<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Hacking tools are legal for a little longer</title>
	<atom:link href="http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/</link>
	<description>Security Research, Computer Laboratory, University of Cambridge</description>
	<pubDate>Mon, 12 May 2008 02:25:34 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Clive Robinson</title>
		<link>http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22409</link>
		<dc:creator>Clive Robinson</dc:creator>
		<pubDate>Fri, 22 Jun 2007 09:43:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22409</guid>
		<description>@Richard,

"the intent is to avoid overreaction by the security community (cancelling training courses etc)"

'IF' the US response to 9/11 is anything to go by two side effects of this legislation will be,

1, Pressure will be applied from the relevant authorities to have "registered" training schemes, with all the attendant increase in costs and disclosure of attendees' details etc (with of course big fat fees).

2, A register or trade association will be proposed to make the teaching or practicing security effectively a "closed shop" in order to keep the "appropriate standards" (again with big fat fees)

Oh and plain simple investigation of security by your ordinary everyday "old school hacker" types will be severely curtailed by the fear of prosecution (similar to that over the DMCA etc).

Which will give large software companies the excuse not to fix security faults because they will be able to keep the bad news quiet...

All in all I predict that the result of these new laws will be less security overall, oh and as we have seen with previous ICT legislation in the U.K. a few silly court cases where legal types with insufficient technical ability will make fairly arbitrary decisions based on mainly unfathomable argument that would not survive a blog posting let alone serious competent review...</description>
		<content:encoded><![CDATA[<p>@Richard,</p>
<p>&#8220;the intent is to avoid overreaction by the security community (cancelling training courses etc)&#8221;</p>
<p>&#8216;IF&#8217; the US response to 9/11 is anything to go by two side effects of this legislation will be,</p>
<p>1, Pressure will be applied from the relevant authorities to have &#8220;registered&#8221; training schemes, with all the attendant increase in costs and disclosure of attendees&#8217; details etc (with of course big fat fees).</p>
<p>2, A register or trade association will be proposed to make the teaching or practicing security effectively a &#8220;closed shop&#8221; in order to keep the &#8220;appropriate standards&#8221; (again with big fat fees)</p>
<p>Oh and plain simple investigation of security by your ordinary everyday &#8220;old school hacker&#8221; types will be severely curtailed by the fear of prosecution (similar to that over the DMCA etc).</p>
<p>Which will give large software companies the excuse not to fix security faults because they will be able to keep the bad news quiet&#8230;</p>
<p>All in all I predict that the result of these new laws will be less security overall, oh and as we have seen with previous ICT legislation in the U.K. a few silly court cases where legal types with insufficient technical ability will make fairly arbitrary decisions based on mainly unfathomable argument that would not survive a blog posting let alone serious competent review&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eric John</title>
		<link>http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22391</link>
		<dc:creator>Eric John</dc:creator>
		<pubDate>Wed, 20 Jun 2007 16:07:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22391</guid>
		<description>As very rightly mentioned the brunt of legality involved in the use of security (!) tools will mostly be suffered by ethical hackers/penetration testers/tiger team members/legitimate security auditors. Also the concepts relating to the intentions of the actor are very vague in both CMA90 and PJA06, and so are the aspects relating to white/gray/black hat hacking.

Even though the amendments to the CMA90, particularly the new Police and Justice Act 2006, deal with DDoS, I'm not quite sure how it is supposed to deal with the application of law and jurisdiction with reference to botnets spread across the world.

Another interesting thing to note is that even though the Fraud Act 2006 has clauses to deal with crimes like Phishing, no one has been prosecuted or convicted, for reasons mostly attributed to well-known technical difficulties of properly gathering sufficient forensic evidence.</description>
		<content:encoded><![CDATA[<p>As very rightly mentioned the brunt of legality involved in the use of security (!) tools will mostly be suffered by ethical hackers/penetration testers/tiger team members/legitimate security auditors. Also the concepts relating to the intentions of the actor are very vague in both CMA90 and PJA06, and so are the aspects relating to white/gray/black hat hacking.</p>
<p>Even though the amendments to the CMA90, particularly the new Police and Justice Act 2006, deal with DDoS, I&#8217;m not quite sure how it is supposed to deal with the application of law and jurisdiction with reference to botnets spread across the world.</p>
<p>Another interesting thing to note is that even though the Fraud Act 2006 has clauses to deal with crimes like Phishing, no one has been prosecuted or convicted, for reasons mostly attributed to well-known technical difficulties of properly gathering sufficient forensic evidence.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Richard Clayton</title>
		<link>http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22384</link>
		<dc:creator>Richard Clayton</dc:creator>
		<pubDate>Tue, 19 Jun 2007 22:52:43 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22384</guid>
		<description>If you wrote a blog post about how to use nmap to commit a CMA offence with the explicit intent that the post should be copied and used by people for that criminal purpose, then you could indeed be prosecuted...  though it might look a little thin if that's all that you've done.

There have been similar cases relating to people who published books on how to grow cannabis

&lt;a href="http://www.thepulse.co.uk/lcc.scotland/news0396.htm#18th" rel="nofollow"&gt;http://www.thepulse.co.uk/lcc.scotland/news0396.htm#18th&lt;/a&gt;

IAstillNAL!  but it's probably worth also noting that it is expected that the Director of Public Prosecutions will issue some public guidance on the circumstances in which prosecutions should proceed -- the intent is to avoid overreaction by the security community (cancelling training courses etc) -- that advice is expected in "the summer", i.e. well before the new offences come into force.</description>
		<content:encoded><![CDATA[<p>If you wrote a blog post about how to use nmap to commit a CMA offence with the explicit intent that the post should be copied and used by people for that criminal purpose, then you could indeed be prosecuted&#8230;  though it might look a little thin if that&#8217;s all that you&#8217;ve done.</p>
<p>There have been similar cases relating to people who published books on how to grow cannabis</p>
<p><a href="http://www.thepulse.co.uk/lcc.scotland/news0396.htm#18th" rel="nofollow">http://www.thepulse.co.uk/lcc.scotland/news0396.htm#18th</a></p>
<p>IAstillNAL!  but it&#8217;s probably worth also noting that it is expected that the Director of Public Prosecutions will issue some public guidance on the circumstances in which prosecutions should proceed &#8212; the intent is to avoid overreaction by the security community (cancelling training courses etc) &#8212; that advice is expected in &#8220;the summer&#8221;, i.e. well before the new offences come into force.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Niall</title>
		<link>http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22382</link>
		<dc:creator>Niall</dc:creator>
		<pubDate>Tue, 19 Jun 2007 20:59:43 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/2007/06/19/hacking-tools-are-legal-for-a-little-longer/#comment-22382</guid>
		<description>Does this mean that doing something as simple as writing a blog post about using nmap or wireshark could get someone in deep water?</description>
		<content:encoded><![CDATA[<p>Does this mean that doing something as simple as writing a blog post about using nmap or wireshark could get someone in deep water?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
