@Dave
There are 3 clauses that have been added that deal with supply and guilt:
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
intent, belief and view really, they are more designed to let off the accidental bug writer than they are to protect penetration tool distribution.
If you are creating a pen tool, then you know full well that it could be used to commit an offence under section 1 or 3 of the computer misuse act. I don't think they will find it particularly hard proving that point to most people.
You can make pen tools though as long as you ensure they don't get used to commit an offence under section 1 or 3, you can try and distribute if you like but you will have a hard time proving you believed they could not be used, if they subsequently are.
You not being prevented from making or supplying, but you are being made liable if they get misused, therefore people will stop distributing these tools, the entire distribution chain is made liable.
So, the only logical way to get a pen test done on your system legitimately, note that is an authorised use of a computer system, is to hire people who have made their own tools.
Now, that is not something the law demands, it is a side effect of the risk in distributing tools, as soon as you distribute you lose control of the use of the tool, so the chance it could be used to commit an offence under section 1 or 3 increases to what are unacceptable levels to most developers and suppliers.
Sections 1 & 3 :
1. Unauthorised access to computer material.
3. Unauthorised modification of computer material.
As it stands people can use pen tools if they have authorisation to use the tool on a system.
But, the authors of these tools are now wondering what to do, if their tool is used to commit an offence they are now held liable, so it is likely but yet again not enforced that a lot of tools will be withdrawn because they now represent a potential risk too great.
Now, if you are working in a security consultancy as a developer, you probably don't want to hand out any of your tools, and if you do you probably want caveats to the nine written into the licence, I don't know armed guard on the person as they use the tool.
You certainly don't want to lose ownership as the law covers the maker (not the owner who will probably be made a co maker not sole maker), so you ain't going to want to be employed making this stuff under a conventional employment contract, as you are maker but not owner so lose control of the distribution.
And, say you are an open source distribution, anyone involved in the chain of distribution of a particular pen tool that is used to commit an offence is now liable, that goes from the author to the distro dev, to the mirror, to build server admin, but stops short of the user, unless the user is the misuser, or the user decides to turn into a distributor.
The point is users have not really been directly affected by this law, it starts with the authors who will be looking to reduce liability by stopping the distribution chain at source. And any part of the distribution chain is liable, so any distributor will be considering risk reduction in the removal of these tools. At some point the users will not have access to the tools, or if they do they will probably be breaking the law, not this law though, copyright, and licensing.
But, computer systems will still need to be pen tested, now instead of some joker with a copy of nessus wandering into a business, to test the defences, companies will have to look for people with the tools and who are willing to pen test using their own tools.
So, the eyes at the moment are on the developers of pen testing tools to see what they are going to do about controlling the distribution. My guess is most won't want to take the risk. And they're wise not to.
If there are no tools for the jokers, then the real security developers can command a much higher fee, and have a higher degree of autonomy, if they cut supply. They can then do the pen testing themselves and charge accordingly.