UK Looks To Make Denial Of Service Attacks Illegal — But Does It Go Too Far?
from the about-time dept
Last year, we noted that denial of service attacks apparently were not illegal in the UK, based on current law. While some have tried to convince the courts that such attacks really were illegal, most seemed to realize that the current computer crimes law was inadequate to cover more modern-day threats. Along come politicians to the rescue, with a new bill designed to make all sorts of new computer crimes illegal. However, as with other times that politicians try to deal with new computer ills, it seems like the new law could go a bit too far. Among the provisions is that it would be illegal to “make or supply hacking tools” which seems a bit broad, as this would appear to include all sorts of legitimate tools that security researchers use to bypass security systems or crack passwords. It’s great that updates are being made to the existing law, but politicians should be careful that they don’t go too far in the other direction, outlawing plenty of perfectly reasonable activities.
Comments on “UK Looks To Make Denial Of Service Attacks Illegal — But Does It Go Too Far?”
No Subject Given
A bit scary for any penetration testers in the UK..
is disassembling also hacking?
“hacking” – what exactly do they mean by “hacking”? Does that also mean disassembling tools? Such as a tool that might be used to modify a program away from it’s original design… for example, as how most people customize their current operating system’s display using a 3rd-party utility to manipulate the OS code to make it look unlike how it was ever intended to look…
hmmmm – hacking could also mean that you are disassembling something as simple as a genetic code so you could manipulate it into something better… only if it was a computer though.
Why do the get invovled with things, they know next to nothing about? They never really listen to any advisors they bring on board.
No more laws, please
The issue with this is that over time, technologists find solutions to the emerging problems rather more quickly than the law can keep up. Moreover, parliamentary draftsmen find it hard enough to handle the complexity of company law or land law, never mind the inner working of networks, processors and protocols.
This is an area best left alone by the politicians. By the time they get a law through, the world has moved on enough to render it obselete. At best it gives us laws that are irrelevant. At worst, we end up having to jump through legal hoops to do legitimate stuff, whilst the bad guys are playing in whole new areas.
Police and Justice Bill.
35 Making, supplying or obtaining articles for use in computer misuse offences
After section 3 of the 1990 Act insert–
“3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article–
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) In this section “article” includes any program or data held in electronic form.
Look closely at 1a (above) as this seems to affect legitimate security work, e.g. testing that a Website is secure against people using “hacker tools”, by simulating an attack.
Re - Giafly
No, that isn’t what it says. You have to read all of the words in section 1a: “… course of or in connection with an offence”
A legitimate pen test isn’t the same as committing an offense.
Re: Re - Giafly
It is in the eyes of the law, if you sent a DoS attack on a network which is not on the internet eg internal before it is hooked up to the outside world, it is still illegal. Soon enough configuring linux will be illegal let along registary editing!
Re: Re - Giafly
You get in trouble via incomplete quoting… Your half-quote means exactly what you say it does, but the first half of the sentence, “knowing that it is designed or adapted for use” clearly states that committing the offence is not a requirement. Making, adapting, supplying or offering to supply a tool that the law deems “designed or adapted” for breaking the law would mean that the makers of Ethereal (or your sniffer of choice) is headed for jail, because hackers most definitely have adapted network sniffers for illegal use.
Re: Re: Re - Giafly
You are correct, I should have used another means of highlighting the important portion.
However, I’ll still say that the item requires comission of a crime.
I am married to someone with legal training, but IANAL myself.
Re: Re: Re: Re - Giafly
Yes, it would require the commission of a crime, but this protects no-one from the consequences of such a crime being committed. I use nmap routinely to check the internal and external security of my servers. Fyodor (the creator of nmap) would be as aware as anyone that every penetration testing tool can be used for testing, or as a live tool for use in reconnaissance for malicious purposes.
Therefore, as this bill appears to be worded, Fyodor is ‘guilty’ of knowing that some people will use his tool for ill and some for good.
New Labour insanity, like every half-baked piece of so-called legislation they introduce for the sake of a headline…
List of hacking tools
Heres a short list of some hacking tools:
Calculator w/Hexidecimal conversion button
Books about Hacking
Email clients with macro support
Pretty much anything could be used as a hacking tool. Lets ban the Earth.
No Subject Given
Taking a ‘real-world’ analogy … shouldn’t it then be illegal to manufacture things like gun-powder, arsenic, nitro-glicerine, knowing that these are tools which can be used to commit murder or terrorism?
Another question … should telnet be outlawed because it can be used as a hacker tool?
It would be like making baseball bats illegal because they can be used to assault people.
I live in England at the moment, glad to be leaving soon, hoping that this way of thinking doesn’t catch on in other parts of the world, especially the one that I am moving to… crazy world
We produced a program called SpyMon…
We are aware that people could use our tool for purposes that it was not intended for, stopping them would be impossible.
We have had no choice but to withdraw our product. Our product is aimed at making sure your children are safe on the internet by allowing you to monitor their activites. But in the wrong hands…
We cannot afford the possibility of a legal battle against the state, with the possiblilty of directors being imprisoned if we lose.
But the new law poses interesting questions as to what depth does the new law extend. For example if I wrote a tool to say, crack a password. Are the operating system routines (50% of the tool) also illegal? All a keylogger is a program that sends data from a keyboard hook to another location. 90% is OS software calls. Are Microsofts hooking calls now illegal?