Re: [Full-disclosure] n.runs AG puts §202 law to the test - Tools back online

["worried security" <worriedsecurity () googlemail com>]

On 9/26/07, Thierry Zoller <Thierry.Zoller () nruns com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Dear List,
> You may or may not have noticed but a lot of German companies and
> researches have pulled their tools from their website in fear of
> litigation.


 I don't think it was necessary for folks scramble to remove existing tools.
if you got arrested, you could show the police that your tool was uploaded
to the server before the law was introduced. in short, folks should of been
mass uploading as much code as they could before the law came into force on
August 10th, not removing it.

If servers are still letting people download but the upload was done before
August 10th, then it shouldn't count as a criminal act, even if the download
is available after August 10th. Only uploads to servers should be illegal
after August 10th, and why just go after folks hosting the tools, why not go
after the folks downloading the tools too.

In the bigger picture of things, its the folks downloading the tools who are
the criminals, but how do you distribute those tools to legitimate
researchers, who only want to progress the journey of explotiation
development to safer the systems people want to compromise?

not all downloaders are the criminal, so why target the host of the tools,
when you can use your intelligence agency to monitor folks downloading tools
from servers and watching what they do with them.

it looks like the german intelligence services are trying to do a short cut
by outlawing all cyber security research activity, than having control
mechanisms in place to kick out the rogue researchers from the true
researchers.

i know a lot of people who are german, and i know the german mentallity,
they have said *oh cyber security, this seems like non sense, we only want
to concentrate on real life bomb intelligence services activity, to cut
costs on monitoring cyber security legitimate research, lets outlaw it, so
its far easier on our resources and is less costly for us*.

germany, you need dedicated cyber security teams, germany you need to invest
millions of money into cyber security. i'm sorry this whole internet thing
and security is hard to come to terms with, but yeah, deal with it.

undo your law, spend the millions of money you wish you could spend on other
things. the internet is here to stay and without cyber security research,
there won't be any cyber security in your country.

and you wonder why china was able to break into your government systems,
you'll never know if your dumb law has prevented a security researcher from
speaking out against a vulnerability on your government networks. so the
vulnerability was left unpatched and the chinese government used it to
compromise your systems.

have a nice day germany,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/