Hi all,
It may be an idea to have a look at the treaty they have to implement: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
The article about "hacker tool" is the 6th one and is actually less vague than the wording of the new 143b.2 article:
COE version: "designed or adapted primarily for the purpose of committing any of the offences" / "principalement conçu ou adapté pour permettre la commission de l’une des infractions" (no official German translation)
Proposed Swiss version: "doit présumer qu’ils doivent être utilisés" / "von denen er weiss oder annehmen muss, dass sie zu dem in Absatz 1 genannten Zweck verwendet werden sollen"
It is clear that the COE version rules out tools that are *primarily* conceived to commit infractions, not just tools that *could* be used for hacking (as some have been saying).
So, when writing to the EJPD, you may suggest that they rephrase it in a similar way to the COE treaty. Remember that they have to propose a way to implement this treaty and that they don't have the possibility to just skip this article (which is the only one that requires a change of the legislation).
thomas
2009/3/17 Andreas Fink afink@list.fink.org:
Colleagues,
The federal administration wants to change the law about cyber crime. See also:
http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
(or especially Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität )
I think this includes some dynamite in the details.
First of all: I think it's time for the government to face the fact that there are many open ends (like the discussion we had with the order from Canton de Vaud). My biggest issue with facing CyberCrime is however that not the law is the issue but the ability of the police force to enforce the law. Mainly due to lack of knowledge and probably financial resources. CyberCrime is happening every day and is happening quickly. The processes of police work were maybe accurate in 1960 but lack the needed speed of today's events.
I had two incidents in my own company where it has clearly shown that the police has not the slightest clue what's happening on the internet, besides how to fix the issue. Cost me a hell of a lot of money in the end even though it was a crystal clear case for me (as a techie...). But I must admit it's not the fault of the law, it's the fault of the execution of the law and the financial resources needed to follow those cases.
The law above however has a section which I think is dangerous and could affect our work:
Substantive criminal law, with its provisions in the area of "computer criminal law" that entered into force on 1 January 1995, is able to satisfy the requirements of the Convention to a large extent. A need for adaptation arises with regard to the offence of unauthorised intrusion into a data processing system (Art. 143bis of the Criminal Code, the so-called "hacking" offence). Here it is proposed to bring criminal liability forward: anyone who makes programs or data accessible in the knowledge that they are to be used for illegal intrusion into a computer system shall also be liable to punishment. In addition, outside the requirements of the Convention, it is proposed to delete the element of lack of intent to enrich oneself in Article 143bis StGB, which has been widely criticised in legal scholarship.
Now what does that mean? It is basically what the Germans have done under the "Hackerparagraph". It disallows software which could potentially be used for hacking to be distributed. The result of this was for example that in Germany the WiFi tools to verify your WiFi security disappeared. Why? Because someone COULD use it for hacking.
If you think this a bit further, you could use a C compiler to write a hacker tool, so it could be considered a tool to do hacking and we all very well know someone can write hacking tools in C. So to bring this ad absurdum, it could theoretically forbid us to distribute a C compiler. Or think about Linux. Of course this is a bit far-fetched but there are many gray zones in between.
For example I use Wireshark, a great open source packet analyzer, for my daily work because I develop network protocols or verify network protocols. Of course someone could use this for hacking to listen to passwords in cleartext (for example from old POP3 accounts). So if we publish a Wireshark version on our server, we become criminals?
The result will be that security tools to verify your security will be forbidden. You will not be able to verify if your machine is crackable or not. The real bad boys out there (and I'm not saying a hacker is a bad boy by definition because most are honest and more in the area of security researcher than anything else) will not give a damn if they are allowed to distribute this hacking software because they per definition want to commit crime. So they will get hold of that software and just use it. And because no one was able to verify if POP3 cleartext passwords are floating on your LAN, they will find it out for you but they will not help you to make your computer network a more secure world, they will simply abuse it to send spam, to take money from your bank account or whatever they want.
So the normal end user is getting tools removed to help fight crime. This is helping the bad boys instead of keeping them out.
It's like saying, you are not allowed to encrypt to protect your privacy simply because some bad boys encrypt to protect their evil plans.
I think the report from the EJPD was written by people who do not understand the technological impact of such laws. I think we should respond to this proposal to keep above paragraph out of the law. Otherwise we wouldn't even be able to help the police if they are investigating because the tools to do this are also used by hackers sometimes.
Here is what I got first from EJPD.
----------- snip ----------
Your comments are welcome. You can find the documents at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD (Geschäfte EJPD: Cybercrime). The procedure runs until 30 June 2009.
Kind regards
Andrea Candrian
Fachbereich Internationales Strafrecht Stv. Chef Bundesamt für Justiz / Federal Office of Justice Bundesrain 20 CH-3003 Bern Schweiz/Switzerland Tel. +41/31 322 97 92 Fax. +41/31 312 14 07 mailto:andrea.candrian@bj.admin.ch
----------- snip ----------
Andreas Fink Fink Consulting GmbH Global Networks Schweiz AG BebbiCell AG IceCell ehf
Tel: +41-61-6666330 Fax: +41-61-6666331 Mobile: +41-79-2457333 Address: Clarastrasse 3, 4058 Basel, Switzerland E-Mail: andreas@fink.org www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
ICQ: 8239353 MSN: msn1@gni.ch AIM: smsrelay Skype: andreasfink Yahoo: finkconsulting SMS: +41792457333