What is a Hacker Tool and how do you ban it?
What exactly is a hacker tool? The answer to this question depends on who you ask. To MacGyver it would probably be everything, to a hacker it would be any suitable tool, and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on „hacker tool“. So what is it, and why should we care?
Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of criticism from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German Bundestag explaining the fears of criminalising security research. While the European proposal for banning software may be aimed at „blackmarket tools“ (whatever this may be, the term just adds one more level of uncertainty), it may hit your own fuzzers, Metasploit, Wireshark, your operating system, compilers, cell phones, assemblers, ping, telnet, carrier pigeons, nmap and even more. We agree with EFF’s international rights director Katitza Rodriguez and ask legislators to take the intent of use into account. If this is not done, then even lawful interception measures might count as a hacking tool and thus backfire on criminal investigations.
The law might even completely change the landscape of computing (apart from driving security conferences into non-existence). It’s interesting to read the quote by rapporteur Monika Hohlmeier (EPP, DE): „No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world.“ The analogy is great, but what do digital seat belts look like? Is it sufficient to present a pop-up with a warning sign? Do you need to lock the OS into a proprietary black box? We’ve seen a lot of seat belts break in the past years of DeepSec conferences. Yet no vendor/manufacturer has been held liable. The GSM network has been stripped of many seat belts to the point of being insecure, all without consequences for end user behaviour and manufacturers.
Since we deal a lot with hacking during and outside the DeepSec conference, we like to involve our speakers and all participants of DeepSec. We are monitoring the proposals, and we are in contact with members of parliament regarding the future of security research. Additionally, if you have ideas on what hacker tools could be, let us know. The power of analogies is always useful for illustrating consequences.