Wednesday, August 29, 2007

Hacking Germany's New Computer Crime Law

Via DarkReading.com -

Be careful what you joke about at the water cooler in Germany these days -- even a dig about a password stuck to a PC monitor could be considered breaking a new anti-hacker law that went into effect this month.

Under the new law, such a joke could be construed as making the password "accessible." And that's just the beginning. If a customer tells a sales clerk at a German office supply store that he's going to use his newly-purchased Windows XP software to hack into a bank, the clerk could get busted for selling him the OS.

These are the types of extreme scenarios being played out over and over by German security vendors and researchers who are still trying to figure out just what the controversial new Section 202c StGB of the country's computer crime laws really means to their business and their research.

Many security people say the law is so flawed and so broad that no one can really comply with it. "In essence, the way the laws are phrased now, there is no way to ever comply... even as a non-security company," says researcher Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security.

...

Phenoelit, a German researcher Website that contained the default passwords of various network products, recently handed its content over to a U.S. site operator, mainly because the password list is now illegal under the new law.

The German law has given some U.S. researchers pause as well. It's unclear whether the long arm of the German law could reach them, so some aren't taking any chances: The exploit-laden Metasploit hacking tool could fall under German law if someone possesses it, distributes it, or uses it, for instance. "I'm staying out of Germany," says HD Moore, Metasploit's creator and director of security research for BreakingPoint Systems.

"Just about everything the Metasploit project provides [could] fall under that law," Moore says. "Every exploit, most of the tools, and even the documentation in some cases."

Moore notes that most Linux distros are now illegal in Germany as well, because they include the open-source nmap security scanner tool -- and some include Metasploit as well.
