or being hit by a car while on a bicycle each year than by negligent firearms use. Not that anyone can really be expected to know that, considering how one-sided the media can be about these issues.
I'd feel my children to be a lot safer with a gun in the house than a pool in the back yard or stairs to fall down. Just because I managed to survive both pools and stairs to reach breeding age doesn't mean that they're inherently safer. In fact, they're much more dangerous.
--
It's pretty pathetic when karma can drop when you do nothing
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Well, you see, a gun is made to kill/break/hurt something. Maybe a person, maybe a tasty animal, maybe a target, but something.
/. reader should know how often the government sides with us poor citizenry.
So are clubs. So are knives. Yet you don't see the same rabid attacks against them. I maintain that they are all tools. Nothing more, nothing less.
A club was originally designed to bash something in order to kill/break/hurt it. Do we have regulation? No. Is it easy to obtain? Damn straight, if there are trees or construction or anything of a suitable shape out there. Are they incredibly prevalent in society? Well, I see them used every time I watch a baseball game . . . Are they blamed when someone's beaten to death? No. Can they be used for good OR evil? Yes.
Same with knives. Originally designed to cut and stab things. You can buy them in a sporting goods department. You can buy them from RonCo. You can get them in any kitchen store. They're probably more prevalent than any other object intended as a weapon. Do a quick check: how many knives are there in your house right now? Don't you think you should check this knife proliferation? Do we have to treat you with kid gloves because you might flip out and go on a stabbing spree?
Anyway, you can't compare gun control to hacking control, or anything else, because a gun is a weapon, designed to hurt something, and other things cause damages as a side effect.
Sure you can. I could easily use ping, traceroute, nmap, the latest DDoS scripts, etc, as weapons against your system. I could crash it, hurting either your hardware, your ISP's hardware, potentially a business' revenue. One exists in the physical realm (guns), the other in the electronic realm ("hacking" tools). They can both be used as weapons, both offensive and defensive. How they're used is the responsibility of the user. Neither has an inherent evil nor an inherent good, anymore than that thick piece of wood you're brandishing to either scare off the strangers, or coerce money from the locals with. They just exist.
(Sorry, guns do not have a side effect of reducing crime,
I beg to differ. Just the very act of training with a gun, knowing how to use it, knowing you don't have to be a victim reduces crime. It gives you a level of self-confidence and self-assurance in yourself and your abilities. Sure, you might not have a gun on you at the time, but predators can smell fear and intimidation. If you have that self-confidence in yourself, you become less attractive as prey.
Plus, if you do have a gun, you don't necessarily need to use it. It's a method of last resort to have to shoot someone. Every personal protection course I've ever taken (NRA-sponsored, no less) emphasizes that the best course of action is to get away as quickly as possible. Barring that, try to find a non-violent solution (this could be as simple as shouting, or telling someone you have a gun, or showing it, but you'd better be prepared to use it at that point). Otherwise, as a last resort, use violence of whatever kind is necessary to protect yourself and/or your family.
Personally, I plan to take every step possible to defend what's mine. That means in the physical world, having access to firearms, being trained in their use, and having the resolve to use them should that need ever arise. I don't intend to sit idly by waiting for the police to show up at some indeterminate point in the future, because of something happening right now.
In the electronic world, it means using the same tools that likely attackers of my systems are going to use. Being familiar with how they work, what they do, and why they do it is invaluable to protecting my boxen. If I'm unable to do so, I'm just begging to be a victim, and can only attempt to put the pieces back together again after the harm has been done.
In both cases, an ounce of prevention is worth a pound of cure.
nor of holding back government oversteps)
Realizing you might not necessarily be familiar with American history, I again beg to differ. There was this little spat between England and the colonies. And wouldn't you know it, those crazy gun-wielding wackos managed to revolt against an oppressive government.
Do I think it's likely to happen today? No, there are too many sheeple, and folks who think the government has our best interests at heart instead of its own. Any
So yes, it's possible for guns to hold back government oversteps, and be used in constructive and defensive ways. It's also true that hacking tools can be used in a similar manner. Anyone who tells you otherwise has an agenda to advance, and certainly isn't looking out for your best interests.
--
It's pretty pathetic when karma can drop when you do nothing
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
you're absolutely correct, but more to the point, if a treaty would violate the Constitution, then it is unconstitutional for the president to negotiate it and for the Senate to ratify it. if either/both of those happen with an unconstitutional treaty, that is grounds for immediate impeachment for violating the highest law of the land.
"onward!" cried the copper man, little knowing brass corrupts...
The next thing you know is that you need to register yourself as a person with knowledge to hack. If you take away the right for me to see what is the problem with MY computer system and tell the world about it then I see something wrong with this picture.
Nurses are responsible for the medications administered, and believe me, they do not trust doctors or computers to know what the hell is going on. They check everything.
And life support systems are generally embedded and not networked in any hackable way... the possibility is there but it's not as likely as you think.
"Free your mind and your ass will follow"
Define sysadmin. I have 2 *nix boxes at home and I am the sysadmin, does that mean I'm exempt? I doubt it. Will Bugtraq be closed down and any dissemination of information about exploits be made illegal? It sure sounds like it.
Will the Europeans decide to try once more for the Holy Land and ride into Jerusalem as liberating crusaders? Will the American government decide to finish the genocide of the native peoples? The way the governments have been acting lately I wouldn't be surprised...
"Free your mind and your ass will follow"
From the news:
"In part because of the ingenuity of lawyers and the ingenuity of [computer criminals] to get around the laws we've got, the laws we've got aren't sufficient," Hyde said. "The draft convention ... will make it much easier for people to investigate. It will have an immense impact."
What this JERK forgets to mention is the colossal analphabetism that runs among the police structures. The HUGE and COLOSSAL ignorance about computers and networks. Will the convention make much easier for people to investigate? ABSOLUTELY CORRECT. Because what will happen is that such law will give enforcement organisations the right to hassle computer experts and hackers. To get a cheap and easy-to-manipulate mass of technical experts that will work for these IDIOTS to avoid jail and/or other forms of persecution. This is putting all Security Experts hostage of a group of people that barely understands the technical and psychological specifics of our world of computers.
This will not help fighting cybercrime. ABSOLUTELY. Because what first goes into HELL is cybercrime prevention. You can't study/analyse security holes. You will be dependent of a mystical/abstract support from developers to implement security measures. What you get? A Cybercrime Freeway. Now when this happens who is going to be hassled first? Criminals? How? If police, even with the most modern systems cannot manage to understand some of the most basic principles of network/computer security? You of course! They will come to you because they know that you still do "something on the side" (you don't wanna lose your admin job right?). And they will hassle you to work "for them". OF COURSE they will REMIND you that you are a SINNER. So your work will cost [$$$ - (cost to keep you out of trouble)].
In the mean time wait for a whole trash of surveillance systems on your place. Why? Because you don't have the right anymore to do security. Well, in fact, they may leave you with that. but in a way, that practically, you have no rights at all. Because:
You don't have any information (bye BugTraq)
You can only rely on developers to fix bugs (we will fix it on our next release)
You cannot develop/study your systems for security (pay and you'll get it)
You fall into a double standard (are you fixing bugs or making security hacks? Are your development "innocent"?)
If anything goes wrong, call 911. (In the meantime your systems are completely bleached)
So don't wonder if the badge guys will be knocking your door too frequently. Or even replace you...
I wouldn't be so general. Such documents are not a "conspiration against Mankind" but more the result of petty domestic fights between lobbyists of different fields. Lawmakers gather laws from discussions with experts, lunches with corporative managers, talks with government officials, letters from citizens, the mass-media (yuks!) and the greys :). In result they produce something like this. Generally they barely understand what is written here. Their main task is to create something practical, juridically correct and which will not burn their next election.
The problem here is that, probably someone managed to sniff his own stupidity into this treaty. Probably someone from the equivalent of the FBI or NSA in America. Probably he explained lawmakers how his life is a Hell because of these tools "roaming the Internet" and that "forbidding them would make life much more easy". Then a representative of a corporation like Microsoft may have told them that "these tools are the source of big losses", then an expert explained them vaguely what these tools may be used for. And, finally they decided to write this article without hearing anyone else because the quantity and quality of experts was "enough". And consequently we got this piece of trash in the middle of a treaty that doesn't look so bad at all...
Well if we go to the extremes then... beware your hands, your feet, or, even your head :)))))))))))))
A great destructive method is kicking out the computer. Specially if it's turned on. Besides you think about kicking it... So don't be horrified if court decides to have you slandered in the best of medieval ways. Anyway, you're carrying illegal devices, right?
Have you read carefully this article:
... for purpose...". This foggy term reminds some stalinist times when, by possessing "bourgeois" literature you are considered already a criminal. Because you already possess a "potential weapon" for committing a crime.
"a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5"
[...]
the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5
The problem is that any security bug is potentially a break-in! So if you create a testing tool you might well giving ground to fall under the laws created through this treaty. Besides note that 2a talks about "intent
What kind of "intent for purpose" can be understood before commit a real crime? Is the fact that I have a gun on my closet an "intent to be used for the purpose" of killing my neighbor or rob my bank?
Does the fact that I possess nmap on my computer be equivalent to an intent for the purpose of breaking into slashdot.org? Well they don't explain the intent. But they do link intent to purpose. In courts such games are the base to give you a cold shower:
Lawyer: Is nmap an instrument for the purpose to break into slashdot.org.
Expert: bla-bla-bla.. Generally yes.
Lawyer: So we have now demonstrated that Mr. Hacker possesses a weapon for the purpose to break into slashdot.org. So, CONSEQUENTLY, he had the INTENT to break into slashdot.org!
What should be done here is to wipe this article and write everything in a new way. Specially:
Remark the distribution of tools that specifically don't only explore a security bug but also may ease the manipulation of systems where a clear break in has been made.
Remark that these tools can be used as evidence (and how) in courts. This is much more important as many courts drop out cases as they don't know on how to deal with such software.
Forbid the distribution of data that may be resulted from these break-ins (by aggravating penalties) or that may ease such break-ins. Specifically the words "password", "access code" should be erased from here, by substituting them into a more universal term. Something like: "data that allows access to computer system and its data, beyond the limits of the people/systems allowed to access it." This would include such things like spoofing, packet hijacking and others.
Mark more clearly the limits of using security tools for analysis/test/development and the criminal acts.
:))))))))))))))))))))))))
:)
Was not encryption equalized to "Ammunitions" by the Department of Commerce? Dear fellow Americans, weren't you crying all this time that this is incorrect?
Ok, people NOW RUN to the D.C. and CONFIRM: "YEAH IT'S AMMUNITIONS, NO, IT'S GUNS, NO, IT'S COOOLER THAN NUKES!!!!
In the meantime sneak a draft to them about considering security tools also as High-Grade Weapons. And stamp all this with the Right To Bear Arms.
Btw don't forget that the suggestion came from Russia. As always, we have been good partners on what considers this stuff. And don't worry about us not being able to get your weapons. We will always find a way to exchange them
Make the penalties so ridiculous that the law becomes unenforcable.
Anyone in possession of a compiler should serve a mandatory twenty years in prison.
NO excuses. And when something breaks, we don't fix it...
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
In a previous job, we've dealt with detectives from a *BIG* law-enforcement agency, and they've done pretty clueless things in an investigation of a computer-based scam (we've saved the show for them) to whom we had originally sold the computers and LANs they used to do their scam. The problem is that they take policemen and try to turn them into hackers. The reverse should be done: you take competent computer types and make them into policemen.
Becoming a policeman is easy, as it is routinely done for the simple minded, so it should prove a cinch for computer geeks... (Plus, imagine the revenge you'd get with the martial-arts training on all those who picked on you - as of myself, I was so much geek that it was the other geeks who were bullying me)
I am taking a management class right now, and the moonlighting teacher normally works for the same *BIG* law-enforcement agency as above. Well, he has setup a web-BBS for discussing course issues, and whenever some dope does an anonymous posting to criticize the course he goes apeshit, and shuts down access to the whole of the AC's class-C subnet!!!! He does not seem familiar with the concept of a USER-ID/password, and I have shown him /. whose principle he hasn't started to fathom. As a result most students are penalized, since this backwoods place ain't got much ISPs...
--
Americans are bred for stupidity.
Vote Libertarian.
They don't think the federal government has any Constitutional authority to make laws regarding this issue.
-
Well, this is a treaty, not a law. And the Constitution doesn't limit treaties as strongly as it limits laws.
It does, however, restrict treaties to compliance with the Constitution. We had this argument a couple of months ago, I was on your side, and we lost.
-
Jay (=
I think you've misinterpreted the Constitution. Article VI is actually used to *avoid* passing unconstitutional laws by simply signing treaties. Because a treaty is made part of the "law of the land," it is also subject to Constitutional constraints on what can be part of the law of the land. The First Amendment is one such Constitutional requirement that this treaty would not be reconcilable with.
Every law that Congress passes is part of the "law of the land," but that doesn't stop the Supreme Court from being the final arbitrator of what is Constitutionally permissible.
-- Don't Tase me, bro!
The gun laws in places like Washington DC only disarm the law abiding (aka, "victims"). Meanwhile, the politicians who make these laws have dedicated policemen to guard their workplaces and sometimes even persons. Armed policemen, of course.
If victim disarmament laws really worked, then the police should be disarmed just like anyone else. But of course, they don't, and nobody is so foolish as to advocate disarming the police when the criminals are pulling down billions in their highly regulated economic sphere.
The analogy maps perfectly to computer security. Take away legal possession of hacking tools, and sure enough no reputable people will have them. But the crackers still will, of course, and there will be a brave new world of ignorant sys admins with no ability to defend their systems.
Well said. I would also mention that guns save innocent lives far more often than taking them (at least in the US). Following the news on packing.org shows that nearly every day, a family, a small store owner or just a citizen on the street fights back with a gun to save their life and this is reported in the local news (not national news, they aren't interested in self-defence stories).
Or as I like to put it, Ted Kennedy's car has killed more people than my guns.
Finkployd
Network admins would be exempt from the ban on "hacking tools"
Let's say I'm not a network admin, but I want to be. This law effectively makes it IMPOSSIBLE for that to happen. It's a simple catch 22, I need to know how to do these things to get the job, but I'm not allowed to until I have the job.
It's a brain-dead treaty no matter how you look at it. It's the same failing war we have fought with drugs and guns. Bans DO NOT WORK at all. Especially on things that have legitimate uses (drugs, guns, and hacking software).
Linux itself can be used as a hacking tool, let's remove that from the hands of everyone but trained professionals (thus ending 90% of linux development)
Finkployd
Guns saving lives show up anecdotally
and statistically, but since these statistics don't mesh well with the general bias of the media, they don't get reported (another example of this is how the media conveniently never reports the failings of censorware)
And the stats that show guns taking lives are usually exaggerated. Remember the gun in your home is more likely to kill a loved one than killing an intruder. That stat counted crack houses as homes, drug dealers and bookies as "loved ones" and suicides were lumped in as well. Statistically, accidental deaths with guns are almost nil, whereas they are used literally (and documented) daily in preventing and stopping crime.
Finkployd
Well, this is a treaty, not a law. And the Constitution doesn't limit treaties as strongly as it limits laws.
--
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
The really controversial bit is the section on "tools", right? Well, it says after that:
with intent that it be used for the purpose of committing the offences established in Articles 2 - 5
So, they have to prove that you are going to use the tools to break into computer systems to which you do not have "right", i.e. which aren't yours.
This doesn't outlaw white-hat stuff at all, because you can do white-hat stuff against your own boxes. Is anyone here going to stand up and say that we should all have the right to test exploits on other people's machines?
In the same way, BugTraq will be perfectly safe unless people stop putting a disclaimer at the bottom which says "educational purposes only."
Gerv
This is such a patently bad idea. Okay, so we eliminate all public hacking discourse and we prevent law abiding citizens from being able to use and develop hacking tools. The results would be the following:
1) criminal hackers will use encryption and numerous other methodologies to conceal their trade in and development of hacking tools.
2) corporate security managers will be unable to test the security of their own systems.
3) home computer users will be unable to test the security of their own systems.
4) bugs found in common systems will be left unannounced and will be openly exploited by the people mentioned in point #1 above
I mean can there possibly be a greater recipe for disaster on the Internet? *sigh* You can pull my copy of nmap out of the clutches of my cold dead hand!
---
This sig has been temporarily disconnected or is no longer in service
Anyhow, I believe that the Notepad in question is the one with Windows 3.1. Because of this ability of simple tools to perform "hacking", Microsoft in later years made Notepad act as you described, and have also blocked Wordpad from loading files ending in .EXE. (Easily dodged with the obvious dodge.)
(It is also remotely possible I did it with the 6.1 MS-DOS edit.com utility, which probably also won't work that way anymore. Either way, it's Notepad.exe and edit.com that have changed.)
America today has more incarcerated citizens per capita than Stalinist Russia did. (Not counting those executed outright by the state.)
This is incredibly bogus. How many people, per capita, were murdered by the state in the USSR (not Russia) under Stalin? How many were not incarcerated but sent into internal exile? Put down your crack pipe and compare those numbers to the US today.
Thanks.. that was easy enough. :) My letter is on the way.
BilldaCat
Isn't that less effective than separate letters? I would think so.. seeing 10 letters instead of 1 letter with 10 signatures on it.
BilldaCat
Until the US decides to hop on and sign this treaty.. did you read the article?
BilldaCat
Yes.. laws against 'hacking' should be made. Penalties for 'computer trespassing' are all it should amount to.
As for exploits being published? As a serious sysadmin, I *DEMAND* access to this information, as I've always had.
Now.. if they want to make these things *potentially* illegal, you know, like how a crowbar can be a 'break & enter device' if you are caught breaking and entering with it.. that may be acceptable. But mere possession of information? Good luck.
They 'can't' because it's STUPID.
We license physicians because, as a society, we don't want people DYING because they were duped into using a non-approved physician. We do it to obtain some sort of level of awareness about skills, when LIVES are at stake.
Lawyers too. Engineers. All for the same reasons (lawyers may not protect your life physically, but they protect your freedom to do things)
We do not license McDonald's workers, farm workers, or grass cutters. I do not see any need to license 'network administrators'. Why should we?
I think she's overstating the fact. Perhaps because she also does not like the law...
Aiding and Abetting, though IANAL, probably must be MUCH closer tied to the actual crime. The fact that your brand of crowbar was used to break into a building does NOT make you criminal. Neither does the fact that techniques in your book on weapons practice were used to kill someone.
Now, if someone came and said 'I'm breaking into that house over there. Can you recommend a good crowbar?' and you sold him your top of the line crowbar.. you are 'aiding and abetting'.
Same for hackers I suppose. Remember this....
One can only be 'aiding and abetting' if a crime happens!
The reason for these contributory laws is to discourage the crime more effectively. ie: today, they can only charge the person who actually did the hacking (if that). The person who paid him and is standing next to him probably can't be charged. Under this law, he could (as he could with any other crime).
Kind of makes sense.
Yes, it does. Bugtraq is in no way aiding and abetting a criminal act.
Just as the crowbar salesman does not ask you what you are doing with the crowbar, neither does bugtraq ask you what you are doing with the information.
Anyone who tried to say bugtraq was knowingly aiding hackers would get shot down terribly.
Certainly, the possibility for someone to interpret it as a violation is there.. but it wouldn't fly.
Hold on. I'm not talking about some company 'certifying' someone on their products; that's fine and dandy: the people who know the product the best (those that make it) are stating who is and is not certified by them to have a certain level of knowledge about the product.
This is VERY different than professional certifications for things like engineering and medicine and law. Those are not tied to a 'product' or a company.
I think the prevalence of these people trying to break in HELPS software in general in making security a high consideration in design.
Laws like this might make security worse by giving the non technical the impression that the law will protect them from someone in a foreign land that's trying to break in...
You're not going to stop these people ever unless you make security a high priority.
The question is how do you fairly prosecute the really malicious ones while letting those just poking around off. How are damages calculated? The Mitnick case set a very bad precedent in this department with ridiculously high losses cited in court but not to shareholders or the Securities and Exchange Commission (SEC).
But if a safe cracker gets his own safe and figures out the internals himself, hiding the diagram would be a useless gesture. The only solution is to design the safe in a way that even when it is obvious how it works, it would still be impossible or impractically difficult to open. Computer security is even riskier since the very difficult tasks can be reduced to a stupid little script (hence script kiddies), so therefore computer security needs to be in the "impossible" category.
Only the system itself can tell you that it's secure, and not the back of the box, and the only way to find out is to take it apart.
Agreed, lots. Me, I'm worried more about the ramifications. What can I legally *do* by way of a job? I'm a linux consultant/sysadmin; I rely on nmap on a daily basis if only to *test* my scripts. I'm not going to give up and spew code for Lotus Bloats just because some government chooses to outlaw legitimate activity.
.|` Clouds cross the black moonlight,
The law is doing what it does to the best of its ability: making the world criminals and itself look like an ass.
~Tim
--
Rushing on down to the circle of the turn
This is not without precedent. As I understand it, there are a good many lockpicking devices that you have to be a registered locksmith to get.
-- Who is the bigger fool? The fool or the fool who follows him? --
Oh, puhh-lease!!!
The point, if you read the MSNBC article, is that some consider it as a 21st century witch-hunt. This treaty reminds me of the silliness of persecuting those who use unconventional methods, sometimes at the risk of their lives. Witch-hunting and inquisition were used to keep the masses ignorant and prevent those free-thinkers from disturbing the status quo.
Plus, Halloween is in 5 days, and this story is most definitely scary.
Offtopic my ass. I'm beginning to understand how Signal 11 felt. Yeah and fuck karma too. I don't need some pathetic counter to tell me if I'm good or bad.
---
Vote Inanimate Carbon Rod in 2000
if a treaty would violate the Constitution, then it is unconstitutional for the president to negotiate it and for the Senate to ratify it. if either/both of those happen with an unconstitutional treaty, that is grounds for immediate impeachment for violating the highest law of the land.
Except that impeachment doesn't actually appear to do much. Rather less of a disincentive than "High Treason", for which the traditional punishment is execution.
Dunno, plain text and extrans used to work, until one day, a long time ago, they suddenly switched names... and thus began the reign of the confused slashdot community. People who were troubled by the tags started posting about young teenage girls, breakfast foods, and prehistoric man chatter. They gained followers, recruited friends, and soon the dominion was overrun with pre-pubescent males trying to gain esteem among their peers. Gone was the Age of Wisdom, the Age of Legends... There are no beginnings or ending to Slashdot. What is, what was, and what shall be may yet... oh wait... been reading too much Wheel of Time...
--
"It's tough to be bilingual when you get hit in the head."
Yea I know what you mean. I cannot stand legislation like this!
Here are a couple of loopholes here...
What about MS DOS debug program. This falls under the guise of hacking, but is distributed with almost every OS MS has produced!
What about nmap? The article discusses this. The council says there will be exemptions... From the article, "The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt"
First of all what software will be exempt? I've used a DDoS tool for flooding my own network to see if my machines would choke! (BTW it was fun seeing win 9x croak but linux just slow down a little) This tool was designed for DDoS but I have a completely legit use for it.
The other part "...network administrators will likely end up exempt." This really pisses me off!!! I'm a C++ developer not a net admin. But I can do a better job of net. admin. than anybody in my co's IT dept. Would I end up exempt? Who knows, I'll probably get prosecuted for having a copy of nmap!
This is just bogus crap! What lawmakers do not understand they prosecute. If it looks like it breaks a law and they don't understand it, prosecute it!
If at first you don't succeed, skydiving is not for you.
That just isn't good enough. Unless it's in the treaty there's bugger all chance of the explanatory report being reflected in law. My response to the coe (which I copied on to /.) asks that they include in the wording of article 6 that intent to commit offense must be proved.
There is also the thorny issue of article 11 - which as written makes it illegal to submit patches to security software, if you did not realise that the intent of the author was black hat ('cos if they are later prosecuted you are in the shit for aiding and abetting). D'oh!
Thirdly, there are equally profound implications later in the document. Whilst possession of kiddie porn is evil, the provisions of article 9 make it illegal to *cache* transmissions including kiddie porn. They also make it illegal for companies to collect surfed material in order to provide proof for a tribunal or prosecution that the employee surfed kiddie porn. They make it impossible to develop tools that would be capable of classifying images as kiddie porn.
-------
CAIMLAS
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
- Article 6 - Illegal Devices
- a) the production, sale, procurement for use, import, distribution or otherwise making available of:
1. a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;
The last line of section A (intended use) might cover white hats, but perhaps not. It seems like that could be interpreted in several ways.
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:
2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed
with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;
b) the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5. A party may require by law that a number of such items be possessed before criminal liability attaches.
--
They want to outlaw tools that are produced/distributed with the intent to commit a crime.
Which means that if some guy on the street is shouting "come get a fancy coat hanger! It's great for opening car doors!", that might be illegal under this treaty. But if someone else is advertising coat hangers for use on coats, then that person's act of selling hangers wouldn't be illegal.
Or something dumb like that.
--
The speed of the arms race must be controlled.
--
Yeah, but should it be legal to leave a rocket launcher laying out in public view? Someone could walk by, pick it up, aim it at someone, and pull the trigger on an emotional whim.
Should it be legal to have software that's as easy to use?
Perhaps BUGTRAQ type exploits aren't quite as close to this, but what if there was a program that when run, would bring up a list of hospitals... the user selects a hospital and hits the "Okay" button... the software then uses its preprogrammed automation to find the power source for the hospital, hack into the power station, and turn the power off. Should such software be allowed to publicly propagate?
--
Brilliant. The critical difference with the internet, as always, is that information is easily copiable. Preventing use of physical weapons is a lot easier than preventing use of program/information weapons. And the US government hasn't been able to get a good handle on physical weapons yet.
--
You can also write to your Senator. Look them up here.
I also sent the above letter to Phil Gramm and Kay Bailey Hutchison.
> Just because there has not been a lethal hack to date
There has, actually. Crackers/hackers/script kiddies/Al Gore/whoever took down a British weather station computer in the 1980s, causing the death of a sailor relying on the information to navigate in stormy weather.
"Don't mind me cutting myself on Occam's Razor"
Only if they see viable options, and what is "broken" is VERY broken.
Both Netscape and IE have a long, long history of bugs, including numerous security issues -- yet, people haven't flocked en masse to, say, Opera or Amaya. For most tasks involved with light browsing, both of these two perform well -- vulnerabilities involving theft of cookies, for instance, do NOT suddenly mean it can't browse.
Instead, MS and AOL/Netscape simply release updates and, it seems, retain their user base.
Software doesn't need to be great or flawless (even in the sense of security) for people to use it; it just has to be "good enough", taking into account the availability and convenience (or lack thereof) of other options. Unfortunately, security flaws often do not impact apparent functionality enough to cause users to flee a product en masse...
Only the dead have seen the end of war.
I take it you have never heard of a decompiler. Binaries are hard to look at but not impossible. A highly motivated (read paid) black hat *will* go through the trouble of deciphering and diagramming out your confusing code, after all, it's his job.
The white hats who benevolently find this stuff without compensation aren't going to violate laws or go through the trouble of unwrapping your riddle in an enigma. After all, nobody's paying them and if it isn't fun enough, why bother. There certainly is other code to review where the writers are not intentionally giving them the middle finger.
The result is that you have cracked programs and nobody is sounding the alarm until it is too late and China's investment of a cracker brigade gets them the ability to send hostile code into the Win2k control systems of the US Navy's smart ships.
Does this make it clear?
DB
A little off topic but harmfully hacking a hospital to cause deaths isn't very hard, it's just not as obvious as hacking an individual's medical equipment. Turning off the HVAC systems in July in Arizona is, unfortunately, all too easy and guaranteed to cause a large bodycount.
I learned about that one at a hacker kiddie BBS in the 80's. It was one of those classic conversations of the greenhorn saying "what's this" and more experienced hands saying "stop it before you kill someone". I suspect the practice of dialup control of HVAC systems hasn't changed much since then.
Life support covers a wider range of infrastructure than you think. There are two major water lines that feed into NYC. A little bit of drilling and demolition work in the woods of Westchester county and you would not be able to truck in enough water to avoid major population evacuation (AFAIK they are still working on tunnel 3). The knowledge necessary to carry off this attack gets broadcast over PBS programs in the area at least once a year.
I won't go into the several other ways 5 reasonably intelligent middle schoolers came up with (in about two days) to cause unstoppable havoc and mayhem but let's put it this way. City living is remarkably fragile and the stupidity of terrorists both cyber and the garden variety kind is a continuing gift from God.
DB
I was raised to take certain things for granted. That my minister is not packing heat as he gives the "Love Thy Neighbor" sermon is one of them.
Does this
If it was a passing of a domestic law, then we could actually do quite a bit about it. Unfortunately, international treaties are a sneaky way to get things passed into law without actually going through the sequence of events that can get outraged citizens to discuss the probability that the lawmakers are suffering from cranial-rectal inversion.
Unbreakable toys can be used to break other toys.
I can see it now, "Imminent Death of BUGTRAQ predicted!"
Objects in the blog are closer then they ap
Just download it, make a few changes, sign it, and send it to your senators. You can find their addresses here.
No more excuses. Print it out and send it in today.
Trains stop at a train station. Buses stop at a bus station.
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
I can't believe how our society avoids prosecuting actual criminals, and focuses on nazi-like prevention instead.
Saying that bugtraq causes hacking is like saying a pencil causes spelling mistakes.
Theoretically, an exploit could cause death,... if the exploit were against NASA, or a hospital. I mean, imagine an exploit which screws up a medical record database, and suddenly they give you a medicine you're allergic to.
Unlike what the article claims, the treaty does NOT outlaw BugTraq and the likes.
Article 6.2 (which the "illegalizing BugTraq" part must be referring to) explicitly states it's illegal to [...] distribute [exploits] "with intent that it be used for the purpose of committing the offences established in Articles 2-5".
I didn't know BugTraq's intent was to make exploits available to script kiddies...
This message is provided under the terms outlined at http://www.bero.org/terms.html
The bold word "there" in the quote above is incorrect. It should be "their." Ordinarily I am not anal about these things, but if you sent this letter to your congressman it is important that you use proper grammar and spelling if he is to take it seriously.
I think that you missed the point. The point was that this treaty would have to be ratified by the Congress. Yes, it would be treated as a law should we pass it, but as with many treaties of the past, just because the US had a hand in creating it doesn't mean that we will sign it.
Anyone remember the Treaty of Versailles?
~LE
Thank you for pointing this out. I've been thinking it while reading this thread, but you articulated it so well. If I had some mod points you'd get a few. I know several people who have guns and they are very responsible with them, but they also have a lot of fun taking them out for some target practice and shooting cd's, old computers, phone books, vegetables, etc.
Just because someone owns a gun doesn't mean they have any intention of killing someone with it. In my friends' cases they just enjoy the hobby.
Things you think are in the Constitution, but are not.
Text version of the word doc
Warning, very quick and dirty :)
Are there any organizations or legislators that we can pass on our concerns on this issue. Maybe a petition, URL, or e-mail?
But then again...I guess anyone using Windows or Linux could be put in jail...can't "ping-ing of death" be considered a no-no according to this?
Security tools and security information are not bad, but how you use it can be a danger, but this shouldn't prevent people from having access to them.
BreezyGuy
Eric B
ebresie@gmail.com
I want to voice strong opposition to the proposal the COE has made for legislation to combat "cybercrime." There are many problems with the proposal which could be pointed out. The most problematic, in my opinion, is article 6, which (if enacted by signatories) would prohibit the possession of any "exploit" code which could be used to illegally access a computer.
I run a small network for my home. My computer has been cracked. So I am someone who has an interest in being protected from cybercrime. This treaty would not help me, it would actively hurt my ability to protect my vulnerabilities. How? The primary way I protect myself is relying on the reports from private organizations and groups interested in computer security, who keep track of current exploits and make fixes for them. These individuals and organizations run mailing lists and websites where these programs are discussed and exchanged for the purposes of helping to find fixes for the vulnerabilities they exploit.
If this treaty were passed, this kind of activity would be made illegal. This would not just have a negative effect on the ability of the computer industry to protect itself from crackers: it would basically destroy this ability. The reason is that by and large the entire industry relies, for protection, on the kinds of activity this proposed treaty seeks to outlaw. This is counterproductive legislation at its worst.
Also of concern is the perceived tendency to take rights away from individuals and invest them solely in the government. Without a doubt, crackers would circumvent laws arising from this treaty by discussing exploits using encryption. Would encryption then be outlawed? This proposal takes an unacceptable step over the line of violating fundamental human freedoms.
-Greg Billock
more laws.
;-)
however, i didn't see any mention of source. Which, technically wouldn't make BugTraq illegal for distributing source. this says a computer program, which by all rights is simply a compiled binary. Does a program compiled under Linux count as a program when stored on a windows box?
Additionally, even if source were to be made illegal, these bureaucrats have their thumbs so far up their asses that they would never stop to make mention of "working or unworking code!" If you want to submit plumberscrack.c on bugtraq. just make sure you forget a comma. Poof! you don't have working source anymore, and no one can accuse you of writing an illegal program cause A) It's source and B) It won't compile anyway.
Imagine it's like Haiku are now illegal. just make sure that A)You make sure the third line has 6 syllables, B)Tell the reader, if they want the haiku, to drop the last syllable.
A rose by any other name....
isn't illegal
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
I have a feeling you're trolling, but I'll respond anyway.
If people could forget about being anally-retentive for a while, maybe it would be better to actually look at the treaty itself. Network admins would be exempt from the ban on "hacking tools" (poor choice of words), so they could carry on playing Quake and scratching their armpits without worrying about being arrested. The only people who would then be affected are those using these programs for unethical uses.
So how far does the definition of Network Administrator go? Does it include me? I run a Linux box that's open to the Internet, can I run nmap on it to see what ports are open? How about a student who finds security holes in their spare time, across his own LAN, on his own computers, who's not a network admin? Should I be thrown in jail? Should that student be thrown in jail? nmap is an option of several Unix installs, should the people who install but don't use it be thrown in jail? What about a cracker who is also a sysadmin? He's a sysadmin, so he should be able to use the hackers tools legally, but he cracked a box? What's up with that?
Plus there's the drug problem. Weed is illegal in the US. Does that stop people from smoking it? Does that stop it from being portrayed in movies and on TV? Not really. Warez is illegal. Does that stop people from downloading and using it? No, not really.
Just passing a law saying that nmap and other hackers tools are illegal unless you're a sysadmin won't do much of anything. There are people who use weed for its medicinal purposes, too, even though it's illegal. There are also people who use it just to get high. I don't believe that those who use it for medicinal purposes should be arrested, and the same goes for hackers tools. Besides, cracking is already illegal in most places anyway. If you use hacker tools to crack into a box, you're already busted, aren't you? Why should we outlaw them outright?
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
After all, drugs have been illegal so the police can arrest just about anyone for no reason (well, apart from possessing a plant). Now that the laws on drugs are going to go away soon (in uk we just had the first public backlash against tougher anti-drug laws), they need a new way to arbitrarily arrest people...
Pretty sure the average guy in the street will soon come to fear/hate/etc the guy who `broke into a website and stole thousands` as much as the `evil peddler of death, turning children into addicts of the evil reefer`...
Under the purposed billing you couldn't even "crack" for research purposes. For example, if you thought that your sendmail daemon had an undocumented "hole", under this bill, it would be illegal for you to research the possibility of the hole. It would be illegal for you to "crack" at it to see if the possibility is real or not. Even if you are the current maintainer of sendmail!
And if you did find a hole, it would be illegal to tell others about it (so they can fix it or upgrade!)!
It might not be malice "cracking" or "hacking" whatever the best word is, but it would be illegal, even if you are doing it to protect yourself or others from malice "crackers"
If the OpenBSD was in the US, under this bill, it might be illegal for them to do code audits since, in a sense they are looking for crackable mistakes or holes in software. They are not doing this out of malice intent (actually to prevent malice events on their software), but still it would probably be illegal under this law.
Please RTFA, it is really short and an easy read.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Welcome to my web page!
I had a stroke yesterday so I had to move my webcam to my hospital room.
click here to raise the temperature in my room.
click here to have a lego mindstorm shake up a magic 8 ball.
click here to adjust the controls on my artificial heart.
click me to dose me with 10mg of morphine.
click here to turn the lights on.
click here to ring the buzzer and annoy the nurses
click here to fiddle with an unknown device hooked up to me. I think it controls breathing or something.
click here to send me spam.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Actually, this sounds a lot like current laws covering burglary tools. There are a lot of tools that can be used either for legitimate purposes or to help break into people's houses. It is not, in general, illegal to own those types of tools or use them for their legitimate legal function. If, however, you get caught using them to break into somebody's house, or IIRC if you're found in possession of stolen goods or other circumstantial evidence of burglarious activity and burglary tools, you can be charged for possession of burglary tools. Nobody gets in trouble just for having a crowbar in his garage; they do get in trouble for having a crowbar in their bag along with their neighbor's TV set.
Something similar is likely to apply to the computer equivalent. If you're a network administrator and happen to have a copy of nmap on your computer, the FBI isn't going to come and break down your door in the middle of the night for having cracking tools. After all, it has a significant, legitimate use in your work and hence doesn't fall under the heading of "[specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;". If, OTOH, you're found with emails copied from somebody else's computer and a copy of nmap on your hard drive then you might find some additional charges leveled against you. In that case it's pretty clearly under the heading of "the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5." The bigger problem is that this is likely to have a chilling effect on the development of newer, more effective tools for security monitoring.
There's no point in questioning authority if you aren't going to listen to the answers.
As you seem so willing to share your sex life by protecting it as shoddily as you did; we would like to skip the hassles of the courts and laws. As such, we have enclosed a check for $2500. BTW, we have included a copy of the CrackedPorn magazine in which your wife is the Cover star. We were thankful for the pictures of yourself, your wife, and your 3 mistresses, and the story of you, the hooker, and the dog is one of the best we have published to date. CrackedPorn will be hitting the racks tomorrow, be sure to tell your family and friends about it.
--The Editor
PS. Might I suggest that dogs prefer bacon fat over tartar sauce?
All jocks think about is sports. All nerds think about is sex.
It almost seems to me that in their rush to demand and lay down more broad laws and the potential for broad laws that several people are about to be stereotyped. Instead of starting down the road of actual bans of software, why not try to keep a majority of the problem from having access to the software or source? Have the source still be legal and the software still be legal but require knowledge testing to gain access to it. The last time this nation adopted a philosophy of blind stereotypes to solve a problem we ended up fighting a bitter civil war that has left scars to this day.
If the corporate world cannot fix or patch the glaring security flaws in their software then maybe that software should not be used so seriously or taken seriously when it is compromised. Obviously somebody else does not take that software seriously or else they would strive for secure and stable software. Major corporations and even the government should be giving thanks to the security industry instead of trying to bury them. By banning an entire community of geeks from making things better, you will be opening your system/software to the full attack of the people with the knowledge and malicious habits.
No matter what happens, somebody will come up with cracks and hacks, and those that have the knowledge and information who are responsible will then in turn find themselves taking more heat for the malicious. Who knows with the growing trend of removing freedoms and liberties in America...we just might find ourselves posting on a new site that has been deemed worthy about how wonderful the new local hacker/cracker concentration camp is.
-1 Overrated (Too many big words for me to comprehend)
Wrong. You get the full protection of the DMCA. You have put a "device" that "controls access" to a "protected work" and people decrypting it are "circumventing" that device without the "authority of the copyright owner" (i.e. you). So you can sue them for a minimum of $250 per incident (minimum statutory damages - you only have to prove it is likely they did it - not prove harm or anything). You could get $2500 in statutory damages if the court so chooses, or actual damages and profits of the violator.
But if DMCA protection is all you need just do a one byte XOR with 255. Easy to implement and STILL gives you DMCA protection.
Just because it CAN be done, doesn't mean it should!
And they can even corrupt the voting process. Make those acts felonies and ban felons from voting for life (both of these are true in many cases). Now if THEY don't like you they not only lock you up for a while, they have also revoked your right to vote. Now you have no voice at all, no influence on the gov't at all. If THEY do that to many people who think that way (people like US, the geeks/hackers), they can EASILY make the voting population be more supportive of them and their laws, just by eliminating the competition.
As for prisons filling up they have many choices. Build more, let criminals go after a short sentence (they've still killed your vote), let out the rapists and thieves to make room for the hackers and geeks (they'd want to leave some of them in there to harm the hackers/geeks - read the story about Bernie S) or some combination of the above.
Just because it CAN be done, doesn't mean it should!
I really wish people could get their goddamn terminology straight. Misuse of terms confuses the entire issue.
:) Cracking is merely an application of hacking, much like technology is merely an application of science. Things like bugtraq are an important part of the community. The act of cracking shouldn't be illegal, but if the end result is that some information was stolen with the intent to use it in some way, shape, or form, then I believe they should be held responsible.
Are we talking strictly hacking or cracking? Cracking, I, of course, can see, but hacking?? That's the dumbest thing I've ever heard. That's like saying you're not allowed to build certain things with your legos, you're only allowed to build the ones in the instruction manual. What fun would that be?
I could imagine my childhood if I was only allowed to build the racecar or helicopter instead of the cool mothership with 47 laser guns and huge engines and afterburners and wings and little compartments made out of those pieces that had hinges on it so I could keep prisoners in...
Oh yeah, but anyhow, yeah. I read the article now.
If this continues, they are adopting security by obscurity, which, as we all know, never works.
Mike
"I would kill everyone in this room for a drop of sweet beer."
I think of it as funny in the same way that Swift is funny. It's only funny because it's so damned true.
And scary.
The numbers most recently published by the US government on the issue of gun defense show that a gun is used slightly more often for a successful self defense than for homicide. I forget what the numbers are or where they came from, so I guess it's just my word, but it is an interesting statistic because some 90% or so of homicides are actually criminal activity with another criminal. A non-criminal is a law-abiding citizen. Law-abiding citizens account for practically zero percent of homicides, yet account for almost all legal self-defense uses. A legally owned gun, such as my personal Beretta is far, far more likely to see a personal defense in which not a single shot is fired than to actually commit an illegal homicide.
Fact is that I am more likely to kill someone with my car than with my gun, hence the Ted Kennedy crack. And, yes, I will never play with a gun drunk, but wait, I've never been drunk...
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
I think this is another example of law-making based on media hype, rather than research. Where's the evidence that this ban would help? I want to see the data, not unsubstantiated generalizations. And why is it that law makers everywhere are so ready to ignore expert opinion? They don't seem, based on the article, to have consulted many computer scientists, programmers, researchers, etc. and have ignored the input they did receive. Sometimes I really think technocracy would be best.
Since it's quite likely that any attempts to dilute or change this now is likely to fall on deaf ears, we just have to accept it and get on with our own agenda.
I don't know about the rest of you but I'm now going to push for a new clause in the Open Source Definition/GPL to incorporate a WHISTLE BLOWERS' CHARTER
Something like the following:
From now on, in the next linux distro releases, software will only be considered free if it incorporates a clause like:
Licensee is granted the right to full public disclosure of any bugs or features in the software that may compromise the security of local installations or networks with this software installed. Licensor(s) warrant that they will not infringe on the licensee's right to such full disclosure. Further, it is a condition of this license that licensees accept that full disclosure of security issues is a fundamental aspect of maintaining good security practices in relation to the software, and agree not to hold the licensor or other licensees liable for any intrusion that follow from use of the software, in relation to their own installation.
Beyond that, if after software patents, UCITA, if people still want to use non-free software, well, as we say in my corner of the world:
Hell slap it intae them
If you knew you would absolutely be executed in 90 days after being convicted of murder then I would put real money on the murder rate going down.
You'd win. It's been proven time and again that the magnitude of punishment is virtually irrelevant as a deterrent.
What *does* deter is the perceived probability of punishment -- if you're pretty sure you'll get caught and punished, then you don't commit the crime, usually. So the most draconian laws in the world won't make any difference whatsoever as long as apprehension rates hover in the mid single digits like they do today and the chance of being punished even if apprehended is similarly low as well...
Agreed. While we're at it, though, perhaps we should add a few more things to the list:
- War
- Famine
- Racial Bigotry
- User Friendly
Assuming Linux is allowed. Depending on the level of draconian legislation this type of bullshit will produce, you might find that GPL'd or BSD licensed software is suddenly illegal, because it allows "hackers" to understand and exploit the code from the inside out. Efforts to tighten security from anyone outside the "core" of each developed platform could also be construed as illegal hacking activity.
In order to limit certain "blessed" individuals to "security techniques", they'll have to develop a licensing scheme. This will be done under the guise of "We can't easily keep track of the people who are supposed to have this type of power over computers. The only way to keep track of them is to license them through the Federal government, so that we can keep an accurate record of who should be allowed this type of control over computer systems."
In the end, Linus would have to be licensed to continue to work on the Linux kernel.
On a side note, gun control is a perfect analogy. None of this is about preventing or reducing crime: it's only about control - who has such.
- Xiombarg
Hypocrisy is the Vaseline of social intercourse. -- R. Heinlein
I've heard that .25% of the American population is now in prison. 1 in 400! Most of this is attributed to the mandatory sentencing laws for drug offenders.
If this doesn't seem like a huge portion of the population, consider this... America today has more incarcerated citizens per capita than Stalinist Russia did. (Not counting those executed outright by the state.)
I see this travesty as one of the major legacies of the Reagan/Bush administration. Thanks, Ron and Nancy! If the American congress does decide to finance a Reagan memorial in Washington, I'll make an annual trip to shit on the steps!
Funny how today we also have a story about Eric Corley who has been fairly vocal that is stupidity.
It is stupidity.
It's like not talking about bad things in hopes that they will go away. It's ridiculous. How many *bad things* are good for learning? You learn more from a car crash than you do from driver's education... Our own government subjected people to radiation for years 'cause they didn't know any better. Now we know... just like running a red light or playing with atomic weapons, information about computers no matter what the content is vital to our learning. Especially now.
The more public we are about vulnerabilities, the quicker they will get fixed. The more awareness we have, the more our colleges will start teaching applicable skills. The more vocal we are, the more we will benefit from technology, and the less likely will technology destroy us.
----
Meet the world's newest class of persecuted artists: computer hackers.
Would that be performance art?
The treaty makes it illegal to write or possess hacking software. Currently, both are legal in the U.S.
What could be considered hacking software? FTP?
The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt.
So we are all going to wind up using IE3.0 whilst "professional" network admins RULE THE WORLD (manic laughter..etc....)
Dirty Pirate Hooker
Sounds like M$ is silently funding this, so they don't have to get bugs sent to them. It removes the step of "Ignore/Delete Bug".
.sigs??
What a timesaver!!
-- Don't you hate it when people comment on other people's
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Note that I just ran it through Word97 and exported to HTML, so don't expect the markup to be anywhere near half-decent.
On another note, does anyone else have a problem taking seriously a treaty originating from the "COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE"? ;oP
... I was baffled at the overall stupidity of the issue, until I realized that this conference is being held in Amsterdam.
That explains much.
Barkeep, another gram of hash, please
-Those who dance are considered insane by those who can't hear the music.
What kind of sick joke is this?
It's an absurd form of security by obscurity... those who do illegal stuff will continue, but all honest people will not have any chance to stop it...
this makes me sick... urk...
/mdroid
Given this situation, all of the hackers whose hackles have been stirred over this story should take a good look around.
Are you doing anything about it (I mean, of course, other than complaining)? Are you organizing/participating in a technology labor movement? Are you funding special interest groups to look after "hacker's" rights?
No? Then live with it (I won't tell you to quit complaining). Live with government telling you what you can or can not do. Live with government restricting your rights in favor of the rights of those people/interest groups who are willing to organize and fund lobbying groups.
That's just the way things are, folks. No one listens to a bunch of geeks living on the fringes of the social norm. You want a voice? Make one for yourself. Spend a little money. Organize and fight back. Oh, yeah.. Complain a lot. I know we can do at least this...
Yeah, and you can't find a copy of DeCSS anymore either. The point is, when you make something illegal, only criminals will possess it. So am I expected to just throw out any "hacking" software I own after spending my hard earned money on it, or become a criminal just for possessing a CD ROM? I would accept tougher laws on cracking in the criminal sense, but by making it illegal to even find holes just so they can be patched, will leave the door wide open for those who could care less what the law says. And this doesn't affect anybody outside the US and Europe anyway. So, it actually removes from us the tools we need to protect ourselves from such attacks. I suppose now the gov'ts are going to organize a task force and discover all the security patches for us now? I doubt it. They will be up to the crackers to find now.
--I assume full responsibility for my actions, except the ones that are someone else's fault.
Another thing to consider with respect to this article is that enforcing this law would do nothing to stop people who really wanted to from stealing CC numbers, and it would reduce the number of people who would honestly look for chinks in the armor. There's no point in making useless laws, let alone detrimental ones.
UBU
I mean, yes, they are taking away all our rights, etc., but someone seems to have taken appropriate action to get them back. So this is good news on a generally bad-news day.
sulli
RTFJ.
It seems to have slipped everyone by that the UK government is now accepting electronic petitions which have more than 200 signatories (including name & address).
Anyone care to set up an electronic petition ?
-- Conexant/Rockwell Modem HOWTO http://linuxdoc.org/HOWTO/Conexant+Rockwell-modem
I have no real problem with making "cracking" other people's boxen without permission illegal. Outlawing possession or construction of "hacking tools" or discussion of exploits is wrong, and dangerous. The US has already outlawed reverse-engineering, breaking of any encryption (if CSS simply negated every bit, that would be enough to warrant legal protection), and linking to sites that do. This seems like the next logical step. The only problem is, here we are preaching to the choir. We need to tell industry and our political figures that we WILL NOT stand for such things, and will fight them every step of the way! We need more big name places like 2600 gumming up the legal system so much that it becomes futile to sue over such things, and we are left alone.
"Evil beware: I'm armed to the teeth and packing a hampster!"
Lex orandi, lex credendi.
Debit cards on the other hand have no such liability limit on them.
You simply don't want to believe that the people in positions of authority might be deliberately malicious, I don't find that concept unthinkable.
If a law passed which allowed a judge to hold a red hot poker to my tongue I would be worried about that too.
The argument "the tool is not to blame", while entirely correct, is also not entirely complete.
One can argue that people can be killed by guns, knives, bottlecaps and thimbles of water. However, these items each have a character and a purpose for which they were developed.
Look closely at the firearm. It has been developed over the last few hundred years nearly exclusively for the purposes of killing other humans more effectively. One could argue a hunting rifle is just that, but assault weapons, machine guns, and handguns have pretty much evolved for the purpose of taking down and taking out our fellow men.
This suggests that the tool and the task to which it is put are linked, not entirely distinct from one another. A knife is a utility item which can be used to kill. A sword is a military weapon. There _IS_ a distinction.
Now, before anyone jumps on me with the flamethrower going, I am a firearms enthusiast and a former member of the armed services. I do support civilian gun ownership. I just believe the arguments in favour of civilian gun ownership are based around the concept of personal freedoms and responsibility and the existence of a force to help counterbalance oppressive regimes.
We don't need to argue that guns don't kill people or that that isn't what they were designed to do or that they are just a tool with no purpose. They were designed to kill people and they've been perfected (most of them) with that in mind. You can shoot targets with it, but its development has been inextricably linked and dominated by the requirement to injure or kill other humans.
There are times where this lethal tool can serve admirably in defence of the weak, the oppressed, and those who stand for freedom. But let us not mistake that the gun is an item devoid of purpose. We should be focused on WHY and WHEN we might want or need to use them for the purpose for which they were designed rather than arguing that they have no particular purpose...
Pleasure in the job puts perfection in the work.
There was never a genius without a tincture of madness.
Aris
This is another example of government and its hunger for power. I am becoming more and more upset day by day. Our freedoms are being eroded away and the average joe has no clue. Those of us who are in the know are a very small group. I posted a rant on this matter on kuro5hin in a post called Has the US government become to hungry for power? Read it and you'll see what I mean.
I believe I will add this to the list of things that governments do to take away legitimate freedoms in the name of the greater good. I can only hope that the supreme court will see this as a free speech issue. The problem here is that non-techie people are making techie decisions about things they don't understand. When will the madness stop?
As far as I can see, the article is on "our" side. The treaty supports security through obscurity, not the article. And I have this sneaking suspicion you are really pissed off by that which the article is describing.
Sounds just like the same reason that governments don't legalize soft drugs (like pot, for instance). Because it can be grown at home and therefore isn't taxable. Result? No revenue stream. You get more money from charging people for possession of said substance.
If owning "hacking tools" is illegal, who is going to stop developers from releasing bug ridden "rush-ware"? If someone offers an "e-commerce" solution that has more holes in it than telnet with dictionary based passwords, a victim of a "crack" whereby all their DMCA protected files and Credit Cards info were stolen, the developer who offered the "shit-ware" to them should be held accountable. Then I guarantee, you will see a dramatic increase in security. OpenBSD has shown, to some extent, that even a small group of developers can make a very secure default install.
Burn Hollywood Burn
If owning "hacking tools" is illegal, who is going to stop developers from releasing bug ridden "rush-ware"? If someone offers an "e-commerce" solution that has more holes in it than telnet with dictionary based passwords, a victim of a "crack" whereby all their DMCA protected files and Credit Cards info were stolen, the developer who offered the "shit-ware" to them should be held accountable. Then I guarantee, you will see a dramatic increase in security. OpenBSD has shown, to some extent, that even a small group of developers can make a very secure default install.
Burn Hollywood Burn
ne1 know how this post appears twice in slashdot?
Burn Hollywood Burn
This is not a bill.
The United States is not part of the Council of Europe.
The FBI and U.S. Department of Justice aided the drafting of this treaty. I doubt that their assistance came under congressional oversight.
Defecation occurs.
It's an international (specifically European) treaty, not a bill. Congresspersons have very little they can or would do about this.
If someone started this bill, I can't trust that same demographic of people to stop that bill for all of its oversimplifications and shallow thought processes.
I, too, have an inherent mistrust of people who oversimplify and have shallow thought processes.
Obliteracy: Words with explosions
This year will go down in history. For the first time a civilized nation has full gun registration. Our streets will be safer, our police more efficient, and the world will follow our lead into the future
Just because the Nazis brought about the holocaust does not mean that every thing they did has been tainted by evil. It might be my imagination, but I do believe that German streets are safer than American streets. Both before and after the war.
The most foolish mistake we could possibly make would be to allow the subjected people to carry arms. History shows that all conquerors who have allowed their subjected peoples to carry arms have prepared their own fall
And the purpose of this quote is? This quote isn't about suppressing citizens, it is about suppressing people you have conquered. There's a great deal of difference between the two. In the same way, Japan was denied a military establishment immediately after WW2 in order to prevent future reprisals and conflict with the U.S.
Using this quote is pure folly. It is not unique to the Nazis, and believing in the sense the quote makes does not make one a Nazi. As the quote says, it is merely _common sense_ that any halfway intelligent conqueror knows how to use.
Please tell me that not all geeks are blind to common sense, and that at least some are knowledgeable enough about history and society to draw their own conclusions and not blindly follow propaganda. I know there's some, but after reading Slashdot for a while I'm really getting worried.
Just to drop a little FUD in there, they mentioned that the "honeypot" system was running RedHat which had "outdated DNS software with a known security bug". (They didn't mention a version... therefore, all RedHat has this bug that let a script kiddie in, and since RedHat *is* Linux... Linux therefore sucks - you should use Windows).
Riiight. We see a nice little case here of pure media cluelessness, that is not only designed to play on the fears of your typical citizen, but also to pair up anything that is open and free with "evil hacking".
The cumulative impact of all this is just too depressing for me to stand anymore. Where does it stop? When will the media be unbiased? When will politicians stop being stupid? When will the public get a clue? The Internet and all related technologies and culture are humankind's last bastion of TRUE free speech. It is HERE that we will find meaning. It is HERE that technology will advance most rapidly.
But, never before has the entire world been on the brink of such ground shaking change. (What? You mean we don't need money to get quality products anymore? You mean we don't have to pay for news? We can say anything we want and not be stigmatized for our opinions? There's more...?) Therefore, the idiots in large groups will do everything to hold the world where it is, by making those things which will change the world for the better "illegal".
*sigh* I wish I had time to do something about it. I wish I had time to read the draft in depth and formulate an educated opinion on its points. But at the same time, I am caught up in the duties of my day to day life - distracted by things that must be done (school, work, etc). The bad part is, most people reading this are in similar positions. Meanwhile, things are flying right by in the real world that will drastically impact our lives. Yet, so little can be done about it.
*shakes head*
Look at footnote 9 in draft 22:
Several comments from industry indicated that the so-called "cracking-devices", to which Article 6 applies, may also be used legitimately to test system security. The explanatory report shall clarify that the conduct defined by Article 6, when undertaken with such legitimate purposes, would be considered to be "with right". Furthermore, the burden of proof of the unlawfulness of conduct under Article 6 would lie with the prosecution. In this context, reference should be made to the footnote under Article 2 concerning the meaning of "without right".
Given that the parties (ie, signer-states) would be required to implement (and implement and enforce are two different activities) laws to support the mandates in this treaty, it seems to me that a lot of the reaction here would be addressed by the definition of "without right".
I have found that knowing about various exploits has helped me to protect my box against them. By not knowing about them, people will be less prepared...
--
Jamie C
No one, it seems, has worked out the logical conclusion of this treaty: that programming itself would be thus illegal, as security and stability testing is a part of the development of any non-trivial program. This suggests a test case in which a programmer is arrested for 'hacking' a program he or she wrote.
Further, remember that Full Disclosure lists like BugTraq keep vendors honest. These lists not only force vendors to admit their bugs, but also pressure them to release fixes quickly and not sweep problems under the rug.
- Jay Beale, Lead Developer, Bastille Linux
Never mind that the "War on Drugs" is the most blatant constitutional violation that ever existed. What I put into my own body is my own goddamn choice, thank you.
And you thought you lived in a free country.
Please, vote Libertarian and put an end to this madness.
You know why Windows can't keep the pace of Unix?
:)
Because it has more bugs? No. Because it is closed source? Noooooo. Because Microsoft owns it? Of course not.
Because Unix is much more manageable than Windows. That is what makes Unix more secure. Even Linux has some ENORMOUS bugs on what concerns security. But here the reaction time is tremendously faster than Windows. Even in times when Solaris was purely closed source, people managed to react more rapidly to any security threat.
Windows possesses a dumb interface that pretends to be "complete". However tons of backdoors/bugs are concealed inside this interface. You can't reach them in most cases because Windows interface is too restricted to allow control of many inner systems. So if one breaks in you can only face the fact.
Sincerely I was admired for a situation I fell in. When Windows ruled here, 1/3 of our Internet population played only one thing: "Hack Windows!" Because many found a series of backdoors and we couldn't do anything against that. Now, on Linux there was a HOLE that remained for approximately 6 months. You know? No one ever noted it. Why this? Because in the first month of Linux Era people got real hassled, as we reacted momentarily to any break. In the end, only 2-3 people out of 700 "crackers" remained. Btw we don't touch them as we are afraid of the full extinction of this species...
Now most of this work is made 80% on the basis of analysis/studies/implementations of security systems. And this includes scanning & testing break-ins. Only a 5% are real "healing after the fire". If this law comes up, all this goes into the trashcan...
There's no such thing as a "hacking tool"... unless you count all computers as hacking tools. With time, patience, and skill, a hack can be performed in Notepad. (Done it... nothing significant, mind you, I'm not bragging, I'm just saying it can be done. Somehow the first byte of an MS-DOS executable got corrupted and I changed it back to "M" (as all MS-DOS exes start with the magic number "MZ" in ASCII).) To me, that's the real problem; the line is so fuzzy about what a "hacking tool" is, and there's no way to "de-fuzz" that line. This law stems from nothing but fear, and knee-jerk reactions to legislative fear tend to only make things worse.
You can compare an exploit to a fully-loaded weapon.
No you can not. A loaded gun will kill someone. Death, ends existence, heart discontinues to function. An exploit is used by script kiddies to change a webpage, piss off an admin.
This article pisses me off, it supports security through obscurity and that idea is horrible. Ugh. If I continue ranting anymore this will be -1 flamebait.
I came up with the statement listed below. Let me know what you think.
Sirs and Ladies,
I have read much of your proposal and found that while it takes into account many things that should be done to aid in the arrest of parties engaged in illegal access and destruction of computer data, it does not mention or protect the need for corporations and individuals to attempt to access data on their own computer systems so as to determine their systems' vulnerability to attack.
There is concern that normal security checking software and knowledge of common or popular systems used to defeat security would be made illegal by the provisions of your treaty. I and many others feel that only with thorough knowledge of the weaknesses and strengths of any computer or system of computers, can those computers or systems of computers be made more secure. If provisions of your treaty make the use of security checking software legally questionable then only those with illegal intent will use such software.
I ask that you make provisions within your treaty for the use of security checking software by individuals and corporations. I would ask that you make clear that it is the intent to do damage or cause harm that is illegal, not the means by which that harm is caused.
Sincerely,
David P. Zimmerman Bachelor Of Electronics Engineering Technology
Jumping to correct solutions slowly is better than jumping to incorrect solutions quickly.
Dear Sir,
As the officer in charge of enforcing the new anti-hacking laws it is my duty to inform you that you are in violation of the law. No action will be taken at this time as we are trying to be nice and allow people an adjustment period. This note is part of that adjustment process. In the future you will have no warning.
To wit: you have been observed walking around your house seeking open windows and doors. Such activity can now only be legally done by a trained and licenced professional. Seeking possible illicit entry points into an abode is an obviously nefarious activity and will be prosecuted vigorously.
It has also come to our attention that you possess not one, but several criminal devices known to the criminal world as "keys." Such devices whose only function is to circumvent high security mechanisms are blatantly evidence of criminal intent and their possession *will not be tolerated.*
In the future you may call upon your local licenced security professional for dealing with such devices. Simply show your security access papers and proof of ownership of the security device and the dwelling to which they are attached, provide said security professional with fingerprints, and for a nominal fee he will "unlock" your security device.
Please be warned that we will be making followup calls on all persons employing such security professionals to make sure that everything remains on the up and up.
We appreciate your cooperation in these matters, but we're building a lot more jails just in case.
You have been warned.
They may make cracking illegal but they can't prohibit us from discussing computer security or posting exploits. You are working off of the assumption that when it comes to computers and computer security that these people are rational and really feel that the first applies. The simple fact is that they don't and the bad laws based off of their idea that computers are "different" are being upheld or at least not shot down yet. Think DMCA. They will erode as many rights as we let them which is why we need to be aware of things like this and *not* just take the attitude that it can't be done because it is silly on the face of it. If we don't fight it it can and will be done.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Hacking could be as simple as getting into hotmail from school, despite the smart filter. First of all, I don't think that schools should be allowed to filter out these... I like to send my links to my mail account so I can save money and print them out later. If I can't send them, how am I going to be able to remember where they are?
What is in a name?
I am not exaggerating - think like a lawyer - compilers are the number one hacking tool. (And yes Mr. Pedant I know that it is possible to hack with an assembler. I am using 'compiler' in this context to mean any tool which allows a person to program a computer: compilers, assemblers, interpreters etc.) These would all be illegal under the terms of these laws. While licensed professionals i.e. Microsoft employees etc. might be allowed to use these tools under supervision - common folk such as us would be prohibited from even owning them. As a side effect, this will destroy Linux and BSD - what are those without gcc?
Wolfram and Hart style lawyer argument: "After all we license people to drive cars, why not require a license to program a computer."
The hour is growing very late - under the guise of 'protecting the Internet from hackers' governments are about to make it illegal to do anything of value for humanity with free software. When is everybody going to wake up?
Who do you want to control technology: people who understand it, or people who fear it and want to destroy it? We are badly outgunned, and most of us don't even realize we are in a fight for our lives.
We either draw a line in the sand and say NO or we stand to lose everything. It will soon become apparent (to everyone with an IQ above that of a pet turtle) that I have been right about the legal system all along. These people know exactly what they are doing. This is not a mistake, a misunderstanding, or anything else innocent; these laws are deliberate, well thought out and intentionally malicious.
--
The law, 100's of millions of lines of code, not one line of which has ever been tested to see if it works.
then only criminals will know about the exploits.
Of course, the knee-jerk reaction is to claim this treaty is unconstitutional by the First Amendment.
But really, couldn't this fall under the right to bear arms? There are many analogies between hacking and firearms, after all, most notably the same tools being involved in both the crime itself and the protection against it.
Is anyone else a little scared at the possibility of 2600 magazine and the NRA agreeing on an issue?
---
Oh well, as soon as some Russian kid breaks in to a corporate site and steals every CC there....errr..
shrug
Burn Hollywood Burn
The question is what are we going to do about it? Are we going to let this happen? Is this period of real freedom going to sustain, or, like democracy in ancient Greece, just shine brightly for a brief moment and then die out to be (hopefully) reborn in another millennium?
If Bugtraq is made illegal, the vendors won't have to release patches every time someone finds a bug, and the general public (including a lot of sysadmins) won't even know the bug is there. That sure would make a lot of software look better, more secure, and more reliable. ECommerce would bustle with the promise of "better, bug free software", and politicians would be there to take the credit. This of course would all be an illusion, and the consumer would suffer. On a personal note, if I had to sit around and wait for patches from my vendor without a forum like Bugtraq, my server would be about as secure as a balsa wood shack with cheesecloth for a door.
... pry it out of my cold, dead hands. No, wait, that's my guns, but the principle is the same.
It's very disheartening to read about the cluelessness of these idiots. "Hacking" serves a very useful purpose in the computer world, and from skimming the MSNBC article, it's clear the lawmakers either don't know, or don't care, how horrible this treaty is.
Being in a network security class right now, I can definitely say that, were it not for hacking, in the original sense, very few networks out there would be secure. Reverse engineering protocols, examining the "oh shit"s in them, and publishing the results seem to be the only way to bring to light problems, and hopefully get them fixed. (I'm thinking s/key, securid, Firewall-1, etc here specifically, and know there are others.)
If it suddenly becomes illegal to post new vulnerabilities to mailing lists like BugTraq, if it suddenly becomes illegal to write or possess or use tools like nmap, or SATAN, or even traceroute and ping, it will just serve to immediately make criminals out of a large percentage of the computer-literate population.
And let's face it, like any other such law which tries to "protect" law-abiding citizens by making something which can be used for both good and ill illegal, the end result is either creating more victims (in this case, because people won't know about the latest exploits, and be able to lock down their boxes), or creating more criminals (since I doubt, regardless of law, whether or not most people who use these tools, for good or ill, will stop using them).
Not to mention those engaged in illegal cracking activities now have no more incentive than they did before to stop.
I agree that the "massive wave of cybercrime" is likely nothing more than a bunch of script kiddies using well-known exploits to attack web sites and servers that, in all honesty, really should have been secured in the first place. Somehow, this all seems like the electronic equivalent of Columbine, where, because a certain type of tool was used to commit an illegal act, there are now more calls from talking heads and people with their own agendas to advance spouting off how evil these tools are, and how we have to protect the public.
Well, here's a news flash... The tools themselves have no inherent evil. It's only the use the individual users put the tools to that can be judged to be "good" or "evil". A hammer, a kitchen knife, a copy of gdb, or perl...they're all just tools. They sit there until someone takes it upon themselves to use said tools for a particular purpose. Just because someone used a kitchen knife to stab a person to death, or a copy of nmap to discover an idiot left the r* services on, is no reason everyone should be banned from owning kitchen knives or nmap, on the off-chance they themselves will be either perpetrator or victim in the future.
There is some hope, however. If this Draft Cybercrime Treaty is approved, I can only hope it will hasten the acceptance of other tools, such as the remailer networks, onion routing, freenet, etc. Yeah, we'll all probably technically be criminals at that point, but maybe then at least we'll be able to keep out both the script kiddies and the lawmakers, and get on with our lives, knowing at least we will be secure, while the rest of the (digital) world collapses under its own folly.
(can anyone tell me why I need to select "plain old text" to get html tags to work?!)
--
It's pretty pathetic when karma can drop when you do nothing
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
I live in the state with the second highest concentration of firearms (PA) and the whole state is filled with gangs of criminals and killers. I long for the safety of a gun free place like NYC or DC where I can feel safe.
And every time I hear of a shooting in church, I can't help but think "This could have been prevented if only the killer was not allowed to take a gun into church". I mean, if the Columbine high school was a gun free school, then the killers there wouldn't have been able to take guns in. *sigh*, if only people would see the logic in banning things they do not like we would all be safer.
Finkployd
Oh yeah, it was "NORIGHTS"
It astounds me to watch on a daily basis the right of free speech being taken away.
And of course, all we're going to do is sit and whine about it on Slashdot. I, for one, haven't gotten out and done anything about it, and I would venture to say 99% of the people here haven't either.
And the people passing these laws know this, and we're gonna get screwed.
BilldaCat
I can't believe someone rated that a troll. It is a good idea to comment on this treaty. Ok, so I've now done so. So shoot me down for proposing changes instead of asking that it be scrapped....
Sirs:
The current draft of the cybercrime treaty is, as you must be well aware by now, greatly objectionable to computer security practitioners. I am writing to suggest a small number of changes which would make the treaty as drafted less objectionable.
I would suggest that Article 6 - 1 be changed to read:
a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5 [with the intent to cause such an offence];
(The last bracketed text is new). This is the only identified offence in the treaty where the prosecution is not required to prove intent, yet it is clearly not the intent of researchers, computer security professionals, and hobbyist computer security experts (such as the author of 'nmap'[1]) to cause such offence.
The inclusion of an exemption where intent does not exist would also enable the contribution of 'patches'[2] to existing 'open source'[3] security software under article 11(b), which would also become illegal under the terms of the draft treaty.
Article 9(b) and (c), as currently drafted, would explicitly prevent the development of software intended to monitor or prevent access to material banned under article 9. Specifically software programs, currently available, intended for use by corporations collecting evidence against employees accessing such material to back up a case for an industrial tribunal, would become illegal[4]. Similarly it would become impossible to develop software that attempts content blocking by image recognition, as use of a 'training' image database would become illegal[5]. Finally, it would make illegal the practice of 'caching'[6] internet traffic for performance reasons, in that passively storing temporary copies of such material would also become illegal. Such action would have an immediate deleterious effect on the performance of the internet.
With the exception of caching (which deserves specific exemption) it would not be onerous for software developers or corporations to register for exemption under article 9 with national regulatory bodies, such as currently happens in the UK under the Data Protection Act (1998)[7]. Such provision in the treaty would make it possible to produce software intended to help enforce the treaty, without which enforcement will be difficult if not impossible.
Yours,
[Name withheld from Slashdot]
The opinions in this message do not necessarily accurately
reflect those of my employer.
[1] http://www.insecure.org/nmap/
[2] http://earthspace.net/jargon/jargon_31.html#TAG13
[3] http://www.opensource.org/osd.html
[4] for example, http://www.websense.com/internet-filtering.cfm
[5] eg, using work described in http://inst.augie.edu/~swets/ACCV95.html
[6] http://webopedia.internet.com/Hardware/Data_Stora
[7] http://www.hmso.gov.uk/acts/acts1998/19980029.htm
I sent the following letter to my representative. You can email your representative easily by going here
____________________
To the Honorable Lamar S. Smith:
I am a database consultant in your district. I work at the Air Force Recruiting Service Headquarters at Randolph Air Force Base. My work there brings me in contact with technology and information system security issues on a daily basis.
I recently read an article about the Council of Europe's Draft Cybercrime treaty that frankly scared me. The article is available at this URL:
http://www.msnbc.com/news/480734.asp#BODY
Let me be clear: this treaty would be a disaster that would threaten national security and the health of electronic commerce. The idea of the treaty is dead wrong. "Full disclosure" of computer security flaws is essential for system administrators to protect their own systems and it is also critical to eliminate denial on the part of software vendors and to track the effectiveness of responding to security concerns. It is also a First Amendment right to have open discussion on security flaws.
I believe that the U.S. delegation to this treaty is incompetent and should be recalled before serious damage is done. They obviously have little understanding of what it is that they are regulating.
If only we can keep everybody uninformed about possible exploits we will have no more unauthorized entrances, no siree!
But wait, soon we will be ready for the next step: "security through stupidity" That's when nobody has the brains to behave in any other manner than our market research indicated. Yes, people it's true!
Actually a recent study by bullshit research inc suggested that an average IQ lowered by 20% would benefit our economy. How high IQ do you need to shop and view our approved movies anyway? Then some people may upgrade their children's brains with our groundbreaking brain# (brain-sharp) treatment, giving them the skills necessary to keep control of the sheep^H^H^H^H^Hpopulation.
All opinions are my own - until criticized
Hacking tools don't crack systems, people do.
... where it's illegal to possess a portscanner unless you have your MCSE.
c) the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of depriving citizens of fair use rights, right to free expression, or other human rights as established by the Universal Declaration of Human Rights.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
That they're making cracking illegal.
They made drugs illegal a few years back, and it's really helped! You never see drugs, or hear about drugs anymore.
to tell industry and our political figures that we WILL NOT stand for such things, and will fight them every step of the way!
That's the problem, though. We need to do this and we need to do that, but, when it comes right down to it, how many of us actually get off our fucking asses and do anything? How many people who constantly whine and bitch as their freedoms are slowly usurped from them also support the EFF through donations? How many write (not email, WRITE) their congressman every time a boneheaded bill is introduced? Judging by the outcome of trials and the passage of various and sundry laws in the past few years, I'm willing to bet the number is pretty damned low.
If bitching could really solve problems, slashdot would have ended world hunger by now.
- A.P. (and, yes, I support the EFF. You should too.)
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
There's something that some of y'all are missing here. The distinction between what a treaty is, and what a law is. Note that my use of the word "state" is synonymous with "nation" vis a vis "nation-state".
Basically: a treaty is an agreement between nations that amounts to a contract such that if X happens, then Y will occur. For example, one of the provisions of the NATO treaty is that if -any- member state is attacked, then retaliation is expected of all other members (ie: if Russia were to invade Germany, we'd be essentially obligated to wage war on Russia). Treaties can -also- state that each member state will agree to pass laws that will do X,Y,Z. That's what this one appears to be.
A Treaty -is not- a law. However, due to its nature as a contract, it can seem like it.
A law, on the other hand, is legislation passed by the government of a given state. So, if the US were to sign on to this treaty (which thus far looks like it's primarily a European thing), we would be obligated by treaty to pass laws that meet the treaty's demands. The wonderful thing about the US signing treaties is that a treaty must be ratified by the Senate BEFORE the US will recognize our signature on the document as valid.
IANAL, but this is what I seem to recall.
The only thing that is objectionable (but is pretty damn objectionable) in the treaty is the two lines making illegal:
"the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;"
Everywhere else in the treaty actions are qualified so that you must also have had the _intent_ to break the law (breaking the law in this case is essentially causing criminal damage).
If that qualification was added to this particular clause the whole thing would be pretty unobjectionable, viz:
"the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5, with the intent of causing such an offence;"
The lawyers would (as usual) have a field day with proving intent, though, but researchers/hobbyists/security specialists would be safe.
(Associated Press - Alcatraz) Today, in an effort to end the pampered style of geek prison life that so many convicted criminals have been accustomed to, The Rock was reopened for service today.
"Hey, these guys managed to get T3 lines into every cell, and the guard door system was a joke, we think that they managed to hack the system so that it would let the doors open whenever they wanted.", said Red Bull, the head of HACK (H)ackers (A)re (C)riminals (K)ill 'em.
"I wished that we could have continued using the death penalty against these evil terrorists and child pornographers, but the ACLU felt it necessary to defend these scumbags. Something about 'the punishment not fitting the crime' or other such nonsense"
"Look, these felons have it better in prison, hell, their cells are over 4 times as big as a typical cubicle is, and they get in house laundry, THEY DON'T EVER HAVE TO WORRY ABOUT DOING LAUNDRY AGAIN, and look this doesn't seem like a big point, but I've been to busts on these evil hackers, and their laundry piles up to huge amounts before they decide to do it. It's inhuman, I tell you.
"I just wanted to make this prison term as much of a punishment as possible, so we are cutting these geeks off of their lifeline, and going back to all old-style technology. No computers, no net access, barely electricity.
Maybe now these felons will get what they deserve.
Ignorance is Strength!
Freedom is slavery!
Peace is War!
Hacking is Evil!
tagline
... hi bingo
Washington, D.C. - In a stunning development just announced today, the United States, along with twenty other European nations, will soon make 'yo mama' jokes illegal. Without any regard to issues of free speech or free thought, representatives at the meeting have decided to make the words 'yo mama', when used in a joking context, a felony punishable by up to 5 years in prison and/or a $100,000 (or 100.000 Euros) fine.
One stunned joker was quoted as saying "No way, dawg! Ain't no way they gonna take away my right to laugh at yo' mama!"
Neither US nor European representatives from the summit could be reached for comment.
Please stay tuned for updates to this breaking story.
-----
Check out the text to the actual treaty here. Looks like the newest revision is only available as a Word doc, although there's a slightly older version available in HTML. Something worth noting, though: contrary to the implication of the article, the word "hack" or "hacking" does not appear anywhere in this draft. The "Illegal Access" section contains the phrase "A Party may require that the offence be committed either by infringing security measures or with the intent of obtaining computer data or other dishonest intent." IANAL, but I think this pretty much outlaws all white hat stuff.
One of the interesting things about this, also, is the fact that it's a treaty. It basically says that all nations who sign/agree to it will create a set of a laws that accomplish the goals laid out in it. The actual laws themselves will be created by the countries affected by it, and those are what are really going to make "hacking", "cracking" or anything else illegal.
End of lesson. You may press the button.
Do you really, really want to do something about this?
Then take off your asbestos underwear, sit down at your computer, read the actual draft treaty in its current form, think about exactly why you feel this is a bad idea, write it out, revise it, proofread it, and send it to daj@coe.int for review by the people who are actually working on the treaty itself.
This is the wonder of the Internet, folks. They want your input on this one.
I can assure you, though, that they aren't scanning through Slashdot "this is so fscking typical" posts to get that feedback.
If you care about this issue, save your flames, write out a thoughtful letter, send it to the commission, and post it here for others to read and expand upon. But for crying out loud, do something that actually has some chance of making a difference.
Obliteracy: Words with explosions