Tougher Hacking Laws Get Support in UK

rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."

And how should it be enforced?

[Opportunist]

Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.

You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.

You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"

So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two. If you threaten new and intelligent people with jail time comparable with premediated severe bodily harm (up to 10 years sentence here), they will go out and find some less "dangerous" hobbies.

And the price for good security experts in the UK will rise. Either that, or you have to import them from some country ending in -stan, because there they can still learn the tricks of the trade.

Re:And how should it be enforced?

[LiquidCoooled]

Laws against DDoSs. Great idea.

What happens when somebody complains about a thorough slashdotting?

Remember, google can be taken off the air when word of a DOS attack happens (I am a firm believer that 99% of DDOS attacks are curious web users on the grapevine testing a site supposed to be under sustained attack)

Re:And how should it be enforced?

[Daniel_Staal]

So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

Simple. If, by luck, they ever manage to catch someone they now have a law to charge them with.

Until then, it helps keep MP's elected.

Re:And how should it be enforced?

[Opportunist]

Certainly.

Imagine you're running a blog. On a small server with a so-so connection at a local provider. Then you find something important. Something outragous. You get quoted in newspapers, you get quoted on CNN or worse, you get quoted on /.

Result? DDoS at its finest.

Not even intentional. People just wanted to read your page.

Illegal?

Re:And how should it be enforced?

[Baseball_Fan]

In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

I disagree with this statement. Many people learned security the right way. There are places with servers designed for testing. You don't have to crack the computers at U of State to learn security. You don't have hack the computers at GE to learn security.

Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

DDoSs is different. IMHO, DDoSs is like a boycott. Unions did this before computers were invented. I can give you one example. A local shipping factory was going to take away health insurance from the truck drivers. The union voted to strike, and the compnay hired scabs. The truck drivers protested in front of the factory for a couple days, but realized they were not making progress. So what did they do? The truck drivers on strike got in their private trucks, vans, and whatever cars they could find, and they drove in a circle around the factory. This made it impossible for trucks to enter or leave the factory, and jammed up all the local intersections. But it was 100% legal. The police were called in, and the truck drivers were not breaking any laws. The company was forced to deal with the union.

Re:And how should it be enforced?

[Fatchap]

Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

I do not see how you get from "scratching and sniffing" to a record. I, along with most reputable security folks, spend a large amount of my personal income on equipping my lab so I can try things out without doing it on other people's servers and networks. The idea that to gain experience you have to break the law is absurd, it is a bit like saying to be a chef you have to have tried poisoning people!

The fact is that it is against the law to tamper with, or to attempt to tamper with computer equipment that does not belong to you. The end result of posts like this is a simple law becomes confused with faux moral claims like "I was experimenting" or even worse "I was testing it to try and help the owner". Ask Dan Cuthbert (http://news.bbc.co.uk/1/hi/england/london/4317008 .stm) if it's ok to hack boxes without permission.

Re:And how should it be enforced?

[Daravon]

I'll admit upfront that I don't fully understand the full implications of common carriet status, or if it even exists in the UK.

That being said, why not include in the laws that either ISPs HAVE to act upon complaints about computers on their network that are part of a botnet or that they have to monitor for common symptoms of being part of a botnet (this is tricky, but not impossible).

If an ISP can disable my internet access because I'm using Bittorrent to download the latest version of Fedora, then they can also disable Joe Sixpack's internet for maxing his upload to take down an internet server.

Enable access to only sections of the internet to help solve their problem (Ad-Aware, AVG, Windows Update, whatever), or at the very least block their access to whoever they're ping flooding.

While the initial extra bit of work might be troublesome, I'd imagine it to promote better server down the road. Less useless traffic from a virused computer leaves more space for intentional use of the internet. That alone could make users think that your service is better than the telco down the street. You'd also save on tech support calls down the line from helping users prevent viruses and spyware upfront.

That being said, I'm somewhat looking forward to wide deployment of Windows Vista because of the built spyware protection. Hopefully they can keep it working even half as well as it is now. While that may cut into my business's computer repair money we make, it'll also reduce the amount of time spent on the phone doing free tech support because someone downloaded Newdotnet and it fubar'd their connection.

Back on topic tho, at least if the laws help prevent or disable parts of the botnet, who cares if the main computer is in Xstan. Get S.Korea, US and the EU to enact laws to make ISPs work to prevent their users from being a part of the botnet, then you disable a large part of the homes for the botnets. So what if there's a dozen computers in Africa on dial-up that are sending out trash. It's the millions of computers in first world countries on broadband that we CAN affect.

Re:And how should it be enforced?

[Opportunist]

Hacking your own boxes has one severe but very easily overlooked shortcoming: You can of course make your box so secure that you cannot hack it (provided the system is secure).

Before someone asks, no, I do NOT advocate going out and trying to hack some machines that don't belong to you. What I DO highly advocate, though, is getting in touch with like minded people and trying to bring each other's defenses down. It's amazing how much you can learn that way, even if you've been in the biz for years. And it also works quite well to shrink your ego back to normal sizes in case you deem yourself secure.

Just make sure the other guy isn't trying to find someone dumb enough to hack for him. :)

Re:And how should it be enforced?

[Fatchap]

Yeah, most people call that a pen test, as long as you have permission there is no crime involved. How does this sort of activity have any impact on the current laws against computer misuse?

Re:And how should it be enforced?

[Opportunist]

Maybe the other way 'round, laws having some impact on that. I have a standing bet running with a guy in the UK, hacking each other's machines. First thing I'll do now is to send some written contract over to him, detailing that he has not only my permission but that I actually invite him to hack my machines. Don't wanna get him some trouble for actually doing me a service.

Since I'm not sure if they get active on their own (very unlikely) or only after someone complains, I'll be better safe than sorry.

Re:And how should it be enforced?

[Jerf]

The first part of your argument boils down, I believe without much loss, to "it won't catch smart criminals, so it won't catch them all". This is a dumb argument against law for reasons so obvious I hope I really don't have to spell them out. It applies equally to all laws.

(A smokescreen of words can make any point look valid.)

The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.

I don't know that this law is good or bad; I haven't really looked at it. (The laws do need to be carefully written to make sure it remains legal to provide all relevant security services, which based on other comments may be an issue with this law.) I'm just pointing out your arguments are specious.

Re:And how should it be enforced?

[Fatchap]

It is a bit like you trying to break into his house to test his burglar alarm. If he wants you to then no problem, if you are trying without his knowledge the boys in blue may want a word. There probably does not need to be a written document in something that is informal as two friends trying to learn from each other.

Re:And how should it be enforced?

[pjt33]

You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan.

So? Existing Computer Misuse Act offences don't care where the computer(s) used are. If packets involving in a cracking attempt pass through the UK the cracker has committed an offence under UK law.

Re:And how should it be enforced?

Darwin's law: Survival of the best.

Nope. Darwin says if you survive long enough to copulate, you win.

Sadly, this makes most slashdotters Darwin's losers. (Or since this is slashdot, "loosers") ;)

More on-topic, although someone with a brain can get away with murder, I'd still rather have laws against murder on the books... just in case the cops get lucky and actually catch one.

Oh yeah... does this mean that Scuttle Monkey is going to a UK prison for DDoSing BBC news with his slashbots??

Re:And how should it be enforced?

[Opportunist]

The first part mostly focused on the problem that you cannot reach a good deal of the criminals. Either they're not in the country or they know how to make them appear to be from abroad.

Yes, a law that catches dumb criminals is better than no law. I do, however, expect that the number of dumb people able to create the brain for DDoS attacks is rather small to nonexistant.

The second part should actually point towards the fear of doing something illegal and thus not doing it altogether. When you're new to the trade, you can very easily accidently and without any bad intent hit the wrong machine. Wrong IP, there you go. Happened to me too (back then, nobody really cared about getting IP scanned, though). That might happen to you once, then you get some rather unfriendly mail telling you something that has an "or else" in the middle somewhere.

It's not so much that the law will outlaw learning. It will, though, make people think twice about it. Few people learn something just for the kick of doing something illegal. Most do it because it's fun or because it offers them some opportunity for a great job later.

If fun can turn into a jail sentence, you won't do it for fun.
And if the only thing you hear about is that it's illegal, you won't learn about it in hopes of a better career.

Re:And how should it be enforced?

[AngelofDeath-02]

Here in phoenix .. People would get ticketed for wasting a non renewable resource (40$ and no points on your license) and possibly hit with a no cruising law that they seem to have somewhere...

(they literally reduce the roads in certain parts of phoenix to 1 lane for each direction and do not allow left hand turns periodically to combat "cruising" ... I have no idea how that's supposed to work)

Re:And how should it be enforced?

[Opportunist]

Sure. And who is going to dig out that computer somewhere at the end of the world?

That works quite well as long as the attacking (or in this case, controlling) computer can be reached by authorities. Have you ever tried to execute any kind of warrant in a still rather "approachable" country like Russia? Unless some interests in Russia are involved or it's a crime that could go at the very least to the EC supreme court, your chances of not even hearing back from them (and "you" being something like the UK government) are quite good.

It's nice to know that you have the "right" to seize the offending computer, according to your country's law. If the country the computer is located in does not comply, your right vanishes into a puff.

Re:And how should it be enforced?

[pjt33]

IIRC "DDoS isn't illegal" has already been used as a defence in a prosecution brought under the Computer Misuse Act.

Re:And how should it be enforced?

[vertinox]

If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan.

Or he lives in one of the two countries that name ends in "Korea".

Hint: Its not the nice one.

Re:And how should it be enforced?

If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan.

Russistan?

Re:And how should it be enforced?

[Opportunist]

Ok, ok.
I use -stan as the "generic unapproachable country where you can commit computer crimes" because there are quite many that end in -stan, most of them in an area that has better worries than whether someone used the 'net to actually get some money into the country, legally or not.

Re:And how should it be enforced?

[mickwd]

Laws against murder? Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.

You want the instigator? Good luck. If he has half a brain, the murder weapon is not his, and he used a hitman. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.

You want the knife-owner, the person who's kitchen knife was stolen to commit the murder? Well, while this does have my full support, you can already hear the outcry from survivalist illiterates who fell for the marketing hype around the kitchen and "how easy it is to cut up food and cook for yourself", only to realize now that if they don't have a clue what their kitchen utensils could really do in the hands of someone else, they're now with one foot in jail when they even go out to shop.

Your argument is ridiculous.

Re:And how should it be enforced?

[Ngwenya]

It's not so much that the law will outlaw learning. It will, though, make people think twice about it. Few people learn something just for the kick of doing something illegal. Most do it because it's fun or because it offers them some opportunity for a great job later.

I'd point to examples like the Copyright, Designs and Patents Act, which contain explicit exemptions for security researchers and the security services. I would imagine that the government would insist on those same exemptions within the bill when it hits the Commons. And even if it didn't, the Lords would stick the amendment in and the Commons would accept it.

Don't get me wrong - there's a hell of a lot wrong with UK laws right now - but cutting their noses off to spite their faces is not one of their faults. Research and the spooks will still remain legal.

--Ng

Re:And how should it be enforced?

[mistergin.net]

Ah ha!

So the $40 fines are the reason there are so many bums on Mill asking for money!

Re:And how should it be enforced?

[Fulcrum+of+Evil]

IMHO, DDoSs is like a boycott.

No it isn't, it's more like a denial of, say, a service. A boycott is you and your slashbuddies refusing to buy brand X. A DOS is you and your slashbuddies refusing to allow others to buy brand X. See the difference?

Re:And how should it be enforced?

[Opportunist]

As soon as it's able to kill someone through the 'net, I'll consider the argument.

Re:And how should it be enforced?

[Fulcrum+of+Evil]

The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.

Quote:
You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"

Actually the second part argues that this will cast a wide net and pick up a bunch of non-criminals.

Re:And how should it be enforced?

[eosp]

Actually, I would imagine /.ers buying a lot of X.

Re:And how should it be enforced?

[Fatchap]

This is a case of the service being denied, but it is not an attack.

New Orleans suffered a load of damage after huricane Katrina this year and New York was damaged after 9/11. One was due to insufficient planning and contingency the other was an attack.

They key to the law is intent to harm. The difference between setting the fire alarm off on a crowded subway because you see smoke billowing from under the escalator and shouting "Fire!" so you can laugh at people running out.

I guess if /. posted a link to a site they did not like saying it had a really juciy article on it as a way of bringing it down it would be a DDoS Attack but otherwise not really.

Re:And how should it be enforced?

[jonwil]

The right answer is to force ISPs to do more.
Any ISP with even remotly competant technical people should be able to tell that customer x is spewing out 10000s of spam emails or participating in a DDOS attack.
Ergo, they can take action (including letting the customer know and giving them free removal tools).

Unfortunatly, the problem is that because of how the broken legal system works (in USA anyway) its may actually BETTER (legal/lawsuit wise) for ISPs to do nothing at all than for them to do something that helps solve the problem but doesnt go all the way.

Re:And how should it be enforced?

[alich]

The problem with laws that catch less smart outlaws and leave the rest of the group to use their super-skills without worry is that people that _aren't_ doing anything wrong will find the law just annoying!

Re:And how should it be enforced?

[g00p]

What next? ban the refresh button too?

Ok so, IT market run by = idiots;
jails filled with = intelligence;
streets filled with drug dealers and murderers because the jail's are too full of educated people.

Oh yeah and the UK laws? run by idiots too.

Nice one UK! You just criminalised your only hope of a secure economy...now you're in the safe hands of IE lovers and "security" guys who don't even know how to combat a Ddos themselves, you'll be just fine.

/me packs & leaves UK.

Black vs. White

[cpearson]

There need to be new laws to address hacking and computer crime. Let's just hope the UK has the insight to differentiate between white and black hats.

Wardiving Map

Re:Black vs. White

Sounds like these guys need to watch Fear of a Black Hat

Slashdoting?

[nexxuz]

Would that mean that there could be legal actions against slashdotting in the UK?

Re:Slashdoting?

[madnuke]

Yeah Slashdoting is often to thought to be a Ddos attack! :P

Re:Slashdoting?

[Yellow+Crane]

The issue here is intent -- /. would no more be liable than say CNN for running a story that drew many people's interest and that interest exceeding the hosting abilities of X website that is the subject of said story. The intent of /. is to inform people, and the intent of /. readers is to be informed.

In comparison, the perpertators of a DoS attack are not interested in gaining anything, but denying -- thus the term "Denial of Service" attack.

I'm also pretty sure they would excuse our secret pleasure of knowing our interest might occasionally overload a M$ server...

Good Idea, but probably not going to work...

[Marnhinn]

Problem with this is, it requires "International Cooperation".

I'm simply not sure how much cooperation you are liable to get from countries like Russia, China, and others where a lot of these people operate from.

For those wondering, pernicious means: highly injurious or destructive.

Re:Good Idea, but probably not going to work...

[Brad1138]

Problem with this is, it requires "International Cooperation".

It's easy if you use the U.S. model.:

If your not with us, your against us,
If your against us we'll blow you up.

Re:Good Idea, but probably not going to work...

[Opportunist]

Erhhhhh... I would think twice 'bout trying that with Russia and China. I mean, you know the old joke (and by the content you will realize it's OLD).

"What's that huge red blotch on the map?"
"Soviet Russia"
"And that tiny brown speck?"
"The great German Reich."
"Does the Führer know that?"

more info

[dotpavan]

Look at Part 5, sections 34 and 35 of this

Re:more info

[kaleco]

Remember: Don't forget your passwords.

Re:more info

Cool, so if someone browses your files without permission, they can go to jail for 2 years. Much easier than having to frame them for a serious crime. I wonder who's paying for all this policework, and whether it means the local plod will actually show up to take notes when you report someone poking around your shared directory...

Ambiguity

[kaleco]

The bill - which was being debated for the first time in the House of Commons on Monday - would also boost the penalty for using hacking tools.

What constitutes a hacking tool? A terminal emulator? Linux?

Re:Ambiguity

[Pantero+Blanco]

I hope the actual bill doesn't use the words "hacking tool". Then again, if it does, that makes it even more ridiculous and therefore easier to attack (and less likely to pass).

"Do you have a license for that C++ compiler, mate?"

Re:Ambiguity

[Anonymous+Brave+Guy]

This is one of those laws written by people with no clue about technology, and therefore hopelessly and dangerously broad. In this case, the text reads:

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article-

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or

(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.

Re:Ambiguity

A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.

What? No it doesn't. Read it again:

knowing that it is designed or adapted for use in the course of or in connection with an offence

At what point does Microsoft make an operating system designed or adapted to commit an offence?

intending it to be used to commit, or to assist in the commission of, an offence

At what point do Microsoft intend for Windows to be used to commit an offence?

Re:Ambiguity

[kaleco]

This law is designed to make more people criminals. They can't examine an innocent person's computer, but if you're unwittingly breaking an arcane law, suddenly you're a criminal and the police can investigate all they like.

Re:Ambiguity

[Lordpaul1066]

hmmm. A 'hacking' tool, another term the government can use so broardly when it wants to its absurd.

Re:Ambiguity

[legirons]

What constitutes a hacking tool?

Making, suppling, adapting, or offering to supply something which is designed for, or adapted for allowing someone to cause a computer do anything with the intention of accessing any program or data that they (person using the program) know is unauthorised.

I'm having trouble even parsing what they're trying to say, let alone what it means -- this will probably be something which is interpreted differently by everyone who reads it.

After all, it's easier to define "accessing stuff without permission" than it is to define "creating a tool for use by someone who intends to access stuff without permission" -- does it cover general purpose tools? general purpose security tools?

Does anyone here know how they defined "unauthorised" in the original? (1990 computer misuse act) e.g. do you implicitly give someone permission to access a computer by configuring your software with a security hole left in it?

Re:Ambiguity

[LordSnooty]

At the very least it means that it would be illegal to even mirror nmap in the UK, never mind use it.

Re:Ambiguity

[Anonymous+Brave+Guy]

I think our anonymous friend has missed my point here. It doesn't say the article can't have other, legitimate uses. Simply being designed or adapted for use in connection with an offence suffices. Any communications software is designed or adapted for use in sending communications, which is how many of these offences will be initiated.

NB: I'm not saying this is a sensible interpretation of the wording, merely that it is a possible one. Courts have missed the point far more spectacularly in the past.

Re:Ambiguity

I think our anonymous friend has missed my point here. It doesn't say the article can't have other, legitimate uses.

I think you missed my point, Anonymous. I didn't argue that having other uses was the defence. I said that Windows (and any other benign software for that matter) isn't designed to commit an offence.

The law doesn't say "designed to be capable of committing an offence", it doesn't say "designed to be used for things that are necessary in order to commit an offence", it says "designed for use in the course of an offence". Microsoft, or whoever, have to have had DDoS attacks in mind when they designed their software in order to qualify. That's not a matter for court interpretation, that's basic English.

Re:Ambiguity

[DMoylan]

shhh.....!

its a good way to get ms word outlawed. no more vba viruses!

Re:Ambiguity

[a.d.trick]

On top of that there are a lot of things that might be considered hacking tools that have very valid uses. For example nmap or ethereal can be very useful for network analyis, but are often used to portscan or packet sniff without permission too. I think that having a penalty for 'hacking tools' is silly.I t would be like penalizing people for using knifes in kitchens because you can also use a knive to stab someone.

Re:Ambiguity

[Anonymous+Brave+Guy]

That's not a matter for court interpretation, that's basic English.

The problem is, everything is a matter for court interpretation.

It may be "obvious" to you and me that an operating system or comms tool wasn't designed to be used for cracking, but nevertheless these things can be used for that purpose, and proving lack of intent is rather difficult. Where do you draw the line? What about a tool that maps all the IP addresses on the Internet? What about a tool that cracks MS Office files that you may legitimately have and where you've forgotten the password?

Nothing is ever black and white where the law requires tests for reasonableness or intent. Hence explicit safeguards are required to protect those whose intentions might be miscontrued, where they have a legitimate reason to use a particular tool, but that tool also has less legitimate applications.

Re:Ambiguity

It may be "obvious" to you and me that an operating system or comms tool wasn't designed to be used for cracking, but nevertheless these things can be used for that purpose, and proving lack of intent is rather difficult.

Fortunately, it is the prosecutor that has to prove intent, not the other way around. Innocent until proven guilty.

How would a prosecutor go about proving that Microsoft designed Windows to commit offences of this nature?

Re:Ambiguity

[the_womble]

They can't examine an innocent person's computer

Oh yes they can

All those power the police have been given to supposedly fight terrorism means they can investigate anyone they like.

The same probably applies in other countries.

Re:Ambiguity

[mattpalmer1086]

I'm currently studying this law for an MSc in Information Security. Section 17 (5) (Interpretation) of the Computer Misuse Act states:

"Access of any kind by any person to any program or data held in a computer is unauthorised if-
(a) he is not himself entitled to control access of the kind in question to the program or data; and
(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled."

Having said that, the definition of "unauthorised access" is pretty tricky in some cases. The recent case where someone was let off a DDOS attack on his former employer's email system was due to the judge stating that since an email system is set up to receive emails, just sending a lot of them is not unauthorised. Hence why new legislation is being proposed to cover these loopholes.

Re:Ambiguity

I doubt it - the court would have to demonstrate intent, either on the part of the developer (adapting the software with the intent that it be used to commit an offence) or the distributor (offering the software with the intent that it be used to commit an offence). Include a disclaimer on your mirror page to the effect that "THIS SOFTWARE IS NOT DESIGNED OR OFFERED FOR ILLEGAL PURPOSES, DO NOT USE IT TO BREAK THE LAW" and you should be fine. It's stupid that you would have to say such a thing, but it's hardly the end of computer security as we know it.

What?

[voice_of_all_reason]

10 years for hacking? So you might as well take out the cops who are trying to bring you in. Assuming concurrent sentencing, you'll get the same time even with a few second-degree murders thrown in. Sorta like a bonus.

Re:What?

[Anonymous+Brave+Guy]

Just FYI, we don't currently have degrees of murder here in the UK. If you commit murder, the only sentence available to the judge is life. (This is one reason why guilty of manslaughter is often the verdict returned instead; manslaughter carries the widest range of possible sentences of any crime in the UK.)

Re:What?

[Pantero+Blanco]

I know you were joking, but that's actually a good point. The worse the sentence someone's going to get, the less that person has to lose by commiting further crimes.

Re:What?

[keyne9]

Where's the moderation, "+1 Scary, but true.." when you need it?

Re:What?

[voice_of_all_reason]

You win a Mace of Informative (+1)!

I'm not too keen on british law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

Re:What?

[Expert+Determination]

Personally I think murder is murder. But that's not the view of the British public and things may change. You may find this story interesting.

Re:What?

[Haeleth]

I'm not too keen on british law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

Well... the thing is that in British law, life doesn't mean life.

I'm not an expert, but my citizen's understanding of it is that the judge also sets a tariff, which is a number of years after which you are eligible for release, if you can convince a parole board that you've reformed and won't offend again. After release, you remain on parole for the rest of your life - if at any time you commit another crime, or if at any time it is suspected that you have begun to pose a threat to society again, then you can be recalled to prison very easily.

Obviously in the very worst cases (serial killers and the like) the judge will set a whole-life tariff, which really does mean life in prison. But a case that in America would be second-degree murder, translates in Britain to "life" with a tariff of 10-20 years, after which it is possible for a rehabilitated offender to be released and to rebuild some semblance of a life.

Re:What?

[voice_of_all_reason]

The "parole forever" part sounds really scary. In the US, anyone on parole can be stopped/searched at any time, sex offenders can't buy any porn -- a whole host of crap. You really can't rebuild some semblence of a life if you're not treated equally under the law any longer.

Re:What?

[AndersOSU]

Eh even in the US if you "take out the cops who are trying to bring you in" it's not 2nd degree murder, IANAL and all that, but I'm reasonably sure that killling a police officer who has identified himself is always first degree murder, and will likely earn you a needle in the arm if you are in a state that practices capital punishment.

Re:What?

[ElleyKitten]

>>So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

Uh, which one are you saying is worse? Because I wouldn't have a problem with them both getting life.

Re:What?

[flosofl]

will likely earn you a needle in the arm if you are in a state that practices capital punishment.

Actually, I think it would be classified as "sucide-by-cop" as they toe-tag your corpse at the scene.

Re:What?

[TeraCo]

The moral of the story? Don't kill anyone.

Re:What?

[hyfe]

Concurrent sentencing is not used in Europe.

Re:What?

[Shimbo]

Personally I think murder is murder. But that's not the view of the British public and things may change.

Actually, I think it is the view of the British public but not mine. Here are two examples of murder that I strongly believe shouldn't have a mandatory life sentence:

1. Assisted suicide: the prosecuting authorities almost never bring a charge of murder but there would be no defence if they did.

2. Gross provocation: the whole business of pleading not guilty to murder but guilty to manslaughter "on the grounds of diminished responsibility" unnecessarily medicalises cases. Battered wife cases often fall into this category, as does the Tony Martin case.

Re:What?

[ralphclark]

Don't know about continental Europem but concurrent sentencing *is* used in the UK

Re:What?

[Fulcrum+of+Evil]

The moral of the story? Don't kill anyone.

Killing is fine, just don't murder anyone.

Re:What?

Don't know about continental Europem but concurrent sentencing *is* used in the UK

Yeah, I messed up. GP meant consecutive sentencing and I didn't catch it (I hate languages)

Re:What?

[drsquare]

You've been given a LIFE sentence, you should be grateful you're outside at all. Occasionally being stopped and searched or being in a prison cell? I wonder which is preferable...

Hacking tools...

[advocate_one]

what will be illegal: possession or actual usage of them? cos technically speaking I'm in breach here simply for having several common utilities installed on this Ubuntu box. Tools I use to ensure my own systems are secure...

Re:Hacking tools...

[LiquidCoooled]

Aren't a lot of these tools installed by default with a Linux installation?
Or is this a bonus part of the plot.

Re:Hacking tools...

[TekGoNos]

(2)
    A person is guilty of an offence if he obtains any article with a view to
    its being supplied for use to commit, or to assist in the commission of,
    an offence under section 1 or 3.
(3)
    In this section "article" includes any program or data held in electronic
    form.

So, probably possession is illegal. I say "probably" because I do not understand exactly what they mean with "with a view to its being supplied for use to commit [...] an offence".
Does this mean that they are only illegal when you intend to hack something?

Re:Hacking tools...

I've got a Windows box. I think ping is installed by default and so is FTP. I think there's even a terminal emulator in there somewhere. Wait, aren't some SQL injection bits done using a browser? Didn't Microsoft insist their OS come with one of those too?

Re:Hacking tools...

[armb]

> Does this mean that they are only illegal when you intend to hack something?

Or when you intend to pass them on to someone who intends to hack something.

However, part 1 of clause 35 might make it illegal to create tools that might be useful even if you don't intend them to be used in an attack.
http://www.lightbluetouchpaper.org/2006/02/10/secu rity-research-may-become-a-crime-in-the-uk/

Re:Hacking tools...

[armb]

P.S. See also http://www.computerweekly.co.uk/Articles/2006/02/2 1/214269/ComputerMisuseActamendmentcouldcriminalis etoolsusedbyITprofessionals.htm

Sony?

[Lord_Dweomer]

"There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated.""

And where will monstrosities such as Sony's rootkit fit into this? Surely our corporate overlords would be held just as accountable under these new laws as a poor 16 year old hacker in his parents' basement.

Re:Sony?

[aztec+rain+god]

Except, the 16 year old hacker probably hasn't bribed any politicians, and you can't very well arrest The Sony Corporation, take a mugshot, and throw it in prison. But corporations are people, remember!

Re:Sony?

[Opportunist]

Well, I'm sure if you can ship the Sony HQ somehow to a UK prison, they'd imprison Sony...

But I'm sure this can be settled somehow. After all, that 16 year old hacker doesn't have a good deal of your workforce in his grasp and could sack them with a moment's note. An international corp, otoh, doesn't care if it employs some people in the UK or elsewhere.

Re:Sony?

[voice_of_all_reason]

Fish much? Did you ever catch all the fish in the pond?

I'd settle for the biggest, most prominent members of the pool.

Beheaded and mounted on my wall, of course.

Re:Sony?

What are you, some kind of communist? Corporations are critical to the world economy. Any actions taken by them to safeguard important revenue streams are inherently correct. Acting otherwise would put them at the mercy of investor lawsuits. That is how capitalism works. Move to China if you don't like it.

16 year old hackers must be dealt with harshly by our justice system. One 16 year old hacker's actions could cost a corporation millions. DeCSS, Linux, and PostgreSQL have resulted in catastrophic losses in potential revenue for the MPAA, Microsoft, and Oracle.

Now, imagine thousands of 16 year old hackers running loose with their "C compilers", "revision control systems", and other criminal hacking tools. If we're going to be tough on crime, they ought to be safely locked away forever where they can no longer threaten our economy.

Re:Sony?

[aztec+rain+god]

A man can dream. . .

Awkward justice system

[GenKreton]

Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just commited suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

Re:Awkward justice system

[I+confirm+I'm+not+a]

Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just commited suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

Yes. I live in the south-side of Glasgow, the area represented by Mr Harris. The issues here aren't, apparently, genocide and war: they are graffiti and "anti-social behaviour" (and now, presumably, ha><0ring). Meanwhile, Mr Harris's colleagues in the (Labour-controlled) city council are closing council-run schools and swimming pools, and state-run hospitals. Unemployment in much of Glasgow is still a national disgrace, sectarian violence is still with us, and we still have our reputation as the sick man of Europe (the most polluted street in Europe is just around the corner from my workplace).

So I do feel it's completely wrong that Mr Harris and his cronies devote so much time to so little effect. I'd guess that Mr Harris et al feel that genocide isn't a vote-winning issue. I am slightly surprised to see a Glasgow Labour MP asserting himself: in Glasgow we elect telephone boxes because they're New Labour red. I guess Mr Harris is planning a career beyond Glasgow politics.

Disclaimer: I was a member of Mr Harris's party - Labour - until they went off the rails in 1996.

Re:Awkward justice system

[Muad'Dib129]

While I am complete in awe of DoS and DDoS, they do cripple entire businesses. Exectued the way the haxor(s) would like them to be executed, they would ruin lives (and cause suicides in Japan...akin to murder?). Maybe the penalty needs to be tiered to the severity of the damage instead of a flat 10 years?

Re:Awkward justice system

Years ago, I wrote a mIRC script that performed an operation that could cause another mIRC user's computer to freeze up for up to 90 seconds per attack. I gave this script to a few of my friends. Fortunately, I'm not serving 200+ years for these criminal actions (authoring, possessing, 14 counts of criminal use and 4 counts of distribution).

I'll be anonymous, now, thank you.

Re:Awkward justice system

[westlake]

Does anyone else find it COMPLETELY wrong someone like Milan Babic..serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

This is the argument made whenever a Geek faces a felony charge, the prospect of serving hard time. I am tired of hearing it, and I suspect your MP or Congressman is too.

Re:Awkward justice system

[Thwomp]

It is wrong. I would hope ten years is the maximum and that sentence length depends on the gravity of the crime.

Black? White? Grey? Define it!

[Opportunist]

Where does white stop and where does black begin? And, more important, do they care?

What they want is the perfectly safe and sane net. Which is by its very design impossible, the net itself is "dumb". It shuffles packets from A to B, not caring (too much) about their content. And that's its purpose.

Their idea seems to be that, if there is nobody who CAN hack, nobody DOES hack. But that's the same theory you can apply to guns. What happens if you outlaw guns?

Exactly.

The best defense against an attack is to have the better guns. Or, in terms of the 'net, the better hackers. If you outlaw them, if you outlaw learning the techniques and the tricks, which you pretty much do when you outlaw hacking altogether, since even a page about hacking can be labeled a "hacking tool", you do the equivalent of outlawing weapon development in your country.

And what happens when you do but other countries don't?

Exactly.

Re:Black? White? Grey? Define it!

[hotdiggitydawg]

Where does white stop and where does black begin?

Permit me to state the obvious, and suggest that it's a grey area...

Re:Black? White? Grey? Define it!

[Opportunist]

Well said.

People tend to think in black and white. Of course, breaking into a system and trashing it after leeching everything to be found on it is deep, dark black. Tinkering with your own system, tweaking it, finding a security bug, writing a multi page protocol, designing a bugfix and posting it all on as many bugtracking sites as you can is shiniest, cleanest white.

It's the many little shades in between that make the question interesting and that cause so many headaches. And that bring us the inane laws we're getting. Because to lawmakers, it's usually easier to lump anything not shining in clorine bleached white together.

Actually, in this case, they'd prolly lump my "white" example into the same can for exposing that bug altogether...

Re:Black? White? Grey? Define it!

"Their idea seems to be that, if there is nobody who CAN hack, nobody DOES hack. But that's the same theory you can apply to guns. What happens if you outlaw guns?

Exactly."

Um, if you outlaw guns, you get a place like Britain - same standard of life as the states but without huge numbers of gun-related homicides.

(I'm both British, and pro-gun, but this example was just stupid.)

Re:Black? White? Grey? Define it!

The best defense against an attack is to have the better guns.

And then you get a cold war.

Re:Black? White? Grey? Define it!

[Opportunist]

Cold computer war... Personally I think that's the way to go. I mean, imagine the options!

Economy rises like in the "real" cold war because both sides buy better guns. Only without the fear that you'll soon be living underground and your hairdo is looking weird.

Re:Black? White? Grey? Define it!

[PitaBred]

Nope. Just a much higher violent crime rate. Most people seem to think this is because of the lack of protection that a person in the UK definitely doesn't have, but a person in the US may or may not have. Additional links:

US DOJ
NewsMax
The Weekly Standard

Get off your "Britain is better" high horse, because it's completely wrong.

Re:Black? White? Grey? Define it!

s/Economy rises/Resources are wasted/

Re:Black? White? Grey? Define it!

[Yellow+Crane]

Countries that have outlawed most firearms are currently the ones with the lowest gun violence -- as opposed to the U.S. where we lead the developed world in gun deaths per-year, and per-capita. Regardless of the initial feasability, making the act of DoS an illegal act is a step in the right direction. Bottom line is that without things like SPAM, viruses, and DoS attacks the net would be a nicer place by far.

And your outlawing analogy also fallls thru on the learning aspect -- it isn't illegal to DoS your own server. People can just learn to do this without harming others -- or they could go to college, either/or.

Your logic smells like the old cold-war logic -- we have to have the ability to strike because they have the ability to strike -- but guess what, "they" and "you" are just "them", the assholes who use DoS attacks. Good riddance to "them".

Re:Black? White? Grey? Define it!

[Opportunist]

Worse than the resources wasted right now in a very real war without any benefit for science and no advancement and development?

The advantage of a cold war over a hot is that at least people stay alive and development progresses, instead of people dying and lots of resources being wasted on the destruction of more resources.

Re:Black? White? Grey? Define it!

[timbrown]

Most people? Got statistics (and I don't mean votes carried out by The Sun) to back this up.

Re:Black? White? Grey? Define it!

[timmyf2371]

Your post might have had more credibility if the BBC News article you linked to wasn't five years old. I don't know about protection, but I'd wager that Britain having the most number of CCTV camera per sq. mile certainly is some sort of deterrent.

Regardless of crime figures, I'd rather be in hospital with a broken leg or resting with a black eye than sleeping peacefully in a coffin.

As for firearms, I'm fairly confident the UK would rather not have mass shootings in its schools every now and in regards to your comments protection, I'm sure Mr de Menzes might have something to say about that; if he was still alive that is.

Get off your "Britain is better" high horse, because it's completely wrong.

Forgive me if I'm wrongly assuming you believe that the USA is "better"; it's not. To be perfectly honest, the UK and the USA are both as bad as each other in most if not all respects.

How Slashdot has changed.

[sgant]

A few years ago as story like this would have been prefaced not with "IT:" as it is now, but with "Your Rights Online:" and the censorship icon.

Just an observation...

Re:How Slashdot has changed.

[Fatchap]

Becuase it is your right to try hacking into other peoples boxes?

Guangdong China Hackers Look Out!

[digitaldc]

Anyone hacking a computer could be punished with 10 years' imprisonment under new laws.

So we are to assume that the UK will send in 007 to extract and/or annihilate the hackers from China?


P.S. That would be " years " not " years' "

Re:Guangdong China Hackers Look Out!

[Anonymous+Brave+Guy]

I'm not normally one to pick on grammar, but he's right about the apostrophe and you're wrong. Sorry.

Re:Guangdong China Hackers Look Out!

Do you live on the third side of the atlantic or something; I'm pretty sure that "years" is correct on the other two sides.

Re:Guangdong China Hackers Look Out!

[Anonymous+Brave+Guy]

Then you're mistaken, at least on the European side, as a few moments consulting any popular usage guide will confirm. (The first result of googling for "apostrophe usage" includes a related example, as do several further results from the first page.) This isn't even a stylistic point; failure to use the apostrophe is simply wrong according to British English.

You think this is a joke?

[Anonymous+Brave+Guy]

Actually, Slashdotting almost certainly would be regarded as a deliberate DDoS attack.

1. It suddenly diverts massive numbers of requests to a particular system, resulting in an obvious denial of service.
2. The admins of that system are given no prior warning and have no particular reason to expect such a spike, so they can't do anything about it. (There goes the "if it's on the web, it's fair game" argument.)
3. The Slashdot admins know damn well about the Slashdot effect, and have consistently ignored public suggestions to improve their procedures.

I would expect that if the Slashdot editorial staff continue to allow linking in articles without giving any sort of warning or (better) seeking consent from the linked service's admins, the first case will go against Slashdot in a matter of minutes, and there will be genuine consequences for the admins. Let's hope the more enlightened editorial policy zillions of Slashdotters have been advocating for years results.

Re:You think this is a joke?

[Nick+Harkin]

The purpose of slashdot is not to deny service to sites, the point of a Ddos is. Intent, and all that.

Also, slashdotting is carried out by hundreds or thousands of users, of their own free will, clicking on a link, Ddos is done with zombie machines.

Re:You think this is a joke?

[Firehed]

However, unlike a DDoS, a Slashdotting doesn't take place with intent to harm the server or network. It's just an unfortunate side-effect. A DDoS takes place for that sole purpose - screwing up network traffic (etc). Most good servers can handle a slashdotting anyways (of course that depends on content just as much as the server, a text article is going to hold up a lot better than a modding project log).

And so few people RTFA that it isn't a huge issue anymore :p

Re:You think this is a joke?

[Anonymous+Brave+Guy]

Reading the proposed wording, there is no definition of "DDoS". The offences are defined in terms of denying access to a system, and you would simply have to make the case that the Slashdot editors had the requisite knowledge and intent. The knowledge is clear; the Slashdot effect is widely known, and it is not credible that the editorial staff are unaware of the likely effect of linking to a site on the front page of Slashdot. The intent is less clear, but I'm sure you'd find a lawyer who could make a strong case for it. We might refer to a "DDoS attack" in conversation, but the use of zombie machines or whatever is irrelevant to whether or not an offence is committed under the proposed law.

Re:You think this is a joke?

[StikyPad]

1) # It suddenly diverts massive numbers of requests to a particular system, resulting in an obvious denial of service.

How is that obvious? You've provided your conclusion, but not the means of getting there.

2) The admins of that system are given no prior warning and have no particular reason to expect such a spike, so they can't do anything about it.

Nonsense. Slashdot introduced the dupe policy specifically to give admins notice that their sites were about to be hammered a second time.

3) The Slashdot admins know damn well about the Slashdot effect, and have consistently ignored public suggestions to improve their procedures.

Nonsense. Slashdot introduced the dupe policy specifically to give admins notice that their sites were about to be hammered a second time. Update: 03/08 02:01 GMT by SP: We covered this once before in Question 2.

We will always be at war with Oceania!

[WillAffleckUW]

Or some other excuse to crack down on hackers.

My guess is that they're more worried about details of the Iraq misadventure will be found by activist hackers, or Members of the House of Lords or House of Commons visits to .. um ... naughty websites ... nudge nudge wink wink ... you know ... than they are of hackers ganging up on website owners and demanding blackmail (which is already illegal and will already result in stiff jail terms).

Re:We will always be at war with Oceania!

[pjt33]

Breaking into a computer system as you suggest is already illegal, under the Regulation of Investigatory Powers Act. DOS attacks are not per se illegal, so if you leave out the blackmail you're not committing an offence.

Script Kiddies go free ;-)

[TekGoNos]

A person is guilty of an offence if--
    (a)
        he does any unauthorised act in relation to a computer; and
    (b)
        at the time when he does the act he has the requisite intent and
        the requisite knowledge.

So, if a script kiddy just tries everything without knowing what he does, he goes free?

Re:Script Kiddies go free ;-)

[KaareKveldsmat]

(2)
        A person is guilty of an offence if he obtains any article with a view to
        its being supplied for use to commit, or to assist in the commission of,
        an offence under section 1 or 3.
(3)
        In this section "article" includes any program or data held in electronic
        form.

He'd still be guilty of reading the offending article or downloading a kiddiescript.

Next step; round up all subscribers to bugtraq..

Re:Script Kiddies go free ;-)

[voice_of_all_reason]

I'd be more worried about he does any unauthorised act in relation to a computer

This essentially makes British law inclusive, which is very bad . Instead of prohibiting a set of actions, it now appears okay to simply list what is okay, and assume blanket illegality for anything else.

Re:Script Kiddies go free ;-)

[Fatchap]

Not quite true The Computer Misues Act 1990 says:

Unauthorised Access to computer material:

A person is guilt of an offense if-

• a) He causes a computer to perform any function with intent to secure access to any program or data held in any computer;
• b) The access he intends to secure is unauthorised; and?
• c) He knows at the time when he causes the computer to perform the function that that is the case.

So a script kiddie certainly does fall under it becuase they would have the intent to gain access that they know is unauthorised. As does the so called White Hat who is acting without permission.

Re:Script Kiddies go free ;-)

[mattpalmer1086]

It does not list what is legal or illegal. If you do this specifically, people will find sneaky ways around it. Better to state that any action which is not *authorised* is illegal and leave the definition of authorised to the particular context. This can be interpreted by the courts, as its meaning can vary considerably in different contexts.

The founder of Demon Internet was in court recently on charges that he and his system administrator spied on other board members emails. He tried to plead that his system administrator was *authorised* to configure the system in this way, so what he did was legal. The court disagreed - just because you have an ability to perform an action, and just because the person telling you to do it is the owner of the company, does not consitute proper authorisation.

This means we don't have to keep ammending the legislation every time a new attack is uncovered. Also note that the word "computer" is never defined in the computer misuse act, which was a piece of genius. We can still apply the same law to mobile phones, which weren't around when this law was being framed. A definition made at the time would almost certainly be out of date by now.

So it's the answer to "DO SOMETHING!"?

[Opportunist]

Bit like the reaction to the avian flu, hmm? We dunno what to do, we have no information about the topic at hand, but we have to do something to at least appear like we're in charge.

Re:So it's the answer to "DO SOMETHING!"?

[Daniel_Staal]

That's what it sounds like to me.

Approriate Law

[RedHatLinux]

Rather than constantly increasing the time for every crime committed, I wish legislators would determine the approriate punishment and stick with it, rather than jacking up the time served everytime some screams,"Won't someone please think of the children."

Of course, better enforcement of currently laws would probably deter more crime than increasing the sentence.

Re:Approriate Law

[soft_guy]

How about just not making things crimes that aren't really crimes?

Wikipedia

So, if Parliament acted the same way as some the U.S. Congress' staff did on Wikipedia, would they be subjected to these harsher penalties (since this is likely to be defined as "hacking" in their broad terms)?

Compare/Contrast...

[Greyfox]

It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever. Assuming you get caught in either case. Likewise what are the penalties for staging a DDOS, which is temporary, versus, say, a Miltonesque burning down of the building, which isn't? And are the penalties for dumpster diving and stealing thousands of credit card numbers any more or less than phishing for them on the internet. Although it seems phishers are pretty good at covering their tracks these days judging from the number of news stories there are about THEM getting caught.

It'd be even more interesting to see a news outlet pick up a story on that. Anyone care to send a suggestion off to NPR?

Anyway... if the punishments for the electronic equivalents are more severe than the real world crimes, perhaps the lawmakers in question need to review their statutes about smoking crack and turn themselves in for appropraite punishment.

Re:Compare/Contrast...

[Bogtha]

It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever.

Those are not equivalent offences.

When you shoplift a CD, the shop has lost property. When you make an illegal copy of something, no property has been lost.

When you shoplift a CD, you aren't enabling other offences. When you download illegally via BitTorrent, you are also enabling others to download illegally, as BitTorrent also uploads.

The consequences of these two offences are different. How much they differ by depends on the individual circumstances for each offence. It's very misleading to call them "equivalent".

Re:Compare/Contrast...

[flooey]

I figure I could answer some of these. I am not a lawyer, by the way, I just took a look at the laws in California.

For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever.

The former would be petty theft, which is a criminal offense punishable by a fine of up to $1000 and/or up to six months in jail. Since the value is less than $50, the prosecutor could reduce it to a misdemeanor, which is punishable by a fine of $250, at his discretion. Downloading songs is copyright violation, which is a civil offense, thus you're only able to be sued. The government doesn't actually prosecute such things, it's considered an issue between you and whoever owns the copyright.

Likewise what are the penalties for staging a DDOS, which is temporary, versus, say, a Miltonesque burning down of the building, which isn't?

In the UK, it would appear you could get up to 10 years for a DDoS attack. In California, the penalty for burning down a building is 3-8 years; 5-9 years if "great bodily injury" was caused; and an additional 3-5 years is tacked on for several things (such as injuring emergency personnel). "Aggrivated arson", which is arson committed by a person who has a previous arson conviction, arson which causes more than $5.65 million in damage, or arson which damages 5 or more buildings, is 10 years to life, with a minimum of 10 years before parole.

And are the penalties for dumpster diving and stealing thousands of credit card numbers any more or less than phishing for them on the internet.

I believe both of these are the same crime (identity theft), so they'd be the same. The former might have a charge of trespassing or theft tacked on as well.

Re:Compare/Contrast...

[Greyfox]

That's kind of my point. If you shoplift a CD or DVD (especially as a minor) it seems as if you're opening yourself and your family to a lot less legal liability than you would be if you download a file on some P2P system and catch a civil suit from the RIAA or MPAA. If you then load that CD up on your MP3 player and then pass it around to your friends or send it across country or whatever, you're still doing a similar amount of damage to what you would have by uploading those songs with a P2P service. Shoplifting the CD or DVD also will not potentially bankrupt your family and will likely not even dip into your college fund.

Am I encouraging people to do this? No. I'm just pointing out that there's a ridiculous disparity in the consequences of the two actions. One should consider the potential consequences of all his actions.

Personally I'd suggest supporting independant artists, who are actually cool, unlike the latest fake pop star the RIAA's pooped out. Indy artist's CDs usually cost a fraction of what the RIAA artist's do. Or go International. Or both. Hell if you have even a shred of musical talent start a garage band and upload your own damn songs to the Internet. Even if you suck you can be happy in the fact that you've got more talent than the latest soulless creation from the RIAA cloning labs. That'd be a lot better than taking to a life of crime to avoid bankrupting your family anyway.

Re:Compare/Contrast...

[westlake]

I am not a lawyer, by the way, I just took a look at the laws in California.

Downloading songs is copyright violation, which is a civil offense, thus you're only able to be sued. The government doesn't actually prosecute such things, it's considered an issue between you and whoever owns the copyright.

Copyright is granted and protected under the Constitution.

Criminal prosecutions are fundamentally a federal and not a state responsibility.

Rules need to exist for creators too

[TWX]

Honestly, I don't think that malevolent use of technology would be nearly as much of a problem if it were designed better. I'm looking at you, Microsoft, who have continued to provide us with software that is insecure both on the system and via network, and who never ever gets the software truly fixed. The next version may fix many of the previous version's problems, but it itself introduces new vulnerabilities that again, aren't fixed until the next version.

Companies that create software or firmware need to be held to a quality standard that creates a modicum of safety or security. There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out and reduce the number of compromises to those who actually can break in through their own work.

Re:Rules need to exist for creators too

[Fatchap]

There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out

You can harden Windows to a stage where it is very difficult to break into; equally, you can deploy UNIX, VMS and AIX in a fashion that is very open. The fact that someone uses something with insufficient knowledge to do so properly can not be blamed entirely on the manufacturer. If they knowingly and negligently allowed it to be released with unfixed flaws then yes it would be wrong, if they made errors in production that they then fixed you can not blame them for that.

Take a real world example of a car that is produced with a faulty seatbelt and airbag combo. If the manufacturer was selling knowing that it was unsafe then it is wrong. If they sold it, realized the problem and then recalled all the effected models to fix them, without charge there is not problem. You could not them blame them for someone driving the car into a cement wall and not surviving. Why then do we think it is Microsoft's fault when some idiot puts an un-patched NT 4 box on the internet and it is compromised in short order?

Re:Rules need to exist for creators too

[TWX]

In marketing their software to the masses and in gaining a monopoly in the method that they have, they should be obligated to provide some minimum quality standard. In my eyes that means figuring out what can and should be secure out of the box, and implementing a proper security model. Integrating Internet Explorer and ActiveX into the shell to the level that it has the ability to make system calls was STUPID. Requiring users to basically have administrator level access on any given computer in order to really use it is STUPID. Not back-patching software that's still heavily in use is STUPID.

Yes, I'm aware that it's possible for Linux, BSD, OSX, and any other OS to be configured badly, but many distributions that try to cater to the masses instead of to administrators or techies make a decent effort to turn off stuff that's not necessary, and they also work to minimize the amount of time someone needs to be root in order to do something. Apple's OSX did it beautifully by simply prompting when superuser access was necessary.

Re:Rules need to exist for creators too

[Fatchap]

So not moving to a later version that is more secure is not STUPID, but a vendor not patching software when they have given plenty of notice of its withdrawl is. Riiiight.

Of course the fact that it most of the ISVs that have developed the applications that require admin access not Microsoft is something that we wont talk about here.

Welcome to the new world

[Opportunist]

Babic killed people. Hackers kill shareholder values.

Wrong?
From a moral point of view, yes.
From a human point of view, yes.
From a personal point of view, YES.

From a financial point of view, no.

You got 3 tries to guess which one counts.

Re:Welcome to the new world

[flooey]

Babic killed people. Hackers kill shareholder values.

Just for reference, we had an article only a few weeks ago about how a DDoS attack shut down a hospital's computer network. Luckily, no one was hurt as a result and the hospital was ready to fall back on less technological methods, but the potential for harm is there.

Re:Welcome to the new world

[I+confirm+I'm+not+a]

You make a valid point (that a DDoS attach has the potential to create real harm), but it's slighlty irrelevant: if, through dangerous driving, I crash a motor vehicle and kill someone I would, quite correctly be charged with manslaughter. It doesn't, however, equate to the deliberate and systematic mass murder of civilians and should not merit an equivalent sentence.

Re:Welcome to the new world

[Opportunist]

There is POTENTIAL harm. Granted. It's not like Babic POTENTIALLY killed.

Besides, the potential harm from a DDoS on a hospital's network is minimal. If it IS a threat, it's time to reconsider the structures in the hospital. Human life isn't something you should entrust to something as instable and unreliable as the internet!

But...

[Bill+Hayden]

...what about cracking?

Re:But...

[pjt33]

Already covered between the Computer Misuse Act and the Regulation of Investigatory Powers Act.

Re:But...

DIY cracking is illigal in the UK, unless you can prove your equipment passes the 1975 Waste Oil Directive.

Coke burnoff is definately a no-no, as any good cracker will tell you. It really stinks out the neighborhood.
Home cracking for gaseous fuel will get you arrested too, assuming there are any smouldering bits of you remaining to arrest.

Re:But...

[Bill+Hayden]

Sorry to see you modded down, I thought that was pretty funny. I guess it went over the average Slashdotter's head.

It reminds me of another joke I heard on Slashdot that most people missed. The topic was about clean hydrogen-burning cars and how hydrogen could be more conveniently transported. Someone suggested a novel hydrogen transport method: long-chain hydrocarbons.

Re:But...

As an anonymous coward I start at zero anyway, so I don't think there is any criticism implied.

"Someone suggested a novel hydrogen transport method: long-chain hydrocarbons."

That's a good one.

One day I will work out a pun that combines 'cracking' with the old English use of 'hacking' as synonymous with 'hiking'. Then they'll be sorry. Oh yes.

Plus *intent* is subjective

"The offences are defined in terms of denying access to a system, "

How many times have people made comments here:

"Oh wouldn't it be terrible (nudge nudge wink wink) if everyone was to visit [fill in bad persons website URL] to download [long file] and see for yourself."

That would become a criminal offence instead of a petty nuisence. It's pretty stupid given blocking annoying traffic is trivial.

ISPs only get active if it's in their interest

[Opportunist]

Shutting Bittorrent connections is. Because first of all, depending on your country they could be made liable if they don't shut you down. And second, it creates trememduous traffic (if done right).

Drones, otoh, are a light weight for them. Yeah, from time to time they create some traffic. But none out of the ordinary. Occasionally, a flood of emails is sent from a drone. Ok. A short spike. Sometimes, a DDoS is running from them. Ok. Quite some traffic, but well distributed over time (you can't run a DDoS from a drone at full bandwidth, or the user owning the machine will notice).

Drones don't really cost them that much. At least less than hunting and finding them, then guiding their clueless customers through lengthy conversations concerning the importance of firewalls, packet filters and virus utilities (remember, we're talking those people who get up to close some windows when you tell them to. Yes, they DO STILL exist!). Especially that last part is extremely expensive.

Cutting you off because of using BT is peanuts compared to it. You don't bother a customer service rep for more than a minute because he needn't explain anything to you except "You're using BT, we cut you off. Have a nice day".

Re:Approriate Law - OT: Solution?

[dwandy]

Rather than constantly increasing the time for every crime committed, I wish legislators would determine the approriate punishment and stick with it, rather than jacking up the time served everytime some screams,"Won't someone please think of the children."

What I find incredible is that this business of locking people in cages obviously doesn't work*, yet we continue to use this. Isn't insanity defined something like "doing the same thing over and over but expecting different results"? If the system worked, the US would have among the lowest crime rate anywhere...
I don't specifically have answers as to what to do, but I have heard of non-jail-type-stuff like where criminals meet with their victims and such. While I don't know if it's effective, or if there are better solutions, I just think we're crazy to keep going down this lock-people-up path, when the results are so obviously lacking...

*I define a working corrections system not as punishment system - we can do that easily enough with a big stick, applied frequently and liberally. I am, however interested in making people into contributing members of society, so they add value instead of chewing up resources...

Is it official?

[Jon+Luckey]

Is the Lynx browser now officially against the law in the UK?

Re:Is it official?

[timbrown]

That's not exactly what happened... In that case, the individual concerned acknowledged that he tried things that could be construed as an attempt to compromise the system. The judge acknowledged that his intent wasn't to cause loss, but could not find him innocent and as a result gave him the most lenient sentence he could. In relation to this new law, I think the intent aspect could do with clarification.

Re:Is it official?

[Jon+Luckey]

"acknowledged that he tried things that could be construed as an attempt to compromise the system

All for using "../" in a URL...

Good thing he didn't accidently leave off the end of a URL and get

Error: Directory Listing Denied. This Virtual Directory does not allow contents to be listed.

Explictly forbidden access! They'd throw the book at him!

Re:Is it official?

[timbrown]

From a technical perspective, "../" is clearly understood to be a method of directory traversal which is a known class of vulnerability. However he did more than that as I understand it.

I agree justice wasn't done, but the law (as it stands) was enforced correctly. This was reflected during sentencing and is what gives rise to the statement "The law is an ass". This is actually one of the reasons the law needs updating.

The new bill give more precise definitions of what should be considered illegal (which I support) but doesn't go far enough in discussing intent or server operators obligations in defining unauthorised access.

Re:Is it official?

[Shimbo]

The judge acknowledged that his intent wasn't to cause loss, but could not find him innocent and as a result gave him the most lenient sentence he could.

He did not; the most lenient sentence would be an absolute discharge. He gave a smallish fine because the defendent hadn't admitted the offence when questioned and then pleaded not guilty at trial.

LMAO! MOD UP!

Mod up! LMAO!

How long till Alan Cox moves?

[Almost-Retired]

He's said that GB has the best legal environment for a coder. I don't think he can continue to say that if this becomes law.

I do hope there will be a modicum of common sense exhibited by the MP's when they toss this one into the trashcan of history, to be repeated at suitable intervals when there isn't anything else to stir up the sheeple with.

--
Cheers, Gene

Sketchy logic....

[In+Fraudem+Legis]

Hacking != Cracking Damn politicians, they're all alike.

Misinformation pays.

[matt+me]

The fact is, many users are still in the 80s and don't appreciate our current situation. Even this week I read that "garage geeks are responsable for the viruses and trojans (known as malware) that brings multinational corporations down". Like that was ever true. Garage geeks are trying to save us from the current "cure pays better than prevention cycle" users are fed.

On h4x0ring to Ddos extorsion - equate to Banksy on "grafitti is not a crime. i am reminded of this by real criminals who find the idea of breaking into a secured building to take nothing but leave your name in ten foot high letters absolutely ludicrous".

Viruses and trojans are not graffitti, but an organised armed robbery masterminded by real criminals, not out of teenage angst, but for PROFIT without regards to anyone. The UK doesn't have a problem, we need tougher enforcement in Poland, Czech and Russia and to chase this abuse out.

These things don't work

[packetmill]

These laws don't make the prospect of hacking alot dimmer for the skiddie, or any scarier for the experienced security buff who knows what he's doing. It might just tempt them (or should I say us) to be more careful about their proxies..etc.

You cannot stop unauthorized access. You can't put a pile of gold in front of a guy and tell him not to take it. Threats are great, but for the politically minded hacker - and most of them are - it just makes it more glamorous.

I bet you all my karma a UK site will get hacked soon.

The problem: Countries have other problems

[Opportunist]

You can enforce computer crime in halfway "civilized" countries. Where citizens worry about things like the latest fashion or that their favorite TV show host died.

In some countries they really still have some real problems. And they also have real crime. Where it's not only gang members that get mugged and shot regularely, but actually normal, ordinary people.

How many cops do you think they'll willingly divert towards solving the crime problems of other countries? After all, what do they get in return? It's not like you can DDoS or do some Phishing attack on Russian banks. At least if you want money.

What about DOS by the ISP?

[bagofbeans]

So it becomes unlawful to conspire to effectively disconnect an ISP (or website) by deliberately overloading its pipe (or other technique).

Will it be unlawful for an ISP to effectively disconnect a subscriber's web page (DOS another way), typically for disapproval-of-content reasons? Examples might be objections to politically incorrect (by legal free speech) statements by third parties, or simple laziness by not validating violation of copyright claims before dumping access.

An eyecatching initiative

[FishandChips]

The problem at least in the UK is that this act, if passed into law, is unlikely to be used against the professionals or the mythical Mr Big. They will continue as before from their foreign havens while some luckless amateur sadsack in a bedsit is busted to headlines and mucho self-satisfaction from the cops.

Things are only likely to change - anywhere - when a) there are more politicians who can tell a computer from a tennis racket, and b) the cost of computer crime is forcibly brought home to the politicians to the point where they will start hitting the safe havens with trade sanctions and the like. At the moment, much of that cost isn't above the surface, I would guess. Companies are reluctant to fess up les it reflect on them and computer crime is accorded a low priority compared to the various "wars" we are all meant to be fighting in these exciting, high-pressure times - the war on terror, the war on drugs, the war on yobs, the war on binge-drinking, the war on obesity, etc., etc. Just my 2 cents, but I can't see computer crime receding till the present generation of politicians has retired or (some might hope) been locked up.

Industry response?

[timbrown]

As a UK pen tester and developer of security software, this bill directly affects me. My initial response was outrage, but having discussed this with colleagues over the last month or so, I can see the counter point that UK computer security law is in need of updates.

Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that providing that you can demonstrate that you wrote the tool in good conscience for reasons other than the compromise of systems without authorisation then you'll be okay.

Having said this, personally I'll be pressing my bosses for a precise legal explanation of the consequences of these changes to the law in relation to the work I'm currently engaged in.

Re:Industry response?

[geekoid]

"My understanding is that providing that you can demonstrate that you wrote the tool in good conscience for reasons other than the compromise of systems without authorisation then you'll be okay.
"

Based on example in the US, it can be quite difficult to determine your intent when writing something.
Hopefull that is different in Britian, but I have my doubts.

Governments

[jlebrech]

They usually punish more heavily crimes that are less likely to get caught for, as a disuasion.

Re:Look out Sony - NT

[ettlz]

Look out Sony - NT

No, no — they've already rooted NT.

Hmmm

[GregNorc]

Isn't one of the reasons Britain got rid of it's "stole a loaf of bread? DEATH. Adultery? DEATH. Assault? DEATH" type laws that people figured "Hey... I die if I steal from you... might as well kill you too! What they gonna do, kill me twice?". I think an earlier poster touched on this. I really think while it won't get to that extreme, people will start to ignore the law if we continure to make them these types of laws, a smaller effect could be seen. For example, petty crimes such as littering, speeding, assault, etc will increase, because something being immoral is not always illegal, and vice versa. Right now, with a few exceptions, the law is viewed as being more than just "the law", it's a sort of moral code. If people lose faith in the law, why would they obey? I doub most people don't commit murder because they don't want to go to jail: they see it as immoral.

10 Years for Hacking?

[Tim+C]

I was wondering how that compared to the average sentence for rape or murder, so I did a little googling, and came up with this page from the parliament website. Going by those figures, you're looking at an average of 7 years for rape, 3 for robbery, and so on.

How the fuck do they justify 10 years for hacking?

Oh, and the slashdot summary is a little misleading. While it's true that tougher laws against hacking are gaining support, this particular bill has been widely criticised. It's right there in the linked-to article...

Re:10 Years for Hacking?

How do they get off calling it hacking. Hacking is good. Cracking is the criminal activities. Hacking is what most computer nerds do all the time.

Main Entry: hack
Pronunciation: 'hak
Function: verb
4 a : to write computer programs for enjoyment

Re:10 Years for Hacking?

[timbrown]

You're comparing average term against maximum proposed term. Look at it this way, in theory a DoS or system compromise may cost millions of pounds worth of damage or could result in the loss of life.

Now in an ideal world, the legal system would use existing fraud, theft and manslaughter laws to convict said attacker, but since politicians aren't as clueful of computing as /. geeks they deem to offences to be somehow different.

Re:10 Years for Hacking?

[Tim+C]

You've already lost that fight.

What about spurious takedown notices?

[Ngwenya]

OK, it's frivolous, but worth a laugh. DMCA takedown notices have no legal effect within the UK, but they are certainly issued to UK citizens (usually by US lawyers not paying enough attention, for things like running BitTorrent trackers). Now, the intent of a DMCA takedown notice is certainly to deny service (by closing it off via threat of litigation). Remember - the proposed law covers threats to deny service unless financial settlement is reached (DoS blackmail).

So, now methinks, would that count as a denial of service attack, and therefore a criminal offence? For crimes which carry 10 year jail terms, the USA would be bound to honour extradition requests; so would carelessly issued C&D letters or takedown notices which had no force of law become the way that the British courts could jail sloppy Hollywood lawyers?

Yeah, like that'll happen. But I can still dream.

--Ng

Re:What about spurious takedown notices?

7 years for rape? Right now in the UK you can get as little as 12 weeks for murder if you imply it wasn't intentional.

Safe for who?

/me strokes metaphorical goatee

Re:Black vs. White vs. Rainbow

"Let's just hope the UK has the insight to differentiate between white and black hats."

Somehow i don't think they will.

It seems that the UK have to sing Baa Baa Rainbow Sheep from now on.

http://news.bbc.co.uk/1/hi/education/4782856.stm

From now on everyone will be upgraded to Rainbow Hats.

What a load of bollocks.

[Space+cowboy]

From your DOJ article: "The higher volume of crime in the United States is due, at least in part,to the greater population size of the United States. A more meaningful comparison is between the crime rates of the two countries."

The UK is has a far higher density of population than the USA. There are ~65 million people in the UK, and ~320 million in the USA. 4x the people, 50x the area. A "more meaningful" comparison would take that into account.

An additional reason for the UK to have higher violent crime is that the victim often survives in the UK. Even if attacked with a knife. You are far more likely to end up dead in the USA, so the figures are artifically low when comparing the two.

The USA has just sustained a huge drop [warning: PDF] in murder rates/year (in 2002, the latest figures I could find, it was ~5 murders per 10,000 people per year). During the time period you linked to in the "higher violent crime rate", it was ~8 murders per 10,000 people per year. Or, put another way ~260,000 murders. In the UK in 2003/2004 there were 853. In the period you linked to, it was ~700.

853 x4 is nowhere near 160,000 (both recent figures). The UK is no panacea, but to paint it as more-violent than the USA is just plain wrong.

Simon

Re:What a load of bollocks.

[Space+cowboy]

Ok, sorry to respond to my own post, but the figures I was quoting for the USA were per 100,000 population, not per 10,000. Mea culpa.

The conclusion is still the same though:

853x320/65 (to normalise population) =~4200
~5.5 per 100,000 = 17600.

Or a factor of ~4.

Simon

Well...

[Elemenope]

To be perfectly honest, the UK and the USA are both as bad as each other in most if not all respects.

For one thing, your Parliament is way more fun than our Congress. Seriously, if ANY of our politicians had to endure that much direct questioning from the opposition leader, they would have a meltdown. I'm sure your political system has its foibles, but at least your politicians can articulate off the cuff with some impressive verbal dexterity.

Not "awkward" -- oppressive

The correct term to describe a punishment which doesn't fit the crime is oppressive. And I agree, the law is completely backwards in many instances. For example, here in the US, we have non-violent drug dealers serving more time than violent rapists.

Re:Approriate Law - OT: Solution?

It doesn't work in the sense of discouraging future crimes, but it works in two other important senses:

(1) many people regard imprisonment as just, and the goal of the legal system is arguably to give people a sense of justice rather than to reduce crime (otherwise you could easily reduce crime by making murder legal, for example)
(2) most of the crimes people commit while locked up are against other people who are locked up, so imprisonment concentrates the effects of crime on a minority of the population for whom most people have little sympathy

Personally I'd rather be flogged than imprisoned, and I imagine it would have a stronger deterrent effect, but Western societies have come to the consensus that corporal punishment is barbaric while imprisonment is humane. While I might not agree with the latter it's probably not the right decade to be questioning the former, in case we end up with both.