
EU Ministers Seek To Ban Creation of Hacking Tools

alphadogg writes "Justice Ministers across Europe want to make the creation of 'hacking tools' a criminal offense, but critics have hit back at the plans, saying that they are unworkable. Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include 'the production and making available of tools for committing offenses.' This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions 'malicious software designed to create botnets or unrightfully obtained computer passwords,' but goes no further in attempting to clarify what 'tools' might be subject to criminal sanctions."
This discussion has been archived. No new comments can be posted.

  • by vlm ( 69642 )

    They mean text editors (as opposed to word processors), compilers, interpreters, etc. Pretty much anything with a command line.

    • No. They mean "malicious software designed to create botnets or unrightfully obtained computer passwords." The wording is certainly vague, but that wouldn't include text editors or compilers.
      • ...so in your world, nobody uses a text editor or a compiler to create a botnet?
        • Yes, but they're not designed to create such things. Usually.

          Not that I agree with the plan.

          • I'm pretty sure EMACS was designed to create a botnet. If, by botnet, you mean global distributed AI intent on world domination...
          • It's a pretty weak law if it can be wholly bypassed by a statement from the software developer saying that it's a security tool and not a hacking tool, though. In reality what this boils down to is yet another law they can use to lock you up if they really want to but otherwise have no good cause. "We assume you're up to no good, we can't find any evidence but... erm... look! you have some software that could be used for naughty stuff. Take him away!"
      • by Anonymous Coward on Wednesday June 15, 2011 @10:14AM (#36450918)

        Penetration testing is a necessary application hardening process that depends on access to the SAME TYPE OF TOOLS that black hats use to break an application. Think of it like viral inoculation: You need some of the enemy code in order to build an effective defense.

        • Ah, but if they ban the tools the bad guys use, then there's no need for the tools the good guys use - it's obvious! While they're about it, they should ban theft and then make locks illegal because they're no longer required. Oh, wait...
      • by LWATCDR ( 28044 )

        That is a dangerous rule. I have used password crackers on my own server passwords to see how secure my users are. I have used tools that check for exploits to check my own servers as well.
        Sure, I would love to not have hackers, but those tools can be used as a way to test servers as well as a way to exploit hacks.

      • Phew. So MITM-Phishing is still ok, I guess, as long as I don't take the passwords but only change a few bits of the data transmitted (like, say, the receiving account and amount).

        Face it, no matter how you word it you won't even come close to hitting everything without hitting anything that should definitely remain legal.

    • i mean, clearly, emacs is a threat to national security.

      • by dkf ( 304284 )

        i mean, clearly, emacs is a threat to national security.

        Trouble is, they'll ban vi at the same time. Would you want to have to write code in Microsoft Word??? (Shudder)

        • by PhilHibbs ( 4537 )

          I've been saying for a long time that any code in italics should be treated as a comment, and anything in bold should be an assertion. Rather than insist that it all be indented the same like Python does, just colour your lines in the same colour as the condition or loop.

        • by McNihil ( 612243 )

          Why not. Even MS Office... because then they can ban it too. Libre Office and all the like as well. ...a mass of reasoning discarded... They need to ditch IPv4 so that they can impinge a total control IPv6 on the populace.

    • As Richard Stallman put it in The Right to Read [gnu.org]:

      There were ways, of course, to get around the SPA and Central Licensing. They were themselves illegal. Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.

      Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.

      Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.

      Yes, it's a piece of dystopian writing, but what makes that so scary is how plausible it all is.

    • They'll ban butterflies too.
  • Don't worry... (Score:5, Insightful)

    by Anonymous Coward on Wednesday June 15, 2011 @09:57AM (#36450650)

    They'd never abuse this law by using it against people using legitimate software for legitimate purposes.

    • by Hartree ( 191324 )

      No, you'll just have to buy a computer that has lots of hardware based DRM and will only run "approved" apps and OS's.

      Oh wait. We've already got some of those and people are willing to wait in long lines and pay a premium for the newest models.

    • by idobi ( 820896 )
      Banning computers would put too many companies out of business. We should just ban operating systems. That way all these other tools won't work, and we only put a handful of companies out of business... none of them from the EU.
  • by Anonymous Coward

    Not a professional security researcher (as narrowly defined by law?) You're not allowed to possess or create tools that help find security vulnerabilities. That means you, Joe Blow who writes webapps -- you can't run attacks against your own server because the tools are illegal, and you can't build your own tools either. I guess you'll have to release that software untested in certain ways, then hope the black hats decide to follow the same laws as you.

    • Thank god it's in my job description, so I might actually get the hazmat endorsement. But what about the next generation of security researchers? Will we only get the garbage that gets out of "security colleges"? People who "learned" security research but never "felt" it? Who are used to learning by the book instead of hunting down flaws, who never learned how to actually find the resources needed?

      Security is all about NOT going by the book, pushing the envelope and thinking outside the box. And all that is

  • They obviously don't understand even the elementals of coding. Now if they really want to get these guys there are better ways of doing it. But trying to stop Axe murderers by taking them away from all Firemen is just retarded.
    • This is people in management positions in all levels of society. They are mentally incapable of deferring to anyone smarter than them because, in their mind, they are the best and the brightest. It's not hyperbole to say that western civilisation is in crisis because of the hubris at the top (in the boardroom and in the legislatures).

      • Oh, I do not assume that management people are "dumb". I certainly do not want to trade with them and they would most likely blow me out of the water in anything related to marketing, legal or business administration. I dabble in those three fields to some degree (ok, at least the latter two, I only have to "sell" security to my manager), but I certainly wouldn't hold a candle in these fields to them.

        I'm not smarter than my CEO. But I have a different field of expertise, and luckily, he knows that, understa

    • But trying to stop Axe murderers by taking them away from all Firemen is just retarded.

      good one, I have to remember that

    • But trying to stop Axe murderers by taking them away from all Firemen is just retarded.

      Or perhaps just requiring anyone who owns an axe to register with the government? Even further, perhaps only allowing people who work for a particular agency (the fire department) to own an axe? You already see this approach taken with things like guns, and with people refusing to shut up about "cyberwarfare," it is only a matter of time before they start equating programming and debugging tools with firearms.

      • by mlts ( 1038732 ) *

        Here in the US, we already had that happen. ITAR classified cryptosystems as munitions, and the same criminal penalties applied back then as exporting nukes.

        Same crap all over again... we had discussions of exactly this on the cypherpunks list in the mid 1990s. The only difference was that the Four Horsemen of the Infocalypse were theories for the most part, not something happening in reality.

        Sad thing is that pulling "hacking tools" will not stop the intrusions. They will still happen -- only the white

      • by metlin ( 258108 )

        The analogy fails because guns can only do one thing -- hurt. Their primary (and often, only) purpose is to kill and maim. That they may be a deterrent is an epiphenomenon because first and foremost, they are weapons with one intent.

        Tools are different. That they can be used to harm is incidental. Their purposes are many and varied, but often productive.

        A better analogy would be knives. You regulate those in areas where they could be used to cause harm (e.g. planes), but allow them elsewhere (e.g. kitchens)

        • Dammit, I've been missing all the maiming and killing in the biathlon and modern pentathlon events in the Olympics?

          Jocks can and do enjoy the skill involved in target shooting without wanting to kill or maim, in exactly the same way that nerds can enjoy the skill involved in white-hat hacking, without wanting to steal and destroy.

    • by Lumpy ( 12016 )

      "is just retarded."

      you now understand politicians.. ALL OF THEM are retarded. Every word out of their mouths. WE only elect the ultra rich, and for some reason all ultra rich that have political aspirations are retarded.

      • by Hatta ( 162192 )

        for some reason all ultra rich that have political aspirations are retarded.

        That's easy enough to explain. If you're ultra-rich and smart, you'll spend the rest of your life on an island getting blown by native chicks. If you're ultra-rich and still human enough to feel guilty about what you've done to get that way, you'll be a philanthropist. Only the ultra-rich, sociopathic, AND stupid end up in politics.

      • Why do you only elect the super rich? The MEP that I voted for (and who got in, and is now serving her third term) is an active member of the FFII and campaigns against this kind of crap. She's the only one of my elected representatives that I don't feel that I need to chase to actually represent my interests - whenever I write to her with concerns about EU decisions, I get a brief reply saying 'already working on it'.
        • Why does anyone elect the super rich? They control the media, either directly, or through advertising, or through the old boys' network, and the average person doesn't read much beyond the headlines in their tabloid of choice before deciding which way to vote. The handful of people who do weigh up all the available evidence (and even there it's skewed by those with the money to get their message out) are not present in sufficient numbers to prevent the distorting effect of everyone else.
  • Uhh.. (Score:2, Interesting)

    How does one define "hacking tools?" Debuggers are pretty useful for hackers, as are things like netcat/socat, any of dozens of programming languages, and just about anything that lets you work at a low level. This does not even get into the legitimate uses of pen testing tools.

    Oh, wait, let me guess: people will have to register with the government to use any of the above?
    • by Zerth ( 26112 )

      Just do it the same way we define "burglary tools". If you have it on you and you are committing burglary, it's a burglary tool. Otherwise, no big deal.

      I can carry a flashlight most of the time and not get hassled. But if I'm walking out of a business late at night with a sack of computer bits that don't belong to me and get caught, I'll be charged with theft and possession of burglary tools(the flashlight).

      Software that is the equivalent of lockpicks(dunno, wardriving kit?) should still be legal, but som

  • by Ptolom ( 2191478 ) on Wednesday June 15, 2011 @10:04AM (#36450784)
    You can't just ban software. There is absolutely no practical way to stop people from sharing code, and there fucking shouldn't be. If you ban these tools, the only people seriously affected will be the white hats.
    • The end game may be more sinister. The goal is not to ban software, but to make a legal requirement that people register with the government to use certain kinds of software. This is naturally a good thing for large software companies, who will face less competition from smaller organizations and open source projects. It will also give law enforcement agencies one more way to arrest people who dare to write scripts or use debuggers without the proper paperwork.

      In the end, everyone except the general p
  • So would evolution be ok then?

    (Since most coding of such programs is more of an evolutionary thing than created in 6 days and then stays the same for over 6015 years

    • by arth1 ( 260657 )

      So would evolution be ok then?

      Obviously not, as you can use it to send e-mails with malicious content.

  • "Hacking Tools" (Score:5, Insightful)

    by bsDaemon ( 87307 ) on Wednesday June 15, 2011 @10:08AM (#36450830)

    They mean "hacking tools" like tor and pgp/gpg, right? Of course, first they'll come for metasploit, then nmap, then... but we all know what the end game is.

    • They mean "hacking tools" like tor and pgp/gpg, right? Of course, first they'll come for metasploit, then nmap, then... but we all know what the end game is.

      If their end game is to get everyone to get on Blacknets, they're doing a good job.

  • Compilers, Dictionaries, Debuggers, Keyboards, Computers, Internet, ... and whatever revision system the kernel hackers use.

    • certainly any OS that comes from "open source" should be banned as it can be modified to do bad things. Why, I happen to gentoo can even do bad things to a network right out of the box just by typing in an address already in use. Good people would never use such a system
  • by PPH ( 736903 ) on Wednesday June 15, 2011 @10:11AM (#36450868)

    Put that compiler down and step back. Slowly!

  • In other words... (Score:5, Insightful)

    by PoochieReds ( 4973 ) <jlayton.poochiereds@net> on Wednesday June 15, 2011 @10:15AM (#36450928) Homepage

    "Let's ensure that only those willing to break the law will have access to these tools."

    • by lpp ( 115405 )

      This. It amazes me that people still think that registering folks for access to what are considered dangerous tools or even worse, banning them altogether, is some sort of panacea that will magically protect everyone from the presumed harmful effects. If I ban guns, then only criminals will have guns. If I ban "hacker tools" (whatever the hell that's supposed to mean), then only criminals will have hacker tools. If I ban bad car analogies, well, you get the picture.

      It comes down to laziness on the part of l

  • by naasking ( 94116 ) <(naasking) (at) (gmail.com)> on Wednesday June 15, 2011 @10:19AM (#36450960) Homepage

    It still amazes me how people seek legislative solutions to what are purely technical problems. Hey politicians: you're doing it wrong. If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.

    • If you're going to legislate something, then legislate the use of memory safe programming languages and proof carrying code. Security problems would be mostly solved, and software would have fewer bugs overall to boot.

      That'd drive up the cost of software development. People write buggy, insecure code because it's fast and cheap, and that's all the end user is willing to pay for.

      • by naasking ( 94116 )

        That'd drive up the cost of software development. People write buggy, insecure code because it's fast and cheap, and that's all the end user is willing to pay for.

        I doubt very much that this cost would be less than creating legislation, enforcing it via criminal investigations, trying the accused in our overburdened courts, and housing these criminals in overflowing prisons. Legislation should always be the *last* recourse, not the first one.

      • Depends. I wouldn't object to a law requiring formal verification for financial systems, because the banks just pass the costs of compromises on to their customers and so the people making the purchasing decisions are not the same as the ones who will pick up the bill for bugs. For consumer software, it just wouldn't make sense.
  • Can't find the people who are smart enough to download and use My First Password Cracker, but I'm sure you'll totally catch the people who were smart enough to create it.

  • by bogaboga ( 793279 ) on Wednesday June 15, 2011 @10:19AM (#36450966)

    Why do these bureaucrats waste people's time? Instead of focusing on things that really do damage, like pollution or financial fraud with an example of an agency that sabotaged investigations [telegraph.co.uk], they waste time on non-issues.

    Hacking can [sometimes] be good for the society at large.

    For example, I would like to delete all information from one social networking site but I cannot. Hacking would be my only 'rescue'. And that's bad?

    • Why do they waste time? Because Politics is about emotion.

      Let's be clear here folks. By and large the majority of the readers here are programmers before any political affiliation is factored in. That puts us all in an uneasy tension with politicians because we and our industry are, at heart, antithetical to everything they are and stand for. Understand this please -- political science is a study of emotion, and the use of those emotions to sway mindless masses of people. Programming is a study of logic, a

  • Yes!

    Let's make sure professionals can't test their own security, and only people in foreign countries can attack our infrastructure!

    This is such a good idea, I wonder how nobody has thought of it multiple times every year for the past 15 years!

  • and it doesn't stop their use, why would banning their possession stop them? I fail to grasp how anyone can come to the conclusion that someone intent on criminal activities would mend their ways simply because another facet of their operation is made illegal. Guns aren't the problem, network security tools aren't the problem. People are the problem. If you want to solve the problem you're going to have to ban them.
  • If the Apple iOS/app store model is any indication of things to come, pretty soon PC's will be as locked down as consoles and cellphones. You won't have to worry about running any unauthorized code because the good folks at Apple, Dell, etc. will force you to get all your software through their app store.

  • Judge deeds. It's utterly stupid and unproductive to focus on the tools instead of focusing on the deeds.
  • Microsoft Word contains a macro language so I guess it'll be banned too.

  • Today is a good day to bribe a high-ranking public official.
  • Just so we can time how long it takes for the entire IT Industry in the EU to collapse so completely scientists will be studying it for singularity effects.

  • "Read My Lips: No New AXES"

    Seriously. Banning the creation of 'hacking tools' will only stop the 'cybercriminals' who obey the law.

  • ... EU Ministers ban the production of wire clothes hangers, screwdrivers, and hammers to stop car stereo thefts.

  • The concept of banning "hacking tools" is just silly. What would these people consider a hacking tool? SSH terminals since they allow people to connect to compromised systems or to connect to machines with "hacker tools"? Or what about IRC servers since many bot networks have used them or offer the ability to let people talk about hacking?

    Even some of the biggest "hacker tools" are used for real network and server analysis like winshark and the like.

    This is simply the wrong approach to fix a problem. Th
    • Don't fine the hackers for finding the exploits, fine the developers for not finding them. The software developers are the ones making money off the software

      In what bizarro world are you living? Most developers make money by collecting salaries, not selling software. Do you think our income is tied to revenue? I WISH! If you want to hold companies responsible as a whole, great. You want to impose penalties on companies for security problems that affect people, great. You want to impose fines on me, person

  • These people are complete morons. Anyone with Firefox and a couple HTML dev addons can perform the exact same hacks that have been going on against Sony, Software Companies, and FBI contractors. Who the fuck lets people with no understanding of the issue legislate it?

    The onus of the hack rests SOLELY on the person managing the network, and not at all on the people who stumbled upon a URL that lets them see passwords and usernames. The problem part of 'hacking' is that you assume unauthorized access to a com

  • We have a law like that in Canada, only it has a provision that if you have a legal reason to create or use those tools you are fine.

    So it must be proven that the tools are being created or used for criminal purposes in order to be prosecuted.

  • In physical security, you should always assume everyone has a lockpick. Likewise, in internet security you should assume everyone has metasploit, nmap, wireshark, etc. Building systems that are secure from cracking is not hard (protecting against a DDoS attack effectively is much more difficult). If you hire the cheapest external developers and contractors you can find to build your financial services website, don't be surprised if it's easily hacked. Good engineers should have no difficulty analyzing syste
  • Dumbass legislators: "Let's make possession of $THING a crime to prevent $BEHAVIOR!"

    Sorry, it doesn't work, and it fscks over law abiding people for any values of $THING and $BEHAVIOR that I'm aware of.

  • Now nmap, tcpdump, telnet and the like will all be banned! :|

    Oh, they said hacking tools. Great, no more C(++), java, assembly etc.

    Well, I'll go back to lego now.

  • As a network engineer and someone who uses BackTrack [backtrack-linux.org] at least once a week for penetration testing, it is obvious to me that the people who come up with these laws have no idea about anything related to the field of network and server security. Why are these morons making the decisions?
  • Because banning handguns worked so well, as we all know.

  • "European Ministers Are Morons".
    Software developers are now illegal?
