The Register® — Biting the hand that feeds IT

UK gov sets rules for hacker tool ban

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called "hacking tools". The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum …

This topic is closed for new posts.

Career Politicians

The problem is there are more and more career politicians on all sides of the political equation (well the centre-right as we have in the UK), who have never worked outside politics for long. Is it really surprising that all parties just want to have sound bites for the populist press?

@Mark - so what about Black Wednesday then if you believe the Tories never did anything wrong in the economy? Whether you like it or not the economy consists of peaks and troughs. Both Maggie and Tony enjoyed massive peaks while their successors were left with the trough.

@Keith T

"As for the comment that there is really nothing wrong with breaking into and exploring other people's networks provided there is no malicious intent: The failure to recognize this attitude as a criminal attitude is another part of what needs to change."

The "attitude" of which you speak is inquisitiveness. Every human's psychological makeup includes a very large portion of inquisitiveness. It's what allows us to progress as a species. You think that inquisitiveness should be outlawed? The failure to recognise that everything you think you know is almost definitely wrong is what really needs to change.

What about all the tools that come with operating systems

which can be abused ?

traceroute

ping

netstat

sendmail

nslookup, dig etc

tcpdump

Will we see Microsoft and Unix outfits in the dock ?

What about a C Compiler or Perl, think of the trouble you could cause ? Prosecute the guilty ! Name them, shame them !

Where does it end?

A few of the comments have already pointed out that hammers are used to break into houses (cars, vans, etc...) or may be used to bludgeon a person to death. Likewise, screwdrivers, chisels, planes and even spirit levels can cause significant damage if used inappropriately.

If I was walking home from B&Q with a new hammer and the police happened to stop me, I would expect them to at least ask me why I was walking through a residential area with a hammer but I wouldn't expect to be arrested for it. However if I was walking home with my laptop strung over my shoulder I would be rightly annoyed if I was stopped and questioned by the police.

As it happens, my laptop runs Linux and understandably so has an arsenal of security tools installed. They are essential to the course I am undertaking at University, which incidentally is Computing Forensics and Network Security. Under this new proposal, I guess it would then become fair game for me to be arrested for simply walking down the street carrying my laptop. After all, who is to say that my laptop isn't running in with the wireless enabled in monitor mode effecting a type of `war-driving'?...

On my systems, I must have half a dozen different versions of each `security' tool available for Linux, to say nothing of the number of Live disks I own, half of which are designed solely for the purpose of computing forensics and carry tools which are not always shipped with standard Linux distros. On top of this, I do a great deal of programming so have development libraries such as Crypt++ and pcap as well as languages such as PERL and Python installed on my system(s). Theoretically libraries and languages such as these can be used to write `hacking' software. Does this mean that I can be arrested for `intent to develop software for the purpose of carrying out malicious attacks against remote systems'?

There is a very fine line between what is classed as legal and illegal use of any tool no matter what trade you are in. As I walk home with my hammer, my intent is to get home and use it to drive nails in to wood for a new partitioning wall. However the police may perceive my intent as being that of breaking into that brand spanking new Mercedes Benz parked 300 yards up the road.

The keyword here is perception. The government sees network security tools as being a threat to the security of systems whether their own, commercial or personal. Crackers see security tools as a means to breaking into systems which they have no right to access, the average user doesn't even understand (or care) what these tools really are so will probably vote with the government regardless of which party proposed the bill and as for the rest of us, well I guess that makes us outlaws then.

The question is, with this bill in place, does that mean the government is going to imprison its own IT department? Or shut down MI5? Because I bet they use these tools every single day!

Re: Techies take things far too seriously sometimes....

Well, yes. The first law will be that we will nuke any country that harbours a hacker !!

Oops, wait !! I've just been attacked by a hacker from the US of A .....

To further the hammer analogy....

My friend worked a temp-job at a car airbag factory in Warwickshire, her job was to check every 5th one of some part to check for bad welds - by hitting it with a hammer.

So a hammer really can be a security auditing tool!

Re: hmm.. most people on the reg cannot read it seems... including the reg themselves

@martin

"if one reads the 1990 act amendment, you'll notice that it states that the offence only applies IF the accused *knowingly* adapts or supplies the application for use in a criminal offence... i.e. it's not what the software can do for you, but what you are guilty of using it for, with intent..."

Reading Section 37 of The Police And Justice Act 2006

http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en_7#pt5-pb2-l1g37

The word "knowingly" doesn't appear.

The problem we face is with the new section 3A(2).

"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence"

So I write a new improved vulnerability scanner. Can I circulate it around bugtraq for peer review? While I know it will be used responsibly by many people I also know that it will be used by some Bad Guys(TM) to find systems they can hack into.

The problem faced by the open source and free tool community is how to avoid "believing that it is likely to be used to commit an offence". If we create a tool and circulate it openly it *will* be picked up by someone and used to do bad things.

In the CPS guidance we see: "what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly". This seems to imply that posting a tool openly risks a charge under Section 3A.

Tell the PM's office

It's taken a fortnight but the petition against these provisions to the Computer Misuse Act has been approved and can be signed here:

http://petitions.pm.gov.uk/pentest/

To sign the petition you need to be a British citizen or an expatriate, in an overseas territory, a Crown dependency or in the British Armed Forces.
