EU: "Making hacking tools should be illegal"

If hacking tools are outlawed, then only outlaws will have hacking tools.<p>Meaning if you're a software developer or system admin in the EU, you better be on standby 24/7 to combat 0-day exploits.

"should be" is actually an "is" in Germany.<p>The fun thing about it: the german cia equivalent "BND" lets german developers develop hacking tools via ssh or rdp on boxes that sit in other countries to circumvent that law.<p>I'll provide a link as soon as i find a source other than one of the hackers i know.

The linked PDF is ambiguous, "penalisation of the production and making available of tools ... for committing the offences".<p>If this requires <i>mens rea</i>, i.e. they prove that your intent was for committing an offense, it's not such a big deal.<p>If it does not, i.e. your software merely could possibly be used to commit an offense, it's a <i>huge</i> deal.

Great, now we can have <i>even more</i> "illegal math".

Laws with unintended consequences should be illegal.

Your hacking tool is my security analysis tool.

Wouldn't it be simpler and more efficacious to simply ban sales of Windows in the EU, or mandate that they fix the security issues?<p>Not that I favor ludicrous bans of this sort, or that I think they will work. Because I manifestly don't. But geez, if you're going to be over-the-top Orwellian, at least do something that has a chance of achieving your stated goals.

What about vulnerability testing software? In principle those can be used as attack tools.<p>Maybe a line can be drawn... Design kits for viruses come to mind. But even then, it's a fine line, and history has shown once a mechanism is in place to outlaw something it will be extended and abused to apply to things that were not originally targeted.

Isn't the loophole for this obvious? Just include in your release:<p>"This tool is intended for educational use only. The Author is not responsible for any misuse."

Yes, it is illegal to financially damage a company, and many crackers do exactly that. This article and most of the comments here argue about the tools. As hackers we find it hard to understand why a hammer could be outlawed because it is good at breaking through the windows of houses.<p>Why does no one talk about the network that was broken into? Why does the general public believe that crackers are so good at their job it is impossible to secure a computer system? There are two possibilities that I can see here.<p>1. Most cracks happen because of a less-than-perfect system administrator. Either some subtle problem with a configuration file opened up a hole for the cracker or nobody bothered securing the network to begin with.<p>2. Most cracks happen because crackers have found a reliable method of discovering 0day exploits or our current computing model is fundamentally insecure.<p>In either case, I find it unjustifiable to declare cracking an act of terrorism without spending ANY effort reflecting back on our own security. If millions of us routinely use the same password (or a easy-to-guess pattern) for all of our accounts who is the terrorist? The people who take advantage of an easy opportunity, or the people who created that opportunity in the first place?<p>It is well known that users are stupid, and that two-factor authentication is much harder to break than static passwords. Bruce Schneider has been saying so for at least a decade. Why have we not moved on? As a system administrator, it should be an act of terrorism to NOT make two-factor authentication the DEFAULT way of using your service.

While I can't really see legitimate uses of some of the "hacking tools" - viruses, botnets, rootkits (yes, you, Sony!), etc. - I can't get rid of the feeling that there is another hand trying to get a grip on the free land of Internet, and I really don't like that.<p>On a completely tangential matter, I have a feeling this is going to be another one of that laws that cost a lot of money and have little to no effect... at least positive effect.

If you leave your wallet on the street in a bad neighborhood and come back, you'll probably never see it again.<p>The problem with such protection laws is that it doesn't take into account the ignorance or incompetence of service providers. It also holds back innovation and we end up with less security. Even if these vulnerable companies don't have the expertise they can hire a reputable security company to audit their system to plug the gaping holes.<p>Do we need to pass laws for companies to do security audits? Maybe for listed companies or companies that have services of a certain size, since they'll try to skimp on costs or executives don't understand IT needs.<p>Trying to criminalize the intent of developers even if they create tools solely for cracking is a slippery slope. While we're at it we should make defense contractors liable for war damages and execute the engineers responsible for creating weapons.<p>In Japan a closed source p2p software called Winny caused a lot of disorder with viruses and lots of government information and embarrassing private pictures leaked onto the net due to security issues. Unfortunately, the developer was busy fighting a trial based on whether he had intentions of violating copyright with his software (he was finally acquitted on appeal to a higher district court). If he at any point publicly endorsed copyright violations, he'd probably be locked up for a long time even if he didn't violent a single bit of copyrighted content. Needless to say the project is abandoned and full of holes. Good for the anti-virus industry though.<p><a href="http://en.wikipedia.org/wiki/Winny" rel="nofollow">http://en.wikipedia.org/wiki/Winny</a>

The full statement is available here[1].<p>[1] - <a href="http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/122516.pdf" rel="nofollow">http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdat...</a>

Like locksmiths, many of us have reasons for owning the most unlikely software.

There's a sensible reason for implementing a law of this kind - if they catch the guy that wrote Zeus, I'd like them to be able to prosecute him (not that they could, as he's probably not in the EU, but you get the idea). Of course, it does need to be carefully written to avoid collateral damage.

knives should be illegal, they may be used to kill people

This is already the case in the Netherlands. Hacking tools are only allowed for private use or research, e.g. for checking the security of your own network. Possession of hacking tools with the intention to harm other peoples' systems is not allowed.

Can anyone think of a situation where lines of code could ever be illegal?

These sorts of laws need to include exceptions for tools that have a non-criminal purpose. Otherwise, a broad reading could include things like NetCat, Curl, and Apache Bench.

What if I develop all my hacking tools in an SSH session to a box in russia? Is that illegal? What about VNC?<p>This kind of thing could well be a legal reality soon...

He has an IDE - get him!

hahaha. I spent a summer writing dissectors for ethereal/wireshark. I guess that's a hacking tool as well, eh.

This seems more like one of those ideas which end up being a law used to slap people a second time when they are nabbed for something rather than something that would be enforced on its own.

That's funny. First they talk about cyberwar and now they want to smelt down their weapons?

That is a desperate attempt to motivate Europe's lazy youth to actually hack something.