This is sad news: it seems the UK is considering following the lead of Germany and its recently implemented hacking law, section 202(c), which makes ‘hacking tools’ illegal.
It’s almost like making baseball bats illegal because you can hit someone with one; it doesn’t matter that they are made for playing sport and that’s what most people use them for.
The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.
The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.
Sounds pretty ominous to me: even distributing such hacking tools can get you in trouble, which is bad news for people like me who believe in sharing information, knowledge and hard-to-find tools.
I agree a revamp of the Computer Misuse Act is needed, but making tools like Nmap illegal to create or distribute is just plain stupid.
Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.
The Crown Prosecution Service guidance, published after a long delay on Monday, also asks prosecutors to consider if an article is “available on a wide scale commercial basis and sold through legitimate channels”. Critics argue this test fails to factor in the widespread use of open source tools or rapid product innovation.
It’s pretty messy. It could help malicious hackers be prosecuted effectively and gives law enforcement a bit more ammunition, but it also means over-zealous lawyers could prosecute security consultants for actions they don’t really understand, which is the scary part for me.
I hope it gets distilled into something useful and fair for both sides.
Source: The Register
James says
How is making hacking tools illegal going to help? I’m a white hat and if this law passes (and if I lived in England; I live in Ireland and I’m sure the twats here will copy the “initiative”) I wouldn
Pantagruel says
I guess the only thing we can hope for is sanity to kick in, if not adequate counselling and a judge/jury who can actually grasp the security concepts. If not, we might end up doing time simply because a software tool can also be used for not so nice things. This rather stupid concept can be applied to lots of real world tools (knife/car/screwdriver) which can, depending on the (ab)user, have multiple results.
It’s even more sick that spreading knowledge (in the form of software distribution) can be deemed punishable, sick.
It just feels damn silly that legislation is being created that limits a programmers creativity or ingenuity simply because the created software has dual usage properties. Guess we’ll shortly be doing a 7x DoD erase of our computers/laptops, I for sure have enough dual usage tools and do not feel compelled to find out if judge/jury might argue their purpose.
Nobody_Holme says
This sounds identical to banning sales of anything that can become an “improvised weapon”, unless it’s through shops and the like… well, I say sale, if the same was true for objects capable of being used in assaults, say I borrow my dad’s woodcutting axe and go cut a tree in my garden down, my dad can get 10 years for passing it over, and there’s no way to defend against it in court, bar that I didn’t intend to use it to carry out an assault… which I’m sure a good lawyer could make sound like a lie.
My opinion of British MPs just went down EVEN further, and I didn’t think that was possible.
Pantagruel says
@Nobody_Holme
Completely true. I’d better get the BBQ back that I gave as a present last summer, God forbid he skewers something else.
Gobsmacked by the fact that they were able to sink even further.
Sir Henry says
There need to be more technical people in higher places who can clearly explain how this would affect things for the UK (or Germany, for that matter). Then again, even with technical people in place, it is that same lot of stodgy bastards who still think the kettle is a modern invention. The same goes here in the US. A fat lot of bloated and ego-maniacal bureaucrats who care not for security, nor the ramifications of making such a law. They only care about the lobbyist who is lining their pockets.
Now, I would like to think that, given the number of companies in the US who provide services that, under this law, would be considered “hacker services”, the US would never attempt to pass a law of this sort. But, given that it appears ISPs are blatantly ignoring the FCC and simply stating that they are going to start filtering traffic, who knows what will happen. I do know that if something like this goes into effect in the US, the response will likely be nefarious and brutal. The latter, of course, will not help but to illustrate why the law should be in place.
/rant
Green Data says
Come on, this is totally insane!!
How can they differentiate between hacking and non-hacking tools? I sometimes use nmap to see what open ports there are on my servers. Am I hacking myself then? What about the McAfee guys, will they put them in jail for selling Foundstone appliances? How about sniffers? Yes, you can use them to steal people’s passwords, but on the other hand they are a major building block in one of the most important security tools, which is IDSs.
Bogwitch says
Quite ironic, since CESG have used virus generation software for demonstration purposes.
Yeah, sure, we all understand dual use, but as the software is distributed as virus generation software, its intended use is obvious. Are CESG likely to end up in court?
goodpeople says
Everybody with at least half of a braincell can figure out that this is insane.
The English will of course say that this law is not intended to hunt down the security professionals, but that it will give them an extra ammo to bring down the bad guys.
I don’t know exactly how bad it is in Germany (anyone here who can comment on that?) but I believe that merely the possession of a Linux CD/DVD makes you punishable. Has this been in court yet?
I hope that the lawmakers of the EU are smarter.
feversmash says
They might as well make computers illegal to make or distribute. They can have a dual purpose; you can use them for good or bad. Cellphones too. Spoons and forks too. This is extremely retarded of them to do. Just how do they plan to enforce this law? Sounds like complete dictatorship. No more freedom of any kind.
goodpeople says
@darknet
How does this affect you? You’re based in the UK..
dirty says
I don’t really think it should affect Darknet.
Darknet says
It won’t really affect me – I don’t live in the UK and haven’t for the past 4 years. This site is not hosted in the UK either, so for me there should be no issues.
Nobody_Holme says
That’s a point… will it affect foreign security professionals who try to enter the country? Could be annoying, methinks. Maybe I’ll go poke my MP… he at least listens to people some of the time.
Alfred says
It’s very silly to make a law that they won’t really be able to apply. Although they may be able to make some “examples”, they won’t truly be able to comb through and find everyone. Look at the RIAA: they can’t truly stop any one person. They have made a couple of “examples” that have made headlines, but that has died down and people are still doing it. What it has made is a revenue stream for companies to say, hey, look at me, we are doing this legally, you only have to pay $xx.xx. Governments kill any creativity. The funny thing is the same tools that are used to “crack” are some of the same tools they use to find the crackers. That’s my rant for the day
>end<
Stu says
It is quite mad, and you are all not alone in thinking so. Cambridge University has been working hard on this (or at least Richard Clayton has) — see here -> http://www.lightbluetouchpaper.org/category/legal/
They have with other academics, freelancers, and professionals, lobbied the home office. The Criminal Prosecution Services guidance, in my view, seems a little “slap-dash”.
I am studying English Law, my third year, I’m 32 and I have worked as an ethical hacker, a consultant and for the past four years have been managing information security. It is scary on the surface, and we are most definitely right to be worried. The UK was classed as the most observed society in the world in a recent report by privacy international. See here.
..and has very limited privacy laws, if any other than those we are arguably lucky enough to receive from Europe e.g.
Dual-use type tools, such as Perl (or lol, any programming language) can be used for innocent, benign, as well as malicious purposes. NMAP, Netcat etc. are dual use tools, but what is the legal test? – read the article and Richard Clayton’s work.
..some things to note: why has open source not been taken into account? Has Bill Gates’ letter to the Homebrew Computer Club in the seventies really screwed things up this much? (tongue in cheek)…
Anyway I waffle on. Interesting times.
mumble says
That’s it! Bad country – no python for you…. no Nmap, no UnicornScan, no Wireshark, TCPDump, libpcap, libnet….
This is possibly the most insane piece of legislation I’ve seen recently. It’s right up there with the anti-circumvention measures in the US-DMCA for sheer jugheadedness. WTF are they thinking?
Nobody_Holme says
Looks like you’ll be okay with anything that’s in general use already… but woe betide you if you custom build your pentest tools… *sigh*
goodpeople says
Germany already passed this law. I had hoped that by now one, or maybe even a few, of the larger IT companies (like IBM, Microsoft, HP, etc.) would have taken this to trial. That would clear up a lot of the smoke.
Same goes for the UK. The minute this law is passed, it should be taken to court.
hpavc says
Seems pretty odd, commercial products seem to have some escape mechanism and then those based on OSS would have oddities as well.
eM3rC says
The best way to fight hackers seems to be to use their tools to see how they get in and find a way to block it. It’s like banning beer and expecting the number of drunks to immediately go down, especially for something that will be almost impossible to stop.
mumble says
I’m not quite sure what you would use as overriding law if you were trying to get this struck down in the UK. In the US, you can make arguments on constitutional grounds, but the UK is a parliamentary system, so I’m not sure that you have any worthwhile legal argument. This is only to say that while it is unquestionably batty, its kookiness may not prevent it from being enforceable.
In the US, there is the “code as speech” argument – where the freedom of expression aspects of writing code can sometimes override other considerations. There are fairly decent arguments here, but it’s far from settled law on either side. (See Bernstein v. United States for details)
Nobody_Holme says
The crowbar comment is a good way of putting it.
crk says
Who cares? The UK police are cr*p. They are useless. Just don’t get caught. They will never catch you. Useless bunch of UK police.
Nobody_Holme says
You think that, then you try to use such a tool while going about your daily business, and there’s a copper investigating something else right behind you. Or the cyber-crime division are in at the same time you got called in to do your thing making people secure, and want to see how you do things. Ka-boom, jail for you.
(oh, and also, crk, police > you. kthx)
Mike says
The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called
durpsquat says
by looking at the application time-stamp? you dumfucked nimwhit….
Darknet says
[sarcasm] Yah OS time-stamps are infallible – they can’t be changed. [/sarcasm]
Nobody_Holme says
*hands Darknet a cookie* nicely put.
goodpeople says
WHAT?!?!?!!?
can timestamps be changed?????
HOW?!?!?! Tell us.. Please! :-)
mumble says
Timestomp:
http://www.forensicswiki.org/wiki/Timestomp
There are Linux/BSD/Unix utilities which do essentially the same thing.
In DOS, I used to use a dumb little program which stored the system time/date, set the date/time to [whatever], munged timestamps, and restored the date/time.
Not, of course, to mention the fact that the filesystem documentation and a hex editor can have interesting effects…. :-) but that’s really oldskool.
Darknet says
There’s even (very simple) Windows tools to do it..it’s not hard. Most rootkits/log wipe programs have timestamp tampering ability too so you can set back .bash_history or the log files to the previous pre-tampered modification dates.
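Mumble’s and Darknet’s remarks above about resetting modification times leave a trace a defender can check for. The following is an added example, not code from the thread: on POSIX systems utime() can set mtime to any value, but ctime is written only by the kernel at the moment of the change, so the script flags a file whose mtime is later than its ctime, and a continuously written file (a shell history, a log) whose ctime is far newer than its mtime. The append_only set, thresholds and the temporary files in demo() are constructed assumptions.

```python
"""Spotting back-dated or future-dated timestamps on POSIX filesystems.

Assumption: st_ctime is the inode change time (Linux/BSD/macOS). On Windows
os.stat() reports the creation time in st_ctime, so these checks do not apply.
"""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    reason: str
    mtime: float
    ctime: float


def check_timestamps(path, *, append_only=False, slack=2.0, gap=3600.0):
    """Return the anomalies found for one file.

    1. mtime later than ctime (beyond `slack` seconds): a normal write sets both
       to the current clock, so this only happens when mtime was set by hand or
       the system clock was moved.
    2. ctime more than `gap` seconds after mtime on an append-only file: the last
       thing that happened to it was a metadata-only change (utime, chmod, chown),
       not the append you would expect on a live history or log file.
    """
    st = os.lstat(path)
    findings = []
    if st.st_mtime > st.st_ctime + slack:
        findings.append(Finding(path, "mtime later than ctime", st.st_mtime, st.st_ctime))
    if append_only and st.st_ctime - st.st_mtime > gap:
        findings.append(Finding(path, "metadata changed long after last write",
                                st.st_mtime, st.st_ctime))
    return findings


def scan(paths, append_only=(), **kwargs):
    """Run check_timestamps over many paths; `append_only` names the live logs."""
    out = []
    for p in paths:
        out.extend(check_timestamps(p, append_only=(p in append_only), **kwargs))
    return out


def demo():
    """Constructed scenario in a temp dir: a history file written now and then
    back-dated a week with utime(), an untouched file, and a future-dated file.
    Returns sorted (basename, reason) pairs so the result is easy to check."""
    with tempfile.TemporaryDirectory() as d:
        hist = os.path.join(d, "bash_history")
        untouched = os.path.join(d, "notes.txt")
        future = os.path.join(d, "future.txt")
        for p in (hist, untouched, future):
            with open(p, "w") as fh:
                fh.write("ls -la\n")
        week_ago = time.time() - 7 * 86400
        os.utime(hist, (week_ago, week_ago))        # what a "set mtime back" tool does
        tomorrow = time.time() + 86400
        os.utime(future, (tomorrow, tomorrow))      # timestamp pushed into the future
        findings = scan([hist, untouched, future], append_only={hist})
        return sorted((os.path.basename(f.path), f.reason) for f in findings)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Running it reports the back-dated history file and the future-dated file, while the untouched file passes; on real systems, treat the second check as a lead to correlate with other evidence, since a legitimate chmod or chown also leaves ctime ahead of mtime.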
goodpeople says
C’mon guys, you don’t actually believe that I didn’t know this.. do you?
Darknet says
Stranger things have happened :P
Nobody_Holme says
I’ve got to say… phrased like that? Mind you, there are people out there who don’t know this kind of stuff, so I guess it’s useful education. *frowns at durpsquat*
eM3rC says
Wow… Talk about hypocritical…
I just got back from vacation and I saw in a future post about the German police trojan.
All I can say is trying to outlaw something like this will be impossible. It is like trying to outlaw alcohol (looks at the passing of the 18th and 21st amendment for the US). Hacking software can be downloaded from anywhere and as a result would be impossible to monitor. It seems the only way one could control this on such a large scale is to destroy every computer in the UK and create terminals which store their information on some government server (which is constantly scanned for hacking software).
Another point I thought of is programming. Even if the government was somehow able to ban all the software, programmers could just write more. And what about the hackers working for the government? No new hackers could be hired due to a lack of experience, resulting in the country being defenseless against hacker attacks from other countries.
zupakomputer says
Just hack into their machines and delete all their files on any prosecuting cases. Take over their networks anyway. This drill is known.
mumble says
@zupakomputer
PAPER – you know the heavy, mostly white dead tree carcasses that legal cases are made out of.
Pantagruel says
@mumble
Yep, you might consider it a waste all those chopped down trees
@zupakomputer
Guess you’ll have to resort to arson as well ;)
zupakomputer says
Paper? That’d be printed off their Word apps (and yes, no doubt it won’t be 100% recycled nor tree-free). I wasn’t meaning by individual case, I was meaning crippling the whole thing.
As everyone here knows anyway – anyone who has any knowledge at all of computer security, ‘hacking tools’ are just modified versions or same versions of security tools. So they’d effectively be outlawing securing a computer or network properly – or do they expect people to use only old programs they downloaded prior to a law being passed, or use only tools people in other countries have written.
That’d be no use, you can’t rely every time on a tool written by someone else – and here I’m thinking in terms of also modifying open source OS code so that you have customised secure OSs – would this also then be illegal, say if you made it sniff out any intruders automatically so you could see who was wanting in. And old programs! – they go out of date fast when it comes to security. Businesses and so on would be staying on 20-year-old OSs because they’re not allowed to secure any new versions.
It’s insane to suggest such a legislation – what they mean to say is, they want it illegal to compromise a network or machine that you don’t own / haven’t permission to be on. Which is…..already illegal anyway. So – they don’t know anything about the topic and they’re trying to remove tools from everyone else so they know as little as possible also.
They would seem to believe that rather than do their job monitoring, they can take various tools away – yet, to monitor that means…..monitoring all network traffic, in the entire country, so tightly that every transaction is logged and checked – in case it was a hack tool being down or uploaded. Do they plan on renting out ECHELON for this? I hear they’re a bit busy chasing messages that might contain terrorist plans.
Do they really have the means to monitor the internet traffic in the UK to that extent – when they can’t monitor it to check for any actual intrusions.
If this does go ahead, I predict a huge increase in interest in encryption tools and digital signatures.
zupakomputer says
Let me tell ye something else besides: I recently checked with the cops and with some government folks about tracking online stalkers – so they knew that serious crime’s been committed, and (important point coming up here) they said that nothing could be done – because it was online. They had no way of checking any logs from any websites, even when given precise exact details of where to look and who to go to about it. Completely powerless, and they didn’t have a clue about the internet at all. They directed me to a website about – cyber-bullying, stuff like kids taking camera phone videos of them bullying other kids then putting it online.
Look – if an allegation is made against someone that they have tried to hack into something, then proof of that of some kind needs to be presented. Otherwise you can go around saying ‘so and so tried to hack into the Pentagon’ and they have to chase every one of these claims up, seize the computers and check them for any data, get court orders to your ISP to read all their logs…..it’s the same as it is now – if you’re caught trying to get in a network and they (whoever runs / owns the network) try to prosecute you, then you’d get into bother.
– as for distribution….well, who are these advisors here, and what do they know about security; about as much as many govt. advisors know on any subject they provide info on (like drugs for example) – and that’s either nothing, or it’s that they are blacker-than-black-hats. They stand to gain – usually financially – by outlawing something or otherwise encouraging stupidity to reign.
eM3rC says
@zupacomputer
Good points. The volume of computer traffic, software and computers in general they would have to monitor would be so immense that it might be considered impossible. Considering there is 1 computer per person for every household in the UK would take either an extremely large work force or a program to run through every computer. Also an operation this big would require a pretty large grace period between a computer being scanned and by doing so would result in free time to hack whatever you like after downloading hacking software from some site based in a country other than the UK.
I would like to also say that police laws are very, very different when comparing places like the US to the UK. I don’t know if anyone was around during the oil embargo, but the government (in Britain at least) decided to ration the oil. Unlike the US, where police must get a warrant to search a person’s property, the British police were able to walk right in and check the thermostat for “excessive use of natural resources”.
I think it would be amazingly difficult, if not impossible, but I wouldn’t be surprised if the government tried.
Pantagruel says
If the bureaucrats think it’s a remotely viable option they will give it a shot. It’s not like they are paying for it from their own pocket (it’s only the taxpayers’ money; in the NL we’ve had some stupid ideas worked out costing sizeable amounts of money).
They will always find a reason for more active interference (martial law-like circumstances) and bend the laws to their liking to generate enough room to perform a search.
All over Europe laws have been or are being passed concerning data retention on communications. So far it’s only data on who contacted whom (phone/fax/internet). As soon as it turns out that this is manageable they will start pushing for retention of the content of the communication itself. Hard disk space is relatively cheap as most geeks know, and officials would very much like to be able to prove the actual malicious nature of a communication.
J. Lion says
I could be wrong, but isn’t making hacking tools illegal kinda like asking policemen to give up their guns and batons?
eM3rC says
@J. Lion
In Japan guns are outlawed for both police officers and citizens and that has been working almost flawlessly. It would be possible, just very very hard to do.
@Pantagruel
I see what you are saying about the politicians not losing anything for experimenting with this idea. They have nothing to lose.
I would also like to take a different perspective on this. Because of the size of traffic the government would be getting if they passed this law, is it possible that they are only doing this because they wish to have a way to prosecute people who are caught hacking? For example, if you take some of the famous mafia leaders during Prohibition in the US, they were not arrested for murder or smuggling, but tax evasion. By allowing the police forces to actually prosecute black hats for their deeds rather than some other minor crime. (I know it is a stretch but let me know how it sounds)
@Darknet
Post more controversial stories like these please! I really love discussing it with the community.
Pantagruel says
Well, the British MPs are really getting up to steam and are about to really put ‘Big Brother’ into place
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article3353387.ece
J. Lion says
@eM3rC
It’s a matter of cultural differences. If everyone is law abiding and has high respect to law and government – we won’t be discussing this issue at all.
J. Lion says
@eM3rC
It’s a matter of cultural differences.
—
Making something illegal does not make it go away. It only makes it harder to find/acquire. With the internet (where almost everything is available – how do you propose that?)
Besides, wasn’t there a motto – you are never guilty if you are never caught
Pantagruel says
@J. Lion
You’re innocent until proven guilty, but I guess they already start gathering evidence just in case they ever need to put you away behind bars for a yet to be determined reason. You might argue that if you’ve got nothing to hide you will have nothing to fear. I argue that if there is nothing worth recording, why record it (waste of money, resources, space, trees, etc..). This type of operation only serves one goal: gather info to be used in the nearby or distant future without a clear motive to do so.
eM3rC says
@Pantagruel
I just saw that article on the BBC and thought it was a really interesting approach to eliminating piracy. Only problem is, what if little 8 year old Timmy decides to download a song illegally and gets his internet cut and now his parents have no way to work on the computers (work). I know you could say the parents should be watching the kids but a lot of adults do not have a clue about illegal downloading.
eM3rC says
@J. Lion
You pretty much said the same thing in two different ways. People are not perfect and will never be perfect. We will always be greedy, violent and self centered.
Just the fact that something is illegal does not make it less wanted. Take illegal drugs for example. The drug lords are filthy rich and the crime rates are still just as high. Plus there’s the factor that many people do the drugs just for the rush of doing something bad.
Anyone wanna take up my perspective in the previous post?
eM3rC says
Sorry, didn’t see Pantagruel’s post for some reason. Good point and I’m glad someone else has a similar view to my own. Only downside is the cost of resources when comparing it to the amount of damage that will be reduced from hackers.
Fun fact
Russia is now the spam capital of the world (as in where the masters of spam are)
zupakomputer says
I’m surprised the ISPs haven’t explained that they can’t feasibly be expected to monitor the download and upload contents of all data traversing their networks……or if they have so explained how impossible that’d be, it’s the usual pseudo-news reporting style that doesn’t bother to properly detail what the real story is.
Even on a tightly secured LAN, it’s only feasible to go as far as the likes of packet sniffers on routers – they can check for suspect frames going by their headers (senders, receivers, etc) and the size of packets, but even in that scenario they can’t actually have a router and/or separate server to check the contents of data packets or download them first, open them up and examine them (and then how do they determine if it is actually an illegal share?!), then forward them on to the actual file requester…..or they can – but these are like Fort Knox places with black-budget billions (from drug money, arms money, and taxes) to spend on dedicated 40GB fibre lines and 20 RAID 0 SCSIs so there’s no massive bottlenecks in their network because they have to download and check everything before sending it on…
Another interesting aside to this – given it’s perfectly do-able to conceal data within other forms of data (like within an image file for example), how do they expect to check for things like that.
nb – comparing this to what Germany is doing overall with their networks isn’t a true comparison, because there it is not likely you’ll get free or unprotected wireless access, plus they are security-conscious in educational establishments and have switched over to Linux. The UK won’t be doing that!
zupakomputer says
So, does anyone know if these idiots have been informed yet that their legislation plans effectively make it illegal to secure any network, or check to see if a network is secure?
Are they going to issue certificates to security people, something like “So-and-so: licensed to pen-test”. Are they intending to fill up the courts with people having to explain why they have several pen drives all set to live boot varying OSs.
Pantagruel says
@Zupakomputer
I hope they were or will be informed, but I guess they will have a hard time getting to grips with the info. They usually are very capable of listening to spin-doctors, but with real world info they tend to be a bit slow/find it rather incomprehensible
eM3rC says
Well, I see Pantagruel and zupakomputer are really posting up a storm. Been working really hard the last couple of days so that’s my excuse for not posting. Anywho, the conversation.
I’m sorry for any repeated points from previous posts but here’s what I believe. Passing legislation would be like the Patriot Act but much more deadly. With a law like this, the government would technically have an excuse to monitor anyone’s internet without a good reason (terrorist vs 8 year old downloading music… hrmmm… Who to watch…). Like zupakomputer said, actually tracking the data would be nearly impossible, as well as classifying illegal content. There have been a lot of problems with groups such as child pornography people hiding their pics within encrypted files so it becomes amazingly hard to track. I also agree with the overflow in the courts with the odd explanations for the multiple OSs. Overall, it seems like allowing police to check any car they wish to make sure the car is working properly.
As one of my government teachers used to say, “the best way to argue a point is to argue both sides”. Here is my argument for a method of doing something like this: taxes. In the US at least, taxes are audited. For those of you who might not know what this means, this is a rough translation. The government will randomly select tax forms and look at all the paperwork to make sure people are not cheating on their taxes. If caught, the person gets huge fines as well as being forced to pay interest on the money they cheated. Relating this to the internet, the government could simply select random computers (yes, I know there would be a lot of variables involved, but bear with me). Another method would be flagging the torrenting/warez sites and when a computer visits those sites a certain number of times the government has enough reason to pay a little visit to the computer.
Feel free to argue both points although I bet it will be the outrageousness of this proposition (which I personally support).
zupakomputer says
Don’t argue both sides! That’s a ploy ‘They’ use cause they can’t think up their own ideas – so they encourage well-meaning folks to do it for them.
I can see the value in honing in on the actual providers of the shared files (that said – piracy used to mean making money off other people’s work, whereas now it’s given away for free..) but any kind of random searches are an awful breach of privacy. Why should anyone be expected to be monitored or checked out based purely on a lottery.
fever says
impossible to enforce.
grav says
The definition of a hacking tool is at best, blurred.
Can the UK take away your screwdriver?
It can be used for hardware hacking : )
or it can be used to make a fence.
Would that mean that the MSDOS would be banned as well?
Hacking can be done with just about any tool.
razta says
Theres a great podcast on this topic over at http://www.sploitcast.com/
Navin says
@ grav
Isn’t that the point?? Aren’t all these so-called hacking tools made for pen-testing rather than to fkcu up corporate servers?? It’s kinda stupid to launch such programmes/initiatives….instead the government should work more on catching crooks and punishing them more severely in order to send out a proper message to malicious hackers…..
But in the end what can we do?? You’d better start hiding your screwdrivers!!