I want to start a hacking course, what are the legalities?

[ThatDevAaron]

so, I want to start a website on, teaching people how to hack, which wouldn't involve showing people, or encouraging illicit activity, but rather, detailing methodologies, and providing code samples etc.

Primary USP: Tutors are previously convicted cyber criminals (who obviously no longer partake in such activity)

Here are some website samples so you can see what it is i'm trying to create:

 

[cjd]

So this would be unlawful in numerous ways - teaching people how to be better criminals is pretty obviously a short way to get arrested.

But there are ways to do this sort of thing and they all start with you contacting either the police - the Met take the lead on cybercrime - or GCHQ - before you do ANYTHING.

 

[JEREMY HAWKE]

I recon they will come and get you hang you and throw away the key

This is pure dubdifus, skulduggery

 

[UKSBD]

I would say it's all about the wording.

You don't teach how to hack, you teach how to combat hacking

Lose the bit about learning from convicted cyber criminals (or word differently) and I don't see a problem with it.

 

[Gecko001]

@ThatDevAaron said:

"Primary USP: Tutors are previously convicted cyber criminals (who obviously no longer partake in such activity)"

Their business model is probably not one you should try to copy - not unless you like prison food.

 

[Gecko001]

To be serious though, surely the ex-con hackers who become tutors will run their courses closely supervised by law enforcement or actually working as part of a law enforcement team.

 

[ThatDevAaron]

To be serious though, surely the ex-con hackers who become tutors will run their courses closely supervised by law enforcement or actually working as part of a law enforcement team.

Hacking isn't illegal, hacking systems you don't own, is.

So we teach you offensive tactics, by experts, which you can use to better yourself in your cyber security career.

There would not be any promotion of illegal hacking etc, would be purely ethical.

If we do ask you to hack something, it would be a controlled network that we operate.

The terms we use are vital - let me know if you think this is a bad idea.

Take a look on Udemy, they have similar stuff, only difference is, we're bespoke and don't need to give udemy a share of our money or expose our client list to third parties.

 

[ThatDevAaron]

So this would be unlawful in numerous ways - teaching people how to be better criminals is pretty obviously a short way to get arrested.

But there are ways to do this sort of thing and they all start with you contacting either the police - the Met take the lead on cybercrime - or GCHQ - before you do ANYTHING.

any specific departments to contact?

 

[ThatDevAaron]

I would say it's all about the wording.

You don't teach how to hack, you teach how to combat hacking

Lose the bit about learning from convicted cyber criminals (or word differently) and I don't see a problem with it.

no - we teach how to hack, and also, how to combat it // offensive & defensive.

Def and Offen lessons aren't illegal as they can be used completely legally, its more a case of, the UK has quite dystopian computer laws, that have not been updated and are not really fit for modern use.

 

[Gecko001]

So it looks like you want to form a cybersecurity firm. Isn't that quite a big sector with lots of big players.

Before doing anything, I would investigate whether you can get professional indemnity insurance.

 

[UKSBD]

no - we teach how to hack, and also, how to combat it

Yes, I know that
What I was saying is, you want to put a little more thought in to how you word things.

 

[ThatDevAaron]

Yes, I know that
What I was saying is, you want to put a little more thought in to how you word things.

the wording is kinda vital, the USP is that tutors are convicted cyber criminals

 

[ThatDevAaron]

So it looks like you want to form a cybersecurity firm. Isn't that quite a big sector with lots of big players.

Before doing anything, I would investigate whether you can get professional indemnity insurance.

not a cybersec firm, a education-type of business.

do we need indemnity insurance for this?

 

[Gecko001]

not a cybersec firm, a education-type of business.

do we need indemnity insurance for this?

Legally you do not need it, but it would be useful to have it.

Also, talking to insurance brokers about your proposed project will give you an insight into some of the risks you face. BTW, you will have to be totally honest with insurers about what you will be teaching. Just getting general tutoring insurance, will probably not be much use to you.

 

[ThatDevAaron]

Legally you do not need it, but it would be useful to have it.

Also, talking to insurance brokers about your proposed project will give you an insight into some of the risks you face. BTW, you will have to be totally honest with insurers about what you will be teaching. Just getting general tutoring insurance, will probably not be much use to you.

do you think this is something that can possibly cause criminal action? that is what i want to be wary of.

 

[ThatDevAaron]

do you think this is something that can possibly cause criminal action? that is what i want to be wary of.

criminal action towards the company/tutors etc from the police etc

 

[ThatDevAaron]

I had a few people tell me this, so i stopped working on the project for a few months, but I figured you guys would have better answers

 

[Mark T Jones]

Legally you do not need it, but it would be useful to have it.

Also, talking to insurance brokers about your proposed project will give you an insight into some of the risks you face. BTW, you will have to be totally honest with insurers about what you will be teaching. Just getting general tutoring insurance, will probably not be much use to you.

That's where it becomes circular - you can't insure against criminal activity and any legal case is likely to revolve around whether the OP was intact engaged in criminal activity teaching people to hack systems.

 

[Gecko001]

That's where it becomes circular - you can't insure against criminal activity and any legal case is likely to revolve around whether the OP was intact engaged in criminal activity teaching people to hack systems.

Yes you cannot be insured for criminal activity, in the sense that insurers will not pay your fines or losses as the result of going to prison. They will only insure you for legal costs involved in defending yourself.

 

[Gecko001]

Looking at the bigger picture, and I mean no offence here, the tutors who are ex-criminals are just in a different league to @ThatDevAaron. They will have had multiple interviews with legal teams, crime investigators and no doubt prison rehabilitation staff, as well as being monitored by probation officers They know the system and all the pitfalls They will also, probably, have people inside the cybersecurity business and cybercrime investigation who they can call upon for any advice they need.

So we are in do-not-touch-with-barge-pole territory in my view.

 

[ThatDevAaron]

Looking at the bigger picture, and I mean no offence here, the tutors who are ex-criminals are just in a different league to @ThatDevAaron. They will have had multiple interviews with legal teams, crime investigators and no doubt prison rehabilitation staff, as well as being monitored by probation officers They know the system and all the pitfalls They will also, probably, have people inside the cybersecurity business and cybercrime investigation who they can call upon for any advice they need.

So we are in do-not-touch-with-barge-pole territory in my view.

I don't understand the term `do-not-touch-with-barge-pole`

you think its legally risky?

 

[fisicx]

Pentesting and infosec skills are already covered in a number of qualifications. For example:

CREST Registered Penetration Tester

The CREST Registered Penetration Tester (CRT) exam is recognised by Governments and regulators around the globe.

www.crest-approved.org

Would you be seeking accreditation?

 

[ThatDevAaron]

Pentesting and infosec skills are already covered in a number of qualifications. For example:

CREST Registered Penetration Tester

The CREST Registered Penetration Tester (CRT) exam is recognised by Governments and regulators around the globe.

www.crest-approved.org

Would you be seeking accreditation?

We would likely offer certificates, but I doubt they would be government backed etc - our certificates would be pretty useless outside of being proven to've undertaken and completed our courses, which would only retain value, if the brand grows etc, but it wouldn't be a major part of our selling point.

 

[fisicx]

If they aren’t accredited the legality of such a course could be questionable. GCHQ would no doubt be very interested as to why you want to do this.

 

[ThatDevAaron]

If they aren’t accredited the legality of such a course could be questionable. GCHQ would no doubt be very interested as to why you want to do this.

its not a hard concept, in the world of education, those who've done, are the best teachers.

Ergo, in the hacking landscape, perhaps people who've previously actually committed certain acts could offer the best teaching/knowledge.

Simply a way to gain information and perspective.

 

[DontAsk]

its not a hard concept, in the world of education, those who've done, are the best teachers.

Actually we say those who can, do. Those who can’t, teach.

Those who can’t teach join ofsted.

 

[fisicx]

its not a hard concept, in the world of education, those who've done, are the best teachers.

A fallacy in many cases. The ability to do doesn’t mean an ability to educate.

If you want to educate don’t call it hacking. Educate in pen testing and infosec. Show students how to identify hacking attempts, find zero day vulnerabilities, harden servers and so on.

Offering a hacking course will attract all the wrong people. Because their first question will be: where can I get ransomware.

 

[GLAbusiness]

Think about your target customers. Are they people who would go on to use the skills for illegal purposes or are they the people who want to defend against illegal hacking. The tailor you pitch to the target audience

 

[ThatDevAaron]

So most of your concerns are relating to the usage of the term hacking?

and when I say, those who've done, I mean in this specific use-case, is cyber crime, and obviously, our tutors aren't reoffenders.

 

[ThatDevAaron]

keep in mind our USP is ex-cybercriminals as tutors

 

[ThatDevAaron]

Because their first question will be: where can I get ransomware.

we may offer ransomware tutorials and offer brief code samples, but we wouldn't at all provide malicious resources or any resources outside of our scope.

 

[Gecko001]

I don't understand the term `do-not-touch-with-barge-pole`

you think its legally risky?

A barge pole is a very long pole use by barge operators to push barges away from the river bank or obstacles. So do not touch it with a barge pole, means to keep away from something as it could be trouble.

Can you be sure that what your students learn will be used just to make systems more secure. Can you be sure that a student will not use what they learn to commit cybercrime. That is more of an ethical matter than a legal one.

 

[DontAsk]

obviously, our tutors aren't reoffenders.

Their word is their bond?

 

[Frank the Insurance guy]

What are your students looking to do? Are they looking to build a legitimate business using what they learn?

You need to aim your course at "Ethical Hacking" training - so they can provide penetration testing etc, using what they have learned from rehabilitated cyber criminals.

The training needs to be clear and the emphasis must be on Ethical Hacking - anything else and you are likely to be in trouble!

As for Professional Indemnity Insurance - it is available, but won't be cheap (likely unviable for a start-up).

 

[HFE Signs]

Interesting concept - Its a bit like teaching someone how to shoot a person so they know how not to get shot.

 

[ThatDevAaron]

Interesting concept - Its a bit like teaching someone how to shoot a person so they know how not to get shot.

You tell me, are soldiers better than civilians at dodging bullets? I'd like to think so

 

[fisicx]

You tell me, are soldiers better than civilians at dodging bullets? I'd like to think so

No, soldiers are better at not being seen. If the enemy can see you your chances are the same as a civvie.

 

[Gecko001]

Who do you think will be your typical student? Is it the individual who wants to learn something to help them in their career, or is it people sent by their employers to find out more about cybersecurity?

 

[Newchodge]

criminal action towards the company/tutors etc from the police etc

While there are some bad apples, most police officers do not commit criminal action!

 

[Newchodge]

So most of your concerns are relating to the usage of the term hacking?

and when I say, those who've done, I mean in this specific use-case, is cyber crime, and obviously, our tutors aren't reoffenders.

Haven't yet been convicted of re-offending.