UK cybercrime overhaul finally comes into effect

Maybe..

if the use of nmap were made compulsory among network professionals the instances of security breaches might be reduced ?

Certainly one of the most useful pieces of security software around, hell, its even useful for non security stuff as well........

have they

actually gotten around to properly defining unauthorised access yet? As it is, it's so vague that i could probably fall foul of that at work by clicking on the wrong desktop icon.

The Sin of Omission ..... when All are Born Equal and Unique

Do Regulations Comply or Impinge with Independent Joint Movements in CyberSpace ..... http://www.cyberconf.org/~cynbe/cyberdecl.html.

I don't Suppose they have even been Considered and Factored In. :-)

re. doubly illegal

Is that the same as 'double plus ungood'? If so, you need to remove some words from your vocabulary.

Bad Peter bad! Bad Trixie Bad!

"(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, OR TO ENABLE SUCH ACCESS TO BE SECURED."

i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal.

Section 3 is changed to add the 'enable' thing too. To remove the requirement of physical damage and to change the definition of 'act' to enable Peter to be locked up if Paul did the act.

Section 3A makes it a crime to make cracking tools, networks sniffers etc. To sell or distribute tools that can be used to misuse a computer. Or even *DATA*, i.e. information is covered here, it's better to only discuss security holes outside of the UK.

As before 'unauthorized' doesn't exclude ownership, so you can own the computer and still the access can be unauthorized.

Further down there's a real mega wozzers:

"(8)If the impression conveyed by a pseudo-photograph is ..... and so shall a pseudo-photograph where the predominant impression conveyed is that the person shown is a child notwithstanding that some of the physical characteristics shown are those of an adult."

So pictures a flat chested women dressed up in school uniforms will now get you prison time and a sex offenders registry entry. Another 'Jacqui Smith really hates men' thing.

s36: Unauthorised acts with intent to impair operation of computer

Up to 10 years in prison if I borrow your keyboard without asking...

Equally, it could apply to failing to read a manual, so, some users may well be going away for a long time.

My compliments to the draftsman.

There must be...

..some valid justification to give less time in Jail to a convicted rapist than to someone who throws a few angry packages about.....

....surely??

....Nah.

Umm...

If:

"1 (1) A person is guilty of an offence if

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, [Text added 2007-10-01 (Scotland) by Police and Justice Act 2006 s.35(2).] [Not yet in force elsewhere in the UK.] [This addition to be cancelled by Serious Crime Act 2006 s.61(2).] or to enable any such access to be secured ;"

Does this mean Vistas illegal in Scotland until its amended out??

RE Bad Peter bad! Bad Trixie Bad!

"i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal."

Peter's modification to enable Paul's access would need to constitute an authorised modification in its own right. Otherwise, the loophole in the original Act remains that, if Peter, without authority, creates a privileged account on a system (for example), and then passes the details to Paul to carry out the exploit, Peter could not be charged under the Act.

In any case, s61, Serious Crime Act 2007, repeals s35(2) of the Police and Justice Act 2006, so this provision does not come into force.

"Section 3A makes it a crime to make cracking tools, networks sniffers etc. "

No, it does not. The drafting is not perfect, but, it is a criminal offence to create a tool "intending it to be used to commit, or assist in the commission of, a [computer misuse act] offence." If you write a packet sniffer for testing your network, the burden on proof would be on the prosecution to prove that you intended to use it to commit an offence. It has the element of "intention" - a mental state - and is not absolute.

It's not perfect by a long shot, but, it's not as bad as you point out, at least to my mind.

The drafting of s37(3), sadly, is entirely incomprehensible to me.

Computers get rights

stuff the human operators, it is all about the computers now.

The law is crazy, and no doubt there will be workarounds.

But really it means no one will distribute pen testing software to the UK.

And a lot of authors will add a clause saying this software cannot be distributed to the UK, so that copy of nmap you have in your bottom draw may very well be illegal if not under this act, but under copyright and licence agreement. Be interesting to see how that all plays out.

So say you are a computer security company, you get a telephone call to check out a security problem, you wade on in, fire up nmap to check for any weaknesses, at that point you probably have committed some sort of crime (civil or perhaps criminal), when that comes up in court the defence may use that to say the evidence obtained was obtained in an unlawful manner.

That's the real problem, this law actually makes forensics much harder to achieve, oh well.