Saturday, January 05, 2008

Has security testing just got a whole lot harder in the UK?

A lot of people are voicing the opinion that the answer is yes - UK security testing in general will be worse off. If you've missed this furore, the cause is the change in legislation which bans creating and distributing tools that help hackers. This post in Web Pro News succinctly puts the case against the legislation. I don't agree with its conclusion that the UK security industry is dead, but it puts the case clearly:

In what could be a bad day for United Kingdom penetration testers, stress testers, and other systems security folks, the UK is getting ready to ban the creation and distribution of tools that could be used by hackers. This generally unpleasant concept could make it not only impossible to create the next Nessus or Nmap by anyone in the UK, it could also send them to jail for distributing the tools they make as well. This ought to set back UK computer security by decades.
The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from Nmap through Wireshark to Perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.
This should be quickly tested in the UK courts, the "minute the ink is wet on the paper" kind of legal testing. There are multiple programs, Perl, C++, shell scripts in C, and other programs and tools that are made by people to do things. Dual-use tools are tools that can be used for both good and evil. It will be difficult to determine the intent of the tool developer unless they leave behind incriminating e-mails saying the tool was created to rip off millions of people. Any form of distribution would also be included in the statutes, meaning the mere act of sharing a tool with your security friends could be bad for your continued security career. This is generally bad, and will hamper legitimate security workers and researchers. The state of the security industry in the UK is now dead. The hackers will win this one unfortunately, and there seems to be no way to stop this kind of legislation short of a court testing of its legitimacy.