EU Ministers Seek To Ban Creation of Hacking Tools
alphadogg writes "Justice Ministers across Europe want to make the creation of 'hacking tools' a criminal offense, but critics have hit back at the plans, saying that they are unworkable. Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include 'the production and making available of tools for committing offenses.' This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions 'malicious software designed to create botnets or unrightfully obtained computer passwords,' but goes no further in attempting to clarify what 'tools' might be subject to criminal sanctions."
They mean text editors (as opposed to word processors), compilers, interpreters, etc. Pretty much anything with a command line.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
When will we get some politicians who have backgrounds in what they're actually working in? Zzzz
They'd never abuse this law by using it against people using legitimate software for legitimate purposes.
Oh, wait...
What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
An axe?
Not a professional security researcher (as narrowly defined by law?) You're not allowed to possess or create tools that help find security vulnerabilities. That means you, Joe Blow who writes webapps -- you can't run attacks against your own server because the tools are illegal, and you can't build your own tools either. I guess you'll have to release that software untested in certain ways, then hope the black hats decide to follow the same laws as you.
They obviously don't understand even the elementals of coding. Now if they really want to get these guys there are better ways of doing it. But trying to stop Axe murderers by taking them away from all Firemen is just retarded.
End of Line.
How does one define "hacking tools?" Debuggers are pretty useful for hackers, as are things like netcat/socat, any of dozens of programming languages, and just about anything that lets you work at a low level. This does not even get into the legitimate uses of pen testing tools.
Oh, wait, let me guess: people will have to register with the government to use any of the above?
Palm trees and 8
i mean, clearly, emacs is a threat to national security.
You can't just ban software. There is absolutely no practical way to stop people from sharing code, and there fucking shouldn't be. If you ban these tools, the only people seriously affected will be the white hats.
So would evolution be ok then?
(Since most coding of such programs is more of an evolutionary thing than created in 6 days and then stays the same for over 6015 years)
How would this help? It would only make the illegal actions more illegal while preventing good security audits, thereby making security problems worse!
They mean "hacking tools" like tor and pgp/gpg, right? Of course, first they'll come for metasploit, then nmap, then... but we all know what the end game is.
Compilers, Dictionaries, Debuggers, Keyboards, Computers, Internet, ... and whatever revision system the kernel hackers use.
-Woof woof woof!
Put that compiler down and step back. Slowly!
Have gnu, will travel.
No more axes! Not only do they hack at trees, they could be used to break into a co-lo.
More Caffeine. NOW
"Let's ensure that only those willing to break the law will have access to these tools."
You mean Canada invading the US? I'm all for it; it's been a minute since we had a war on American soil.
Screwdrivers, pliers, wrenches (can take servers apart and remove disk drives)
Drills, saws, punches (can cut holes in locked server cabinets to remove individual machines)
Water jet equipment (such as those from Flow Industries; can cut holes in data center walls to get into server rooms)
Jack hammers; air hammers; diamond rock cuttings saws (can be used to cut holes in the walls of data center buildings)
Bulldozers; front end loaders; heavy trucks with snowplows attached (can be used to tear off the corner of a data center building and expose sensitive servers)
Trucks, trailers, trains, boats, barges, airplanes, blimps, bicycles, backpacks (can be used to carry stolen servers from broken in data centers)
Your human body and mind (can be used to initiate hacks)
God (who invented all of us and gave us the ability to hack)
Most Respectfully Yours Mark Allyn Bellingham, Washington
It still amazes me how people seek legislative solutions to what are purely technical problems. Hey politicians: you're doing it wrong. If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.
Higher Logics: where programming meets science.
Can't find the people who are smart enough to download and use My First Password Cracker, but I'm sure you'll totally catch the people who were smart enough to create it.
Why do these bureaucrats waste people's time? Instead of focusing on things that really do damage, like pollution or financial fraud with an example of an agency that sabotaged investigations, they waste time on non-issues.
Hacking can [sometimes] be good for the society at large.
For example, I would like to delete all information from one social networking site but I cannot. Hacking would be my only 'rescue'. And that's bad?
Yes!
Let's make sure professionals can't test their own security, and only people in foreign countries can attack our infrastructure!
This is such a good idea, I wonder how nobody has thought of it multiple times every year for the past 15 years!
Blessed are the pessimists, for they have made backups.
"but [the draft] goes no further in attempting to clarify what 'tools' might be subject to criminal sanctions". Why would it? By leaving it open ended, they're free to enforce the ban whenever they feel it's fitting for them; picking and choosing any "offending" software when they feel it's warranted.
It's common knowledge that people and companies only do the minimum effort they can get away with so I expect systems to become weaker over time if this is enforced.
So please bring it on.
Criminals will not be affected by this law at all, they are already breaking other laws, they aren't going to care about breaking one more. Meanwhile, people who follow procedure and legitimately need to do penetration testing on their own systems and services will be handcuffed. The result of this will be criminals' tools will only get better, and "hacking" tools, used for legitimate purposes, will be left in the stone age as developers have to jump through hoops just to get any security tests done.
Here is the real solution: Spend the time, money, and effort to make your shit secure, and hold people accountable who store sensitive information in a careless way. Almost anything could be considered a hacking tool, good luck enforcing that.
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
and it doesn't stop their use, why would banning their possession stop them? I fail to grasp how anyone can come to the conclusion that someone intent on criminal activities would mend their ways simply because another facet of their operation is made illegal. Guns aren't the problem, network security tools aren't the problem. People are the problem. If you want to solve the problem you're going to have to ban them.
Two of my imaginary friends reproduced once
If the Apple iOS/app store model is any indication of things to come, pretty soon PC's will be as locked down as consoles and cellphones. You won't have to worry about running any unauthorized code because the good folks at Apple, Dell, etc. will force you to get all your software through their app store.
SJW: Someone who has run out of real oppression, and has to fake it.
judge deeds. it's utterly stupid and unproductive to focus on the tools instead of focusing on the deeds.
.Play.Open.Minded.
I wonder how long before they decide my keyboard is a weapon too.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Microsoft Word contains a macro language so I guess it'll be banned too.
Coder's Stone: The programming language quick ref for iPad
Now we know why Google is removing the bar from Chrome!
Sorry if this has been thought of already...
"If hacking tools are made illegal, only criminals will have hacking tools."
Today is a good day to bribe a high-ranking public official.
This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
Just so we can time how long it takes for the entire IT Industry in the EU to collapse so completely scientists will be studying it for singularity effects.
I'll meet you at the intersection of "Should be" and "Reality"
"Read My Lips: No New AXES"
Seriously. Banning the creation of 'hacking tools' will only stop the 'cybercriminals' who obey the law.
Any insufficiently advanced magic is indistinguishable from technology.
These tools that people use for hacking can also be used by security professionals to test the security of the network. I assume that most security companies do use them, and so these governments pushing this through the EU will have to put all of their security contractors in jail. Hackers will have a field day then, and WikiLeaks will have more information than it knows what to do with!
So if you successfully pull this one off, then what's next?
Companies not allowed to manufacture... weapons because they can be used maliciously... vehicles because they can be used maliciously...
Retarded idea.
... EU Ministers ban the production of wire clothes hangers, screwdrivers, and hammers to stop car stereo thefts.
I8-D
The concept of banning "hacking tools" is just silly. What would these people consider a hacking tool? SSH terminals since they allow people to connect to compromised systems or to connect to machines with "hacker tools"? Or what about IRC servers since many bot networks have used them or offer the ability to let people talk about hacking?
Even some of the biggest "hacker tools" are used for real network and server analysis like winshark and the like.
This is simply the wrong approach to fix a problem. This is in fact the worst way to approach the problem. The real solution is to charge software companies for making insecure software. Don't fine the hackers for finding the exploits, fine the developers for not finding them. The software developers are the ones making money off the software, if they cause people to lose data or have their systems compromised they should be the ones that should be held responsible, not the person who found it.
Instead of trying to remove the ability to make "hacker tools" why not remove the ability or need of these tools by making more secure software. I guess that would be too easy though.
TruePunk | Games
Why should the public be allowed to have software/web development tools? Where are the tax revenues in that? Where are the profits for big business? Writing your own software and designing your own website are like theft!
Quidnam Latine loqui modo coepi?
Ah yes, the EU. Bringing freedom to the people of Europe.
These people are complete morons. Anyone with Firefox and a couple HTML dev addons can perform the exact same hacks that have been going on against Sony, Software Companies, and FBI contractors. Who the fuck lets people with no understanding of the issue legislate it?
The onus of the hack rests SOLELY on the person managing the network, and not at all on the people who stumbled upon a URL that lets them see passwords and usernames. The problem part of 'hacking' is that you assume unauthorized access to a computer system. All of the information gained thus far has been gained through publicly-visible pages which requires no unauthorized access. By making a publicly-visible page (often indexed by Google) containing your sensitive information, it is YOU who should be going to jail for improper security measures.
Trying to make out like the hackers are evil geniuses is bullshit. I taught my 14 year old little sister how to modify a URL for directory traversal or SQL injection. It's simple shit that the developers should have taken care of, but were too lazy or understaffed/underpaid to complete. You should be thanking these people for pointing out your security shortcomings instead of knee-jerking all of the potentially useful development and anti-hacker tools out of existence.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
We have a law like that in Canada, only it has a provision that if you have a legal reason to create or use those tools you are fine.
So it must be proven that the tools are being created or used for criminal purposes in order to be prosecuted.
Another angle to this story is that it's yet another attempt by government at pre-crime.
The cops should stick to arresting people for the actual crimes they commit when hacking, like: unauthorized intrusion, damage to service, theft of data, etc. They don't need to ban tools that can be used for good or for bad. That's silly. Stay away from banning things further up the pipeline and focus on the actual crime itself. That gives the highest degree of freedom to the people, while giving government the narrowest and least necessary power.
This is akin to banning guns, for example, instead of sticking to the laws already on the books against assault or murder. Stick to the action that harms another party, and not whatever inanimate objects are involved.
"There were ways, of course, to get around the SPA and Central Licensing. They were themselves illegal. Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.
Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.
Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises."
http://www.gnu.org/philosophy/right-to-read.html
i mean, that's where it all originates from in the first place! what about command prompts? most hacking wouldn't possibly be possible without those. but then again.. neither would my job... ...
besides, most of these tools double as IT and development aids (e.g. wireshark). further, what a few people use for malicious attacks other people use to understand where the loopholes are and close them. all this would accomplish is fewer people being educated about security and those who already know to operate with less obstacles...
yay for politicians who can probably barely use email making app dev laws!!
In physical security, you should always assume everyone has a lockpick. Likewise, in internet security you should assume everyone has metasploit, nmap, wireshark, etc. Building systems that are secure from cracking is not hard (protecting against a DDoS attack effectively is much more difficult). If you hire the cheapest external developers and contractors you can find to build your financial services website, don't be surprised if it's easily hacked. Good engineers should have no difficulty analyzing systems to find holes like this. If they understand the protocols and software they are working with, and avoid adding layer upon layer of "security software" that ends up obfuscating real holes while blocking non-existent problems (why would virus scanning text input be useful? Is your software really stupid enough to execute it?) then they'll have no problem writing secure software.
The problem from a business perspective, I think, is that an executive can't simply buy a product to secure their software. They instead must hire good engineers (potentially at a higher salary). In fact, there's a plethora of tools on the market for executives to buy which haven't been tested for security, and which can't be verified by internal developers but which are sold as speeding up development. Plus, of course security testing (like all testing) will always get shaved down to the minimum so that you can meet arbitrary release dates set by those who couldn't manage a Hello World program but think they understand development.
The right to protest the State is more sacred than the State.
Seems too convenient that LulzSec is attacking so many big name and government websites all of a sudden. Seems more likely that it's a little covert government intervention to make sure some new laws against hacking get passed by Europe, Canada, Japan and the USA. I don't put it past them. I have foil at home, but really, I didn't make a hat out of it....
Dumbass legislators: "Let's make possession of $THING a crime to prevent $BEHAVIOR!"
Sorry, it doesn't work, and it fscks over law abiding people for any values of $THING and $BEHAVIOR that I'm aware of.
Now nmap, tcpdump, telnet and the like will all be banned! :|
Oh, they said hacking tools. Great, no more C(++), java, assembly etc.
Well, i'll go back to lego now.
As a network engineer and someone who uses BackTrack at least once a week for penetration testing, it is obvious to me that the people who come up with these laws have no idea about anything related to the field of network and server security. Why are these morons making the decisions?
"I hope you know how very lucky you are to know me, because I am so incredibly incredible."
That's maybe what they have in mind, unfortunately that's not what they have in the law proposal.
That's the problem here, politicians try to make a law concerning something they don't even have the foggiest clue about. They imagine some CSI-esque "click here for big kaboom" Flashgame interface, but the law they propose would hit a lot of tools used to actually secure networks. The problem here is that the same tools that tell me whether I'm secure (from nmap to wireshark) are also the tools used to compromise that security. Making the tool illegal and not the use is a slippery slope at best.
"If you outlaw X, only criminals will have X" has rarely been more apt than this time. Because if I'm out to break a much more serious law, why'd I bother to worry about illegal possession of the tool? If I planned to rob a bank, would I care about illegal possession of firearms? If I wanted to hack the European Central Bank, would I worry about the slap on the wrist I'd get if I was found in the possession of nmap? If I want to secure my network, I certainly WILL worry about that slap, because my job as CISO hangs on my police record being spotless.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Thieves use them to smash shop windows.
http://www.acetonestudio.com
Because banning handguns worked so well, as we all know.
Which one it would be?
Will I be a criminal for using nmap or wireshark? Those are clearly hacking tools...oh wait... now they're weapons!
I just find this situation ridiculous
Regards
"European Ministers Are Morons".
Software developers are now illegal?
Hope is the currency of fools
When their ban includes every existing programming language and these guys can't play their Farmville...
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
From TFA:
'The draft mentions "malicious software designed to create botnets or unrightfully obtained computer passwords," but goes no further in attempting to clarify what "tools" might be subject to criminal sanctions.'
So, it seems like this bill is only focused on computer proggies running on a laptop, not hardhacks. In other words, the Bus Pirate, Chumby, Arduino, etc. crowds are all safe. Oh yeah...and I'm sure no one has ever written hardware executable code on any of these devices that could interfere with computer operation.
Man do I love it that governments are about 20 years behind the times when it comes to tech.
1) Ask legislator what would keep their opponent from using the law in an unjust way.
2) ???
3) Profit?
"I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
...is now a felony. Whereas before it was just a misdemeanor.
I thought that the most important tools in this was always a brain, so if 'creation of hacking tools' is going to be made illegal, will it immediately extend to the real 'creation' of hacking tools and make fucking without protection illegal as well?
You can't handle the truth.
Yes if it is handled badly it will be a farce. Anyone can make something with Notepad, let alone any sort of programming language environment.
However I do recall back in my university days seeing things like VML (Virus Mutation Labs or something like that), which were basically just programs that would create viruses based on what the user wished to do. Anyone with a mediocre knowledge could use it. This sort of thing is where script kiddies come from. Which is exactly the thing that commercial grade security and antivirus can defeat pretty easily (Norton and the rest).
Most other "hacker" tools such as "sniffers", and other network inspection tools have legitimate uses also and should not be targeted. To be honest, I don't think anything they do will be of much deterrence to an actual hacker, as their knowledge is actually their weapon, not some tool or suite. Realistically many of the hackers probably work within a related field such as security or networking and as such would have ample tools and knowledge to do as they please.
This would likely help reduce the nuisance script kiddies, but really they are not the problem that is trying to be addressed, so then why even bother.
then you may consider tools!
a tool is a tool is a tool
somebody not knowing this is a fool
with a tool you can create and destroy in contrast to a weapon!
So dear minister, concentrate on weapons!
So would this make sendmail illegal?
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Didn't Germany once ban wireshark? I think they quickly reversed that.
Does that mean Web Browsers will be banned? In a lot of cases that's the only "tool" needed now. I suggest actually training these "leaders" to some level of technical proficiency.
Here comes the worst decision possible.....can you make hack stuff using visual studio? Of course you can. Guess what, you now have made the use and selling of visual studio illegal.....they are such dolts it's not funny! I hate politicians that have no knowledge of technology! They should have specialists following them around explaining these things to them....we would have less wasted time at our cost (tax payers) over stupid things like this.
Why on Earth would they want to shut down those silly enough to publish such tools? These are wonderful education tools for those working the industry, fighting to keep hacker punks at bay. This would be like during the cold war if the Soviets published all of their weapons technologies, or the US for that matter. It would be giving the opposition a golden chance on a silver platter to gain quite the advantage.
Surely the intel people are going to advise these ministers STFU.
Take the Red Pill.