If you’re not aware, in late May the German government passed a law (the new §202c of the German criminal code) making the possession of “computer programs whose aim is to commit a crime” illegal, a crime punishable with up to a year of jail time. In effect, it treats computer programs the same way as guns. One translation of the law is as follows:
Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to
* passwords or other access codes, that allow access to data or
* computer programs whose aim is to commit a crime
will be punished with up to one year jail or a fine.
That’s it: create or obtain a hacking tool and you could find yourself behind bars. There is no exclusion for security professionals, and no definition of what exactly the ‘aim’ of a computer program means.
Let’s get it out of the way: Guns don’t kill people, people with guns kill people. People with hacking tools can steal your personal data, shut down your system and deface your web site — but is that any reason to ban them? I’ve got five good reasons why restricting hacking tools is not like gun control.
Reason Number One: It’s hard to know exactly whether a given program is aimed at committing a crime. Is it enough to simply be a popular tool with criminals? A port scanner can help you find open (and possibly vulnerable) ports on a computer, which you can then either secure or exploit to gain access. How about password recovery tools: you can use them to recover an old password of your own, or to crack others’ passwords. Packet sniffers: network analysis or eavesdropping? There is a whole range of tools, commonly used by hackers both benign and malicious, that can be used to commit a crime (and may in fact have been written to commit a crime) yet have entirely legitimate and innocent uses as well.
Reason Number Two: Guns have a much smaller effective range than hackers. A local gun restriction law, if it works, can curb gun violence locally. A law restricting the possession of hacking tools in Germany is going to do German businesses no good at all against a hacker from Nigeria, Russia, China or the United States (taking some countries semi-randomly); all it does is restrict their ability to defend themselves. The Internet is global, and national laws for protection are, at best, paper shields.
Reason Number Three: In the majority of countries that restrict possession of weapons, security professionals are licensed to carry them; there’s nothing like that in the German law. Only the most radical gun restriction proponents argue for stripping police of their handguns, but many of the same people seem to have no problem with the blanket banning of “hacking tools”. Computer security professionals need to be able to use whatever tools they can find to protect their businesses: what good is penetration testing if you don’t use the same resources that an attacker would use?
Reason Number Four: It will cripple education. If you’re studying computer science, how can you learn networking without using a port scanner? How can you study encryption without learning how it is broken? How can you learn application programming without understanding buffer overflows? If the tools to research these kinds of things are illegal, then the standard of programming and the level of knowledge of average, law-abiding developers goes down. Worse, they might not even realise that there are gaps in their understanding.
Reason Number Five: It’s an oft-repeated statistic that a gun in the house is more likely to kill a family member than an intruder; that is, many incidents of gun violence are not caused by criminals. Some are, sure, but it’s dead easy to shoot someone. Malicious hacking, on the other hand, is planned, premeditated and takes a great deal of knowledge and practice. Nobody can break into a safe in the heat of the moment, and you can’t set up a botnet by accident. One hundred percent of the people you want to stop using hacking tools are going to ignore this law, because they know they’re breaking the law anyway. To put it simply, a law such as the German one just won’t work to cut down on electronic break-ins.
Laws such as this help no one, and will, in the long run, do a lot of harm to the level of computer security for local businesses and people in general. In short, the side effects of such a law include reducing local knowledge of security and businesses’ ability to protect themselves, and ultimately failing to stop the kind of hackers the law is aimed at. To me the whole thing stinks of making a law without asking anyone who knows anything about the subject. Keep an eye out: these laws could even now be heading to a politician near you.