Meaning if you're a software developer or system admin in the EU, you better be on standby 24/7 to combat 0-day exploits.
Anyway, personally I'm quite adamant in the blanket statement that no software should be illegal.
Bongs are legal in the US. You just can't advertise them for use with pot. They are sold as water pipes.
More importantly, if a security professional has never created any kind of malware, he or she is probably pretty bad at infosec. The fields are just two sides of the same coin.
Laws aren't going to affect hackers off in Romania and Russia and China and the NSA/CIA.
But studying the code and testing it is overwhelmingly the best, and likely essential way to understand how to protect against security threats.
Mexico might be a good if rather simplistic "gun" analogy. Tons of illegal weapons flowing over from the U.S., arming drug runners and other criminals who are terrorizing (hmm, I suddenly realize the additional nuances that that word carries these days) the general population.
Back to computers: You can't make secure systems without having appropriate tools and research at your disposal. And we've yet to see any security effectively "legislated", especially world-wide.
So, make the jobs of those who are effective difficult or impossible -- or highly restricted and privileged through special sanctioning and/or the requirement of having very significant capital, investment, and influence -- while gaining no real security advantage. Yeah, that sounds like a good plan.
Power tends to corrupt, and absolute power corrupts absolutely. - Lord Acton
If this requires mens rea, i.e. they prove that your intent was for committing an offense, it's not such a big deal.
If it does not, i.e. your software merely could possibly be used to commit an offense, it's a huge deal.
Not that I favor ludicrous bans of this sort, or that I think they will work. Because I manifestly don't. But geez, if you're going to be over-the-top Orwellian, at least do something that has a chance of achieving your stated goals.
[1] - http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdat...
The relevant portion is Article 7:
""" Member States shall take the necessary measures to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following is punishable as a criminal offence when committed intentionally and without right for the purpose of committing any of the offences referred to in Articles 3 to 6:
(a) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;
(b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed. """
Which seems to be saying that, say, nmap isn't illegal, unless you download it with the intent to run it against a machine you're not supposed to, in which case you've broken the law (even if you never actually use it). Kind of like laws against 'burglary tools' in some parts of the US, the crime seems to be based on context/intent.
(Obvious disclaimer about how I'm not a lawyer, European, or a unicorn.)
const unsigned char kiddie_pr0n[] = { 0xff, 0xd8, 0xff, 0xe0,   /* JPEG SOI marker, APP0 marker */
                                      0x00, 0x10, 0x4a, 0x46,   /* APP0 segment length (16), "JF" */
                                      0x49, 0x46, 0x00, 0x01,   /* "IF\0", JFIF major version */
                                      /* ... */ };
and undoubtedly many other cases. The fun thing about it: the German CIA equivalent "BND" lets German developers develop hacking tools via SSH or RDP on boxes that sit in other countries to circumvent that law.
I'll provide a link as soon as I find a source other than one of the hackers I know.
Maybe a line can be drawn... Design kits for viruses come to mind. But even then, it's a fine line, and history has shown once a mechanism is in place to outlaw something it will be extended and abused to apply to things that were not originally targeted.
"This tool is intended for educational use only. The Author is not responsible for any misuse."
Why does no one talk about the network that was broken into? Why does the general public believe that crackers are so good at their job it is impossible to secure a computer system? There are two possibilities that I can see here.
1. Most cracks happen because of a less-than-perfect system administrator. Either some subtle problem with a configuration file opened up a hole for the cracker or nobody bothered securing the network to begin with.
2. Most cracks happen because crackers have found a reliable method of discovering 0day exploits or our current computing model is fundamentally insecure.
In either case, I find it unjustifiable to declare cracking an act of terrorism without spending ANY effort reflecting back on our own security. If millions of us routinely use the same password (or an easy-to-guess pattern) for all of our accounts, who is the terrorist? The people who take advantage of an easy opportunity, or the people who created that opportunity in the first place?
It is well known that users are stupid, and that two-factor authentication is much harder to break than static passwords. Bruce Schneier has been saying so for at least a decade. Why have we not moved on? As a system administrator, it should be an act of terrorism to NOT make two-factor authentication the DEFAULT way of using your service.
On a completely tangential matter, I have a feeling this is going to be another one of those laws that cost a lot of money and have little to no effect... at least positive effect.
The problem with such protection laws is that they don't take into account the ignorance or incompetence of service providers. They also hold back innovation, and we end up with less security. Even if these vulnerable companies don't have the expertise, they can hire a reputable security company to audit their system to plug the gaping holes.
Do we need to pass laws for companies to do security audits? Maybe for listed companies or companies that have services of a certain size, since they'll try to skimp on costs or executives don't understand IT needs.
Trying to criminalize the intent of developers even if they create tools solely for cracking is a slippery slope. While we're at it we should make defense contractors liable for war damages and execute the engineers responsible for creating weapons.
In Japan a closed source p2p software called Winny caused a lot of disorder with viruses, and lots of government information and embarrassing private pictures leaked onto the net due to security issues. Unfortunately, the developer was busy fighting a trial based on whether he had intentions of violating copyright with his software (he was finally acquitted on appeal to a higher district court). If he had at any point publicly endorsed copyright violations, he'd probably be locked up for a long time even if he didn't violate a single bit of copyrighted content. Needless to say, the project is abandoned and full of holes. Good for the anti-virus industry though.
This kind of thing could well be a legal reality soon...