
Listen to that high keening sound in the distance - that is the
sound of the choir singing to itself. Ignore the fact that it's
largely self-interest: they are going to do their best to convince
the media that it is all in the service of righteousness, or some
such nonsense, writes Marcus Ranum, chief security officer at
Tenable Network Security.
I am referring, of course, to the headlines like,
"Computer Misuse Act
could ban security tools" and so forth. Oh, dear golly gosh,
are they going to make computer security tools illegal? Spare
me.
I am not deeply familiar with how the UK's justice system works,
but most of the world under the rule of law does not implement
sweeping programmes of arrest and punishment whenever a minor law
is tweaked. In fact, simple bureaucracy helps prevent abuse because
of the inherent inability of the justice system to prosecute
everyone. Remember when they made dope illegal? It is not as if the
jackbooted thugs went door-to-door and dragged off everyone who had
ever inhaled.
The ground-level reality of implementing justice is that there
is a prosecutor who has to decide whether or not the government has
a good enough case to justify prosecution. The choir is trying to
get you up in arms as if there is some "ban" on some security tools
and that the waterboarding is going to start next week, but the
fact is that real security practitioners haven't got anything to
worry about.
I teach how to use the Nessus Vulnerability Scanner as part of
my job, and no prosecutor on earth is going to try to touch me for
distributing hacking tools, because prosecutors are not an automated
system that just attacks everyone who has got a potential dual-use
technology; they are people who would be putting their careers on
the line if they brought a shoddy case in front of a judge and
jury.
Before you swallow the hype about "OMG! They are banning
security tools!" engage your brain for a second and look at where
the noise is coming from, and why. You might find that the bulk of
the choir consists of vulnerability pimps who make their living
combing through software so they can
sell security flaws on the open market.
What does a day-zero fetch nowadays? $10,000? You might find
that they are worried about a "ban" because they have been dancing
back and forth in a very profitable grey area between being part of
the problem, or part of the solution.
Let me be clear: there are "security researchers" who have been
playing on both sides of the fence - and making a lot of money
doing so - while they maintain a whitewashed reputation in the
security community. Before you swallow the hype about the "ban"
please bear in mind that those day-zeros that our friends collect a
bounty for are the same vulnerabilities that will be used to jack
your system with spyware next month.
Let me be clear: I do not believe in banning the dissemination
or gathering of knowledge. I do, however, believe it is proper for
society to hold people accountable for the consequences of their
actions. The reason that we are seeing changes to the computer
crime laws in so many first-world nations is that it is
necessary.
Remember that clarifying the layout of the grey zone between
"absolutely right" and "always wrong" doesn't immediately result in
a law-enforcement clampdown. Usually, it has the useful effect of
making the people who profit in the grey area pause to think for a
second.