Metasploit mailing list archives

Criminalisation of security tools


From: juan at reverselabs.com (Juan Aurelio Naranjo)
Date: Tue, 27 Mar 2007 20:03:42 +0100

I know this does not make sense, but Britain's anti-hacking law may make
a person guilty for using security tools. According to The Register:

http://www.theregister.co.uk/2006/11/22/cma_could_ban_security_tools/

"The new Act will make a person guilty of an offence 'if he supplies or
offers to supply any article believing that it is likely to be used to
commit, or to assist in the commission of, [a hacking offence]'. The word
'article' is defined in the Act to include 'any program or data held in
electronic form'. Some software tools commonly used by IT security
professionals can also be used for malicious purposes, making the new
legislation a cause for concern. This applies particularly to dual use tools
like nmap..."

Regards,

Juan A. Naranjo
Reverse Labs

-----Original Message-----
From: Joerg Weber [mailto:packetshinobi at googlemail.com] 
Sent: 27 March 2007 19:37
To: framework at metasploit.com
Subject: Re: [framework] Criminalisation of security tools

Hi there,

Germany has a law in the pipeline doing what's described below indeed.
I dunno whether it's of any use for you but if it's helpful I'll dig
out some articles. They'll be in German, so you'd have to babelish 'em
but in essence they'll explain that German legislation is about to do
exactly that. It has caused quite a stir inside the IT Security
Community, so whether the proposal will actually become a law remains
to be seen.

It's amazing enough that nonsense like that even gets considered these
days as serious proposals.

Cheers,

PS

2007/3/27, 0x90 at hushmail.com <0x90 at hushmail.com>:
Framework 3.0 release is all over the news. I came across
http://www.heise-security.co.uk/news/87442 and what I found
interesting is the last paragraph that states:

"However, recent amendments to information security legislation,
which include the criminalisation of the manufacture, provision,
distribution or procurement of hacker tools will make the use of
tools such as Metasploit problematic. It could even become unlawful
to perform internal tests to check the security of your system or
to check whether vendor patches really fix vulnerabilities as
promised."

Going back to typical "Security through obscurity" approach?
Anyway, I never heard about such legislation. If true, which
state(s) will adopt it? Does anyone have more info?

Cheers,
/0x90

PS: HD Moore, thank you very much for such a great tool.
