EU wants to criminalize "Hacking Tools" (wired.com)
169 points by drKarl on April 9, 2012 | 120 comments



Sam gets arrested because he's carrying burglary tools at 03:00 in the morning and gets charged with burglary.

Defending himself he appears before the judge and asks the judge if they're going to accuse him of rape as well.

The judge, somewhat surprised at the turn of events bellows: "Don't tell me that you raped a woman as well?"

Sam responds: "No, obviously not. But I was carrying my tools."

--

Even if you had the worst of the worst hacking tools sitting around on your system, it should be the actual use of those tools against someone else's machine for which you have no permission to access that creates the offence.

Those that break into systems are not going to be deterred by this at all, and those that make a living doing penetration tests and such will be unable to do their job, giving the bad guys a nice advantage.

Silly lawmakers making silly laws with the best of intentions are the worst thing that can happen. I really wish they would limit their lawmaking to areas where they have some expertise.


> Even if you had the worst of the worst hacking tools sitting around on your system, it should be the actual use of those tools against someone else's machine for which you have no permission to access that creates the offence.

It's not quite that simple. Consider firearms. You might argue it should be the use of a firearm — to threaten, maim, or kill another person — that ought to be legislated against, not mere possession. Plenty of people disagree, as exemplified by the numerous democratic countries around the world where possession of a firearm is illegal in one form or another.

The obvious retort — the "guns don't kill people, people kill people" argument, if you will — is that possession of a tool alone should not be illegal because mere possession is not inherently harmful. That's the point you seem to be making here.

Indeed, both hacking tools and firearms can, in addition to their more obvious harmful uses, also be used to alleviate and even prevent harm — authorised penetration testing being the obvious example in the former case.

Nevertheless, plenty of people are willing to forego those benefits in the case of firearms; why not the same for hacking tools?


Firearms are fairly well defined. Hacking tools are not, and most likely will not be well defined by the legislation. Is ping a hacking tool? Wireshark? tcpdump? a hex editor? telnet? all are used in hacking, but also have legitimate uses.


You might be interested to know that trivial metalworking can construct a piece of metal (known as a sear) that becomes legally classified as not just any firearm, but a heavily regulated machinegun -- because when placed in the corresponding firearm, replacing its original sear, it can make the firearm capable of full-auto fire.

The ATF also considers soda bottles to be suppressors, aka silencers, if there are any suspicious circumstances. Same for any metal tube that's threaded or otherwise easily attached to a firearm barrel. ("Silencer" is a misnomer; they are not silent; they generally reduce noise by roughly 20-30 dB.) Even possession of (1) a gun, (2) a soda bottle, and (3) duct tape, in close proximity, would motivate the ATF to charge you with a firearms crime. Unlike many European countries where such devices are sold without a license and it's considered rude to hunt without one, in the U.S., hysteria over organized and gang crime caused many things to be irrationally banned or strictly regulated, including suppressors and switchblades. [2]

There's also the "rifle" vs "short barreled rifle" classification. The term AR15 is a category of firearms that can range from stockless (nothing to rest against the shoulder) and very short barreled (circa 5-8"), to long range variants that have shoulder stocks and barrels 22" or more. If you buy a rifle variant of an AR15 and buy a short barrel, you've committed a crime. The receiver (the central metal piece that accepts the ammo magazine), because it was originally part of a rifle, is forever classified as a rifle receiver. By converting it into a handgun-like firearm, legally speaking you have converted it into a SBR, or short-barreled rifle, which requires beaucoup paperwork in order to be legal.

In contrast, if you start with a handgun-classified variant of the AR15 [1], no special paperwork is required.

tl;dr : there are some absurd classifications of objects as firearms, or firearms as more heavily regulated types of firearms, that a reasonable person would not understand or comprehend.

[1] http://www.bushmaster.com/catalog_carbon15_AZ-C15P97.asp

[2] http://en.wikipedia.org/wiki/Switchblade#Postwar_knives_and_...


Regardless of the merits of firearms classifications, those distinctions are documented, and firearm design doesn't change nearly as quickly as computer technology. It seems unlikely that there can be a reasonable classification of "hacking tools" that would ever make the criminalization of mere possession make sense.


But gun laws are backwards and make little sense when considering the violent crime statistics (e.g. the US has plenty of gun crime while Canada has comparatively little even though both have a gun carrying population). Guns don't kill people, people do. Anti-gun laws don't stop killings, they just give gangs and the police a monopoly on the most violent type of crime.

Gun laws are one of those things where intelligent, well meaning people replace reality with their model of reality and end up with a backwards system which does nothing to address the root causes. Hint: the root cause of violent crime has a lot to do with inequality, not the number of guns in someone's basement.


> Anti-gun laws don't stop killings, they just give gangs and the police a monopoly on the most violent type of crime.

And that's a bad thing? I suspect the number of casualties from six-year-olds shooting their classmates and teenage rampages would drop significantly if it weren't so easy to get at daddy's gun...

> Gun laws are one of those things where intelligent, well meaning people replace reality with their model of reality

In contrast to all these omniscient people who don't argue from their mental model of reality?

> and end up with a backwards system which does nothing to address the root causes.

Only because it doesn't address the root cause does not mean you should stop treating symptoms.


>And that's a bad thing? I suspect the number of casualties from six-year-olds shooting their classmates and teenage rampages would drop significantly if it weren't so easy to get at daddy's gun...

I'm sure that the casualties from shootings would indeed go down. Casualties from knife injury on the other hand... (http://www.dailyrecord.co.uk/news/scottish-news/2009/09/11/t...)

>In contrast to all these omniscient people who don't argue from their mental model of reality?

Some models are better than others.

>Only because it doesn't address the root cause does not mean you should stop treating symptoms.

In my opinion, it is by far more important to resolve the root causes of problems than it is to duct tape them in an effort to partially stop the bleeding. I thought this was obvious. Humanity has a bad habit of going for quick fixes where none exist and that is the root cause of many of the problems which plague us. Instead of thinking about "saving the children", how about we stop treating each other like crap and encourage people to cooperate not because a stick is being held over their heads but because they actually want to?

Besides, if violence begets violence then are we even duct taping the wound by using oppression to treat oppression or are we reinforcing those pesky root causes even further? Consider that the system which enforces these laws is inherently unfair in that the rich have orders of magnitude more leverage than the poor. How is reminding people who have stepped over that line and taken the inequality into their own destructive hands that they live in an unfair system going to help anyone? The duct tape has a sting of its own.


> I'm sure that the casualties from shootings would indeed go down. Casualties from knife injury on the other hand...

But guns are far superior tools than knives if your intent is to kill. If the body count goes down, that's a win in my book...

> Some models are better than others.

No argument there, but you haven't convinced me that yours is the better one.

> how about we stop treating each other like crap and encourage people to cooperate not because a stick is being held over their heads but because they actually want to?

Because our monkey-brains are not wired for that. We're at least partly subject to the whims of the blind idiot god of evolution, and being an asshole has been a sound strategy for a long time and still largely is. Education can help with that, but is no cure-all.

> Besides, if violence begets violence then are we even duct taping the wound by using oppression to treat oppression or are we reinforcing those pesky root causes even further?

There are many countries with stricter gun laws than the US, and I'd be surprised if most of their citizens would feel any more oppressed than their counterparts in the US.

> How is reminding people who have stepped over that line and taken the inequality into their own destructive hands that they live in an unfair system going to help anyone?

How is restricting access to personal firearms a reminder of an unfair system if it applies equally to all citizens? Also, do you have any data on support of stricter gun control laws by income? It's nice to speculate about the opinion of the downtrodden masses, but some facts would be even better...


and cars are more superior tools than guns (how many died in car accidents this year? 10's of thousands?), but you don't see cars being outlawed... this tells us it's more an emotional reaction than a logical decision.


yeah we definitely need to ban children!


and life! Life causes more death than anything!


I think the difference, from the perspective of the regulator, is that a firearm is a tool with a limited scope of use, and that certain firearms (pistols) have a further limited scope of use that makes their existence noxious. In the US, the 2nd amendment makes this a controversial issue -- not so in most other jurisdictions.

Possession of burglary tools or drug paraphernalia is typically a modifier used to punish ill-intent. If I'm a carpenter walking home from work with a saw and hammer in my bag, I'm not going to be arrested for possessing burglar tools. If I'm trespassing on someone's property in the middle of the night with a crowbar, on the other hand, I'll probably be prosecuted for possessing burglar tools.

"Hacker tools" is sort of in the middle. A sysadmin with metasploit on his laptop is no different than a carpenter with his hammer. The Level-1 helpdesk technician pinched for stealing passwords is using it as a tool for doing "bad" things. The complication is that the line between "hacker tool" and "legitimate" software is thin or even overlapping.


So why criminalize possession if possession will only ever be prosecuted in the context of some other crime? If prosecutors or legislators think they need longer punishments for those crimes, why not just extend the sentence for the base crime, rather than tacking on a bunch of technical crimes like "possession of things we don't like"?


I think that the legal theory is that possession of certain items is indicative of bad intent.

If I carry x quantity of illegal drugs, I'm a user getting charged with a misdemeanor. If I carry x + y quantity of illegal drugs, I'm presumed to be a drug dealer.

I'm just explaining the thought process -- not agreeing with it. Unlike drug sales or burglary, the most important tool for hacking is whatever is in your head.


Firearms kill people by accident. Often.

Hacking tools don't kill people. And they rarely hack into a system by accident.


A firearm sitting in a shelf doesn't magically go off and cause injury.

People handling firearms without proper care cause accidents.

Hacking tools on disk don't break things. People handling hacking tools break things.


> Firearms kill people by accident. Often.

People using firearms often results in unintentional harm, just as people using 'hacking tools' does.

You forget to turn your packet sniffer off when on a public network, you accidentally port scan the wrong IP address, etc.

Obviously the use of hacking tools is unlikely to result in death or serious injury, but they cause real harm. Ask Stratfor what harm hacking tools can do...


Banning things is always a difficult and dangerous proposition, no matter how much harm those things can cause if misused.

For guns, knives, drugs, and other more routine contraband, the law enforcement actions required to maintain such bans have their own costs. Law enforcement can at best selectively enforce such laws, because contraband is almost always hidden. As a result, privacy erodes as politicians and law enforcement want more ability to discover who has contraband.

If something is harmful enough and also rare enough or requires substantial skill to procure, like nuclear weapons or biological weapons, then there's the argument that banning those things improves the safety of society. I am not convinced that the legality really matters; the economics of procurement provide a strong barrier to random ideologues and nutcases from procuring such weapons, and if they can anyway it's doubtful laws would stop them; there's also much more opportunity for anyone along the logistics chain to notice something strange about their buyer and report it to someone, even if the transaction were legal. That can't be done with firearms or knives with thousands being sold a day. However, the consequences of nuclear and biological weapon use are so horrific that despite the economics, it still might be in everyone's best interest to leave them effectively banned.


cars kill people by accident, even more often


"Nevertheless, plenty of people are willing to forego those benefits in the case of firearms; why not the same for hacking tools?"

Those people legislate firearms out of fear and mistrust and insecurity...why should they be allowed to rule on hacking tools?


> It's not quite that simple. Consider firearms.

... and then half the scrolling length of this discussion thread was about guns. Great job!

Actually it's not your fault, it's just HN's terrible threading algo again. Can't we just do what Reddit does and collapse things a little bit? Because it seems there's always some top comment (not always the top-most) that dominates 90% of the discussion. And frankly it's very hit-and-miss whether that dominating comment is on-topic or not.

We could have so much more interesting discussions here on HN ...


Firearms are reifications of information, while hacking tools are information left incorporeal. Arguments founded on their equivalence are as devoid of meaning as those equating bits on a computer to cars on a lot.

Consider the following question: how long does a wire have to be before its ability to transfer information to me places that information in my possession? From both a philosophical and legal point of view, this question seems to permit no satisfying answer.


"Indeed, both hacking tools and firearms can, in addition to their more obvious harmful uses, also be used to alleviate and even prevent harm"

They also have non-defense uses (hunting, sports, or network analysis in the other case). They are probably used for those things more than for criminal purposes.

I don't have to say that I am on the fence on certain aspects of gun control. Rules regulating storage (I'm from Canada) are in my view valid. So are rules on certain classes of guns. At the same time, any gun can kill so some of the restrictions might not be useful but like I said I'm on the fence on a lot of these things.


Gun laws are only stupid in America because we have a Constitutional right to them. If the laws didn't get challenged based on their constitutionality, they'd be a lot more sane because they'd be a lot more broad.


Really, many EU countries have liberal gun laws compared to the UK, and the only reason that the UK doesn't is that the government panicked in the 20's around the time of the general strike and brought in gun laws to restrict ownership of guns; before that we had effectively a similar second amendment right.


guns are not a good example. there is no way i can use a gun for constructive purpose.

think of a knife. 99.99% use the knife for good reasons. However, some use it to harm others. Does it make sense to outlaw knives?

I use wireshark often to see what goes into the request. A lot of developers use it. I think it is mostly used for good intentions.


Self defense is a legitimate constructive use of a gun. Target practice is also legitimate constructive use, unless you also consider martial arts to be not constructive. Hunting, particularly for those who eat what they kill, or hunting varmints, is a legitimate constructive use, ethics of hunting being extra-topical and not relevant in a discussion specifically of firearms.

Maybe 99.99, maybe 99% of guns are also used or possessed for those good reasons, or simply collecting. Suppose 100 homicides a day are carried out in the U.S, although last I looked it's somewhat less than that. How many guns are used at firing ranges and for hunting? Perhaps 10,000, perhaps more.

That's true about knives. Yet the UK has banned carrying any knives other than non-locking pocketknives in public, even for utility. [1] The problem with no lock, is that the blade has a tendency to snap shut on your fingers.

[1] http://www.goxplore.net/guides/Knife_law_%28UK%29#Carrying_K...


I think an even better example is construction tools. Hammers, drills, saws, wrenches, grinders, welders, measuring tape, stud finders, etc. A bunch of these items can be used to break into various secured places and injure or kill someone. But most of the time, they're not, they're used to build or modify things. Most people don't think of a wire testing tool or a saw as a serious weapon and will see the ridiculousness of regulating away ping, wireshark or python.


> guns are not a good example. there is no way i can use a gun for constructive purpose.

That tells us more about you than it says about guns. It says that you're either ignorant or a thug.

We can easily distinguish the two. How many people have you assaulted? If 0, you don't know that folks who use guns criminally have a history of other criminality. If not...

> think of a knife. 99.99% use the knife for good reasons.

That's true of guns as well.


Not really. I use and own many knives, and would never use one on a person, even in self-defense. No one wins in a knife fight. I use knives for cutting food in the kitchen, but also for cutting fishing line, rope, slicing through grass and undergrowth to get to the soil, shaving down wood to fit where I need it to fit, etc. Knives are a tool.

I use a gun to kill. That's its only purpose. Hunting/killing and target practice for hunting are the only things a gun is useful for. I can't use a gun to help me with the crops, to fish, or while working in the garage.

Knives can be used to construct. Guns can only be used to destruct. Not saying guns have no legitimate purpose (I use one for hunting many times per year), but that legitimate purpose begins and ends with killing or practicing to kill. It's a long leap from taking the life of a deer to taking the life of a human, but you use the exact same tool in the exact same way, the only way it can be used.


So are we ruling out target practice for the sake of target practice? I go shooting around once a month for the sole purpose of making a steel plate ring. I have no intention of hunting animals or killing a human being with the firearms that I use; The sole purpose is recreational target shooting. Of course, in a wild scenario such as home invasion that would be a different story, however the same can be said of any object used for defense purposes, be it a knife, pipe, flower pot, etc.

And let's be honest here, you would most definitely use a knife in self defense if it came down to that. It's a preposterous argument to say that in a life or death scenario, you'd opt for a lesser source of protection in order to not use a sharp object.


> And let's be honest here, you would most definitely use a knife in self defense if it came down to that. It's a preposterous argument to say that in a life or death scenario, you'd opt for a lesser source of protection in order to not use a sharp object.

Really?! Well, I guess it's different if, thanks to your gun laws there's a good chance the intruder might be carrying a firearm. No scratch that, if they got a gun, then you're still screwed with a knife.

First, do you know where to hit them to disable them at once? If not, you're now standing really close to a really angry, bleeding intruder.

Second, even if you do, they now bled on the walls, the furniture, everywhere. Have fun cleaning that up.

Third, you just killed a person. You can't really "disable" someone with a knife, either you kill them or you don't.

My advice? A big stick. Like the wooden handle of a broomstick or something. Keeps people with knives at a distance, you can hit them, poke them, and pin them to the ground while you call the police. (stick locks below the chin, behind the jawbone, base of the neck, pushing backwards. very uncomfortable)


I would not use a knife. There is an extremely high possibility that I would be injured by my own knife just as easily as I would be injured by the knife of my opponent. If someone held a knife to me and demanded my wallet, I would give it to him. If someone held a knife to me and demanded my life, I would attempt to disarm him/her with my hands, not my knife. Blades are dangerous in ways that guns can never be.

I covered target practice in "practicing to kill". Whether or not you intend to do so, a gun is used for killing, and practicing with a gun is practicing how to use a tool designed for killing. I understand this may not be your view, but this is reality the way I see it.


> I use a gun to kill. That's its only purpose.

If that's true, the designers aren't very good because most guns aren't that useful for killing. Seriously - .22 is basically a joke for killing people.

> Hunting/killing and target practice for hunting are the only things a gun is useful for.

Unless you're claiming that hunting is "not constructive", you're disagreeing with "there is no way i can use a gun for constructive purpose."

> I can't use a gun to help me with the crops, to fish, or while working in the garage.

So? You can't use golf clubs or a book on python for any of those things either. Oh, and you can use a gun to kill fish. (You then scoop them up with a net.)


Do you honestly think 'hacking tools' are used primarily with good intentions (i.e. as part of authorised penetration testing, interception of network traffic, etc.) and that nefarious use is the exception?

Obviously it's nigh-on impossible to measure, but I'd suspect it is the other way round...


Problem is mostly with classification. Is ping a hacking tool? Is cmd.exe a hacking tool? (black window sure looks dangerous...) Is g++ a hacking tool? If not, can I carry around source code of a port scanner and a compiler on the same laptop? Is that the same as transporting a disassembled gun?

(Any debugger is a killer cracking tool too)

I predict a big market for tetris clones with port scanning functionality...


Ironically not in Germany; they do love their guns - probably a hangover from the 20's

And there are very few countries that explicitly ban all firearms; even the UK, which has very stringent laws, still allows shotgun licenses.


What a brilliant idea! We can have hacking tool licenses! Wouldn't the government love that? oh god, never repeat this to anyone.


I suspect that a fair number if not a majority of MEPs would like that. I think many are still in the PTT mindset where the national phone company (owned by the state) provided all these sorts of electronic services.

Of course people like me would still work for the GPO or DBP or ATT and have cool email addresses like c=uk cn=maurice - but subs like the rest of you would have email addresses that looked more like phone numbers.

BTW I used to have root on the UK's ADMD - in internet terms this is the equivalent of having root on .com


> And there are very few countries that explicitly ban all firearms; even the UK, which has very stringent laws, still allows shotgun licenses.

I'm from the UK myself, so I'm aware my perspective on firearms might be skewed somewhat.

Nevertheless, in my experience there seem to be very few people who see the restrictions on the possession of firearms as a case of throwing the baby out with the bath water.

There are plenty of people who, although acknowledging that more widespread firearm possession may have certain benefits, would nevertheless rather live in a society in which firearms are few and far between.


Yup. I don't think these people are smart enough to realise that making something illegal does not necessarily make something stop happening.


I agree with you that they probably aren't very smart, most of them anyway. However, if you bump up a cynicism level just a tad, here's what you get:

They don't need to stop people from possessing or using "hacking tools", they just need to make the tools illegal so they have one more stick with which to beat people into submission. In fact, it's better if people don't stop using the tools.

For example, say the government wants to do some extra-judicial harm to an annoying person or group (Wikileaks comes to mind). The company hosting the data won't cooperate, so the government "finds out" that they use unlicensed "hacking tools" as part of their business. Now the company is given a choice by the government: hand over the data we want (even though you aren't required to do so under the law) or we file charges for your possession of "hacking tools" and make life hell for your company and staff.

Now, don't get hung up on the details of my example. These sorts of situations are easy to think of and they happen all the time (article a while back about cops around St. Louis comes to mind).

The basic principle is that if everyone is a criminal, whether they intend to be or not, then the government has unlimited power over people through its ability to cut deals with criminals. It can coerce anyone to do anything regardless of constitutional or similar safeguards because it can punish anyone at any time.

Maybe you aren't that cynical (not sure I am, in fact), but I'd rather keep laws like this one off the books, just in case.


Nah, you've called it. That's how it'll go down.


Maybe I'm just too cynical, but I believe they are smart enough to realize that and they just don't care. Lawmaking in modern society is inextricably tied to politics and this seems yet another politically motivated piece of legislation.


I agree. I hate this trend of criminalizing the use of tools, just like they wanted to criminalize the use of "circumvention tools" in SOPA, and if they keep this up in the future they'll probably want to criminalize encryption as well if it makes it hard for them to monitor the web with that NSA Utah datacenter or through some other ways.


> they'll probably want to criminalize encryption as well

I believe there are countries where that is the case. So it is not really that outlandish. Export of encryption software was illegal until 10 or 15 years or so ago.


Perhaps law makers should be limited to making laws that have actual victims.


You probably meant to say "making laws against things that have actual victims," but this came out oddly appropriate...


In Germany there already is a law called "Hacker(tools)paragraf" (§ 202c StGB).

It roughly states that if you provide, create, sell, or distribute tools which can / will be used to commit / prepare a computer-related crime, you shall be punished with one year in prison or a fine.

The problem with this is the vague wording: whether dual-use tools like nmap are affected is open to discussion.

Maybe someone else finds a better translation; you can find the original text here:

http://de.wikipedia.org/wiki/Hackerparagraf


How does that not affect every OS ever?


I would hate to be someone teaching networking in Germany right now. This "paragraph" is throwing out the baby with the bath water.


After criticism they made clear that the well-intended use of those tools is legal.


Almost all politicians in power today (1) didn't grow up with a pervasive Internet, and (2) truly don't understand information technology. For example, the median age of US Senators is currently 62 years [1], and not a single one of them is an engineer (let alone a software developer) [2].

Consider how the term "dangerous hacking tool" sounds to a 62 year-old person who doesn't have even a basic understanding of how software works. No wonder they want to outlaw these "weapons"!

Alas, it's probably too late and too difficult to teach these old dogs new tricks. Realistically, we should expect more idiotic political decisions to be made... until a new generation of politicians (with a better understanding of software and the Internet) gradually takes over.

I wish I could be more optimistic about this.

[1] http://en.wikipedia.org/wiki/List_of_current_United_States_S...

[2] http://www.senate.gov/reference/resources/pdf/R41647.pdf


It's not obvious that the next generation of politicians will be much better. Using computers, including iOS and Android devices, is not enough. Technically minded individuals who understand how those devices work below the surface are still unlikely to go into politics.


This article is a little bit sensationalist. Here is analysis of the actual text of the law:

http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-t...

http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-t...


Brilliant. I commend the EU on its harsher stance on cyber security, cracking down on criminal computer usage and protecting the systems crucial to how we live our lives.</sarcasm>

So now we can't use penetration testing tools? I'm sure computer systems will be much more secure without the threat of security testing software, especially since the only threats we know of are from the EU.

Oh wait.


Wouldn't this in effect make credit card handling software etc impossible to create within the EU?

I'm fairly sure part of "due diligence" would be to perform some form of security audit / penetration test which this would render illegal.


I suspect it's much worse than that. Consider a tool like Wireshark, which is widely used by people developing and testing all kinds of networking software, which in turn handle small tasks like running every home and office network on the planet, not to mention the Internet. Of course, any protocol analyser that you can hook up to your switch/router/etc. to make sure it's sending the right traffic in the right directions could also be stuck on a laptop near any unsecured WiFi network and used to sniff other network users' unencrypted traffic.

The correct solution to this problem, if secure communications is your primary concern, is for the people who understand the technical and security implications to make networking secure by default. Get rid of unsecured WiFi and replace it with something using full-time encryption.

It's also important to educate users of insecure networks so they understand the risks and know what to look out for and what they should do and not do to protect themselves. Use HTTPS where it's available, check you've got the little padlock icon before you type private information into a web site, that kind of thing. Obviously much of this is good practice if you're using the Internet, even if your immediate connection is over an encrypted wireless link.

Of course, there is always option 3: do nothing about the technical vulnerability, but legislate to ban Wireshark and numerous other "hacking tools" like it in the hope that bad people won't exploit that vulnerability. Unfortunately we'll probably have to close down the Internet shortly afterwards and revert to connecting a printer to everyone's PC at the office so they can exchange documents, because no-one will be able to make any networking kit that actually works any more. But that's a small price to pay, for at least we will have stopped Evil Hackers from monitoring our networks!

(Obviously there's a little hyperbole in that last part. But only a little...)


EU internet laws have no effect. Look at the cookie legislation that made it impossible to set cookies on people's machines without explicit consent. What is dangerous is that one day they may be put into use. But for now they are just largely ignored.


Actually I've already personally had the lawyers for a partner ram this one down my throat in the UK. It's absolutely ridiculous how out of their depth these legislators are. To take an idea that is readily implementable and enforceable at the browser level, but instead attempt to force every website operator in the world to implement it poorly at the server/application level is lunacy.

I'm all for privacy legislation, but in this case lawmakers' ignorance is only matched by their hubris.


Yeah, except recently our govt (Poland) got to this 'brilliant' idea http://hackerne.ws/item?id=3794883

//edit: original to translate in case the above doesn't work http://www.tvn24.pl/-1,1740364,0,1,rzad-bierze-sie-za-ciaste...


That link only gives me an empty page


Maybe that's now the only legal kind of web page in Poland?


works for me, I added another url


Uh, the cookie directive isn't being ignored.

In the UK, for example, the directive was implemented on 26 May 2011, but website owners were granted a 12 month grace period to 'get their house in order'.

From 26 May 2012 site owners will face penalties for non-compliance.


This is a dupe. Original source: http://news.ycombinator.com/item?id=3797026

When the original got posted, I already called the MEP in question:

http://news.ycombinator.com/item?id=3797114

TL;DR: They already know this is silly and the final law text will not criminalize tools being used in a research/penetration testing context.

Nothing to see here, move along...


Yeah, German legislation for everyone!</sarcasm> "Hacking tools" were made illegal 5 years ago in Germany, resulting in a huge outcry and face palms from those involved in security research (and GNU-tool users)


Bold move but may undercut the knowledge base in the EU in terms of Computer Security. Because in CompSec if you don't know how to break it, you don't know how to secure it. The hacker (the other meaning) community is a part of the internet and a quote as old as the internet is: The Net treats censorship as a defect and routes around it. -- John Gilmore.


I wonder if they include most of the unix/linux command line tools like nmap, netcat, etc...

Laws about computers made by computer illiterates...


I believe I've heard that there are virus scanners that will immediately delete any copy of netcat they come across.


What is considered a hacking tool? Does it only affect highly automated, single purpose tools which can not be used in any legitimate way, or does it affect things like hexdump or nc?

Also, who makes the distinction? Is it evaluated on a case by case basis by the court or is there a list of "verboten" tools?


Let me guess, it is evaluated on a per-case basis and then it gets into the list. Some stupid court in the middle of nowhere outlaws tcpdump and then every Linux user is a criminal.


They don't even know because most of these "clever" politicians have absolutely no idea what "hacking" actually means, let alone a "hacking tool"...


Also, would this include just guessing passwords? As that seems to have fallen into the common definition of 'hacking'...


The temptation to pass laws like this (an unstoppable force) exists in fundamental opposition to the reality of tools as powerful, as versatile, as cheap, and as highly distributed as personal computers (the immovable object).

This conflict is the essence of Cory Doctorow's thesis that all the superficially-unrelated tech-related battles we've seen are simply proxy fights in the War on General-Purpose Computing.

I know that opinions about Cory vary considerably, but if there's one article that everyone should consider with an open mind, this is it: http://boingboing.net/2012/01/10/lockdown.html


Well, a computer itself is a hacking tool, no?


In fact your brain is a hacking tool, so everyone born with a working brain could go to jail.


Which means politicians would once again be exempt from the laws they create.


The argument that this would hurt legitimate hacking is a bad one. The example given was white hats hacking into e-voting machines. You aren't allowed to break into government buildings to make sure they are secure, it's illegal.

As far as preventative laws go, I don't think they are right but they are widely accepted by most people as right. I'll use one that most people agree with as an example. Drunk driving in and of itself doesn't hurt anyone, and some people can do it their entire lives without ever getting in an accident. But we make it illegal to try and prevent people from killing each other.


Yes you can't break into government buildings to show they are insecure, but you could buy the same kind of door as they have, and show how insecure it is.

I think this is how a lot of the e-voting machine hacks are done.


It's already illegal in the UK to enter and/or use a computer system without permission, you don't even have to crack it. Presumably this is true in most of the EU too.

So, the only reason I can see that anyone would want this law is so you can prosecute without having to show someone committed a real crime. Kinda like having a law saying you could prosecute people for hit-and-run if they own a car.

If the "hacking tools" are capable of causing near instantaneous death then I think there's an argument for it. Otherwise this seems to be over-stretching the law to infringe on hackers' liberties.


This type of legislation clearly stems from ignorance and a lack of understanding. It infuriates me that people can make judgements like this without actually understanding what they are making judgements on.


In my newly awakened state I first thought this was from The Onion. That's where it should be, at least.


Well, I don't know what to say - this is just stupid. I hope it doesn't go through, but if it does, I'll just store all the potential "hacking tools" on a server in the US, or China, or Japan, or Brazil, or Australia... or encrypted UHS SD cards (it took them a while, but they already know about encrypted hard drives, you see :-)... Seriously, how is this even going to be enforceable (especially with the push for cloud storage)?


> While the law seems aimed at blackmarket tools that can be used to create malware infested sites, it’s also likely to criminalize tools used by researchers, developers and black hats alike – including tools like fuzzers, the Metasploit penetration testing tool and the wi-fi sniffing tool Wireshark. (Perhaps even the command line would be outlawed.)

They take away your guns, so that you can not rebel against them.


Isn't a computer a "hacking tool"?


This seems like the obvious ban. If you outlaw computers, honest people won't be able to use them, leaving no systems for the dishonest people to hack into.


Yes and so are floppy disks - the only hacking (authorised) I had to do was to recover passwords for a customer and I used a floppy disk to extract the secrets from the NT machines.


So would Chrome and Mozilla have to disable "view source" and "developer mode"? Would Apple have to stop shipping Xcode? Would I have to register with an "authority" as a developer? Like a boxer registering his fists as "deadly weapons"?

The insanity continues...


How far does this go?

Can I have a laptop with vi or nmap installed? I imagine most DOS attacks come from people with a pretty generic install, vi and an internet connection.


If you are in the UK, please consider writing to your MEP(s):

http://www.writetothem.com


What about hacking tools that have been installed on your machine without your knowledge, i.e. malware that runs DDoS attacks?


The Low Orbit Ion Cannon isn't a DDoS tool, it's a crowd sourced network stress testing utility!


We need to reinvent the law making! The current system is simply outdated.


"Perhaps even the command line would be outlawed."

Jesus, Wired. Sensationalize much?


I live in the EU and this is simply ridiculous.


Everything is a hacking tool. Every programming language and every pre-existing piece of software, every computer and every phone is a potential hacking tool. Thought itself is the biggest hacking tool.

How are these fucking morons going to define legally what is and isn't a "hacking tool"?


The law has no trouble at all making fuzzy distinctions. They are attempting to keep the peace, not make orthogonal cuts into reality.

We programmers need absolute clarity because our systems are executed by machines with no insight. But in other fields where humans execute rules, everyone else just shrugs and deals with little inconsistencies, or make meta-rules about judging "intent", that sort of thing.


> The law has no trouble at all making fuzzy distinctions.

Actually, in most of Europe it does.

While the US, UK and Ireland's legal system is based on "Common Law", most of Europe uses "Civil Law", where the primary source of law is the law code, which is a systematic collection of interrelated articles that explain the principles of law, rights and entitlements, and how basic legal mechanisms work.

Of course there's still a lot of room for interpretation and pragmatics, but the point is that right from the start, you try to get your definitions down as clear as possible.

It's quite interesting to see how the fundamentals of our legal systems actually differ. I decided to look this up for the first time because at some point I read some thread where some US people were actively discussing interpretation of your Constitution or the Bill of Rights, as to whether something fairly trivial to define could be ruled or not--might even have had to do with the right to bear arms, but the specifics aren't important. I was just amazed that this centuries-old document was seriously being "consulted" as if somewhere between the lines would appear some sort of hidden meaning--except it was pretty obvious that the final decision would rest with the interpretation and political ideas of whatever judge got to rule it. Which completely amazed me, it's one thing if somewhere, in some obscure corner of fiscal tax laws some particular exception to a rule isn't defined unambiguously, but the big-to-medium picture of the law is not supposed to be up for interpretation!

Except in the US, or more precisely in Common Law legal systems, that's pretty much the idea.

I'm not saying it's bad BTW, it's just different. And I'm just commenting on how surprised I was that there's other ways (in democratic countries) than to strictly codify your laws.

[1] http://en.wikipedia.org/wiki/Common_law#2._Common_law_legal_...

[2] http://en.wikipedia.org/wiki/Civil_law_(legal_system)


> How are these fucking morons going to define legally what is and isn't a "hacking tool"?

They won't. They'll just use the broad qualifications to oppress the ones they don't feel comfortable with.


Ah, of course. How stupid of me to think that they would have an empirical definition or set of legal definitions that actually was robust and made coherent sense.

Why bother with the hard stuff when opinionated prejudice gets you where you want to go?


This is 'hacking' a la the popular meaning of the term (gaining unauthorised entry to a computer system), not the definition adopted by self-described 'hackers'.

Think port scanners, password crackers, vulnerability identification and exploitation tools. Any reasonable person would consider these to be 'hacking tools', and that's all a legal system needs for a definition.


As an ex network admin, not having port scanners and vulnerability testing tools would make me feel blind. Those tools have very legitimate uses. Port scanners don't even have to be used for security purposes, sometimes you can't access a machine and want to see what services are active and open to the world etc.


There will probably be a vague exception for legitimate professional use, the way there is for burglary tools. Varies based on the jurisdiction, but whether carrying a lockpick set is illegal depends a lot on factors like whether you're a locksmith, the circumstances in which you were carrying it, etc. The crime essentially boils down to something like: carrying a lockpick set while seeming suspicious and not having a good excuse.


Indeed. I often find myself using nmap on my own network to find out which IP address was assigned to a system when .local/mDNS name resolution is down and the DHCP server doesn't provide enough info to identify a specific computer.


"Think port scanners, password crackers, vulnerability identification and exploitation tools. Any reasonable person would consider these to be 'hacking tools'"

But, once again, these are all perfectly legitimate system engineering tools and are essential for hardening commercial or government or military sites, for example. You can't make something secure unless you know how easy or hard it will be to get past that.

It is like making dynamite illegal for civil engineers or morphine forbidden to medical practitioners or hammers and chisels denied to cabinet makers because they might hurt themselves. Ridiculous!


> It is like making dynamite illegal for civil engineers or morphine forbidden to medical practitioners or hammers and chisels denied to cabinet makers because they might hurt themselves. Ridiculous!

Described in those terms, what would you say to an exception that permitted possession by authorised information security personnel?

That's akin to the legislation we have in the UK with regards to explosives and controlled substances.


The problem with regulating possession of specific kinds of software is that they are entirely a product of the mind. You need specific precursor materials to create explosives and controlled substances, but anybody can imagine and create a good system administration tool.

There should never be a legal concept of an "authorized" information security person. It's about like defining a concept of an "authorized" painter or musician, since all are talents that can be developed in isolation.


There are no legal definitions for being a programmer. There are for being a medical practitioner or a civil engineer. Only practising doctors who are certified to practice may prescribe. Only legally certified civil engineers who after prerequisite training and certification are permitted to handle high explosives and blow things up. Having a degree alone in either of those two professions does most certainly NOT on its own qualify you to do either. Or anything much. So maybe a bad example.

But that's a whole different argument. At present it is "programmers" (self-taught or academic or industrially trained) who make things and routinely test them for hardness. You can't suddenly invent rules that say only certain types of programmer may use and deploy "hacking" tools. That won't work because there is no defined path to test suitability or career fitness in the majority of people who define themselves as "programmers". Too broad a church. Too many disciplines and areas of specialisation. And too few people qualified to legitimately or meaningfully assess that either way. Or are we going to say, for example, only Microsoft Certified Pros are allowed to test? God in heaven forbid!

Reputation (from both peers and clients) and demonstrated output that works is the only test for whether someone is a good or bad (read, fit or unfit) programmer.

And no, in answer to your question, we don't allow only certain government regulated individuals to have legal access to perfectly ordinary systems analysis tools. They are probably the last people you want doing it.


that's probably what they want


port scanners, password crackers, vulnerability identification tools, all have legitimate system engineering uses.

consider the black hole exploit kit, or the poison ivy RAT, or zeus. these are tools that have one purpose: exploit specific vulnerabilities, some of them unreported, and install monitoring software that allows a third party to take control of a system without that system's user's or owner's knowledge or consent.

surely the number of times that activity is going to be part of perfectly legitimate system engineering would be vanishingly small? when would you need to exploit a 0day vulnerability as part of legitimate system engineering?


"when would you need to exploit a 0day vulnerability as part of legitimate system engineering?"

When you think you have just found a 0-day in your systems and want to check if you are right or not.


okay, when would you need to purchase a 0day vulnerability from someone else to exploit thousands of other systems as part of legitimate system engineering?


Well, if they'd be considering to outlaw selling 0days on the black market, that'd be a whole different discussion.

My first intuition would be all for it, actually. Though there might be some consequences I haven't considered.

For all I know that could already be illegal? Anyone?


The problem is defining the black market.

Anyone with software affected by a 0-day is effectively a legitimate buyer of that bug.


Well, if working for a company where you are in charge of the security of thousands of systems, you might be asked to do exactly this.

If I was running a massive company, I would want my network security team to be buying up the latest cracking tech and checking it against as much of the corporate systems as possible.

Any corporation with any sense and lots of stuff they need to secure pays people to attack their corporate networks with anything and everything available, and then report back.


> When you think you have just found a 0-day in your systems and want to check if you are right or not.

That's like shooting yourself in the foot to see if the bullet hole is the same.


More like shooting a dummy in the foot? How is this even a valid comparison?


Huh? Same as what? We are talking about 0-day vulns. By definition if you think you have found a 0-day, you have little to compare it to.

Exploiting a bug on your system to verify that it is a bug that can be exploited would seem to be one of the very first things to do after verifying your backups, if you think you have found a 0-day vuln.

Otherwise, how would you know that it is what you think it is?

There is no general procedure you can run on code to check this for you other than actually checking it and seeing what it does.



