Comments on: Changes in the British Computer Misuse Act

By: The Computer Misused Act | GNUCITIZEN

The Computer Misused Act | GNUCITIZEN — Tue, 01 Apr 2008 20:22:17 +0000

[...] as a background, I’ve already talked about the British Computer Misuse Act. Now, what really makes me worried is that this act wont fix [...]

By: Security Tool Controversy | GNUCITIZEN

Security Tool Controversy | GNUCITIZEN — Tue, 10 Jul 2007 22:29:28 +0000

[...] some of the hacking and security laws in the UK on michaeldaw.org; pdp also discussed this on GNUCITIZEN a few months [...]

By: Switch/Twitch

Switch/Twitch — Tue, 15 May 2007 16:05:46 +0000

[...] pdp has an interesting post from last month about amendments to the British Computer Misuse Act that specify the illegality of “making, supplying or obtaining articles for use in computer misuse offences”. Time to make a “terms and conditions” for this site. martin @ 5:06 pm [filed under WebSec] [...]

By: Switch/Twitch

Switch/Twitch — Tue, 15 May 2007 16:00:03 +0000

By: Daniel

Daniel — Mon, 30 Apr 2007 12:43:30 +0000

Dinis did tell me you were, my bad, im blonde :p

The first thing the coppers would do would be to take the machine he used and do some shitty forensics on it. Now if the perp didn’t know he was being raided, it would be unlikely that he cleared his cache, wrote zero’s to the disk and reinstalled, if that wasn’t the case they would use EnCase (the gentlemans choice when in the police force) and get the forensic evidence of all traffic sent from that machine,

If they really wanted to be anal, they could goto the ISP and request the logs. For all those who think that ISP’s don’t log traffic, haha err think again. Ever since the kiddy fiddlers started getting clever, ISP’s have been under increasing pressure to conform.

Then all they would need to do is join the dots.

By: pdp

pdp — Mon, 30 Apr 2007 11:21:42 +0000

actually, I am UK based but I am not British, which does not make that much of a difference… these changes apply to me as well and I heard that they will be implemented in all EU countries.

One thing that I cannot see how it is going to work is that if someone compromises a network claiming that they did that through whatever tool… how that can be proved. I mean, yes, someone can say that they used XSSDB on GNUCITIZEN to perform the stunt but they cannot prove their statement.

By: Daniel

Daniel — Mon, 30 Apr 2007 11:13:38 +0000

It will be interesting to see how they do this. As everyone says, they develop tools NOT meant to be used in a malicious manner, but how do you prove that?

Lets use your XSS archive as an example:

you never meant people to use it in a bad manner, but some idiot went and defaced a site and he admitted (ok sexist in a way, but Joanna and the rest of the female community out there won’t mind me saying this i hope..) that he got the knowledge from pdp and gnucitizen.org.

The archive has now been used in a malicious manner and you as the author are responsible, under this act*

The key bits seem to be:

knowledge - … supply any article- knowing that it is designed or adapted for use …
intended use - … for use in the course of or in connection with an offence …
breach - … offence under section 1 or 3 …

yes you aren’t UK based, so you have nothing to worry

By: pdp

pdp — Mon, 30 Apr 2007 10:32:18 +0000

This is such a bad idea. So you are saying that the British Hi-tech crime unit will target security researchers just to prove that they are doing something? This is madness.

By: Daniel

Daniel — Mon, 30 Apr 2007 08:34:39 +0000

“Heavily” is one comment from a friend at the seckret net police (a.k.a hi-tech crime unit)

Thing is they have to be shown that they are doing something, but in reality they cannot catch the serious criminals as they have no clue, so it’s the smaller cases which attract the headlines.

By: pdp

pdp — Mon, 30 Apr 2007 08:25:48 +0000

I guess the main idea of CMA is look for someone to blame when it is required. If you happen to be the wrong person at the wrong time you get nailed for things you probably don’t even understand. This way, companies can justify their loss across their investors. I wonder to what extent these changes will be applied.

By: Daniel

Daniel — Mon, 30 Apr 2007 08:13:46 +0000

Obviously I have a fair amount of experience with the CMA and fighting it in court and these changes are typical of the way the law was initially drafted and also in showing the knowledge of the people involved.

Lets take an example of this CMA in action. Under the CMA, if you visit a website and enter your name and the site borks (ASP.NET error, JSP page throwing a wobbly, or something else) you have basically made the site do something it was not intended to do by the owner.

Doing the above can have you arrested and charged for causing a computer to perform an action that was not intended.

The CMA is a sorry state of the UK’s approach to the web, rushed, confused and overall, bad for anyone using the web in the uk

By: David Kierznowski

David Kierznowski — Sun, 29 Apr 2007 19:58:31 +0000

Had some interesting feedback from Daniel on this when I brought it up as a discussion point last year, see: http://michaeldaw.org/news/news-021206/

By: /nul

/nul — Sat, 28 Apr 2007 15:08:41 +0000

Seems like Germany/France adopted the same legislation… http://www.metasploit.org/arch.....01912.html

By: NakedCleaner.com » Blog Archive » UK Computer Misuse act

NakedCleaner.com » Blog Archive » UK Computer Misuse act — Fri, 27 Apr 2007 17:29:02 +0000

[...] I’ve just read over on GNUCitizen about the changes the government has introduced to the Computer Misuse Act (UK). Making, supplying or obtaining articles for use in computer misuse offences [...]