On August 10, 2007, a new section of the German Penal code went into effect. The statute, intended to implement certain provisions of the Council of Europe Treaty on Cybercrime, could be interpreted to make the creation or distribution of computer security software a criminal offense. In the wake of the statute, numerous …
Dangerous Stauble's Act
Isn't that the pattern lately?
1. Dog bites child, so a law is made to put down dogs that attack people.
2. But dogs still bite children, so they make it a crime to buy a dog with the INTENT of using it to attack.
3. The rozzers complain that it's difficult to prove intent, so the politicians make it a crime simply to own a dog that might attack a child. The dangerous dogs act!
4. Dogs continue to bite children. But lots of people are prosecuted anyway.
Seems to me that if they prosecute 100 people to prevent one 'dog bite child' headline then they are Wolfgang Stauble or Jacqui Smith and don't see the bigger picture. They are a danger to society because they are creating more harm than they fix.
Perhaps we need a Dangerous Stauble act?
@AC 10:26 re. Dangerous Stauble's Act
This would be the Dangerous Statutes Statute, intended to prevent stupid laws being passed. Unfortunately, whenever anyone tries it, nobody can agree on the wording and there are so many arguments about interpretation that it never gets a first reading.
No problem in the UK
Due to the 3000+ laws added in the last 12 years, courtesy of Zanu Labour and their collaborators in the Tory & Lib Dem parties, everyone in the UK is a criminal anyway.
The police/regulators/authorities don't waste their time going after the big criminals these days. Why bother when there's so much low level "crime" that has to be "reduced"? More prisons, more prisons. Not.
Tech is Complicated
Which is why the simpletons that make up most legislatures probably shouldn't be allowed near them!
... or perhaps a Dangerous Politician Act.
Seriously, there are so many politicians that avoid learning about technology but still have control over the legislation that governs the use of technology.
I suppose that using existing laws has become boring and involves too much thinking. It's like the law about driving while using a mobile, which criminalises someone because they might be capable of doing something dangerous rather than actively going after plain old dangerous drivers that can be seen on roads every day...
If the lawyers need some advice on how to look for the dangerous drivers on the net then i'm sure we'd have many volunteers on el reg...
In the UK, we used to have a "second chamber" whose main activity was to review change or block poor legislation.
This second chamber was seen as a bad thing by whichever group was in power. The fact that both conservatives and socialists disliked it proves to me that it was a good thing.
The problem is that since 1997, enormous steps have been taken to disable review, stifle dissent in Parliament and speed up the already huge flow of legislation.
This has given us more and poorer laws than ever before. We have been pushed into an unpopular, arguably illegal, war in Iraq. We have more restrictions on our freedom than ever found in a democratic country before. The world financial system may not be caused by this (left for cleverer people to discuss) but but it will be used for passing some more stupid laws.
The only good news in our politics recently has been that we have all seen what a bunch of arrogant fools those at the top are. This may have been going on for decades. Those of us in the public sector have trouble getting the costs of our training back. How long have we been paying for the cleaning out of their moats?
Scared of what they don't know
the imbeciles have taken over, now tech is out of a job, they can go for political ones.
The only thing is bitterness and revenge, over complicate the systems now could be an interesting move, they lower our standard of living we put theirs in the morgue.
"Perhaps we need a Dangerous Stauble act?"
That would likely cause a recursive loop that would destory the government.
"Similarly, Article 269(b) of the Polish penal code states that, 'whoever prepares, obtains, sells or makes available for other persons the computer devices or software tailored to the purposes of committing [a cybercrime], or prepares computer passwords, entry codes or other data that makes information stored in a computer system or network available' shall be guilty of a crime."
I sincerely hope that that is a bad translation (assuming the law is written in Polish). As quoted, every network administrator is guilty of a crime because they prepare computer passwords that make information stored on a network available. Being the network administrator, they are authorized to do so, and the prepared passwords are used to authenticate authorized users, but such wording (and thus intent) is missing from the quoted text. Can anybody confirm whether or not this is the case?
It seems to me it ought to be possible to determine the intention of one of these programs fairly easily. Surely there's a difference between detecting a vulnerability and actually exploiting it. A password cracker that scans for weak passwords and then reports which accounts are vulnerable only needs to display a score and lock the account out, it doesn't need to display the password it found. Similarly, there's a big difference between writing a tool that looks for SQL injection weaknesses and simply reports them, or one which then goes ahead to take over the system.
As for jail breaking iPhones and removing copy protection mechanisms in it being "ok because it's your phone", how is that any different from claiming that jail breaking a satellite receiver and removing protection within that is ok just because you bought the receiver?
Are you now, or have you ever been...
This is what happens, in every country including the UK, when you have politicians and bureaucrats - most of whom can't be trusted with their own data and email security - trying to legislate on IT matters. In fact on most matters they know nothing about, including terrorism and personal security - usually on the 'expert' advice of people with vested interests.
The way they see it, we need rules. Rules not working? Then - of course - we need even more rules with more little boxes on the forms to tick. And of course more jobsworths to enforce stupid and ill-thought laws. And if more members of the public are pointlessly criminalised, then that's a price worth paying - for the politicians. When we have enough forms, with enough squares, and they're all ticked, the world will be 100% safe and law abiding.
You know it makes sense...
Ah, yes, Schäuble, Germany's favourite insane politician...
Eh, the whole hacker tools laws are stemming from a lack of general computer expertise in governments. I mean banning hacker tools is like banning crowbars, because they can be used in burglaries! But if you lack the knowledge to understand the legitimate uses...
@ Dangerous Stauble's Act
I'm entirely in favor of a dangerous dog act. There's simply no justification to own an animal bred or trained for attack. While dogs may still continue to bite children, you entirely ignore that there is a difference in frequency overall, a difference in frequency of unprovoked bites, a difference in the severity of a dog biting once or twice defensively and one actively looking to harm or disable a person.
Perhaps the owner of the animal had no intent, but then it was unreasonable to own it. If you have no intent to fire a gun, do you load it with bullets and point it? If you fire the gun but didn't aim at anyone in particular, but you are in a crowded area and someone gets hit, aren't you a bit to blame and isn't it fair to say the gun should be taken away from someone who would do this?
An individual's rights have to be tempered by the rights of others to a bit of safety. I do not feel this safety from bodily harm is equivalent to safety from hacking a computer in the vast majority of cases so in the meantime I will take comfort in knowing I am a lot less likely to be attacked by a dog.
The Law is more of a problem than the criminals
The biggest danger to cybersecurity is well meaning journalists and politicians who's understanding of the subject is at the level of WOPR and "Global Thermonuclear War". They end up issuing diktats that do nothing to slow the criminals down but make is difficult for people to work against the criminals.
If they want to legislate something useful then let's see some standards that equipment can be certified against so that we can avoid things like the "ATM Runs XP, ATM gets Pwned" debacle reported elsewhere on this site.
Since when did black hat hackers obey the law anyway?
"oh no now there's a law that says I can't distribute my warez, I guess I'll just have to stop doing it now, as it's so likely that I'll be caught"
And as ever who does this law penalise the most? The decent law abiding citizens who have to stop what they're doing in the name of fighting the peadophiles/terrorists/hackers/[insert bogey man here]
The government should know you can't stop the hackers and you can't beat them either. You can only hope to stay 1 step ahead. And is that really so very hard?
Less laws, less politicians
More common sense............if only.
i cant beleive they have just driven out a load of legitimate tax and kept the bad guys.
Wether they like it or not this software will be developed over the border and then used by ze people !!
"The government should know you can't stop the hackers and you can't beat them either. You can only hope to stay 1 step ahead. And is that really so very hard?" .... By Bernie Posted Monday 8th June 2009 08:33 GMT
That is a forlorn and pointless hope unless one embraces the answer 42 have them working for you too, which is surely not really so hard. That way can you be light years ahead of any opposition and/or competition.
Was thirty pieces of silver ever better spent, for it can always be reduced to the supply of liquid cash for lavish spending to guarantee one cannot be beaten if one is trailing in such Great Game Plays.
The Idiot Savant, I suppose, would waste a Mountain of Resources on an Impossible Hope rather than Server to a Lead, which they are not Intelligent Enough themselves to Seed. But as we are all getting Smarter Quicker, and with some getting Smarter Quicker than Others and therefore Racing way ahead to Prepare for what Follows, is it inevitable that eventually they will be Smart enough to Venture forth with the Appropriate Correct Offer which will extraordinarily render them Relief and a Stable Comfort.
Re: Re: pointless
And further to the Posted Monday 8th June 2009 10:11 GMT post ..... Failure to Engage so Constructively, will Quickly and Smartly render what we would now think of as Government, as Dead and as Relevant as the Dodo and Dinosaur ........ as Events Driven by Technology [which would be the Wielders of Technology, if Virtual Machinery itself is discounted as being Responsible] expose their Myriad Failings to prove they are Unfit for Future Better Beta Purpose...... which would be Progress and a Pleasant Change.
@ Rolf Howarth Posted Sunday 7th June 2009 23:12 GMT
>>> It seems to me it ought to be possible to determine the intention of one of these programs fairly easily. Surely there's a difference between detecting a vulnerability and actually exploiting it. A password cracker that scans for weak passwords and then reports which accounts are vulnerable only needs to display a score and lock the account out, it doesn't need to display the password it found.
Well that depends. If your only interest is in knowing that there is a weak password, then you are right. But perhaps the admit would like to know WHY the password is weak, or HOW the user that set it thinks - because that is more likely to actually solve the problem than simply acting the bad guy (in teh users eyes) by educating them with a bit of "clue by four".
Or, the purpose of password cracking may be to gain access to your own equipment - perhaps you are the city public authority and your network admin has changed all the passwords across the whole city and won't tell you what they are.
>>> As for jail breaking iPhones and removing copy protection mechanisms in it being "ok because it's your phone", how is that any different from claiming that jail breaking a satellite receiver and removing protection within that is ok just because you bought the receiver?
There is a big difference there. Hacking a receiver is usually (but not always) done as a means to getting services for which you have not paid. That is NOT the case for unlocking/jailbreaking an iPhone - where your reasons are simply to allow you to use the device to run your choice of software on your choice of network supplier. Only if the purpose was to allow you to use (say) AT&T's network without paying AT&T a cent would your analogy be correct.
The locking stuff on iPhone is not there for any valid security reason, it is there simply to reduce user choice. See http://www.eff.org/cases/2009-dmca-rulemaking
You make some valid points, but I'm not sure I fully agree.
There's no good reason why a system administrator needs to know the user's password. Tell them their account's been disabled and that using common words but replacing 'e' with '3' doesn't constitute a good password - users will soon learn if they can't get on the system!
Some people certainly do jail break an iPhone to run it on another network, but plenty of others do so so they can run apps without paying for them, or to access services such as tethering which they haven't paid for. Apple couldn't care less about individuals jailbreaking their own iPhones though. It's companies doing it commercially that they're trying to stop.
"there's a big difference between writing a tool that looks for SQL injection weaknesses and simply reports them, or one which then goes ahead to take over the system"
Unfortunatly, it is not possible for a computer program to 'see' whether a door is open, it must instead give each door a push. In the case of a brute-force password check, that is fine, but for SQL injection, or similar, the only way to prove that something is vulnerable is to break it.
A better analogy might be checking the strength of a rope or shackle - pull it hard and see if it breaks - but you can't carry out the test without _some_ risk of damaging the article under test.
- Product round-up Coming clean: Ten cordless vacuum cleaners
- Something for the Weekend, Sir? I need a password to BRAKE? What? No! STOP! Aaaargh!
- Episode 13 BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
- Vulture at the Wheel Ford's B-Max: Fiesta-based runaround that goes THUNK
- Worstall @ the Weekend BIG FAT Lies: Porky Pies about obesity