Date: Wed, 26 Sep 2007 17:37:38 +0100
From: "worried security" <worriedsecurity@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: n.runs AG puts §202 law to the test - Tools back online

On 9/26/07, Thierry Zoller <Thierry.Zoller@...ns.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Dear List,
> You may or may not have noticed but a lot of German companies and
> researchers have pulled their tools from their website in fear of
> litigation.


I don't think it was necessary for folks to scramble to remove existing tools.
If you got arrested, you could show the police that your tool was uploaded
to the server before the law was introduced. In short, folks should have been
mass uploading as much code as they could before the law came into force on
August 10th, not removing it.

If servers are still letting people download but the upload was done before
August 10th, then it shouldn't count as a criminal act, even if the download
is available after August 10th. Only uploads to servers should be illegal
after August 10th, and why just go after folks hosting the tools? Why not go
after the folks downloading the tools too?

In the bigger picture of things, it's the folks downloading the tools who are
the criminals, but how do you distribute those tools to legitimate
researchers, who only want to progress the journey of exploitation
development to make safer the systems people want to compromise?

Not all downloaders are the criminal, so why target the host of the tools,
when you can use your intelligence agency to monitor folks downloading tools
from servers and watch what they do with them?

It looks like the German intelligence services are trying to take a shortcut
by outlawing all cyber security research activity, rather than having control
mechanisms in place to kick out the rogue researchers from the true
researchers.

I know a lot of people who are German, and I know the German mentality,
they have said *oh cyber security, this seems like nonsense, we only want
to concentrate on real life bomb intelligence services activity, to cut
costs on monitoring cyber security legitimate research, let's outlaw it, so
it's far easier on our resources and is less costly for us*.

Germany, you need dedicated cyber security teams. Germany, you need to invest
millions of money into cyber security. I'm sorry this whole internet thing
and security is hard to come to terms with, but yeah, deal with it.

Undo your law, spend the millions of money you wish you could spend on other
things. The internet is here to stay and without cyber security research,
there won't be any cyber security in your country.

And you wonder why China was able to break into your government systems,
you'll never know if your dumb law has prevented a security researcher from
speaking out against a vulnerability on your government networks. So the
vulnerability was left unpatched and the Chinese government used it to
compromise your systems.

Have a nice day Germany,

n3td3v


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
