By John Leyden for The
Register.
This story has been reproduced with permission.
The revamp to the German criminal code is designed to tighten
definitions, making denial of service attacks and attempts to sniff
data on third-party wireless networks, for example, clearly
criminal. Attacks would be punishable by a fine and up to 10 years
imprisonment.
Previously, only attacks against companies and government
organisations were indictable offences. The regulations, passed
last week, also make it illegal for unauthorised users to bypass
computer security protection to access secure data.
Under these provision it becomes an offense to create, use or
distribute so-called "hacking tools". Critics point out that many
of these tools are used by system administrators and security
consultants quite legitimately to probe for vulnerabilities in
corporate systems.
The distinctions between, for example, a password cracker and a
password recovery tool, or a utility designed to run denial of
service attacks and one designed to stress-test a network, are not
properly covered in the legislation, critics argue. Taken as read,
the law might even even make use of data recovery software to
bypass file access permissions and gain access to deleted data
potentially illegal.
"Forbidding this software is about as helpful as forbidding the
sale and production of hammers because sometimes they also cause
damage," Chaos Computer Club spokesman Andy Müller-Maguhn
told Ars Technica. "Safety research can [now] take
place only in an unacceptable legal gray area."
While making life more difficult for security consultants and
sys admins, the new laws will, paradoxically, make it easier for
police to use hacking tactics in gathering intelligence on
suspects. The practice – declared verboten by German courts earlier
this year - could be reinstated under the new laws, according to
Müller-Maguhn.
© The Register
2007
