Tougher Hacking Laws Get Support in UK

Posted by ScuttleMonkey
from the be-careful-of-blanket-statements dept.
rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."

  • by Opportunist (166417) on Tuesday March 07, 2006 @03:03PM (#14868609)
    Laws against DDoSs. Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

    Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.

    You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.

    You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"

    So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

    In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two. If you threaten new and intelligent people with jail time comparable with premeditated severe bodily harm (up to 10 years sentence here), they will go out and find some less "dangerous" hobbies.

    And the price for good security experts in the UK will rise. Either that, or you have to import them from some country ending in -stan, because there they can still learn the tricks of the trade.
    • by LiquidCoooled (634315) on Tuesday March 07, 2006 @03:13PM (#14868730) Homepage Journal
      Laws against DDoSs. Great idea.

      What happens when somebody complains about a thorough slashdotting?

      Remember, google can be taken off the air when word of a DOS attack happens (I am a firm believer that 99% of DDOS attacks are curious web users on the grapevine testing a site supposed to be under sustained attack)
      • Certainly.

        Imagine you're running a blog. On a small server with a so-so connection at a local provider. Then you find something important. Something outrageous. You get quoted in newspapers, you get quoted on CNN or worse, you get quoted on /.

        Result? DDoS at its finest.

        Not even intentional. People just wanted to read your page.

        Illegal?
    • So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?

      Simple. If, by luck, they ever manage to catch someone they now have a law to charge them with.

      Until then, it helps keep MPs elected.

    • In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

      I disagree with this statement. Many people learned security the right way. There are places with servers designed for testing. You don't

      • IMHO, DDoSs is like a boycott.

        No it isn't, it's more like a denial of, say, a service. A boycott is you and your slashbuddies refusing to buy brand X. A DOS is you and your slashbuddies refusing to allow others to buy brand X. See the difference?

    • Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two.

      I do not see how you get from "scratching and sniffing" to a record. I, along with most reputable security folks, spend a large amount of my personal income on equipping my lab so I can try things out without doing it on other people's s
      • Hacking your own boxes has one severe but very easily overlooked shortcoming: You can of course make your box so secure that you cannot hack it (provided the system is secure).

        Before someone asks, no, I do NOT advocate going out and trying to hack some machines that don't belong to you. What I DO highly advocate, though, is getting in touch with like minded people and trying to bring each other's defenses down. It's amazing how much you can learn that way, even if you've been in the biz for years. And it al
    • by Jerf (17166) on Tuesday March 07, 2006 @04:00PM (#14869168) Journal
      The first part of your argument boils down, I believe without much loss, to "it won't catch smart criminals, so it won't catch them all". This is a dumb argument against law for reasons so obvious I hope I really don't have to spell them out. It applies equally to all laws.

      (A smokescreen of words can make any point look valid.)

      The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.

      I don't know that this law is good or bad; I haven't really looked at it. (The laws do need to be carefully written to make sure it remains legal to provide all relevant security services, which based on other comments may be an issue with this law.) I'm just pointing out your arguments are specious.
      • The first part mostly focused on the problem that you cannot reach a good deal of the criminals. Either they're not in the country or they know how to make them appear to be from abroad.

        Yes, a law that catches dumb criminals is better than no law. I do, however, expect that the number of dumb people able to create the brain for DDoS attacks is rather small to nonexistent.

        The second part should actually point towards the fear of doing something illegal and thus not doing it altogether. When you're new to the
        • It's not so much that the law will outlaw learning. It will, though, make people think twice about it. Few people learn something just for the kick of doing something illegal. Most do it because it's fun or because it offers them some opportunity for a great job later.

          I'd point to examples like the Copyright, Designs and Patents Act, which contain explicit exemptions for security researchers and the security services. I would imagine that the government would insist on those same exemptions within the bill

    • You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan.
      So? Existing Computer Misuse Act offences don't care where the computer(s) used are. If packets involved in a cracking attempt pass through the UK the cracker has committed an offence under UK law.
      • Sure. And who is going to dig out that computer somewhere at the end of the world?

        That works quite well as long as the attacking (or in this case, controlling) computer can be reached by authorities. Have you ever tried to execute any kind of warrant in a still rather "approachable" country like Russia? Unless some interests in Russia are involved or it's a crime that could go at the very least to the EC supreme court, your chances of not even hearing back from them (and "you" being something like the UK go
    • If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan.

      Or he lives in one of the two countries whose name ends in "Korea".

      Hint: It's not the nice one.
      • Ok, ok.
        I use -stan as the "generic unapproachable country where you can commit computer crimes" because there are quite many that end in -stan, most of them in an area that has better worries than whether someone used the 'net to actually get some money into the country, legally or not.
    • Laws against murder? Great idea. Btw, let's next outlaw Hurricanes from destroying properties.

      Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.

      You want the instigator? Good luck. If he has half a brain, the murder weapon is not his, and he used a hitman. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.

      You
  • by nexxuz (895394) <williamNO@SPAMwilliampenton.com> on Tuesday March 07, 2006 @03:03PM (#14868614) Homepage Journal
    Would that mean that there could be legal actions against slashdotting in the UK?
  • more info (Score:4, Informative)

    by dotpavan (829804) on Tuesday March 07, 2006 @03:06PM (#14868646) Homepage
  • Ambiguity (Score:5, Interesting)

    by kaleco (801384) <{moc.tenretnitb} {ta} {2llahsram.gierg}> on Tuesday March 07, 2006 @03:07PM (#14868652)
    The bill - which was being debated for the first time in the House of Commons on Monday - would also boost the penalty for using hacking tools.

    What constitutes a hacking tool? A terminal emulator? Linux?

    • I hope the actual bill doesn't use the words "hacking tool". Then again, if it does, that makes it even more ridiculous and therefore easier to attack (and less likely to pass).

      "Do you have a license for that C++ compiler, mate?"
    • Re:Ambiguity (Score:5, Insightful)

      by Anonymous Brave Guy (457657) on Tuesday March 07, 2006 @03:25PM (#14868834)

      This is one of those laws written by people with no clue about technology, and therefore hopelessly and dangerously broad. In this case, the text reads:

      (1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article-

      (a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or

      (b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

      A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.

      • Re:Ambiguity (Score:4, Insightful)

        by kaleco (801384) <{moc.tenretnitb} {ta} {2llahsram.gierg}> on Tuesday March 07, 2006 @04:02PM (#14869185)
        This law is designed to make more people criminals. They can't examine an innocent person's computer, but if you're unwittingly breaking an arcane law, suddenly you're a criminal and the police can investigate all they like.
      • At the very least it means that it would be illegal to even mirror nmap in the UK, never mind use it.
    • What constitutes a hacking tool?

      Making, supplying, adapting, or offering to supply something which is designed for, or adapted for allowing someone to cause a computer to do anything with the intention of accessing any program or data that they (person using the program) know is unauthorised.

      I'm having trouble even parsing what they're trying to say, let alone what it means -- this will probably be something which is interpreted differently by everyone who reads it.

      After all, it's easier to define "accessing st
  • What? (Score:5, Funny)

    by voice_of_all_reason (926702) on Tuesday March 07, 2006 @03:08PM (#14868668)
    10 years for hacking? So you might as well take out the cops who are trying to bring you in. Assuming concurrent sentencing, you'll get the same time even with a few second-degree murders thrown in. Sorta like a bonus.
    • Re:What? (Score:3, Informative)

      Just FYI, we don't currently have degrees of murder here in the UK. If you commit murder, the only sentence available to the judge is life. (This is one reason why guilty of manslaughter is often the verdict returned instead; manslaughter carries the widest range of possible sentences of any crime in the UK.)

      • You win a Mace of Informative (+1)!

        I'm not too keen on British law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?
        • Personally I think murder is murder. But that's not the view of the British public and things may change. You may find this story [bbc.co.uk] interesting.
          • Re:What? (Score:3, Informative)

            by Shimbo (100005)
            Personally I think murder is murder. But that's not the view of the British public and things may change.

            Actually, I think it is the view of the British public but not mine. Here are two examples of murder that I strongly believe shouldn't have a mandatory life sentence:

            1. Assisted suicide: the prosecuting authorities almost never bring a charge of murder but there would be no defence if they did.

            2. Gross provocation: the whole business of pleading not guilty to murder but guilty to manslaughter "on the gr
        • Re:What? (Score:3, Informative)

          by Haeleth (414428)
          I'm not too keen on British law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

          Well... the thing is that in British law, life doesn't mean life.

          I'm not an expert, but my citizen's understanding of it is that the judge also sets a tariff, which is a number of years after which you
          • Re:What? (Score:3, Interesting)

            The "parole forever" part sounds really scary. In the US, anyone on parole can be stopped/searched at any time, sex offenders can't buy any porn -- a whole host of crap. You really can't rebuild some semblance of a life if you're not treated equally under the law any longer.
        • Eh even in the US if you "take out the cops who are trying to bring you in" it's not 2nd degree murder, IANAL and all that, but I'm reasonably sure that killing a police officer who has identified himself is always first degree murder, and will likely earn you a needle in the arm if you are in a state that practices capital punishment.
          • will likely earn you a needle in the arm if you are in a state that practices capital punishment.

            Actually, I think it would be classified as "suicide-by-cop" as they toe-tag your corpse at the scene.
        • >>So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?

          Uh, which one are you saying is worse? Because I wouldn't have a problem with them both getting life.
    • I know you were joking, but that's actually a good point. The worse the sentence someone's going to get, the less that person has to lose by committing further crimes.
    • Re:What? (Score:3, Insightful)

      by keyne9 (567528)
      Where's the moderation, "+1 Scary, but true.." when you need it?
    • by hyfe (641811)
      Concurrent sentencing is not used in Europe.
  • Hacking tools... (Score:5, Insightful)

    by advocate_one (662832) on Tuesday March 07, 2006 @03:09PM (#14868678)
    what will be illegal: possession or actual usage of them? cos technically speaking I'm in breach here simply for having several common utilities installed on this Ubuntu box. Tools I use to ensure my own systems are secure...
    • (2)
      A person is guilty of an offence if he obtains any article with a view to
      its being supplied for use to commit, or to assist in the commission of,
      an offence under section 1 or 3.
      (3)
      In this section "article" includes any program or data held in electronic
      form.

      So, probably possession is illegal. I say "probably" because I do not understand exactly what they mean with "with a view to its being supplied for use to commit [...] an offen

  • Sony? (Score:5, Insightful)

    by Lord_Dweomer (648696) on Tuesday March 07, 2006 @03:11PM (#14868696) Homepage
    "There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."

    And where will monstrosities such as Sony's rootkit fit into this? Surely our corporate overlords would be held just as accountable under these new laws as a poor 16 year old hacker in his parents' basement.

    • Well, I'm sure if you can ship the Sony HQ somehow to a UK prison, they'd imprison Sony...

      But I'm sure this can be settled somehow. After all, that 16 year old hacker doesn't have a good deal of your workforce in his grasp and could sack them with a moment's note. An international corp, otoh, doesn't care if it employs some people in the UK or elsewhere.
  • by GenKreton (884088) on Tuesday March 07, 2006 @03:11PM (#14868699) Journal
    Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just committed suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?
    • Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just committed suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?

      Yes. I live in the south-side of Glasgow, the area represented by Mr Harris. The issues here aren't, apparently, genocide and war: they are graffiti and "anti-social behaviour" (and now, presumably, ha><0ring). Meanwhile, Mr Harris's colleagues in the (Labour-controlled) c

    • by Opportunist (166417) on Tuesday March 07, 2006 @03:31PM (#14868910)
      Babic killed people. Hackers kill shareholder values.

      Wrong?
      From a moral point of view, yes.
      From a human point of view, yes.
      From a personal point of view, YES.

      From a financial point of view, no.

      You got 3 tries to guess which one counts.
  • Anyone hacking a computer could be punished with 10 years' imprisonment under new laws.

    So we are to assume that the UK will send in 007 to extract and/or annihilate the hackers from China? [computerworld.com]


    P.S. That would be " years " not " years' "
  • Or some other excuse to crack down on hackers.

    My guess is that they're more worried that details of the Iraq misadventure will be found by activist hackers, or Members of the House of Lords or House of Commons visits to .. um ... naughty websites ... nudge nudge wink wink ... you know ... than they are of hackers ganging up on website owners and demanding blackmail (which is already illegal and will already result in stiff jail terms).
  • by TekGoNos (748138) on Tuesday March 07, 2006 @03:20PM (#14868798) Journal
    A person is guilty of an offence if--
        (a)
            he does any unauthorised act in relation to a computer; and
        (b)
            at the time when he does the act he has the requisite intent and
            the requisite knowledge.
    So, if a script kiddy just tries everything without knowing what he does, he goes free?
    • I'd be more worried about he does any unauthorised act in relation to a computer

      This essentially makes British law inclusive, which is very bad. Instead of prohibiting a set of actions, it now appears okay to simply list what is okay, and assume blanket illegality for anything else.
  • Rather than constantly increasing the time for every crime committed, I wish legislators would determine the appropriate punishment and stick with it, rather than jacking up the time served every time someone screams, "Won't someone please think of the children."

    Of course, better enforcement of current laws would probably deter more crime than increasing the sentence.

    • Rather than constantly increasing the time for every crime committed, I wish legislators would determine the appropriate punishment and stick with it, rather than jacking up the time served every time someone screams, "Won't someone please think of the children."

      What I find incredible is that this business of locking people in cages obviously doesn't work*, yet we continue to use this. Isn't insanity defined something like "doing the same thing over and over but expecting different results"? If the system work

    • How about just not making things crimes that aren't really crimes?
  • Compare/Contrast... (Score:4, Interesting)

    by Greyfox (87712) on Tuesday March 07, 2006 @03:27PM (#14868856) Homepage Journal
    It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever. Assuming you get caught in either case. Likewise what are the penalties for staging a DDOS, which is temporary, versus, say, a Miltonesque burning down of the building, which isn't? And are the penalties for dumpster diving and stealing thousands of credit card numbers any more or less than phishing for them on the internet. Although it seems phishers are pretty good at covering their tracks these days judging from the number of news stories there are about THEM getting caught.

    It'd be even more interesting to see a news outlet pick up a story on that. Anyone care to send a suggestion off to NPR?

    Anyway... if the punishments for the electronic equivalents are more severe than the real world crimes, perhaps the lawmakers in question need to review their statutes about smoking crack and turn themselves in for appropriate punishment.

    • It'd be interesting to see a comparison of the penalties for a real world crime and its computer equivalent. For example, what's the penalty for shoplifting a CD, where you've stolen actual physical property and downloading the same songs from bittorrent or wherever.

      Those are not equivalent offences.

      When you shoplift a CD, the shop has lost property. When you make an illegal copy of something, no property has been lost.

      When you shoplift a CD, you aren't enabling other offences. When you downlo

      • That's kind of my point. If you shoplift a CD or DVD (especially as a minor) it seems as if you're opening yourself and your family to a lot less legal liability than you would be if you download a file on some P2P system and catch a civil suit from the RIAA or MPAA. If you then load that CD up on your MP3 player and then pass it around to your friends or send it across country or whatever, you're still doing a similar amount of damage to what you would have by uploading those songs with a P2P service. Shop
  • by TWX (665546) on Tuesday March 07, 2006 @03:28PM (#14868867)
    Honestly, I don't think that malevolent use of technology would be nearly as much of a problem if it were designed better. I'm looking at you, Microsoft, who have continued to provide us with software that is insecure both on the system and via network, and who never ever gets the software truly fixed. The next version may fix many of the previous version's problems, but it itself introduces new vulnerabilities that again, aren't fixed until the next version.

    Companies that create software or firmware need to be held to a quality standard that creates a modicum of safety or security. There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out and reduce the number of compromises to those who actually can break in through their own work.
    • There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out

      You can harden Windows to a stage where it is very difficult to break into; equally, you can deploy UNIX, VMS and AIX in a fashion that is very open. The fact that someone uses something with insufficient knowledge to do so properly can not be blamed entirely on the manufacturer. If they knowingly and negligently allowed it to be released with
      • In marketing their software to the masses and in gaining a monopoly in the method that they have, they should be obligated to provide some minimum quality standard. In my eyes that means figuring out what can and should be secure out of the box, and implementing a proper security model. Integrating Internet Explorer and ActiveX into the shell to the level that it has the ability to make system calls was STUPID. Requiring users to basically have administrator level access on any given computer in order to
  • But... (Score:2, Insightful)

    by Bill Hayden (649193)
    ...what about cracking?
  • Is it official? (Score:3, Interesting)

    by Jon Luckey (7563) on Tuesday March 07, 2006 @03:50PM (#14869087)
    Is the Lynx browser [slashdot.org] now officially against the law in the UK?
  • He's said that GB has the best legal environment for a coder. I don't think he can continue to say that if this becomes law.

    I do hope there will be a modicum of common sense exhibited by the MPs when they toss this one into the trashcan of history, to be repeated at suitable intervals when there isn't anything else to stir up the sheeple with.

    --
    Cheers, Gene

  • The fact is, many users are still in the 80s and don't appreciate our current situation. Even this week I read that "garage geeks are responsible for the viruses and trojans (known as malware) that brings multinational corporations down". Like that was ever true. Garage geeks are trying to save us from the current "cure pays better than prevention cycle" users are fed.

    On h4x0ring to Ddos extortion - equate to Banksy on "graffiti is not a crime. i am reminded of this by real criminals who find the idea of br
  • So it becomes unlawful to conspire to effectively disconnect an ISP (or website) by deliberately overloading its pipe (or other technique).

    Will it be unlawful for an ISP to effectively disconnect a subscriber's web page (DOS another way), typically for disapproval-of-content reasons? Examples might be objections to politically incorrect (by legal free speech) statements by third parties, or simple laziness by not validating violation of copyright claims before dumping access.
  • by FishandChips (695645) on Tuesday March 07, 2006 @04:46PM (#14869568) Journal
    The problem at least in the UK is that this act, if passed into law, is unlikely to be used against the professionals or the mythical Mr Big. They will continue as before from their foreign havens while some luckless amateur sadsack in a bedsit is busted to headlines and mucho self-satisfaction from the cops.

    Things are only likely to change - anywhere - when a) there are more politicians who can tell a computer from a tennis racket, and b) the cost of computer crime is forcibly brought home to the politicians to the point where they will start hitting the safe havens with trade sanctions and the like. At the moment, much of that cost isn't above the surface, I would guess. Companies are reluctant to fess up lest it reflect on them and computer crime is accorded a low priority compared to the various "wars" we are all meant to be fighting in these exciting, high-pressure times - the war on terror, the war on drugs, the war on yobs, the war on binge-drinking, the war on obesity, etc., etc. Just my 2 cents, but I can't see computer crime receding till the present generation of politicians has retired or (some might hope) been locked up.
  • Industry response? (Score:2, Interesting)

    by timbrown (578202)
    As a UK pen tester and developer of security software, this bill directly affects me. My initial response was outrage, but having discussed this with colleagues over the last month or so, I can see the counter point that UK computer security law is in need of updates.

    Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that
  • I was wondering how that compared to the average sentence for rape or murder, so I did a little googling, and came up with this page from the parliament website. [parliament.uk] Going by those figures, you're looking at an average of 7 years for rape, 3 for robbery, and so on.

    How the fuck do they justify 10 years for hacking?

    Oh, and the slashdot summary is a little misleading. While it's true that tougher laws against hacking are gaining support, this particular bill has been widely criticised. It's right there in the link
  • OK, it's frivolous, but worth a laugh. DMCA takedown notices have no legal effect within the UK, but they are certainly issued to UK citizens (usually by US lawyers not paying enough attention, for things like running BitTorrent trackers). Now, the intent of a DMCA takedown notice is certainly to deny service (by closing it off via threat of litigation). Remember - the proposed law covers threats to deny service unless financial settlement is reached (DoS blackmail).

    So, now methinks, would that count as a
