Whose Padlock is Being Tested? (Wiki)

The content of the Security Analogies wiki is now available here, under the GNU Free Documentation License 1.2.

Thanks to Copsewood for the content of this page.

This question gives us a useful analogy between laws affecting physical security and laws affecting computer security, and helps us know whether actions we are considering in connection with computers and networks are ethical or not. It also helps us understand some proposed and existing computing security laws by comparing these with better-understood older laws. This will help us to decide if new computing security laws are likely to be good or bad.

I can go to a hardware shop and buy a padlock and take it home to my workshop, and using safety goggles and gloves etc., see how long it takes me to break it using various tools, such as skeleton keys, an angle grinder, files, an electric drill, or bolt cutters. I can do this quite legally because once I have bought it, it is my padlock and I can do what I like with it, so long as this doesn't hurt or harm anyone else. But if I use the same tools to break the padlock on my neighbour's garden shed to see how strong this is, if my neighbour hasn't given me permission to do this in advance, then this is an offence and rightly so.

If you work as a security tester for a customer, and you think there might ever be confusion in anyone else's mind about whether you are authorised to test a customers security devices or not, you should get this permission from the customer in writing in advance of carrying out any security testing that might make someone who catches you doing it arrive at the wrong conclusions.

The same is true if I try to test the security of a computer system. If it is my system, or I have permission to do this by the owner of the system, then under the UK Computer Misuse Act I am not stopped from doing this, as this is a form of authorised access. Just as with my neighbour's padlock and garden shed, if I use the same computer tools to try to break into someone else's computer system without their permission or authorisation, this is an offence under the UK Computer Misuse act. It doesn't really matter whether I do this as a private individual or as the director of a large corporation. When Sony started selling music CDs with software which attacked the computers of those who bought and played these CDs, to the extent these people's computer security was made weaker by this software without their permission, the directors of Sony UK could have been charged with a criminal offence if anyone adversely affected by this had made a complaint.

Also to know whether the padlocks I am buying are any good, I have to be able to own and use the kind of tools I have described and maybe some other tools in order to test these padlocks and other security devices. Some of these tools might also have other legitimate uses, as well as for testing the security of things which I own. Laws which would make ownership of such tools a criminal offence would not be any good unless the court was also required to prove that the owner intended to use these for a crime. For example it isn't an offence to work as a chef or carpenter, and have knives or a crowbar in a bag on your way to work, because to work as a chef or carpenter you need to be able use these tools. But if a court can prove that you intended to rob someone with the knife, or burgle a house with the crowbar that would be another matter altogether. We can evaluate and decide whether proposed laws concerning possession of tools which can be used to attack computers are stupid or sensible in the same way. In practice even if a tool can only be used to attack a computer, we still need to have the right to use it to test our own computers, so we can see if these can be successfully attacked or not. If we don't know how to use these tools ourselves, we should still be able to employ someone else to use them to report how secure our computers are, because unless they are tested, we can't really know whether our computers are secure or not.

It is also going to be much easier for me to know whether or not a padlock offered for sale is any good if consumer product reviewers and previous customers who have already tested the same make and model of padlock are allowed to tell me about what they have discovered. But in the USA, the Digital Millennium Copyright Act (DMCA) might make it an offence to do this for software. You may have bought a security device and therefore think that by rights it is yours to do what you like with and tell others about what you discovered. But the DMCA prevents those living in the US or who might ever want to travel there from being able to say how weak certain computer security systems are and how these might be broken into, without risking being locked up in jail. This makes it possible for US companies to sell insecure software without customers being allowed to know that what they are buying is of poor quality, but it does not stop criminals from telling each other secretly how to break into weak computing security products.

WebSanity Top Secret