

EU: "Making hacking tools should be illegal" - dmc
http://www.theregister.co.uk/2011/06/14/making_hacking_tools_should_be_criminal_act_say_eu_ministers/

======
jarin
If hacking tools are outlawed, then only outlaws will have hacking tools.

Meaning if you're a software developer or system admin in the EU, you better
be on standby 24/7 to combat 0-day exploits.

~~~
TamDenholm
I find myself quite torn by this statement, because while I don't think hacking
tools should be illegal, this is the exact same argument pro-gun people make,
and I'm quite anti-gun (I'm from UK). Then again, in America drug
paraphernalia is illegal but in the UK it's not and I personally don't think you
should be locked up for having a bong because theoretically you might only use
it for tobacco.

Anyway, personally I'm quite adamant in the blanket statement that no software
should be illegal.

~~~
burgerbrain
There is a pretty easy philosophical workaround for your unease. Support
banning _doing_ things, not _having_ things.

~~~
jgranby
Pretty easy, and superficially appealing, but I find that there must surely be
exceptions to a rule such as this. Nuclear weapons (and similarly, some
chemical weapons) are the obvious special case.

Edit: reminded reading a comment below that child pr0n is another one that the
general moral consensus has problems with (I refer to the 'consensus' not
because I think it is always correct but simply as it provides cases worth
thinking about), and also handling stolen goods (although this can be
justified through property rights).

~~~
burgerbrain
Seems kind of like the "Godwin's law" of rule of law. The fact of the matter
is that we simply don't encounter these sorts of situations often enough for
myself to understand using them as policy setters.

------
Roritharr
"should be" is actually an "is" in Germany.

The fun thing about it: the German CIA equivalent "BND" lets German developers
develop hacking tools via ssh or rdp on boxes that sit in other countries to
circumvent that law.

I'll provide a link as soon as I find a source other than one of the hackers I
know.

------
bellaire
The linked PDF is ambiguous, "penalisation of the production and making
available of tools ... for committing the offences".

If this requires _mens rea_ , i.e. they prove that your intent was for
committing an offense, it's not such a big deal.

If it does not, i.e. your software merely could possibly be used to commit an
offense, it's a _huge_ deal.

~~~
koenigdavidmj
Case in point on the latter:
[http://www.schneier.com/blog/archives/2007/08/new_german_hac...](http://www.schneier.com/blog/archives/2007/08/new_german_hack.html)

------
burgerbrain
Great, now we can have _even more_ "illegal math".

------
Isamu
Laws with unintended consequences should be illegal.

~~~
hugh3
Yes, I can't see any way that could possibly go wrong.

~~~
burgerbrain
And I certainly can't see any way the way we _currently_ do it could possibly
go wrong either...

~~~
hugh3
I do believe my point was that no law is free of unintended consequences,
particularly not your law that outlaws laws with unintended consequences, thus
your law outlaws itself.

The outlawing of the law against laws with unintended consequences by the law
against laws with unintended consequences would undoubtedly be considered yet
another unintended consequence of the law against laws with unintended
consequences.

~~~
burgerbrain
Just make the law _"any law with unintended consequences is illegal"_ , then
embrace any possible "consequence" of this law (such as perhaps laws you
otherwise like being declared illegal), then the law should fail to outlaw
itself. Any consequences would be by definition intended.

Anyway, I don't buy the suggestion that no law can be free of unintended
consequences. If you construct a sufficiently formal definition of the system
of law, and each law itself, then making a law without unintended consequences
is simply (lol :P) a matter of proving the law. Quite similar to how programs
can in fact be proven correct (contrary to the popularly held opinion that no
program can be free of flaws.)

Is this practical? With our current setup, no. Hypothetically? Maybe...
certainly at least worth pursuing the idea I would say.

~~~
TeMPOraL
Until you find laws that can be formulated in your formal system, but cannot
be proven - say hello to Gödel incompleteness theorems :).

(also, I love when discussions go meta :))

------
zoowar
Your hacking tool is my security analysis tool.

------
Bud
Wouldn't it be simpler and more efficacious to simply ban sales of Windows in
the EU, or mandate that they fix the security issues?

Not that I favor ludicrous bans of this sort, or that I think they will work.
Because I manifestly don't. But geez, if you're going to be over-the-top
Orwellian, at least do something that has a chance of achieving your stated
goals.

~~~
jjcm
It seems naive that you assume that banning Windows would decrease the rate of
successful malicious attacks on machines. Every piece of software has holes -
the largest of which is the user. If everyone in the EU switched off of
Windows, you'd just have a large percentage of the population using Linux or
OSX without understanding how security works on those systems (many of whom
would gladly enter their root password to install a spyware program, so long
as they can keep playing Farmville or whatever it promises to do).

------
linuxhansl
What about vulnerability testing software? In principle those can be used as
attack tools.

Maybe a line can be drawn... Design kits for viruses come to mind. But even
then, it's a fine line, and history has shown once a mechanism is in place to
outlaw something it will be extended and abused to apply to things that were
not originally targeted.

------
Jach
Isn't the loophole for this obvious? Just include in your release:

"This tool is intended for educational use only. The Author is not responsible
for any misuse."

------
num1
Yes, it is illegal to financially damage a company, and many crackers do
exactly that. This article and most of the comments here argue about the
tools. As hackers we find it hard to understand why a hammer could be outlawed
because it is good at breaking through the windows of houses.

Why does no one talk about the network that was broken into? Why does the
general public believe that crackers are so good at their job it is impossible
to secure a computer system? There are two possibilities that I can see here.

1\. Most cracks happen because of a less-than-perfect system administrator.
Either some subtle problem with a configuration file opened up a hole for the
cracker or nobody bothered securing the network to begin with.

2\. Most cracks happen because crackers have found a reliable method of
discovering 0day exploits or our current computing model is fundamentally
insecure.

In either case, I find it unjustifiable to declare cracking an act of
terrorism without spending ANY effort reflecting back on our own security. If
millions of us routinely use the same password (or an easy-to-guess pattern)
for all of our accounts who is the terrorist? The people who take advantage of
an easy opportunity, or the people who created that opportunity in the first
place?

It is well known that users are stupid, and that two-factor authentication is
much harder to break than static passwords. Bruce Schneier has been saying so
for at least a decade. Why have we not moved on? As a system administrator, it
should be an act of terrorism to NOT make two-factor authentication the
DEFAULT way of using your service.

------
tomp
While I can't really see legitimate uses of some of the "hacking tools" -
viruses, botnets, rootkits (yes, you, Sony!), etc. - I can't get rid of the
feeling that there is another hand trying to get a grip on the free land of
Internet, and I really don't like that.

On a completely tangential matter, I have a feeling this is going to be
another one of those laws that cost a lot of money and have little to no
effect... at least positive effect.

------
flocial
If you leave your wallet on the street in a bad neighborhood and come back,
you'll probably never see it again.

The problem with such protection laws is that they don't take into account the
ignorance or incompetence of service providers. It also holds back innovation
and we end up with less security. Even if these vulnerable companies don't
have the expertise they can hire a reputable security company to audit their
system to plug the gaping holes.

Do we need to pass laws for companies to do security audits? Maybe for listed
companies or companies that have services of a certain size, since they'll try
to skimp on costs or executives don't understand IT needs.

Trying to criminalize the intent of developers even if they create tools
solely for cracking is a slippery slope. While we're at it we should make
defense contractors liable for war damages and execute the engineers
responsible for creating weapons.

In Japan a closed source p2p software called Winny caused a lot of disorder
with viruses and lots of government information and embarrassing private
pictures leaked onto the net due to security issues. Unfortunately, the
developer was busy fighting a trial based on whether he had intentions of
violating copyright with his software (he was finally acquitted on appeal to a
higher district court). If he at any point publicly endorsed copyright
violations, he'd probably be locked up for a long time even if he didn't
violate a single bit of copyrighted content. Needless to say the project is
abandoned and full of holes. Good for the anti-virus industry though.

<http://en.wikipedia.org/wiki/Winny>

------
dmc
The full statement is available here[1].

[1] -
[http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdat...](http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/122516.pdf)

~~~
randombit
The actual directive seems to be 14436/10 which is available here -
[http://register.consilium.europa.eu/pdf/en/10/st14/st14436.e...](http://register.consilium.europa.eu/pdf/en/10/st14/st14436.en10.pdf)

The relevant portion is Article 7

""" Member States shall take the necessary measure to ensure that the
production, sale, procurement for use, import, possession, distribution or
otherwise making available of the following is punishable as a criminal
offence when committed intentionally and without right for the purpose of
committing any of the offences referred to in Articles 3 to 6:

(a) device, including a computer program, designed or adapted primarily for
the purpose of committing any of the offences referred to in Articles 3 to 6;

(b) a computer password, access code, or similar data by which the whole or
any part of an information system is capable of being accessed. """

Which seems to be saying that, say, nmap isn't illegal, unless you download it
with the intent to run it against a machine you're not supposed to, in which
case you've broken the law (even if you never actually use it). Kind of like
laws against 'burglary tools' in some parts of the US, the crime seems to be
based on context/intent.

(Obvious disclaimer about how I'm not a lawyer, European, or a unicorn.)

------
JoeAltmaier
Like locksmiths, many of us have reasons for owning the most unlikely
software.

------
Zakharov
There's a sensible reason for implementing a law of this kind - if they catch
the guy that wrote Zeus, I'd like them to be able to prosecute him (not that
they could, as he's probably not in the EU, but you get the idea). Of course,
it does need to be carefully written to avoid collateral damage.

------
dr_win
knives should be illegal, they may be used to kill people

~~~
viraptor
In the UK, it's illegal to sell knives to under-18s in many places. Yet, you'll
have to live on your own if you go to school away from home before that age...
Another silly rule that doesn't actually stop people from stabbing each other.

------
asomiv
This is already the case in the Netherlands. Hacking tools are only allowed
for private use or research, e.g. for checking the security of your own
network. Possession of hacking tools with the intention to harm other peoples'
systems is not allowed.

~~~
tomjen3
There seems to be a big difference between that law and this one in that this
would outlaw all possession of "Hacking tools".

~~~
pnathan
Lockpicks in my state in the US are permitted, except for having them with
burglarious intent.

Same thing IMO.

~~~
corin_
That just isn't at all the same thing... this suggested law is the equivalent
of making it illegal to create lockpicks at all. Regardless of intent.

------
antihero
Can anyone think of a situation where lines of code could ever be illegal?

~~~
rwmj

        const char *kiddie_pr0n = { 0xff, 0xd8, 0xff, 0xe0,
                                    0x00, 0x10, 0x4a, 0x46,
                                    0x49, 0x46, 0x00, 0x01, ... };
    

and undoubtedly many other cases.

------
jvanenk
These sorts of laws need to include exceptions for tools that have a
non-criminal purpose. Otherwise, a broad reading could include things like NetCat,
Curl, and Apache Bench.

~~~
skymt
Which would render the whole shebang useless. All tools used for breaking into
computers have legitimate uses for security professionals, not the least of
which is penetration testing.

~~~
younata
"I wasn't trying to hack you, I was giving you guys a free impromptu
penetration test!"

------
JonnieCache
What if I develop all my hacking tools in an SSH session to a box in Russia?
Is that illegal? What about VNC?

This kind of thing could well be a legal reality soon...

------
tgrisfal
He has an IDE - get him!

~~~
doyoulikeworms
Oh, whew. False alarm. He has the standard "EU-IDE: Certified Developer
Edition". Gonna have to write him up for not updating to the latest version,
though.

------
orenmazor
hahaha. I spent a summer writing dissectors for ethereal/wireshark. I guess
that's a hacking tool as well, eh.

------
mrcharles
This seems more like one of those ideas which end up being a law used to slap
people a second time when they are nabbed for something rather than something
that would be enforced on its own.

~~~
mindstab
Ha, or used to cluelessly or maliciously persecute anyone giving them trouble.

------
leon_
That's funny. First they talk about cyberwar and now they want to smelt down
their weapons?

------
ignifero
That is a desperate attempt to motivate Europe's lazy youth to actually hack
something.

