This is the final part of a series of articles. The third part can be found here.
The Crown Prosecution Service, responsible for bringing prosecutions on behalf of the public, drafted guidance in an attempt to clarify some of these issues. They suggested the following test:
- Has the article been developed primarily, deliberately and for the sole purpose of committing a Computer Misuse Act offence?
- Is the article available on a widespread commercial basis and sold through legitimate channels?
- Is the article widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
Question 1 is understandable, but questions 2 to 5 are somewhat outside of a software designer’s control. There are no hard and fast rules for prosecutions of this nature and it is up to individual prosecutors how they interpret matters. Is any legitimate penetration testing software available on a “widespread” commercial basis?
What of the penetration testing training courses? How can an organiser be assured that all of the users wish to be there for legitimate purposes?
The really interesting part of the amended Computer Misuse Act is that a person need only offer to supply the article. He need not even actually supply it to a potential hacker.
Given the dual use of many security software tools, it would always be open to a defendant to claim that the prohibited result was not his aim or that he did not know that the result was a virtually certain consequence of his actions. This could be arguable either way, however.
Software tools such as Nmap, used to evaluate the security of computers, and to discover services or servers on a computer network, are clearly in a grey area. The makers of Nmap continue to update their software, in order to keep it effective at finding insecurities in systems. Is it used by hackers? Certainly. Are the manufacturers aware of that? They must be. In the circumstances, the manufacturers of Nmap have committed an offence. It seems unlikely that they will be prosecuted for it, but they remain vulnerable.
Equally, posting password details to a security bulletin board believing that those details are likely to be used to commit a computer misuse offence would easily fall within the s.3A offence. This implies that those on Twitter bragging about the latest vulnerability they have found in Microsoft Remote Desktop Services are leaving themselves wide open to prosecution.
The widespread distribution of the LOIC DDoS software and Metasploit toolkits has hit the media headlines in connection with those using the software personally. However, it is evident that those distributing the software are equally susceptible to prosecution.
It is indeed a minefield out there. The reality is that prosecutions of this nature have historically been rare, and will probably remain so. With this in mind, it is still clear that those in the IT security world should be vigilant. In particular, make sure to obtain a clear indication of precisely what acts are authorised and which are unauthorised. Furthermore, if you believe that you are somehow supplying a hacker, consider how a potential prosecutor would consider your actions and modify your behaviour appropriately.
This is the final part of an article that first appeared in PenTest magazine. The previous parts were published on this blog on a weekly basis.