
Will banning hacker tools curb hacking?

The U.K. government is proposing a ban on the creation and distribution of "hacking tools" as a means to bolster its existing Computer Misuse Act.


An excerpt from TechWorld:

Computer security professionals have expressed concern about the drafting of the changes, however.

The most-discussed change, contained in Section 3A of the CMA, makes it illegal for someone to create an application that is "likely" to be used for hacking. But the precise definition of "likely" has prompted fears the law could potentially target those undertaking activities such as penetration testing.

The definition of "hacking software" is vague and may be up for interpretation. Security researchers and system administrators regularly use many tools that fit the above description for penetration testing and network monitoring.

While the government has come out with some guidelines on the "dual-use" tools, not all concerns have been allayed, especially concerning the open-source tools in this sector.

More information:

Expert: CPS hack tool guidance 'confused' (ZDNet)

New UK hacking laws make ‘hacking tools’ illegal (Tech Blorge)

UK Crown Prosecution Service publishes Computer Misuse Act guidance (Heise Security)

48 comments
deepsand

Aside from the difficulty in defining a "hacking tool," one might look to the degree of success that has been made in such efforts as the "War on Drugs," "Mothers Against Drunk Driving," or the "Pure Prairie League."

alaniane

You can't legislate behaviour effectively. Cracking is a behavioral problem. If you ban tools you don't change the cracker's behaviour, so how will it eliminate cracking? The cracker is just going to: 1) ignore the illegality of the tools being used 2) use alternate tools to accomplish the same tasks.

cathar.gnostic

Again it shows having idiots running countries has always been mankind's undoing. The real smart guys write their own tools. Maybe outlaw compilers, no, that doesn't go far enough, how about outlawing operating systems that can run these compilers or go even further, outlaw the computers that can run the operating systems that can run compilers that are used to make the tools that are outlawed, that will fix it!!

TheGooch1

Just keep telling yourself that you live in a free country where the government serves the people. Repeat it enough times and people will eventually believe it. (paraphrased from Nazi Director of Propaganda (Gibbons, I think his name was)).

The Listed 'G MAN'

Just cite all the exact reasons that GUNS should not be banned in the USA, changing Guns to Tools....

JohnMcGrew

When banning programming tools fails, will they then propose to ban the use of certain keystrokes? This reminds me of when Microsoft banned the inclusion of "reset buttons" on "Windows Certified" PCs because Windows doesn't crash anymore. It's reality implemented through wishful thinking.

jmgarvin

Arg. This is just like trying to ban alcohol, porn, and music (ala DRM/DMCA). It's a waste of time and effort. The internet is not made of tubes and it is a dump truck.

CharlieSpencer

how do you enforce the ban? So far no one has been able to stop spam, malware, phishing schemes, or kiddie porn. How will enforcement of this ban be any different?

Absolutely

[i]The most-discussed change, contained in Section 3A of the CMA, makes it illegal for someone to create an application that is "likely" to be used for hacking. But the precise definition of "likely" has prompted fears the law could potentially target those undertaking activities such as penetration testing.[/i] Statistically, it [b]is[/b] the most "likely" to be hacked.

normhaga

Just how do you define a tool that is used for hacking and one that is used for security testing? All the tools have a dual use. How they are used depends on the individual using them. Legislators should refrain from writing laws in areas they know nothing about.

ManiacMan

I don't think so. I use what can be considered "hacking tools" to run penetration tests on networks, run port scans to determine point of vulnerability, and have utilities to unlock forgotten admin passwords on various operating systems. Yes, these tools can both be used for ethical and unethical purposes, but for the morons in any gov't to outright ban this is like me advising the medical board on how to properly perform open heart surgery, something I have absolutely little to no knowledge about and am not qualified to even open my mouth on the subject matter. Even if it's banned, anyone seriously looking to do damage to a network will inevitably find these tools on warez sites and through torrent downloads, so what good does any of this accomplish? Go after the true unethical hackers who don't need these tools or toys, not after ethical hackers or IT security pros who use these tools to make a living.

Tig2

Is that you would be undertaking a world wide standard, not just one that would be used by the UK. If not, you fail entirely. Security professionals who use "dual-use" tools would have to be the ones setting the ground rules, regardless. Otherwise we run smack into the age old problem where legislators, knowing nothing about IT, are making the rules. And it is up to technology to figure out how to comply. And in the end, you will find that people who have a real need to use those tools don't have access, while the criminal- who doesn't care much about the law to begin with- does have access and a clear path to develop new tools. You can't un-ring this bell. Legislation is not the answer. Common sense is.

jmgarvin

A few years back, the mayor (a guy named Ravi Bhasker) of a town called Socorro, NM was arrested for DUI. He had just gotten done talking at a MADD meeting when he was pulled over. Not only was he drunk, but drunk RIGHT after being the KEY NOTE at a MADD meeting... Pissing into the wind is right...

Jaqui

prohibition. danged a ran away

Neon Samurai

It's been a while since I've seen someone make the distinction between "ethical hacker" (redundant) and "cracker" (what most people mean when they say hacker).

ManiacMan

There was the Fuhrer, Hitler, Himmler, Goebbels, and Mengele.

Absolutely

The 'G-Man': [i] NO BECAUSE...Just cite all the exact reasons that GUNS should not be banned in the USA, [b]changing[/b] Guns to Tools.... [/i] That's not a change, it's a classification. Guns are already a type of tool, no "changing" is necessary. Their purpose is self-defense, and historically, hunting game, although that use is unknown to enough voters that many are not only willing but eager to totally relinquish to the police the right to bear arms. Ignorance of the purpose and function of the tool 'computer' is similarly responsible for the idiots' willingness to relinquish all rights to control its use to regulatory agencies, whose expertise they generally overestimate. Real-world G-Men are, let's just say, not all Jack Bauers.

Absolutely

"The internet is not made of tubes and [b]it is a dump truck[/b]." I'm about 95% confident that you meant to say "and it is [b]not[/b] a dump truck," but then, you are full of surprises.

JohnMcGrew

But what they will do is use this statute as a mechanism to harass citizens in other ways, basically as a short-term end-run around habeas corpus; If some official wants to get to you in some way, all they have to do is claim that you have "hacking tools" of some form, say "edit" or "sed" on your system. That should be convincing enough for your average non-techie judge. It's this exact method that the FBI used to hold Richard Jewell after the Olympics bombing in '96; the FBI found "bomb making" materials in his home, like "roofing nails" and "cardboard tubes" (you know, from rolls of paper towels) and "ammonia" (from cleanser); you know, stuff that would likely be found in, say, 150 million or so homes across America. Silly laws like this threaten everyone's civil rights.

Absolutely

... because we will try so much harder, this time. :|

ben@channells

Many true hacking tools rely on Linux services or have been ported from Linux. I could name several true hacking tools that are only available for Linux (they may back date the offences). Even TCP port scanning tools do not give the same results as a Linux version (Windows does not support the TCP SYNC). The UK government has outsourced more IT than any other Gov. Any list of suspects would be lost (CapGemini: Child support agency) or failed to be input on the database (Siemens: Home Office). You may remember Bill Gates made several visits to Tony Blair and Gordon Brown, to ensure actions were not taken to stop Microsoft monopoly and ensure the UK Gov continue to keep buying Microsoft products and stop Open source projects. UK police IT training of officers is said to be very very low to implement the existing Computer laws, despite over £400 million spend on IT training.

ManiacMan

because syringes are used by heroin junkies and scalpels can be used as weapons. I guess I made my point.

Neon Samurai

Maybe there was a 98% decline in cracking attempts in Germany after the law was instated (did it get passed into law there finally?) and that's what's inspiring legislators in the UK but somehow I doubt it. The only people who are going to respect the legislation are the law abiding security hackers that use the tools for auditing purposes. I fear it'll be a whole lot of politicians with little knowledge of computers and even less interest in listening to the consultants they question but a big need to look like they are doing something; even if it's the completely bass ackwards thing to do. Me thinks the emperor's new clothes are very nice but maybe they should consider real security instead of legislating obscurity as if it'll help.

Neon Samurai

If someone is cracking security are they really going to care that the program they use is illegal? Carrying a firearm in Canada without an FAC (if going to/from the range) or a license to carry (if just out and about) is illegal and yet those pesky criminals don't have any trouble finding them.

Absolutely

You're right; I'm tired of explaining this. You go.

Neon Samurai

Drunks Against Mad Mothers? :D (bad joke I know but it's just one of those days I guess. No offense intended to anyone out there.)

deepsand

As early as 1855, 13 of the then 33 States had prohibition laws. The "Anti-Saloon League," aka "Pure Prairie League" (from the name used in the 1939 Errol Flynn movie "Dodge City"), along with other organizations, such as the "Dry Chicago Federation" and the "Women's Christian Temperance Movement," brought sufficient political pressure to bear, with the result that, by 1916, 23 of the then 48 States had anti-saloon laws, and Congress had a 2:1 majority of "dry" members. But 1 year later, 1917, Congress sent the Prohibition Amendment to the State for ratification.

Neon Samurai

They lifted the portion of prohibition that covered alcohol but the twisty remain bound under the original prohibition law if I read my history correctly. Previous to prohibition, alcohol was frowned upon while the other was barely even noticed. Lifting the prohibition now won't happen since it justifies so much of the FDA's budget. Still, like the other over reaching laws, it doesn't seem to have much effect. (I read a lot of history from a wide selection of topics)

jmgarvin

Ya, the missing not makes it seem like quite an odd comment... I think I'll leave it without the "not" to make me a little more mysterious and "cool." :-)

The Scummy One

NOT! If we want the criminals and crackers to rule the Internet, then by all means, implement laws to ban hacking programs. These same tools that are used by crackers, are also used to help secure systems/networks. If the tools are banned, then networks will become less secure, while criminals will continue to make newer, better versions (or download them illegally).

jmgarvin

Ban the guns, don't punish the criminals.

Tig2

And I appreciate that you made that point. Laws only govern those who would act within the law.

deepsand

And, if not, that you should be.

Neon Samurai

I wasn't meaning to detract from the others who prefer to use the correct terms. This particular comment was just a very refreshing blast of air out of the blue. Seems the last week or so there's been a flood of "hackers will steal your ID and eat your babies" headlines the last few weeks. I made a point of not going off on my usual rant so when I stumbled across the comment after all the boogeyman threads above, the contrast really stuck out. (sidenote; that's still a fantastic nick)

Jaqui

that just tells you he doesn't read your posts ;)

Jaqui

is not from a missing word, it is from an extra word. the internet is a dump. since anyone can dump anything onto it. [ there wouldn't be a child porn problem on the internet if there was some way to stop it from being posted ]

Absolutely

[i]I think I'll leave it without the "not" to make me a little more mysterious and "cool."[/i] What's cool about an error? I find that comment difficult to understand. Suddenly I'm overwhelmed by insatiable curiosity about you, and ... oh, good one.

Neon Samurai

Between Shakespeare's "What cracker danes.." line and the less than polite usage stemming from the use of whips in the American south I think the meaning is clear. I think the media should simply use the correct term "criminal" or "alleged criminal" or "attacker" or "assailant". They don't have the same "it must be cool 'cause it sounds computery" feel but why must we distinguish between a criminal who uses a crowbar and a criminal who uses Jack? Just my thoughts on the topic..

ManiacMan

But if they start using terms like "crackers" on TV, they'll be called racists...LOL.

Neon Samurai

Sorry 'bout that.. work's been kicking my (_|_) so I've barely had time to skim through the forums quickly as of late.

The Scummy One

"and they write a lot about the romance lives of Hollywood actors when there are dry spells in alien abductions." Ain't that the truth. But I hadn't quite thought of it like that... :)

Absolutely

I'll give you a hint: they call us computer criminals by using the word "hacker" incorrectly to refer to computer criminals, and they write a lot about the romance lives of Hollywood actors when there are dry spells in alien abductions.

Neon Samurai

The inevitable outcome of being raised on the recognizable names, Monty, Adder, Red Dwarf, .. It's really the dry sarcasm that does it for me though. Anyhow, that aside.. I'd hope that should such a useless law be passed, they would have the minimal good sense to do so the same way that locksmith tools are managed; If you're a licensed locksmith, being stopped by police while carrying your tools should not be an issue. The concern is if they go the easy rather than rational route and ban them outright including for use by the digital locksmiths who rely on those tools. Really though, it's still banning the symptom not the cause. How is a law going to stop someone who is intentionally breaking laws in the first place. Best of luck to you in the same way I wish the more rational Americans the best of luck in the next vote.

ben@channells

British Humour But shortly after Bill Gates met the British PM large projects using Linux were switched to Windows at a sizeable cost of re-engineering and licensing cost. That's NOT funny, it's my taxes that are paying for UK IT. The UK home office spends £18 Billion per year on crime prevention, yet cannot add the paedophiles caught overseas on to the sex offenders database, many are not arrested on entering the UK. After 2 years investigating the "Wonderland club" the offenders only got 2 years in prison, those that were caught in the USA got 20 years for similar offences. So yes you are right the tools are banned and the criminals are not punished. The Police could if passed into law send me to prison for having Microsoft's Baseline Security Analyser or Ethereal: That is NOT Funny. But since they are part of my work function then may be the CEO will go to prison, Now that's funny :-)

Neon Samurai

I may have just been in a good mood when I read it but I didn't think he was serious or was purposefully being sarcastic due to the knock at MS in the last paragraph. Now, if he was seriously suggesting that an OS should be banned simply because it's more powerful than Windows.. well.. that's a whole other kind of brain damage. :)
