Tougher Hacking Laws Get Support in UK

rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."

Ambiguity

[kaleco]

The bill - which was being debated for the first time in the House of Commons on Monday - would also boost the penalty for using hacking tools.

What constitutes a hacking tool? A terminal emulator? Linux?

You think this is a joke?

[Anonymous+Brave+Guy]

Actually, Slashdotting almost certainly would be regarded as a deliberate DDoS attack.

1. It suddenly diverts massive numbers of requests to a particular system, resulting in an obvious denial of service.
2. The admins of that system are given no prior warning and have no particular reason to expect such a spike, so they can't do anything about it. (There goes the "if it's on the web, it's fair game" argument.)
3. The Slashdot admins know damn well about the Slashdot effect, and have consistently ignored public suggestions to improve their procedures.

I would expect that if the Slashdot editorial staff continue to allow linking in articles without giving any sort of warning or (better) seeking consent from the linked service's admins, the first case will go against Slashdot in a matter of minutes, and there will be genuine consequences for the admins. Let's hope the more enlightened editorial policy zillions of Slashdotters have been advocating for years results.

Re:You think this is a joke?

[Anonymous+Brave+Guy]

Reading the proposed wording, there is no definition of "DDoS". The offences are defined in terms of denying access to a system, and you would simply have to make the case that the Slashdot editors had the requisite knowledge and intent. The knowledge is clear; the Slashdot effect is widely known, and it is not credible that the editorial staff are unaware of the likely effect of linking to a site on the front page of Slashdot. The intent is less clear, but I'm sure you'd find a lawyer who could make a strong case for it. We might refer to a "DDoS attack" in conversation, but the use of zombie machines or whatever is irrelevant to whether or not an offence is committed under the proposed law.

Script Kiddies go free ;-)

[TekGoNos]

A person is guilty of an offence if--
    (a)
        he does any unauthorised act in relation to a computer; and
    (b)
        at the time when he does the act he has the requisite intent and
        the requisite knowledge.

So, if a script kiddy just tries everything without knowing what he does, he goes free?

Re:And how should it be enforced?

[Baseball_Fan]

In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

I disagree with this statement. Many people learned security the right way. There are places with servers designed for testing. You don't have to crack the computers at U of State to learn security. You don't have hack the computers at GE to learn security.

Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

DDoSs is different. IMHO, DDoSs is like a boycott. Unions did this before computers were invented. I can give you one example. A local shipping factory was going to take away health insurance from the truck drivers. The union voted to strike, and the compnay hired scabs. The truck drivers protested in front of the factory for a couple days, but realized they were not making progress. So what did they do? The truck drivers on strike got in their private trucks, vans, and whatever cars they could find, and they drove in a circle around the factory. This made it impossible for trucks to enter or leave the factory, and jammed up all the local intersections. But it was 100% legal. The police were called in, and the truck drivers were not breaking any laws. The company was forced to deal with the union.

Compare/Contrast...

[Greyfox]

It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever. Assuming you get caught in either case. Likewise what are the penalties for staging a DDOS, which is temporary, versus, say, a Miltonesque burning down of the building, which isn't? And are the penalties for dumpster diving and stealing thousands of credit card numbers any more or less than phishing for them on the internet. Although it seems phishers are pretty good at covering their tracks these days judging from the number of news stories there are about THEM getting caught.

It'd be even more interesting to see a news outlet pick up a story on that. Anyone care to send a suggestion off to NPR?

Anyway... if the punishments for the electronic equivalents are more severe than the real world crimes, perhaps the lawmakers in question need to review their statutes about smoking crack and turn themselves in for appropraite punishment.