A recent update to the German criminal code has outlawed so called “hacking tools.” This move has raised angry responses from security experts worldwide who have branded it as “ill considered and counterproductive.”
The overhaul was designed to tighten up legal definitions in order to make actions like wireless sniffing and denial of service attacks irrefutably illegal. Previously, only attacks directed towards government organisations or corporate entities were felonious. The new regulations also make it an offence for “unauthorised users to bypass computer security protection to access secure data.”
Why the big fuss? Surely it’s a good thing — cracking down on the bad guys and making the world a safer place. The problem is with the way that the new regulations are worded. Under these regulations the creation, installation, or distribution of “hacking tools” is strictly forbidden.
An interpretation by arstechnica.com states, “Manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures is verboten.” Obviously this is primarily targeting creators, distributors, and users of trojans, malware, “botnets,” and the like. However, with this rather loose description fitting almost every security-related application in a system administrator’s toolkit, it quickly becomes clear that there’s a problem. Chaos Computer Club spokesman Andy Müller-Maguhn was obviously unhappy with the new legislation — he told arstechnica, “Forbidding this software is about as helpful as forbidding the sale and production of hammers because sometimes they also cause damage”. He also went on to point out that “safety research can [now] take place only in an unacceptable legal grey area.”
If it’s illegal to create, distribute, and use legitimate security auditing tools then security analysts and system administrators can’t assess the security of their systems nor track down potential vulnerabilities. When you actually think about the huge array of programs that can be used for both legitimate auditing or potentially illegal activities, the list is endless. The use of powerful penetration testing tools like Nessus is most certainly questionable; even a simple port scanner could be considered malicious software. If administrators were unable to use tools like these to check their systems for exploitable entry points, then surely security as a whole would suffer and cyber crime would win. You can be sure that the new legislation won’t deter serious criminals from continuing to develop malicious software and exploiting vulnerable systems. I can’t see that this leaves administrators with any choice other than to continue working as usual in the hope that common sense will prevail.
While I’m sure this matter will eventually be clarified, it raises some interesting questions. Can somebody certify that a system is secure without using software to try and circumvent it? Should lawmakers be required to take more of an effort to understand the real-world implications of their bills? An even bigger question is: can you ever really ban software? I don’t think many of the computer viruses in the wild are “legal” but they are still prevalent.