Hacker tools- it comes down to responsibility

In Germany, there is a law concerning so-called “hacker tools”, §202c (StGB). It prohibits using these tools “to prepare IT-related crimes”. Now, the problem with this law is that it is worded in a way which doesn’t really make clear whether it is forbidden to use this kind of tool IF you are preparing other crimes, or whether using these tools is forbidden because it is itself considered preparation of a cybercrime. The text could be interpreted either way and there haven’t been any helpful court rulings on the subject so far.

Recently, the Chaos Computer Club (or CCC for short), a well-known German “hacker club” which also tries to convince people of the necessity of using technology in a responsible and knowledgeable way, has published a very interesting paper on this (unfortunately, the paper is available in German only).

In the paper, authors Constanze Kurz, Felix Lindner, Frank Rieger and Thorsten Schröder state that the law has a damaging effect on IT security in the commercial, hobby, research and education sectors. Many people practicing IT security have become very careful about the things they do and say, websites have been moved to foreign servers, people delete or hide their tools and avoid speaking to each other openly about the matter. Certainly, this does not apply to everyone involved in the subject. Some people react defiantly or with a certain fatalism, try not to think about this problem at all or have decided to accept the risk. But the question remains: Why is it such a big question whether this kind of research can and should be practiced at all? If you consider that many of the people interested in this kind of thing want to help, want to use their knowledge for the benefit of others- don’t you have to ask yourself whether it can be right that they have to be afraid of doing what they are good at, what they love doing? Shouldn’t a society which wants to keep up with technological progress support the people who can approach these new technologies with skill, curiosity and, sometimes, a healthy bit of scepticism?

The Chaos Computer Club deals with all these questions in a very thorough way. Their paper gives a good overview on why they think that the law in question should be edited to eliminate the possibility of criminalizing the mere possession or creation of “hacker tools” or their use for non-destructive purposes.

The authors start by explaining that it is very difficult to determine the “purpose” of software in general. As an example they say that if such a technique were available, every anti-virus program would use it to tell useful and malicious software apart. Naturally, this is not possible- and it is equally difficult (if not impossible) to come up with a sensible set of criteria for a “hacker tool”. Often, these programs have entirely harmless uses as well, and many apparently innocent programs like web browsers, Regedit or certain command line utilities (especially on Linux or Unix systems) can be used to prepare or even conduct attacks on other computers. This is also called “Dual Use” software and can be compared to other, not IT-related tools (because, basically, that’s what a piece of software is: a tool). Many things we use in our daily lives can be used for useful and important as well as destructive purposes. A hammer can be used to build a bookshelf, fix a nail for hanging up a picture or do other useful stuff. Just as well, someone could decide to knock his unpopular math teacher, his rich aunt or his wife’s lover over the head with the same hammer. It’s similar with a surgical knife, which can be used by a doctor to perform a life-saving operation but also makes a good weapon for violent crimes, or with a car, which provides mobility but can also be used for an amok drive or can cause severe accidents in case of user (here: driver) mistakes. It would be easy to come up with many more examples of this.

What do all these things- including hacker tools- have in common? All of them can be used in many ways; some of them are beneficial, some the exact opposite. Only the use of the tool, the concrete decision of the person using it, makes the difference between creation and destruction, between helping and harming, between do-it-yourself tool and murder weapon- or between responsible computer usage and cybercrime. More generally speaking: It depends on the context in which something (including a piece of software) is used. Only with this context can we come up with a sensible judgement of someone’s usage of a certain tool, because this context allows us to determine which of the different potentials of a tool someone has used. Banning hacker tools altogether would mean seeing only their destructive potential. That is just as wrong as prohibiting hammers, surgical knives or cars.

In relation to this there is another thing “everyday” tools and the hacker tools our government seems to fear so much have in common: They all ask the people who use them to consciously decide on a course of action- they ask for the adoption of a certain responsibility. By not jumping at possibilities to harm other people we adopt social responsibility. This is a vital part of a free society honoring the humanistic ideas of what defines a person. We all have the right to act freely- and we also have the right, and the duty, to make our own decisions. This should, no, must not be taken away from us without a very good reason. Only someone who has learned to take on responsibility can make a positive contribution to our democracy, and only someone who is given some leeway (especially in professional matters where he or she has skills and the willingness to make an effort) can really use his talents to the full. With the possible restrictive interpretation of the “hacker tool law”, people working in a certain field of expertise would be denied this freedom of action. People are not allowed (or trusted) to use these tools with their destructive potential even in a way which does not cause any damage. This is a very dangerous tendency which ultimately leads to a society which takes away more and more of our liberties.

The constructive use of these tools (which is not criminal in its intent or its consequences) is necessary (or even essential). This is stated by the CCC in its paper and it is also my personal conviction and experience.

Experimenting with hacker tools and exploits is an important part of research and necessary for coming up with new security systems. Errors in source code, which can lead to dangerous vulnerabilities, often show up only when someone makes a conscious effort to trigger or exploit them. If this is forbidden, many errors stay hidden.

What is more, quite a few providers of buggy software or websites try to keep mistakes secret to save themselves the financial and personal trouble of fixing them and possible damage to their reputation. Since criminals have vast experience in finding this kind of vulnerability, this way of “dealing” with errors and bugs can turn out to be very dangerous. Public interest demands that these bugs are fixed as quickly as possible. Often, this can only be achieved by publishing vulnerabilities and thereby exerting pressure on the companies in question (“Full Disclosure”). Of course, that would be highly problematic if the very possession of the software needed for this was already enough to get you in trouble with the law, especially since some companies would probably try to use this possibility to put hackers under pressure (to keep quiet).

Securing your own computer or network or that of your customers is also made more difficult by the current amount of legal uncertainty. Without effective attack tools it is much more difficult, often impossible, to conduct a really exhaustive search for errors. The uncertainty of potential customers also makes work for IT security experts more difficult. All this is confirmed by security professionals who were asked about their experiences for the paper.

Like finding bugs or securing a customer’s computers, publishing books or magazines about IT security is also made more difficult. IT magazines or other important media tend to narrow down their choice of topics and research methods to ones that won’t get them into trouble. Careful representatives of the legal department wanting to keep their publication out of harm’s way get very much of a say in what is published and what isn’t. While it is certainly pointless and unfair to find fault with the legal departments (after all, they’re only doing their job under the current difficult circumstances), such a development is by no means in the interest of the people hoping to get as much information as possible.

Education is another branch which suffers from the current situation. Lecturers and participants in training courses are sometimes just as unsure about what they can and should do as university students and professors. Often, the content of lectures is altered accordingly. Sometimes, learners are even afraid to get into the “Security Mindset” (a term used by well-known security expert Bruce Schneier to describe a way of thinking which takes the perspective of a possible attacker to discover weaknesses in a system’s security) because this is exactly the way of thinking which is implicitly made problematic by the “hacker tool law”. On the other hand, this way of thinking is exactly what makes a really good security expert.

So-called live-hacks are, of course, particularly problematic under the new legislation. At this kind of event, insecure systems are attacked to show the audience how it can be done and raise their awareness of security problems. Due to the show effect of this kind of event, some people may think they are of little scientific value. However, from my point of view, this completely disregards the necessity to approach people on an understandable, non-patronizing level. If you don’t manage that, you’ll never really get people interested in the subject, which is in many ways a loss to society. If you have ever sat down next to a WEP-encrypted WiFi AP with your laptop and aircrack-ng, shortly afterwards presented the encryption key to a surprised audience and seen their thoughtful expressions, you probably think differently about this kind of thing- I do. For me, this kind of demonstration is part of our responsibility as experts.

Despite all these possibly destructive consequences, the current law doesn’t even provide the additional security politicians were obviously hoping for. Malicious software often comes from foreign countries and so do many attacks. In the case of teenagers experimenting with problematic tools and behavior, pushing them into a criminal corner will probably only increase the risk of their becoming real criminals. This kind of law only weakens our defences instead of minimizing attacks. Less liberty? Definitely. More security? In my opinion as well as the authors’, there is little evidence of that.

Certifying “trustworthy” experts wouldn’t solve the problem, either, since it wouldn’t take “hobby hackers” into account although they have often been the ones to give valuable impulses and come up with new ideas. What is more, many of the (typically individualistic) IT pros wouldn’t accept this kind of scheme at all.

Taking everything into account, it can be concluded that, as the CCC describes it: “For getting a detailed view of questions related to IT security, it is essential to familiarize oneself with, among others, technologies which can- in combination with criminal intention- cause severe damage.” Seeing this necessity for certain people to familiarize themselves with certain software, it has to be ensured that they can do this without having to fear negative consequences as long as they act in a responsible way.

There are many reasons why a country would want to achieve a maximum level of IT security. The most obvious reason for this would be protecting people from cybercrime, which constitutes a huge (and still-growing) problem and is not going to be prevented by making it more difficult to research possible defences. Economic reasons play a role, too, since a country’s IT sector faces disadvantages in both professional work and the education of young professionals if this kind of law is in place.

What is more, in a world where networking and technology play an ever more prominent role, many other important sectors are influenced by IT and IT security. The CCC mentions space travel and national defence as examples of branches which would particularly benefit from, or are even dependent on, a sensible IT security level. One could add, for example, health care, the police or the social system.

Individual people, of course, have the need (and the right) to protect their privacy as well. This, too, can sometimes lead to the need for certain tools for self-defense and testing purposes.

Therefore, it is important not to enforce blanket bans on certain kinds of security tools. German law should be altered accordingly and other countries should avoid copying our mistakes. Even in dangerous times- censorship and the impairment of research and knowledge can never be the answer.


Filed under Computers, IT Security, Politics

Quote of the Day (07.01.2008)

“Terrorism is perceived to be a major threat to society. Yet the actual damage done by terrorist attacks is dwarfed by the secondary effects as target societies overreact. There are many topics here, from the manipulation of risk perception to the anthropology of religion.”
(Bruce Schneier, security expert)


Filed under General Security

Of fear, freedom- and votes

Recently, Charlie Black, an aide to Republican presidential candidate John McCain, said that, in his opinion, McCain would “benefit greatly” from a terror attack in the United States (mentioned for example in The Independent).

Okay, so we all agree this wasn’t a particularly sensitive thing to say (not to mention dumb, in a situation where the candidates’ every move is closely watched by the media). But that isn’t all there is to it. Much more interesting, in my opinion, are the basic concepts behind statements like this, the mechanisms, the way of thinking. McCain/Black give a good example of some facts that hold true for the vast majority of conservative politicians- and quite a few others. In brief: Why do I think that what Black said is completely true, and why don’t I like it?

The answer to all these questions, in a way, is security. Security is what people crave in a situation which seems uncertain and full of new dangers. This, of course, would prove even more true if there was another terror attack making people’s vulnerability even more clear to them in a drastic way.

Nowadays, security is one of the most important things many people want the government to be able to provide. Traditionally, they tend to think conservative politicians are more competent when it comes to national security- it’s like that in Germany, and it’s no different in the US.

Associated with this is a notion that many politicians (and other people like media guys, representatives of police and the secret services, and so on) never seem to get tired of passing on to the public: The concept that security and the preservation of personal liberties (especially those related to privacy and the protection of personal data) are opposites.

We have heard that often enough and many of us certainly think it’s true. This is why a politician like Mr. McCain, who has said more than once that he is willing to pass new surveillance laws in the name of national security, is considered to be a so much better provider of security for the country and its people than his more liberal opponent (true, in the case of Mr. McCain, he has other merits, as well, which make him seem competent in this area- but the general mechanism remains unchanged, and it’s the same just about anywhere in the so-called “Western World”).

Occasionally, this is also described as security and privacy being “a zero-sum game”- try to get more of one and you inevitably have to (at least partly) give up the other. Given this choice, many people will choose security- it’s natural. Security is a fundamental need essential to survival. Besides, it seems safe to assume that no one wants to live in permanent fear.

So, are we doomed to live in a surveillance state, simply because we can’t face living in permanent insecurity instead? I don’t think so.

The security provided by more and more surveillance measures is often more felt than real. Surveys have shown that, for example, CCTV in public places doesn’t cut crime rates at all. Databases containing huge amounts of personal data (for example related to ID cards, data retention schemes or lists of suspected terrorists) can actually cause a decline in security, putting people’s personal data more at risk from abuse or (cyber-)crime.

Still, most people think they are more at risk without (or with less) control and surveillance- to the point that I have spent hours having discussions with people who absolutely refused to even consider that more freedom and privacy didn’t necessarily mean anarchy and terror. The security people think they have seems to differ wildly from the security one would conclude is really there. When it comes to crime and terrorism, people seem to feel much less secure than they really are. The great majority of people overestimates the risk of a terrorist attack and underestimates the risks related to the over-the-top counterterrorism measures employed, to varying extents, by practically all Western governments after 9/11. Logically this means many people will choose a very conservative policy when they’re trying to get as much security as they possibly can. It makes them feel secure, no matter if they really are.

The common belief that security and privacy are opposites is risky in many ways. It changes people’s behavior, making them give up personal liberties that seemed natural only ten years ago. It encourages politicians to think of even more invasive measures since this seems to be in line with the voters’ wishes. It prompts some politicians to use people’s fears for their own goals and even try to increase them, creating a culture of fear. In some cases it even helps the very people that we want to keep off by employing security measures, by making us focus on some measures (those that make us feel secure) even if they are really totally ineffective and ignoring others (for example the protection of critical infrastructures from attacks).

Last but not least, these ideas prevent us from making informed choices. Fear is usually a bad decision-maker. We shouldn’t be scared and we shouldn’t think we have to choose between security and privacy. Security researcher Bruce Schneier, who has been (and still is) a great inspiration for me, puts it like this: “If you set up a false dichotomy, most people will choose security over privacy, especially if you scare them first. But it’s still a false dichotomy.” There is little to be added to that except that, unfortunately, some (mostly conservative) politicians hoping for extra votes take it on themselves to do the scaring.

Even though it may seem that some people benefit from the fear of terror attacks, it can only hurt us, our society and our values in the long run. Therefore the problem isn’t primarily a politician’s aide making a tactless comment- it’s the fact that this comment is so completely realistic. But the only thing that really helps with that is information, is looking behind what we are told and making informed choices. In Europe, a popular motto for privacy demonstrations is “Freedom not Fear”. This seems to be what it’s all about.


Filed under Civil Rights, General Security, Politics, Privacy

Hello world!

Since this is my first entry on this blog (and, in general, my first English-language blog entry) I think it is fitting to say a few things about this blog, the intentions behind it, and myself.

Maybe I should start with a few basic facts about myself since that makes it easier to explain my plans and ideas concerning this blog. Well, I’m a female twenty-something computer science student from a medium-sized city in Germany. As my course of studies suggests, I’m very interested in computers, especially IT security. But, unlike some of my fellow students and future colleagues, I also have a great interest in social and political questions, so both are certainly going to make their way into this blog.

Which brings us to the next topic: What am I going to write about? As I said, IT-related topics are going to play a major role and so are political topics. One of the most important developments in the last years is, in my opinion, the effect of new counter-terrorism laws on our society and our basic and civil rights, especially those related to privacy and the protection of personal data- more generally speaking, the topic is privacy, security and the effect they have on each other.

Since I’ve been writing about similar stuff for my German-language FreiheIT-Blog for about a year now, some of my articles will be translations of German articles I want to share with a broader audience. Of course, there will also be articles I write exclusively for this blog, for example texts about the situation in Germany aimed at people in other countries to explain what it’s like here, or answers to other English texts.

Finally, a quick statement about the title I chose. First and foremost, it’s a tribute to Cory Doctorow’s novel Little Brother, which I enjoyed reading very much and consider a great way to get people interested in privacy-related questions. It stands for normal, “little” people standing up to a government which abuses its position and impairs people’s rights by sacrificing more and more basic values to invasive (and often hopelessly ineffective) counter-terrorism measures. Another aspect of the term I chose as my blog title is that it stands for the female point of view on IT, security and politics in general, a position which, unfortunately, is still a bit in the minority both in real life and the blogosphere.

Well, that’s everything I want to say for now. I’ll get back soon with something a bit more on topic (we’ll see which). Hope you enjoy reading!


Filed under Misc