Comments on: Security Tool Controversy

By: Aodhhan

Aodhhan — Thu, 12 Jul 2007 13:01:40 +0000

I would consider applications incorporated with an operating system as “features” not security tools. Metaphorically, they would be equal to having a key/smart card to the locked door, thus wouldn’t require a hammer/screwdriver.

By: David Kierznowski

David Kierznowski — Wed, 11 Jul 2007 14:35:22 +0000

Playing Devils Advocate:

Adrian if I liken Aodhhan’s hammer and screwdrivers to OS tools like telnet, tftp and net, then banning other security tools still makes sense :)

By: Adrian Pastor

Adrian Pastor — Wed, 11 Jul 2007 13:45:55 +0000

“Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.”

I couldn’t agree more with Aodhhan. The question here is what makes the so called “hacking tools”.

Many of us believe that there is NOT such as thing as a hacking tool. Even the most intrusive tool such as a password bruteforcer could be used as a legitimate tool used for password autiding purposes. At the end of the day it’s about semantics and using language to manipulate thinking. i.e.: password cracker versus password autiding tool

For all I know even default Windows commands such as the “net” commands could be considered “hacking tools”.

By: Aodhhan

Aodhhan — Wed, 11 Jul 2007 13:02:03 +0000

I believe legislation needs to focus on intent or motive of a person/act rather than a tool. Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies.

Most countries allow the use of hammers and large screwdrivers. Two tools which can be used to get passed physical security barriers. While these two tools may not be used in this manner by you and I, to some, they are considered the right tool for this particular job.

As security professionals, we should actively educate and lend technical support to legislators so they understand proper rationale. They are not the experts in this area, and ignorance will lead to problems. I encourage you to get involved and be heard, no matter what side you may fall on this issue.

If you are content in letting others make this decision without your involvement; don’t get upset later when laws are enacted contrary to your beliefs.

By: .mario

.mario — Wed, 11 Jul 2007 10:31:34 +0000

Translation: “The preparation of a crime via assembly, acquisition, disposal, abandonment, distribution or enabling of accessibility of passwords or miscellaneous security codes for data access as well as via suitable software tools will be avenged with penalty or imprisonment (one year maximum)”

The relation between tool and crime is pretty clear but at which point is the tool-author responsible?
The old kitchen-knife dilemma?

By: David Kierznowski

David Kierznowski — Wed, 11 Jul 2007 09:18:56 +0000

Mario, thanks for the correction. Maybe you could translate the crux of it, Google doesn’t do a great job :)

By: .mario

.mario — Wed, 11 Jul 2007 07:00:50 +0000

This not exactly correct. The critical part of the new article is Â§202c.

Quote from heise.de:

Danach soll die Vorbereitung einer Straftat durch Herstellung, Beschaffung, Verkauf, Ãœberlassung, Verbreitung oder ZugÃ¤nglichmachen von PasswÃ¶rtern oder sonstigen Sicherheitscodes fÃ¼r den Datenzugang sowie von geeigneten Computerprogrammen kÃ¼nftig mit Geldstrafe oder Freiheitsentzug bis zu einem Jahr geahndet werden.

Here’s a machine-translated version: http://66.249.91.104/translate.....dung/92334

But what the heck are Sicherheitscodes. Even as German I am not able to get the meaning of the word - so as long as the article stays as interpretable as the bible we have to wait for the first precedence case to occur. Bitter.

Greetings,
.mario