Aug 31 2007

Catch 22 in Germany when it comes to IT-Security

Published by Kim Haverblad under Security

It seems that Germany is willing to legalize the use of malicious software such as spyware and trojan horses as a necessary measure against terrorism, according to an article published by the Herald Tribune. The question is who will define what and when a crime falls under terrorism, since it is hard to guarantee that this will not become an invasion of citizens’ privacy if the bill is passed. Interior Minister Wolfgang Schaeuble defended the tactic in an interview with n-tv television, calling the ongoing debate ”completely exaggerated” and underlining that judicial approval would be required before the measures could be used. ”It’s about a few isolated cases.”

Furthermore, a verdict from the Hamburg regional court in Germany last year stated that as an individual you carry full responsibility for the activity that goes on via the wireless network in your home. Fair enough, but is it also fair that I have to answer for other people’s activity on my wireless network, or on my local network as well? That is a really good question. In most cases I think we all agree that a private person is responsible for their own actions, and that a company has to take responsibility for its employees.

But what if someone downloads, for example, mp3 files via my network; would I still be responsible for this third party’s activity? In Germany you would. According to the German magazine Heise, which covered the case, the verdict of 2006-07-26 rests on approximately 244 mp3 files having been downloaded at the end of 2005 via the Gnutella peer-to-peer network. This was noticed by a music company, which took the case to court, and the judge ruled in favour of the music company. The judge states that an individual is responsible and has to take measures to ensure that a personal wireless access point is password protected and thereby uses some kind of encryption to secure it.

So the big question now is: when is an access point secured? Quite a few users are still running equipment that only supports WEP (Wired Equivalent Privacy, often misexpanded as Wireless Encryption Protocol), and WEP has been shown to be crackable in a matter of minutes. The weakness is in the protocol itself, in how it uses the RC4 cipher with short, reused initialization vectors, so a longer WEP key or a firmware update does not help; the practical fix is to move to WPA or WPA2. Based on that, would the verdict have been the same if the defendant had been using WEP encryption to protect the network? Hopefully not, but quite a few would argue that WEP is no longer secure enough and therefore should not be used. To what extent do we have to go to protect ourselves before we can feel safe from the law?

Using utilities to check the security status of one’s own network, both from the inside and from the outside, would be the recommended course of action for most people. The problem is that Germany recently passed a law that defines this kind of activity as hacking; by that definition it is illegal to use any kind of tool to scan for vulnerabilities or to analyse systems for weaknesses. Hacking has been and is criminalized by most countries in one way or another; the definition differs from country to country. But since Germany passed the law to prevent hacking attempts, my humble question to the German authorities and the people who wrote the bill is: how do you plan to secure your own IT infrastructure? The German Chaos Computer Club says in an article published by IDG.se that this new law makes it really problematic to define what is a hacking tool and what is not; for some, the ping command is a great tool for checking whether there is a system at the other end when sweeping a network segment, while for others it is just a tool for pinging a local system. So where do we draw the line for what counts as a hacking tool?

What Germany ends up with is a catch-22 when it comes to security: you have to secure your own network, but you are not allowed to use any utilities to check its security status. And as for the proposed law legalizing viruses and trojan horses for spying on terror suspects: isn’t that a violation of the law passed earlier, which makes it illegal to hack systems?

Kim Haverblad

Note: Sweden also has similar plans (Swedish article) to criminalise denial-of-service attacks. The bill, issued by the Swedish Department of Justice, was released in March 2005 for circulation for comments. It was forwarded in March 2007 as a proposition to the Swedish government for decision, and that decision has not yet been taken.
