Could someone remind me, it's two wrongs that make a right, isn't it??
Updates to the ageing Computer Misuse Act (CMA) finally come into force in England and Wales on Wednesday (1 October). Modifications to the CMA - which was enacted in 1990 before the advent of the interweb - were included in the Police and Justice Act 2006. These changes were then themselves amended by the Serious Crime Act …
make it illegal to distribute hacking tools....
as most tools hackers use have a legitimate background, and a lot of the tools used to combat hackers are the tools hackers use themselves.... who says what's not illegal and what is...
the government needs to actually get educated in the way IT actually works, and not just take the word of some small group of contractors employed by the government to advise on all that is IT. these contractors' first job is to protect their own contracts and tend to tell the government what they want to hear...
"actually gotten around to properly defining unauthorised access yet?"
What is wrong with the existing definition?
The existing definition consists of two parts:
- the access is unauthorised, that is, the owner has not given permission
- you know the access is unauthorised
The knowledge of what access is unauthorised is a combination of explicit notices and commonly accepted attitudes. If necessary it is a jury that decides.
In a similar way, I don't have a notice on my car listing the people who are allowed to drive it. But, just because the door is unlocked and the key in the ignition it doesn't give you permission to drive it away. This is a commonly accepted attitude. It doesn't need a definition in the law.
"(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, OR TO ENABLE SUCH ACCESS TO BE SECURED."
i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal.
Section 3 is changed to add the 'enable' thing too. To remove the requirement of physical damage and to change the definition of 'act' to enable Peter to be locked up if Paul did the act.
Section 3A makes it a crime to make cracking tools, networks sniffers etc. To sell or distribute tools that can be used to misuse a computer. Or even *DATA*, i.e. information is covered here, it's better to only discuss security holes outside of the UK.
As before 'unauthorized' doesn't exclude ownership, so you can own the computer and still the access can be unauthorized.
Further down there's a real mega wozzers:
"(8)If the impression conveyed by a pseudo-photograph is ..... and so shall a pseudo-photograph where the predominant impression conveyed is that the person shown is a child notwithstanding that some of the physical characteristics shown are those of an adult."
So pictures of flat-chested women dressed up in school uniforms will now get you prison time and a sex offenders registry entry. Another 'Jacqui Smith really hates men' thing.
"1 (1) A person is guilty of an offence if
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, [Text added 2007-10-01 (Scotland) by Police and Justice Act 2006 s.35(2).] [Not yet in force elsewhere in the UK.] [This addition to be cancelled by Serious Crime Act 2006 s.61(2).] or to enable any such access to be secured ;"
Does this mean Vista's illegal in Scotland until it's amended out??
"i.e. it makes it a crime to perform an act that enables someone else to misuse a computer. Where 'Enable' is left so vague as to be meaningless. i.e. punish Peter because something he does enabled Paul to do something illegal."
Peter's modification to enable Paul's access would need to constitute an authorised modification in its own right. Otherwise, the loophole in the original Act remains that, if Peter, without authority, creates a privileged account on a system (for example), and then passes the details to Paul to carry out the exploit, Peter could not be charged under the Act.
In any case, s61, Serious Crime Act 2007, repeals s35(2) of the Police and Justice Act 2006, so this provision does not come into force.
"Section 3A makes it a crime to make cracking tools, networks sniffers etc. "
No, it does not. The drafting is not perfect, but, it is a criminal offence to create a tool "intending it to be used to commit, or assist in the commission of, a [computer misuse act] offence." If you write a packet sniffer for testing your network, the burden of proof would be on the prosecution to prove that you intended to use it to commit an offence. It has the element of "intention" - a mental state - and is not absolute.
It's not perfect by a long shot, but, it's not as bad as you point out, at least to my mind.
The drafting of s37(3), sadly, is entirely incomprehensible to me.
stuff the human operators, it is all about the computers now.
The law is crazy, and no doubt there will be workarounds.
But really it means no one will distribute pen testing software to the UK.
And a lot of authors will add a clause saying this software cannot be distributed to the UK, so that copy of nmap you have in your bottom drawer may very well be illegal if not under this act, but under copyright and licence agreement. Be interesting to see how that all plays out.
So say you are a computer security company, you get a telephone call to check out a security problem, you wade on in, fire up nmap to check for any weaknesses, at that point you probably have committed some sort of crime (civil or perhaps criminal), when that comes up in court the defence may use that to say the evidence obtained was obtained in an unlawful manner.
That's the real problem, this law actually makes forensics much harder to achieve, oh well.
and does not fix every possible vulnerability to that code is breaking the law...
to go on further.... every time a new hole is found in Windows and it has been exploited, Microsoft is going to end up in court?
I thought not !!!
mine's the one with all the patches...
"he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable such access to be secured"
It's not as clear as it could be. I assume it means "he causes a computer to perform any function with intent (i) to secure access, or (ii) (with intent) to enable such access to be secured". Thus, whether you're actually performing the function, or merely enabling it to be performed, it's the _intent_ that matters. Otherwise, indeed, most programmers would be guilty (not just for vulnerabilities; any program that accesses data can be used with intent to access data without permission)!