Colleagues,

The federal administration wants to change the law about cyber crime.

See also:

http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
(specifically the item "Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität", i.e. approval and implementation of the Council of Europe Convention on Cybercrime)

I think this contains some dynamite in the details.

First of all: I think it's time for the government to face the fact that there are many open ends (like the discussion we had with the order from Canton de Vaud). My biggest issue with facing cyber crime, however, is that the law is not the problem but the ability of the police force to enforce the law, mainly due to lack of knowledge and probably financial resources. Cyber crime is happening every day and is happening quickly. The processes of police work were maybe accurate in 1960 but lack the speed needed for today's events. I had two incidents in my own company where it clearly showed that the police have not the slightest clue what's happening on the internet, let alone how to fix the issue. It cost me a hell of a lot of money in the end, even though it was a crystal clear case for me (as a techie...). But I must admit it's not the fault of the law, it's the fault of the execution of the law and the financial resources needed to follow those cases.

The law above however has a section which I think is dangerous and could affect our work:

The substantive criminal law, with its provisions in the area of "computer crime" that entered into force on 1 January 1995, largely meets the requirements of the Convention. A need for adaptation arises with regard to the offence of unauthorised intrusion into a data processing system (Art. 143bis of the Criminal Code, the so-called "hacking" offence). Here it is proposed to bring criminal liability forward: anyone who makes programs or data available in the knowledge that they are intended to be used for illegal intrusion into a computer system should also be liable to prosecution. In addition, outside the requirements of the Convention, it is proposed to delete from Article 143bis StGB the element of the absence of intent to enrich oneself, which has been widely criticised in legal doctrine.

Now what does that mean? It is basically what the Germans have done under the "Hackerparagraph". It disallows software which could potentially be used for hacking to be distributed. The result of this was, for example, that in Germany the WiFi tools to verify your WiFi security disappeared. Why? Because someone COULD use them for hacking. If you think this through a bit further, you could use a C compiler to write a hacker tool, so it could be considered a tool to do hacking, and we all very well know someone can write hacking tools in C. So to take this ad absurdum, it could theoretically forbid us to distribute a C compiler. Or think about Linux.

Of course this is a bit far-fetched, but there are many gray zones in between. For example, I use Wireshark, a great open source packet analyzer, for my daily work because I develop or verify network protocols. Of course someone could use this for hacking, to listen to passwords in cleartext (for example from old POP3 accounts). So if we publish a Wireshark version on our server, do we become criminals?

The result will be that security tools to verify your security will be forbidden. You will not be able to verify whether your machine is crackable or not. The real bad boys out there (and I'm not saying a hacker is a bad boy by definition, because most are honest and more in the area of security researcher than anything else) will not give a damn whether they are allowed to distribute this hacking software, because they by definition want to commit crime. So they will get hold of that software and just use it. And because no one was able to verify whether POP3 cleartext passwords are floating around on your LAN, they will find it out for you, but they will not help you make your computer network a more secure world; they will simply abuse it to send spam, to take money from your bank account or whatever they want.

So the normal end user is getting tools removed that help fight crime. This is helping the bad boys instead of keeping them out.
It's like saying you are not allowed to encrypt to protect your privacy simply because some bad boys encrypt to protect their evil plans.

I think the report from the EJPD was written by people who do not understand the technological impact of such laws.

I think we should respond to this proposal to keep the above paragraph out of the law. Otherwise we wouldn't even be able to help the police when they are investigating, because the tools to do this are sometimes also used by hackers.

Here is what I first got from the EJPD.

----------- snip ----------
Your comments are welcome. You will find the documents at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD (EJPD items: Cybercrime). The consultation procedure runs until 30 June 2009.

Kind regards

Andrea Candrian


International Criminal Law Unit
Deputy Head
Bundesamt für Justiz / Federal Office of Justice
Bundesrain 20
CH-3003 Bern
Schweiz/Switzerland 
Tel. +41/31 322 97 92
Fax. +41/31 312 14 07
mailto:andrea.candrian@bj.admin.ch

----------- snip ----------

Andreas Fink

Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG
IceCell ehf

---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  andreas@fink.org
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---------------------------------------------------------------
ICQ: 8239353 MSN: msn1@gni.ch AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333