Hey guys,

I would like to know the opinion from the people here about this law in Germany which forbids the use of "hacking tools", such as nmap, ethercap, etc...

In my opinion, in a near future, the IT security in Germany will become a great hole, since the IT security professionals will be forbid to do their work.
In my opinion, as sysadmin, this is definitely not the way to solve security issues.

I know the German government is doing this because that problem with Latvia (The whole country became offline 'cause a DDoS attack), but this is NOT the solution, these crackers will not stop their "job", but if the Gov forbids the IT security staff to do their work, then the attacks will tend to grow!

Ok, now let us talk about the solutions:

1. The German government should think about ways of educating the youth IT security enthusiasts for the ethical hacking.

2. They should, despite forbidding "hacking tools", think about giving better training for the government security staff.

90% of it's attacks are successful 'cause there are negligent sysadmins maintaining these systems.

The security patches are online for downloading, they could just update their boxes, but they DON'T DO IT!

In my opinion, Good security policies, training and responsability by it's sysadmins would definitely solve the security problems.



Source (one of them): http://www.securityfocus.com/brief/567

Nmap doesn't hack computers. People hack computers.

In the US the RIAA is suing that the DMCA makes the shift key on keyboards illegal. They will have to build a lot of prisons.

Nmap doesn't hack computers. People hack computers.


This is exactly what they (the Gov) can't see (or maybe they don't wanna see?).

It's the same in France since maybe 2 years or something like this. Only security firms are allowed to check softwares or make penetration tests. You are not allowed to check your own network anymore, as a home user.

In practice, people have moved their servers out of this country and a lot has gone back to underground/private. Some people must be happy with this laws.
Great ideas from our politicians.

I'm moving this to General, as it isn't a GNU/Linux security issue.

That said, please don't let this dissuade you from having a constructive discussion.

Could be an issue for Groklaw this. I mean, how are these tools defined in the law? If someone changes the name and re-compile these tools, are they still covered by the law? Also, breaking into your own home is legal (e.g. if you have lost your keys or want to test how solid your door is), so how can they ban you from breaking into your own computer network?

I don't think there is any big risk involved in ignoring this law. I am not a law expert, but chances are this is a junk law created by politicians eager to show they know about IT issues. France and Germany both have solid constitutions, and chances are nobody could actually be convicted using these laws. If you are a criminal hacker breaking into other peoples networks, you are already breaking other laws in both countries, so this law would be largely irrelevant.

<- Big Law book needed and some help from Pamela J & co

As a German, I have been following the discussion about this for quite a while. Any number of tech-savvy advisors have spoken up against this law, which really is about as idiotic as laws can get, but our politicians don't care. Small surprise there.

The law does not define clearly what kind of software it refers to. If you ask me, the ping command itself is already covered by it. I suppose that clueless judges will in future have to define what exactly the clueless politicians were talking about.

It is forbidden to create, distribute and own software with the intention of using it to break into systems you have no business breaking into. The law states something about 'malicious intent', which might save administrators testing their own networks, but only actual practice will show what exactly this law will mean. AFAIK the first German security company has moved abroad already because of this law.

Robin

I wonder how long this approach can be maintained. Just the other day, I read that the German government is disgruntled (to put it mildly) after having found evidence that the network of Angela Merkel was broken into by the Chinese. How is this sort of law to protect them against international threats??? It seems that the Chinese are going to be a lot of fun in the future, by the way. They have recently announced their plans to take over Seagate and now the US government is seriously worried about the security risks involved. Maybe people should start considering a ban on Seagate drives?

These kind of laws dont help, because if youre using the tools to break into a network, youre doing something illegal already, the hackers ignore that, so why should they be bothered by this law.

The only way to stop networks from beeing hacked are good trained security admins. Who maintain it seriously, and aply patches.

My school for instance, has really low security, since im one of the few that can break it, it doesnt really matter because all of the people that could do it( 3ppl in total) talked to the admin and told him they would'nt abuse it, the bug is still not fixed though, basicly its waiting for someone less nice to find out how to crack it. People like that should be fired (kinda fun using admin login to check other computers and find out the admin was playing mine sweeper at the moment).

This is not openness, most of the tools are use by admin to secure and troubleshoot their networks.
If the country getting DDoS attacks let people know significance of security.
At the end for what the IT security staff is paid for to make their job easy.

I think it's not as dramatic as it sounds to most people.

Using the tools with the _intention_ to do something _illegal_ is the important part, as bitpicker said - not just "having nmap as a system administrator on your computer". Also, a passage was added making hacking into private person's computers illegal without their consent and if there is any kind of technical barrier to prevent such break-ins which until then just applied to companies and any kinds of administrational IT and infrastructure.

This does not make the law less absurd, of course and there's much room for really badly informed judges to to some real damage, but sadly this is all the national and global zeitgeist right now.

And all in all some legal regulation was due - it's not that surprising that all governments getting their hands more and more into Internet and/or IT affairs.

But overall government and police are still struggling to really grasp the "internetworking" idea - recently I had a federal police visit due to some TOR server stuff, but nothing really happened and no legal consequences of any kind came up - especially my stuff wasn't even been looked at I told them I'm working as an it journalist.

So we'll have to wait where to every day legal affairs will actually lead us.