
EU: Possession/distribution of hacking tools to be made a criminal offence - zacharyvoase
http://www.europarl.europa.eu/news/en/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence
======
PixelRobot
If you outlaw hacking tools only criminals will have hacking tools.

This would make the EU less safe, since security experts will not be able to
know what they're facing or check the security of their own systems against
real attacks until they're really being attacked. Another clueless law that
does the opposite of what it's supposed to do. Either that or it will be
completely ignored.

~~~
wisty
I don't like this logic for guns, because most criminals (especially the less
professional street gangs) get guns by stealing them from law abiding people.

I do like this logic for hacking tools, because most criminals make their
tools themselves, or get them freely through distribution channels which are
impossible to shut down.

If guns could be freely cloned, and sent through the mail for free (in locked
boxes which the post office couldn't see into), it would be unbelievably
stupid to ban them.

~~~
talmand
I require a source on your claim that most criminals get guns by stealing them
from law-abiding people. I guess this might depend upon where you live but
I've never heard this claim in the US. Even if it were true, are we saying a
law-abiding citizen shouldn't have access to a legal firearm because a
criminal might steal it?

I personally don't like any rules of this nature because the major problem
becomes who defines what is a "hacking" tool? It's much like how the
definition of burglary tools can be so broad that just having duct tape and a
screwdriver in your trunk can be considered possessing burglary tools. Just
for the sake of slapping another charge onto somebody during an arrest.

~~~
phillmv
I think the argument goes, the more weapons out there period the easier it is
for people to smuggle them into the hands of criminals.

You can't just build a handgun in your basement; you need a tool and die
machine, know-how, etc. In other words, a factory.

If you live in a state where it's relatively easy to buy a handgun and the
registration requirements are limited and so on, you're going to find it a lot
easier to procure one on the black market than say, here in Canada where you
need to take a course and file a report every time you want to take it out of
your house.

~~~
talmand
I've always felt the difference in attitudes towards guns in Canada versus the
US is more about culture than it is about laws.

~~~
doktrin
Culture tends to impact laws, but that wasn't the parent's point.

The general availability of a given product in a given area affects said
product's availability in said area's black market.

In this case, more guns in circulation = more guns on the black market. This
isn't to say that all black market guns originated from the legal (market),
but supply does trickle down.

------
zacharyvoase
Here is my concern: that the EU will make an exemption for security
researchers/white-hat hackers, but only those recognised by a certain
qualification or professional body. Governments around the world already
mandate professional licenses for many industries, and IT is so critical that
it's only a matter of time until we see a 'License to Code'.

~~~
unimpressive
I'm going to be clear with you; I've lost sleep over this. I _continue_ to
lose sleep over this.

The thing is, no matter how much I wish it were so, I don't feel that (and in
reality I do not) I have the financial or political capital to really do
anything in the realm of significance about this. I'm not articulating the
prior points because I seek pity or want to hear similar views from people who
sympathize with my position. I instead would like a simple question answered:

What's the best thing I can do to stop things like this from happening?

~~~
phillmv
Well… of course you do. You're a well educated, well informed professional
capable of using the internet who is solidly in the middle class. People like
you are the core of every group of people seeking change.

What do you do? You form an organization, a lobbying group. Organizations are
the base unit of power.

You throw up a website, you get as many like minded people as possible
(literally, thousands) to sign up for your mailing list and you badger every
single person you can find across the political spectrum on the issue. You
write letters to politicians, you write software that makes phone calls, you
get people who run companies who would be affected by the issue to give you
financial and moral support, and you try to talk directly to every politician
or candidate to be a politician on the issue.

Ideally, albeit hard on this weird technocratic issue, you get some mass
public outrage on the topic. With some luck, you can go: small company CEO who
knows a medium company CEO who hangs out with someone higher up who can have a
one on one with people who actually vote on the issue.

The catch is, before this is over it will be a more-than-full-time-job but…
it's a startup like any other.

This is how any issue becomes mainstream: there are a bunch of people working
round the clock on it. Think about illegal trade unions in Poland in 1978 or
gay people going from being beaten indiscriminately by the cops in 1969 to
being on the verge of legalizing marriage across the West.

In the meantime, get started by having you and all of your friends write
personal letters and call your eurodeputies (not having clicked on TFA I
assume that's the body in question).

~~~
ajuc
There needs to be some angle that matters for regular people. With Polish
strikes it was crashing economy and big regulated prices increase - freedom
and truth in TV was important, and there were always people in opposition, but
bread was the impulse that made the most people go to the strike.

Recent example - ACTA outrage.

There were people alerting public for years about the danger (Piotr Vaglewski
comes to mind). Public just ignored them. Then Megaupload was shut down, and
suddenly ACTA was everybody's business (even though it wasn't ACTA's fault :) )

~~~
ajuc
Eh, can't edit, his name is Piotr Waglowski of course, I always mix it with
his nick.

------
tobiasu
Looks like the infamous German "Hackerparagraph" §202c StGB. A toothless piece
of feel-good legislature since all the tools can also be used for "good"
(pen-testing etc.).

<https://en.wikipedia.org/wiki/Strafgesetzbuch#.C2.A7_202c:_Preparation_of_data_espionage_or_data_interception>

Like most tools (kitchen knives are the obvious example), intent and actual
use is far more important to the law.

To my knowledge, there has not been a single ruling that declared simple
possession of e.g. nmap a punishable offence.

Edit: <http://www.gesetze-im-internet.de/englisch_stgb/englisch_stgb.html#StGBengl_000P202c>
§202c in English

~~~
jellicle
What happens is that these charges are used in place of "real" charges when
the police want to convict.

For instance, it is in general illegal to possess "burglary tools", with no
definition thereof. You might think that that would penalize only people with
specialized tools modified for burglary. You would be wrong to think that. An
unmodified hammer, screwdriver, wrench, knife or anything like that can be
charged as a burglary tool, if the police feel you are a bad person. And yes,
people routinely go to prison for possessing a regular unmodified screwdriver.
Using it for burglary is not required at all under the law.

It doesn't matter even a tiny bit if the tools can also be used for good.

So when your house gets raided and the police find no actual evidence that
you've done anything wrong, but you possess hacking tools, well... if they
don't lay any charges that means they were dumb for making the raid in the
first place.

~~~
J3L2404
>people routinely go to prison for possessing a regular unmodified screwdriver

Citation needed.

~~~
jellicle
Google, I feel lucky:

<http://www.independentmail.com/news/2012/mar/22/clemson-police-charge-man-possession-burglary-tool/>

~~~
J3L2404
I guess someone will have to follow up and see if he does jail time. He might
if he is on probation for car theft, otherwise it seems unlikely.

------
lvh
I have just done the due diligence and actually contacted the MEP in
question's office.

The spokesperson was able to confirm that this issue has been raised already
and in the final text there will be explicit provisions that research and
testing is still allowed.

~~~
PixelRobot
Then why don't they just make the use of hacking tools for criminal purposes a
criminal offence and not the possession and distribution of said tools?

~~~
lvh
I can't judge the MEP's intent, but my best guess is that tobiasu has it right
on the money when he says it's "toothless feel-good" stuff.

~~~
PixelRobot
OK. I feel better now thinking it's just a useless law that will change
nothing.

~~~
StavrosK
I don't. Why pass these laws in the first place? I don't like junk in my legal
system.

~~~
talmand
Why pass such things? It's just another silly law to allow for applying
another charge to someone during the arrest. In several cases you can see that
the authorities slap on all kinds of charges in which most of them are
eventually dropped. Kind of like the throw pasta on the wall theory of law
enforcement, something's bound to stick.

Plus it allows them to pick and choose who they arrest in any group when
almost everyone in that group is possibly breaking a law they are not aware
of.

~~~
StavrosK
So, totalitarian tactics. Nobody should stand for this, even if it's
"toothless".

------
joeybaker
This is really just an example of lawmakers not understanding what they're
legislating. "hacking tools" are also known as 'development tools'.

This sort of proposal is only made when completely oblivious about the
operation of computers/the Internet/two-side coins.

------
stephengillie
> "No car manufacturer may send a car without a seatbelt into the streets. And
> if this happens, the company will be held liable for any damage. These rules
> must also apply in the virtual world" she added.

The difference here is _who_ the law applies to. This is more like arresting
people with the tools to remove airbags from cars.

True, carrying lock-picking tools is illegal in many places, but the act of
picking locks isn't always illegal when performed by a locksmith.

------
scanr
This is the sectools list of 'hacking tools':

* <http://sectools.org>

Here's the intersection of that list with what I have installed on my machine:

* Firefox

* Netcat

* Curl

* tcpdump

* Wireshark

* OpenSSH / SSH

* Ping/telnet/dig/traceroute/whois/netstat

* Perl/Python/Ruby

* Google (ha, ok, perhaps not installed on my machine)

* VMware

* OpenSSL

* Firebug

* GDB

~~~
ez77
That was my first thought. Will downloading tcpdump get you in trouble? What
if it's "homemade"? Compilers will be next, since they enable the creation of
these tools...

------
dave1010uk
Are full details of the "draft law" visible to the public?

From the article:

    
    
        The proposal also targets tools used to commit
        offences: the production or sale of devices such as 
        computer programs designed for cyber-attacks, or which
        find a computer password by which an information system
        can be accessed, would constitute criminal offences.
    

Many tools can be used to "find a computer password by which an information
system can be accessed". For example a browser's view source function could
expose passwords in a (really insecure) site.

Depending on how the law is worded, tools like curl, wget (or even telnet)
could be defined as hacking tools.

~~~
tomjen3
Plus it is going to be illegal to produce them. What are you going to do?
Remove my C compiler? Only allow visual basic?

~~~
hereonbusiness
I'm afraid VB will be the first one to go. It's gotten too much attention
because of people using it to create GUI interfaces to track IP addresses :D

~~~
tomjen3
(I realise that you are joking)

Won't matter. As long as one language exists, one can write a compiler for any
other language in that language. Hopefully something other than Malbolge will
be the surviving language.

------
fauigerzigerk
It's things like this seatbelt comparison that leave me scratching my head
about politicians sometimes. How can you even argue with people who lack the
most basic appreciation of the issue at hand?

------
vilya
I started R'ing TFA and thought the title of the post was just editorialising,
until I got to this:

"The proposal also targets tools used to commit offences: the production or
sale of devices such as computer programs designed for cyber-attacks, or which
find a computer password by which an information system can be accessed, would
constitute criminal offences."

I've known numerous sysadmins who regularly run a password cracker over their
login database, so that they can warn people who have weak passwords. This
helps out the individuals concerned and increases the overall security of the
system, yet it looks like this would become a criminal offence as a result of
this bill.

------
guard-of-terra
I can totally imagine a court in e.g. some backcountry town in the middle of
nowhere declaring some standard utility bundled with Ubuntu a "hacking tool",
and immediately every linux user in EU is a criminal.

------
droithomme
<sarcasm>That should really improve security!</sarcasm>

Explanation: Obviously black hats will continue to do as before. White hats
not being able to analyze threats though will be a serious problem. It's not
sufficient to claim that special licenses will be given to worthy white hat
operations with the proper certifications, protocols and willingness to bow to
the man since nearly all vulnerability reports come from small operations and
private parties that will be off the radar. These folks will simply stop.

------
hereonbusiness
Banning software, seriously?

I get that most of them obviously have a very limited competency in regards to
technology in general (seatbelts?), but they do have advisors who should know
better. What is next on the agenda? Banning BitTorrent/p2p clients, media
players, cd/dvd ripping software, video/audio capture software to fight
piracy?

~~~
andrewflnr
Quite possibly, if they don't get burned on this one.

------
eneveu
I guess my timing was off when I first submitted this two days ago at
<http://news.ycombinator.com/item?id=3787597>. I'll repost here the links from
my comment there:

HN discussion from last year on this subject:
<http://news.ycombinator.com/item?id=2654346>

Blog posts with some more analysis and links to draft reports / amendments:

<http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-the-fud-line/>

<http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-the-fud-line-cont/>

------
Freestyler_3
"No car manufacturer may send a car without a seatbelt into the streets. And
if this happens, the company will be held liable for any damage."

I don't see the resemblance between that and this:

"Cyber attacks on IT systems would become a criminal offence" :|

------
mih
What does this mean for the future of distros such as Backtrack Linux? Could
anybody comment? It's still unclear as to what exactly they refer to by
hacking tools. Such things were always a two-edged knife.

------
ggwicz
So every single computer owner will be a criminal?

------
itsuart
> [...] computer programs [...] which find a computer password by which an
> information system can be accessed, would constitute criminal offences.

So, possessing 'net use' and 'ssh' is now a criminal offense in the EU? Oh wait,
so are all password recovery tools! One had better never forget passwords or
risk being prosecuted.

------
tomelders
We are governed by idiots.

------
m0skit0
Nonsense. As such tools cannot be used to find and patch vulnerabilities. And
even if banned, real hackers can code such apps themselves, while sysadmins
are not that skilled and will be stuck with no weapons at all.

~~~
quadhome
Weapons?

------
anty
Where does it state in the article that possession of hacking tools is made a
criminal offence?

------
mariuolo
What about double-use tools, like network diagnostics and the like?

~~~
vlisivka
What about your brain, the best hacking tool?

------
sasoon
So possession of a knife should also be a criminal offence...

------
telemekus
So Notepad++ and Vi/Vim will be outlawed now then?

------
voodoochilo
Propaganda, fear, technical ignorance, prevention-mania and centralistic
tendencies lead to such legislation. I'm ashamed to be an EU citizen.

