Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

British infosec businesses are celebrating the 30th birthday of the Computer Misuse Act 1990 by writing to Prime Minister Boris Johnson urging reform of the elderly cybercrime law. The Computer Misuse Act (CMA) received Royal Assent on 29 June 1990, before "the concept of cyber security and threat intelligence research," the …

  1. Cederic Silver badge

    Good

    A company that decides I'm a security threat and hacks my PC is breaking the law and must continue to be breaking the law.

    Seems to me that aspect of the Computer Misuse Act is doing its job.

    1. Anonymous Coward

      Re: Good

      So your objection to fixing the broken bits is that there are some bits that aren't broken?

      1. Joe W Silver badge

        Re: Good

        Well, using an example where it worked in an article on how it is broken is maybe not that great an idea...

        And maybe it is that, in any political system, the fear should be that the only working portion will be broken when rewriting / updating the law?

      2. Tom 7

        Re: Good

        My problem would be that the broken bits would not be fixed and the working bits will be broken. By the time this goes through parliament the Tories will add a few amendments and the Computer Misuse Act will be "whatever you do, but nothing the government or its agents do".

        1. Anonymous Coward

          Re: Good

          The later amendments to the CMA are especially poor. Most notably, the Police and Justice Act 2006 Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) created a new section 3A in the CMA which effectively makes a lot of cyber security tools illegal in the eyes of a well-motivated prosecutor.

  2. Cynic_999

    The law is fine and doesn't need changing

    If a "security person" wants to "test" the vulnerabilities of someone's computer, then they should ask permission from the owner of the computer before conducting such testing. Otherwise anyone could claim after being caught that he was a "white hat" merely "testing security".

    If the police want to secretly infect a suspect's computer with software that gathers evidence that may aid their investigation, or to download data without the suspect's approval or knowledge, then to do so legally requires that they first obtain a warrant that grants permission for them to do so (called an "interference to equipment" warrant). If they do not obtain such a warrant, then they are quite rightly guilty of breaking the computer misuse act. The warrant provides judicial oversight to ensure that the unauthorised access to the suspect's computer is fair and proportionate, and the police are not abusing their powers. See https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715479/Equipment_Interference_Code_of_Practice.pdf

    1. Hans Neeson-Bumpsadese Silver badge

      Re: The law is fine and doesn't need changing

      If a "security person" wants to "test" the vulnerabilities of someone's computer, then they should ask permission from the owner of the computer before conducting such testing. Otherwise anyone could claim after being caught that he was a "white hat" merely "testing security".

      Agreed. All the times I've been involved with security testing, there's been paperwork agreed between the client and the testers with words to the effect of "you're going to do something naughty, but it's OK because we've asked you to (so that we know how to detect/stop other people from being naughty)" and that makes common sense. Therefore there is no "unauthorised" activity.

      I've always been a bit mystified as to why people who, without any solicitation, try to break into networks and snoop around are in some way considered to be heroic in their actions because they are highlighting weaknesses in someone's security. Outside of cyberspace, it's the equivalent of going down the street trying to pick door locks to get into people's houses, just so you can tell someone that they need to replace their aging Yale... something which feels both wrong and creepy in equal measure.

      1. Anonymous Coward

        Re: The law is fine and doesn't need changing

        I did a pen testing course a while back and we were constantly told to make sure we had an airtight contract signed by as senior a person as possible before we started doing any work at all, even just recon, to make sure we were covered by the law. If they had their way, all CEOs would agree to pen tests in blood just to make it completely iron tight.

        I've also got multiple stories of people in IT or security who decided to investigate someone doing something dodgy internally without permission and got fired themselves, even though they caught the person in the act, because they weren't permitted to do what they'd done!

        1. Cederic Silver badge

          Re: The law is fine and doesn't need changing

          Yeah, I've had several occasions where I've had to tell colleagues to stop immediately and report it to less capable people in another department, entirely because of who had legal authority to investigate and fix things.

          Even where the Infosec team trust and ask me to do things I'll sit and shadow them while they do the work, using their credentials on their keyboard with me in a purely advisory role (where the advice may be, "..and now type this.")

          If you want unrestricted access to hack away without fear, go and join the NSA.

        2. Drew Scriver

          Re: The law is fine and doesn't need changing

          One of the problems is that customers currently have no recourse if they find (or suspect) a vulnerability, and that companies care very little. How about a branch manager of one of the top-3 banks in the USA who had never even heard of PCI-DSS...? Or one of the top-10 banks I called to report that it was possible to gain access to account holders' accounts, only to be told that they had no process for escalating my findings to their Cyber Security department?

          Worse, if a customer suspects an issue they don't have a legal means to dig a little deeper to see if their data may in fact be at risk.

          To compound the problem, some companies go to great lengths to hide their problems rather than to address them. Remember the bank (!) that formally asked (forced?) Qualys to disallow the public from running an SSL-test on their main domain because it kept returning an "F"?

          I would propose three actions as part of fixing the general security legislation:

          1) A (government) clearinghouse/database where the public can report issues. Reports are to be automatically made public after x days, or at the very least it should be public where the company is failing. Receiving even general flags like "PCI-DSS violation, OWASP-violation, NIST-violation, unpatched systems, runs EOL-software", would most likely spur companies into action.

          2) A (government) agency where members of the public can register themselves, report suspected issues and be given clearance to investigate (within white-hat boundaries) a specific issue.

          3) Make executives personally liable for breaches that are the result of demonstrated decisions not to do due diligence. That should all but eliminate those instances where people "on the floor" are flagging an issue only to be rebuffed by the corporation.

          1. amanfromMars 1 Silver badge

            Re: The law is fine and doesn't need changing says Nero Fiddlers as Rome burns

            To compound the problem, some companies go to great lengths to hide their problems rather than to address them .... Drew Scriver

            And what do you think happens whenever the problem compounding is some countries going to great lengths to hide their problems rather than to address them? Apart from the fact that it be a classic recipe for disaster in orders of magnitude of epic proportions unfolding at relative breakneck speed.

            Law changing is gonna do diddly squat, as in sweet FA, to divert or restrain that grand monster.

    2. Pier Reviewer

      Re: The law is fine and doesn't need changing

      No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.

      The entire thing is so widely drafted it’s ripe for abuse. However the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.

      Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc so they don’t get popped? Again, criminal. Share it with the wider community to help as many ppl as possible? Same.

      Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.

      How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.

      But those ppl won’t get prosecuted you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong ppl? Criminal record says hi!

      There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.

      The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but Ofc nothing will change as MPs have no knowledge of the field and no desire to learn.

      1. Anonymous Coward

        Peer Reviewer...

        Sorry for the downvote, but after you've used "ppl" so many times because you obviously can't be arsed to type those extra Three Fekkin Characters in a multi-paragraph post, it made me want to smack you upside the head with a foam pool noodle filled with frozen fetid fish guts.

        Friends don't let friends do txt spk. ;-)

    3. cbars Bronze badge

      Re: The law is fine and doesn't need changing

      Yes, but this isn't just people lobbying. If you were an infosec company, wouldn't it be nice to be able to cold call and say "hey, you've got a problem you need someone to fix... FYI we fix this stuff..."

      That's where this is coming from. Also, another avenue for giving the plod a pass on creepy powers while dressing it up as security, so the Home Sec will love the idea of reform.

  3. Chris G

    So far Boris hasn't got round to replying.

    As soon as he has found the most advantageous way to deal with this, he will reply.

    1. tony2heads

      Re: So far Boris hasn't got round to replying.

      No : as soon as Dominic Cummings tells Boris what to say, Boris will reply

        1. Anonymous Coward

        Re: So far Boris hasn't got round to replying.

        Your post is so tedious that I caught narcolepsy from it.

  4. steelpillow Silver badge

    Don't change the ban, change the insurance policy.

    The law is right to keep pen testers with unknown-coloured hats at bay. The problem is obtaining permission to carry out defensive screening. Emailing the hapless outfit with "Hi, can I run a fake cyberattack on you?" can hardly have a good response rate.

    We need a regulatory regime where insurance companies put your permission in the small print and are then able to delegate the research to approved cybersecurity operations.

  5. Anonymous Coward

    CMA Violation....does this count?

    https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    1. Cederic Silver badge

      Re: CMA Violation....does this count?

      No. Section 10 is the "doesn't apply to us" clause that also lets the police search your phone even when you scream, "No! That's got my naked bottom pictures on it!"

  6. This post has been deleted by its author

  7. amanfromMars 1 Silver badge

    Such as an abdication has one almost speechless ......

    So far Boris hasn't got round to replying.

    FFS, Boris, IT isn't to be Ignored for you are Beholding to All of their Services. Are you gonna step in line or crash out of leading following Colossal Future Events?

    What do assorted super-talented weirdos and misfits with odd skills to exercise for Government think of such as silence as an adequate response to a virtual emergency ..... with Myriad Psychotic Global Episodes to Remotely Control with Almighty Commands .... in Simple Texts Relaying Instructions to Future Directors of Present Promotions ..... for Other Worldly Views Depicting the States of Current Progress in NEWS Broadcasts.

    The premise is simple ...... Creating brave new smarter worlds virtually with and for human assets, with programming which seamlessly morphs and introduces multiple practical realisations in the physical mainstream, is the Future Way to Go ....... with a Vital Blighty Source ‽ .

    Tell us all here there's No Flash Slush Fund Cash for Targeted Disbursement for/to Any of those Sorts of Operations, and you'd be surely wrong ? :-)

    For the Likes of a DARPA or National Cyber Force is such a facility and ability sort of essential, methinks, for to aid guarantee of Operational Program Success in environments requiring Capital Churn ...... Generative Expensive Expansive Spends.

    1. Cliff Thorburn

      Re: Such as an abdication has one almost speechless ......

      When you get psychologically tortured, and told ‘no more nukes’, you kind of get the message that Blowjo and Cumming’s aint interested in paying the slush fund dues amFM ...

      1. amanfromMars 1 Silver badge

        Re: Such as an abdication has one almost speechless ......

        When you get psychologically tortured, and told ‘no more nukes’, you kind of get the message that Blowjo and Cumming’s aint interested in paying the slush fund dues amFM ... ..... Cliff Thorburn

        I suppose it is fortunate then that the likes of they are not needed nor heeded by that and those in control of such novel stealthy, stay healthy and wealthy decisions, CT, as reward one with such a facility for utilities beyond most normal supernatural abilities.

  8. Version 1.0 Silver badge

    How effective has the law been?

    I see attempts to log into our mail server every 10-20 seconds from all over the world, illegal under this act, but what's the point of even bothering to call anyone about it? Nobody cares; in terms of stopping crime I think it's less than one milli-percent effective.
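    The failed logins Version 1.0 describes above are at least something a mail admin can measure rather than just watch. The following is an added example, not code from the thread or from any poster: it parses Postfix-style "SASL ... authentication failed" syslog lines, groups failures by source address, and flags any source that hits a threshold inside a time window. The log lines are constructed for the example, and the log format, the assumed year, the threshold and the window are all assumptions; adapt the regex to whatever your MTA actually logs.

```python
"""Brute-force login detector over mail-server auth failures.

Added example, not from the original thread. It assumes Postfix-style
"SASL <mech> authentication failed" warnings in classic syslog format.
The SAMPLE_LOG lines below are constructed for the example, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Matches lines such as:
# "Jun 29 12:00:15 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) authentication failed"
)

SYSLOG_YEAR = 2020  # assumption: classic syslog timestamps carry no year

# Constructed sample: one source hammering LOGIN every 15 s (two lines deliberately
# out of order), one source with two widely spaced PLAIN failures, one unrelated line.
SAMPLE_LOG = [
    "Jun 29 12:00:00 mx postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
    "Jun 29 12:00:00 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:00:15 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:00:45 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:00:30 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:01:00 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:01:15 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jun 29 12:03:00 mx postfix/smtpd[1301]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Jun 29 12:06:00 mx postfix/smtpd[1302]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
]


def parse_failures(lines):
    """Yield (timestamp, source_ip, mechanism) for each auth-failure line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["mech"]


def summarise_sources(lines, window=timedelta(minutes=10), threshold=5):
    """Group failures by source IP; flag a source if `threshold` consecutive failures fit inside `window`."""
    by_ip = defaultdict(list)
    for ts, ip, _mech in parse_failures(lines):
        by_ip[ip].append(ts)

    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()  # syslog can deliver out of order; sort before measuring gaps
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Sliding window over sorted timestamps: any run of `threshold` failures
        # whose first and last are at most `window` apart counts as brute force.
        flagged = any(
            stamps[i + threshold - 1] - stamps[i] <= window
            for i in range(len(stamps) - threshold + 1)
        )
        report[ip] = {
            "attempts": len(stamps),
            "median_gap_s": median(gaps) if gaps else None,
            "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for ip, stats in summarise_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

    The sliding window, rather than a plain count, is what keeps two fat-fingered passwords an hour apart from tripping the same rule as a scripted run at one attempt every 15 seconds; the median gap is reported so you can see the cadence the commenter describes rather than just a total.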

  9. IGotOut Silver badge

    It would have to be very carefully worded.

    Many here have said "Don't change it", but, for example, a port scan followed by logging in with a default password on an IoT piece of crap could, in theory, get you arrested. So do you contact HappyLuckyDevicesMakeYouExcellelent to tell them you intend to check for security holes?

    And if they say "No", do you leave that heap of crap just sitting out there being used as a botnet?

    On the flip side, if you say it's OK to log in and check, the bad guys can say "Hey, we were looking for security holes. No intention of doing anything bad."

    It's not a case of yes or no.

  10. amanfromMars 1 Silver badge

    Strewth! ......

    Do you really believe any competent and effective security operation penetrations testing systems and agents would seek permission or advise subjects they be subjects/objects/persons of third party interest?

    1. Anonymous Coward

      Re: Strewth! ......

      Once upon a time, a long time ago, and a long way away... a CIO hired white hats to do a penetration test on the IT infrastructure. So... "Yes", people do know that these tests are being done.

      *

      Sad to say, the CIO's expectation of a clean bill of health was not fulfilled. In fact, ANOTHER member of the Board of Directors (the legal one) was reading a copy of the CIO's email inbox within a few hours.

      *

      .....and a couple of years later, when the test was repeated....with the same outcome.....(more junior) people were fired out of hand.

      *

      .....makes one wonder what the state of play in that large corporation might be today!
