[ISN] German antihacker law could backfire, critics warn

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 01:04:30 PDT


http://www.infoworld.com/article/07/08/13/German-antihacker-law_1.html

By John Blau
IDG News Service
August 13, 2007

Germany's new antihacker law could open the door to more cybercrime and 
not less, security experts warn.

The law, which the German government approved in May and put into effect 
on Saturday, aims to crack down on the sharp rise in attacks on 
computers in the public and private sectors.

Although Germany already has approved numerous laws to curb attacks on 
IT systems, the most recent one aims to close any remaining loopholes. 
Punishable cybercrimes include DOS (denial-of-service) attacks and 
computer sabotage attacks on individuals, which would extend the 
existing law that limited sabotage to businesses and public authorities.

The new law defines hacking as penetrating a computer security system 
and gaining access to secure data, without necessarily stealing data. 
Offenders are defined as any individual or group that intentionally 
creates, spreads or purchases hacker tools designed for illegal 
purposes. They could face up to 10 years in prison for major offenses.

"Dual use is at the root of the problem with the new law," said Andy 
Müller-Maguhn, a spokesman for the German hacker club Chaos Computer 
Club. "You can develop tools, for instance, to test the security of a 
network system but you can use the very same tools to hack a system. Our 
concern is that if a person has to go to court for having a hacker tool 
on his system, he will have to prove his good intentions."

The legal uncertainty created by the new law will make the work of 
security experts in Germany more difficult, according to Müller-Maguhn.

"The law is counterproductive," said Marcus Rapp, product specialist at 
the German subsidiary of Finnish security vendor F-Secure. "It will make 
the security situation worse, not better."

Rapp is concerned about what he calls the law's "broad interpretation" 
of hacking and the legal uncertainty it creates.

"We use hacker tools to test the security of computer systems; that's an 
essential part of our business," he said. "Could our use of these tools 
get us in trouble someday? That's what we don't know."

Russian rival Kaspersky Lab shares a similar opinion.

Hacker tools are "constantly" used by vendors of security software to 
close security holes, wrote Andreas Lamm, managing director of Kaspersky 
Lab in an e-mail. It's also "unrealistic" to believe, he added, that 
the new law will eliminate the illegal use of these tools as clever 
criminal hackers will continue to find ways to operate under the police 
radar.

Several groups of computer experts that develop hacking tools to test 
the security of computers and network systems have already pulled the 
plug on their operations in Germany, either calling it quits for good 
or relocating to countries without antihacking legislation.

Rapp referred to the situation as "not encouraging."

KisMAC, a self-described "good" hacker group that offers a tool to 
detect security holes in wireless networks, stopped its work in Germany 
and plans to resume in neighboring Netherlands.

Phenoelit, another hacker group, has ended its operations in Germany 
and is also considering the Netherlands as a possible relocation site.
