UK Moves to Outlaw 'Hacker Tools'
twitter writes "New guidance rules for the UK's controversial Computer Misuse Act do not allay fears of impracticality, or of the banning of legitimate IT software: 'The government has come through with guidelines that address some, but not all, of these concerns about dual-use tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offense. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.'" Somewhat similar legislation recently became law in Germany.
That list of every IP address I posted a while back.
So if I hack something while running my custom application in debug mode from an IDE like Eclipse or VS.Net, would that not make Eclipse and VS.Net hacker tools that should be stripped from the land?
These laws are just retarded knee jerk reactions made by people who have no idea about what it is they are legislating on.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
By the same logic, arrest anyone that distributes money, because criminals can use it to buy guns and kill people.
...and find solace in Europe, where reasonable government and personal liberty reign supreme! ...wait, what?
"Ask not what your country can do for you." --John F. Kennedy
What is it with politicians??! Keep your nose out of business you don't understand and, uh, maybe secure the government's damn servers (a big problem in the US, at least). Maybe mandate security for banks, etc. The policy could be written by, gasp, someone who knows what they are talking about. Somehow, I don't feel like holding my breath till then...
Where I work we just survived a security audit. Hopefully this will make it so impractical for the security companies to stay in business we will never have to go through one ever again. Then we can get away with producing a slipshod product that leaks personal private data left right and central.
I don't read
If you outlaw security tools, then only outlaws will be secure!
Well, at least the courts have to demonstrate mens rea... /sarcasm
Bought the ticket, taking the ride.
Better ban IRC servers (popular for zombies) and Windows boxes in general (also popular for zombies)
“Common sense is not so common.” — Voltaire
Every now and then I get to look at some OTHER country's heavy-handedness.
SJW: Someone who has run out of real oppression, and has to fake it.
Don't visit the United Gulag.
P.S.: Fuck Blair AND Bush.
Cheers.
Also, applies only to property you do not own is wrong, they're talking about distributing the tools.
Pretty much on par for the UK, as far as I can tell. Now, fess up: Who gave the gov't there copies of 1984?
Don't believe for a minute this is about security, it's about control. And those who regulate access to information, control those who consume it. Next steps? Mandatory spyware and BigBrother remote control software. To make it easier to spot the criminals/terrorists/boogeyman du jour, of course.
I mean really, are there any legitimate reasons to use something like nmap?
...and yes, that "ladies" part was a joke too.
Yes, ladies and gents, that was sarcasm.
What doesn't kill you only delays the inevitable
I can not believe myself when I saw the word "hacker" misused here. It should be replaced with "cracker". Hackers are not crackers. Even Slashdot publishes this means where can I talk about it? Am I wrong or something? humbly, a hacker wannabe. against all crackers.
MI5 (CIA of the UK) have been working on a custom trojan for the last year or so. I wonder how this will affect them? Are they above the law?
So what countries are friendly for hosting "hacker tools"? Time to find a not so friendly webhost in another country.
From TFA behind the TFA:
Whilst the law was going through Parliament the Home Office suggested that "likely" would be a 50% test. Anyway, that guidance is now out -- and there's no mention, surprise, surprise, of "50%"
If over 50% of the laws they make are nonsense, can we ban the politicians?
My little Linux and tech blog
This is ridiculous. It reminds me of the "Index Librorum Prohibitorum" (Roman Catholic list of banned books). The Roman Catholics banned books because they believed that they could be used as a tool against their power, and not simply for the purpose of knowledge. That's the same thing the UK is trying to do now - they're trying to ban software because it might be able to be used for naughty purposes. Why don't you ban the C programming language while you're at it UK? I hear those buffer overflows could be dangerous.
Hopefully this mistake won't take 400 years to remedy.
In the US, completely insane laws, like this one, typically sit on the books for a year before a prosecution, get appealed to the Supreme Court of the US, and are killed by the legal system. Germany and UK both seem to have some terribly misinformed laws regarding encryption and security. Do these countries also have a judicial process for fixing laws, similar to that in the USA?
The judicial system really is great, because the laws politicians pass to buy votes or appease contributors/lobbyists are, for the first time, subject to intense debate and logical analysis. If only such a process were applied before the bill becomes a law, we would have a much more just system...
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
How about if such tools were only legal for licensed/certified IT and Information Security professionals?
Yes, this would mean our having to get certified as at least minimally competent at what we do, much like hairdressers and engineers.
The idea is analogous to how, in New York at least, it's illegal for random people to carry lockpicks.
Well, they may as well outlaw all of software development, because any software tool can be put to malicious purposes.
What they should focus on instead are the actual actions taken by individuals to compromise someone's computer or network, not the tools they use to do it with. For instance, there's already a number of tools on the market and in FOSS that can do DDoS attacks -- but they are normally used to stress-test a web site or some other network application.
The whole "intent" bit is always a slippery slope, ready for Kangaroo Court time. Obviously, these idiot politicians never saw or read "Minority Report", where going after "pre-crime" turned out to cause more problems than it solved.
Yes, the governments of the world are not unlike a bunch of monkeys with dangerous toys -- total unbridled power, without the wisdom nor the precision to use it properly.
Ruby Neural Evolution of Augmenting Topologies
I am an undercover **AA investigator.
These are not the tools you are looking for.
The solution: ban brains.
Outside the sarcasm tags, I wonder how long it will be before some moron tries that.
"osake no hou ga, biiru yori ii" to omotteiru.
Frankly, this is absolutely ridiculous. Wait for all the data security breaches because sysadmins were too afraid to run nessus against their own systems. Perhaps the UK government is trying to make their IT security look no worse than anybody else's by banning non-governmental entities from running tools to check for possible security issues.
I think the legislation doesn't understand a difference either, which is why the retarded law is being talked about in the first place.
It's always a great idea to clip the wings of the defenders before the attack. Also, possibly the bigwigs didn't quite grasp that the internet stretches even some length beyond the UK's borders...
The solution to the internet problems is to trash ICANN and hand over all power to a global force, something alike the UN. And then regulate its use with a fist of iron. A logical first move would be to cut off major sources of misuse, the USA, Russia and China for starters. Once they have their shit together, they may apply to rejoin. Maybe then the politicians would start to take the internet seriously.
What is a 'legitimate' computer program? There are many people who make a living as consultants paid to test how hard it is to break into a company's systems. They might well need to use even the most dastardly and underhanded 'hacking tool' to do their work. Indeed the police and security services also use programs that help them get unauthorized access to computers. What grounds are there for criminalizing any computer program?
-- Ed Avis ed@membled.com
If you outlaw hacker tools, then only outlaws will have hacker tools.
Perhaps the real idea is to restrict access to these tools to licensed practitioners or those with a valid reason to possess them. You cannot buy dynamite over the counter, but people with a blasting ticket can still buy it.
Engineering is the art of compromise.
Legitimate security professionals, i.e. hackers, use these tools, too.
If it was only about cracking tools, there'd be no problem, but many tools are dual-use. Sure, you can use them for something bad, but you can do that with a lot of things.
Great idea!! If we outlaw hacker tools, only outlaws will have hacker tools!
Then we can just arrest everybody who has them, and we'll have our systems broken into by the black hats we missed, while those who would have protected us have their hands tied.
And that's while using the popular meaning of "hacker", rather than the correct one.
Please correct me if I got my facts wrong.
Everyone knows that a pencil when sharpened can be used to maim or injure! I mean you could lose an eye! Paperclips can be used to pick simple locks! They facilitate break-ins! These deadly and criminal tools must be outlawed! Hurry! Arrest the employees of Office Depot and Staples for purveying these items, and enabling the criminal underclass!
I guess we should just arrest everyone that has a bad thought.
With 'bad' being relative to the administration in charge at the time in said country.
Will they be outlawing FTP or HTTP as well?
---- Booth was a patriot ----
Only outlaws will carry hammers.
...
Well, and carpenters.
And plumbers.
And people doing home repair.
And
Oh, screw it. It's a stupid idea.
Don't prosecute people for making, distributing, or owning tools. Prosecute people for how the tools are *used*. If there truly is only one possible use for a tool, I could perhaps see some justification, but most of these supposed "hacker tools" (nmap is a good example) are very clearly useful for all sorts of beneficial purposes, and it makes no sense to stifle their development or distribution. If you want to make a better lock, it makes sense to learn how ordinary locks are defeated by such tools as a lock pick. We need to know what the "bad guys" might use.
So much easier to pretend you're taking action than to actually take effective action. The rubes are impressed because they don't have a clue while those who do have clue, know more than enough to get around whatever has been done.
If you break this law, do it in Scotland.
(4) A person guilty of an offence under this section shall be liable--
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
Just what is a Hacker Tool Anyway?
(This is not a troll, I have been in the IT Industry for 26 years and still haven't found the answer to this one. I guess the politicians figured it out.)
-- The same knife used to butter your bread, could be used to kill someone if used incorrectly. Therefore outlaw all knives. --
your timely reply. Please notice the "and" in the sentence.
Oh, wait, this is a registered poster I'm responding to. Mod points: Wow.
Why stop at nmap or wireshark? Sure, your basic networking book refers to both of these, but in a world without malhackers, which is what you want if you support this law (you don't support law breakers who want to hurt children, do you?), why do you need to understand networking? Why stop there, you can glean a good amount of information with malicious intent off of a TCP header, you don't want your computers and phones hacked do you, ban TCP, UDP, MAC addresses, finger, traceroute, ping. While we are at it, we could still have a local hacker, we should ban keyboards too! Cat5 cables can be used to bind someone, you don't support kidnapping, do you? Damn, I'm not even a PhD and I have solved computer security forever. Stop ripping on these good lawmakers, they know what's best for you. A nerf world, we need a plug-and-play nerf world!
Will it actually come down to arresting me for code pieces like a TCP/IP transport routine that I contributed to an open source application - that somehow has been tied to whatever crime committed because they copied my source?
When did my peers and people of my parents' age become such softcore fascists?
Give it up. Nobody uses "cracker". Just like many other words in the English language, the term "hacker" has multiple meanings. One usage means "good" programming work, and another means "evil" programming work, and yet another means whacking at something with a sharp implement. The context will help you figure out which one is being used in each case.
Some relevant bits follow.
......
.....
....
CMA = Computer Misuse Act
The whole thing seems to be rigged against free software/open source and heavily in favour of security through obscurity. Perhaps we should contact them and ask?
Everything below is copied from the guidance.
Prosecutors should be aware that there is a legitimate industry concerned with the security of computer systems that generates 'articles' (this includes any program or data held in electronic form) to test and/or audit hardware and software. Some articles will therefore have a dual use and prosecutors need to ascertain that the suspect has a criminal intent.
Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
* Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
* Are students, customers and others made aware of the CMA and what is lawful and unlawful?
* Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Section 3A (2) CMA covers the supplying or offering to supply an article "likely" to be used to commit, or assist in the commission of an offence contrary to section 1 or 3 CMA. "Likely" is not defined in CMA but, in construing what is "likely", prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly.
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
* Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
* Is the article widely used for legitimate purposes?
* Is the article available on a wide scale commercial basis and sold through legitimate channels?
* Does it have a substantial installation base?
* What was the context in which the article was used to commit the offence compared with its original intended purpose?
My little Linux and tech blog
I play Diablo a lot and *use* hacks a lot... I wonder if that would count and if so what would happen.
why cause it places my tools which are secretly stored as gold mines. /end sarcasm
Also if the UK and Germany go poof let's have the USA do that, and Canada keep it free. All the rest of us can then become the top hackers and get the best security jobs while the rest of you become (no offense) NOOBS at SECURITY.
Yes gov't control is sweet, drives all under ground and makes the people willing to do it in those prospective countries more rigid and crazy. AKA the crackheads, bikers and mafias will now be only ones with such stuff. Great news for the UK. Also gets rid of script kiddie crap.
Look about ten years in future as the only places now getting hacked are banks and your credit card sites. Other sites will be tests.
CHRoNoSS
Chair
United Hackers Association
It will be possible to give multiple shells on boxes located in countries that have not gone loco. Hopefully, Canada, Australia, or even France will come to the rescue. Sadly, it will not be America. I am quite sure that we will shortly try to pass a similar bill on our way to enabling bills. Stars anyone?
I prefer the "u" in honour as it seems to be missing these days.
Not to throw too much fuel onto this fire, but the UK has a large precedent with the concept that TOOLS are the problem rather than the USERS. Look at guns. Is the phrase "guns kill people" really that much different than "hacking tools break into computers"? Not in my book. In fact, they are so similar as to be scary. Both assume that intent is not relevant, the person behind the tool is not responsible for his/her actions, and that these tools cause crime to be committed. Come on guys... If we start banning tools that *could* be used to commit a crime you had better come lock me up now. I've got a whole garage full of hammers, screwdrivers and other tools... and I know how to use them! :-)
... only outlaws will have hacker tools.
I think it's about time people got over the semantics of the word 'hacker'. Given that 'crackers' don't call themselves 'crackers' they call themselves 'hackers' and they call what they do 'hacking', the word has *CHANGED ITS MEANING*. This is not uncommon for languages. Really. Just look at words like 'gay' for instance or even 'computer'. Go and find the original definition of that one!
Get over the semantic drift already, we're not all mired in some rose-spectacled view of the technoutopia where you have to have hacked solenoids under a model railway at MIT in order to qualify for the term.
I don't read your sig, why do you read mine?
Please don't use my state as a paragon of freedom. Oh, wait, it's *security* you want? Try moving to some nice secure country where everything is prohibited, including crime.
Certifications don't protect the public. They protect the certified against competition.
Don't piss off The Angry Economist
They can have my ping client when they pry it from my cold, dead hands.
Don't piss off The Angry Economist
The status quo being more malware and more loss of dollars and privacy due to lack of computer/network security each and every year.
People love to throw around analogies about computer security. Door knocking and opening are thrown around a lot. Here's the proper analogy:
A computer on the internet is analogous to a house with a door on every street in every nation of the planet. If someone breaks down your door and pillages your house, it's quite likely they don't even live in a jurisdiction where you could attempt to find them criminally liable. And that's assuming you manage to find out who and where they are in the first place.
Creating these various computer crimes has only made research more difficult and added another layer of BS so that the creators of these insecure hardware and software systems can point blame at someone other than themselves.
If you truly want secure computers on a secure Internet, then decriminalize all hacking/cracking, we'll have a secure Internet within 5 years of this occurring.
Only very few people refer to unauthorised computer attackers as "crackers". The rest of the world (including the crackers, the mainstream media, and me) aren't going to change their terminology just to please a few programmers who, for whatever reason, want to call themselves hackers. The majority rules when it comes to use of language.
It's the third Twitter journal entry posted by Zonk in a week period.
Can we have a checkbox in preferences to disable it? His negative karma already filters his comments just fine, but he seems to have found a way to be read after all.
Go to nearest store. Are they selling computers? Arrest the staff.
therefore also the people that make them either are too poor to pay for licensing and note that many of the authors knowing the dual purpose like to remain as anonymous as possible. You can't have your cake and eat it too. The gov't wants to have only gov't make tools and anyone they authorize. /fantasy-vision-starts.... one day I envision another war. The war on corporate terror. Where we the citizens have to fight the corporates armies (Black Water ring a bell) /end-conspiracy or is it the end?
As I can attest gov't coders are lame sad and very poor at creativity. The kind of personality that creates hacker tools is not one that lends itself to a gov't job.
Now the UK and 4 other countries are on that WORST privacy list. When there becomes a massive abuse and it goes public, then people may question if they live in a democracy or a fascist state. It was Hitler who burned knowledge (books).
BIG BROTHER is here folks. The question now is do you trust politicians that are lobbied to power by mpaa/riaa/BREIN/corporates. At least in the cold war the corporations had to make it look like capitalism was better than communism. Now that the cold war is over it would be interesting to see how our rights are being whittled away and the corporate power grows.
It is an apocalyptic war that will have them with all the tech and if we don't hold onto the hacker tools and texts we will all lose.
Certifications don't protect the public. They protect the certified against competition.
Good idea! In that case when they (the government) ask us to check the security of a network we can just say: "sorry I can't legally do that, I'm not certified. cya later".
OK being a bit sarcastic there.
Bitter and proud of it.
When did my peers and people of my parents' age become such softcore fascists?
When they got scared.
The real truth is that there is no bogeyman, and that there's nothing to fear but fear itself. Even my four-year old knows that. ("[Girl Name], what do we have to be afraid of?" "Being afraid.")
And now, some "crimes" are nearly impossible to prosecute. How can someone in the UK file suit against a "cracker" from Antigua or Afghanistan? They could potentially steal your bank account information and steal your life savings, buy a handgun, rob a bank, and put you on death row. Now, when you assume - note that word - that the backwards savages outside your home country have to have help to break in, then clearly someone with brains - I mean a white guy - er, I mean someone from the homeland - er, someone reachable by our police - must have helped them. That's complete junk, but to some the point is valid. The bad guys must have help, so let's go after the help. Never mind that the "bad guys" get paid more than I do.
And people are scared because they think things are the worst they've ever been. The fact is, the good old days were never here. Terrorists have been around since at least the Romans. We survive. The day of judgment will never come.
But that's not enough. You can't tell people to calm down - you have to show them that you're doing something, anything.
Seriously - people are attempting to legislate abstract concepts that they don't know about. I've seen laws suggesting watermarks in A/D converters. One of the US Senators honestly thinks the Interweb is a series of tubes. He might not even be familiar with the concept of electricity. Imagine Ancient Greeks trying to pass legislation on the use of titanium in groundwater near nuclear power plants. If I give an opinion on civil engineering, I could be fined up to $25,000. If a politician does, he gets rewarded.
Instead of demanding the removal of the clueless, people just revote for the same guy as last time - if they even voted - or "stay the course". When those in charge have literally no consequences for their actions and get paid to pass legislation from special interest groups. Is copyright theft something that ordinary people really care about? Are there people who are thinking, "man, I'd love to go to work today, but I'm afraid that someone, somewhere, is copying a DVD to take the ads out. If only our government would pass some laws to fix that problem." Okay, maybe if the guy works making DVDs, but that's not a normal guy.
When the victims became criminals. Look at identity theft - it could be prevented with 100% accuracy if the credit bureaus updated their computers. All they have to do is add a picture to your report and require an automatic phone call to the last known phone number any time you want a change. That's it. It's now impossible to steal someone's ID. Of course, it's your fault for not buying title insurance, paying Equifax $25 a month for credit checks, and using your "internet thing" for banking.
When people started getting used to the idea of "I have nothing to hide". You do. Everyone does. I have skeletons in my closet, and I want them to stay there.
So what it really boils down to is that people are in general afraid of something, but they don't know what it is. So, they turn their wrath on anything that can possibly hold their ire. Immigrants, Hackers, ID thieves, the Russians, terrorists, etc. As long as the eye isn't on them, then they're fine. Torture the sandnigger or the hacker. They're the ones who made the world such a fucked up place. It's all their fault.
They're really afraid of themselves. How long will it be until the bank comes calling, or the boss cans them, or the spouse will leave with the kids?
It's a scary thought - we're led by clueless, corrupt, whores who run the place by tacit consent from people who are too afraid to interrupt their routine.
This isn't exactly what I meant to say, but I think the power here has become unreliable. There's a lot of wind outside.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.
-- Richard Stallman, The Right To Read
I'm wondering if "anti-hacking" laws like this will conflict with data retention laws that are also brutally oppressive, to the point where admins will be required to do things they can't possibly do without tools that are illegal to possess. Sounds like the sort of thing one would expect from China.
But it was the mainstream media who usurped the use of the word from the "few" good programmers. The media lumped the majority of the good (using their own word) in with the few bad.
Now you have wanky terms like 'white hat' and 'black hat' hackers. I'm not a fucking white hat hacker. I have nothing against black people and I don't like wearing bedsheets or burning crosses.
That just doesn't seem funny any more... :-(
Seriously, though, we're seeing a lot of this: the notion that any funny stuff, be it computer software, electronic goodies, chemistry, what have you, is a priori for bad purposes. Somehow due process has gotten lost in the shuffle, the user is apparently guilty until proven innocent, and must be dealt with accordingly.
Tragic.
...laura
But it was the mainstream media who usurped the use of the word from the "few" good programmers. The media lumped the majority of the good (using their own word) in with the few bad.
Well, typically hacking in the legitimate sense isn't substantially different from the illegitimate sense. Normally I understand hackers to be getting a system to do something it wasn't meant to do. Installing Linux on a camera and obtaining access to a corporate server through an exploit both fit this definition. I'd also point out that "The Hacker's Handbook" was published in 1985. The term had only been first recorded two years earlier and was mainly a piece of technology jargon. Furthermore, the first computer infiltrators were hackers in both senses of the word. All were capable programmers and keen on exploring.
Now you have wanky terms like 'white hat' and 'black hat' hackers. I'm not a fucking white hat hacker. I have nothing against black people and I don't like wearing bedsheets or burning crosses.
Okay... that's a weird argument. What do black and white hats have to do with black and white people? It's an old cowboy film metaphor!
Yay, now I can feel it! The day they outlaw knives, crowbars, stethoscopes, matches and sleep pills is nigh!
You just got troll'd!
But always remember :
Guns don't kill people, physics kills people. Perhaps we should outlaw physics. Or physics textbooks - which might be quite popular?
I live in NY too...
Certifications provide a baseline clue as to whether or not your has proven at some point to meet certain minimum requirements of knowledge and/or skill.
I agree though that certifications don't protect the public- such professionals would have to be bonded for that.
What kind of tools/software are they banning? Is it even feasible???? listen_to_slashdot
The ISC2 and SANS (GIAC) are making too much money to do anything like that. If certification is made to be a requirement to legally possess and use the software tools needed to do IT security work, you can bet your ass that the cost to obtain and maintain certification will rise considerably. The community of CISSPs and GIACs will also become very protective of their certifications. I am a CISSP, and right now to me having that certification is not really accomplishing much in the way of added value to my career, in fact it's a bit of a liability since my employer does all kinds of unsecure IT stuff behind my back or hides it from me, which may jeopardize the safety of the network I'm in charge of. However if the day comes that holding this cert actually gives me some real authority to go along with my responsibility, you can be assured I'll milk it for all it's worth. It'll be the next best thing to belonging to a trade union.
...and we all know that prohibition works so well.
I mean all one has to do is look at the prohibition of alcohol in the United States. Not only did that fail, but the police were involved in the manufacture and distribution of various types of the liquid drug. And speaking of drugs; The War on Drugs hasn't really paid off either. The amount of money/time spent on such an endeavor hasn't been worth the effort.
That being said and back to the topic at hand, last time I checked my server logs, Asia was the origin of ALL the attacks. Now, not only have Germany (and possibly the UK) made these tools illegal, but they have effectively left themselves vulnerable to attacks from outside of their countries/continents. Those areas outside of their borders are not going to abide by the laws they set for their own people. The western world is becoming a fascist, oppressive, police state.
Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
Immigrants, Hackers, ID thieves, the Russians, terrorists
You seem to be implying that none of these things are worth the public's attention or concern. On the contrary.
To stay on topic, let's consider hacking. A frankly ridiculous amount of critical economic infrastructure is dependent on computers that are vulnerable to hacking, whether that vulnerability is due to operator incompetence or poor design. The hackers are constantly improving in sophistication and skill, and they are motivated by financial incentives. The next decade will see increasingly spectacular network attacks that cause massive amounts of economic damage and, indirectly, even deaths. The public should be concerned about this.
Toronto-area transit rider? Rate your ride.
I'm sympathetic to your viewpoint, but I think you are exaggerating somewhat. There are things out there that a reasonable person should fear. There are criminals, there are terrorists. We should be reacting to them. We just need to not overreact.
:-) Good luck!
"One of the US Senators honestly thinks the Interweb is a series of tubes. He might not even be familiar with the concept of electricity."
No, one of our Senators used a clumsy analogy. None of them really think the net is composed of tubes. Yes, they are legislating issues they don't understand... but they aren't retarded. I'm quite sure the majority of congressmen have above average IQs. They may be corrupted or arrogant, ignorant of tech issues, but not stupid.
I'm not really arguing with you, I just think you're passionate and letting some of your rhetoric get a little carried away. Take your own advice: "We survive. The day of judgment will never come."
"This isn't exactly what I meant to say, but I think the power here has become unreliable. There's a lot of wind outside."
I spent a moment trying to figure out what your metaphor meant... is "Wind" our political climate? Then I realized you're literally talking about 'power' and 'wind.'
Indeed. The fix for poor software security is to create requirements for implementation, not punishments for breach. Those breaching don't care about UK or US policy. They are by definition scofflaws. And yes, I am directly stating here that it's not the cracker's fault the bank is easy to get into. It's the bank's fault and they deserve to lose the money. (Does YOUR bank use two-factor authentication, or do they make you think you're safe by asking those personal questions?)
When you build your code by hiring the lowest bidder with the least qualifications, then you should be liable. If a bridge building contractor didn't keep blueprints and didn't hire a qualified crew, then they would be sued or imprisoned. I can't just go and build a stadium or an overpass just because I think there should be one there.
If you do that with software - even software potentially worth billions of dollars - you get more contracts. Of course, it's not like anyone died as a result of bad software... oh, right. Any idiot can grab a book on teaching yourself programming and think they're an expert in 24 hours.
I have the knowledge to visit your reservoir and shut it down. (I'd have to actually visit it in person, but it's not like it's under guard.) That's just damned irresponsible programming on the part of the SCADA guys. Oops, your fecal chloroform count is way too high. Passport applications in Canada were compromised by bad coding, and last year the Canadian tax system shut down due to a glitch.
It is damned irresponsible to punish someone for making an nmap program publicly available when the institutions don't put on basic security measures. The cops say it's my fault if I don't lock my car. Why is this any different?
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Who here actually thinks that a person who distributes a "hacker tool" isn't going to be behind about 7 proxies when he hosts it? All this leads down to is a circle of lawyers screaming "Who in the hell do I sue?!"
That means everyone who's written a web browser is obviously guilty of some serious crimes against humanity!
I thought the backlash against the web ended in 2005
I used NMAP today to find spare addresses and forgotten equipment on my internal (private) networks.
1+1=10
Stupidest fucking law ever. Making tools that can be abused illegal and prosecuting the author, utter bullshit. A hammer can be abused too you know, but it's also a useful tool. Now it'll be much more difficult for white hat hackers to make sure bank servers etc are secure. On top of that it'll kill innovation in that country as people may be too scared to experiment. Attention cluebies who do not understand IT technology: laws like this do not make you safer, if anything they'll make you even more insecure.
You pretty much summed it up, I couldn't put it any better myself.
Come on people, the usage of this word is very important for kids like me who want to follow the right path of computation. I made a search in the Cambridge dictionary. It is too bad. They too have a problem with this. What can we do about it? But since we all here in Slashdot know what it means this need not be a big subject matter. Thank you all for the reply.
If you're not allowed to use the tools until you are?
.. I had a copy of DEBUG.EXE sitting around on a floppy.
/theeye
What? What? You want some?
The eternal struggle of good vs. evil begins within one's self.
This is my business and our claim to fame is cost of delivery based on OSS toolkits to some extent. When we can't use them any more we'll just license commercial tools and pass the cost on to you AS WILL EVERYONE ELSE, or, better yet we'll do all the work remotely from a foreign country in lieu of hiring you silly Brits locally.
Good luck with that. And it's hard to believe you lost the Empire. B>)
I think 'whacking at something with a sharp implement' was part of the intention of using it to describe coding was apt...
But it does piss me off when I need to describe what I do. "Hacker" gives you dirty looks, etc... and nothing else quite fits. I'm not a classical nerd or geek.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Can we have an 'Amen!' here folks?
"The more corrupt the state, the more numerous the laws."
Seems to apply so often to legislation discussed on Slashdot, and elsewhere...
Too bad Senators, MP's, et al don't seem to get it.
Replying to this anonymously since my wife doesn't want this story tied to our real name. I was recently a victim of identity theft. I was lucky in that I caught it early and shouldn't suffer any real financial loss (despite the time and energy spent removing a fraudulently opened credit card from my credit history).
During my research, I struck upon a simple way of preventing identity theft. Freeze your credit. This means that no one could open a line of credit even if they did have your name, address, SSN, and date of birth (precisely my information that was somehow stolen). If you want to open a new line of credit or allow someone to check your credit (say, for a background check on a new job or for insurance), you temporarily unfreeze your credit and then the company can perform the action.
Unfortunately, right now, freezing/unfreezing your credit costs money. It varies per state, but here it's $5 per credit agency to freeze the credit and $5 per agency to unfreeze it. There are 3 agencies, so that's $15 for each freeze/unfreeze.
Why the cost? Mainly to deter people from freezing their credit. Why deter people from doing something that could help them? Easy. Frozen credit can't be checked by credit card companies for those "You're Preapproved" credit card letters. People with frozen credit are less likely to open a credit account by the register in a store for the 10% off their purchase. In short, credit agencies and credit card companies make less money off of you if you freeze your credit. This makes credit freezing bad in their not-so-honorable-opinion and they will do what they can to slow down adoption of it as a tool to fight ID theft.
But what of the ID theft fight? Wouldn't the credit card companies benefit from less ID theft? Perhaps, but they aren't seriously hurt by it either. Credit agencies don't care if that new card was really opened up by you. Credit card companies don't get too hurt by fraudulent purchases. Either the person pays the bill without looking or the company charges it back to the store and the store is the one left in the cold. They make more money from non-frozen credit than they lose to ID theft. And they'll fight tooth and nail to protect their profits over the credit security of the American public.
Do you walk around in body armor or with body guards? No? Well, you deserved to be mugged or brutally beaten to death.
Or maybe your logic just isn't.
I'm not sure most people honestly think they have nothing to hide. They've been trained, however, to think that failure to act like one has nothing to hide will reveal what they have to hide.
I think it's likely a result of a culture obsessed with cop fantasy shows in which the cops can do pretty much anything they want to solve the crime, justified by depictions of the people the fantasy cops zero in on as nearly always guilty.
Kythe
The possibility of misuse is horrible.
Bummer.
Most people aren't thought about after they're gone. "I wonder where Rob got the plutonium" is better than most get.
And how do you verify that you are YOU in order to unfreeze (or freeze) your credit?
What stops the 'bad guys' from getting that info and un-freezing your credit as soon as you freeze it?? Or, alternately, what's to stop a 'bad guy' from going around messing with people by falsely freezing their credit??
Flamebait!? If anything, it's praise-bait.
"abused by hackers"
Abused. Presumably, it can also be used by hackers in legal ways.
They only keep them out of the hand of people that use them for good.
How do they get to be so wrong about these things, though?
Seriously, what adviser tells them that it's at all possible to filter the Internet reliably? Or that DRM will ever work? Or that there is such a thing as a "hacker tool", with no legitimate, legal use?
And, given technology is apparently important enough for them to legislate about, why do they not listen thoroughly enough to understand the opposing views? I don't mean they have to understand what a debugger actually does, but how do we get asshats like Tubes Stevens?
Don't thank God, thank a doctor!
Who, besides fourteen-year-olds, says "gay" to mean anything other than actual homosexuality? (Or joyousness, if being quaint...)
And while I realize these fourteen-year-olds are our future, I also realize that by the time they're twenty-four, they have at least one or more gay friends, so they have the decency not to use the word that way.
But it's not so much the original "crackers" who changed the meaning. If that were the case, I now declare myself a Man, so anyone who is male and not me is a Boy, because the word "Man" has CHANGED ITS MEANING to refer to me.
No, it's the news media, who really didn't have a clue anyway. They might as easily have called them "developers", or even "phreaks". The reason why "hackers" is so frustrating is that, like "developers", it has another meaning. It's not so troublesome that there's a new word for "cracker", but that there is now no word that covers the original meaning of "hacker".
That said, I've now grown up and started calling myself an "engineer"...
Don't thank God, thank a doctor!
Run Anywhere!!! Dear gods, what is this awful language Java which runs both on a hackers computer and also a government server.... Ban it, ban it now!!! Meh
Say goodbye to GCC. That should prevent a fair amount of hacking, experimentation, and circumvention.
-- Posted from my parent's basement
"Look at identity theft - it could be prevented with 100% accuracy if the credit bureaus updated their computers. All they have to do is add a picture to your report and require an automatic phone call to the last known phone number any time you want a change. That's it. It's now impossible to steal someone's ID. Of course, it's your fault for not buying title insurance, paying Equifax $25 a month for credit checks, and using your "internet thing" for banking."
:)
What a bunch of shit. Identity theft can't be prevented pretty much period. But it can be discovered and remediated much more easily than the current system (in the US anyways) allows it to be. As for the rest, you lost me with the use of the word sandnigger. I thought that a joke was required when using that word.
Microsoft Internet Explorer
So - how about getting rid of MSIE at all in UK?
In an actual democracy, you can replace the sitting politicians with better ones. If there aren't any better ones to choose from, you can run yourself. The problem (well, ignoring problems with the system for now) is getting the voting public to see that you are right and the others are wrong. Politicians get away with predictably ineffective, wrong-headed, or sometimes just plain evil laws because they can make the public at large believe they're actually good ideas.
Ban black hat tools? Sure! Nobody wants their computer broken into, right? So everything that stops that is welcome. And what matters in the political game is that it _sounds_ like it would help to an ignorant observer. Not that it actually is a good idea in reality.
Perhaps a mandatory recording of the stated goal of a law and a mandatory assessment of the effectiveness of that law in achieving that goal, as well as its overall cost, followed by a repeal or at least amendment of the law and a black mark for the politicians who proposed and supported it if it turns out to have had more harmful effects than goal-achieving ones would help here.
Please correct me if I got my facts wrong.
I'm sympathetic to your viewpoint, but I think you are exaggerating somewhat. There are things out there that a reasonable person should fear. There are criminals, there are terrorists. We should be reacting to them.
For criminals we have the police who, despite what you see on TV, are doing an excellent job most of the time in both clearing up and deterring crime. In the more civilized countries of the world at least.
Reacting to terrorists? Honestly, fuck'em. We lose more people to food poisoning. I'm more than happy to take the risk and anyone who says different is, imnsho, an utter coward.
Now cue the ominous threat that cavemen with turbans and their nutty "rogue-state" friends will detonate a nuclear device in a large metropolitan area. If you're really that gullible and afraid, your problem is medication, not terrorists.
Except we don't have the death penalty in the UK
No civilized country does. The US is in a pretty fun, little exclusive club there.
Analogy time.
Arson is a crime and should be punished, demanding the public's attention and concern. So far we can agree. This law proposes matches to be banned, but not lighters. Both are "dual use" (who comes up with this shit) and one is made by basement hackers (the matches) while the other is made by sophisticated programmers (lighters).
For a determined arsonist, how hard will it be to start a fire?
And I'm ignoring the fact that with this internet thing here, the arsonist can start the fire from a far away place, where these laws don't have any impact.
Still, crackers as well as arsonists are bad people who cause damage, so we need to do something about them. You were hinting at financial incentives, which is exactly where these laws should be pointing their arrows. It's also more feasible to do something about shady investors (or whatever) even if they are abroad. Let's say the cracker is Russian, how will this new law affect him? It won't.
Then there's the economy of scale. Cracking causes "massive amounts" of damage. Spamming, yes. Cracking, I don't know. If a virus hits your big corp and takes out all the computers, that would cause damage. If we're saying copies that weren't bought by consumers because of serialzz, I call the RIAA defense (not every copied copy would be a bought copy).
Still, there are more pressing matters to attend to. Healthcare, war on whatever, education, etc. These matters concern WAY more people more directly. Too bad these people aren't lobby groups or rich firms...
>They may be corrupted or arrogant, ignorant of tech issues, but not stupid.
Doesn't that make it worse?
How about moving the "hacking" tools to a server in another country. As long as there is a country in this world that has different laws regarding security / encryption tools there will be services that allow hosting those tools there. Or if you can't find any services just do what any good black hat hacker does: do not keep compromising files on your machine, install rootkits or other stuff on remote compromised servers and carry your attacks from there.
People who build buildings that kill people after an earthquake are perfectly certified engineers who have passed all their exams and satisfy all their conditions for certification.
The word hacker is being abused by criminals who don't want to call themselves criminals, so we call them with the correct name for them: crackers.
There's a difference in legitimate language change and language abuse.
It is a great honour to be called a hacker and everyone should pursue such an honour.
Once upon a time there was an enchanted prince in his wonderful kingdom. Everyone trusted this prince, so nobody said anything when he proposed to enact a law forbidding free speech in order to catch criminals who used it for spreading lies about false stock investment opportunities. Every resident thought that since the prince is so good, even the most fascist law is assured to be used only for good in his hands.
So, the law was enacted, the criminals were caught, and the prince kept his promise and remained a good ruler. He never misused the law. However, after many years, when the populace had come to see the law as a normal part of their lives and thought of it as a necessary instrument for a safe society, the country was invaded by a foreign army.
The prince tried to defend his country and his populace, but the invaders won a decisive battle, sent the prince into exile, and decided to put their warlord in his post. The warlord checked the existing laws and decided that they perfectly suited his purposes. Most of the populace was still fighting the war against the invaders even after the defeat of the prince, so the warlord went to the capital city and announced himself as the new ruler and promised that he would keep all laws intact if the populace would accept him as the new legitimate ruler of the land.
The populace at first was distrustful of the warlord, but slowly it started to think that since the prince was now gone there is no other choice, and since the warlord promises to not change any law then life could continue as normal. They believed that since both the prince and the warlord would follow exactly the same laws, the warlord would be effectively as good as the prince. So, the populace agreed to stop the war and accept the warlord as the new ruler.
The warlord then started applying the law according to its letter and sent all political enemies and the most dangerous fighters into exile. The populace was too slow to take notice, because it was used to seeing the anti-freespeech law as an integral part of civil society under the prince's rule. The warlord quickly turned the kingdom into a slavery society, all thanks to the ready laws which he found when he took over the country. If he had to introduce the anti-freespeech laws himself, the populace wouldn't accept him, but with the laws of the previous legitimate government ready, his coup d'état was able to conquer the land without much of the populace understanding what was going on.
The warlord later died of cancer, and the prince returned to his land and freed the populace. He then promised the populace never to enact any anti-freedom law again, no matter how bad the criminal problem was, because as he said while he was known to use his laws for helping the society, future rulers of the land could use the same laws for harming the populace. He didn't want to give ready tools to future invaders or rulers, so he kept his promise and his kingdom remained free forever.
Supposedly laws exist to protect the victims. Who is the victim if a person has nmap in their PC and uses it for the right purposes? The victim is surely not a server operator, since the nmap user only uses nmap in their internal network. The victim is surely not the state, for the same reason. Who is the victim? There's no victim. Nobody is hurt if a kid carries a USB key with nmap in it and uses it only on computers they own. But if the law makes possession of such software illegal (and there are no safeguards against misuse - note that I haven't read the law), then if that kid gets caught they will have problems, even though they never created any problems to anyone. In cases where there is no victim, I cannot see why law should be involved. Laws prohibiting possession of anything open the road to misuse against unfortunate innocent people who may be doing their job, protecting their own computers, just playing, or merely downloading something for fun just out of curiosity. Not to say that now everyone is threatened by people who for any reason may want to destroy you by copying a "cracker tool" onto your hard disk while you aren't looking and then calling the police.
Sure agreed, this is why it is good that Judges can overturn rubbish laws.
I think the problem is partly caused by the rapid change in technology. There are some really smart older people into tech, but on the whole, those being born now are far more likely to understand technological issues than the older generations who sit in parliament and the higher ranks of the civil service. It takes time for this stuff to work its way through the population. Aeroplane regulation took a lot of iterations before anyone could actually take off in country A and land in country B.
I think it is also a problem when you have politicians who have never worked outside of politics. Those who have worked in industry before they enter politics know about how bad laws affected their business, so are more inclined to tread carefully and are more willing to listen to industry participants.
My little Linux and tech blog
It is obvious that governments around the world are doing more and more stupid things, are becoming more and more authoritative, and are curtailing more and more of our freedoms. The drivers behind the governments are most of the times big corporations, that want to gain and legitimize more and more power. Politicians follow either because of ignorance and stupidity, or because of being directly or indirectly bribed.
:-(
But there is nothing the public can do for that. As long as all votes are between 2-3 parties, and the "hot issues" are just a couple of things chosen by PR firms and "analyzed" in generic and emotional words, we can't react.
The only solution I see is for the people to vote on specific *issues*, instead of parties and persons. But I can't see that happening.
Does anyone have any ideas? Please people, let's do something because it is already getting too late.
34
So if one were to use a screwdriver to break into a computer case then the hardware store that sold (distributed) the screwdriver would be liable? This means that the UK has mandated open hardware!
To freeze your credit, you need to write a letter (by certified mail usually) to each of the three agencies and provide a good deal of personally identifying information. More than your typical identity thief would have. (More info here: http://www.state.nj.us/dobi/division_consumers/finance/creditfreeze.htm )
When you freeze your credit, you get a PIN number. To temporarily unfreeze your credit, you must provide the PIN number via overnight mail or "secure electronic mail" (from the link above, not sure what that is) and then wait 3 days for the lift to take effect.
The 'bad guys' technically could keep tabs on you or phish you to such a degree that they could gain enough knowledge to freeze/unfreeze your credit without your knowing, but most identity thieves don't do that. Most just get a person's name, current address, SSN, and DOB, open a credit line in the victim's name, and max it out as much as possible before disappearing. It's kind of similar to how a firewall/router doesn't guarantee that your computer won't be hacked, but it does add significant security to your system and will prevent something like 90% of hack attempts.
One light - You're afraid of pedos who fly planes?
One odd and a tad more serious - If pedos needed a license to use the tools they need to get their fix (I don't really see that, but just sayin'), then I imagine training and certification courses would see a substantial influx of massively motivated students. I can't figure if that would be good or bad.
Winning Olympic medals doesn't count? Hunting doesn't count? Collecting them as art, records of mechanical achievement, and historical artifacts doesn't count?
Tell that to the tens of thousands of handgun hunters in the U.S.
I don't need a car that goes over 70mph. I don't need more than 300 square feet in which to live. But I like having them and I don't hurt anyone with them. Legally-owned, full-auto weapons, in the U.S., are never used in crime. (OK, there have been, like, 3 instances in the last 50 years. Those are dismissible as statistical anomalies.) They are, however, a whole bunch of fun if you can afford to keep them fed. Google "Knob Creek Machine Gun Shoot", look at a few pictures and vids, read about the event, and then tell me, honestly, doesn't that look like fun? So what's wrong with some loud, harmless fun?
http://www.gnu.org/philosophy/right-to-read.html
Every O/S manufacturer and/or distributor is in violation of a law like this for the development and distribution of "hacking tools".
Everyone provides "tcpdump".
...in a counterstroke of impracticality, hackers have moved to outlaw the UK.
I have a garage full of tools that could be used for burglary... and I do loan one now and then to my neighbors. The possession of tools that are exclusively used for harming or stealing is one thing but leaving it up to the imagination of law enforcement authorities to decide what is dual use is scary. But getting in trouble for distributing or just having tools points does not seem to cover those who know how to MAKE the tools. There is another analogy that I don't see addressed in this UK "guidance": it's illegal to carry an unlicensed or concealed handgun but nobody has any way to monitor or regulate the hands and feet of a highly trained martial arts master. So if I just happen to know how to code, basically from scratch, my own packet sniffers, key loggers, root kits, binary disk file editors, sneaky event handlers buried in image file formats etc etc and I hire myself out to random customers or employers, what can the authorities do?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Were you born gullible or did you have a skepticion performed? Your theory is a great theory (it's the one promulgated by the certifier, so it's suspect for that reason alone) but it doesn't explain why doctors (certified by the government) need to pay malpractice insurance.
Sorry about the gullible remark, but I just HAD to make up the word skepticion.
Don't piss off The Angry Economist
Yes, I do wear body armour. I'm wearing some right now, in fact.
I've got steel-toed boots that I wear at the shop. I also wear earplugs when I'm in there, and safety glasses when I'm looking at the machines or when I'm soldering.
When I bike, I wear armoured gloves and a helmet.
When I go diving, I wear the right gear and I bring a "buddyguard".
You wear the right clothing for the right time. If I was walking around in a war zone, I'd wear body armour and have a lot of armed guards with me. If I was walking around with a gold brick in a bad neighbourhood, moving slowly (they're heavy) and complaining, "this gold is sooooo heavy, ow, I can hardly move," then, yeah, I'd deserve to get beaten up.
In other words, you have to prepare yourself for dangers, get ready ahead of time, and be alert. Take some personal responsibility for yourself.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
By that standard, the thing which displays pictures is a "computer", the big box is the "hard drive" (aka "CPU"), and the blue e icon on the desktop is "the internet". If we let ignorance scramble the meanings of words, then what are we going to use when we want to mean something?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Not terribly sophisticated, at least one intentional error, but then I really don't have any intention of creating a useful hacking tool.