Security Basics mailing list archives

Re: application for an employment


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 2 Apr 2006 13:26:39 +0200

I don't know why you are taking a private conversation back on-list, but
so be it.

On 2006-04-02 Craig Wright wrote:
> The European Convention on Cybercrime was adopted by the Minister
> Committee of the European Council on November 8, 2001. It was signed by
> Germany and other member states of the European Council. It is, however,
> yet to be ratified in Germany. This does not change the status of the
> bill.

I am aware of that.

> The Bill is open to horizontal action and an individual in Germany (or
> any other member state) could take the issue to the European court of
> justice to force the German Govt. to enforce the provisions. A person
> from any other member state could also enforce this against action from
> an individual in other member states. This does not help with action
> to/from non-member states.

I am aware of that, too.

> In particular; Article 6: Misuse of devices/possession and misuse of
> systems and tools that are suitable for carrying out an action as in
> Article 2-5.

You obviously fail to understand that for these articles to apply I have
to actually do something illegitimate. However, contrary to your belief,
using a portscanner to find out what services a host provides, or even
using an open relay to send out mail (as long as it's not spam, but this
is covered by other laws), is NOT illegal.

> This article does not, however, refer to the unauthorized use of
> security tools that are used for protective purposes, such as
> penetration tests when authorised. However - this does preclude
> general use of the said tools without explicit authorization.

No. This is exactly the point where you are wrong. I do have the right
to access a host without getting explicit permission beforehand, so
these laws simply don't apply. 

Things would be different in a case where I try to break an encryption,
bypass an authorization mechanism or tamper with data. But I expressly
stated from the beginning that I was NOT talking about such cases.

> The fact that the German courts in 2000 dismissed a case based on port
> scanning as the CLCA did not have provisions for use of the tools used
> for port scanning is irrelevant due to the signing of the convention in
> 2001.

Wrong. Even the Cybercrime Convention does NOT prohibit the use of port
scanners, nor does it require explicit permission to use them.

> As for access to any web server, Sec. 3 ZKDSG [prohibition of
> commercial intervention to circumvent access control services] covers
> this. Sec. 3 ZKDSG [prohibition of commercial intervention to
> circumvent access control services]: "1.) The production, import and
> distribution of circumvention facilities for commercial purposes, 2.)
> the possession, technical installation, maintenance and exchange of
> circumvention facilities for commercial purposes and 3.) the promotion
> of circumvention facilities are prohibited."

Irrelevant. This section applies only to commercial services and tools.
And I was explicitly NOT talking about cases where one would have to
bypass authorization mechanisms. That would indeed be trespassing and is
covered by German criminal laws (i.e. §§ 202a StGB).

> An access-controlled service is, for example, a password-protected WWW
> or FTP server. The purpose of a penetration test is to circumvent an
> existing security mechanism.

And I expressly said several times, that I am not talking about cases
where bypassing of security mechanisms was required. Why do you keep
ignoring what I'm saying?

> This means that as soon as tools are used to perform the penetration
> test (circumvention facilities), an infringement of the ZKDSG is
> unavoidable.

Wrong, because it only applies in commercial cases. This section of the
ZKDSG does not apply to private citizens.

> Thus it is advisable to obtain the relevant permission from the
> authorized user in case of any acts that could constitute a criminal
> offense.

Maybe advisable, but still not required in the cases we were discussing
here.

> There is an exclusion for valid testing services. This requires the
> express authorisation of the site owner in writing.
> 
> I suggest that you have a read of the Treaty on European Union i.e. the
> Maastricht Treaty
> Also read the Single European Act (SEA) 1987
> The directives on rights
> Article I-33 of the constitution for Europe

I already suggested that you read them yourself, so you will understand
that none of these bear any (direct or remote) reference to the matter
discussed here.

> PPS I hate looking up German law.

Then don't bring them into the discussion.

> Grundgesetz, Article 18 in respect to article 14 on property rights.

You entirely failed to understand both article 14 and 18. Article 18
states that anyone using the listed rights to bring down the German
constitution (for lack of a better word, as our Grundgesetz is not
exactly a constitution) will forfeit them. Article 14 specifies that a
right of property exists, with its details and limitations being
specified by other laws.

However, I never claimed there was no right of property (though you seem
to assume that for some reason), but that a host put on the Internet is
no longer private property in the same sense e.g. the furniture in your
home is. We are talking about a situation where I'm walking through a
Mall. Looking at the stores or entering the stores is neither illegal,
nor does it require explicit permission, because there already is an
implicit permission. I may count the stores, I may make a list of
stores, I may even take stuff from the stores (like e.g. flyers). The
fact that I may be held liable when I try to trespass protected areas,
break windows or stuff in the store, or try to steal something from the
store, does in no way diminish the implicit rights mentioned above.

> Gesetz zum Schutz vor Missbrauch personenbezogener Daten bei der
> Datenverarbeitung

You also entirely failed to understand the purpose of the
Bundesdatenschutzgesetz. Its intention is the protection of privacy.
However, what service a host on the Internet is running does in no way
qualify as privacy-related data.

> Telekommunikationsgesetz (Telecommunications Act), see provisions under
> s.5

And sure enough you entirely failed to understand the purpose of the TKG
as well. Please (re-)read its first section:

| § 1 Purpose of the law
| 
| Purpose of this law is to regulate the competition in the field of
| telecommunications independently from technologies, to support
| [implementation of] efficient telecommunications infrastructure, and
| to guarantee sufficient and adequate [telecommunications] services all
| over the country.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
