A law criminalising denial of service attacks and the supply of hacking tools has been brought into force in England and Wales after a number of delays. The law was already in force in Scotland. Denial of service (DoS) attacks involve the simultaneous sending of millions of messages or page requests to an organisation's servers …
How stupid are the UK government...
Why don't they render web browsers illegal? After all, they can be used to conduct hacking attacks.
This is the death of the security professional in the UK, because they have made it illegal to distribute the tools security professionals use TO DO their jobs. Sysadmins will no longer be able to implement decent security measures on their infrastructure because it's illegal to obtain a port scanner to test your systems.
eEye will no longer be able to distribute their vulnerability checkers because the tool could be used by a hacker.
These idiots are beyond moronic.
...Mailstorm.exe, I assume that's covered under this ruling?
I use Mailstorm quite a bit to do long running load tests over messaging systems, bulk tests, flood tests, etc etc.
What about Outlook Macros that send messages multiple times?
How many messages constitute a DoS...I know some old Exchange boxes that fall over after just 1 or 2 messages.
Paris....she seems as confused as the rest of us.
I looked at the URL and thought "about bloody time" but it turns out it's DoS, not DOS...
>any article which is likely to be used
Are they mad? That covers just about anything.
Telnet clients are "likely" to be used in DoS attacks, at least as a forerunner.
Perl and C are pretty likely to get used as well.
I'm tempted to write a DoS attack using VB in Excel just to get orifice declared a criminal tool.
This definitely covers C compilers:-
"A person is guilty of an offence if he supplies or offers to supply any article believing that it is
likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3."
In fact a C compiler is pretty much guaranteed to be appropriated for criminal activities at some point.
WTF is going on in Section 5 as well? -
"(5) A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; "
So a resident of Scotland committing the same crime as a resident of England is subject to half the sentence?
wget --mirror is now illegal!
elReg DDoS effect?
Does this mean the next time a URL gets posted to a small site the boys in blue will be busting down the doors as we perform our usual DDoS attack of wanting to see what is there?
This law is nonsense. I understand the need for a law against DoS attacks but why does it need to include the software?
A gun is a weapon designated for killing people and can even kill its owner just accidentally, and therefore requires a license. A hammer is a tool of brute force and can be used as a deadly weapon, but it does not mean one needs a hammer license! The same goes for knives and other deadly objects.
So why is it necessary to declare the software as illegal? It is not as life-threatening as a gun or a knife, but anyone who would require hacking tools for test purposes would need to get a license first. A small bug can turn a harmless piece of software into a hacking tool and programmers could be facing lawsuits because of it, while on the other side (of the attack) there are bugs that enable DoS attacks and do not count as illegal. Not to mention the boards where people report about security bugs - an endless supply of information for finding holes in software.
If any piece of software can be declared as illegal because it makes DoS attacks possible then the victims' software has to be declared as illegal, too, because it also makes DoS attacks possible.
Um, excuse me?
I went and read the text of these new amendments to 'the Law' (if indeed it can still be called that). It seems to me that this means that a variety of the things I do in the course of my employment as a sysadmin are now going to be illegal.
So, if I decide that the system desperately needs an IPL (it's almost a reboot, for you Windoze users), and can't seek authorisation before doing so, I'm temporarily stopping access to the system and could be liable for 10 years imprisonment. Or if a user makes a data request, and they've not got authorisation, then I might be liable for 10 years imprisonment!
If I write a piece of software with no purpose but to break into XYZ's system, then I might be liable for 2 years imprisonment. This government are lacking in sense, ask an IT person what the implications are before you change IT laws, PLEASE!
My computer science homework can get me a 2 year sentence? That's quite spiffy.
Paris, because even she knows when she is getting screwed.
So are white-hat hackers now criminals?
The only difference between white and black-hat hackers is ethics and application, which this law doesn't seem to distinguish from when it comes to hacking tools.
I look forward to
The authors of this page : http://www.foundstone.com/us/resources-free-tools.asp being extradited to Britain to face charges related to 'hacking'.
Russians and the Chinese are really going to give a flying hoot aren't they.
ping -f anyone?
So just about every Unix machine made since the dawn of TCP/IP networking probably contravenes this law.
Windows obviously had the forethought to kneecap this dangerous denial of service tool many years ago.
Goodbye Bill Gates, you're going down for 10 years!
If it is now an offence to "make..any article..likely to be used etc.", presumably it is also an offence to "make...any article...that is *actually* used" to commit a hacking or DoS offence. Which makes the manufacturer of the computer (or the processors or software used in the computer) used by the hacker liable to 10 years in chokey as well.
Why can't Parliament employ some competent legal draughtsmen who draft laws which don't make everyone a criminal, and are thus unenforceable except when Big Sister and her minions in the Met decide they want to jail some irritating punter.
'Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any [program] which is "likely ... to assist in the commission of, [a hacking or unauthorised modification or DoS] offence'
Umm? There goes everything from ping to nmap ... they're 'likely to assist', right?
...'an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence"'
DoS code, network scanner, DNS service, Whois, assembler, ftp client, telnet client, compiler, email client, email relay, web proxy, netcat, ping, vi, notepad, gedit, rm, chmod and other commands, telephone, mobile telephone, wifi card, laptop, desktop, broadband connection, dozens of books, fingers, eyes, brain, coffee, pizza etc.
Everyone with a computer has at least one tool/item/article that is necessary for DoS or hacking; technically this law has just criminalised everyone with a computer.
"The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence". It is also an offence to supply an article "believing that it is likely" to be used to commit such an offence."
They really don't know how to write this stuff, do they? And what it means is, if they don't like you, they can stuff you under one of their 'laws' which is so wide and vague that any copy of Windows/Linux/computer etc. can put you inside. Yes, it's ridiculous. Both ways.
Shot in the foot.
I'm looking forward to hearing how interviews in 5 years + go for security experts for the gov't
MI5 IT security manager of 30 years - "So, how developed is your previous experience within network security fields..?"
Post Grad - "I can use Active Directory"
Manager - "..anything further? I mean, have you had no practice in becoming a security expert??"
PG - "No Sir, you arrested my fellow students 5 years ago for trying to learn about that stuff.."
...that's probably not the sort of wording they'd use...oh well....Doors Officially Open, well done the Law, now you can employ even more underqualified idiots to look after your country! Here, take my tax and give it to them!
You couldn't make it up
The govt creates endless databases and then passes a law that removes pen testing tools from the sysadmins' toolboxes.
Where's the "utter genius" icon when you need one?
"There is now a new offence of doing anything without authorisation with intent to impair, or with recklessness as to impairing, the operation of a computer."
Can we apply this law against hidden DRM malware?
And their wording covers more
The wording does seem to cover another angle as well. Since de-DRMed music/video/games/whatever is unlawful access to information, being in the possession of cracks/keymakers/DRM-defang-software is illegal as well.
So journalists are now not allowed
to use the tools of their trade?
Well I can see why, it is a travesty the gushing bilge that often spews from the dark tools of their hacking trade.
Ban the typewriter, pencil, paper and the word processor, the world would be a safer place.
I knew those hacks of journalist would someday be legislated against and that day has finally come.
Well not quite the death of security
It is a good thing really.
A lot of the security consultants out there cannot code for toffee, they are script kiddie security consultants. Now the law should stop those in their tracks as they are cut off from their script supply, it will be interesting to see what the authors of NMAP and Nessus do to the licence.
So, say we drop 80% of the security consultants, I think that is a fair number, the other 20% will just use their own tools they don't distribute, and assume supply demand is parallel the cost will increase 5 times for a security consultant.
Now, the bad boyz, they have a 80 20 split as well say, a good number in the 20% will jump ship and for sake of argument say the numbers are the same, so security consultants grow by 10% to 30%, so wage will be around about 3.5 times more.
And to not have the idiots in the industry would be brilliant. If you cannot code in Assembly, C, Perl, Python, Erlang, Haskell, understand socket coding, concurrency, state machines, and have in depth knowledge of unix systems coupled with insurance and incident response knowledge, get out of the house, and take your cheap MS suit and your crappy little Dell laptop with you, don't let your hopefully now illegal copy of nmap or nessus hit your arse as you leave.
Another plus, is the big security companies will find it hard as well, no one is going to want to write pen tools for them, as the liability now extends to the creator, and if one of those morons uses the program illicitly it falls back on the creator, especially if the program was given willingly.
As to actually stopping cracking directly, you have to be kidding me, they won't bother about this law, they are already doing something illegal, they will just make an illegal copy of whatever, the author will claim they are not distributing to them and in many cases they won't be.
This law attacks the script kiddie security consultants not the script kiddie crackers, so still one virtue we should all be happy about.
more proof that you should never help your fellow man. Just don't do it, it's not worth it.
Where were you lot...
When they banned most firearms in the UK? Those are just tools as well, right?
My point is that banning the tools themselves, whether firearms or security-related software misses the boat completely - making a tool suddenly illegal isn't going to stop a snot-nose who thinks he can get away with it. The *misuse* of that tool is what should be illegal - not the tool itself, or the use thereof.
AC about security consultants: epic FAIL
It is illegal to *make* the tools as well as to distribute them. 100% of the security guys (moronic or not) will be breaking the law. And, as stated above, arguably 100% of computer-owning people could be prosecuted, too. And the coffee/pizza companies will have to pretend they don't know their products are likely to be used during a DoS attack.
Way to go UK! Reminds me of the French law against piracy, which if enforced would get anyone running any non-MS software prosecuted.
That's Vista screwed then.
"There is now a new offence of doing anything without authorisation with intent to impair, or with recklessness as to impairing, the operation of a computer."
With tossers like these, what do you expect?
When senior "IT Security" experts in industry tell you that you cannot access a networked PC without logging onto it, and that nobody can write data to someone else's hard disk without permission, and have never heard of Windoze' "Map Network Drive" tool, and can't tell the difference between User data/files and OS files, and these are the so-called "experts" that NuLabour rely on when drafting crappy regulations like this, you get what they pay for.
@Paul Donnelly; surely an IPL is a reboot? After all, you are stopping and restarting the OS so where does that differ from a Windoze reboot?
Another country after Germany going this way... what a sad day for the computer field... I guess now your data will be more vulnerable to the bad guys, as we know they will never stop. I predict in the future we will be running software only after it's authorised by governments; more control is where we are going and this will not stop as long as we have those huge governments... maybe it's time for a change?
Re: That's Vista screwed then.
In the UK, Microsoft is no longer allowed to impair Vista, even if they think it's an "illegal" copy. Hopefully someone will have the ability to take MS to court when their fully bought and paid for system is impaired after a hard-drive addition or RAM upgrade ...
awesome so ping is now illegal and whoops its part of windows guess that means MS is the biggest uber hax0rs of em all, hang on what about all thos free software types theres this telnet thing built into linux with that evil haxors can telnet in and attack me! it r a hacking toool call the SS
@Pierre Epic Failure On Understanding English Law
Oh Pierre, it is not illegal to make the tools, it is just that if distributed and used for illicit purposes the author is liable.
See, what happens is no one wants to author and then distribute the tools, as they are taking liability in law. The idea is the virus and root kit authors would be held liable for the use of their software, though that precedent had already been set many years ago.
You can author as much as you like, if you don't distribute then you are not liable if someone uses your software for illicit purposes, in fact you could probably sue under copyright, but if it can be proven you willingly distributed then you are liable for the other person's actions. If it can be shown you took enough precaution in not allowing your software to be distributed then you are not liable.
If you author and you use your own tools to break the law, then I suppose you could be held liable twice, once for the direct infringement and once for the authoring of a tool used to commit a crime.
And you can still DoS a machine you have authority over, that is not illegal, it is doing it to a machine you don't have authority over that is. So, each organisation will need clear guidelines of computer use, and they always get it wrong as well, so it just cuts into their profits or they don't bother.
There are some caveats, but they are only requests for consideration, they don't remove liability they will just get interpreted on a case by case basis, so you will be taking a risk developing software intended for pen testing and then subsequently DISTRIBUTING for others to use.
Fine details in the wording of the law...
"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3."
Does this mean that if I DON'T believe that it will be used to commit an offence then it's not illegal ?
As long as I remain ignorant of what people actually use a hacking tool for then I'm in the clear. And, of course, if I use the tool for legitimate reasons then I have a good defense because I would believe that other people would do the same.
My belief of how it would be used would have to depend on who was downloading the tool and since I don't know who is downloading the tool I can't form any opinion about them.
Report yourselves to the police...
If every one of us just went to the local cop shop w. our PCs and Windows only (any version) and insisted that they book us based on this law, wouldn't that bring this into proper perspective and force them to change it?
AC FAIL at English law
You say "Oh Pierre, it is not illegal to make the tools, it is just that if distributed and used for illicit purposes the author is liable." but I read in the article "The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which..."
You apparently don't need to distribute it, m'dear. Be careful with these pen testing tools of yours.
There are 3 clauses that have been added that deal with supply and guilt:
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
Intent, belief and view, really: they are more designed to let off the accidental bug writer than they are to protect penetration tool distribution.
If you are creating a pen tool, then you know full well that it could be used to commit an offence under section 1 or 3 of the computer misuse act. I don't think they will find it particularly hard proving that point to most people.
You can make pen tools though as long as you ensure they don't get used to commit an offence under section 1 or 3, you can try and distribute if you like but you will have a hard time proving you believed they could not be used, if they subsequently are.
You're not being prevented from making or supplying, but you are being made liable if they get misused; therefore people will stop distributing these tools, as the entire distribution chain is made liable.
So, the only logical way to get a pen test done on your system legitimately, note that is an authorised use of a computer system, is to hire people who have made their own tools.
Now, that is not something the law demands, it is a side effect of the risk in distributing tools, as soon as you distribute you lose control of the use of the tool, so the chance it could be used to commit an offence under section 1 or 3 increases to what are unacceptable levels to most developers and suppliers.
Sections 1 & 3 :
1. Unauthorised access to computer material.
3. Unauthorised modification of computer material.
As it stands people can use pen tools if they have authorisation to use the tool on a system.
But, the authors of these tools are now wondering what to do, if their tool is used to commit an offence they are now held liable, so it is likely but yet again not enforced that a lot of tools will be withdrawn because they now represent a potential risk too great.
Now, if you are working in a security consultancy as a developer, you probably don't want to hand out any of your tools, and if you do you probably want caveats to the nines written into the licence, I don't know, an armed guard on the person as they use the tool.
You certainly don't want to lose ownership as the law covers the maker (not the owner who will probably be made a co maker not sole maker), so you ain't going to want to be employed making this stuff under a conventional employment contract, as you are maker but not owner so lose control of the distribution.
And, say you are an open source distribution, anyone involved in the chain of distribution of a particular pen tool that is used to commit an offence is now liable, that goes from the author to the distro dev, to the mirror, to build server admin, but stops short of the user, unless the user is the misuser, or the user decides to turn into a distributor.
The point is users have not really been directly affected by this law, it starts with the authors who will be looking to reduce liability by stopping the distribution chain at source. And any part of the distribution chain is liable, so any distributor will be considering risk reduction in the removal of these tools. At some point the users will not have access to the tools, or if they do they will probably be breaking the law, not this law though, copyright, and licensing.
But, computer systems will still need to be pen tested, now instead of some joker with a copy of nessus wandering into a business, to test the defences, companies will have to look for people with the tools and who are willing to pen test using their own tools.
So, the eyes at the moment are on the developers of pen testing tools to see what they are going to do about controlling the distribution. My guess is most won't want to take the risk. And they're wise not to.
If there are no tools for the jokers, then the real security developers can command a much higher fee, and have a higher degree of autonomy, if they cut supply. They can then do the pen testing themselves and charge accordingly.
As you say,
"(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3."
Methinks it's really easy to shoehorn custom-made pen tools into this. Meaning that just writing your own tools (even if you don't distribute, use, or even compile them) could put you in trouble depending on how good the adverse lawyer is at convincing the court of your intentions.
This brings down your whole "woohoo for the real hackers" stuff.