The Computer Misused Act

Tue, 01 Apr 2008 19:37:46 GMT

Both Ivan Ristic and Nathan McFeters has blogged about it so I wont waste your time with what they have already said. Go ahead and read their blogs. Instead, I would like to represent my view in this blog post.

Just as a background, I've already talked about the British Computer Misuse Act. Now, what really makes me worried is that this act wont fix anything. In fact, it will make the situation far worse. And Britain is the next example to follow Germany, which I am sure will be followed by The United States of America very soon, as it seems that they are the initiators of the recent anti-hacker craze.

Security though obscurity does not work!

The law cannot prevent the distribution of information. Have we get rid of the piracy problem? No! In fact, the piracy industry is now far welloff then in the past. You can probably notice that every movie or tv show is available online without the need to access bittorrent or any other distribution network. The music industry is much the same. As a result, bands such as Radiohead and Scissor Sisters, I believe, have offered their music for free because free does make an economic sense.

In a similar way, the Computer Misuse Act will make the availability to exploits far much easier then now. People wont stop publishing security information. They will switch the medium. Instead of posting info on personal blogs, they will do that on Wikipedia or any other site that allows anonymous contributions. The distribution of info on the Web is a breeze now-a-days with the existence of things such as RSS, ATOM and aggregation engines. The reach of information and availability of exploits and the fact that there are no opinion makers to shape the thinking of younger generations of information security experts, will make the situation unbearable, not only for those who don't deserver the punishment but also to companies and organizations who cannot protect themselves. Security is not a destination. It is a process. We cannot train a monkey to run a scanner. We need people who understand the risk to show us which of our assets are at stake. With that law in place we are actually reverting what we have already built with far too many sacrifices.

But this is just me thinking and expressing opinion. It is your say really.

Awesome AnDrEwAwesome AnDrEw
It is an awfully familiar concept, and makes sense, pdp. I'm sure you are correct when you say the United States will be following suit. Seems like just another "war", which will undoubtedly cause the exact opposite of what it was started for (War on Drugs, War on "Terror", et cetera).
IxIx
Can't let those Brits and Germans take our top place for, silly, goofy, and just plain wrong laws. We'll most likely get a similar law here, probably written worse too, and chances are it will happen like this. Clueless House member listens to clueless lobbyist who heard this Act will cut down on "evil" hacking, they then go on to spread the word to everyone they know and all of those people are clueless too, so when voting time comes we've got a lot of clueless people approving something they think is good even though it's likely going to be worse than the Computer Misuse Act. We get a new law then, and likely AnDrEw above me is right, so we wind up with the "War on Hackers" based on this new law. Security researchers find themselves either in a new line of work or meeting "Bubba" in the cell block, hackers go underground, and the police units to deal with cybercrime ultimately fail miserably since all the security researchers that could've trained them are missing for some reason. Heck, it wouldn't surprise me if our law is written so bad that a security researcher who sticks around and trains the cybercrime units winds up arrested after teaching one due to some miswritten clause in it.
Matt HillmanMatt Hillman
The amendment is indeed a scary prospect. We did a podcast discussing this issue at length and the potential problems, most of which are conjecture at the moment, but it leaves you with a scary sense of the unknown. You can grab the podcast at http://media.libsyn.com/media/sploitcast/sploitcast_25.mp3 I love the way you link this with the concept of security through obscurity. I never looked at it so directly as that before but I think you make a good concise point. (Conciseness being rather lacking in the podcast hehe).
TronyxTronyx
The interesting thing about this law it how shortsighted it is. Its only real interest appears to be a way to stop those that are interested in being publicly legitimate. The 'bad' hackers already break plenty of laws, what's one more? This law only affects those that care about the law to begin with. As these laws progress and get increasingly absurd, the more people will flagrantly ignore them (at least I suspect they will). Look at software and music piracy. There's a good helping of laws against those things, but they don't appear to be dying down now do they?
MarchinerMarchiner
I just want to say that i believe that all of us here were expecting something like this new laws. All the time we see that many authors of digital crimes are not going to be arrested because there are no "specifics laws" for this kind of "cyber crimes". And the government's are starting to create this mechanisms to prevent and punish people that take the bad way. But of course, as many others times they are making mistakes. They think that creating this new rules they will stop the thing " at startup" when you are just studying or learning about hacking, but as all you said "this will not happend". Pdp compared the situations to the media piracy scenarios, and what we have today? Yes... i am asking it to you. We have things like Emule, torrent and others... people using p2p networks to have acess to piracy media, software, ebooks, serials and other things. Is just a question of time until the exploits and hackin material databases go to the same way. But, i agree with Tronyx the "good guys" will be considered "bad guys" and all the comunits as gnucitizen are going to be considered "bad guys". Is that realy? Is that true? I don't think it so. And believe that you dont.. i really hope so. All this kind comunit´s do is act like white hat´s do. They study ways to find securiy holes and spread it to the web comunity.. respecting the company´s that have securty problems and giving time to they correct the bug until this go to web. Do you remember the PDF case last year? To sum up, i just want to say that " they need it" ... "they need us" .... and they need " ETHICAL HACKING ". Many companys that develop software don´t have time or professionals to develop something that really have security inside. Thats why i believe that they really need us. Can you see a word where security professionals are no able search or publish information about secuty holes? Becouse ... i dont!
pdppdp
The PDF case went out of control no matter which way you look at it.
MarchinerMarchiner
Pdp, -- ok.. the PDF case whent out of control as you said... i know! POCs come out and more... -- But please.. can´t you agree with me something? The "Adobe developers" and "Adobe PDF users" where not alerted about the security hole in time? This is not better than when you don´t have any idea of a security hole and someone is using it? Please dude.. as you see my english is a %#$#%! I hope that you are understanding what i type.
pdppdp
Marchiner, actually, I cannot understand your point. :) no hard feelings dude
ikonoklasmikonoklasm
I read this a few days ago and am terribly disturbed. It's just one more demonstration of the severely flawed logic used in the decision making process of (most) lawmakers and enforcers in countries today. The world of the technologist has progressed so far beyond that of the bureaucrat, and these laws heavily magnify the failings of their top-down ideology. Top-down fixes never work, the U.S education system is a blindingly obvious example, and it is akin to putting a band-aid on a bullet wound. Yet politicians are able to defend shortcomings through obscurity of the law, societal and departmental issues. In the face of technology, namely the internet, there are no societal and departmental boundaries to hide behind, which puts the crudeness of their “fix” strategy in the spotlight. I'm beginning to wonder if govt organizations just need fresh blood? As a developer, researcher, scientist, think of all the problems where you’ve worked hard to derive an optimal solution? Why aren’t we seeing this in govt? Am I just going off the deep end with this? My point is, I see more failure than progress, in comparison to a booming tech corporate sector. How can we get more critical thinkers, problem solvers, and people who understand technology into the places that matter? Egads - Maybe it’s not as bad as it seems. This just really ruffled my feathers.
Phil HubbardPhil Hubbard
Laws are like spider webs, they catch small flies, but allow wasps and hornets to escape. -Anacharsis