This week’s Security Blog Log roundup starts with Germany’s stunning move to ban hacking tools. I use the word stunning because I don’t see how any government could possibly enforce such a thing.
According to The Register, Germany is updating its criminal code to define denial-of-service attacks and attempts to spy on third-party wireless networks as criminal actions. Punishment would include a fine and up to 10 years in jail. The regulations also make it a crime to bypass computer security defenses to access sensitive data. As part of all this, it becomes illegal to make, use or distribute hacking tools.
Before the changes, only direct attacks against companies and government organizations were considered indictable offenses, the report noted.
As security professional Dave Lewis puts it in his Liquidmatrix blog, this sounds like a bad idea on so many levels.
“Think of the countless sysadmins that use ‘hacking’ tools to make sure their systems are secure,” he wrote. “I must admit this seems absurd. This will not preclude attackers from using them, of course, which would put the ‘defenders’ on very unstable footing. Now, I’m curious if this would encompass tools like EnCase and Forensic Toolkit?”
Lewis isn’t the only one who thinks the move is crazy. Chaos Computer Club spokesman Andy Mueller Maguhn has been quoted in several publications, including the Chaos Computer Club site, saying that “safety research can [now] take place only in an unacceptable legal gray area.” The group also worries the new legislation will make it easier for police to obtain information by hacking—something that was outlawed by the courts a few months back.
These are good points. And whether the good guys or bad guys decide to break the law and use their hacking tools, one has to wonder how any government could enforce such a ban. I’m interested in any thoughts readers may have on this.
Reaction to Google security moves
There’s plenty of blogosphere buzz about Google’s recent security activities. Last week, I wrote about how Google has started its own security blog, and Wednesday I wrote of Google’s acquisition of GreenBorder Technologies.
In general, bloggers think Google is moving in the right direction, though they are still trying to get a clearer idea of the search giant’s larger motives.
The Darknet blog said it seems as though Google is moving heavily into Web applications and application security with a specific focus on malware defense.
“It’ll be interesting to see what happens to [GreenBorder] after the acquisition and if they get merged into Google’s existing product folio (Google Toolbar?) or [if] Google will develop it further,” the blog said.
In SearchSecurity.com’s own Security Bytes blog, my colleague Dennis Fisher wrote that Google seems to be on the right track, though it’s still unclear to him what the company’s intentions are in regards to security.
“Will they be releasing Web security tools for users and webmasters to implement? Or will the security folks just be working behind the scenes on in-house projects?” he asked. “It’s probably too early to tell, but if the recent past has taught us anything about Google, it’s that the company doesn’t do anything halfway or without a lot of forethought. That might portend more sleepless nights for security vendors who already have to worry about Microsoft encroaching on their turf and now have the considerable shadow of the Googleplex hanging over them.”
Was too much made of Estonia attacks?
The blistering cyberattacks against the Baltic nation of Estonia in recent weeks have gotten plenty of media attention, and
You might remember that the Russian government was initially thought to be the instigator of the attacks, but that researchers eventually determined that ragtag groups in command of botnets were the culprits.
Graham vented his disgust over the media’s rush to judgment in the Errata Security blog.
“Journalists love the story and have been blindly repeating it,” he wrote. “This story reflects the general paranoia of the Internet. Whenever anything happens, people seek to uncover the ‘plan’ behind it. In reality, most bad things that happen on the Internet occur by happenstance, without any plan or conspiracy behind them.”
Unfortunately, he added, “happenstance” is not a legitimate story angle that reporters can report on.
How vendors should handle flaw findings (or not)
Here’s an amusing item from Dave Goldsmith in the Matasano Chargen blog on reporting a flaw in the Web 2.0 world.
Here’s his account of what happened when he reported a vulnerability on a Web site developed by a popular Web 2.0 company:
“Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.
Thanks for the tip, David. It’s been noted.
Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?
Hi David, We’re always looking for new ideas and fixes to roll out in future updates but as a rule we don’t comment on possibilities or timeframes.
How will I know when this vulnerability is fixed?
Actually, they don’t reply at all.”
Maybe the company in question will have a starring role in the next “month-of” disclosure project.
Network for security bloggers
If you keep regular track of the security blogosphere as I do, there’s a network you might find useful that was started by Alan Shimel from StillSecure. The Security Bloggers Network includes an RSS feed that lets people subscribe to all the member blogs.
Shimel noted in his blog that the network is up to 74 members. They include the Watchfire Application Security blog by Ory Segal; Jeremiah Grossman of WhiteHat Security; Mike Rothman of Security Incite; Amrit Williams and Ryan Russell of BigFix; the “blogging guys” from nCircle; Richi Jennings; Chris Hoff of Crossbeam; and others.