As an American, I'm relieved to know that the United States is not unique in its propensity to dispense technology-related laws that make no sense. Last week, I wrote about how the Feds pointed the finger of blame at P2P software purveyors for its own security failings, rather than own up to the fact that they just don't know how to secure their own networks. This week, it's the German parliament that takes the prize for just not getting it. 

Germany's new anti-hacking law, approved in May and implemented last week, was designed to target dangerous attacks on computer networks in both the public and private sectors. The new law specifically highlights denial-of-service attacks and sabotage as punishable crimes, as well it should. If a hacker brings down a network, steals information, or causes a business or public agency to lose time and money, then that hacker should suffer the consequences.

But the problem with the well-intentioned law is that it defines "hacking”" as simply gaining access to secure data, even if nothing is stolen. The potential for trouble here is what has caused concern among the blogosphere on both sides of the Atlantic. It is well known among security experts and analysts that the "white hats" often use so-called hacker tools to test the security of a network, and expose vulnerabilities so that they can be corrected before the "black hats" get to them. Dissemination and use of these tools will now be illegal in Germany. The trouble is, the bad guys will stay there, and all the good guys that use hacking tools to protect, are now leaving Germany. KisMAC is one such group, which created a tool to detect security vulnerabilities in wireless networks. They are relocating in Netherlands. A notice on their German Web site (http://www.kismac.de) pulled no punches about how they feel about the new law, reading: "One of the major weapons exporters in the world prohibits production and distribution of security software (StGB Sec. 202c). From a nation of poets and thinkers to a nation of bureaucrats and ignoramuses. Visit KisMAC in the Netherlands soon." And Security4all (http://security4all.blogspot.com/2007/07/german-law-vs-security-tools-fallout.html) spotted the new opening page of the Chaos Computer Club (www.ccc.de), which puts tongue in cheek and says (in German) something to the effect of “The German government changed the Internet back into a flower meadow. Since there are no more security problems, we don't need any security tools any more. Should you see any security issues on your systems, it's only an illusion.” And Ars Technica (http://arstechnica.com/news.ars/post/20070528-germany-adopts-anti-hacker-law-critics-say-it-breeds-insecurity.html) quotes a Chaos Club spokesman as saying that legitimate research can now only take place in a "legal gray area." The Keyboard Samurais (http://keyboardsamurais.de/2007/07/06/german-law-criminalizes-programmers-admins/) blog suggests that doing a penetration test on one's network will now lead to prison time, and interestingly, points out that the German authority for IT security itself, the BSI, promotes the BOSS CD, which contains some of the very hacking programs that are being outlawed. http://security.itworld.com/4341/nlsblog070814/page_1.html