
I'd be curious to find out as well. It's a very fine line between a Luhn10 checker and a Luhn10 sniffer--the law's wording would need to be very precise to avoid criminalizing legitimate business software.
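To make the "fine line" concrete, here is an added example (not code from the original thread): a Luhn mod-10 validator of the kind every checkout form runs, followed by a scanner that reuses the identical function to pull Luhn-valid digit runs out of an arbitrary buffer. Nothing in the check itself distinguishes the two uses; the surrounding code and the operator's intent do. The regex, the 13-19 digit length window and the sample buffer are assumptions constructed for this example.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) checksum.

    This is the "checker" half: the same routine a payment form uses to
    reject typos before a card number is ever sent to a processor.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (i.e. sum its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# The "sniffer" half. Candidate runs: 13-19 digits, optionally separated by
# spaces or dashes, not embedded in a longer digit run. (Assumed pattern.)
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_luhn_candidates(buf: str) -> list[str]:
    """Scan a text buffer and return digit runs that pass luhn_valid().

    Feed this a memory dump, a log file or a pcap payload and it becomes
    exactly the tool the thread worries about, yet it calls the same
    luhn_valid() as the checkout form.
    """
    found = []
    for m in _CANDIDATE.finditer(buf):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample input: two well-known test PANs (Luhn-valid, not real
# accounts) and one 16-digit number that fails the checksum.
SAMPLE_BUFFER = (
    "order #4111-1111-1111-1111 shipped; "
    "tracking 5551234567890123 ignored; "
    "ref 5500 0000 0000 0004"
)

if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))  # checker use
    print(find_luhn_candidates(SAMPLE_BUFFER))  # sniffer use
```

The scanner deliberately uses the lookbehind/lookahead so a 20-digit run is not split into a "valid" 16-digit fragment at its start; any production card-data scanner (DLP or malware) adds an IIN prefix table on top, but the Luhn check is the part a statute would have to describe, and it is the same code in both roles.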


Often I think authorities realize these laws are over-broad but don't care. They just selectively enforce.

For example, in NZ the Crimes Amendment Act 2003 allows for prosecution[1] of anyone who drops or sells 0day.[2]

It's one of those laws which has never been enforced, but probably would be if you made a nuisance of yourself.

---

http://www.legislation.govt.nz/act/public/2003/0039/latest/D...

(Section 251 Making, selling, or distributing or possessing software for committing crime)

[1] "liable to imprisonment for a term not exceeding 2 years"

[2] The requirement is "the sole or principal use of which he or she knows to be the commission of a crime". However, gaining unauthorised or unlawful access to a computer system is a crime meaning exploits qualify.


This sounds mostly reasonable at first glance. I'd have to dig a lot more into how it's played out in practice to have a fully-valid opinion, of course.

The one thing you mention that worries me, though, is dropping 0day. Would this include full disclosure? Would this include developing an 0day as part of a pentest? How does this affect things even as far reaching as responsible/coordinated disclosure? If a law makes doing the right (let's use open disclosure, whether full and immediate or coordinated and timed just to mean "right" while selling 0days for ostensibly criminal purposes as "wrong" for the sake of this conversation) thing as difficult (or even more difficult) to do than the wrong thing, then the law will only bolster the black market.


These are open questions which have never been resolved since section 251 was introduced in 2003. Note that this is NZ law only and I am not sure of the situation internationally.

Some relevant quotes: -----

http://www.giac.org/paper/gsec/4001/zealand-information-tech...

"Although most cases of legitimate have been covered, not all have. Section 251 does potentially raise some interesting issues around concepts that many security professionals are supportive of, the sharing of information and full disclosure..."

http://www.bellgully.co.nz/newsletters/03CTM/03CTM_HackersBe...

"On the face of it, such criticisms may be justified. Whether or not the Amendment Act will actually have this effect will only become clear through the passage of time. In this regard, “good” users of such information may have to rely (tentatively) on the police's discretion whether or not to prosecute a particular case."


Plus pen testers could argue that they legitimately need any tool a hacker could possibly use in order to test the security of their systems.

nmap was one example I remember hearing would be considered illegal under Germany's new law.


s/could/do/

This is the problem with this manner of law. Criminalizing the very method by which entities guarantee their security is never a good idea.


It's not that hard to carve out exceptions. Professionals can buy really dangerous fireworks that are 'illegal'.


Most likely this will lead to official certification and registration of pen testers, like locksmiths and alarm system installers are required to have in some states.


Yeah, this is pretty likely. It's a dangerous road to go down, however, as regulatory bodies can be far from impartial.

It's a difficult issue to properly address. I think the right method to go about it is to punish actions, rather than possession of tools. On some level, simply having the ability to write software makes one suspect, if you start scrutinizing tools. Actions (compromising boxes and running exploits without permission of the owner of the host, advertising explicitly criminal use of software) are easy enough to define, and it's easier to define an exclusive list of "bad" actions, than to come up with generalizable rules.



