18.11.15
Snooper's Charter could impede computer security workers in UK
From Ars Technica.
As Glyn Moody and George Danezis point out, the draft bill effectively makes it a crime to reveal the existence of government hacking. Along the way, the new law would also make it illegal to discuss the existence or nature of warrants with anyone under any circumstances, including in court or with your MP, no matter what’s been happening. The powers are sweeping, absolute, and carefully put beyond public scrutiny, effectively for ever. There’s no limitation of time.
Let’s say I’m a security researcher, digging into some unusual behaviour in a router on behalf of a major telecoms client. I discover a security hole into which somebody has installed a backdoor. Whoever it was didn’t leave a calling card: they rarely do.
What would I do if I found that backdoor today? The ethical thing is to check my results with trusted colleagues, tell my client, determine what the best remedial action is, tell whoever is in charge of that aspect of the router software, allow time for a patch to propagate out, then tell the world what happened. It’s interesting, but not immediately important, to work out who did the attack. Fix first, ask questions later.
Let’s look at that in a world where the Snooper's Charter has become law. I find the backdoor and tell a colleague. She doesn’t answer my e-mail, but I get a knock at the door—turns out that GCHQ was behind the attack. I am now banned forever from mentioning to anyone what I found—or that I found anything. The backdoor is later exploited by the bad guys and my client is hit. Why didn’t you find it, they ask? I can only shrug. Soon, my consultancy is in disarray. If I’m sued for incompetence, I cannot defend myself. I can write no papers, warn no people.