UK Moves to Outlaw 'Hacker Tools'
twitter writes "New guidance rules for the UK's controversial Computer Misuse Act do not allay fears of impracticality, or of the banning of legitimate IT software: 'The government has come through with guidelines that address some, but not all, of these concerns about dual-use tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offense. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.'" Somewhat similar legislation recently became law in Germany.
That list of every IP address I posted a while back.
So if I hack something while running my custom application in debug mode from an IDE like Eclipse or VS.Net, would that not make Eclipse and VS.Net hacker tools that should be stripped from the land?
These laws are just retarded knee jerk reactions made by people who have no idea about what it is they are legislating on.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
...and find solace in Europe, where reasonable government and personal liberty reign supreme! ...wait, what?
"Ask not what your country can do for you." --John F. Kennedy
What is it with politicians??! Keep your nose out of business you don't understand and, uh, maybe secure the government's damn servers (a big problem in the US, at least). Maybe mandate security for banks, etc. The policy could be written by, gasp, someone who knows what they are talking about. Somehow, I don't feel like holding my breath till then...
If you outlaw security tools, then only outlaws will be secure!
Better ban IRC servers (popular for zombies) and Windows boxes in general (also popular for zombies)
“Common sense is not so common.” — Voltaire
Every now and then I get to look at some OTHER country's heavy-handedness.
SJW: Someone who has run out of real oppression, and has to fake it.
Also, "applies only to property you do not own" is wrong; they're talking about distributing the tools.
Pretty much on par for the UK, as far as I can tell. Now, fess up: Who gave the gov't there copies of 1984?
Don't believe for a minute this is about security, it's about control. And those who regulate access to information, control those who consume it. Next steps? Mandatory spyware and BigBrother remote control software. To make it easier to spot the criminals/terrorists/boogeyman du jour, of course.
I mean really, are there any legitimate reasons to use something like nmap?
...and yes, that "ladies" part was a joke too.
Yes, ladies and gents, that was sarcasm.
What doesn't kill you only delays the inevitable
From TFA behind the TFA:
Whilst the law was going through Parliament the Home Office suggested that "likely" would be a 50% test. Anyway, that guidance is now out -- and there's no mention, surprise, surprise, of "50%".
If over 50% of the laws they make are nonsense, can we ban the politicians?
My little Linux and tech blog
This is ridiculous. It reminds me of the "Index Librorum Prohibitorum" (Roman Catholic list of banned books). The Roman Catholics banned books because they believed that they could be used as a tool against their power, and not simply for the purpose of knowledge. That's the same thing the UK is trying to do now - they're trying to ban software because it might be able to be used for naughty purposes. Why don't you ban the C programming language while you're at it UK? I hear those buffer overflows could be dangerous.
Hopefully this mistake won't take 400 years to remedy.
How about if such tools were only legal for licensed/certified IT and Information Security professionals?
Yes, this would mean our having to get certified as at least minimally competent at what we do, much like hairdressers and engineers.
The idea is analogous to how, in New York at least, it's illegal for random people to carry lockpicks.
Well, they may as well outlaw all of software development, because any software tool can be put to malicious purposes.
What they should focus on instead are the actual actions taken by individuals to compromise someone's computer or network, not the tools they use to do it with. For instance, there's already a number of tools on the market and in FOSS that can do DDoS attacks -- but they are normally used to stress-test a web site or some other network application.
The whole "intent" bit is always a slippery slope, ready for Kangaroo Court time. Obviously, these idiot politicians never saw or read "Minority Report", where going after "pre-crime" turned out to cause more problems than it solved.
Yes, the governments of the world are not unlike a bunch of monkeys with dangerous toys -- total unbridled power, without the wisdom nor the precision to use it properly.
Ruby Neural Evolution of Augmenting Topologies
The solution: ban brains.
Outside the sarcasm tags, I wonder how long it will be before some moron tries that.
"osake no hou ga, biiru yori ii" to omotteiru.
What is a 'legitimate' computer program? There are many people who make a living as consultants paid to test how hard it is to break into a company's systems. They might well need to use even the most dastardly and underhanded 'hacking tool' to do their work. Indeed the police and security services also use programs that help them get unauthorized access to computers. What grounds are there for criminalizing any computer program?
-- Ed Avis ed@membled.com
Perhaps the real idea is to restrict access to these tools to licensed practitioners or those with a valid reason to possess them. You cannot buy dynamite over the counter, but people with a blasting ticket can still buy it.
Engineering is the art of compromise.
Great idea!! If we outlaw hacker tools, only outlaws will have hacker tools!
Then we can just arrest everybody who has them, and we'll have our systems broken into by the black hats we missed, while those who would have protected us have their hands tied.
And that's while using the popular meaning of "hacker", rather than the correct one.
Please correct me if I got my facts wrong.
Everyone knows that a pencil when sharpened can be used to maim or injure! I mean you could lose an eye! Paperclips can be used to pick simple locks! They facilitate break-ins! These deadly and criminal tools must be outlawed! Hurry! Arrest the employees of Office Depot and Staples for purveying these items, and enabling the criminal underclass!
I guess we should just arrest everyone that has a bad thought.
With 'bad' being relative to the administration in charge at the time in said country.
Will they be outlawing FTP or HTTP as well?
---- Booth was a patriot ----
Some relevant bits follow.
CMA = Computer Misuse Act
The whole thing seems to be rigged against free software/open source and heavily in favour of security through obscurity. Perhaps we should contact them and ask?
Everything below is copied from the guidance.
Prosecutors should be aware that there is a legitimate industry concerned with the security of computer systems that generates 'articles' (this includes any program or data held in electronic form) to test and/or audit hardware and software. Some articles will therefore have a dual use and prosecutors need to ascertain that the suspect has a criminal intent.
Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
* Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
* Are students, customers and others made aware of the CMA and what is lawful and unlawful?
* Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Section 3A (2) CMA covers the supplying or offering to supply an article "likely" to be used to commit, or assist in the commission of an offence contrary to section 1 or 3 CMA. "Likely" is not defined in CMA but, in construing what is "likely", prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly.
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
* Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
* Is the article widely used for legitimate purposes?
* Is the article available on a wide scale commercial basis and sold through legitimate channels?
* Does it have a substantial installation base?
* What was the context in which the article was used to commit the offence compared with its original intended purpose?
Not to throw too much fuel onto this fire, but the UK has a large precedent with the concept that TOOLS are the problem rather than the USERS. Look at guns. Is the phrase "guns kill people" really that much different than "hacking tools break into computers"? Not in my book. In fact, they are so similar as to be scary. Both assume that intent is not relevant, the person behind the tool is not responsible for his/her actions, and that these tools cause crime to be committed. Come on guys... If we start banning tools that *could* be used to commit a crime you had better come lock me up now. I've got a whole garage full of hammers, screwdrivers and other tools... and I know how to use them! :-)
I think it's about time people got over the semantics of the word 'hacker'. Given that 'crackers' don't call themselves 'crackers' they call themselves 'hackers' and they call what they do 'hacking', the word has *CHANGED ITS MEANING*. This is not uncommon for languages. Really. Just look at words like 'gay' for instance or even 'computer'. Go and find the original definition of that one!
Get over the semantic drift already, we're not all mired in some rose-spectacled view of the technoutopia where you have to have hacked solenoids under a model railway at MIT in order to qualify for the term.
I don't read your sig, why do you read mine?
Please don't use my state as a paragon of freedom. Oh, wait, it's *security* you want? Try moving to some nice secure country where everything is prohibited, including crime.
Certifications don't protect the public. They protect the certified against competition.
Don't piss off The Angry Economist
They can have my ping client when they pry it from my cold, dead hands.
When did my peers and people of my parent's age become such softcore fascists?
When they got scared.
The real truth is that there is no bogeyman, and that there's nothing to fear but fear itself. Even my four-year old knows that. ("[Girl Name], what do we have to be afraid of?" "Being afraid.")
And now, some "crimes" are nearly impossible to prosecute. How can someone in the UK file suit against a "cracker" from Antigua or Afghanistan? They could potentially steal your bank account information and steal your life savings, buy a handgun, rob a bank, and put you on death row. Now, when you assume - note that word - that the backwards savages outside your home country have to have help to break in, then clearly someone with brains - I mean a white guy - er, I mean someone from the homeland - er, someone reachable by our police - must have helped them. That's complete junk, but to some the point is valid. The bad guys must have help, so let's go after the help. Never mind that the "bad guys" get paid more than I do.
And people are scared because they think things are the worst they've ever been. The fact is, the good old days were never here. Terrorists have been around since at least the Romans. We survive. The day of judgment will never come.
But that's not enough. You can't tell people to calm down - you have to show them that you're doing something, anything.
Seriously - people are attempting to legislate abstract concepts that they don't know about. I've seen laws suggesting watermarks in A/D converters. One of the US Senators honestly thinks the Interweb is a series of tubes. He might not even be familiar with the concept of electricity. Imagine Ancient Greeks trying to pass legislation on the use of titanium in groundwater near nuclear power plants. If I give an opinion on civil engineering, I could be fined up to $25,000. If a politician does, he gets rewarded.
Instead of demanding the removal of the clueless, people just revote for the same guy as last time - if they even voted - or "stay the course". When those in charge have literally no consequences for their actions and get paid to pass legislation from special interest groups. Is copyright theft something that ordinary people really care about? Are there people who are thinking, "man, I'd love to go to work today, but I'm afraid that someone, somewhere, is copying a DVD to take the ads out. If only our government would pass some laws to fix that problem." Okay, maybe if the guy works making DVDs, but that's not a normal guy.
When the victims became criminals. Look at identity theft - it could be prevented with 100% accuracy if the credit bureaus updated their computers. All they have to do is add a picture to your report and require an automatic phone call to the last known phone number any time you want a change. That's it. It's now impossible to steal someone's ID. Of course, it's your fault for not buying title insurance, paying Equifax $25 a month for credit checks, and using your "internet thing" for banking.
When people started getting used to the idea of "I have nothing to hide". You do. Everyone does. I have skeletons in my closet, and I want them to stay there.
So what it really boils down to is that people are in general afraid of something, but they don't know what it is. So, they turn their wrath on anything that can possibly hold their ire. Immigrants, Hackers, ID thieves, the Russians, terrorists, etc. As long as the eye isn't on them, then they're fine. Torture the sandnigger or the hacker. They're the ones who made the world such a fucked up place. It's all their fault.
They're really afraid of themselves. How long will it be until the bank comes calling, or the boss cans them, or the spouse will leave with the kids?
It's a scary thought - we're led by clueless, corrupt whores who run the place by tacit consent from people who are too afraid to interrupt their routine.
This isn't exactly what I meant to say, but I think the power here has become unreliable. There's a lot of wind outside.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
I'm wondering if "anti-hacking" laws like this will conflict with data retention laws that are also brutally oppressive, to the point where admins will be required to do things they can't possibly do without tools that are illegal to possess. Sounds like the sort of thing one would expect from China.
That just doesn't seem funny any more... :-(
Seriously, though, we're seeing a lot of this: the notion that any funny stuff, be it computer software, electronic goodies, chemistry, what have you, is a priori for bad purposes. Somehow due process has gotten lost in the shuffle, the user is apparently guilty until proven innocent, and must be dealt with accordingly.
Tragic.
...laura
I live in NY too...
Certifications provide a baseline clue as to whether or not your has proven at some point to meet certain minimum requirements of knowledge and/or skill.
I agree though that certifications don't protect the public; such professionals would have to be bonded for that.
I'm sympathetic to your viewpoint, but I think you are exaggerating somewhat. There are things out there that a reasonable person should fear. There are criminals, there are terrorists. We should be reacting to them. We just need to not overreact.
:-) Good luck!
"One of the US Senators honestly thinks the Interweb is a series of tubes. He might not even be familiar with the concept of electricity."
No, one of our Senators used a clumsy analogy. None of them really think the net is composed of tubes. Yes, they are legislating issues they don't understand... but they aren't retarded. I'm quite sure the majority of congressmen have above average IQs. They may be corrupted or arrogant, ignorant of tech issues, but not stupid.
I'm not really arguing with you, I just think you're passionate and letting some of your rhetoric get a little carried away. Take your own advice: "We survive. The day of judgment will never come."
"This isn't exactly what I meant to say, but I think the power here has become unreliable. There's a lot of wind outside."
I spent a moment trying to figure out what your metaphor meant... is "Wind" our political climate? Then I realized you're literally talking about 'power' and 'wind.'
Indeed. The fix for poor software security is to create requirements for implementation, not punishments for breach. Those breaching don't care about UK or US policy. They are by definition scofflaws. And yes, I am directly stating here that it's not the cracker's fault the bank is easy to get into. It's the bank's fault and they deserve to lose the money. (Does YOUR bank use two-factor authentication, or do they make you think you're safe by asking those personal questions?)
When you build your code by hiring the lowest bidder with the least qualifications, then you should be liable. If a bridge building contractor didn't keep blueprints and didn't hire a qualified crew, then they would be sued or imprisoned. I can't just go and build a stadium or an overpass just because I think there should be one there.
If you do that with software - even software potentially worth billions of dollars - you get more contracts. Of course, it's not like anyone died as a result of bad software... oh, right. Any idiot can grab a book on teaching yourself programming and think they're an expert in 24 hours.
I have the knowledge to visit your reservoir and shut it down. (I'd have to actually visit it in person, but it's not like it's under guard.) That's just damned irresponsible programming on the part of the SCADA guys. Oops, your fecal coliform count is way too high. Passport applications in Canada were compromised by bad coding, and last year the Canadian tax system shut down due to a glitch.
It is damned irresponsible to punish someone for making an nmap program publicly available when the institutions don't put on basic security measures. The cops say it's my fault if I don't lock my car. Why is this any different?
---
I do this all the time.
I have a basic DHCP server that gives out dynamic IP addresses. I also have a couple of machines without monitors which I can connect to via VNC or SSH, such as a G4 Mac which I use for running OS 9 applications which never got ported to the Intel OS X world; on boot it starts the VNC server. I can then use nmap to find out the IP address and log into it graphically from my main Linux computer.
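The workflow in the post above (a headless box on DHCP, located by scanning your own LAN for its VNC or SSH listener) is the inventory use of nmap that the "dual use" guidance is supposed to protect. As an added example, not code from the poster, here is a Python script that parses nmap's grepable (-oG) output offline, lists which hosts expose a given service, and flags any listener the administrator did not expect; the scan text, addresses and the expected-host set are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed sample of nmap grepable (-oG) output for a small LAN. The
# addresses, hostnames and open ports are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated (constructed sample, not a real scan)
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (998)
Host: 192.168.1.40 ()\tStatus: Up
Host: 192.168.1.40 ()\tPorts: 5900/open/tcp//vnc///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# A grepable "Host:" line: address, hostname in parentheses (may be empty),
# then tab-separated columns such as "Status: Up" or "Ports: ...".
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

Port = Tuple[int, str, str]  # (port number, protocol, service name)


@dataclass
class HostInfo:
    name: str
    ports: List[Port] = field(default_factory=list)


def parse_gnmap(text: str) -> Dict[str, HostInfo]:
    """Parse -oG output into {address: HostInfo}, keeping only open ports.

    Closed/filtered entries are dropped: they say nothing about what the
    host is actually offering on the network.
    """
    hosts: Dict[str, HostInfo] = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:  # comment lines and anything we do not recognise
            continue
        addr, name, columns = match.groups()
        info = hosts.setdefault(addr, HostInfo(name=name))
        for column in columns.split("\t"):
            if not column.startswith("Ports:"):
                continue
            for spec in column[len("Ports:"):].split(","):
                # Each spec is "port/state/proto/owner/service/rpc/version/"
                parts = spec.strip().split("/")
                if len(parts) < 5:
                    continue
                number, state, proto, _owner, service = parts[:5]
                if state == "open":
                    info.ports.append((int(number), proto, service))
    return hosts


def hosts_offering(hosts: Dict[str, HostInfo], port: int, proto: str = "tcp") -> List[str]:
    """Addresses with the given port open, sorted for stable output."""
    return sorted(
        addr for addr, info in hosts.items()
        if any(p == port and pr == proto for p, pr, _ in info.ports)
    )


def unexpected_listeners(hosts: Dict[str, HostInfo], port: int,
                         expected: Iterable[str], proto: str = "tcp") -> List[str]:
    """Hosts offering `port` that are not on the administrator's expected list."""
    known = set(expected)
    return [addr for addr in hosts_offering(hosts, port, proto) if addr not in known]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("VNC listeners:", hosts_offering(inventory, 5900))
    # Only the headless G4 is supposed to run VNC; anything else gets flagged.
    print("unexpected VNC:", unexpected_listeners(inventory, 5900, {"192.168.1.23"}))
```

The same scan that locates the one headless machine you meant to reach also turns up the VNC listener you did not know about, which is why a periodic scan of your own network belongs on the defensive side of the "dual use" ledger.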
Replying to this anonymously since my wife doesn't want this story tied to our real name. I was recently a victim of identity theft. I was lucky in that I caught it early and shouldn't suffer any real financial loss (despite the time and energy spent removing a fraudulently opened credit card from my credit history).
During my research, I struck upon a simple way of preventing identity theft. Freeze your credit. This means that no one could open a line of credit even if they did have your name, address, SSN, and date of birth (precisely my information that was somehow stolen). If you want to open a new line of credit or allow someone to check your credit (say, for a background check on a new job or for insurance), you temporarily unfreeze your credit and then the company can perform the action.
Unfortunately, right now, freezing/unfreezing your credit costs money. It varies per state, but here it's $5 per credit agency to freeze the credit and $5 per agency to unfreeze it. There are 3 agencies, so that's $15 for each freeze/unfreeze.
Why the cost? Mainly to deter people from freezing their credit. Why deter people from doing something that could help them? Easy. Frozen credit can't be checked by credit card companies for those "You're Preapproved" credit card letters. People with frozen credit are less likely to open a credit account by the register in a store for the 10% off their purchase. In short, credit agencies and credit card companies make less money off of you if you freeze your credit. This makes credit freezing bad in their not-so-honorable-opinion and they will do what they can to slow down adoption of it as a tool to fight ID theft.
But what of the ID theft fight? Wouldn't the credit card companies benefit from less ID theft? Perhaps, but they aren't seriously hurt by it either. Credit agencies don't care if that new card was really opened up by you. Credit card companies don't get too hurt by fraudulent purchases. Either the person pays the bill without looking or the company charges it back to the store and the store is the one left in the cold. They make more money from non-frozen credit than they lose to ID theft. And they'll fight tooth and nail to protect their profits over the credit security of the American public.
Do you walk around in body armor or with body guards? No? Well, you deserved to be mugged or brutally beaten to death.
Or maybe your logic just isn't.
I'm not sure most people honestly think they have nothing to hide. They've been trained, however, to think that failure to act like one has nothing to hide will reveal what they have to hide.
I think it's likely a result of a culture obsessed with cop fantasy shows in which the cops can do pretty much anything they want to solve the crime, justified by depictions of the people the fantasy cops zero in on as nearly always guilty.
Kythe
Say goodbye to GCC. That should prevent a fair amount of hacking, experimentation, and circumvention.
-- Posted from my parent's basement
Which is actually its original meaning, which is why the word has changed
That's why you get lots of kids at school sniggering when old stories are read: they mention being "happy and gay" using the old meaning of "happy and joyous" rather than being "happy and homosexual".
I have a garage full of tools that could be used for burglary... and I do loan one now and then to my neighbors. The possession of tools that are exclusively used for harming or stealing is one thing, but leaving it up to the imagination of law enforcement authorities to decide what is dual use is scary. But getting in trouble for distributing or just having tools does not seem to cover those who know how to MAKE the tools. There is another analogy that I don't see addressed in this UK "guidance": it's illegal to carry an unlicensed or concealed handgun, but nobody has any way to monitor or regulate the hands and feet of a highly trained martial arts master. So if I just happen to know how to code, basically from scratch, my own packet sniffers, key loggers, root kits, binary disk file editors, sneaky event handlers buried in image file formats, etc. etc., and I hire myself out to random customers or employers, what can the authorities do?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.