The Yin and Yang of Internet Security Research
A law that makes it a crime to host online or otherwise provide software that could be used in cyber attacks went into effect in Germany this month. While the reaction from Germany's hacker culture has been somewhat muted, the measure is already prompting changes within one of the world's most active computer security research and hacking communities.
The German Parliament passed the measure in June, as part of its ratification of the Council of Europe's Treaty on Cyber Crime, an agreement designed to harmonize computer crimes laws across law enforcement groups in more than 40 signatory nations. The German statute goes beyond the guidelines set by the treaty, and includes increased fines or up to one year in jail for any resident who provides access to, sells, or distributes passwords or computer programs with an aim to aid in a crime.
The trouble with this kind of law is that it's awfully difficult to pin down the definition of a computer program designed for malicious purposes. Hardly anyone would argue that releasing a computer virus or worm into the wild shouldn't be a crime. The same probably goes for computer programmers in Eastern Europe who write and offer support for malicious software marketed to criminals who break into computers.
But the forensic tools that are needed to find and close software and network security holes become a double-edged sword because they can almost always also be used by criminals to probe for or exploit potential weaknesses in a target.
The new law has forced a migration of sorts for researchers from Phenoelit, a German outfit whose members are credited with discovering (and reporting to affected software vendors) a decent number of software and hardware security holes. Back when German lawmakers were still debating the measure, Phenoelit member Felix Lindner, a.k.a. "FX," was invited to the parliament to speak as a subject matter expert.
Since the law's effective date on July 6, Lindner said, Phenoelit decided to disavow ownership of the site's content, the entirety of which has since been transferred from a Web host in Germany to one located in the United States. Among the most frequently accessed content on Phenoelit's site is probably the Web's most comprehensive listing of default user names and passwords that ship with hundreds of software and hardware products.
"Nobody really knows to what extent you have to separate yourself from this stuff," Lindner said in a telephone interview. "Some have decided that relocating content to a server outside the country but still owning the content would be safe enough for them, but we took the safer route."
Lindner said many fellow security researchers are curious whether the German authorities will react to content posted online during and after the Chaos Communication Camp, a five-day, open-air hacker conference being held next month in the countryside near Berlin. Typically, conference organizers post the technical details from each speaker's talk on their Web site (currently based in Germany), which may include infringing content, such as "proof-of-concept attacks" that demonstrate a previously unknown software security hole, or special forensics or hacking tools of the sort typically debuted at security conferences.
"Now that we have a new criminal law, that means a lot of people in law enforcement who are interested in this type of stuff are going to be looking for something good to take as their first case," Lindner said. "One has to be very careful to not become that."
If there is one German-based hacking group that has potential for becoming the inaugural poster child for this new law, it may be the "Helith Network," a group of concept virus writers mostly based in Germany. A member of the group recently told washingtonpost.com that it was in the process of relocating its servers to the United States in response to the new statute.
But that may be of little consolation to German authorities. Last month in an online posting the group claimed to have hacked into German financial giant Deutsche Bank's internal networks, and as "proof" posted the company's entire employee Lotus Notes e-mail database to BitTorrent, a popular online file-trading network known for its efficiency in moving large data files. A spokesperson for Deutsche Bank declined to comment on the matter, citing an ongoing police investigation.