Hi all,

It may be an idea to have a look at the treaty they have to implement:
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm

The article about "hacker tool" is the 6th one and is actually less
vague than the wording of the new 143b.2 article :

COE version : "designed or adapted primarily for the purpose of
committing any of the offences" / "principalement conçu ou adapté pour
permettre la commission de l’une des infractions" (no official German
translation)

Proposed Swiss version : "doit présumer qu’ils doivent être utilisés"
/ "von denen er weiss oder annehmen muss, dass sie zu dem in Absatz 1
genannten Zweck verwendet werden sollen"

It is clear that the COE version rules out tools that are
*primarily* conceived to commit infractions, not just tools that
*could* be used for hacking (as some have been saying).

So, when writing to the EJPD, you may suggest that they rephrase it in a
similar way to the COE treaty.
Remember that they have to propose a way to implement this treaty and
that they don't have the possibility to just skip this article (which
is the only one that requires a change of the legislation).

thomas


2009/3/17 Andreas Fink <[email protected]>:
> Colleagues,
> The federal administration wants to change the law about cyber crime.
> See also:
>
> http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
>
> (or especially Genehmigung und Umsetzung des Übereinkommens des Europarates
> über die Cyberkriminalität  )
>
> I think this includes some dynamite in the details
> First of all: I think it's time for the government to face the fact that
> there are many open ends (like the discussion we had with the order from
> Canton de Vaud). My biggest issue with facing CyberCrime is however that not
> the law is the issue but the ability of the police force to enforce the law.
> Mainly due to lack of knowledge and probably financial resources. CyberCrime
> is happening every day and is happening quickly. The processes of police work
> were maybe accurate in 1960 but lack the needed speed of today's events. I had
> two incidents in my own company where it has clearly shown that the police
> has not the slightest clue what's happening on the internet, besides how to
> fix the issue. Cost me a hell of a lot of money at the end even though it was a
> crystal clear case for me (as a techie...). But I must admit it's not the
> fault of the law, it's the fault of the execution of the law and the
> financial resources needed to follow those cases.
> The law above however has a section which I think is dangerous and could
> affect our work:
>
> The substantive criminal law, with its provisions on "computer crime" that
> entered into force on 1 January 1995, largely meets the requirements of the
> Convention. A need for adjustment arises with regard to the offence of
> unauthorised intrusion into a data processing system (Art. 143bis of the
> Criminal Code, the so-called "hacking" offence). Here it is proposed to bring
> forward the point at which criminal liability begins: anyone who makes
> programs or data accessible knowing that they are to be used for illegally
> intruding into a computer system shall also be liable to prosecution. In
> addition, outside the requirements of the Convention, it is proposed to
> delete from Article 143bis of the Criminal Code the element of lack of intent
> to enrich, which has been widely criticised in legal doctrine.
>
> Now what does that mean? It is basically what the Germans have done under
> the "Hackerparagraph". It disallows software which could potentially be used
> for hacking to be distributed. The result of this was for example that in
> Germany the WiFi tools to verify your WiFi security disappeared. Why?
> because someone COULD use it for hacking. If you think this a bit further,
> you could use a C compiler to write a hacker tool, so it could be considered
> a tool to do hacking and we all very well know someone can write
> hacking tools in C. So to bring this ad absurdum, it could theoretically
> forbid us to distribute a C compiler. Or think about Linux.
> Of course this is a bit far reached but there are many gray zones in
> between. For example I use Wireshark, a great open source packet analyzer
> for my daily work because I develop network protocols or verify network
> protocols. Of course someone could use this for hacking to listen to
> passwords in cleartext (for example from old POP3 accounts). So if we
> publish a Wireshark version on our server, we become criminal?
> The result will be that security tools to verify your security will be
> forbidden. You will not be able to verify if your machine is crackable or
> not. The real bad boys out there (and I'm not saying a hacker is a bad boy
> by definition because most are honest and more in the area of security
> researcher than anything else) will not give a damn if they are allowed to
> distribute this hacking software because they per definition want to commit
> crime. So they will get hold of that software and just use it. And because
> no one was able to verify if POP3 cleartext passwords are floating on your
> LAN, they will find it out for you but they will not help you to make your
> computer network a more secure world, they will simply abuse it to send
> spam, to take money from your bank account or whatever they want.
> So the normal end user is getting tools removed to help fight crime. This is
> helping the bad boys instead of keeping them out.
> It's like saying, you are not allowed to encrypt to protect your privacy
> simply because some bad boys encrypt to protect their evil plans.
> I think the report from the EJPD was written by people who do not understand
> the technological impact of such laws.
> I think we should respond to this proposal to keep above paragraph out of
> the law. Otherwise we wouldn't even be able to help the police if they are
> investigating because the tools to do this are also used by hackers
> sometimes.
> Here is what I got first from EJPD.
> ----------- snip ----------
> Your comments are welcome. You will find the documents
> at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD (EJPD items:
> Cybercrime). The procedure runs until 30 June 2009.
>
> Kind regards
>
> Andrea Candrian
>
>
> Fachbereich Internationales Strafrecht
> Stv. Chef
> Bundesamt für Justiz / Federal Office of Justice
> Bundesrain 20
> CH-3003 Bern
> Schweiz/Switzerland
> Tel. +41/31 322 97 92
> Fax. +41/31 312 14 07
> mailto:[email protected]
>
> ----------- snip ----------
>
> Andreas Fink
> Fink Consulting GmbH
> Global Networks Schweiz AG
> BebbiCell AG
> IceCell ehf
> ---------------------------------------------------------------
> Tel: +41-61-6666330 Fax: +41-61-6666331  Mobile: +41-79-2457333
> Address: Clarastrasse 3, 4058 Basel, Switzerland
> E-Mail:  [email protected]
> www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
> ---------------------------------------------------------------
> ICQ: 8239353 MSN: [email protected] aim: smsrelay Skype: andreasfink
> Yahoo: finkconsulting SMS: +41792457333
>
> _______________________________________________
> swinog mailing list
> [email protected]
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog