UK Moves to Outlaw 'Hacker Tools'
twitter writes "New guidance rules for the UK's controversial Computer Misuse Act do not allay fears of impracticality, or of the banning of legitimate IT software: 'The government has come through with guidelines that address some, but not all, of these concerns about dual-use tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offense. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.'" Somewhat similar legislation recently became law in Germany.
Guidance text- rigged against free/open source (Score:3, Informative)
CMA = Computer Misuse Act
The whole thing seems to be rigged against free software/open source and heavily in favour of security through obscurity. Perhaps we should contact them and ask?
Everything below is copied from the guidance.
Prosecutors should be aware that there is a legitimate industry concerned with the security of computer systems that generates 'articles' (this includes any program or data held in electronic form) to test and/or audit hardware and software. Some articles will therefore have a dual use and prosecutors need to ascertain that the suspect has a criminal intent.
Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
* Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
* Are students, customers and others made aware of the CMA and what is lawful and unlawful?
* Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Section 3A (2) CMA covers the supplying or offering to supply an article "likely" to be used to commit, or assist in the commission of an offence contrary to section 1 or 3 CMA. "Likely" is not defined in CMA but, in construing what is "likely", prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly.
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
* Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
* Is the article widely used for legitimate purposes?
* Is the article available on a wide scale commercial basis and sold through legitimate channels?
* Does it have a substantial installation base?
* What was the context in which the article was used to commit the offence compared with its original intended purpose?
Re:IDEs too? Oh yes, and what about OO Design? (Score:2, Informative)
During my research, I struck upon a simple way of preventing identity theft. Freeze your credit. This means that no one could open a line of credit even if they did have your name, address, SSN, and date of birth (precisely my information that was somehow stolen). If you want to open a new line of credit or allow someone to check your credit (say, for a background check on a new job or for insurance), you temporarily unfreeze your credit and then the company can perform the action.
Unfortunately, right now, freezing/unfreezing your credit costs money. It varies per state, but here it's $5 per credit agency to freeze the credit and $5 per agency to unfreeze it. There are 3 agencies, so that's $15 for each freeze/unfreeze.
Why the cost? Mainly to deter people from freezing their credit. Why deter people from doing something that could help them? Easy. Frozen credit can't be checked by credit card companies for those "You're Preapproved" credit card letters. People with frozen credit are less likely to open a credit account by the register in a store for the 10% off their purchase. In short, credit agencies and credit card companies make less money off of you if you freeze your credit. This makes credit freezing bad in their not-so-honorable-opinion and they will do what they can to slow down adoption of it as a tool to fight ID theft.
But what of the ID theft fight? Wouldn't the credit card companies benefit from less ID theft? Perhaps, but they aren't seriously hurt by it either. Credit agencies don't care if that new card was really opened up by you. Credit card companies don't get too hurt by fraudulent purchases. Either the person pays the bill without looking or the company charges it back to the store and the store is the one left in the cold. They make more money from non-frozen credit than they lose to ID theft. And they'll fight tooth and nail to protect their profits over the credit security of the American public.