Saturday, January 05, 2008

Banning Hacking Tools

Here's another tale of government trying to stop crime by banning general-purpose tools that are used in crime as well as to protect against it. Security, network, and system administrators should regularly use tools to detect vulnerabilities. These tools are also used by hackers (and so would be illegal), but that is precisely why they should be available to everyone: to level the playing field. Fortunately the law's guidance improves the situation slightly, but the overarching approach is fundamentally flawed.

As a deterrent it is almost wholly ineffective. If someone is already breaking into computers, they are already disregarding the law. Another law prohibiting the use or distribution of the tools used in committing the crime is a deterrent only in that it slightly increases the risk to the perpetrator by increasing the penalties if caught (like armed robbery vs. plain old robbery, although in this case simple social engineering is probably as effective as, or more effective than, some of these tools). If the criminal is already willing to risk jail time, what's a little more added on?

It is also an attempt to simplify catching cyber criminals, I suppose. Tracking them through cyberspace is hard; much easier if all you have to do is find people with "Evil" tools. Except for that niggling problem of justice: people not breaking into computers will have the tools too, so how do you tell the two apart? Intent, it turns out. I'm sure that's nice and crisply defined.

Perhaps the law was intended to keep these tools out of the hands of the bad guys in the first place? Even if you could somehow ban the transfer of these tools into the UK, this is the Internet; trying to stop the distribution of, well, anything isn't exactly a cakewalk. And if legitimate folks get to use the tools, then this law can do nothing to control their flow.

IT and security professionals need the tools to protect themselves. The criminals will have the tools whether you ban them or not. (They aren't going to give up their life of crime and take up professional knitting.) They'll have other techniques like phishing (let's ban email!) and social engineering (cursed evil telephones!). So with laws that ban dual-purpose tools, all you're really doing is tipping the balance in favor of criminals. Brilliant.
