Salut, Andreas,
On Tue, 17 Mar 2009 12:18:28 +0100, Andreas Fink wrote:
> Now what does that mean? It is basically what the Germans have done under the "Hackerparagraph". It disallows software which could potentially be used for hacking to be distributed. The result of this was, for example, that in Germany the WiFi tools to verify your WiFi security disappeared. Why? Because someone COULD use them for hacking.
A similar problem might arise with tools like tcpdump and snoop (for Solaris), which are great for debugging various issues in TCP connections (MTU problems, stalled connections due to window size issues, firewall rule debugging, etc. pp.) but could of course reveal a plaintext password or two in the process. What I want to say with this is that it affects us all in some way or other, not just the developers and WiFi fans.
Another example is: if you want to be eligible for certain infrastructural offerings (in public key infrastructures, for example, as a certificate reseller) or government contracts, it might be required in some cases to get ISO certification for security. This process has to be conducted by an ISO certified IT security company. However, how do they do it if all of their tools are forbidden due to the new law? You'll have to find a company in a country where hacker tools are allowed, and fly them in just to perform a simple penetration test.
And even if you're just a relaxed person in terms of security and run Nessus or Metasploit against your machines every couple of months - those are hacker tools. You effectively have no way but to hope that you fixed all flaws in your system, and instead of proactivity, you have to let the bots break down your server first, then rescue the user data, reinstall and try again. This is painful and cost-intensive.
> I think we should respond to this proposal to keep the above paragraph out of the law. Otherwise we wouldn't even be able to help the police if they are investigating, because the tools to do this are also used by hackers sometimes.
I absolutely agree with this and would like to ask everybody here to submit his impression of the law to the EJPD as they demand. It is important for them to understand that there is a majority of the people they're trying to help in this case who do not agree, and who have already developed much better processes. They must learn that this is not how IT security works.
So please take 30 minutes or an hour and make a submission.
Tonnerre