2007-05-28 21:59:25

German IT security industry sentenced to death

The german IT security industry was sentenced to death on Friday, May 18th, at 22:30.

Originally, the session was scheduled for 02:00 in the morning of Saturday, but apparently this appeared to be a bit overkill. On half past ten in the evening, the german federal council declared that it accepted the modifications to the criminal law regarding informatics unaltered. These modifications forbid the possession and use of tools which are mainly used to intercept, alter or gain access to data.

However, the german IT security industry depends heavily on the possibility to create and possess such tools. IT security is mainly created by finding security problems (e.g. data which is passed unencrypted, buffer overflows, information leaks), writing an example exploit in order to help understand the problem, and hand that to the vendor in order to have him fix it.

On the other hand, security on the user side can only be created if all of the example exploits are used against the user's system in order to determine whether or not it needs to be patched against something. Also, additional broad exploitation techniques are used to find applications that suffer from common problems. This is of course vital to a good security test of a customer's environment, because some programs may only reveal flaws in certain setups.

The decision of the german government is mainly guided by the belief that all IT security threats to german companies come from inside the country. This is however untrue. Most of the attacks are automated and come from foreign IP ranges (asian, american, etc.). This means that this law does not stop the attacks, but it takes away all means of defending against them, because the tools which are required to conduct security tests have just been outlawed.

Also, this law doesn't just impose problems on the IT security industry but also on large parts of the entire IT industry. For example, network operators heavily depend on sniffing tools to figure out parameter problems in their network flows. Falsely set parameters can slow down a network or even stop all traffic. Also, firewall rules can only be tested and debugged that way. In order to figure out network problems, it is inevitable to use the same sniffing software that could possibly be used to sniff user's passwords.

There is only one true solution to the IT security problems in this world. It is an absolute necessity to encrypt all, or at least all authenticated, traffic. Username and password authentication should also be eradicated and replaced by cryptographic challenge-response protocols, as demonstrated on the CAcert web site.

And the second necessary step is what is described as «eternal vigiliance». There is no way of avoiding this. If you want your enterprise to be reasonably safe, have an independent or even inhouse expert conduct regular security tests. Adopt security updates within a 24-hour timeframe. Avoid technologies which come with their own security problems but are advertised as bug-free (such as PHP, Java or .NET). Also, keep backups. If you do this consequently, you should be reasonably safe from attackers.

The entire legal proposal can be found under http://www.bmj.bund.de/media/archive/1317.pdf. The interesting parts are §§ 202b and c.

Posted by Tonnerre Lombard | Permanent link | File under: general, news, politics