Colleagues,
The federal administration wants to change the law about cyber crime.
See also:
http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
(or especially "Genehmigung und Umsetzung des Übereinkommens des
Europarates über die Cyberkriminalität", i.e. approval and
implementation of the Council of Europe Convention on Cybercrime)
I think this includes some dynamite in the details.
First of all: I think it's time for the government to face the fact
that there are many open ends (like the discussion we had with the
order from Canton de Vaud). My biggest issue with facing CyberCrime is
however that the issue is not the law but the ability of the police
force to enforce the law. Mainly due to lack of knowledge and probably
financial resources. CyberCrime is happening every day and is
happening quickly. The processes of police work were maybe accurate in
1960 but lack the needed speed of today's events. I had two incidents
in my own company where it was clearly shown that the police do not
have the slightest clue what's happening on the internet, let alone
how to fix the issue. It cost me a hell of a lot of money in the end
even though it was a crystal clear case for me (as a techie...). But I
must admit it's not the fault of the law, it's the fault of the
execution of the law and the financial resources needed to follow
those cases.
The law above however has a section which I think is dangerous and
could affect our work:
The substantive criminal law, with its provisions on "computer crime"
that entered into force on 1 January 1995, largely meets the
requirements of the Convention. A need for amendment arises with
respect to the offence of unauthorised intrusion into a data
processing system (Art. 143bis of the Criminal Code, the so-called
"hacking" offence). Here it is proposed to move the point of criminal
liability forward: anyone who makes programs or data accessible
knowing that they are to be used for illegally intruding into a
computer system shall also be liable to prosecution. In addition,
going beyond the requirements of the Convention, it is proposed to
delete the element of the absence of intent to enrich in Article
143bis StGB, which is widely criticised in legal scholarship.
Now what does that mean? It is basically what the Germans have done
under the "Hackerparagraph". It prohibits the distribution of software
which could potentially be used for hacking. The result of this
was for example that in Germany the WiFi tools to verify your WiFi
security disappeared. Why? Because someone COULD use them for hacking.
If you take this a bit further, you could use a C compiler to write a
hacker tool, so it could be considered a tool to do hacking and we all
know very well that someone can write hacking tools in C. So to bring
this ad absurdum, it could theoretically forbid us to distribute a C
compiler. Or think about Linux.
Of course this is a bit far-fetched but there are many gray zones in
between. For example I use Wireshark, a great open source packet
analyzer, for my daily work because I develop network protocols or
verify network protocols. Of course someone could use this for hacking
to listen to passwords in cleartext (for example from old POP3
accounts). So if we publish a Wireshark version on our server, do we
become criminals?
The result will be that security tools to verify your security will be
forbidden. You will not be able to verify if your machine is crackable
or not. The real bad boys out there (and I'm not saying a hacker is a
bad boy by definition because most are honest and more in the area of
security researchers than anything else) will not give a damn whether
they are allowed to distribute this hacking software because they by
definition want to commit crime. So they will get hold of that
software and just use it. And because no one was able to verify if
POP3 cleartext passwords are floating on your LAN, they will find it
out for you but they will not help you to make your computer network a
more secure world, they will simply abuse it to send spam, to take
money from your bank account or whatever they want.
So the normal end user is getting tools removed that help fight crime.
This is helping the bad boys instead of keeping them out.
It's like saying you are not allowed to encrypt to protect your
privacy simply because some bad boys encrypt to protect their evil
plans.
I think the report from the EJPD was written by people who do not
understand the technological impact of such laws.
I think we should respond to this proposal to keep the above paragraph
out of the law. Otherwise we wouldn't even be able to help the police
if they are investigating because the tools to do this are also used
by hackers sometimes.
Here is what I got first from EJPD.
----------- snip ----------
Your comments are welcome. You can find the documents at http://www.admin.ch/ch/d/gg/pc/pendent.html#EJPD
(Geschäfte EJPD: Cybercrime). The procedure runs until 30 June 2009.
Kind regards
Andrea Candrian
International Criminal Law Unit
Deputy Head
Bundesamt für Justiz / Federal Office of Justice
Bundesrain 20
CH-3003 Bern
Schweiz/Switzerland
Tel. +41/31 322 97 92
Fax. +41/31 312 14 07
mailto:andrea.candr...@bj.admin.ch
----------- snip ----------
Andreas Fink
Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG
IceCell ehf
---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail: andr...@fink.org
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---------------------------------------------------------------
ICQ: 8239353 MSN: m...@gni.ch AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333