funsec mailing list archives

Re: OK, all you EU guys who took the CEH just wasted your money

From: Vic Vandal <vvandal () well com>
Date: Fri, 30 Mar 2012 18:05:44 -0700 (PDT)

EU laws were already passed 5 years ago that made the production, downloading (possession), purchasing (possession), or 
distribution of hacking tools a criminal offense.  As far as I know no ethical InfoSec professionals have been tossed 
in jail over that.  The possession of hacking tools has to be with intent of performing a criminal act in order to gain 
any sort of conviction, regardless of poor original wording in the laws themselves. 

It's not illegal to possess a tire iron (as mentioned in the email below), but that makes a decent segue to a similar 
point.  It is a crime in the state where I live to have lockpicking tools in your possession - if you're illegally 
breaking and entering with them.  But if you're a locksmith and you're not illegally breaking and entering, you can 
carry those tools every day and never be worried about being found guilty of a crime.

Bottom line:
If your job is to do pen-testing (and you can prove it), then you have nothing to worry about in simply possessing 
tools to do your job.  If you are in school studying InfoSec (and you can prove it), then you have nothing to worry 
about in simply possessing tools related to your studies.  If you're also using those tools illegally, well....
Lawmakers may be short-sighted, but then there are courts, judges, and juries that have to take all the facts under 
consideration before handing down a sentence.  That's where the rubber hits the road, and is why no InfoSec pro need 
lose any sleep over this.  

I would personally also "hope" that no person who doesn't have an InfoSec job or isn't formally studying InfoSec, but 
is trying to learn on their own, has to worry about this, and that judges and juries would exonerate them if 
wrongfully charged.  But I can't make that statement with the same assurance that InfoSec pros and formal students get.

Furthermore if organizations (and government agencies) are prevented from having their systems tested for 
vulnerabilities then the criminals will run rampant over those non-audited networks.  Make that "more rampant" than 
they already are.  Even short-sighted lawmakers don't want that, and fittingly their networks and systems would be 
pwned alongside all the rest.

The U.S. Department of Defense isn't so short-sighted.  CEH was added to one of its network defense directives in 2010. 
And DoD is quite big on offensive as well as defensive InfoSec-related practices.  As long as coders write shoddy code 
and admins aren't ultra diligent in hardening network systems, that posture will not change.

NOTE: I'm not promoting CEH, which was loosely used as a reference in this thread's start by someone other than myself. 
That acronym and cert is just along for the ride here, but could be dropped from the thread.

-Vic

----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks () vt edu>
To: "Vic Vandal" <vvandal () well com>
Cc: funsec () linuxbox org
Sent: Friday, March 30, 2012 4:04:51 PM
Subject: Re: [funsec] OK, all you EU guys who took the CEH just wasted your money

On Fri, 30 Mar 2012 12:46:04 -0700, Vic Vandal said:
"Ethical" (the "E" in CEH) hackers would only attack systems that belong to
organizations that gave them written permission to do so.  The new laws would be
inapplicable to that scenario.

From the fine article's first paragraph:

"Possessing or distributing hacking software and tools would also be an offence,"

Got a copy of Metasploit or Nessus on your laptop? Better not visit the EU with
that laptop in your possession.  And what will pen-testers use to run
pen-tests, if they can't have hacking software and tools?

I don't know the exact wording proposed - "possession or distribution with
intent to commit a crime" would be a heck of a lot easier to deal with.  The devil
is in the details.  Consider that almost every car has a tire iron - and they're not
weapons until you try to use them on something other than your own car's tires.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.