Your Right to Know About Hacking

Posted by: Rea Maor In: Security and Prevention - Sunday, September 9th, 2007

Germany has gotten itself into the spotlight lately with the new computer crime law. The law is so broad and vague that almost anything to do with software could be considered a violation. Since it addresses the intent of usage, it can apply to any program. The text editor I type this in could be used to write a JavaScript exploit. The web browser you’re reading this in could serve as an agent of a site exploit.

Germany is home to quite a large share of the world’s computing security research, and so this law is threatening to cripple the research field as well. The process of ensuring that a software system is secure involves such methods as “penetration testing”. You don’t have to be a hacker to understand the concept: if you lock your door after you leave your house, you might grab the doorknob and try to turn it or shake it to ensure that the lock is fastened. There, you’ve tested a security feature. Likewise, if you purchased a new alarm system for your car, you might set the alarm and then deliberately push and rock the car to see how sensitive the alarm is to being tripped.

In countries where marijuana usage is illegal but where shops are allowed to sell what we call “bongs”, those devices are commonly labeled as “water pipes” or “hookahs”, and are frequently advertised as “for smoking tobacco”. In the United States, drug control agents go undercover into these “head shops” to listen for unwary customers who refer to the devices in the context of smoking marijuana – if so, they can be arrested or detained on suspicion! Similarly, the German law could make it a crime to sell you any program, if you state that you’re going to use it for “hacking”.

Let alone the tools which are specifically designed for hacking. The Open Source Security Testing Methodology Manual, for instance, makes no bones about it – it is expressly for the purpose of performing security tests. Now, is this tool illegal under German law? You could use it to test your own system, or you could use it to look for holes in a target’s system. Likewise, if you have discovered a security hole and decide to blog about it, that in itself could also be construed as a crime – regardless of your intent.

As you might expect, experts are anticipating that the law will do nothing to stop real cybercrime, while at the same time it will tie up the kind of people who inform and teach about ways to prevent cybercrime. It is “Security through Obscurity”, a notoriously bad practice, only now it’s enforced by a law. The problem with this practice could not be better demonstrated than by the Great Digg Revolt, when Digg tried to suppress the printing of that HD-DVD encryption key.

If any readers find themselves blocked from the web by attempts to censor security information, their best bet is still Tor, the anonymous browsing tool. Just like United States users have to if they want to search TorrentSpy!
