By silicon.com, 22 May 2006 08:25
IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.
The Police and Justice Bill will update the UK's existing Computer Misuse Act (CMA), bringing in new powers to address the rise of organised cyber-criminals and offences such as denial of service attacks. It was passed by the House of Commons earlier this month, and will be considered by the House of Lords over the next couple of months.
Leading figures in the UK technology sector believe that the bill, as it currently stands, would outlaw a range of innocent activities.
Section 41 of the bill would amend the CMA to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".
It reads:
"A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article -
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the CMA]; or
(b) believing that it is likely to be so used."
Dr Richard Clayton of Cambridge University believes that section 41, part (b), as currently laid out, would catch a wide range of IT tools and activities that are not meant to be used in hacking but potentially could be.
Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.
He said: "Perl is almost universally used on a daily basis to permit the internet to function. I doubt if there is a sys-admin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit.
"Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."
People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.
He argued: "The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the internet less safe."
Malcolm Hutty, regulation officer at the London Internet Exchange, shares Clayton's fears about the bill. He believes it would make people much more reluctant to make useful software tools available to the public.
Hutty said: "We are concerned that the scope of [section 41 of] the bill is too broad, and could criminalise a lot of innocent people."
He said organisations such as Linx have been urging the Home Office to have the bill altered. Some amendments were made following these lobbying efforts but Hutty believes the government should have gone further.
He also believes section 41 could be interpreted as including the supply of information about security vulnerabilities, as that advice could be used to commit a criminal offence.
Hutty said: "You could reveal details of a security flaw, and someone could hear that and decide that not everyone would be patched yet," adding that this could even include media outlets which reported on security flaws.
The Home Office denies suggestions the bill will criminalise systems administrators by outlawing software which could be used in cyber crime attacks.
A Home Office spokeswoman said: "There is a hacking amendment but it doesn't criminalise those innocent of hacking attacks. [It] shifts the emphasis on to those intending to deliberately develop tools for criminal use."
Graeme Wearden and Tom Espiner write for ZDNet UK

Comments
There are 4 comments.
1. anonymous
This is like saying that the man who makes crowbars, alias jemmies, should stop because they might be used by housebreakers. Selling one to someone who you think is going to use it for housebreaking is not the same as selling one to a builder. And if you do not know how it is going to be used you have not committed an offence.
The Home Office wording seems perfectly clear. This is pedantry. And if the new law results in those running security websites trying to record who downloads what and supplying that to law enforcement, just in case, that might be all to the good.
2. Graham Coles
History repeats itself again.
I seem to recall when the American DMCA law was introduced they claimed it would only be used against criminals.
One of its first uses was to threaten a professor at Princeton to prevent him giving a research presentation, and a string of similar threats have been used to restrict security research ever since.
I can't see this law doing any good. Criminals will simply share the tools among themselves while future IT security experts are either unable or unwilling to obtain the tools to do their job.
Another example of the law shooting itself in the foot by producing laws that criminalize everybody.
3. Roger Huffadine
Umm - so I won't be allowed to 'ping' an IP address to see if it responds - 'cos I might use the information for a criminal act. Sort of ties my hands behind my back at work. Here is a question - "when is a ping an act of hacking and when is it system maintenance?"
4. Radical Meldrew
This amendment to the bill is a clear infringement of the misuse of words act.
I know there isn't one but, without doubt, there should be.
Albeit with good intentions, successive governments have continuously issued badly worded bills and amendments which are open to misinterpretation. Is this caused by ignorance, apathy or both?