EU Ministers Seek To Ban Creation of Hacking Tools
alphadogg writes "Justice Ministers across Europe want to make the creation of 'hacking tools' a criminal offense, but critics have hit back at the plans, saying that they are unworkable. Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include 'the production and making available of tools for committing offenses.' This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions 'malicious software designed to create botnets or unrightfully obtained computer passwords,' but goes no further in attempting to clarify what 'tools' might be subject to criminal sanctions."
They'd never abuse this law by using it against people using legitimate software for legitimate purposes.
Not a professional security researcher (as narrowly defined by law?) You're not allowed to possess or create tools that help find security vulnerabilities. That means you, Joe Blow who writes webapps -- you can't run attacks against your own server because the tools are illegal, and you can't build your own tools either. I guess you'll have to release that software untested in certain ways, then hope the black hats decide to follow the same laws as you.
They obviously don't understand even the elementals of coding. Now if they really want to get these guys there are better ways of doing it. But trying to stop Axe murderers by taking them away from all Firemen is just retarded.
End of Line.
You can't just ban software. There is absolutely no practical way to stop people from sharing code, and there fucking shouldn't be. If you ban these tools, the only people seriously affected will be the white hats.
They mean "hacking tools" like tor and pgp/gpg, right? Of course, first they'll come for metasploit, then nmap, then... but we all know what the end game is.
Put that compiler down and step back. Slowly!
Have gnu, will travel.
Penetration testing is a necessary application hardening process that depends on access to the SAME TYPE OF TOOLS that black hats use to break an application. Think of it like viral inoculation: You need some of the enemy code in order to build an effective defense.
"Let's ensure that only those willing to break the law will have access to these tools."
It still amazes me how people seek legislative solutions to what are purely technical problems. Hey politicians: you're doing it wrong. If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.
Higher Logics: where programming meets science.
Can't find the people who are smart enough to download and use My First Password Cracker, but I'm sure you'll totally catch the people who were smart enough to create it.
Why do these bureaucrats waste people's time? Instead of focussing on things that really do damage, like pollution or financial fraud with an example of an agency that sabotaged investigations, they waste time on non-issues.
Hacking can [sometimes] be good for the society at large.
For example, I would like to delete all information from one social networking site but I cannot. Hacking would be my only 'rescue'. And that's bad?
I think we should have a stupid idea court for bureaucrats and politicians, and when they are found guilty, they are immediately taken out back and shot.
The world's burning. Moped Jesus spotted on I50. Details at 11.
And thus you have discovered what Skynet decided about humanity and started the extermination of the human race...
DRM will be our downfall....
Do not look at laser with remaining good eye.
Judge deeds. It's utterly stupid and unproductive to focus on the tools instead of focusing on the deeds.
.Play.Open.Minded.
like requiring all programmers to register with a government authority
Better yet, we can set up the Operating Systems so they can only run programs that have been downloaded from special App Stores! Hey! What an idea!
If you've got a steel-backed IBM Model M, it already is.
That's maybe what they have in mind, unfortunately that's not what they have in the law proposal.
That's the problem here, politicians try to make a law concerning something they don't even have the foggiest clue about. They imagine some CSI-esque "click here for big kaboom" Flashgame interface, but the law they propose would hit a lot of tools used to actually secure networks. The problem here is that the same tools that tell me whether I'm secure (from nmap to wireshark) are also the tools used to compromise that security. Making the tool illegal and not the use is a slippery slope at best.
"If you outlaw X, only criminals will have X" has rarely been more apt than this time. Because if I'm out to break a much more serious law, why'd I bother to worry about illegal possession of the tool? If I planned to rob a bank, would I care about illegal possession of firearms? If I wanted to hack the European Central Bank, would I worry about the slap on the wrist I'd get if I was found in the possession of nmap? If I want to secure my network, I certainly WILL worry about that slap, because my job as CISO hangs on my police record being spotless.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's a pretty weak law if it can be wholly bypassed by a statement from the software developer saying that it's a security tool and not a hacking tool, though. In reality what this boils down to is yet another law they can use to lock you up if they really want to but otherwise have no good cause. "We assume you're up to no good, we can't find any evidence but... erm... look! you have some software that could be used for naughty stuff. Take him away!"
or make bullet proof vests illegal
Nullius in verba
As Richard Stallman put it in The Right to Read:
There were ways, of course, to get around the SPA and Central Licensing. They were themselves illegal. Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.
Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.
Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.
Yes, it's a piece of dystopian writing, but what makes that so scary is how plausible it all is.
I am officially gone from
They'll ban butterflies too.
Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.
Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.
Fuck Stallman and his depressing tendency to be right when he's cynical.
http://www.gnu.org/philosophy/right-to-read.html