Tuesday, June 9, 2009


Security engineers use a set of tools to help them determine their organization's security. I used to be in charge of one that did this - it would run hundreds and hundreds of security tests against computers to see where there were security weaknesses. These scanners are a must-have item if you want to protect your computers.

But any tool can be used for good or for ill. The Bad Guys also run scanners, to identify likely targets. Security tools are very often hacker tools.*

So what happens when you try to outlaw "hacker tools?"
On August 10, 2007, a new section of the German Penal Code went into effect. The statute, intended to implement certain provisions of the Council of Europe Treaty on Cybercrime, could be interpreted to make the creation or distribution of computer security software a criminal offense.
I make computer security software. I have for 15 years or more. Am I a criminal under Section 202(c) of the German Penal Code?

Less theoretically, how effective has the law been in prosecuting actual, you know, hackers?
In the wake of the statute, numerous computer security companies announced their relocation out of Germany. However, to date there have been no prosecutions under this provision, and only a small amount of reported litigation. So far, the statute that scared the bejeezus out of the legitimate security community has not deterred or diminished the spread of hacker tools in Germany or anywhere else and has created legal uncertainty about potential liability.
Not so much, it seems. Actually, that sounds better auf Deutsch: Nullpunkt.

* The parallels to firearms are obvious.

1 comment:

Lissa said...

I watched "Live Free or Die Hard" last night while doing kitchen work. Ever seen it? If so, what did you think of the fire-sale scenario and stealing SSNs?