Don't panic over 'ban' on security tools

Oh, dear golly gosh, are they going to make computer security tools illegal? Spare me.

Listen to that high keening sound in the distance - that is the sound of the choir singing to itself. Ignore the fact that it's largely self-interest they are going to do their best to convince the media that it is all in the service of righteousness, or some such nonsense, writes Marcus Ranum, chief security officer at Tenable Network Security.

I am referring, of course, to the headlines like, "Computer Misuse Act could ban security tools" and so forth. Oh, dear golly gosh, are they going to make computer security tools illegal? Spare me.

I am not deeply familiar with how the UK's justice system works, but in most of the world under the rule of law does not implement sweeping programmes of arrest and punishment whenever a minor law is tweaked. In fact, simple bureaucracy helps prevent abuse because of the inherent inability of the justice system to prosecute everyone. Remember when they made dope illegal? It is not as if the jackbooted thugs went door-to-door and dragged off everyone who had ever inhaled.

The ground-level reality of implementing justice is that there is a prosecutor who has to decide whether or not the government has a good enough case to justify prosecution. The choir is trying to get you up in arms as if there is some "ban" on some security tools and that the waterboarding is going to start next week, but the fact is that real security practitioners haven't got anything to worry about.

I teach how to use the Nessus Vulnerability Scanner as part of my job, and no prosecutor on earth is going to try to touch me for distributing hacking tools, because they are not an automated system that just attacks everyone who has got a potential dual-use technology they are people who would be putting their careers on the line if they brought a shoddy case in front of a judge and jury.

Before you swallow the hype about "OMG! They are banning security tools!" engage your brain for a second and look at where the noise is coming from, and why. You might find that the bulk of the choir consists of vulnerability pimps who make their living combing through software so they can sell security flaws on the open market.

What does a day-zero fetch nowadays? $10,000? You might find that they are worried about a "ban" because they have been dancing back and forth in a very profitable grey area between being part of the problem, or part of the solution.

Let me be clear: there are "security researchers" who have been playing on both sides of the fence - and making a lot of money doing so - while they maintain a whitewashed reputation in the security community. Before you swallow the hype about the "ban" please bear in mind that those day-zeros that our friends collect a bounty for are the same vulnerabilities that will be used to jack your system with spyware next month.

Let me be clear: I do not believe in banning the dissemination or gathering of knowledge. I do, however, believe it is proper for society to hold people accountable for the consequences of their actions. The reason that we are seeing changes to the computer crime laws in so many first-world nations is because it is necessary.

Remember that clarifying the layout of the grey zone between "absolutely right" and "always wrong" doesn't immediately result in a law-enforcement clampdown. Usually, it has the useful effect of making the people who profit in the grey area pause to think for a second.

Learn from mistakes made in US security >>

Read more on Antivirus, firewall and IDS products