“Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.” Wait, what?
Oh my, I’d better remove Wireshark from my computer, they’ll never believe I’m only using it to sniff USB packets.
Civil Liberties Committee my ass.
It’s called doublespeak.
Don’t forget Tcpdump.
So what is a hacking tool ? nmap ? fping ? nc/telnet ? a compiler and API-documentation ? Any scripting language like Perl ?
“Hacking” really is just about sending the right series of bytes to a destination or maybe even a broadcast.
The recent Windows Remote Desktop vulnerability (MS12-020) is a perfect example and the instructions how to test for the vulnerability are:
nc SERVER 3389 < termdd_1.dat
It really is that simple.
Not only that, but I’m pretty sure we all have hacking tools built into Windows.
Using a simple batch script, it’s possible to “ping” a range of IPs, then use “net view”. That can be used to see shares even over the internet, sometimes entire drives being shared with read/write permissions. Thus giving 100% access to the remote PC using basic Windows ‘hacking tools’.
Not only that, but there are even more dangerous tools such as Windows Live Messenger that can be used to talk to said victim and ask for details of their password/security setup! :O That in itself may be one of the worst hacking tools ever invented as it allows 100% social engineering capabilities.
AND let’s not forget using email as well! Last week I got an email from a friend who got it forwarded on from her mum’s dad’s brother’s best friend’s uncle who works at MI5 in NASA who personally knows the guy who put the virus on everyone’s computer, it was totally by accident, but the email said to check for System32 in the Windows folder. If you have it, you got the virus so to delete it. I think I was too late because all the virus I deleted from the 4 computers here stopped working! I’m so glad the EU is going to ban email, it’s soo bad.
Also consider that an important means of “distributed hacking” are botnets, typically consisting of hijacked “Windows” PCs that are carrying out the orders of the attacker who can hide in the background. Those PCs are hacking tools (given the broad idea of the definition of what “hacking” and maybe “cracking” is supposed to be interpreted). So everyone having a PC at home is in possession of a hacking tool which should be taken away.
Hell, meanwhile even (networked) printers can be used for hacking networks!
Furthermore, add corporate PC fleets to the mix. They’re also a welcome means for performing DDoS attacks and sending spam, for committing industry espionage and data sabotage. As those also are hacking tools, they have to be removed from the offices.
Finally, everyone found guilty of having a hacking tool should pay. After all, getting the penalty fees is where the whole thing pays.
Do I see that correctly, or should I continue facing the telescreen telling me that WAR IS PEACE, FREEDOM IS SLAVERY, and IGNORANCE IS STRENGTH? 🙂
Who the heck is this “Civil Liberties Committee”?
A new agreement on the transfer of EU air passengers’ personal data to the US Department of Homeland Security was approved by the Civil Liberties Committee of the European Parliament on 27 March.
(from http://www.neurope.eu/article/civil-liberties-committee-narrowly-pa… )
It does not seem to me too much of a protection of EU citizens’ civil liberties, although their name doesn’t promise anything in that direction 😉
1. I can throw my security auditing tools.
2. Go raise goats.
More seriously, the French version is a little bit more accurate, from my point of view, by speaking about “tools to make cyber robbery”
… If I understand French correctly… O:-)
The French version makes extensive use of the word “piratage”, which is historically mostly about breaking into someone else’s systems, DDoSing, privilege escalation, and other forms of cyber-attacks.
However, as soon as digitally clueless politics get involved, vocabulary always gets badly hurt. As such, the term has also recently been used for unrelated illegal activities like cracking software or making illegal copies of copyrighted content.
Thankfully, we still use a different word in French for stuff involving cool ships and black flags, which is “piraterie”. However, it’s maybe only a matter of time…
Anyway !
In the former meaning, this “hacking tools” expression could target stuff like password recovery tools, which are exclusively used to break computer security for legitimate or illegitimate purpose. In the latter meaning, it is worse, basically the computer equivalent of a generalized ban on carrying knives around in public places because you can hurt people with them (I believe they have something like that in the UK).
Edited 2012-04-05 07:07 UTC
So “rooting” your phone is gonna be illegal in the EU ?
I guess it depends on two things :
1/Is your copy of your phone’s OS considered to be yours by EU law* ?
2/Can a rooting tool be used to root someone else’s phone without consent ?
* Or, to say it otherwise, are EULA clauses in the spirit of “all rights which are not explicitly stated in this licence agreement are reserved by EvilCompany inc.” legally binding ?
Edited 2012-04-06 04:37 UTC
I could rob you with a screwdriver.
This is an outrage! Those damn hardware stores must pay up!
I see the point:
Well trained goats are soooo dangerous !!
Guess I’ll just have to add ‘Pen. Testing’ to my job description and they’ll leave my need for wireshark and other tools alone?
If MPAA/RIAA were busted hacking into people’s computers and actually prosecuted and put in prison..
They are pretty bad about DDOS of computers they suspect of having copyrighted materials, and breaking into computers to get proof.. *sigh* I guess accountability and the law doesn’t apply to everyone, we have the best governments money can buy..
Question: How is a ‘hacking tool’ defined? It seems very much that one man’s hacking tool is another man’s tool used to test the security of their network.
“Question: How is a ‘hacking tool’ defined? It seems very much that one man’s hacking tool is another man’s tool used to test the security of their network.”
Good question, tools can be used for many purposes, legitimate and nefarious. What troubles me is that if taken seriously, a law like this criminalizes honest people who are educating themselves while doing absolutely nothing to stop the real criminals.
Most likely the law won’t be enforced very often, but it’s disturbing to have laws on the books that innocent people will break so easily. It enables authorities to use it as a catch-all law to snag people who aren’t doing anything wrong, but the authorities want to convict anyways. The real hackers are ALREADY breaking laws for real hacking offenses.
Depending on how broadly you define “hacking tool”, I could be arrested for doing my job. I repair computers these days, and some of my tools are for data recovery, password retrieval or resetting, and malware removal. Pretty much 80% of the software tools I use get shot down by functioning antivirus software, not because they’re infected, but because of the nature of the way they work to serve their purpose.
One particular tool I use is that NT password reset boot disc that I’m sure any good computer tech has, I’m sure that would be classed as a “hacking tool”. For similar situations, I also use Konboot, which bypasses the password once without a trace of it having been done. That’s certainly a “hacking tool” provided physical access to the machine.
I think you found the very reason for this law draft to exist.
Hacking tool? What’s more of a hacking tool than a computer?
So, we can’t use telnet anymore? GNU/Linux? Firefox/Chrome? You-name-it?
What a lousy attempt to stop hackers.
ping is a hacking tool!
Does this mean that Visual Studio, GCC and any tool that can be used to write malicious code will be outlawed too? Hooray for the brave European Union!!!
Taken at face value, possession of a Windows password reset disk or the Sysinternals Suite (now owned by Microsoft) could potentially result in a criminal record.
I’m sure many IT professionals have tools such as this to recover forgetful users or to remotely run commands in order to fix problems… I’m also sure most of those folk have only used these with good reason and never to attack systems they have no business touching.
You’d hope the so-called “Civil Liberties Committee” had enough expertise to differentiate between legitimate use and attacks but then again, this is the EU so who knows the origins/agenda of this draft?
I was going to mention that too. Not a good idea. Vague and generic laws are the police state’s favourite weapon.
Taken at face value, possession of Windows could be criminal; after all, it comes with ping, tracert, pathping and nslookup, all network hacking tools.
I suppose possession of a Unix box (OSX?) will mean they throw the key away.
I guess all the little kiddies will have to go outside and play now… The game of “Anonymous H4x0r” is over.
I wonder if the Ion Cannon doubles as a Slushy machine…
I always have a knife for cutting some things, even my fingers when I was 4 years old. I still have a few knives and, thank God, 10 fingers; every day I cut meat, bread, fruit etc. Four years ago, three gypsies attacked me with a knife and took my money, documents and phone.
To criminalise possession of knives is more sane than what I just read.
I’m really ashamed of these idiots with power.
I really hope they put together a list of “illegal” hacking tools and keep it up to date. That way I will know which ones to get and study. Funny, I didn’t think I would be able to say it was great to live in the USA on a computer tech issue…
One of the most widely used “hacking” tools is Google search (easiest way to find sites with common, easy-to-exploit vulnerabilities). So clearly this is part of a secret conspiracy led by Apple, with the goal of getting Google search outlawed… hey, it’s no more stupid than the claims that “Microsoft is secretly funding Psystar to undermine GPL” or that “Jail-breaking will crash cell towers”.
Seriously though, I’d love to know the origin of this legislation. Did the EU government take a look at SOPA and say to themselves “You call that a stupid and overreaching piece of legislation? Pffft, we can top that!”
Edited 2012-04-04 18:02 UTC
Dear world: making things outright illegal doesn’t make them go away, it just means that they will ONLY be used for Bad Things[tm] and never Good Things[tm].
You know there’d be no car wrecks if we outlawed vehicles. Good luck to people who need ambulances, though.
Darn wrong post.
Edited 2012-04-04 19:49 UTC
I had my identity stolen and credit used and almost ruined. It took me two years to recover and countless hours and time spent on it. This crime seems to be harmless to juries but I’d give them 5 years for every person they hacked into. We just need to step up protection for the common person. It is time crooks get what they deserve. Yes, companies that allow these crooks to continue ought to pay also. I want my 2 years back. I want my $5000 back.
Possession of almost any tool used in a common crime is an offense.
Examples.
A spotlight in truck during hunting season.
Certain fishing nets in the boat.
Lock picking tools.
Metal bent to allow access to cars.
Metal bent to use as a way to open doors.
What? Like selling guns to crooks isn’t a crime also?
Maybe they ought to put signs on banks. Sign ought to read, “Please remove ski mask and unload shotgun before entering!”
IMHO, this only proves, one more time, that the way we currently use credit and debit cards online is fundamentally flawed. Which is precisely why I don’t own one of those.
So, you want to buy something. You put it in your virtual basket, log in, go to the billing page, then provide the website with all the information that is necessary to withdraw any amount of money from your bank account, at any time… wait, what ?
It is even worse when you realize that all those numbers are written on a single small physical object that may very easily be stolen.
All forms of online banking should work like paypal :
-At billing step, get redirected to your bank’s website.
-Check that you actually are on your bank’s website.
-Check the amount of money that is being withdrawn.
-Give your bank a one-time authorization to send exactly that amount of money to the target website, using login information that remains only shared between you and your bank.
-Go back to your online shopping.
I believe Thom once said that they have something like that in the Netherlands.
Edited 2012-04-05 07:20 UTC
“I believe Thom once said that they have something like that in the Netherlands.”
Yep, The Netherlands have that system. It’s called iDeal. The website puts in the payment request via a trusted broker to the bank, the bank asks the user for their secure credentials and then the payment is made.
That’s why you should use PayPal or similar services, with a strong password; the vendor never gets actual credit card details and cannot charge your account without you having to authorize it first.
I personally use PayPal exclusively these days, it is such a simple yet effective method of keeping your card details safe(r).
Criminal penalty for hacking? and what about TRACKING? Big corps can track you, but you can’t hack them? they can invade your privacy, but you can’t fight back?
And what about pentesters?
A real hacker will just build their own tools just like a murderer will buy a gun under the radar, worthless laws only effective against the honest people.
They are specifying that an IP address is like a person, which was debatable in a recent P2P trial. This is preposterous.
Also,
Wrong analogy, computer and software company should be held liable for faulty product.
Too bad, it’s already voted.
Isn’t every operating system and every turing complete device a hacking tool?
Does this only cover software? Because, when I hack, I use my computer…
What morons come up with this shit? Seriously, are they even able to put on their trousers in the morning?
From the article:
True but unfortunately not a single item in the proposal seems to be remotely related to this example.
If there was it would be about making software makers responsible for failures in their products but we all know how likely that is to happen.
Wow, welcome to 1995. IP spoofing hasn’t been a big threat for a long while now since most ISPs implement proper ingress and egress filters these days. Sure, there’s a remote chance that you could do it but it’s pretty slim. Not to mention that you’d also have to hijack a large part of the world’s BGP for it to be useful outside of your own ISP.
So pretty much any tool used to verify the security of your users’ passwords is now illegal. Brilliant.
I’m sure it’s all well-intended but for fscks sake, consult with someone with a clue and who doesn’t have a vested interest in this kind of stupid things.
You all should realize these websites don’t hack themselves. It’s the tools that do it! Having these tools makes you an immediate accessory to any hacking crimes. Just deal with it.
bnolsen,
“You all should realize these websites don’t hack themselves. It’s the tools that do it! Having these tools makes you an immediate accessory to any hacking crimes. Just deal with it.”
How exactly is someone an “immediate accessory” to hacking crimes for merely possessing network tools? That’s like saying I’m an “immediate accessory” to a robbery because I own a crowbar, which is one of the tools the robber used to gain entry.
The tools are not inherently good or bad, it’s what one does with them.
Edited 2012-04-06 07:05 UTC