
EU wants to criminalize "Hacking Tools" - drKarl
http://www.wired.com/threatlevel/2012/04/hacking-tools/
======
jacquesm
Sam gets arrested because he's carrying burglary tools at 03:00 in the morning
and gets charged with burglary.

Defending himself he appears before the judge and asks the judge if they're
going to accuse him of rape as well.

The judge, somewhat surprised at the turn of events bellows: "Don't tell me
that you raped a woman as well?"

Sam responds: "No, obviously not. But I was carrying my tools."

--

Even if you had the worst of the worst hacking tools sitting around on your
system, it should be the actual use of those tools against someone else's
machine for which you have no permission to access that creates the offence.

Those that break in to systems are not going to be deterred by this at all and
those that make a living doing penetration tests and such will be unable to do
their job giving the bad guys a nice advantage.

Silly lawmakers making silly laws with the best of intentions are the worst
thing that can happen. I really wished they would limit their lawmaking to
areas where they have some expertise.

~~~
aes256
_> Even if you had the worst of the worst hacking tools sitting around on your
system, it should be the actual use of those tools against someone else's
machine for which you have no permission to access that creates the offence._

It's not quite that simple. Consider firearms. You might argue it should be
the _use_ of a firearm — to threaten, maim, or kill another person — that
ought to be legislated against, not mere possession. Plenty of people
disagree, as exemplified by the numerous democratic countries around the world
where possession of a firearm is illegal in one form or another.

The obvious retort — the "guns don't kill people, people kill people"
argument, if you will — is that possession of a tool alone should not be
illegal because mere possession is not inherently harmful. That's the point
you seem to be making here.

Indeed, both hacking tools and firearms can, in addition to their more obvious
harmful uses, also be used to alleviate and even _prevent_ harm — authorised
penetration testing being the obvious example in the former case.

Nevertheless, plenty of people are willing to forego those benefits in the
case of firearms; why not the same for hacking tools?

~~~
snambi
guns are not a good example. there is no way i can use a gun for constructive
purpose.

think of a knife. 99.99% use the knife for good reasons. However, some use it
to harm others. Does it make sense to outlaw knives?

I use wireshark often to see what goes into the request. A lot of developers
use it. I think it is mostly used for good intentions.

~~~
anamax
> guns are not a good example. there is no way i can use a gun for
> constructive purpose.

That tells us more about you than it says about guns. It says that you're
either ignorant or a thug.

We can easily distinguish the two. How many people have you assaulted? If 0,
you don't know that folks who use guns criminally have a history of other
criminality. If not...

> think of a knife. 99.99% use the knife for good reasons.

That's true of guns as well.

~~~
freehunter
Not really. I use and own many knives, and would never use one on a person,
even in self-defense. No one wins in a knife fight. I use knives for cutting
food in the kitchen, but also for cutting fishing line, rope, slicing through
grass and undergrowth to get to the soil, shaving down wood to fit where I
need it to fit, etc. Knives are a tool.

I use a gun to kill. That's its only purpose. Hunting/killing and target
practice for hunting are the only things a gun is useful for. I can't use a
gun to help me with the crops, to fish, or while working in the garage.

Knives can be used to construct. Guns can only be used to destruct. Not saying
guns have no legitimate purpose (I use one for hunting many times per year),
but that legitimate purpose begins and ends with killing or practicing to
kill. It's a long leap from taking the life of a deer to taking the life of a
human, but you use the exact same tool in the exact same way, the only way it
can be used.

~~~
fein
So are we ruling out target practice for the sake of target practice? I go
shooting around once a month for the sole purpose of making a steel plate
ring. I have no intention of hunting animals or killing a human being with the
firearms that I use; the sole purpose is recreational target shooting. Of
course, in a wild scenario such as home invasion that would be a different
story, however the same can be said of any object used for defense purposes,
be it a knife, pipe, flower pot, etc.

And let's be honest here, you would most definitely use a knife in self defense
if it came down to that. It's a preposterous argument to say that in a life or
death scenario, you'd opt for a lesser source of protection in order to not
use a sharp object.

~~~
tripzilch
> And let's be honest here, you would most definitely use a knife in self
> defense if it came down to that. It's a preposterous argument to say that in
> a life or death scenario, you'd opt for a lesser source of protection in
> order to not use a sharp object.

Really?! Well, I guess it's different if, thanks to your gun laws there's a
good chance the intruder might be carrying a firearm. No scratch that, if they
got a gun, then you're still screwed with a knife.

First, do you know where to hit them to disable them at once? If not, you're
now standing really close to a really angry, bleeding intruder.

Second, even if you do, they now bled on the walls, the furniture, everywhere.
Have fun cleaning that up.

Third, you just killed a person. You can't really "disable" someone with a
knife, either you kill them or you don't.

My advice? A big stick. Like the wooden handle of a broomstick or something.
Keeps people with knives at a distance, you can hit them, poke them, and pin
them to the ground while you call the police. (stick locks below the chin,
behind the jawbone, base of the neck, pushing backwards. very uncomfortable)

------
dlsym
In Germany there already is a law called "Hacker(tools)paragraf" (§ 202c
StGB).

It roughly states that if you provide, create, sell, or distribute tools
which can / will be used to commit / prepare a computer related crime, you
shall be punished with one year in prison or a fine.

The problem with this is the vague wording: Whether dual-use tools like nmap
are affected is open to discussion.

Maybe someone else finds a better translation; you can find the original text
here:

<http://de.wikipedia.org/wiki/Hackerparagraf>

~~~
pagekalisedown
I would hate to be someone teaching networking in Germany right now. This
"paragraph" is throwing out the baby with the bath water.

~~~
jk4930
After criticism they made clear that the good-intended use of those tools is
legal.

------
cs702
Almost all politicians in power today (1) didn't grow up with a pervasive
Internet, and (2) truly don't understand information technology. For example,
the median age of US Senators is currently 62 years [1], and not a single one
of them is an engineer (let alone a software developer) [2].

Consider how the term "dangerous hacking tool" sounds to a 62 year-old person
who doesn't have even a basic understanding of how software works. No wonder
they want to outlaw these "weapons"!

Alas, it's probably too late and too difficult to teach these old dogs new
tricks. Realistically, we should expect more idiotic political decisions to be
made... until a new generation of politicians (with a better understanding of
software and the Internet) gradually takes over.

I wish I could be more optimistic about this.

[1]
<http://en.wikipedia.org/wiki/List_of_current_United_States_Senators_by_age>

[2] <http://www.senate.gov/reference/resources/pdf/R41647.pdf>

~~~
harshreality
It's not obvious that the next generation of politicians will be much better.
Using computers, including iOS and Android devices, is not enough. Technically
minded individuals who understand how those devices work below the surface are
still unlikely to go into politics.

------
dguido
This article is a little bit sensationalist. Here is an analysis of the actual
text of the law:

<http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-the-fud-line/>

<http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-the-fud-line-cont/>

------
TazeTSchnitzel
Brilliant. I commend the EU on its harsher stance on cyber security, cracking
down on criminal computer usage and protecting the systems crucial to how we
live our lives.</sarcasm>

So now we can't use penetration testing tools? I'm sure computer systems will
be much more secure without the threat of security testing software,
especially since the only threats we know of are from the EU.

Oh wait.

------
jiggy2011
Wouldn't this in effect make credit card handling software etc impossible to
create within the EU?

I'm fairly sure part of "due diligence" would be to perform some form of
security audit / penetration test which this would render illegal.

~~~
Chris_Newton
I suspect it's much worse than that. Consider a tool like Wireshark, which is
widely used by people developing and testing all kinds of networking software,
which in turn handle small tasks like running every home and office network on
the planet, not to mention the Internet. Of course, any protocol analyser that
you can hook up to your switch/router/etc. to make sure it's sending the right
traffic in the right directions could also be stuck on a laptop near any
unsecured WiFi network and used to sniff other network users' unencrypted
traffic.

The correct solution to this problem, if secure communications is your primary
concern, is for the people who understand the technical and security
implications to make networking secure by default. Get rid of unsecured WiFi
and replace it with something using full-time encryption.

It's also important to educate users of insecure networks so they understand
the risks and know what to look out for and what they should do and not do to
protect themselves. Use HTTPS where it's available, check you've got the
little padlock icon before you type private information into a web site, that
kind of thing. Obviously much of this is good practice if you're using the
Internet, even if your immediate connection is over an encrypted wireless
link.

Of course, there is always option 3: do nothing about the technical
vulnerability, but legislate to ban Wireshark and numerous other "hacking
tools" like it in the hope that bad people won't exploit that vulnerability.
Unfortunately we'll probably have to close down the Internet shortly
afterwards and revert to connecting a printer to everyone's PC at the office
so they can exchange documents, because no-one will be able to make any
networking kit that actually works any more. But that's a small price to pay,
for at least we will have stopped Evil Hackers from monitoring our networks!

(Obviously there's a little hyperbole in that last part. But only a little...)

------
jjoergensen
EU internet laws have no effect. Look at the cookie legislation that made it
impossible to set cookies on people's machines without explicit consent. What
is dangerous is that one day they may be put into use. But for now they are
just largely ignored.

~~~
zalew
Yeah, except recently our govt (Poland) got to this 'brilliant' idea
<http://hackerne.ws/item?id=3794883>

//edit: original to translate in case the above doesn't work
<http://www.tvn24.pl/-1,1740364,0,1,rzad-bierze-sie-za-ciasteczka,wiadomosc.html>

~~~
FreeFull
That link only gives me an empty page

~~~
DougWebb
Maybe that's now the only legal kind of web page in Poland?

------
lvh
This is a dupe. Original source: <http://news.ycombinator.com/item?id=3797026>

When the original got posted, I already called the MEP in question:

<http://news.ycombinator.com/item?id=3797114>

TL;DR: They already know this is silly and the final law text will not
criminalize tools being used in a research/penetration testing context.

Nothing to see here, move along...

------
fratido
Yeah, German legislation for everyone!</sarcasm> "Hacking tools" were made
illegal 5 years ago in Germany, resulting in a huge outcry and face palms from
those involved in security research (and gnu-tool users)

------
perlpimp
Bold move but may undercut the knowledge base in EU in terms of Computer
Security. Because in CompSec if you don't know how to break it, you don't know
how to secure it. Hacker (the other meaning) community is a part of the
internet and a quote as old as internet is: The Net treats censorship as a
defect and routes around it. -- John Gilmore.

------
drKarl
I wonder if they include most of the unix/linux command line tools like nmap,
netcat, etc...

Laws about computers made by computer illiterates...

~~~
nitrogen
I believe I've heard that there are virus scanners that will immediately
delete any copy of netcat they come across.

------
adsr
What is considered a hacking tool? Does it only affect highly automated,
single purpose tools which can not be used in any legitimate way, or does it
affect things like hexdump or nc?

Also, who makes the distinction? Is it evaluated on a case by case basis by
the court or is there a list of "verboten" tools?

~~~
guard-of-terra
Let me guess, it is evaluated on per case basis and then it gets into the
list. Some stupid court in the middle of nowhere outlaws tcpdump and then
every linux user is a criminal.

------
alexqgb
The temptation to pass laws like this (an unstoppable force) exists in
fundamental opposition to the reality of tools as powerful, as versatile, as
cheap, and as highly distributed as personal computers (the immovable object).

This conflict is the essence of Cory Doctorow's thesis that all the
superficially-unrelated tech related battles we've seen are simply proxy
fights in the War on General-Purpose Computing.

I know that opinions about Cory vary considerably, but if there's one article
that everyone should consider with an open mind, this is it:
<http://boingboing.net/2012/01/10/lockdown.html>

------
phn
Well, a computer itself is a hacking tool, no?

~~~
m0skit0
In fact your brain is a hacking tool, so everyone born with a working brain
could go to jail.

~~~
bullseye
Which means politicians would once again be exempt from the laws they create.

------
doki_pen
The argument that this would hurt legitimate hacking is a bad one. The example
given was white hats hacking into e-voting machines. You aren't allowed to
break into government buildings to make sure they are secure, it's illegal.

As far as preventative laws go, I don't think they are right but they are
widely accepted by most people as right. I'll use one that most people agree
with as an example. Drunk driving in and of itself doesn't hurt anyone, and
some people can do it their entire lives without ever getting in an accident.
But we make it illegal to try and prevent people from killing each other.

~~~
mattstreet
Yes you can't break into government buildings to show they are insecure, but
you could buy the same kind of door as they have, and show how insecure it is.

I think this is how a lot of the e-voting machine hacks are done.

------
pbhjpbhj
It's already illegal in the UK to enter and/or use a computer system without
permission, you don't even have to crack it. Presumably this is true in most
of the EU too.

So, the only reason I can see that anyone would want this law is so you can
prosecute without having to show someone committed a real crime. Kinda like
having a law saying you could prosecute people for hit-and-run if they own a
car.

If the "hacking tools" are capable of causing near instantaneous death then I
think there's an argument for it. Otherwise this seems to be over-stretching
the law to infringe on hackers' liberties.

------
experiment0
This type of legislation clearly stems from ignorance and a lack of
understanding. It infuriates me that people can make judgements like this
without actually understanding what they are making judgements on.

------
fromhet
In my newly awakened state I first thought this was from The Onion. That's where
it should be, at least.

------
jakeonthemove
Well, I don't know what to say - this is just stupid. I hope it doesn't go
through, but if it does, I'll just store all the potential "hacking tools" on
a server in the US, or China, or Japan, or Brazil, or Australia... or
encrypted UHS SD cards (it took them a while, but they already know about
encrypted hard drives, you see :-)... Seriously, how is this even going to be
enforceable (especially with the push for cloud storage)?

------
godDLL
> While the law seems aimed at blackmarket tools that can be used to create
> malware infested sites, it’s also likely to criminalize tools used by
> researchers, developers and black hats alike – including tools like fuzzers,
> the Metasploit penetration testing tool and the wi-fi sniffing tool
> Wireshark. (Perhaps even the command line would be outlawed.)

They take away your guns, so that you can not rebel against them.

------
richieb
Isn't a computer a "hacking tool"?

~~~
randomdata
This seems like the obvious ban. If you outlaw computers, honest people won't
be able to use them, leaving no systems for the dishonest people to hack into.

------
siculars
So would Chrome and Mozilla have to disable "view source" and "developer
mode"? Would Apple have to stop shipping Xcode? Would I have to register with
an "authority" as a developer? Like a boxer registering his fists as "deadly
weapons"?

The insanity continues...

------
verelo
How far does this go?

Can I have a laptop with vi or nmap installed? I imagine most DOS attacks come
from people with a pretty generic install, vi and an internet connection.

------
antihero
If you are in the UK, please consider writing to your MEP(s):

<http://www.writetothem.com>

------
redbeard0x0a
What about hacking tools that have been installed on your machine without your
knowledge, i.e. malware that runs DDoS attacks?

------
archgoon
The Low Orbit Ion Cannon isn't a DDoS tool, it's a crowd sourced network
stress testing utility!

------
urza
We need to reinvent the law making! The current system is simply outdated.

------
rosser
"Perhaps even the command line would be outlawed."

Jesus, Wired. Sensationalize much?

------
mgogov
I live in the EU and this is simply ridiculous.

------
Craiggybear
Everything is a hacking tool. Every programming language and every pre-
existing piece of software, every computer and every phone is a potential
hacking tool. Thought itself is the biggest hacking tool.

How are these fucking morons going to define legally what is and isn't a
"hacking tool"?

~~~
aes256
This is 'hacking' _a la_ the popular meaning of the term (gaining unauthorised
entry to a computer system), not the definition adopted by self-described
'hackers'.

Think port scanners, password crackers, vulnerability identification and
exploitation tools. Any reasonable person would consider these to be 'hacking
tools', and that's all a legal system needs for a definition.

~~~
nkassis
As an ex network admin, not having port scanners and vulnerability testing
tools would make me feel blind. Those tools have very legitimate uses. Port
scanners don't even have to be used for security purposes, sometimes you can't
access a machine and want to see what services are active and open to the
world etc.

~~~
_delirium
There will probably be a vague exception for legitimate professional use, the
way there is for burglary tools. Varies based on the jurisdiction, but whether
carrying a lockpick set is illegal depends a lot on factors like whether
you're a locksmith, the circumstances in which you were carrying it, etc. The
crime essentially boils down to something like: carrying a lockpick set while
seeming suspicious and not having a good excuse.

