Salut, Andreas,

On Tue, 17 Mar 2009 12:18:28 +0100, Andreas Fink wrote:
> Now what does that mean? It is basically what the Germans have done
> under the "Hackerparagraph". It disallows software which could
> potentially be used for hacking to be distributed. The result of
> this was for example that in Germany the WiFi tools to verify your
> WiFi security disappeared. Why? Because someone COULD use it for
> hacking.

A similar problem might arise with tools like tcpdump and snoop (for
Solaris), which are great for debugging various issues in TCP
connections (MTU problems, stalled connections due to window size
issues, firewall rule debugging, etc. pp.) but could of course reveal a
plaintext password or two in the process. What I want to say with this
is that it affects us all in some way or other, not just the developers
and wifi fans.

Another example is: if you want to be eligible for certain
infrastructural offerings (in public key infrastructures, for example,
as a certificate reseller) or government contracts, it might be
required in some case to get ISO certification for security. This
process has to be conducted by an ISO certified IT security company.
However, how do they do it if all of their tools are forbidden due to
the new law? You'll have to find a company in a country where hacker
tools are allowed, and fly them in just to perform a simple penetration
test.

And even if you're just a relaxed person in terms of security and run
Nessus or Metasploit against your machines every couple of months -
those are hacker tools. You effectively have no way but to hope that
you fixed all flaws in your system, and instead of proactivity, you
have to let the bots break down your server first, then rescue the user
data, reinstall and try again. This is painful and cost intensive.

> I think we should respond to this proposal to keep above paragraph
> out of the law. Otherwise we wouldn't even be able to help the police
> if they are investigating because the tools to do this are also used
> by hackers sometimes.

I absolutely agree with this and would like to ask everybody here to
submit his impression of the law to the EJPD as they demand. It is
important for them to understand that there is a majority of the people
they're trying to help in this case who do not agree, and who
already have developed much better processes. They must learn that this
is not how IT security works.

So please take 30 minutes or an hour and make a submission.

                                Tonnerre

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog