German hacker-tool law snares...no-one

@AC 10:26 re. Dangerous Stauble's Act

This would be the Dangerous Statutes Statute, intended to prevent stupid laws being passed. Unfortunately, whenever anyone tries it, nobody can agree on the wording and there are so many arguments about interpretation that it never gets a first reading.

Tech is Complicated

Which is why the simpletons that make up most legislatures probably shouldn't be allowed near them!

Scared of what they don't know

the imbeciles have taken over, now tech is out of a job, they can go for political ones.

The only thing is bitterness and revenge, over complicate the systems now could be an interesting move, they lower our standard of living we put theirs in the morgue.

@AC

"Perhaps we need a Dangerous Stauble act?"

That would likely cause a recursive loop that would destory the government.

Bad translation?

"Similarly, Article 269(b) of the Polish penal code states that, 'whoever prepares, obtains, sells or makes available for other persons the computer devices or software tailored to the purposes of committing [a cybercrime], or prepares computer passwords, entry codes or other data that makes information stored in a computer system or network available' shall be guilty of a crime."

I sincerely hope that that is a bad translation (assuming the law is written in Polish). As quoted, every network administrator is guilty of a crime because they prepare computer passwords that make information stored on a network available. Being the network administrator, they are authorized to do so, and the prepared passwords are used to authenticate authorized users, but such wording (and thus intent) is missing from the quoted text. Can anybody confirm whether or not this is the case?

Well...

It seems to me it ought to be possible to determine the intention of one of these programs fairly easily. Surely there's a difference between detecting a vulnerability and actually exploiting it. A password cracker that scans for weak passwords and then reports which accounts are vulnerable only needs to display a score and lock the account out, it doesn't need to display the password it found. Similarly, there's a big difference between writing a tool that looks for SQL injection weaknesses and simply reports them, or one which then goes ahead to take over the system.

As for jail breaking iPhones and removing copy protection mechanisms in it being "ok because it's your phone", how is that any different from claiming that jail breaking a satellite receiver and removing protection within that is ok just because you bought the receiver?

Are you now, or have you ever been...

This is what happens, in every country including the UK, when you have politicians and bureaucrats - most of whom can't be trusted with their own data and email security - trying to legislate on IT matters. In fact on most matters they know nothing about, including terrorism and personal security - usually on the 'expert' advice of people with vested interests.

The way they see it, we need rules. Rules not working? Then - of course - we need even more rules with more little boxes on the forms to tick. And of course more jobsworths to enforce stupid and ill-thought laws. And if more members of the public are pointlessly criminalised, then that's a price worth paying - for the politicians. When we have enough forms, with enough squares, and they're all ticked, the world will be 100% safe and law abiding.

You know it makes sense...

Ban Stauble?

Ah, yes, Schäuble, Germany's favourite insane politician...

Eh, the whole hacker tools laws are stemming from a lack of general computer expertise in governments. I mean banning hacker tools is like banning crowbars, because they can be used in burglaries! But if you lack the knowledge to understand the legitimate uses...

@ Dangerous Stauble's Act

I'm entirely in favor of a dangerous dog act. There's simply no justification to own an animal bred or trained for attack. While dogs may still continue to bite children, you entirely ignore that there is a difference in frequency overall, a difference in frequency of unprovoked bites, a difference in the severity of a dog biting once or twice defensively and one actively looking to harm or disable a person.

Perhaps the owner of the animal had no intent, but then it was unreasonable to own it. If you have no intent to fire a gun, do you load it with bullets and point it? If you fire the gun but didn't aim at anyone in particular, but you are in a crowded area and someone gets hit, aren't you a bit to blame and isn't it fair to say the gun should be taken away from someone who would do this?

An individual's rights have to be tempered by the rights of others to a bit of safety. I do not feel this safety from bodily harm is equivalent to safety from hacking a computer in the vast majority of cases so in the meantime I will take comfort in knowing I am a lot less likely to be attacked by a dog.

The Law is more of a problem than the criminals

The biggest danger to cybersecurity is well meaning journalists and politicians who's understanding of the subject is at the level of WOPR and "Global Thermonuclear War". They end up issuing diktats that do nothing to slow the criminals down but make is difficult for people to work against the criminals.

If they want to legislate something useful then let's see some standards that equipment can be certified against so that we can avoid things like the "ATM Runs XP, ATM gets Pwned" debacle reported elsewhere on this site.

pointless

Since when did black hat hackers obey the law anyway?

"oh no now there's a law that says I can't distribute my warez, I guess I'll just have to stop doing it now, as it's so likely that I'll be caught"

And as ever who does this law penalise the most? The decent law abiding citizens who have to stop what they're doing in the name of fighting the peadophiles/terrorists/hackers/[insert bogey man here]

The government should know you can't stop the hackers and you can't beat them either. You can only hope to stay 1 step ahead. And is that really so very hard?

Less laws, less politicians

More common sense............if only.

Re: pointless

"The government should know you can't stop the hackers and you can't beat them either. You can only hope to stay 1 step ahead. And is that really so very hard?" .... By Bernie Posted Monday 8th June 2009 08:33 GMT

Bernie,

That is a forlorn and pointless hope unless one embraces the answer 42 have them working for you too, which is surely not really so hard. That way can you be light years ahead of any opposition and/or competition.

Was thirty pieces of silver ever better spent, for it can always be reduced to the supply of liquid cash for lavish spending to guarantee one cannot be beaten if one is trailing in such Great Game Plays.

The Idiot Savant, I suppose, would waste a Mountain of Resources on an Impossible Hope rather than Server to a Lead, which they are not Intelligent Enough themselves to Seed. But as we are all getting Smarter Quicker, and with some getting Smarter Quicker than Others and therefore Racing way ahead to Prepare for what Follows, is it inevitable that eventually they will be Smart enough to Venture forth with the Appropriate Correct Offer which will extraordinarily render them Relief and a Stable Comfort.

Re: Re: pointless

And further to the Posted Monday 8th June 2009 10:11 GMT post ..... Failure to Engage so Constructively, will Quickly and Smartly render what we would now think of as Government, as Dead and as Relevant as the Dodo and Dinosaur ........ as Events Driven by Technology [which would be the Wielders of Technology, if Virtual Machinery itself is discounted as being Responsible] expose their Myriad Failings to prove they are Unfit for Future Better Beta Purpose...... which would be Progress and a Pleasant Change.

Re: Well...

@ Rolf Howarth Posted Sunday 7th June 2009 23:12 GMT

>>> It seems to me it ought to be possible to determine the intention of one of these programs fairly easily. Surely there's a difference between detecting a vulnerability and actually exploiting it. A password cracker that scans for weak passwords and then reports which accounts are vulnerable only needs to display a score and lock the account out, it doesn't need to display the password it found.

Well that depends. If your only interest is in knowing that there is a weak password, then you are right. But perhaps the admit would like to know WHY the password is weak, or HOW the user that set it thinks - because that is more likely to actually solve the problem than simply acting the bad guy (in teh users eyes) by educating them with a bit of "clue by four".

Or, the purpose of password cracking may be to gain access to your own equipment - perhaps you are the city public authority and your network admin has changed all the passwords across the whole city and won't tell you what they are.

>>> As for jail breaking iPhones and removing copy protection mechanisms in it being "ok because it's your phone", how is that any different from claiming that jail breaking a satellite receiver and removing protection within that is ok just because you bought the receiver?

There is a big difference there. Hacking a receiver is usually (but not always) done as a means to getting services for which you have not paid. That is NOT the case for unlocking/jailbreaking an iPhone - where your reasons are simply to allow you to use the device to run your choice of software on your choice of network supplier. Only if the purpose was to allow you to use (say) AT&T's network without paying AT&T a cent would your analogy be correct.

The locking stuff on iPhone is not there for any valid security reason, it is there simply to reduce user choice. See http://www.eff.org/cases/2009-dmca-rulemaking

@Simon Hobson

You make some valid points, but I'm not sure I fully agree.

There's no good reason why a system administrator needs to know the user's password. Tell them their account's been disabled and that using common words but replacing 'e' with '3' doesn't constitute a good password - users will soon learn if they can't get on the system!

Some people certainly do jail break an iPhone to run it on another network, but plenty of others do so so they can run apps without paying for them, or to access services such as tethering which they haven't paid for. Apple couldn't care less about individuals jailbreaking their own iPhones though. It's companies doing it commercially that they're trying to stop.