UK Law May Criminalize IT Pros

An anonymous reader writes "More worrying news from the UK. This time, a bill meant to fight cybercrime may make it illegal to use or make available network security tools available, just because they could be used by hackers." From the article: "Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law. 'Perl is almost universally used on a daily basis to permit the Internet to function,' said Clayton. 'I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offense under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable.'" A note that this is equally confusing but separate from yesterday's story about the UK government wanting private encryption keys.

Do I see a pattern?

[alx5000]

From the country that criminalized privacy:

Let's convict Perl users.

I also heard that something called TPC or TCP is widely used by hax0rs to pwn remote servers. Wait till the UK Government can get their hands on it...

Re:Do I see a pattern?

[DarkShadeChaos]

So basically IT security experts can't test their own networks? I'm sure that will go a long way towards making the Internet more secure! Yeah I see a pattern, it's called ineffective and ignorant legislation... it seems to be quite popular these days.

Re:Do I see a pattern?

[Tackhead]

> From the country that criminalized privacy:
>
>Let's convict Perl users.

First they came for the COBOL programmers, and I was silent,
Because ADD KEYSTROKES TO SYNTAX GIVING OBFUSCATION was always lame.
They they came for the BASIC programmers, and I was silent,
Because I considered GOTO harmful,
Then they came for the C++ programmers, and I was silent,
Because I could still write FORTRAN in any language,
Then they came for the Perl programmers, and now the only way I can win an obfuscated programming contest is to write it in APL.

(First they ignore you, then they fight you, then they mock you, then they come for the Brainf*ck programmers and their heads explode.)

it's the nature of these tools

[yagu]

Just as these tools are useful diagnostic tools they are also handy tools for commiting crimes as described under this proposed law. That's the nature of networks and tools to manage them. To deem these tools and availability of such a crime because they could be used to commit a crime is insane.

This is akin to the recent proposal that all encryption key owners make their keys available to law enforcement. The expected eventual end result will be cautious users relinquishing valuable resources with criminals holding the trump card. This too is insane.

So, when an administrator gets the call to investigate what appears to be suspicious behavior, where do they go to troubleshoot the problem? Heck, peel away all the layers of this onion and it wouldn't be surprising to find hackers are behind this... get the government to suspend priveleges using FUD, and run rampant over the network infrastructure.

There is a hint of sanity from the article:

People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.

"The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the Internet less safe," argued Clayton.

I only hope the government will listen to that reasoning.

Re:it's the nature of these tools

[Jazzer_Techie]

I think the issue is that Perl code can be classified as a form of encryption.

Re:it's the nature of these tools

[lukas84]

Oh, they are quite familiar with listening.

Re:it's the nature of these tools

[Khomar]

If you replace the software with guns, you will begin to understand the position of those who want the right to bear arms (modifications have been made).

This is akin to the recent proposal that all gun owners give their guns to law enforcement. The expected eventual end result will be cautious users relinquishing valuable resources with criminals holding the trump card. This too is insane.

Can guns kill people? Sure they can, but so can many other things that the typical person owns (knives, drills, cars). Guns are also tools, and used well they can be of great help. Many families in my area (Montana) rely upon guns for hunting to support their families (cheap meat). Unfortunately, hunting rifles fall into the category of a "sniper rifle" which comes under attack as an unnecessary weapon. And do not underestimate the value of having a weapon for self defense.

Re:it's the nature of these tools

[Mistshadow2k4]

Hmmm, I have to respectfully disagree. Guns are made to be able to kill, whether in self-defense or not. This proposed law is more like outlawing surgeon's knives because Jack the Ripper (supposedly) used one, never mind that surgeons use them to save lives; network tools are used to hack networks but are also used to secure them. That's the most apt comparison I can think of.

Re:it's the nature of these tools

[IAmTheDave]

Some countries/areas already outlaw certain knives while allowing other, potentially just as deadly knives (chef's knives) to be carried around.

This is easy to break down. It's all about one thing - the next election. Perception is huge, and instead of governing for the common good, people govern for the incumbant good.

Take knives for example. Giant chef knives have the perception of being used to cook yummy food. Crazy blade shape dragon jewel encrusted lock blade half-the-size-of-chef-knives type knives carry the perception of being used only to harm others.

So lawmaker X decides to latch on to that perception and propose a bill that outlaws the greater of the two perceived evils and then brag about how he is a champion of the people come next election cycle.

This is one thing term limits are meant to stay off... to whatever effectiveness. Point is, outlawing "hacking" tools like this is simply a grab for the spotlight. Who cares if the details are ironed out. See, the likelyhood is it won't make it out of committe, but come election time, Mr. X can say "I proposed a bill that would have made it safer to surf the internet, but my opponent Mr. Y (a former network admin, but we won't mention that) STOOD AGAINST this potentially LIFE SAVING measure!!"

Politics, pure and simple.

Re:it's the nature of these tools

[mdielmann]

There is a presupposition in your statement that all killing is (equally) bad. Much of the world doesn't agree with this opinion. There are also far more categories than "self-defense" and "other". Again, there seems to be an implication with you associating "gathering food" and "murder" which I think much of the world would take issue with, as well.

Re:it's the nature of these tools

[malsdavis]

This story is ridiculous! It is implying something totally different from what the law actually states in order to attract horrified readers. I bet the website is getting massive amounts of hits at the moment, but lets look at what the bill actually says:

"A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article --
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used."

This is a common-sense sense law which recognises software for what it is: a tool. It looks almost identical to the law which applies to other tools capable of being used to commit offences, i.e. knifes, hammers, axes, pieces of wood etc.. You don't see the police arresting people who use these, unless they use them to commit (or attempt to commit) a crime, so why would they suddenly arrest anyone who writes a pearl script?

I think it is good to see a government finally recognising software like the useful tool it is, but one which (like most tools) can be intentially misused to cause harm.

Re:it's the nature of these tools

[JesseMcDonald]

Except that the law in this case does not make any distinction between the primary use for a given piece of software, and the possible uses of the software. If the author believes that the software will be used to do something illegal at some point in the future -- which is pretty much a given for any general-purpose piece of software (compilers, operating systems, scripting languages, libraries) -- then creating that software would earn the author a criminal sentence. Perhaps they wouldn't choose to apply it that way, but there is no way to be sure. They certainly could choose to do so, under the current wording of the law, and that is what worries people (myself included). I would rather not see programming become a heavily regulated and licensed profession.

Disclaimer: IANAL

No shit.

[AoT]

And I thought it was getting bad here in the U.S.

I guess a written constitution does have some utility.

Using Perl Should Be A Crime

[Geldon]

... Or at least forcing someone to debug it should

Re:Using Perl Should Be A Crime

[Darby]

Come on now, that joke is getting really stale.

Seriously, who can't tell at a glance what this does just isn't paying attention:

#!/usr/bin/perl
                        +
                       @A=
                      (25,0
                     );@B=(0
                    ,24   +0)
                   ;@C=( 49,24
                  );@X=($")x(40
                 +9)         ;@_
                =(@X,       $/)x(
               25);$_[     $A[1*1]
              *50   +$A   [0]   ]=q
             /./;+ $_[$B [1*1] *1*50
            +$B[0]]=qq/./;$_[$C[1]*50
           +$C                     [0]
          ]="."                   ;@X=(
         $C[0*0]                 ,$C [1]
        );1   *1*               1*1   *1;
       while (394>             (join $",@_
      )=~y/.//){do{           $R=3*rand;@X=
     (((         int         (($         {(A
    ,B,C)       [$R]}       [0*0]       +$X[0
   ])/2+.5     )),int(     (${(A,B     ,C)[$R]
  }[1   *1]   +$X   [1]   )/2   +.5   +0)   ))}
while $_[$Z =$X[1 ]*50+ $X[0] +0]=~ /\./; $_[$Z
]=".";+system$^O=~/[wW]in/?"cls":"clear";pr int@_}

Well then...

[eosp]

Let's ban the English language because you can discuss crimes with it.

Re:Well then...

[dr_dank]

Then the criminals will use other languages

Hey Senor Bob, Let's robbo el banko!

This is great news for India!

This sort of news is great for nations like India, Singapore and Malaysia. The more the Western world places completely unnecessary and unjustifiable limits on its use of such technology, the better off the non-Western nations are.

A strong economy, and the higher quality of life it may bring, depends heavily on innovation and progress. That is clearly being hindered by those who support such legislation. Companies won't be able to take advantage of the productivity gains one gets from using the technology that may be restricted.

In the end, it comes down to a matter of freedom. Those nations who are now free to innovate will do so, and will eventually prosper. Those who seek restrictive legislation over free innovation will see their wealth and standard of living decline rapidly.

Doesn't make sense...

[gmiley]

To compare this to another industry:

Person 1: Hi, I make hammers, would you like to buy one? You can use them to "hammer" nails into things, really quite nice for building houses and such.

Person 2: Wow, this is nice. I'll take one!

Law: Woah woah woah! Hold on right here... This "hammer" you got here... yeah well that can be used to bash someone in the head, so... it's now illegal, you'll have to come with me now. That's right, hands behind your back.

I've never understood the idea that because a tool can be used to commit a crime, that it inherantly makes the tool evil.

Re:Doesn't make sense...

[turbod]

"The express purpose of guns, with the exception of hunting rifles, is to shoot people."

There are three incorrect assumptions here:

1) Historically, all guns were developed as a result of warfare. Most of the long range hunting rifles owe some of their development to military history. Guns were a followup development of previous projectile launching weapons used in war, when gun powder was made available. It probably wasn't too long after that some rich king or general decided that he could use it for the hunt too.

2) Guns are used often in sport --- handguns too! There are many people in countries where using a gun for self defense is banned. However, they still pay for their weapons and store them at a club, just so they can punch holes in paper targets. This is trully endless fun.

3) Handguns are often used in big game hunts as a back up weapon of choice, in case the hunter becomes the hunted. There are thousands of stories printed, and probably many more that are not, about people who had to use a 357 magnum or 44 Magnum to bring down a charging bear or boar, that they had intended to kill with a long gun, but somehow ended up on the receiving end of an attack.

Additionally, if guns could be made to magically not shoot people, I'd still love my guns. Too much fun on the range otherwise...

For self defense, I'd simply move to long bladed weapons (which are much more deadly in close combat). Oh wait, they are attempting to outlaw those in England too :)

TurboD

Shitty Government.

[Ckwop]

This is more sensationalist shit like the story about the RIPA. The law isn't very effective because the police can't force you to hand over keys that are used only to ensure the integrity of messages. This basically means that stuff like SSL, SSH and Zimmerman's Zphone are safe against seizure.

I submitted a story on this but obviously the Slashdot editors care more about exciting headlines than the sober truth. I wrote an essay in 2003 and you can read it here.

I've not read the act but I can already guess how useless it will be. The short and long of it is that it is very tough indeed to prove beyond reasonable doubt that someone that you put the software there. Believe me I know, I was a witness in a Child Porn case. The defence won because when we found the content we didn't follow CPS guidelines in the data recovery method.

Even worse, a hackers machine can look very much like a hacked machine. Hackers, after all, use one machine to get to the next. How are you going to prove they aren't the innocent bystander - BEYOND REASONABLE DOUBT.

Yet more time wasted by an incompetent government that can't even deport convicted foreign criminals.

Simon.

Make computers illegal!

[9mm+Censor]

Computer hackers tend to use computers to commit computer hacker crimes. The link between hackers and computer systems is enhertiently intrinsic, therefore banning the use and ownership of computer systems would greatly reduce computer crime!

It's easier to fight the tool than the person

[MikeRT]

Leftist leaders even more than right wing leaders tend to have a hard time accepting the fact that you can do bad things with different tools. They also have a hard time blaming the person for their use of it. Conservatives do it with drugs by blaming the drugs for the armed robbery to feed the habit. Leftists do it with weapons. It's easy to blame a drug, a gun or a scripting language for a crime. It allows you to not be "judgemental" toward a person who is just an asshole. Neither side likes to admit that these things are totally the person's fault, derived from some inner flaw in the person's character that causes them to get high and rob, shoot to murder someone or hack to steal a person's money.

Re:It's easier to fight the tool than the person

[ChristTrekker]

You're right, it's the current "politically correct" culture we live in. You don't want to be judgmental, you don't want to "discriminate", don't want to hurt anyone's feelings you know.

Sorry, but I'll call a spade a spade. If you're a jerk, then you are, and trying to shift blame onto your childhood/current circumstances doesn't fly with me. You had a choice. You made a bad decision. Tough cookies. Grow up and be responsible.

Bans Nmap Too

[fv]

TFA also states that "People who distribute networking vulnerability scanning tools such as Nmap or Nessus could also be caught up in part (b), Clayton warned.". A quick reading of section 41 seems to bear that out. As author and maintainer of the Nmap Security Scanner, I am more than a little concerned.

I'm certainly not going to let anything as silly as some U.K. law stop me from distributing Nmap, but I also don't want to become like Dmitry Skylarov the next time I give a presentation in England. And even if (as I would expect) the rest of the world ignores this, it could have a chilling effect on important security tools and research from U.K. citizens. Think of all the good research and tools that David Litchfield from London (NGS Software) has brought us. And my London friend Hoobie brought us the free Brutus password cracker, which appears to be prohibited by this bill.

The good news is that this is just a proposal. So I would join the chorus in urging our British friends to make their voice heard against this silly bill.

-Fyodor
Insecure.Org

Re:Bans Nmap Too

[Handpaper]

It's not just a proposal. It's more than halfway into law:

It was passed by the House of Commons earlier this month, and will be considered by the House Of Lords over the next couple of months

Once again we must rely on the Lords to stop the knee-jerk stupidity of the Commons foisting more draconian laws upon us. Let's hope they continue to do their job.

criminalizing possession

[ChristTrekker]

Criminalizing the mere possession of something just because it could potentially be used in a crime is pretty stupid. Until you do something that actually harms someone, where's the crime? "Innocent until proven guilty" remember? Just because someone has means, and could find opportunity, doesn't mean he has motive to commit a crime. Don't you need all three? Mens rea, anyone? All these sorts of laws do is make criminals out of normal, honest, otherwise-law-abiding people.

Until you stab someone, your knife is just a useful cutting tool. Until you shoot someone, your gun is just a useful self-defense and hunting tool. Until you crack something, your network analysis software is just another tool. There is nothing inherently bad/evil about them. Merely possessing them does not twist a normal person into a psychopathic criminal.

Anyone else think we'd have better lawmakers if we plucked some names at random from the phone book?

Re:Compilers and Debuggers?

[richieb]

I recomend you read the essay The Right To Read for a possible future.

Re:What is going on in the UK?!

[mickwd]

This may sound a little partisan and controversial, but the problem is basically Tony Blair.

Since coming to power, he's increasingly become a control freak.

He's emasculated the house of lords, under cover of "reform", while seemingly trying to block the option (favoured by many MPs) of a largely-elected house of lords (because a largely-elected second chamber would be a legitimate "check and balance" on his authority, as compared to a set of nominated place-men). (See for example here).

He's also marginalised parliament - his government carries out the minimum of "debate" there now, merely using it as the place to anounce previously-decided policies. There was a big fuss recently, little reported, about the government trying to pass a law allowing them to change legislation at will, without any debate at all, under cover of "reducing red tape" (see here.

Even within the cabinet, he seems to fire anyone who seems remotely a threat or who disagrees with him in any way (with the exception of Gordon Brown, the chancellor (and probably the next Labour leader), who is powerful enough to be left alone).

Since he's been prime minister, there have been dozens of crime bills, making hundreds of new criminal offences (e.g. see here.

He's increasingly making noises about the criminal justice system being "out of touch" (i.e. not automatically just doing what he says), in a seeming bid to further curtail their powers. For what he's already achieved, see, for example, here.

He himself is becoming increasingly irrational and out-of-touch to the extent where his party are starting to think of him as a liability, let alone what the country now thinks of him. The more out of touch he gets, the determined to get his own way he becomes. He's done a lot or damage to this country's constitutional processes, a lot of damage to its reputation (via Iraq), and the sooner he goes, the better.

from the UK

[ElephanTS]

I grew up in the 70s in London when the IRA were fairly routinely blowing stuff up. At no stage did anyone suggest compulsory ID to deal with this. Mainly the bins were taken off the trains and eventually a 'ring-of-steel' (meaning police checkpoints at increased presence) around the City Of London (our Wall St). Then somehow by the end of nineties we had become the most surveilled people on Earth.

Post 911 the talk of terrorism never went away. And then 7/7 came along and the paranoia and suspicion just went sky-high. Now we too lived in a country where any change of law could be carried off with the mere mention of the T-word. (Either that or the other one, the P-word, the Glitter-crime). This year Blair has is own little version of the Patriot act coming into force, one where he can issue laws without recourse to Parliament as long as they don't include tax increases or a prison penalty greater than 24 months.

Electronic sniffers are be trialed on a few parts of the underground smelling for explosive traces and there is a scheme in planning for a countrywide network of number plate recognition cameras recording all vehicles on a gigantic DB. Most London Transport users use RFID (oyster) in replacement for the old tickets and all this data is recorded. We will have RFID national ID soon at a cost of around £90 per person, compulsory. I could go on but here's a link or two to go on with.

http://www.no2id.net/

http://www.indymedia.org.uk/en/

So, as Orwell (real name: Eric Blair) predicted, we really are heading for a BB state. It's obvious that the UK is the USs puppy dog and we are in the 'endless' war just as long as you are. Really the UK is just another state of the USA. Maybe even quite a powerful and important one at that.

There is a saying in England "Watch America that's what here will be like in 10 years time" - now it seems we've just about caught up or even exceeded what's going on in the US.

Perl bug report

[mangu]

There is a bug in your program, in the last line "print" has been printed as "pr int".

See, Perl isn't hard to debug at all!