Security Tool Controversy
published: July 10th, 2007
partners:
Last year I discussed some of the hacking and security laws in the UK on michaeldaw.org; pdp also discussed this on GNUCITIZEN a few months back. Governments are looking at clamping down on security tool development and distribution to mitigate hacking risks. It looks like Germany are now following:
Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to * passwords or other access codes, that allow access to data or * computer programs whose aim is to commit a crime will be punished with up to one year jail or a fine. Additionally, this new section is interwoven with other laws, including the ones covering terrorism. The current interpretation includes the acceptance of others committing a crime using your (or our) material as violation of §202c.
I also see the point that crackers will get the upper-hand as they don’t care about such laws, it will be the security community that suffers.
Whether we like it or not, times are a changing
. I strongly believe in win-win situations, the question really is can there by one if the future moves in this direction and what with Net Neutrality.
comments
This not exactly correct. The critical part of the new article is §202c.
Quote from heise.de:
Here’s a machine-translated version: http://66.249.91.104/translate.....dung/92334
But what the heck are . Even as German I am not able to get the meaning of the word - so as long as the article stays as interpretable as the bible we have to wait for the first precedence case to occur. Bitter.
Greetings,
.mario
Mario, thanks for the correction. Maybe you could translate the crux of it, Google doesn’t do a great job :)
Translation: “The preparation of a crime via assembly, acquisition, disposal, abandonment, distribution or enabling of accessibility of passwords or miscellaneous security codes for data access as well as via suitable software tools will be avenged with penalty or imprisonment (one year maximum)”
The relation between tool and crime is pretty clear but at which point is the tool-author responsible?
The old kitchen-knife dilemma?
I believe legislation needs to focus on intent or motive of a person/act rather than a tool. Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.
Most countries allow the use of hammers and large screwdrivers. Two tools which can be used to get passed physical security barriers. While these two tools may not be used in this manner by you and I, to some, they are considered the right tool for this particular job.
As security professionals, we should actively educate and lend technical support to legislators so they understand proper rationale. They are not the experts in this area, and ignorance will lead to problems. I encourage you to get involved and be heard, no matter what side you may fall on this issue.
If you are content in letting others make this decision without your involvement; don’t get upset later when laws are enacted contrary to your beliefs.
“Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.”
I couldn’t agree more with Aodhhan. The question here is what makes the so called “hacking tools”.
Many of us believe that there is NOT such as thing as a hacking tool. Even the most intrusive tool such as a password bruteforcer could be used as a legitimate tool used for password autiding purposes. At the end of the day it’s about semantics and using language to manipulate thinking. i.e.: password cracker versus password autiding tool
For all I know even default Windows commands such as the “net” commands could be considered “hacking tools”.
Adrian if I liken Aodhhan’s hammer and screwdrivers to OS tools like telnet, tftp and net, then banning other security tools still makes sense :)
I would consider applications incorporated with an operating system as “features” not security tools. Metaphorically, they would be equal to having a key/smart card to the locked door, thus wouldn’t require a hammer/screwdriver.