Tougher Hacking Laws Get Support in UK

rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."

And how should it be enforced?

[Opportunist]

Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.

You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.

You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"

So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two. If you threaten new and intelligent people with jail time comparable with premediated severe bodily harm (up to 10 years sentence here), they will go out and find some less "dangerous" hobbies.

And the price for good security experts in the UK will rise. Either that, or you have to import them from some country ending in -stan, because there they can still learn the tricks of the trade.

Re:And how should it be enforced?

[LiquidCoooled]

Laws against DDoSs. Great idea.

What happens when somebody complains about a thorough slashdotting?

Remember, google can be taken off the air when word of a DOS attack happens (I am a firm believer that 99% of DDOS attacks are curious web users on the grapevine testing a site supposed to be under sustained attack)

Re:And how should it be enforced?

[Daniel_Staal]

So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

Simple. If, by luck, they ever manage to catch someone they now have a law to charge them with.

Until then, it helps keep MP's elected.

Re:And how should it be enforced?

[Baseball_Fan]

In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

I disagree with this statement. Many people learned security the right way. There are places with servers designed for testing. You don't have to crack the computers at U of State to learn security. You don't have hack the computers at GE to learn security.

Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

DDoSs is different. IMHO, DDoSs is like a boycott. Unions did this before computers were invented. I can give you one example. A local shipping factory was going to take away health insurance from the truck drivers. The union voted to strike, and the compnay hired scabs. The truck drivers protested in front of the factory for a couple days, but realized they were not making progress. So what did they do? The truck drivers on strike got in their private trucks, vans, and whatever cars they could find, and they drove in a circle around the factory. This made it impossible for trucks to enter or leave the factory, and jammed up all the local intersections. But it was 100% legal. The police were called in, and the truck drivers were not breaking any laws. The company was forced to deal with the union.

Re:And how should it be enforced?

[Fatchap]

Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

I do not see how you get from "scratching and sniffing" to a record. I, along with most reputable security folks, spend a large amount of my personal income on equipping my lab so I can try things out without doing it on other people's servers and networks. The idea that to gain experience you have to break the law is absurd, it is a bit like saying to be a chef you have to have tried poisoning people!

The fact is that it is against the law to tamper with, or to attempt to tamper with computer equipment that does not belong to you. The end result of posts like this is a simple law becomes confused with faux moral claims like "I was experimenting" or even worse "I was testing it to try and help the owner". Ask Dan Cuthbert (http://news.bbc.co.uk/1/hi/england/london/4317008 .stm) if it's ok to hack boxes without permission.

Re:And how should it be enforced?

[Jerf]

The first part of your argument boils down, I believe without much loss, to "it won't catch smart criminals, so it won't catch them all". This is a dumb argument against law for reasons so obvious I hope I really don't have to spell them out. It applies equally to all laws.

(A smokescreen of words can make any point look valid.)

The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.

I don't know that this law is good or bad; I haven't really looked at it. (The laws do need to be carefully written to make sure it remains legal to provide all relevant security services, which based on other comments may be an issue with this law.) I'm just pointing out your arguments are specious.

Re:And how should it be enforced?

[Fulcrum+of+Evil]

IMHO, DDoSs is like a boycott.

No it isn't, it's more like a denial of, say, a service. A boycott is you and your slashbuddies refusing to buy brand X. A DOS is you and your slashbuddies refusing to allow others to buy brand X. See the difference?

Slashdoting?

[nexxuz]

Would that mean that there could be legal actions against slashdotting in the UK?

more info

[dotpavan]

Look at Part 5, sections 34 and 35 of this

Ambiguity

[kaleco]

The bill - which was being debated for the first time in the House of Commons on Monday - would also boost the penalty for using hacking tools.

What constitutes a hacking tool? A terminal emulator? Linux?

Re:Ambiguity

[Anonymous+Brave+Guy]

This is one of those laws written by people with no clue about technology, and therefore hopelessly and dangerously broad. In this case, the text reads:

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article-

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or

(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.

Re:Ambiguity

[kaleco]

This law is designed to make more people criminals. They can't examine an innocent person's computer, but if you're unwittingly breaking an arcane law, suddenly you're a criminal and the police can investigate all they like.

Re:Ambiguity

[a.d.trick]

On top of that there are a lot of things that might be considered hacking tools that have very valid uses. For example nmap or ethereal can be very useful for network analyis, but are often used to portscan or packet sniff without permission too. I think that having a penalty for 'hacking tools' is silly.I t would be like penalizing people for using knifes in kitchens because you can also use a knive to stab someone.

What?

[voice_of_all_reason]

10 years for hacking? So you might as well take out the cops who are trying to bring you in. Assuming concurrent sentencing, you'll get the same time even with a few second-degree murders thrown in. Sorta like a bonus.

Re:What?

[Anonymous+Brave+Guy]

Just FYI, we don't currently have degrees of murder here in the UK. If you commit murder, the only sentence available to the judge is life. (This is one reason why guilty of manslaughter is often the verdict returned instead; manslaughter carries the widest range of possible sentences of any crime in the UK.)

Re:What?

[keyne9]

Where's the moderation, "+1 Scary, but true.." when you need it?

Re:What?

[Haeleth]

I'm not too keen on british law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

Well... the thing is that in British law, life doesn't mean life.

I'm not an expert, but my citizen's understanding of it is that the judge also sets a tariff, which is a number of years after which you are eligible for release, if you can convince a parole board that you've reformed and won't offend again. After release, you remain on parole for the rest of your life - if at any time you commit another crime, or if at any time it is suspected that you have begun to pose a threat to society again, then you can be recalled to prison very easily.

Obviously in the very worst cases (serial killers and the like) the judge will set a whole-life tariff, which really does mean life in prison. But a case that in America would be second-degree murder, translates in Britain to "life" with a tariff of 10-20 years, after which it is possible for a rehabilitated offender to be released and to rebuild some semblance of a life.

Re:What?

[voice_of_all_reason]

The "parole forever" part sounds really scary. In the US, anyone on parole can be stopped/searched at any time, sex offenders can't buy any porn -- a whole host of crap. You really can't rebuild some semblence of a life if you're not treated equally under the law any longer.

Re:What?

[Shimbo]

Personally I think murder is murder. But that's not the view of the British public and things may change.

Actually, I think it is the view of the British public but not mine. Here are two examples of murder that I strongly believe shouldn't have a mandatory life sentence:

1. Assisted suicide: the prosecuting authorities almost never bring a charge of murder but there would be no defence if they did.

2. Gross provocation: the whole business of pleading not guilty to murder but guilty to manslaughter "on the grounds of diminished responsibility" unnecessarily medicalises cases. Battered wife cases often fall into this category, as does the Tony Martin case.

Hacking tools...

[advocate_one]

what will be illegal: possession or actual usage of them? cos technically speaking I'm in breach here simply for having several common utilities installed on this Ubuntu box. Tools I use to ensure my own systems are secure...

Sony?

[Lord_Dweomer]

"There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated.""

And where will monstrosities such as Sony's rootkit fit into this? Surely our corporate overlords would be held just as accountable under these new laws as a poor 16 year old hacker in his parents' basement.

Awkward justice system

[GenKreton]

Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just commited suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

Re:Awkward justice system

[I+confirm+I'm+not+a]

Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just commited suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

Yes. I live in the south-side of Glasgow, the area represented by Mr Harris. The issues here aren't, apparently, genocide and war: they are graffiti and "anti-social behaviour" (and now, presumably, ha><0ring). Meanwhile, Mr Harris's colleagues in the (Labour-controlled) city council are closing council-run schools and swimming pools, and state-run hospitals. Unemployment in much of Glasgow is still a national disgrace, sectarian violence is still with us, and we still have our reputation as the sick man of Europe (the most polluted street in Europe is just around the corner from my workplace).

So I do feel it's completely wrong that Mr Harris and his cronies devote so much time to so little effect. I'd guess that Mr Harris et al feel that genocide isn't a vote-winning issue. I am slightly surprised to see a Glasgow Labour MP asserting himself: in Glasgow we elect telephone boxes because they're New Labour red. I guess Mr Harris is planning a career beyond Glasgow politics.

Disclaimer: I was a member of Mr Harris's party - Labour - until they went off the rails in 1996.

Black? White? Grey? Define it!

[Opportunist]

Where does white stop and where does black begin? And, more important, do they care?

What they want is the perfectly safe and sane net. Which is by its very design impossible, the net itself is "dumb". It shuffles packets from A to B, not caring (too much) about their content. And that's its purpose.

Their idea seems to be that, if there is nobody who CAN hack, nobody DOES hack. But that's the same theory you can apply to guns. What happens if you outlaw guns?

Exactly.

The best defense against an attack is to have the better guns. Or, in terms of the 'net, the better hackers. If you outlaw them, if you outlaw learning the techniques and the tricks, which you pretty much do when you outlaw hacking altogether, since even a page about hacking can be labeled a "hacking tool", you do the equivalent of outlawing weapon development in your country.

And what happens when you do but other countries don't?

Exactly.

Re:Black? White? Grey? Define it!

[hotdiggitydawg]

Where does white stop and where does black begin?

Permit me to state the obvious, and suggest that it's a grey area...

Re:Black? White? Grey? Define it!

[Yellow+Crane]

Countries that have outlawed most firearms are currently the ones with the lowest gun violence -- as opposed to the U.S. where we lead the developed world in gun deaths per-year, and per-capita. Regardless of the initial feasability, making the act of DoS an illegal act is a step in the right direction. Bottom line is that without things like SPAM, viruses, and DoS attacks the net would be a nicer place by far.

And your outlawing analogy also fallls thru on the learning aspect -- it isn't illegal to DoS your own server. People can just learn to do this without harming others -- or they could go to college, either/or.

Your logic smells like the old cold-war logic -- we have to have the ability to strike because they have the ability to strike -- but guess what, "they" and "you" are just "them", the assholes who use DoS attacks. Good riddance to "them".

You think this is a joke?

[Anonymous+Brave+Guy]

Actually, Slashdotting almost certainly would be regarded as a deliberate DDoS attack.

1. It suddenly diverts massive numbers of requests to a particular system, resulting in an obvious denial of service.
2. The admins of that system are given no prior warning and have no particular reason to expect such a spike, so they can't do anything about it. (There goes the "if it's on the web, it's fair game" argument.)
3. The Slashdot admins know damn well about the Slashdot effect, and have consistently ignored public suggestions to improve their procedures.

I would expect that if the Slashdot editorial staff continue to allow linking in articles without giving any sort of warning or (better) seeking consent from the linked service's admins, the first case will go against Slashdot in a matter of minutes, and there will be genuine consequences for the admins. Let's hope the more enlightened editorial policy zillions of Slashdotters have been advocating for years results.

Re:You think this is a joke?

[Anonymous+Brave+Guy]

Reading the proposed wording, there is no definition of "DDoS". The offences are defined in terms of denying access to a system, and you would simply have to make the case that the Slashdot editors had the requisite knowledge and intent. The knowledge is clear; the Slashdot effect is widely known, and it is not credible that the editorial staff are unaware of the likely effect of linking to a site on the front page of Slashdot. The intent is less clear, but I'm sure you'd find a lawyer who could make a strong case for it. We might refer to a "DDoS attack" in conversation, but the use of zombie machines or whatever is irrelevant to whether or not an offence is committed under the proposed law.

We will always be at war with Oceania!

[WillAffleckUW]

Or some other excuse to crack down on hackers.

My guess is that they're more worried about details of the Iraq misadventure will be found by activist hackers, or Members of the House of Lords or House of Commons visits to .. um ... naughty websites ... nudge nudge wink wink ... you know ... than they are of hackers ganging up on website owners and demanding blackmail (which is already illegal and will already result in stiff jail terms).

Script Kiddies go free ;-)

[TekGoNos]

A person is guilty of an offence if--
    (a)
        he does any unauthorised act in relation to a computer; and
    (b)
        at the time when he does the act he has the requisite intent and
        the requisite knowledge.

So, if a script kiddy just tries everything without knowing what he does, he goes free?

Re:Script Kiddies go free ;-)

[voice_of_all_reason]

I'd be more worried about he does any unauthorised act in relation to a computer

This essentially makes British law inclusive, which is very bad . Instead of prohibiting a set of actions, it now appears okay to simply list what is okay, and assume blanket illegality for anything else.

So it's the answer to "DO SOMETHING!"?

[Opportunist]

Bit like the reaction to the avian flu, hmm? We dunno what to do, we have no information about the topic at hand, but we have to do something to at least appear like we're in charge.

Compare/Contrast...

[Greyfox]

It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever. Assuming you get caught in either case. Likewise what are the penalties for staging a DDOS, which is temporary, versus, say, a Miltonesque burning down of the building, which isn't? And are the penalties for dumpster diving and stealing thousands of credit card numbers any more or less than phishing for them on the internet. Although it seems phishers are pretty good at covering their tracks these days judging from the number of news stories there are about THEM getting caught.

It'd be even more interesting to see a news outlet pick up a story on that. Anyone care to send a suggestion off to NPR?

Anyway... if the punishments for the electronic equivalents are more severe than the real world crimes, perhaps the lawmakers in question need to review their statutes about smoking crack and turn themselves in for appropraite punishment.

Rules need to exist for creators too

[TWX]

Honestly, I don't think that malevolent use of technology would be nearly as much of a problem if it were designed better. I'm looking at you, Microsoft, who have continued to provide us with software that is insecure both on the system and via network, and who never ever gets the software truly fixed. The next version may fix many of the previous version's problems, but it itself introduces new vulnerabilities that again, aren't fixed until the next version.

Companies that create software or firmware need to be held to a quality standard that creates a modicum of safety or security. There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out and reduce the number of compromises to those who actually can break in through their own work.

Re:Rules need to exist for creators too

[Fatchap]

There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out

You can harden Windows to a stage where it is very difficult to break into; equally, you can deploy UNIX, VMS and AIX in a fashion that is very open. The fact that someone uses something with insufficient knowledge to do so properly can not be blamed entirely on the manufacturer. If they knowingly and negligently allowed it to be released with unfixed flaws then yes it would be wrong, if they made errors in production that they then fixed you can not blame them for that.

Take a real world example of a car that is produced with a faulty seatbelt and airbag combo. If the manufacturer was selling knowing that it was unsafe then it is wrong. If they sold it, realized the problem and then recalled all the effected models to fix them, without charge there is not problem. You could not them blame them for someone driving the car into a cement wall and not surviving. Why then do we think it is Microsoft's fault when some idiot puts an un-patched NT 4 box on the internet and it is compromised in short order?

Welcome to the new world

[Opportunist]

Babic killed people. Hackers kill shareholder values.

Wrong?
From a moral point of view, yes.
From a human point of view, yes.
From a personal point of view, YES.

From a financial point of view, no.

You got 3 tries to guess which one counts.

Re:Welcome to the new world

[I+confirm+I'm+not+a]

You make a valid point (that a DDoS attach has the potential to create real harm), but it's slighlty irrelevant: if, through dangerous driving, I crash a motor vehicle and kill someone I would, quite correctly be charged with manslaughter. It doesn't, however, equate to the deliberate and systematic mass murder of civilians and should not merit an equivalent sentence.

But...

[Bill+Hayden]

...what about cracking?

Is it official?

[Jon+Luckey]

Is the Lynx browser now officially against the law in the UK?

An eyecatching initiative

[FishandChips]

The problem at least in the UK is that this act, if passed into law, is unlikely to be used against the professionals or the mythical Mr Big. They will continue as before from their foreign havens while some luckless amateur sadsack in a bedsit is busted to headlines and mucho self-satisfaction from the cops.

Things are only likely to change - anywhere - when a) there are more politicians who can tell a computer from a tennis racket, and b) the cost of computer crime is forcibly brought home to the politicians to the point where they will start hitting the safe havens with trade sanctions and the like. At the moment, much of that cost isn't above the surface, I would guess. Companies are reluctant to fess up les it reflect on them and computer crime is accorded a low priority compared to the various "wars" we are all meant to be fighting in these exciting, high-pressure times - the war on terror, the war on drugs, the war on yobs, the war on binge-drinking, the war on obesity, etc., etc. Just my 2 cents, but I can't see computer crime receding till the present generation of politicians has retired or (some might hope) been locked up.

Industry response?

[timbrown]

As a UK pen tester and developer of security software, this bill directly affects me. My initial response was outrage, but having discussed this with colleagues over the last month or so, I can see the counter point that UK computer security law is in need of updates.

Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that providing that you can demonstrate that you wrote the tool in good conscience for reasons other than the compromise of systems without authorisation then you'll be okay.

Having said this, personally I'll be pressing my bosses for a precise legal explanation of the consequences of these changes to the law in relation to the work I'm currently engaged in.