Re: [Full-disclosure] n.runs AG puts §202 law to the test - Tools back online

[gjgowey () tmo blackberry net]

Right now I'm having flash backs of Joclyn elders (former American surgeon general under the Clinton administration) 
saying how "we need to make safer guns and safer bullets".  Gotta love how logic gets overrided by emotions when it 
comes to laws.

Geoff



Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "worried security" <worriedsecurity () googlemail com>

Date: Wed, 26 Sep 2007 17:37:38 
To:full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure]
        n.runs AG puts §202 law to t
        he test - Tools back online


On 9/26/07, Thierry Zoller <Thierry.Zoller () nruns com <mailto:Thierry.Zoller () nruns com> > wrote: -----BEGIN PGP 
SIGNED MESSAGE-----
Hash: SHA1


Dear List,
You may or may not have noticed but a lot of German companies and 
researches have pulled their tools from their website in fear of litigation. 
  
 
I don't think it was necessary for folks scramble to remove existing tools. if you got arrested, you could show the 
police that your tool was uploaded to the server before the law was introduced. in short, folks should of been mass 
uploading as much code as they could before the law came into force on August 10th, not removing it. 
  
If servers are still letting people download but the upload was done before August 10th, then it shouldn't count as a 
criminal act, even if the download is available after August 10th. Only uploads to servers should be illegal after 
August 10th, and why just go after folks hosting the tools, why not go after the folks downloading the tools too. 
  
In the bigger picture of things, its the folks downloading the tools who are the criminals, but how do you distribute 
those tools to legitimate researchers, who only want to progress the journey of explotiation development to safer the 
systems people want to compromise? 
  
not all downloaders are the criminal, so why target the host of the tools, when you can use your intelligence agency to 
monitor folks downloading tools from servers and watching what they do with them. 
  
it looks like the german intelligence services are trying to do a short cut by outlawing all cyber security research 
activity, than having control mechanisms in place to kick out the rogue researchers from the true researchers. 
  
i know a lot of people who are german, and i know the german mentallity, they have said *oh cyber security, this seems 
like non sense, we only want to concentrate on real life bomb intelligence services activity, to cut costs on 
monitoring cyber security legitimate research, lets outlaw it, so its far easier on our resources and is less costly 
for us*. 
  
germany, you need dedicated cyber security teams, germany you need to invest millions of money into cyber security. i'm 
sorry this whole internet thing and security is hard to come to terms with, but yeah, deal with it. 
  
undo your law, spend the millions of money you wish you could spend on other things. the internet is here to stay and 
without cyber security research, there won't be any cyber security in your country. 
  
and you wonder why china was able to break into your government systems, you'll never know if your dumb law has 
prevented a security researcher from speaking out against a vulnerability on your government networks. so the 
vulnerability was left unpatched and the chinese government used it to compromise your systems. 
  
have a nice day germany, 
  
n3td3v _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/