back to article Maryland: Make malware possession a crime! Yes, yes, researchers get a free pass

A US state that was struck by a ransomware attack last year is now proposing a local law that would ban possession of malicious software. Local news website the Baltimore Fishbowl reported that Maryland's Senate heard arguments on Senate Bill SB0030, a proposition that would "label the possession and intent to use ransomware …

  1. MiguelC Silver badge
    Mushroom

    Banning malware is not an option!

    The only way to fight bad guys with malware is good guys with malware!

    This post is approved by the NRA (National Ransomware Association)

    1. b0llchit
      Devil

      Re: Banning malware is not an option!

      You are mistaking. The good guys already have lots of malware. Just take a look at their computers. It is as simply as that. Therefore, the proposed wording is slightly off. Fixed version:

      "label the possession and intent to use of ransomware in a malicious manner as a misdemeanor"

      Then you simply start, randomly, to arrest and convict people you do not like and put them away for 10 years. That also solves the problem of "...making something illegal doesn't help unless you can catch and prosecute those who break the law". You are all criminals. You know it, I know it, we all know it. Now, get with the program.

      1. Yet Another Anonymous coward Silver badge

        Re: Banning malware is not an option!

        Couldn't we just make being a criminal illegal?

        1. chivo243 Silver badge
          Coat

          Re: Banning malware is not an option!

          I don't recognize your authority... by which standards? Crime is determined by the state...

      2. Karl Vegar

        Re: Banning malware is not an option!

        And since the at least the early versions of ransomware utilized builtin encryption mechanisms, any encryption tool can also be considered a ransomware tool... And the feds go wild.

        1. Swiss Anton

          Re: Banning malware is not an option!

          And clearly being in possession of tools that can be used to write ransomware must also be a crime.

          1. jake Silver badge

            Re: Banning malware is not an option!

            Clearly. Such tools would have to include a blank piece of paper, scissors, an already printed publication, and glue.

  2. Twanky Bronze badge
    Flame

    How about...

    ...making it illegal to run a public computer system which is susceptible to known malware.

    I'm feeling generous: perhaps the authorities could endorse a register of known vulnerabilities which must be fixed or the CxO gets a vacation in the big house. If you get caught by a new one then there could be leniency - as long as you had a response plan.

    1. KittenHuffer Silver badge

      Re: How about...

      And how about wearing a loud shirt, in a built up area, during the hours of darkness?

      1. Twanky Bronze badge

        Re: How about...

        Or possession of an offensive *wife?

        (*Alternative spouses are available - depending on where you live).

        1. Anonymous Coward
          Anonymous Coward

          Re: How about...

          I don't possess a wife, she posses me.

          Anonymous Coward - obviously

  3. Mark 85 Silver badge
    Facepalm

    Have to love governments.

    Seems they think making something illegal will solve the problem. Never has, never will. It just makes the legislators fools for wasting time and money.

    I think the facepalm is appropriate.

    1. jake Silver badge

      Re: Have to love governments.

      The legislators aren't making it illegal in order to actually stop crime, silly! They are doing it to be seen doing something by their electorate. All it is is a somewhat sad plea for re-election.

      Sadly, it seems to work. And it will continue to work as long as the only prerequisite for voting is the age of the voter.

    2. Doctor Syntax Silver badge

      Re: Have to love governments.

      "Seems they think making something illegal will solve the problem."

      Let's try a little thought experiment. Let's make murder legal. Somebody kills your nearest & dearest. What are TPTB going to do about it? And will you be happy with that?

      1. jake Silver badge

        Re: Have to love governments.

        But it's not murder, it's extortion. Which is already illegal and yet still happens. We don't need new laws for this kind of thing, we need the existing laws to be enforced.

        Put another way, I could kill you with a hammer. Shall we make all hammers illegal? What about screwdrivers? Pointy sticks? Rocks?

    3. Cynic_999 Silver badge

      Re: Have to love governments.

      To be fair, such seemingly useless laws do give a "fallback" law in cases where a perpetrator has been caught, but there is insufficient evidence to prove that they actually carried out the ransomware attack. A bit like convicting a burglar for "going equipped" because you cannot prove beyond reasonable doubt that he had actually broken into any houses.

      Unfortunately such "fallback" laws tend to get mis-used by police as a primary law in order to convict people who are entirely innocent of any malicious intent. Like using the knife law to convict an entirely innocent van driver who had a knife in the van to use as a tool. Or twisting loosely-worded anti-terrorist legislation to convict a cyclist for taking a short-cut over DoD owned land (which would otherwise be simple trespass which is not a criminal offence).

  4. Malcolm Weir Silver badge

    I read the bill as permitting the possession of ransomware as long as you are researching how to make lots of money from infecting people with it....

  5. jake Silver badge

    Interesting.

    "“Computer” means an (...) organic, or other data processing device or system that performs logical, arithmetic, memory, or storage functions."

    The way I read it, bacon or cheese is "malware" if it leads to distracting a dog.

    1. Not Enough Coffee

      Re: Interesting.

      And does this mean bacteria can sue me for taking an antibiotic?

    2. Doctor Syntax Silver badge

      Re: Interesting.

      Forget defining "computer" - how do they define "possess"? Catch malware and you not only get your computer scrambled, you now find yourself in possession of something that can get you 10 years in clink.

      1. Jimmy2Cows Silver badge

        Re: Interesting.

        Came here to say the same. Certainly easier than trying to find the authors. This way the guilty come to the cops and openly confess, detection and conviction rates for "possession" of malware soar, and everyone's happy. Well except the victims.

  6. jason_derp

    Great job!

    Another gleeful group of idiots walking around with red hand marks on their backs from all the patting they've received from themselves. Later next week, they're going to go to the cafeteria to make obesity-contributing nutrients and salmonella illegal. That'll show those carbs and bacteria!

    1. katrinab Silver badge
      WTF?

      Re: Great job!

      My city regularly prosecutes businesses for having filthy kitchens, and I think it does work to keep food hygiene standards high.

      1. jason_derp

        Re: Great job!

        That's good! I'm assuming they know who works there though, which is different than people on the internet anonymously and maliciously using malware. I didn't mean to say they weren't holding the people running the kitchens accountable. I was saying they were making bacteria illegal instead, then not bothering to deal with the people behind the counter, the real problem. Which is insane, because it's untenable.

  7. paulll

    "It's important to establish so criminals know it's a crime."

    Usually takes quite a lot of beer to make my head spin this much.

    1. PapaD

      I especially like the idea that

      If it's not currently a crime, they aren't criminals, so by making it a criminal offence you are creating new criminals.

      So, what should have been said is 'making perpetrators aware that this is a crime'

      The thing is, it already is a crime - so they are already a criminal. However, in Maryland they can now prosecute the same individual for two crimes, not one, for each individual offence - which means more time in prison (assuming they were daft enough to commit their crime in the USA whilst they are actually in the USA), more profit made by the private prison services, and in theory more corporate taxes paid by them.

      Everyone is happy (Except the criminal, who doesn't really care because chances are they aren't in the USA and have no intention of ever physically being there)

      Convoluted - yes, pointless - probably.

  8. skeptical i
    Devil

    Maryland is now a social-media-free zone?

    Get thee behind me, Satan! And take all that damn advert/ marketing/ nonsense trackware and its residues with you!

  9. EnviableOne Silver badge

    old news

    Correct me if i am wrong, but this is a waterd down version of a section 3 offense in the CMA90

  10. ortunk
    Devil

    BOFH Says

    So if you get infected by ransomware it will be considered misdemeanor and you pay a fine.

    That might really improve security actually.

    Sends HR and Law departments scurrying.

    1. Cynic_999 Silver badge

      Re: BOFH Says

      No, it won't improve security BUT it will stop people reporting that they have been hacked. Which means that the statistics will "prove" that it reduced the number of such crimes ...

      Just as we have "impoved" crime rates by disuading people from reporting crimes.

  11. Pirate Dave
    Pirate

    Yeah, ummm

    "Strangely enough, most ransomware gangs go to great lengths to ensure their victims can't work this out. "

    Considering the struggle most of their typical "victims" go through to simply turn-on the PC, I think the ransomware gangs could safely reconsider the necessity of this.

  12. ThinkingMonkey

    What's the problem here?

    I'm not sure why the title of the article says "Make malware possession a crime!" sarcastically because in the article it spells out that the proposed legislation seems to want to punish "intent to use" the ransomware in a malicious way more so than "possession of malware".

    For example, in some states if you're caught driving around suspiciously in a neighborhood late at night and the police search your trunk and find certain things, you can be charged with what is called "possession of burglary tools". While these normal tools, crowbar, big screwdriver for prying windows, etc. are nothing more than that, normal tools, the suspicion of the person's intent to use said tools for malicious purposes is the problem, not the tools.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020