Under the Computer Misuse Act, the United Kingdom has outlined rules that will essentially ban legitimate IT software. Though pressured, the Home Office refused to back down on its stance of making distribution of such tools and offense. It is, therefore, now illegal to create or distribute software tools that could be used for hacking.
The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.
The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.
One man’s security tool is another’s hacking and cracking tool. The law should state clearly that there are legitimate uses for such tools and that each case be decided on its own merit. You cannot make blanket laws without injuring the innocent. This is a clear case of “if guns are outlawed, then only outlaws will have guns.” If you outlaw legitimate IT tools, then there will no longer be a way to check for vulnerabilities, leaving the “outlaws” with the only tools to break into systems that can no longer be secured.
Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.
We are again faced with people making laws about things that they do not have any idea about how they work. They assume that, because a piece of software can be used illegitimately, then it must be bad and, therefore, banned. They still don’t know the difference between a hacker, cracker, phreaker, and script kiddies.
All this does is make a vain attempt at security through obscurity, something that has never worked well. The next, logical step, is to create certificates, whereby only certified IT professionals may obtain the use of such tools. However, that takes the common user out of the picture, particularly one that might want to use a program, such as nmap, to locate free wifi connections.
It is clear that the British government looks at the tools as the devices of illegal activity and not the users. You are thus claiming that the individual is not responsible for his or her actions. It is the program’s fault and, therefore, the program should be banned.