Tuesday, March 17, 2009

CyberCrime and the wrong way to bring it down

The Swiss federal administration wants to change the law on cybercrime.

See also:

(or especially Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität, i.e. the approval and implementation of the Council of Europe Convention on Cybercrime)

I think this new proposed law includes some dynamite in the details.

First of all: I think it's time for the government to face the fact that there are many open ends (like the discussion we had with the order from Canton de Vaud). My biggest issue with facing cybercrime is however that it is not the law that is the issue but the ability of the police force to enforce the law, mainly due to lack of knowledge and probably financial resources. Cybercrime is happening every day and is happening quickly. The processes of police work were maybe accurate in 1960 but lack the speed needed for today's events. I had two incidents in my own company where it clearly showed that the police had not the slightest clue what was happening on the internet, let alone how to fix the issue. It cost me a hell of a lot of money in the end, even though it was a crystal clear case for me (as a techie...). But I must admit it's not the fault of the law, it's the fault of the execution of the law and the financial resources needed to follow those cases. That's the real problem. If it takes 6 months to get police help from another country, it will take 6 months to stop the spammer. Well, the spammer is changing its servers daily. So what does that help? Anyway...

The proposal above, however, has a section which I think is dangerous and could affect our work:

The substantive criminal law, with its provisions in the area of "computer criminal law" that entered into force on 1 January 1995, largely meets the requirements of the Convention. A need for adaptation arises with regard to the offence of unauthorized intrusion into a data processing system (Art. 143bis of the Criminal Code, the so-called "hacking" offence). Here it is proposed to move criminal liability forward: anyone who makes programs or data available in the knowledge that they are to be used for illegal intrusion into a computer system shall also be liable to prosecution. In addition, outside the requirements of the Convention, it is proposed to delete from Article 143bis of the Criminal Code the element of the absence of intent to enrich oneself, which has been widely criticized in legal doctrine.

Now what does that mean? It is basically what the Germans have done under the term "Hackerparagraph". It makes it illegal to distribute software which could potentially be used for hacking. The result of this was, for example, that in Germany the WiFi tools you use to verify your own WiFi security disappeared. Why? Because someone could use them for hacking. If you take this a bit further, you could use a C compiler to write a hacking tool, so the compiler could be considered a hacking tool, and we all know very well that someone can write hacking tools in C. So, to take this ad absurdum, it could theoretically forbid us to distribute a C compiler. Or think about Linux with all its built-in tools.

Of course this is a bit far-fetched, but there are many gray zones in between. For example, I use Wireshark, a great open source packet analyzer, for my daily work because I develop network protocols. So I use it to verify the network protocols I write for accuracy, or for troubleshooting on other networks. Of course someone could use it for hacking, to listen to passwords sent in cleartext (for example from old POP3 accounts, where the login goes over the wire unencrypted). So if the new law passes and we publish a Wireshark version on our server, do we become criminals?

The result will be that the security tools you use to verify your own security will be forbidden. You will not be able to verify whether your machine is crackable or not. The real bad boys out there (and I'm not saying a hacker is a bad boy by definition, because most are honest and closer to security researchers than anything else) will not give a damn whether they are allowed to distribute this hacking software (they just use it anyway), because they by definition want to commit crime. So they will get hold of that software and just use it. And because no one was able to verify whether POP3 cleartext passwords are floating around on your LAN, they will find it out for you, but they will not help you make your computer network a more secure place; they will simply abuse it to send spam, to take money from your bank account, or whatever else they want.

So the normal end user loses the very tools that help fight crime. This helps the bad boys instead of keeping them out. It's like saying you are not allowed to encrypt to protect your privacy simply because some bad boys encrypt to protect their evil plans.

The report from the EJPD was clearly written by lawyers, people who do not understand the technological impact of such laws. And that's why I think it's pretty dangerous.

I think we should respond to this proposal to keep the paragraph above out of the law. Otherwise we wouldn't even be able to help the police in an investigation, because the tools needed for that are sometimes also used by hackers.

Here is what I first got from the EJPD.

----------- snip ----------
Your comments are welcome. You can find the documents at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD (under Geschäfte EJPD: Cybercrime). The consultation procedure runs until 30 June 2009.

----------- snip ----------

There are also contact details at that URL.

So feel free to make your voice heard or remain silent forever.
