Saturday, January 5, 2008

10% hypocrisy

I started out with a little rant about the proliferation of international legislation relating to computer hacking tools. The most recent addition is a set of new guidelines relating to the creation and distribution of hacking tools. The key issue here is summarized in the following article:
Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about "dual-use" tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.
More details about amendments can be found here as well.

These guidelines join new language put into the German computer crime laws. In an article discussing the two laws:
This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively a crime.
The fallout from this is that a number of security-related research and development groups have moved out of the country or closed up shop entirely. In an interesting quote (see previous link) from Stefan Esser (a PHP security activist):

"The law does not affect our freedom of speech to report and inform about security vulnerabilities and how to exploit them.

We are just not allowed to create/distribute/use software that could be used as "hacking tools"."

My feelings about this are quite mixed - it seems like the overall notion of free speech and expression is being curtailed. The most significant issue with this is not that there will be a large-scale crackdown on security researchers of all types. Rather, this places a powerful tool in the hands of law enforcement with regard to generating probable cause for wiretapping. This is most interesting in the context of international treaties.

There are a number of other nations who have enacted or are looking to enact similar legislation including the US. I have blathered endlessly about the tedious chipping away of civil liberties in this country so this will be (mercifully) skipped. An interesting fact is the US has a treaty with the Council of Europe with regard to cybercrime issues. The EFF has a nice paragraph on it:
The treaty requires that the U.S. government help enforce other countries' "cybercrime" laws -- even if the act being prosecuted is not illegal in the United States. Countries that have laws limiting free speech on the Net could oblige the FBI to uncover the identities of anonymous U.S. critics or monitor their communications on behalf of foreign governments. American ISPs would be obliged to obey other jurisdictions' requests to log their users' behavior without due process or compensation.
Have I managed to get across the point that there is an even greater legal apparatus in place than you probably ever imagined? Since most of my international experience seems to come out of Romania (a fascinating cybercrime region!) - a country which seems not to have entered into the agreement - I was unaware of this till today.

Notice that this entire effort seems to be geared toward the individual, or a small group of individuals. What if it is a corporation or (gasp!) a small nation state doing the attacking or creating/supplying the software? What if it is part of their regular business practice?

We might ask Sony about that one. I will not go on and on regarding what bullshit it is that if I lobbed a rootkit onto thousands of Windows boxes I would be prosecuted under a slew of (US) national and international laws. They got to say 'oops!' and pay out a bunch of money. Money is really not punishment.

Did our international corporate overlords learn much? Maybe enough to include an EULA in the process. Sears has introduced a new internet community. When you join, you get to install software on your system. Details include:
Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.
There is quite a bit more here which describes in some detail what exactly is going on. But my annoyance today is about the clear disparity between what a company like Sony or Sears can seemingly do without regard to users' privacy and what an individual would face for the same act. This is a rootkit, something illegal under law but not prosecuted as anything except a civil offense.

Must go, this is getting a little boring and I have dishes to do. Feh.
