
September 04, 2007

How Web Application Security and Guns are Common

In an attempt to do the right thing, the Germans aren't really helping themselves. News.com is reporting that "As of Saturday, it's a crime in Germany to build, sell, distribute or obtain so-called 'hacking tools' designed to allow access to protected data or promote other illegal acts." http://news.com.com/8301-10784_3-9759051-7.html There are a few scary things about this.

A lot of the "hacking tools" fall into a nebulous classification of neither good nor bad; what matters is how you use the tool. It's not evil if I'm using Nessus on my own network to determine where a vulnerability might exist. The same is true for any Web application testing software. When used within an environment I am testing or responsible for, the results are positive, not negative.

The same logic applies to many open source tools that are used for more generic purposes. Paros and nmap would both fall into the realm of "hacking tools." You might be using them safely, but this law would outlaw them.

Web application testing solutions don't fall into a bad category by themselves. This law might work for protecting messaging environments; it makes tools like Send Safe (an automated spam generator created and operated out of Moscow) and other Russian bot exploiters illegal. However, the law is too generic and would also apply to simple load testing tools. All it would take to quickly deluge a lot of people with junk is a purchased list of email addresses, Load Runner and a little time to format a spam message. All with a tool I should be able to use to verify that my system works properly.

While the law might only be enforced in situations where most of us would agree it is warranted, it is not a clear-cut case. And I wouldn't want to trust that some overzealous prosecutor is not looking to make his reputation by putting away "evil hackers," especially when the bulk of the public doesn't understand the difference.

- Mike Kazmierczak, Cenzic, Inc.
