Security Tool Controversy

Last year I discussed some of the hacking and security laws in the UK on michaeldaw.org; pdp also discussed this on GNUCITIZEN a few months back. Governments are looking at clamping down on security tool development and distribution to mitigate hacking risks. It looks like Germany are now following:

Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, 
sells, yields, distributes or otherwise allows access to

* passwords or other access codes, that allow access to data or
* computer programs whose aim is to commit a crime

will be punished with up to one year jail or a fine. Additionally, this new section is interwoven with other 
laws, including the ones covering terrorism. The current interpretation includes the acceptance of others 
committing a crime using your (or our) material as violation of §202c.

The main question in my mind when trying to remain objective about this, is whether IT security can be classified within the same category as Locksmiths. Would you feel safe in your home if an open community developed free tools to open various locking mechanisms and distributed those openly? Currently, only registered Locksmiths are allowed toolkits within the UK.

I also see the point that crackers will get the upper-hand as they don’t care about such laws, it will be the security community that suffers.

Whether we like it or not, times are a changing. I strongly believe in win-win situations, the question really is can there by one if the future moves in this direction and what with Net Neutrality.

Comments

.mario responds:

This not exactly correct. The critical part of the new article is §202c.

Quote from heise.de:

Danach soll die Vorbereitung einer Straftat durch Herstellung, Beschaffung, Verkauf, Überlassung, Verbreitung oder Zugänglichmachen von Passwörtern oder sonstigen Sicherheitscodes für den Datenzugang sowie von geeigneten Computerprogrammen künftig mit Geldstrafe oder Freiheitsentzug bis zu einem Jahr geahndet werden.

Here’s a machine-translated version: http://66.249.91.104/translate.....dung/92334

But what the heck are Sicherheitscodes. Even as German I am not able to get the meaning of the word – so as long as the article stays as interpretable as the bible we have to wait for the first precedence case to occur. Bitter.

Greetings,
.mario

David Kierznowski responds:

Mario, thanks for the correction. Maybe you could translate the crux of it, Google doesn’t do a great job :)

.mario responds:

Translation: “The preparation of a crime via assembly, acquisition, disposal, abandonment, distribution or enabling of accessibility of passwords or miscellaneous security codes for data access as well as via suitable software tools will be avenged with penalty or imprisonment (one year maximum)”

The relation between tool and crime is pretty clear but at which point is the tool-author responsible?
The old kitchen-knife dilemma?

Aodhhan responds:

I believe legislation needs to focus on intent or motive of a person/act rather than a tool. Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.

Most countries allow the use of hammers and large screwdrivers. Two tools which can be used to get passed physical security barriers. While these two tools may not be used in this manner by you and I, to some, they are considered the right tool for this particular job.

As security professionals, we should actively educate and lend technical support to legislators so they understand proper rationale. They are not the experts in this area, and ignorance will lead to problems. I encourage you to get involved and be heard, no matter what side you may fall on this issue.

If you are content in letting others make this decision without your involvement; don’t get upset later when laws are enacted contrary to your beliefs.

Adrian Pastor responds:

“Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.”

I couldn’t agree more with Aodhhan. The question here is what makes the so called “hacking tools”.

Many of us believe that there is NOT such as thing as a hacking tool. Even the most intrusive tool such as a password bruteforcer could be used as a legitimate tool used for password autiding purposes. At the end of the day it’s about semantics and using language to manipulate thinking. i.e.: password cracker versus password autiding tool

For all I know even default Windows commands such as the “net” commands could be considered “hacking tools”.

David Kierznowski responds:

Playing Devils Advocate:

Adrian if I liken Aodhhan’s hammer and screwdrivers to OS tools like telnet, tftp and net, then banning other security tools still makes sense :)

Aodhhan responds:

I would consider applications incorporated with an operating system as “features” not security tools. Metaphorically, they would be equal to having a key/smart card to the locked door, thus wouldn’t require a hammer/screwdriver.

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation