Saturday, October 21, 2006

House of Lords Mentions Gary McKinnon

Source: Hansard - The official record of the proceedings of the
        British Houses of Parliament, London, UK

http://tinyurl.com/yfpqef

10 Oct 2006


The Earl of Erroll: My Lords, I shall speak to this group, and
particularly to my Amendment No. 129A. First, I thank the
Government for taking into account some of the comments I made
about the difference between making and inventing the tools, and
supply and distribution of the tools, which is what they are
trying to hit.

However, I am afraid that their amendment does not quite go far
enough. It is a question of effectiveness and whether it works,
and I am afraid to say that it will not. I reassure the noble
Baroness, Lady Anelay of St Johns, that things like "script
kiddies" are quite common terms in the industry. Phishing is a
big worry at the moment; I was talking about it only last week.

The real problem probably stems from something we have just been
talking about. I have just been at dinner with the Hansard
Society in the Commons, talking about globalisation, regulation
and a few other things. This is a typical example. We think we
can regulate, but in a global, internet-based world we cannot.
People can host these things abroad. They can host sites which
will supply tools to allow you to do this, that and the other,
and there is nothing we can do to prevent it. They will be
hosted on servers abroad by foreign companies, and you cannot do
anything about it. If they were hosted on British servers you
could give them notice and tell them to remove them or even
prosecute them if you were lucky enough.

Will it work? It will not, I am afraid. It is one of those
things that sounds good but will do nothing. What it will do is
cause a lot of trouble to large companies that supply perfectly
legitimate tools to help people to carry out remote maintenance
or use remote access. It will not help parliamentary staff
because if someone supplies the tools to them, whereby they can
shadow you working on your own terminal in Parliament and
thereby help you solve the problem that you just got trapped in,
those sorts of tools might be forbidden under the supply rule.

The Home Office response to this is: "Well of course we won't
chase the good guys. We won't go after them. We are only after
the bad guys." The trouble with that is that it is all well
until an enforcer trying to achieve some other aim threatens
someone. I do not think that, as Parliament, we should be
passing laws that give power to enforcement agencies to
blackmail companies into doing other things for them because
they know they can use something like this against them. It is
too much of a blanket power.

Further, it is useful for penetration testing; for instance,
people testing to see whether their company systems can be
hacked. A typical example of this is phishing. Last week I was
sitting next door to a chap called Gary McKinnon, who is the
person the Americans are trying to extradite and put in jail for
60 years because he put post-it notes all over the Department of
Defense systems. Five years ago he got into their systems
because he thought it would be fun to see how good their
passwords were. He ran a little program and discovered that a
large number of people with Windows access had not bothered to
use passwords. For the Department of Defense in America not to
check that its stuff was moderately secure and that its senior
people at least had passwords to prevent access is stupid. So he
thought he would show them how stupid they were.

As a result of that Gary has got into hot water. I will not go
into the merits of the case or whatever, but the department
should have been using tools like this to ensure their own
security was all right long before Gary got there. And so should
we. However, it will make these things illegal, and large groups,
large banks and so on should be testing that their systems are
secure. In fact Parliament should. But, under this provision,
whoever supplies you with that tool to test that will be
committing an offence. It is all very well to say, "They are the
good guys, we won't prosecute them", but I do not think that is
good enough. I have great trouble with laws that hand over
powers to the enforcers and say, "It is at our discretion
whether we are going to prosecute you".

I stand very strongly on that, having seen and heard of many
incidents where people have been told that unless they comply
with something else there is an obscure rule and they can throw
the book at a company for something else. I know that there will
be efforts made at the European level to reverse this provision
if we pass it in this form. I was informed of that by some
international companies.

I would prefer to see the amendment of the noble Earl, Lord
Northesk, go through and remove the provision altogether. I do
not think it will do any good. It is a waste of time. It will
not allow you to do anything effective against enforcing what
you want. However, I believe that the Minister will not allow
that. Therefore, I would suggest that you should either say
"more likely than not" if that is what you mean. I suggested
last time using the word "primarily"; this time I suggest using
"principally". We are looking at the objective of the people
supplying or trying to sell these tools. If it is principally to
sell it to the hacker community, I do not have a problem. In
which case say so in the Bill. We know these things are likely
to be used. If the Government mean that it is more likely than
not, then they should say more likely than not.

I would like to push this issue at some stage. I know that there
is only one more stage of the Bill. It concerns me greatly that
we should leave the matter in this form. Therefore, I would like
to hear what the Government have to say.
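The speech above says McKinnon "ran a little program" that found Windows accounts with no password, and argues that the Department of Defense, and Parliament, should have been running that kind of check on themselves. What follows is an added example written for this page; it is not McKinnon's tool and nothing in the Hansard record describes his code. It is an offline blank- and weak-password audit over a pwdump-style NT-hash dump, the sort of dual-use "article" the amendment debate is about. The account lines, user names and the weak-password list are constructed sample data; the two hashes that matter (the NT hash of the empty password and of "password") are the well-known values. MD4 is implemented inline because OpenSSL-backed hashlib builds no longer expose it without the legacy provider.

```python
"""
Blank- and weak-password audit over a Windows NT-hash dump.

Added example (not from the Hansard record, not Gary McKinnon's tool).
NT hashes are MD4 over the UTF-16LE encoding of the password; MD4 is
implemented here in pure Python so the script runs on any interpreter.
The dump lines and weak-password list below are constructed sample data.
"""
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round is 16 steps; rotating (a, b, c, d) after every step
        # reproduces the [ABCD]/[DABC]/[CDAB]/[BCDA] register schedule.
        for i in range(16):
            a = _rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b = (a + aa) & MASK32, (b + bb) & MASK32
        c, d = (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_dump(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse pwdump-format lines (user:rid:lmhash:nthash:::) into (user, nthash)."""
    accounts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed dump line: {line!r}")
        accounts.append((fields[0], fields[3].lower()))
    return accounts


def audit_dump(lines: List[str], weak_passwords: List[str]) -> List[Tuple[str, str]]:
    """Flag accounts with a blank password or one from `weak_passwords`."""
    blank = nt_hash("")
    weak: Dict[str, str] = {nt_hash(p): p for p in weak_passwords}
    findings = []
    for user, nt in parse_dump(lines):
        if nt == blank:
            findings.append((user, "blank password"))
        elif nt in weak:
            findings.append((user, f"weak password: {weak[nt]!r}"))
    return findings


# Constructed sample dump. The LM field is the standard "LM disabled" value;
# the third account's NT hash is an arbitrary placeholder for a strong password.
SAMPLE_DUMP = """
# constructed sample, pwdump format: user:rid:lmhash:nthash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846F7EAEE8FB117AD06BDD830B7586C:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:d3b07384d113edec49eaa6238ad5ff00:::
""".splitlines()

WEAK_PASSWORDS = ["password", "Password1", "letmein", "changeme"]  # constructed list

if __name__ == "__main__":
    for user, reason in audit_dump(SAMPLE_DUMP, WEAK_PASSWORDS):
        print(f"{user}: {reason}")
```

Run it only against a dump exported from systems you are authorised to audit; the program itself is exactly the kind of tool the speech says an organisation should be using on its own estate, and exactly the kind a supply offence drafted too broadly would catch.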
