German Security Professionals in the Mist
German Information Security professionals were hopeful after the proposed Police and Justice Act amendments to the UK Computer Misuse Act were suspended because, if certain clauses had been enacted, they would effectively have made criminals of the entire Information Security industry in the UK. This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively a crime (the wording covers anyone who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to such tools).
Despite all efforts to peer through the mist about whether changes would be made to the proposed law, as of today it is active legislation. Penalties under the law include up to 12 months imprisonment, a fine, and potential linkage to terrorism-related activities (at least as per sections 202a and 202b of the law).
Despite some observers fearing a 'Kristallnacht' in the near future, and while it is likely there will be some abuses of the law (as with the DMCA, for example), the overall effect on Information Security work and research in Germany is not likely to be all that great.
That doesn't mean that changes aren't already happening. A number of security-related products and groups have either closed up shop or relocated to countries of convenience, such as the Netherlands.
KisMAC, an OS X wireless network discovery tool, has ceased development and will soon be reappearing in the Netherlands. This was one of the first tools to suddenly cease production in a public manner.
Phenoelit have also closed their German presence, though it may be possible to find their content available online in other locations.
Those who can read German can see the response from the CCC, who are currently holding their Chaos Communication Camp 2007 near Berlin (think of DefCon, in a field, with tents). The CCC have decided that, since the German Government took this move, it means that there are no more security problems facing computer users.
Stefan Esser, the noted PHP Security activist, has withdrawn all of the exploit code that originally accompanied the Month of PHP Bugs project. As Stefan points out:
"The law does not affect our freedom of speech to report and inform about security vulnerabilities and how to exploit them.
We are just not allowed to create/distribute/use software that could be used as "hacking tools"."
Like many other legislative attempts to address real or perceived problems with computer-based activity, the law fails to account for reality. Others have pointed out that it is only those already engaged in illegal activity that are using 'hacking tools'. The legitimate security industry is using 'diagnostics' and other useful utilities. Already it seems that the law will have the unintended consequence of making legitimate research just that much harder, only deterring the legitimate researchers and the opportunistic attacker. The serious criminal will just keep on going with their malicious activity, probably a little bit bolder - safe in the knowledge that the German Government has just made it a little bit more difficult for them to be found.
12 August 2007