Updates to the ageing Computer Misuse Act (CMA) finally come into force in England and Wales on Wednesday (1 October). Modifications to the CMA - which was enacted in 1990 before the advent of the interweb - were included in the Police and Justice Act 2006. These changes were then themselves amended by the Serious Crime Act 2007 …
Could someone remind me, it's two wrongs that make a right, isn't it??
If the use of nmap were made compulsory among network professionals, the instances of security breaches might be reduced?
Certainly one of the most useful pieces of security software around, hell, it's even useful for non-security stuff as well........
Since a brief search reveals that the tort of trespass has its origins in an ancient form of action of English common law from the 13th century, I'm quite surprised to find that the US has earlier legislation on which to base their version.
My surcoat please.
actually gotten around to properly defining unauthorised access yet? As it is, it's so vague that I could probably fall foul of that at work by clicking on the wrong desktop icon.
make it illegal to distribute hacking tools....
as most tools hackers use have a legitimate background, and a lot of the tools used to combat hackers are the tools hackers use themselves.... who says what's not illegal and what is...
The government needs to actually get educated in the way IT actually works, and not just take the word of some small group of contractors employed by the government to advise on all that is IT. These contractors' first job is to protect their own contracts and they tend to tell the government what they want to hear...
The Sin of Omission ..... when All are Born Equal and Unique
Do Regulations Comply or Impinge with Independent Joint Movements in CyberSpace ..... http://www.cyberconf.org/~cynbe/cyberdecl.html.
I don't Suppose they have even been Considered and Factored In. :-)
Re: have they
"actually gotten around to properly defining unauthorised access yet?"
What is wrong with the existing definition?
The existing definition consists of two parts:
- the access is unauthorised, that is, the owner has not given permission
- you know the access is unauthorised
The knowledge of what access is unauthorised is a combination of explicit notices and commonly accepted attitudes. If necessary it is a jury that decides.
In a similar way, I don't have a notice on my car listing the people who are allowed to drive it. But, just because the door is unlocked and the key in the ignition it doesn't give you permission to drive it away. This is a commonly accepted attitude. It doesn't need a definition in the law.
re. doubly illegal
Is that the same as 'double plus ungood'? If so, you need to remove some words from your vocabulary.
Bad Peter bad! Bad Trixie Bad!
"(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, OR TO ENABLE SUCH ACCESS TO BE SECURED."
i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal.
Section 3 is changed to add the 'enable' thing too. To remove the requirement of physical damage and to change the definition of 'act' to enable Peter to be locked up if Paul did the act.
Section 3A makes it a crime to make cracking tools, network sniffers etc. To sell or distribute tools that can be used to misuse a computer. Or even *DATA*, i.e. information is covered here, it's better to only discuss security holes outside of the UK.
As before 'unauthorized' doesn't exclude ownership, so you can own the computer and still the access can be unauthorized.
Further down there's a real mega wozzers:
"(8)If the impression conveyed by a pseudo-photograph is ..... and so shall a pseudo-photograph where the predominant impression conveyed is that the person shown is a child notwithstanding that some of the physical characteristics shown are those of an adult."
So pictures of flat-chested women dressed up in school uniforms will now get you prison time and a sex offenders registry entry. Another 'Jacqui Smith really hates men' thing.
article 3A (4)
(4) In this section "article" includes any program or data held in electronic form.
So you can code on paper and post it to someone. Reminds me of PGP. Power up the racks of printers and start buying stamps.
s36: Unauthorised acts with intent to impair operation of computer
Up to 10 years in prison if I borrow your keyboard without asking...
Equally, it could apply to failing to read a manual, so, some users may well be going away for a long time.
My compliments to the draftsman.
There must be...
..some valid justification to give less time in Jail to a convicted rapist than to someone who throws a few angry packages about.....
"1 (1) A person is guilty of an offence if
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, [Text added 2007-10-01 (Scotland) by Police and Justice Act 2006 s.35(2).] [Not yet in force elsewhere in the UK.] [This addition to be cancelled by Serious Crime Act 2006 s.61(2).] or to enable any such access to be secured ;"
Does this mean Vista's illegal in Scotland until it's amended out??
RE Bad Peter bad! Bad Trixie Bad!
"i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal."
Peter's modification to enable Paul's access would need to constitute an authorised modification in its own right. Otherwise, the loophole in the original Act remains that, if Peter, without authority, creates a privileged account on a system (for example), and then passes the details to Paul to carry out the exploit, Peter could not be charged under the Act.
In any case, s61, Serious Crime Act 2007, repeals s35(2) of the Police and Justice Act 2006, so this provision does not come into force.
"Section 3A makes it a crime to make cracking tools, network sniffers etc. "
No, it does not. The drafting is not perfect, but, it is a criminal offence to create a tool "intending it to be used to commit, or assist in the commission of, a [computer misuse act] offence." If you write a packet sniffer for testing your network, the burden of proof would be on the prosecution to prove that you intended to use it to commit an offence. It has the element of "intention" - a mental state - and is not absolute.
It's not perfect by a long shot, but, it's not as bad as you point out, at least to my mind.
The drafting of s37(3), sadly, is entirely incomprehensible to me.
Computers get rights
stuff the human operators, it is all about the computers now.
The law is crazy, and no doubt there will be workarounds.
But really it means no one will distribute pen testing software to the UK.
And a lot of authors will add a clause saying this software cannot be distributed to the UK, so that copy of nmap you have in your bottom drawer may very well be illegal if not under this act, but under copyright and licence agreement. Be interesting to see how that all plays out.
So say you are a computer security company, you get a telephone call to check out a security problem, you wade on in, fire up nmap to check for any weaknesses, at that point you probably have committed some sort of crime (civil or perhaps criminal), when that comes up in court the defence may use that to say the evidence obtained was obtained in an unlawful manner.
That's the real problem, this law actually makes forensics much harder to achieve, oh well.
so.... everyone who writes code...
and does not fix every possible vulnerability to that code is breaking the law...
to go on further.... every time a new hole is found in windows and it has been exploited, microsoft is going to end up in court?
I thought not !!!
mine's the one with all the patches...
Re: Bad Peter bad! Bad Trixie Bad!
"he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable such access to be secured"
It's not as clear as it could be. I assume it means "he causes a computer to perform any function with intent (i) to secure access, or (ii) (with intent) to enable such access to be secured". Thus, whether you're actually performing the function, or merely enabling it to be performed, it's the _intent_ that matters. Otherwise, indeed, most programmers would be guilty (not just for vulnerabilities; any program that accesses data can be used with intent to access data without permission)!