Security Tool Controversy

Tue, 10 Jul 2007 22:29:08 GMT

Last year I discussed some of the hacking and security laws in the UK on michaeldaw.org; pdp also discussed this on GNUCITIZEN a few months back. Governments are looking at clamping down on security tool development and distribution to mitigate hacking risks. It looks like Germany are now following:

Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, > sells, yields, distributes or otherwise allows access to

  • passwords or other access codes, that allow access to data or
  • computer programs whose aim is to commit a crime>

will be punished with up to one year jail or a fine. Additionally, this new section is interwoven with other > laws, including the ones covering terrorism. The current interpretation includes the acceptance of others > committing a crime using your (or our) material as violation of §202c.

The main question in my mind when trying to remain objective about this, is whether IT security can be classified within the same category as Locksmiths. Would you feel safe in your home if an open community developed free tools to open various locking mechanisms and distributed those openly? Currently, only registered Locksmiths are allowed toolkits within the UK.

I also see the point that crackers will get the upper-hand as they don't care about such laws, it will be the security community that suffers.

Whether we like it or not, times "are a changing". I strongly believe in win-win situations, the question really is can there by one if the future moves in this direction and what with Net Neutrality.

.mario.mario
This not exactly correct. The critical part of the new article is §202c. Quote from heise.de:
Danach soll die Vorbereitung einer Straftat durch Herstellung, Beschaffung, Verkauf, Überlassung, Verbreitung oder Zugänglichmachen von Passwörtern oder sonstigen Sicherheitscodes für den Datenzugang sowie von geeigneten Computerprogrammen künftig mit Geldstrafe oder Freiheitsentzug bis zu einem Jahr geahndet werden.
Here's a machine-translated version: http://66.249.91.104/translate_c?hl=en&langpair=de%7Cen&u=http://www.heise.de/newsticker/meldung/92334 But what the heck are Sicherheitscodes. Even as German I am not able to get the meaning of the word - so as long as the article stays as interpretable as the bible we have to wait for the first precedence case to occur. Bitter. Greetings, .mario
David KierznowskiDavid Kierznowski
Mario, thanks for the correction. Maybe you could translate the crux of it, Google doesn't do a great job :)
.mario.mario
Translation: "The preparation of a crime via assembly, acquisition, disposal, abandonment, distribution or enabling of accessibility of passwords or miscellaneous security codes for data access as well as via suitable software tools will be avenged with penalty or imprisonment (one year maximum)" The relation between tool and crime is pretty clear but at which point is the tool-author responsible? The old kitchen-knife dilemma?
AodhhanAodhhan
I believe legislation needs to focus on intent or motive of a person/act rather than a tool. Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies. Most countries allow the use of hammers and large screwdrivers. Two tools which can be used to get passed physical security barriers. While these two tools may not be used in this manner by you and I, to some, they are considered the right tool for this particular job. As security professionals, we should actively educate and lend technical support to legislators so they understand proper rationale. They are not the experts in this area, and ignorance will lead to problems. I encourage you to get involved and be heard, no matter what side you may fall on this issue. If you are content in letting others make this decision without your involvement; don't get upset later when laws are enacted contrary to your beliefs.
Adrian PastorAdrian Pastor
"Due to the breadth of application development, focusing on applications/tools will lead to many gray lines and inconsistencies." I couldn't agree more with Aodhhan. The question here is what makes the so called "hacking tools". Many of us believe that there is NOT such as thing as a hacking tool. Even the most intrusive tool such as a password bruteforcer could be used as a legitimate tool used for password autiding purposes. At the end of the day it's about semantics and using language to manipulate thinking. i.e.: password cracker versus password autiding tool For all I know even default Windows commands such as the "net" commands could be considered "hacking tools".
David KierznowskiDavid Kierznowski
Playing Devils Advocate:
Adrian if I liken Aodhhan's hammer and screwdrivers to OS tools like telnet, tftp and net, then banning other security tools still makes sense :)
AodhhanAodhhan
I would consider applications incorporated with an operating system as "features" not security tools. Metaphorically, they would be equal to having a key/smart card to the locked door, thus wouldn't require a hammer/screwdriver.
nemnem
The second I read the original article (i'm german), i just sat back relaxed and smiled. As Mario already pointed out, its open to interpretation. The strongest point here is: "... intention ...". So if i create a tool to breach security, in order to abuse it, its illegal. Do create it, claiming its a security testtool its big grins all the way :-)