Colleagues,
The federal administration wants to change the law about cyber crime.
See also: http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
(or especially Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität [Approval and implementation of the Council of Europe Convention on Cybercrime])
I think this includes some dynamite in the details.
First of all: I think it's time for the government to face the fact that there are many open ends (like the discussion we had with the order from Canton de Vaud). My biggest issue with facing CyberCrime is however that not the law is the issue but the ability of the police force to enforce the law. Mainly due to lack of knowledge and probably financial resources. CyberCrime is happening every day and is happening quickly. The processes of police work were maybe accurate in 1960 but lack the needed speed of today's events. I had two incidents in my own company where it has clearly shown that the police has not the slightest clue what's happening on the internet, besides how to fix the issue. It cost me a hell of a lot of money in the end even though it was a crystal clear case for me (as a techie...). But I must admit it's not the fault of the law, it's the fault of the execution of the law and the financial resources needed to follow those cases.
The law above however has a section which I think is dangerous and could affect our work:
Substantive criminal law, with its provisions on "computer crime" that entered into force on 1 January 1995, largely meets the requirements of the Convention. Adjustment is needed with regard to the offence of unauthorised intrusion into a data processing system (Art. 143bis of the Criminal Code, the so-called "hacking" offence). Here it is proposed to bring criminal liability forward: anyone who makes programs or data accessible in the knowledge that they are to be used for illegal intrusion into a computer system shall also be liable to prosecution. In addition, outside the requirements of the Convention, it is proposed to delete from Article 143bis of the Criminal Code (StGB) the element of absence of intent to enrich oneself, which has been widely criticised in legal scholarship.
Now what does that mean? It is basically what the Germans have done under the "Hackerparagraph". It disallows software which could potentially be used for hacking to be distributed. The result of this was for example that in Germany the WiFi tools to verify your WiFi security disappeared. Why? Because someone COULD use it for hacking. If you think this a bit further, you could use a C compiler to write a hacker tool, so it could be considered a tool to do hacking and we all very well know someone can write hacking tools in C. So to bring this ad absurdum, it could theoretically forbid us to distribute a C compiler. Or think about Linux.
Of course this is a bit far-fetched but there are many gray zones in between. For example I use Wireshark, a great open source packet analyzer for my daily work because I develop network protocols or verify network protocols. Of course someone could use this for hacking to listen to passwords in cleartext (for example from old POP3 accounts). So if we publish a Wireshark version on our server, we become criminals?
The result will be that security tools to verify your security will be forbidden. You will not be able to verify if your machine is crackable or not. The real bad boys out there (and I'm not saying a hacker is a bad boy by definition because most are honest and more in the area of security researcher than anything else) will not give a damn if they are allowed to distribute this hacking software because they per definition want to commit crime. So they will get hold of that software and just use it. And because no one was able to verify if POP3 cleartext passwords are floating on your LAN, they will find it out for you but they will not help you to make your computer network a more secure world, they will simply abuse it to send spam, to take money from your bank account or whatever they want.
So the normal end user is getting tools removed to help fight crime. This is helping the bad boys instead of keeping them out. It's like saying, you are not allowed to encrypt to protect your privacy simply because some bad boys encrypt to protect their evil plans.
I think the report from the EJPD was written by people who do not understand the technological impact of such laws.
I think we should respond to this proposal to keep above paragraph out of the law. Otherwise we wouldn't even be able to help the police if they are investigating because the tools to do this are also used by hackers sometimes.
Here is what I got first from EJPD.
----------- snip ----------
Your comments are welcome. You will find the documents at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD (EJPD business: Cybercrime). The procedure runs until 30 June 2009.
Kind regards
Andrea Candrian
International Criminal Law Unit, Deputy Head, Bundesamt für Justiz / Federal Office of Justice, Bundesrain 20, CH-3003 Bern, Schweiz/Switzerland, Tel. +41/31 322 97 92, Fax. +41/31 312 14 07, mailto:andrea.candrian@bj.admin.ch
----------- snip ----------
Andreas Fink
Fink Consulting GmbH Global Networks Schweiz AG BebbiCell AG IceCell ehf
Salut, Andreas,
On Tue, 17 Mar 2009 12:18:28 +0100, Andreas Fink wrote:
> Now what does that mean? It is basically what the Germans have done under the "Hackerparagraph". It disallows software which could potentially be used for hacking to be distributed. The result of this was for example that in Germany the WiFi tools to verify your WiFi security disappeared. Why? Because someone COULD use it for hacking.
A similar problem might arise with tools like tcpdump and snoop (for Solaris), which are great for debugging various issues in TCP connections (MTU problems, stalled connections due to window size issues, firewall rule debugging, etc. pp.) but could of course reveal a plaintext password or two in the process. What I want to say with this is that it affects us all in some way or other, not just the developers and wifi fans.
Another example is: if you want to be eligible for certain infrastructural offerings (in public key infrastructures, for example, as a certificate reseller) or government contracts, it might be required in some cases to get ISO certification for security. This process has to be conducted by an ISO certified IT security company. However, how do they do it if all of their tools are forbidden due to the new law? You'll have to find a company in a country where hacker tools are allowed, and fly them in just to perform a simple penetration test.
And even if you're just a relaxed person in terms of security and run Nessus or Metasploit against your machines every couple of months - those are hacker tools. You effectively have no way but to hope that you fixed all flaws in your system, and instead of proactivity, you have to let the bots break down your server first, then rescue the user data, reinstall and try again. This is painful and cost intensive.
> I think we should respond to this proposal to keep above paragraph out of the law. Otherwise we wouldn't even be able to help the police if they are investigating because the tools to do this are also used by hackers sometimes.
I absolutely agree with this and would like to ask everybody here to submit his impression of the law to the EJPD as they demand. It is important for them to understand that there is a majority of the people they're trying to help with in this case who do not agree, and who already have developed much better processes. They must learn that this is not how IT security works.
So please take 30 minutes or an hour and make a submission.
Tonnerre
Hi all,
It may be an idea to have a look at the treaty they have to implement : http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
The article about "hacker tool" is the 6th one and is actually less vague than the wording of the new 143b.2 article :
COE version: "designed or adapted primarily for the purpose of committing any of the offences" / "principalement conçu ou adapté pour permettre la commission de l’une des infractions" (no official German translation)
Proposed Swiss version: "doit présumer qu’ils doivent être utilisés" / "von denen er weiss oder annehmen muss, dass sie zu dem in Absatz 1 genannten Zweck verwendet werden sollen" [English: "which he knows or must assume are to be used for the purpose referred to in paragraph 1"]
It is clear that the COE version rules out tools that are *primarily* conceived to commit infractions, not just tools that *could* be used for hacking (as some have been saying).
So, when writing to the EJPD, you may suggest that they rephrase it in a similar way to the COE treaty. Remember that they have to propose a way to implement this treaty and that they don't have the possibility to just skip this article (which is the only one that requires a change of the legislation).
thomas
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
* on the Wed, Mar 18, 2009 at 08:36:35AM +0100, Thomas Dagonnier wrote:
> It may be an idea to have a look at the treaty they have to implement : http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
I concur, this treaty is shite. It criminalizes various tools instead of acts, tries to heavy-hand enforcement of monopolies, tries to invent new laws where old ones are quite clear (forgeries, fraud), tries to criminalize third parties ("aiding, abetting") and so on.
Shame on whoever came up with this, and on whoever signed this. You've just grossly violated democratic judicial principles. In accordance with Hanlon's Razor (which assumes there is no malice if sufficiently explained by stupidity), you are morons.
Seegras
Peter Keel seegras@discordia.ch wrote:
> * on the Wed, Mar 18, 2009 at 08:36:35AM +0100, Thomas Dagonnier wrote:
>> It may be an idea to have a look at the treaty they have to implement : http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
> Shame on whoever came up with this, and on whoever signed this. You've just grossly violated democratic judicial principles.
One important thing to keep in mind is that signatures under international treaties are *not* a commitment to do what the treaty says, they are only a declaration of intention to consider for ratification that particular version of the treaty.
The step through which a country promises to implement what the treaty says is ratification.
In Switzerland, ratification of a treaty requires decisions of both Nationalrat and Staenderat and then there is the possibility of a referendum.
The reality is that we have quite extensive democratic rights and possibilities to influence what happens. Many officials in the federal administration don't really appreciate these democratic principles, and like to make everyone believe that Switzerland has to do certain things because the text of an international treaty says that we should, even if we haven't yet decided to agree to that international treaty. But we have real power in our hands.
As pointed out by Thomas, if the Swiss legislation mimics exactly what the treaty says in its article 6, the problems that we are concerned about will not occur. So at least that article of the convention is not a true problem. I haven't yet studied the convention in its entirety -- it might contain serious problems in other areas, but if it doesn't, we shouldn't oppose this CoE convention, but just demand that it should be implemented in a way which does not cause problems.
If they don't listen to this demand, there's always the possibility of doing a referendum campaign. Of course that'd be MUCH more work than simply sending in a comment during the present public comments period. Our main benefit from having the democratic possibility of doing a referendum campaign is that because we have this possibility, comments from all kinds of interested parties (like we are now invited to send in during the present public comments period) are going to be taken seriously.
Therefore, I'm pretty sure that the disaster with regard to the legality of security tools is going to be averted if we take appropriate action now. Therefore, please, everyone: Please make sure that your employer or some other organization that you're a member of sends a letter which states clearly that security tools must remain legal to possess and distribute, as long as this is done with a legitimate, non-criminal intention. (I'm writing such a letter, too, on behalf of SIUG, but IMO it's best when many concerned companies and other organizations all send a letter of their own.)
Greetings, Norbert
Two comments from a lawyer's point of view:
> "One important thing to keep in mind is that signatures under international treaties are *not* a commitment to do what the treaty says, they are only a declaration of intention to consider for ratification that particular version of the treaty."
That's an interesting thesis, but I don't agree 100%.
Art. 6 of the Cybercrime Convention: I have analysed this provision in my thesis and I agree with the conclusion that the Article of the Convention is in principle acceptable. The implementation into national law has given rise to discussions in other countries. I have followed the German discussion, which revolved around the same arguments as the discussion on this list.
I will carefully analyse the proposed changes in Swiss law, and I might even submit an opinion in the Vernehmlassungs-procedure.
Regards, Christa
Christa Pfister mail@c-pfister.ch wrote:
> "One important thing to keep in mind is that signatures under international treaties are *not* a commitment to do what the treaty says, they are only a declaration of intention to consider for ratification that particular version of the treaty."
> That's an interesting thesis, but I don't agree 100%.
I wonder if you would maybe be willing to help me find a formulation which you would support 100%, but which is nevertheless a reasonably short explanation of how the Swiss government can sign treaties such as this Convention on Cybercrime, which requires changes to the law that the government does not have authority to decide on its own?
I believe that in order to agree to be bound to a treaty of this type, there must be approval from Ständerat and Nationalrat and the possibility of a referendum!
[ As I see it, the challenge here particularly with regard to this particular treaty is that at least upon casual reading of the treaty text, I get the impression that (unlike e.g. the WIPO Internet Treaties) this would be one of those treaties where signing the treaty is intended to be a form of expressing consent to be bound by the treaty, just like ratification. However, if for this treaty, that is the meaning of signing it, how can it be that Switzerland signed it in 2001, but only in 2008 it was proposed in parliament that Switzerland might ratify this treaty, and it is only this proposal of ratification that leads to discussion of the changes to the law which are necessary for implementing the treaty? As you are certainly aware, the international law of treaties, as codified in the Vienna Convention on the Law of Treaties, foresees both possibilities: Signature of a treaty can have the meaning of committing to do what the treaty says, but it isn't necessarily so. ]
Greetings, Norbert
On 18.3.2009 at 19:43, Norbert Bollow wrote:
> I believe that in order to agree to be bound to a treaty of this type, there must be approval from Ständerat and Nationalrat and the possibility of a referendum!
For that it would make sense, if we would get in contact with the political parties. At the moment, it seems that none of the parties in the parliament have an opinion on this issue.
Ihsan
We have to make sure that they become aware of the issue and that it is a big concern... LOBBYING...
Salut, Ihsan,
On Thu, 19 Mar 2009 10:54:28 +0100, Ihsan Dogan wrote:
> For that it would make sense, if we would get in contact with the political parties. At the moment, it seems that none of the parties in the parliament have an opinion on this issue.
That is of course also very important. Firstly, politicians need to be educated on these issues; secondly, I would also dislike it if someone just calls me when he needs me to vote for something he wants and then leaves me alone again, without building up any relationship or explaining his thoughts. Feels a bit like abuse, eh?
Either way, the number one priority is still to submit a response to the proposal, then the lobbying can be #2 on the agenda.
Tonnerre
Hey guys, the law enforcement offices, sometimes using hacks/backdoors in Skype or whatever (I've heard about it, rumors or reality?), they will/should be forced to provide a list of tools they are able to use/abuse to sound legitimate, isn't it? Will be interesting to say the least. Anyway, this law will be hard to enforce, like anything in a non-material medium.
About the blacklist: tcpdump/snoop and Wireshark: no way, maybe Metasploit on a gray line, mostly 0day stuff floating from IRC to email to email etc. are a real problem.
Cheers.
Salut,
On Fri, Mar 20, 2009 at 11:18:08PM +0100, Patrick Tybo wrote:
> About the blacklist: tcpdump/snoop and Wireshark: no way, maybe Metasploit on a gray line, mostly 0day stuff floating from IRC to email to email etc. are a real problem.
Can you give me a legal guarantee that tcpdump will in no case be considered as a hacker tool? No, you can't. It always depends on mood and understanding of the judge in question, and potentially other factors.
Tonnerre
On Mon, Mar 23, 2009 at 11:53:16PM +0100, Tonnerre LOMBARD wrote:
> Salut,
> On Fri, Mar 20, 2009 at 11:18:08PM +0100, Patrick Tybo wrote:
>> About the blacklist: tcpdump/snoop and Wireshark: no way, maybe Metasploit on a gray line, mostly 0day stuff floating from IRC to email to email etc. are a real problem.
> Can you give me a legal guarantee that tcpdump will in no case be considered as a hacker tool? No, you can't. It always depends on mood and understanding of the judge in question, and potentially other factors.
Actually this is the biggest risk of this law. Taking away "hacker tools" from sysadmins and software developers will decrease the security of the Swiss IT infrastructure. It is like outlawing vaccination.
Salut,
On Tue, Mar 24, 2009 at 08:38:23AM +0100, Claudio Jeker wrote:
>> Can you give me a legal guarantee that tcpdump will in no case be considered as a hacker tool? No, you can't. It always depends on mood and understanding of the judge in question, and potentially other factors.
> Actually this is the biggest risk of this law. Taking away "hacker tools" from sysadmins and software developers will decrease the security of the Swiss IT infrastructure. It is like outlawing vaccination.
Exactly. (As already outlined in the Wiki page.)
In the meantime, I hope you all already sent your responses to the hearing?
Tonnerre
On 20.3.2009 at 0:29, Tonnerre Lombard wrote:
>> For that it would make sense, if we would get in contact with the political parties. At the moment, it seems that none of the parties in the parliament have an opinion on this issue.
> That is of course also very important. Firstly, politicians need to be educated on these issues; secondly, I would also dislike it if someone just calls me when he needs me to vote for something he wants and then leaves me alone again, without building up any relationship or explaining his thoughts. Feels a bit like abuse, eh?
Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
> Either way, the number one priority is still to submit a response to the proposal, then the lobbying can be #2 on the agenda.
Friday evening I was at an Apéro and I had personal contact with the FDP Nationalrat Markus Hutter. I've spoken with him and he promised me to bring up this topic at the "Rechtskommission".
Ihsan
Ihsan Dogan wrote:
> Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
We also have no means to deliver kilo-gallons of slurry to the front-door of the parliament ;-) Also, farmers have much more means to apply pressure to the public - it's not easy to replace their goods & services on short-notice and they are mostly self-employed. Our work has been commoditized to the point where we are replaceable almost immediately - and most of us are employees. Those who are not are replaceable even easier.... And all the heavy-lifting of the infrastructure is done by big corporations that never go on strike or deny service to their customers (which is the usual way pressure groups like garbage-men and farmers get their agenda through).
A part of reality is also, of course, that most of what we do is not really essential - superfluous luxury so to speak. People need food, water, shelter (and garbage-collection). People can survive without email (though we work hard to convince them otherwise) ;-)
Rainer
Hi Folks,
I also thought today that even the schools for IT should position in this discussion... I will try to reach the BBW Winterthur which I am a student of (and some apprentices of members of this mailing list, too btw). I will also try to reach the TBZ for this purpose....
I think we should try to collect organisations which will work together. I can also speak for Gnupingu and the LUG Kreuzlingen.
Silvan
Michael Naef schrieb:
On Monday 23 March 2009, Rainer Duffner wrote: [..]
People can survive without email
I am tempted to doubt that. The reactions to mail outage suggest the contrary ;-)
Well, it depends. I survived a week without email on my holiday. ;-) But our customers' business sort-of depends on email-availability, yes.
Can you eat/drink email? Can you breathe email? Can you email the garbage away? ;-)
Nope, it's fully virtual. Email's non-availability is only an issue, if you're the only one without it. If everybody else didn't have it, it wouldn't be such a problem.
Rainer
On 23.03.2009, at 18:28, Rainer Duffner wrote:
Michael Naef schrieb:
On Monday 23 March 2009, Rainer Duffner wrote: [..]
People can survive without email
I am tempted to doubt that. The reactions to mail outage suggest the contrary ;-)
Well, it depends. I survived a week without email on my holiday. ;-) But our customers' business sort-of depends on email-availability, yes.
Can you eat/drink email? Can you breathe email? Can you email the garbage away? ;-)
Nope, it's fully virtual. Email's non-availability is only an issue, if you're the only one without it. If everybody else didn't have it, it wouldn't be such a problem.
Whole industries depend on it. Without e-mail my business would be dead. In today's world communication is a vital issue to the service industry.
On 23.03.2009, at 21:31, Andreas Fink wrote:
On 23.03.2009, at 18:28, Rainer Duffner wrote:
Michael Naef schrieb:
On Monday 23 March 2009, Rainer Duffner wrote: [..]
People can survive without email
I am tempted to doubt that. The reactions to mail outage suggest the contrary ;-)
Well, it depends. I survived a week without email on my holiday. ;-) But our customers' business sort-of depends on email-availability, yes.
Can you eat/drink email? Can you breathe email? Can you email the garbage away? ;-)
Nope, it's fully virtual. Email's non-availability is only an issue, if you're the only one without it. If everybody else didn't have it, it wouldn't be such a problem.
Whole industries depend on it. Without e-mail my business would be dead. In today's world communication is a vital issue to the service industry.
The question I usually ask people is: "If I gave you a choice between taking down your email-system or your PBX, what would you choose?"
Everyone says to kill the phones.
I think that's a good measure of relevance.
Chris
On the Mon, Mar 23, 2009 at 09:37:30PM +0100, Chris Meidinger blubbered:
Hi.
Whole industries depend on it. Without e-mail my business would be dead. In today's world communication is a vital issue to the service industry.
The question I usually ask people is: "If I gave you a choice between taking down your email-system or your PBX, what would you choose?"
Everyone says to kill the phones.
I think that's a good measure of relevance.
Not necessarily.
For certain things, phonecalls are much better, because of the realtime aspect.
The reason for voting for email instead of phones is that mails can be read later. It does not so much interfere with work, unless you let yourself be distracted by blinking icons or whatever.
Any media has its pros and cons.
CU, Venty
On Tue, Mar 24, 2009 at 12:03:00AM +0100, Martin Ebnoether wrote:
On the Mon, Mar 23, 2009 at 09:37:30PM +0100, Chris Meidinger blubbered:
Hi.
Whole industries depend on it. Without e-mail my business would be dead. In today's world communication is a vital issue to the service industry.
The question I usually ask people is: "If I gave you a choice between taking down your email-system or your PBX, what would you choose?"
Everyone says to kill the phones.
I think that's a good measure of relevance.
Not necessarily.
For certain things, phonecalls are much better, because of the realtime aspect.
What!?! Email is not realtime? It sure is like chat. You press send and the other side gets the mail instantly. If the mail does not arrive within 10 sec the Internet is broken and you should call your ISP.
Salut,
On Tue, Mar 24, 2009 at 08:24:54AM +0100, Claudio Jeker wrote:
What!?! Email is not realtime? It sure is like chat. You press send and the other side gets the mail instantly. If the mail does not arrive within 10 sec the Internet is broken and you should call your ISP.
Are you talking about those mythical glorious days before greylisting?
Tonnerre
On Tuesday 24 March 2009, Claudio Jeker wrote: [..]
What!?! Email is not realtime?
I guess venty meant asynchronous versus synchronous (... phone calls), which is the very distinction between them. A three-way handshake to make "sure" about something over phones is much faster. But just to report something a synchronous medium would be way too much :)
Michi
On the Mon, Mar 23, 2009 at 05:51:33PM +0100, Michael Naef blubbered:
People can survive without email
I am tempted to doubt that. The reactions to mail outage suggest the contrary ;-)
People will certainly not die of an email outage. But they suddenly remember they have a phone and call the sysadmin. This is great! Whenever you feel lonely, just issue a "postfix stop" and "/etc/init.d/cyrus stop" or whatever software powers your email system.
Be advised, you should have a BOfH excuse at hand.
CU, Venty
Am 23.3.2009 17:44 Uhr, Rainer Duffner schrieb:
Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
We also have no means to deliver kilo-gallons of slurry to the front-door of the parliament ;-) Also, farmers have much more means to apply pressure to the public - it's not easy to replace their goods & services on short-notice and they are mostly self-employed. Our work has been commoditized to the point where we are replaceable almost immediately - and most of us are employees. Those who are not are replaceable even easier.... And all the heavy-lifting of the infrastructure is done by big corporations that never go on strike or deny service to their customers (which is the usual way pressure groups like garbage-men and farmers get their agenda through).
I don't agree on this. There are many small companies in Switzerland, which are depending on a good law system.
A part of reality is also, of course, that most of what we do is not really essential - superfluous luxury so to speak. People need food, water, shelter (and garbage-collection). People can survive without email (though we work hard to convince them otherwise) ;-)
You should also not forget, that all those companies are also tax payers and employers. So, there should be an interest, not to annoy them and keep them in Switzerland.
Ihsan
Salut,
On Mon, Mar 23, 2009 at 11:46:12AM +0100, Ihsan Dogan wrote:
Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
That's maybe a good long term vision but I don't see that happening at this precise moment.
Either way, the number one priority is still to submit a response to the proposal, then the lobbying can be #2 on the agenda.
Friday evening I was at an Apéro and I had personal contact with the FDP Nationalrat Markus Hutter. I've spoken with him and he promised me to bring up this topic at the "Rechtskommission".
Very good! Just please ensure beforehand that he understood the issue. ;-)
Tonnerre
Salut,
Am 23.3.2009 23:13 Uhr, Tonnerre LOMBARD schrieb:
Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
That's maybe a good long term vision but I don't see that happening at this precise moment.
I'm doing my best. :-) Switzerland allows us to have a direct influence in politics. We should use this right!
Either way, the number one priority is still to submit a response to the proposal, then the lobbying can be #2 on the agenda.
Friday evening I was at an Apéro and I had personal contact with the FDP Nationalrat Markus Hutter. I've spoken with him and he promised me to bring up this topic at the "Rechtskommission".
Very good! Just please ensure beforehand that he understood the issue. ;-)
I'm sure he understood the issue. Actually, it's not hard at all to understand this issue. The problem is, that most of the people are not aware of the problems.
Ihsan
Salut,
On Tue, Mar 24, 2009 at 05:01:08PM +0100, Ihsan Dogan wrote:
Instead of educating politicians it would make more sense, if the IT people would be more involved in politics. The IT industry is doing more for the GDI (BIP) than the farmers, but unfortunately we are not organized.
That's maybe a good long term vision but I don't see that happening at this precise moment.
I'm doing my best. :-) Switzerland allows us to have a direct influence in politics. We should use this right!
Sure, but in terms of fine-grained control over the process it does not really grant the people more rights than they have in any other country. Nevertheless, those rights suffice to make our mark, using either strategy. But you must admit that your suggestions are rather long-term while mine are mid-term.
I'm sure he understood the issue. Actually, it's not hard at all to understand this issue. The problem is, that most of the people are not aware of the problems.
Sure.
Tonnerre
* on the Wed, Mar 18, 2009 at 12:15:53PM +0100, Norbert Bollow wrote:
- on the Wed, Mar 18, 2009 at 08:36:35AM +0100, Thomas Dagonnier wrote:
It may be an idea to have a look at the treaty they have to implement : http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
Shame on whoever came up with this, and on whoever signed this. You've just grossly violated democratic judicial principles.
One important thing to keep in mind is that signatures under international treaties are *not* a commitment to do what the treaty says, they are only a declaration of intention to consider for ratification that particular version of the treaty.
Yes, but they're a commitment to implement said articles, so if you sign this, you intend to:
"10.1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright,"
There are certain provisions which weaken this further down, but STILL this declares the intention to take copyright infringement out of civil right into criminal right. Which is an outrageous step in the protection of artificial trade-monopolies.
Cheers Seegras
Copyright infringement IS already a criminal offence (Art. 67 URG - Bundesgesetz über das Urheberrecht) - nothing new there.
Regards, Christa
Andreas Fink afink@list.fink.org 2009-03-17:
Colleagues,
The federal administration wants to change the law about cyber crime.
See also:
(or especially Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität )
[...]
Note that according to the "Adressatenliste", SwiNOG was explicitly invited to comment on the proposed change of law.
I guess SwiNOG should comment on Art. 143bis Abs. 2 and request a clarification, in order to make sure that academic, commercial and private IT security research will not be affected by the change of law. The proposed wording of Abs. 2 currently does not adequately honour the fact that security tools are dual-use goods by nature; i.e. they are not inherently good or evil. Or in other words, there is no practical way to distinguish a tool used by a professional penetration tester from a tool used by a blackhat. The difference between the two is not in the tools, it's in the contracts (i.e. approval of the target's owner).
I have a suggestion: I could draft a comment (regarding "hacking-tools") for the Vernehmlassung and submit it to the mailing-list for approval and input by SWINOG members. As the author of a doctoral thesis on Art. 143bis (the Swiss hacking provision), I might be able to add a certain academic weight to the SWINOG position.
I would be prepared to do this for free, it wouldn't be a paid "Gutachten", but rather a joint statement by an association of people who deal with these issues on a daily basis and a lawyer who has studied this provision in depth.
If SWINOG agrees (do you have any decision procedures?), I would submit a draft by 15 May 2009. The Vernehmlassung ends 30 June, so that would leave us enough time for discussion.
Regards, Christa
Hi Christa
(do you have any decision procedures?)
I guess that the only decision would be, who pays you the beer/drink/prosecco or whatever. ;-)
Cheers Günti
Hi Christa
On Wednesday 18 March 2009, Christa Pfister wrote: [..]
I would be prepared to do this for free, it wouldn't be a paid "Gutachten", but rather a joint statement by an association of people who deal with these issues on a daily basis and a lawyer who has studied this provision in depth.
If SWINOG agrees (do you have any decision procedures?), I would submit a draft by 15 May 2009. The Vernehmlassung ends 30 June, so that would leave us enough time for discussion.
I'd appreciate that very much!
Michi
Hello Christa, I think it would be great to get an opinion from a lawyer who knows and speaks the lingo... After all, the target audience are lawyers.
Thanks for your help - Markus
Salut, Christa,
On Wed, Mar 18, 2009 at 04:22:13PM +0100, Christa Pfister wrote:
If SWINOG agrees (do you have any decision procedures?), I would submit a draft by 15 May 2009. The Vernehmlassung ends 30 June, so that would leave us enough time for discussion.
Thanks a lot for the offer. I'd be very glad to see something like that. At https://wiki.chaostreff.ch/Hackerparagraph we have so far collected a bit of stuff we found important, if you can use it and if it saves you some time.
Other than that, I'd like to join the club of people who owe you a drink of your choice.
Tonnerre