What is a Hacker Tool and how do you ban it?
What exactly is a hacker tool? The answer to this question depends on who you ask. To MacGyver it would probably be everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on "hacker tool". So what is it and why should we care?
Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of criticism from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German Bundestag explaining the fears of criminalising security research. While the European proposal for banning software may be aimed at „blackmarket tools“ (whatever this may be; the term just adds one more level of uncertainty), it may hit your own fuzzers, Metasploit, Wireshark, your operating system, compilers, cell phones, assemblers, ping, telnet, carrier pigeons, nmap and even more. We agree with EFF’s international rights director Katitza Rodriguez and ask legislators to take the intent of use into account. If this is not done, then even lawful interception measures might count as a hacking tool and thus backfire on criminal investigations.
The law might even completely change the landscape of computing (apart from driving security conferences into non-existence). It’s interesting to read the quote by rapporteur Monika Hohlmeier (EPP, DE): „No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world.“ The analogy is great, but what do digital seat belts look like? Is it sufficient to present a pop-up with a warning sign? Do you need to lock the OS into a proprietary black box? We’ve seen a lot of seat belts break in the past years of DeepSec conferences. Yet no vendor/manufacturer has been held liable. The GSM network has been stripped of many seat belts to the point of being insecure, all without consequences for end user behaviour and manufacturers.
Since we deal a lot with hacking during and outside the DeepSec conference, we like to involve our speakers and all participants of DeepSec. We are monitoring the proposals, and we are in contact with members of parliament regarding the future of security research. Additionally, if you have ideas on what hacker tools could be, let us know. The power of analogies is always useful to illustrate consequences.
I don’t think the talk should be on defining the term “hacker tool”, as even Notepad could be used (for writing code, saving data, etc.) or the Internet to search for different software.
It’s like trying to define a kill tool: can the knife that I have hurt someone? For sure! But that doesn’t necessarily mean that I would do that. I could also build myself a special knife that helps me to better cut the fish, but as long as I don’t use it to intentionally hurt someone, then it’s OK.
The same with the hacker tool: can I use Wireshark to sniff the traffic inside someone else’s network? Yes! Again, that doesn’t imply I WILL DO that. I could also build a special software tool that could help me in better testing my web application’s security and get the passwords stored on the server. I could use it against any other web application and then erase data, but then again it doesn’t mean that for sure I would do that.
There are already laws that define illegal activities like the ones I’ve mentioned, so I see no reason why the EU would want to define hacker tool, as it will fail successfully. You have to look at the intent: has the tool X (no matter the name or the initial purpose of the tool) been used for hacking into someone’s network, without some consent? If yes, then we have a problem.