Tougher Hacking Laws Get Support in UK 189
rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."
And how should it be enforced? (Score:4, Insightful)
Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.
You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.
You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"
So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?
In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two. If you threaten new and intelligent people with jail time comparable with premediated severe bodily harm (up to 10 years sentence here), they will go out and find some less "dangerous" hobbies.
And the price for good security experts in the UK will rise. Either that, or you have to import them from some country ending in -stan, because there they can still learn the tricks of the trade.
Hacking tools... (Score:5, Insightful)
Sony? (Score:5, Insightful)
And where will monstrosities such as Sony's rootkit fit into this? Surely our corporate overlords would be held just as accountable under these new laws as a poor 16 year old hacker in his parents' basement.
Awkward justice system (Score:5, Insightful)
Black? White? Grey? Define it! (Score:5, Insightful)
What they want is the perfectly safe and sane net. Which is by its very design impossible, the net itself is "dumb". It shuffles packets from A to B, not caring (too much) about their content. And that's its purpose.
Their idea seems to be that, if there is nobody who CAN hack, nobody DOES hack. But that's the same theory you can apply to guns. What happens if you outlaw guns?
Exactly.
The best defense against an attack is to have the better guns. Or, in terms of the 'net, the better hackers. If you outlaw them, if you outlaw learning the techniques and the tricks, which you pretty much do when you outlaw hacking altogether, since even a page about hacking can be labeled a "hacking tool", you do the equivalent of outlawing weapon development in your country.
And what happens when you do but other countries don't?
Exactly.
Re:And how should it be enforced? (Score:4, Insightful)
What happens when somebody complains about a thorough slashdotting?
Remember, google can be taken off the air when word of a DOS attack happens (I am a firm believer that 99% of DDOS attacks are curious web users on the grapevine testing a site supposed to be under sustained attack)
Re:And how should it be enforced? (Score:3, Insightful)
Simple. If, by luck, they ever manage to catch someone they now have a law to charge them with.
Until then, it helps keep MP's elected.
Re:Ambiguity (Score:5, Insightful)
This is one of those laws written by people with no clue about technology, and therefore hopelessly and dangerously broad. In this case, the text reads:
A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.
Re:What? (Score:3, Insightful)
Welcome to the new world (Score:5, Insightful)
Wrong?
From a moral point of view, yes.
From a human point of view, yes.
From a personal point of view, YES.
From a financial point of view, no.
You got 3 tries to guess which one counts.
Re:Script Kiddies go free ;-) (Score:3, Insightful)
This essentially makes British law inclusive, which is very bad . Instead of prohibiting a set of actions, it now appears okay to simply list what is okay, and assume blanket illegality for anything else.
But... (Score:2, Insightful)
Re:Rules need to exist for creators too (Score:3, Insightful)
You can harden Windows to a stage where it is very difficult to break into; equally, you can deploy UNIX, VMS and AIX in a fashion that is very open. The fact that someone uses something with insufficient knowledge to do so properly can not be blamed entirely on the manufacturer. If they knowingly and negligently allowed it to be released with unfixed flaws then yes it would be wrong, if they made errors in production that they then fixed you can not blame them for that.
Take a real world example of a car that is produced with a faulty seatbelt and airbag combo. If the manufacturer was selling knowing that it was unsafe then it is wrong. If they sold it, realized the problem and then recalled all the effected models to fix them, without charge there is not problem. You could not them blame them for someone driving the car into a cement wall and not surviving. Why then do we think it is Microsoft's fault when some idiot puts an un-patched NT 4 box on the internet and it is compromised in short order?
Re:And how should it be enforced? (Score:4, Insightful)
(A smokescreen of words can make any point look valid.)
The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.
I don't know that this law is good or bad; I haven't really looked at it. (The laws do need to be carefully written to make sure it remains legal to provide all relevant security services, which based on other comments may be an issue with this law.) I'm just pointing out your arguments are specious.
Re:Ambiguity (Score:4, Insightful)
Re:Black? White? Grey? Define it! (Score:1, Insightful)
Exactly."
Um, if you outlaw guns, you get a place like Britain - same standard of life as the states but without huge numbers of gun-related homicides.
(I'm both British, and pro-gun, but this example was just stupid.)
An eyecatching initiative (Score:3, Insightful)
Things are only likely to change - anywhere - when a) there are more politicians who can tell a computer from a tennis racket, and b) the cost of computer crime is forcibly brought home to the politicians to the point where they will start hitting the safe havens with trade sanctions and the like. At the moment, much of that cost isn't above the surface, I would guess. Companies are reluctant to fess up les it reflect on them and computer crime is accorded a low priority compared to the various "wars" we are all meant to be fighting in these exciting, high-pressure times - the war on terror, the war on drugs, the war on yobs, the war on binge-drinking, the war on obesity, etc., etc. Just my 2 cents, but I can't see computer crime receding till the present generation of politicians has retired or (some might hope) been locked up.
Re:Black? White? Grey? Define it! (Score:2, Insightful)
Countries that have outlawed most firearms are currently the ones with the lowest gun violence -- as opposed to the U.S. where we lead the developed world in gun deaths per-year, and per-capita. Regardless of the initial feasability, making the act of DoS an illegal act is a step in the right direction. Bottom line is that without things like SPAM, viruses, and DoS attacks the net would be a nicer place by far.
And your outlawing analogy also fallls thru on the learning aspect -- it isn't illegal to DoS your own server. People can just learn to do this without harming others -- or they could go to college, either/or.
Your logic smells like the old cold-war logic -- we have to have the ability to strike because they have the ability to strike -- but guess what, "they" and "you" are just "them", the assholes who use DoS attacks. Good riddance to "them".
Re:And how should it be enforced? (Score:3, Insightful)
IMHO, DDoSs is like a boycott.
No it isn't, it's more like a denial of, say, a service. A boycott is you and your slashbuddies refusing to buy brand X. A DOS is you and your slashbuddies refusing to allow others to buy brand X. See the difference?
Re:Ambiguity (Score:2, Insightful)