“Get safe online” how?
Digital Forensics and Security
Just a couple of thoughts, as I’m resting after a long long time working on my ongoing PhD and the new CSI module I’m taking…
The “Get Safe Online” (http://www.getsafeonline.com) week-long campaign by the British government began this week…
The page (and campaign) itself supposedly deals with some rather interesting questions by providing rather simplified (but ones which I think even the PC-World-certified public in this country can somewhat understand) answers…
Don’t get me wrong, here… I really really think it’s a good idea and a lovely way to raise the UK public’s non-existent security consciousness, devoting a whole week (I mean, come on, JUST a week??!!) (and not advertising it) to security.
Or, rather, it would be a good idea if the Computer Misuse Act had not been recently amended to be a security-research-killer (good The Register coverage: http://www.theregister.co.uk/2008/11/14/dos_criminalised/).
So, other than criminalising DoS/DDoS attacks, which is pointless (since they can’t actually find the attackers, DUH! And if, in some miraculous way they do, they don’t have the firepower to take them on!!) in a knee-jerk-reaction sort of way, they’ve managed to also criminalise genuine and legitimate network security research and network security development.
From The Register’s article on the Computer Misuse Act amendments: “The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is “likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence”. It is also an offence to supply an article “believing that it is likely” to be used to commit such an offence.
The meaning of “article” includes any program or data. The provisions would cover the supply of DoS or virus toolkits. Anyone convicted of breaking this section of the Act could be jailed for up to two years.” (from http://www.theregister.co.uk/2008/11/14/dos_criminalised/)
But the Police and Justice Act 2006 (with the mods enabled) reads:
“
37 Making, supplying or obtaining articles for use in computer misuse offences
After section 3 of the 1990 Act there is inserted—
“3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(4) In this section “article” includes any program or data held in electronic form.
(5) A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.”
” (http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060048_en_7#pt5-pb2-l1g35)
So (and please correct me if I’m getting/reading this wrong!!), it’s not JUST about DoS/DDoS/Virii tools/toolkits (ummm… eg. the ping utility???!!).
And, of course, this can easily, once converted into lawyerspeak (legalese) by the CPS (Crown Prosecution Service), be applied to pretty much everything under the sun, if my Legal Issues and Evidence Recovery and my CSI training taught me anything…
So, how would they actually trial it by fire (test the case in a court of law)? Easiest and by far the most productive way would be to nab some sort of newbie (of any age) who accidentally opened an e-mail attachment containing a virus or downloaded a bad bad security tool virus/DDoS toolkit to check their home network, vilify them, find a technically illiterate jury (dead easy, in this country), take them through the painful experience of a trial, throw an Anti-Social Behaviour Order (all the rage in the UK, nowadays) or some other “caution” for being a first offender at them (they wouldn’t actually dare to put them in prison, would they?), slap a fine on them, destroy their lives, and ZAPPO instant prior casework is established!!!
What will this do to legitimate security research conducted by people without the backing of big security software houses? Most likely either drive them underground (VERY deep underground) or drive them out of this country… What would this do to academic research? Gods only know!
And, just as a reminder, these lone and unbacked legitimate security researchers are the ones who actually invent the algorithms, write the code, and test and debug the code that ultimately finds its way to the big security firms’ labs and thus products… Without them, how will the public “Get safe online”? Buy a copy of a big-name brand internet security suite, install it on their Windows XP/Vista hole-ridden computers (after cleaning them up from the 999*10^100 different types of virii they contain) and be made to feel safe in their little snake-oil secure environment.
If my PhD wasn’t on the line, I’d sit back and have a good laugh about it. Since it is, and since I’d have to (as a DF Scientist/Investigator?) sift through legitimate security researchers’ stuff to find the bad bad security tool virus or DoS/DDoS toolkit sometime in the future… I will just sit back, pray to my deity it all starts happening AFTER I get my PhD, and watch the steady and unavoidable death of Network Security Research in this country I’ve up till now chosen to live and work in…
As always, flames > /dev/null !
DarkSYN @ November 18, 2008