
The Yin and Yang of Internet Security Research

A law that makes it a crime to host online or otherwise provide software that could be used in cyber attacks went into effect in Germany this month. While the reaction from Germany's hacker culture has been somewhat muted, the measure is already prompting changes within one of the world's most active computer security research and hacking communities.

The German Parliament passed the measure in June, as part of its ratification of the Council of Europe's Treaty on Cyber Crime, an agreement designed to harmonize computer crime laws across law enforcement agencies in more than 40 signatory nations. The German statute goes beyond the guidelines set by the treaty: it provides for increased fines or up to one year in jail for any resident who provides access to, sells, or distributes passwords or computer programs with the intent of facilitating a crime.

The trouble with this kind of law is that it's awfully difficult to pin down the definition of a computer program designed for malicious purposes. Hardly anyone would argue that releasing a computer virus or worm into the wild shouldn't be a crime. The same probably goes for computer programmers in Eastern Europe who write and offer support for malicious software marketed to criminals who break into computers.

But the scanning, testing and forensic tools needed to find and close software and network security holes are a double-edged sword: they can almost always also be used by criminals to probe for or exploit weaknesses in a target.

The new law has forced a migration of sorts for researchers from Phenoelit, a German outfit whose members are credited with discovering (and reporting to affected software vendors) a decent number of software and hardware security holes. Back when German lawmakers were still debating the measure, Phenoelit member Felix Lindner, a.k.a. "FX", was invited to the parliament to speak as a subject matter expert.

Since the law's effective date on July 6, Lindner said, Phenoelit decided to disavow ownership of the site's content, the entirety of which has since been transferred from a Web host in Germany to one located in the United States. Among the most frequently accessed content on Phenoelit's site is probably the Web's most comprehensive listing of default user names and passwords that ship with hundreds of software and hardware products.

"Nobody really knows to what extent you have to separate yourself from this stuff," Lindner said in a telephone interview. "Some have decided that relocating content to a server outside the country but still owning the content would be safe enough for them, but we took the safer route."

Lindner said many fellow security researchers are curious whether the German authorities will react to content posted online during and after the Chaos Communication Camp, a five-day, open-air hacker conference being held next month in the countryside near Berlin. Typically, conference organizers post the technical details from each speaker's talk on their Web site (currently based in Germany), which may include content that could run afoul of the new law, such as "proof-of-concept attacks" that demonstrate a previously unknown software security hole, or special forensics or hacking tools of the sort typically debuted at security conferences.

"Now that we have a new criminal law, that means a lot of people in law enforcement who are interested in this type of stuff are going to be looking for something good to take as their first case," Lindner said. "One has to be very careful to not become that."

If there is one German-based hacking group that has potential for becoming the inaugural poster child for this new law, it may be the "Helith Network," a group of concept virus writers mostly based in Germany. A member of the group recently told washingtonpost.com that it was in the process of relocating its servers to the United States in response to the new statute.

But that may be of little consolation to German authorities. Last month in an online posting the group claimed to have hacked into German financial giant Deutsche Bank's internal networks, and as "proof" posted the company's entire employee Lotus Notes e-mail database to BitTorrent, a popular online file-trading network known for its efficiency in moving large data files. A spokesperson for Deutsche Bank declined to comment on the matter, citing an ongoing police investigation.

By Brian Krebs | July 30, 2007; 12:34 PM ET | Categories: From the Bunker, Misc.

Comments




I saw today that the developer of the Mac based wireless discovery tool KisMAC is stopping development due to this change.

--Chris

Posted by: Chris Harrington | July 30, 2007 2:18 PM

This new legislation sounds like it will become a bad example of the law of unintended consequences.

As usual in such examples, the act itself (judging by the English translation online at http://www.coe.int) seems well meant. To be guilty under it, a hacker has to intentionally grab digitized information that is both protected and not meant for him. And a guilty software monger has to make software available whose "purpose" is to carry out cybercrime.

So, at first glance, it seems that maybe a legal disclaimer would be enough to protect Phenoelit lists and KisMAC. But like their creators, I wouldn't chance it. After all, the state will decide what constitutes evidence of "purpose" or "intent." Already, then, prior restraint is at work, cowing the good guys while doing little to stop the bad.

Even more extensive damage, however, could be done by German law enforcement. Just how are they going to police for this? Will the new legislation encourage them to investigate - even hack into - any site hosted in Germany or owned by a German resident, in search of hidden links to software that could be used to prepare or launch a cyberattack? Will they be allowed to archive data mined from such investigations whether or not they bear fruit?

Sound too Chicken-Little? It's important, I think, to bear in mind that the average 'Net tool is not very different from a kitchen utensil: both can be used for legitimate uses, but both can be misused for criminal purposes. Conceivably then, an overzealous state can label innocuous software criminal simply because it can be misused by hackers. If that occurs, the executive arm of the state will be able to prosecute the owner of any site that distributes software, no matter how innocent, as long as that software has ever been used in furtherance of a cybercrime.

The legislation leaves too many questions unanswered.

If similar laws are enacted in the U.S., watch out.

Posted by: Don | July 30, 2007 6:01 PM

"Hardly anyone would argue that releasing a computer virus or worm into the wild should be a crime."

Uh, I think it should be a crime to release viruses and worms into the wild. That's pretty different than research for defensive purposes. It looks like a typo to me.

Posted by: Aaron | July 31, 2007 12:52 PM

Aaron, you are correct. It should read "shouldn't". I will fix. Thanks very much.

Posted by: Bk | July 31, 2007 9:39 PM




©  The Washington Post Company