Tougher Hacking Laws Get Support in UK
rainbowhawk writes to tell us BBC News is reporting that new laws outlining harsher punishments for computer crimes are gaining support in the UK. From the article: "The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offenses like denial-of-service attacks in which systems are debilitated."
And how should it be enforced? (Score:4, Insightful)
Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.
You want the bot-brain? Good luck. If he has half a brain, the controlling computer is not his, and it's sitting in some country ending in -stan. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.
You want the bot-drones? Well, while this does have my full support, you can already hear the outcry from computer illiterates who fell for the marketing hype around the 'net and "how easy it is to get on", only to realize now that if they don't have a clue what their computer is really doing on the net, they're now with one foot in jail when they even go online. Can you see the Sun headline already? "Granny charged with computer crime!"
So, how is this going to do ANYTHING meaningful against DDoSs or other computer related crime?
In turn, what it accomplishes is that there will be fewer and fewer people with relevant skills. Let's face it, everyone, literally everyone, who is in the security biz today, from 'net security to virus analysis has some kind of record. Either a public one or (if he's good) at least one that didn't get public. But everyone has scratched and sniffed at a server or two. If you threaten new and intelligent people with jail time comparable with premeditated severe bodily harm (up to 10 years sentence here), they will go out and find some less "dangerous" hobbies.
And the price for good security experts in the UK will rise. Either that, or you have to import them from some country ending in -stan, because there they can still learn the tricks of the trade.
Re:And how should it be enforced? (Score:4, Insightful)
What happens when somebody complains about a thorough slashdotting?
Remember, Google can be taken off the air when word of a DOS attack happens (I am a firm believer that 99% of DDOS attacks are curious web users on the grapevine testing a site supposed to be under sustained attack).
Re:And how should it be enforced? (Score:2)
Imagine you're running a blog. On a small server with a so-so connection at a local provider. Then you find something important. Something outrageous. You get quoted in newspapers, you get quoted on CNN or worse, you get quoted on
Result? DDoS at its finest.
Not even intentional. People just wanted to read your page.
Illegal?
Re:And how should it be enforced? (Score:3, Insightful)
Simple. If, by luck, they ever manage to catch someone they now have a law to charge them with.
Until then, it helps keep MPs elected.
So it's the answer to "DO SOMETHING!"? (Score:3, Interesting)
Re:So it's the answer to "DO SOMETHING!"? (Score:2)
Re:And how should it be enforced? (Score:2)
Re:And how should it be enforced? (Score:3, Interesting)
I disagree with this statement. Many people learned security the right way. There are places with servers designed for testing. You don't
Re:And how should it be enforced? (Score:3, Insightful)
IMHO, DDoSs is like a boycott.
No it isn't, it's more like a denial of, say, a service. A boycott is you and your slashbuddies refusing to buy brand X. A DOS is you and your slashbuddies refusing to allow others to buy brand X. See the difference?
Re:And how should it be enforced? (Score:3, Informative)
I do not see how you get from "scratching and sniffing" to a record. I, along with most reputable security folks, spend a large amount of my personal income on equipping my lab so I can try things out without doing it on other people's s
Re:And how should it be enforced? (Score:2)
Before someone asks, no, I do NOT advocate going out and trying to hack some machines that don't belong to you. What I DO highly advocate, though, is getting in touch with like minded people and trying to bring each other's defenses down. It's amazing how much you can learn that way, even if you've been in the biz for years. And it al
Re:And how should it be enforced? (Score:2)
Since I'm not sure if they get active on their own (very unlikely) or only after someone complains, I'll be better safe than sorry.
Re:And how should it be enforced? (Score:4, Insightful)
(A smokescreen of words can make any point look valid.)
The second part of your argument is that it will reduce the number of skilled people. However, I submit that market forces will make sure that as long as skills are in demand, a supply will be created. And it is extremely possible to obtain the relevant skills in a legal and ethical manner.
I don't know that this law is good or bad; I haven't really looked at it. (The laws do need to be carefully written to make sure it remains legal to provide all relevant security services, which based on other comments may be an issue with this law.) I'm just pointing out your arguments are specious.
Re:And how should it be enforced? (Score:2)
Yes, a law that catches dumb criminals is better than no law. I do, however, expect that the number of dumb people able to create the brain for DDoS attacks is rather small to nonexistent.
The second part should actually point towards the fear of doing something illegal and thus not doing it altogether. When you're new to the
Re:And how should it be enforced? (Score:2)
I'd point to examples like the Copyright, Designs and Patents Act, which contain explicit exemptions for security researchers and the security services. I would imagine that the government would insist on those same exemptions within the bill
Re:And how should it be enforced? (Score:2)
Re:And how should it be enforced? (Score:2)
That works quite well as long as the attacking (or in this case, controlling) computer can be reached by authorities. Have you ever tried to execute any kind of warrant in a still rather "approachable" country like Russia? Unless some interests in Russia are involved or it's a crime that could go at the very least to the EC supreme court, your chances of not even hearing back from them (and "you" being something like the UK go
Re:And how should it be enforced? (Score:2)
Or he lives in one of the two countries whose name ends in "Korea".
Hint: It's not the nice one.
Re:And how should it be enforced? (Score:2)
I use -stan as the "generic unapproachable country where you can commit computer crimes" because there are quite many that end in -stan, most of them in an area that has better worries than whether someone used the 'net to actually get some money into the country, legally or not.
Re:And how should it be enforced? (Score:2)
Yes, one is a man made problem, the other one a natural catastrophe (albeit some might argue whether man made it worse... not the topic now), the problem is the same. You can make the law, but you cannot execute it.
You want the instigator? Good luck. If he has half a brain, the murder weapon is not his, and he used a hitman. If he has no brain, all you accomplish is to execute Darwin's law: Survival of the best.
You
ISPs only get active if it's in their interest (Score:2)
Drones, otoh, are a light weight for them. Yeah, from time to time they create some traffic. But none out of the ordinary. Occasionally, a flood of emails is sent from a drone. Ok. A short spike. Sometimes, a DDoS is running from them. Ok. Quite some traffic, but well distributed over time (you can't run a DDoS f
Slashdotting? (Score:5, Funny)
You think this is a joke? (Score:5, Interesting)
Actually, Slashdotting almost certainly would be regarded as a deliberate DDoS attack.
I would expect that if the Slashdot editorial staff continue to allow linking in articles without giving any sort of warning or (better) seeking consent from the linked service's admins, the first case will go against Slashdot in a matter of minutes, and there will be genuine consequences for the admins. Let's hope the more enlightened editorial policy zillions of Slashdotters have been advocating for years results.
Re:You think this is a joke? (Score:2)
Also, slashdotting is carried out by hundreds or thousands of users, of their own free will, clicking on a link, Ddos is done with zombie machines.
Re:You think this is a joke? (Score:5, Interesting)
Reading the proposed wording, there is no definition of "DDoS". The offences are defined in terms of denying access to a system, and you would simply have to make the case that the Slashdot editors had the requisite knowledge and intent. The knowledge is clear; the Slashdot effect is widely known, and it is not credible that the editorial staff are unaware of the likely effect of linking to a site on the front page of Slashdot. The intent is less clear, but I'm sure you'd find a lawyer who could make a strong case for it. We might refer to a "DDoS attack" in conversation, but the use of zombie machines or whatever is irrelevant to whether or not an offence is committed under the proposed law.
Re:You think this is a joke? (Score:2)
And so few people RTFA that it isn't a huge issue anymore :p
more info (Score:4, Informative)
Re:more info (Score:2)
Ambiguity (Score:5, Interesting)
What constitutes a hacking tool? A terminal emulator? Linux?
Re:Ambiguity (Score:2)
"Do you have a license for that C++ compiler, mate?"
Re:Ambiguity (Score:5, Insightful)
This is one of those laws written by people with no clue about technology, and therefore hopelessly and dangerously broad. In this case, the text reads:
A loose but credible reading of the above seems to cover every mainstream operating system, every compiler or interpreter, every text editor, every communications tool, and more.
Re:Ambiguity (Score:4, Insightful)
Re:Ambiguity (Score:2)
Re:Ambiguity (Score:2)
I think our anonymous friend has missed my point here. It doesn't say the article can't have other, legitimate uses. Simply being designed or adapted for use in connection with an offence suffices. Any communications software is designed or adapted for use in sending communications, which is how many of these offences will be initiated.
NB: I'm not saying this is a sensible interpretation of the wording, merely that it is a possible one. Courts have missed the point far more spectacularly in the past.
Re:Ambiguity (Score:2)
Making, supplying, adapting, or offering to supply something which is designed for, or adapted for allowing someone to cause a computer to do anything with the intention of accessing any program or data that they (person using the program) know is unauthorised.
I'm having trouble even parsing what they're trying to say, let alone what it means -- this will probably be something which is interpreted differently by everyone who reads it.
After all, it's easier to define "accessing st
What? (Score:5, Funny)
Re:What? (Score:3, Informative)
Just FYI, we don't currently have degrees of murder here in the UK. If you commit murder, the only sentence available to the judge is life. (This is one reason why guilty of manslaughter is often the verdict returned instead; manslaughter carries the widest range of possible sentences of any crime in the UK.)
Re:What? (Score:2)
I'm not too keen on British law, so I was hoping someone would correct me. That's pretty frightening, if the definition is the same across the pond (deliberate, premeditated homicide). So a mafia killing is treated the same as say, a father murdering the kid-next-door who was messing around with his daughter?
Re:What? (Score:2)
Re:What? (Score:3, Informative)
Actually, I think it is the view of the British public but not mine. Here are two examples of murder that I strongly believe shouldn't have a mandatory life sentence:
1. Assisted suicide: the prosecuting authorities almost never bring a charge of murder but there would be no defence if they did.
2. Gross provocation: the whole business of pleading not guilty to murder but guilty to manslaughter "on the gr
Re:What? (Score:3, Informative)
Well... the thing is that in British law, life doesn't mean life.
I'm not an expert, but my citizen's understanding of it is that the judge also sets a tariff, which is a number of years after which you
Re:What? (Score:3, Interesting)
Re:What? (Score:2)
Re:What? (Score:2)
Re:What? (Score:2)
Actually, I think it would be classified as "suicide-by-cop" as they toe-tag your corpse at the scene.
Re:What? (Score:2)
Uh, which one are you saying is worse? Because I wouldn't have a problem with them both getting life.
Re:What? (Score:2)
Re:What? (Score:3, Insightful)
Re:What? (Score:2)
Hacking tools... (Score:5, Insightful)
Re:Hacking tools... (Score:2)
So, probably possession is illegal. I say "probably" because I do not understand exactly what they mean with "with a view to its being supplied for use to commit [...] an offen
Sony? (Score:5, Insightful)
And where will monstrosities such as Sony's rootkit fit into this? Surely our corporate overlords would be held just as accountable under these new laws as a poor 16 year old hacker in his parents' basement.
Re:Sony? (Score:2)
But I'm sure this can be settled somehow. After all, that 16 year old hacker doesn't have a good deal of your workforce in his grasp and could sack them with a moment's note. An international corp, otoh, doesn't care if it employs some people in the UK or elsewhere.
Re:Sony? (Score:2)
I'd settle for the biggest, most prominent members of the pool.
Beheaded and mounted on my wall, of course.
Awkward justice system (Score:5, Insightful)
Re:Awkward justice system (Score:3, Interesting)
Does anyone else find it COMPLETELY wrong someone like Milan Babic (former Croatian Serb leader who just committed suicide) serves 13 years for genocide crimes and hackers can serve as much for a little denial of service attack?
Yes. I live in the south-side of Glasgow, the area represented by Mr Harris. The issues here aren't, apparently, genocide and war: they are graffiti and "anti-social behaviour" (and now, presumably, ha><0ring). Meanwhile, Mr Harris's colleagues in the (Labour-controlled) c
Welcome to the new world (Score:5, Insightful)
Wrong?
From a moral point of view, yes.
From a human point of view, yes.
From a personal point of view, YES.
From a financial point of view, no.
You got 3 tries to guess which one counts.
Re:Welcome to the new world (Score:3, Interesting)
You make a valid point (that a DDoS attack has the potential to create real harm), but it's slightly irrelevant: if, through dangerous driving, I crash a motor vehicle and kill someone I would, quite correctly, be charged with manslaughter. It doesn't, however, equate to the deliberate and systematic mass murder of civilians and should not merit an equivalent sentence.
Re:Welcome to the new world (Score:2)
Besides, the potential harm from a DDoS on a hospital's network is minimal. If it IS a threat, it's time to reconsider the structures in the hospital. Human life isn't something you should entrust to something as instable and unreliable as the internet!
Guangdong China Hackers Look Out! (Score:2)
So we are to assume that the UK will send in 007 to extract and/or annihilate the hackers from China? [computerworld.com]
P.S. That would be " years " not " years' "
Re:Guangdong China Hackers Look Out! (Score:2)
Then you're mistaken, at least on the European side, as a few moments consulting any popular usage guide will confirm. (The first result of googling for "apostrophe usage" includes a related example, as do several further results from the first page.) This isn't even a stylistic point; failure to use the apostrophe is simply wrong according to British English.
We will always be at war with Oceania! (Score:2, Interesting)
My guess is that they're more worried about details of the Iraq misadventure will be found by activist hackers, or Members of the House of Lords or House of Commons visits to
Re:We will always be at war with Oceania! (Score:2)
Script Kiddies go free ;-) (Score:5, Interesting)
Re:Script Kiddies go free ;-) (Score:3, Insightful)
This essentially makes British law inclusive, which is very bad. Instead of prohibiting a set of actions, it now appears okay to simply list what is okay, and assume blanket illegality for anything else.
Appropriate Law (Score:2)
Of course, better enforcement of current laws would probably deter more crime than increasing the sentence.
Re:Appropriate Law - OT: Solution? (Score:2)
What I find incredible is that this business of locking people in cages obviously doesn't work*, yet we continue to use this. Isn't insanity defined something like "doing the same thing over and over but expecting different results"? If the system work
Re:Appropriate Law (Score:2)
Compare/Contrast... (Score:4, Interesting)
It'd be even more interesting to see a news outlet pick up a story on that. Anyone care to send a suggestion off to NPR?
Anyway... if the punishments for the electronic equivalents are more severe than the real world crimes, perhaps the lawmakers in question need to review their statutes about smoking crack and turn themselves in for appropriate punishment.
Re:Compare/Contrast... (Score:2)
Those are not equivalent offences.
When you shoplift a CD, the shop has lost property. When you make an illegal copy of something, no property has been lost.
When you shoplift a CD, you aren't enabling other offences. When you downlo
Re:Compare/Contrast... (Score:2)
Rules need to exist for creators too (Score:3, Interesting)
Companies that create software or firmware need to be held to a quality standard that creates a modicum of safety or security. There will always be people who will try to break into systems, but if the software is hardened to a certain extent then maybe the scr1pt k1dd13s will be kept out and reduce the number of compromises to those who actually can break in through their own work.
Re:Rules need to exist for creators too (Score:3, Insightful)
You can harden Windows to a stage where it is very difficult to break into; equally, you can deploy UNIX, VMS and AIX in a fashion that is very open. The fact that someone uses something with insufficient knowledge to do so properly can not be blamed entirely on the manufacturer. If they knowingly and negligently allowed it to be released with
Re:Rules need to exist for creators too (Score:2)
But... (Score:2, Insightful)
Re:But... (Score:2)
Is it official? (Score:3, Interesting)
Re:Is it official? (Score:2)
All for using "../" in a URL...
Good thing he didn't accidentally leave off the end of a URL and get
Error: Directory Listing Denied. This Virtual Directory does not allow contents to be listed.
Explicitly forbidden access! They'd throw the book at him!
Re:Is it official? (Score:2)
I agree justice wasn't done, but the law (as it stands) was enforced correctly. This was reflected during sentencing and is what gives rise to the statement "The law is an ass". This is actually one of the reasons the law needs updating.
The new bill gives more precise definitions of what should be considered illegal (which
How long till Alan Cox moves? (Score:2)
I do hope there will be a modicum of common sense exhibited by the MPs when they toss this one into the trashcan of history, to be repeated at suitable intervals when there isn't anything else to stir up the sheeple with.
--
Cheers, Gene
Misinformation pays. (Score:2)
On h4x0ring to DDoS extortion - equate to Banksy on "graffiti is not a crime. I am reminded of this by real criminals who find the idea of br
What about DOS by the ISP? (Score:2)
Will it be unlawful for an ISP to effectively disconnect a subscriber's web page (DOS another way), typically for disapproval-of-content reasons? Examples might be objections to politically incorrect (by legal free speech) statements by third parties, or simple laziness by not validating violation of copyright claims before dumping access.
An eyecatching initiative (Score:3, Insightful)
Things are only likely to change - anywhere - when a) there are more politicians who can tell a computer from a tennis racket, and b) the cost of computer crime is forcibly brought home to the politicians to the point where they will start hitting the safe havens with trade sanctions and the like. At the moment, much of that cost isn't above the surface, I would guess. Companies are reluctant to fess up lest it reflect on them and computer crime is accorded a low priority compared to the various "wars" we are all meant to be fighting in these exciting, high-pressure times - the war on terror, the war on drugs, the war on yobs, the war on binge-drinking, the war on obesity, etc., etc. Just my 2 cents, but I can't see computer crime receding till the present generation of politicians has retired or (some might hope) been locked up.
Industry response? (Score:2, Interesting)
Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that
10 Years for Hacking? (Score:2)
How the fuck do they justify 10 years for hacking?
Oh, and the slashdot summary is a little misleading. While it's true that tougher laws against hacking are gaining support, this particular bill has been widely criticised. It's right there in the link
Re:10 Years for Hacking? (Score:2)
Now in an ideal world, the legal system would use existing fraud, theft and manslaughter laws to convict said attacker, but since politicians aren't as clueful of computing as
Re:10 Years for Hacking? (Score:2)
What about spurious takedown notices? (Score:2)
So, now methinks, would that count as a
Black? White? Grey? Define it! (Score:5, Insightful)
What they want is the perfectly safe and sane net. Which is by its very design impossible, the net itself is "dumb". It shuffles packets from A to B, not caring (too much) about their content. And that's its purpose.
Their idea seems to be that, if there is nobody who CAN hack, nobody DOES hack. But that's the same theory you can apply to guns. What happens if you outlaw guns?
Exactly.
The best defense against an attack is to have the better guns. Or, in terms of the 'net, the better hackers. If you outlaw them, if you outlaw learning the techniques and the tricks, which you pretty much do when you outlaw hacking altogether, since even a page about hacking can be labeled a "hacking tool", you do the equivalent of outlawing weapon development in your country.
And what happens when you do but other countries don't?
Exactly.
Re:Black? White? Grey? Define it! (Score:2, Funny)
Permit me to state the obvious, and suggest that it's a grey area...
Re:Black? White? Grey? Define it! (Score:2)
People tend to think in black and white. Of course, breaking into a system and trashing it after leeching everything to be found on it is deep, dark black. Tinkering with your own system, tweaking it, finding a security bug, writing a multi page protocol, designing a bugfix and posting it all on as many bugtracking sites as you can is shiniest, cleanest white.
It's the many little shades in between that make the question interesting and that cause so many headaches. And that bring us the inane laws
Re:Black? White? Grey? Define it! (Score:2, Insightful)
Countries that have outlawed most firearms are currently the ones with the lowest gun violence -- as opposed to the U.S. where we lead the developed world in gun deaths per-year, and per-capita. Regardless of the initial feasibility, making the act of DoS an illegal act is a step in the right direction. Bottom line is that without things like SPAM, viruses, and DoS attacks the net would be a nicer place by far.
And your outlawing analogy also falls thru on the learning aspect -- it isn't illegal to DoS yo
Re:Black? White? Grey? Define it! (Score:2)
Economy rises like in the "real" cold war because both sides buy better guns. Only without the fear that you'll soon be living underground and your hairdo is looking weird.
Re:Black? White? Grey? Define it! (Score:2)
The advantage of a cold war over a hot is that at least people stay alive and development progresses, instead of people dying and lots of resources being wasted on the destruction of more resources.
Re:Black? White? Grey? Define it! (Score:2, Interesting)
US DOJ [usdoj.gov]
NewsMax [newsmax.com]
The Weekly Standard [weeklystandard.com]
Get off your "Britain is better" high horse, because it's completely wrong.
Re:Black? White? Grey? Define it! (Score:2)
How Slashdot has changed. (Score:2)
Just an observation...
The problem: Countries have other problems (Score:2)
In some countries they really still have some real problems. And they also have real crime. Where it's not only gang members that get mugged and shot regularly, but actually normal, ordinary people.
How many cops do you think they'll willingly divert towards solving the crime problems of other countries? After all, what do they get in return? It'
Re:Good Idea, but probably not going to work... (Score:2)
"What's that huge red blotch on the map?"
"Soviet Russia"
"And that tiny brown speck?"
"The great German Reich."
"Does the Führer know that?"
Re:Look out Sony - NT (Score:2)
No, no — they've already rooted NT.