
A question for "ethical hackers" or cyber security professionals. I am very interested in the world of cyber security and all aspects of it. I am genuinely interested in the security aspect of it and from a highly ethical and moral perspective. I have purchased "self-teaching" online courses for learning cyber security, this is also dubbed loosely "ethical hacking".

At this point we should not debate my intentions with such activities and I wish you to take them as genuinely ethical. I do understand that many high level organizations such as the NSA, Intelligence Agencies in many countries etcetera do monitor these activities heavily. Therefore I'm sure any such research would be monitored one way or another--- enough said on that.

My question here is, how is it possible to learn in this direction if my country and many others forbid even the possession of software for "hacking" despite intentions? This seems one of the main tools used to learn vulnerabilities and how to defend against them. For one's own security purposes as well as better security for others also and my own software development securities.

While I understand the intentions behind such laws being directed at nefarious intentions, what about progress in this direction, what about people who want to enter the field or simply learn for ethical reasons? According to the criminal code of Canada there is no grey area, see first link below.

An FYI of how I intended to go about learning "hacking" ethically. By using my computer to break into my old brick laptop and learning from there. I wouldn't use such software to hack anyone else unethically, just not interested.

References:

https://www.itworldcanada.com/blog/understanding-canadian-cybersecurity-laws-interpersonal-privacy-and-cybercrime-criminal-code-of-canada-article-4/440337

https://devcount.com/is-ethical-hacking-legal/

Criminal Code of Canada

RobbB

1 Answer


...many [countries] forbid even the possession of software for "hacking" despite intentions

That is not the case in the where accessing a computer, and possessing the tools to do it, are only offences if the activity is unauthorised. In fact, private entities and government departments are encouraged to carry out authorised penetration tests to identify vulnerabilities in their systems.

[by] using my computer to break into my old brick laptop...

This is perfectly legal as you have authorised access to the brick.

The relevant offences are at s.1 to s.3A of the Computer Misuse Act 1990, in particular:

s.1 - Unauthorised access to computer material.

(1) A person is guilty of an offence if—

  • (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

  • (b) the access he intends to secure, or to enable to be secured, is unauthorised; and

  • (c) he knows at the time when he causes the computer to perform the function that that is the case

[...]

Sections 2, 3 and 3ZA (not reproduced here to save space) follow similar wording for unauthorised access relating to such things as committing other offences, impairing a computer's functionality, or creating serious damage to health, infrastructure etc.

s.3A - Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA

[...]

(3) A person is guilty of an offence if he obtains any article—

  • (a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or

[...]

(4) In this section "article" includes any program or data held in electronic form.

[...]

So, hacking is not always unlawful - all it needs is the right permission from someone who is authorised to give it.

Edited To Add

This is also the case in (the subject of the OP's first linked article) where s.342.2 of the Criminal Code makes an exception for having a lawful excuse to possess "hacking tools":

(1) Every person who, without lawful excuse, makes, possesses, sells, offers for sale, imports, obtains for use, distributes or makes available a device that is designed or adapted primarily to commit an offence under section 342.1 or 430, knowing that the device has been used or is intended to be used to commit such an offence, is

  • (a) guilty of an indictable offence...

  • (b) guilty of an offence punishable on summary conviction.

[...]

(4) In this section, device includes

  • (a) a component of a device; and

  • (b) a computer program within the meaning of subsection 342.1(2).