There are some amendments in the new Police and Justice Act to the Computer Misuse Act and some of them do not sound like good news for the UK Penetration testing & Security Research community.
Looking at Section 37 of the Act you get this
(1) A person is guilty of an offence if he makes, adapts, supplies or offers
to supply any article intending it to be used to commit, or to assist in
the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any
article believing that it is likely to be used to commit, or to assist in the
commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to
its being supplied for use to commit, or to assist in the commission of,
an offence under section 1 or 3.
(Offences in section 1 or 3 is basically unauthorised access to computer resources).
To my mind that leaves people publishing exploit code in the UK in serious trouble along with anyone selling or making open source Penetration testing software. It'd would be pretty hard to argue that you didn't believe it was likely that a tool that could be used for Pen testing could also be used by someone to break into a system, as the only thing that's really different is the intent !
The act also covers DoS (or reckless impairment of the operation of a computer as the act calls it) so would it follow that software which stress tests systems would also fall foul of the act?
I expect that what'll happen is that we'll get some chat from government officials that "legitimate security professionals won't be targeted" but I for one really don't like the idea that I could be committing an offence and I'm relying on someones definition of "legitimate" to avoid being prosecuted!
