Germany Declares Hacking Tools Illegal

dubbelj writes "Germany has updated their computer crime law to declare 'hacking tools' illegal. This will place most of the professionals in the network admin and computer security fields in a sort of legal grey area. 'The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, sections 200 and following [in German]). Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten, which means that some security scanning tools might become illegal.' We discussed a similar measure in January when Australia considered the same kind of legislation. How will this affect Linux distribution in Germany, as most standard Linux distributions come with these kind of 'hacking tools' installed by default?"

Lock Hacking

[TheLazySci-FiAuthor]

How are hacking tools really different from locksmith's tools?

I certainly have found a locksmith to be very useful in very legal ways - but then again, I'm the kind of person who has key problems ;)

So....

[Nick Driver]

...when will they start requiring computer professionals to have to become licensed by the govt in order to to possess and use the tools necessary for them to do their jobs?

Wait, what?

[Xtense]

So how they are going to distinguish hacking tools from security software? Nmap can be used as both, and I sincerely cannot imagine securing anything without it. Next, packet loggers. Will Ethereal be banned too? It's one of the best tools IMO that gives a user the power to see exactly what he is sending or receiving, showing potential problems and vurnabilities, but it, of course, can be also exploited beyond any limits. And it's the case with all the rest of popular networking software.

Here's something legislators never learn

[Rosco P. Coltrane]

As with firearms, it's the shooter that commits a murder, not the gun. In this case, it's hackers that commit hacking, not the tool. And just as with guns, when they outlaw hacking tools, only outlaws will have them, and the new laws will just annoy the shit out of legit users.

what made the list?

[Original Replica]

I imagine the list of tools useful only to hackers is pretty short. And I imagine that german hackers will find ways to use "legit" software to their ends.

On another note, expect little in the way of secure software innovation out of Germany in the next few years.

RMS is right

[Akaihiryuu]

Sure, some people think he sounds paranoid...but he's right. It'll take time for things to get really bad...but they will get there, slowly.

http://www.gnu.org/philosophy/right-to-read.html [gnu.org]

Re:Lock Hacking

[morgan_greywolf]

Yes, actually. Hacking tools like nmap, ethereal, dictionary crackers (i.e., cracklib), etc. are absolutely necessary in securing a network. There is no way I could lock down a network without scanning to see what ports are open or determine the security of traffic on a network without a packet sniffer. Heck, packet sniffers are useful in determining problems in misbehaving networked applications. How could I check the security of my users' passwords without a dictionary cracker?

Hacking tools are more like guns: make them illegal and only the criminals will have them.

Our brains...

[Etherwalk]

Brains are the best hacking tools of them all, and the only ones necessary--anything else can be rebuilt from scratch, or worked around. (Though it would take a while, in some cases.)

So they've outlawed brains.

Brilliant. =)

Re:Lock Hacking

[Hatta]

How are hacking tools really different from locksmith's tools?

Not at all. If you are against the prohibition of network security analysis tools you must also be against the prohibition of locksmithing tools.

End of Days||Daze

[packetmon]

That's humorous (in a scary way) considering the following:

The commission communication "towards a general policy on the fight against cyber crime" [europa.eu]

There is no agreed definition of "cyber crime". From a strictly legal point of view, it can be questioned whether there is any need for the term at all - it could be argued that "cyber space" is just a new specific instrument used to commit crimes which are not new at all. The term may thus be most interesting from an operational point of view, i.e. the operational instruments and procedures to fight against this type of crime must be developed.

With that said, as an American, I can almost indicate any connection to me as being an illegal one and cost the German taxpayers a bucketload of money with false claims. Let's consider the following scenario.. Ping. Simple administrative tool, can also be used for DoS attacks. Suppose I start a business ... eFishSkinSales.com that sells fish skins... I find a German counterpart GermanFishSkin.com... I take their IP addressing and spoof a pingflood to my routers and send German authorities the logfiles. Would they know what a spoof is for one. How about the following... A German websurfer visits my page and does not close his browser. For the next nMinutes where n equals the amount of time he has his browser on my page, he will make repeated GET's thus resulting in a DoS attack of the lamest kind. What then. Are browsers hacking tools?

Let's take it a step further into XSS (cross site scripting)... The browser IS THE TOOL. Should all browsers be banned now. Oh those Germans. I know... What about a German, with a shell on a server in America developing tools. Now those tools don't reside ANYWHERE in Germany then what. I would have laughed that law all the way to the bitbucket. But... You're likely dealing with e-Incompetent lawmakers driving Beamers and Benz' who care little about the advances in LIFE as a whole thanks to computing both good and bad (malicious hacking has forced companies to improve themselves).

Sounds good on paper

[Anonymous Coward]

But as the technically educated know, many tools that can be useful for diagnostics, troubleshooting, performance optimization, and usage monitoring can also be used for hacking. This, like many laws, will likely be arbitrarily enforced based on criteria not specified in the law.

Knives are tools that can be used to stab people, but we do not make them illegal. If we *did* make them illegal (defining the item as "tools that can be used to stab people") then in actual practice the law will only be used to increase the charges already leveled against someone, or to target someone who has otherwise broken no law but is doing something of which the powers-that-be disapprove (such as...i dunno...criticizing this or that government official or policy).

Re:Lock Hacking

[X10]

Hacking tools are more like guns: make them illegal and only the criminals will have them.

That is sooooo untrue. In countries where guns are illegal, criminals don't use guns very often. In countries where guns are legal, deranged college students use them to kill their fellow students.
If you pick a metaphore, pick one that works.

Reply: Well, no phreaking problem folks...HAVEFUN.

[OldHawk777]

Well anyway, I am not going to phreak out about hacker tool being illegal. Funny part: For the foreseeable future, any nation without citizens having, using, and learning hacker/cracker/phreaker/... tools (with hands-on experience) is defenseless in case of war/threat. Nations will need as many phreaked crackers, cracked phreakers, 31337 draftees/recruits as they can find (including the wheelchair, gay, and grandma ones).

In a MAD dash governments globally will make all "Hacker Tools" illegal. Zoll Gestapo will be contracted and trained by the US Government, then deployed to Russia, China, USA, France, Canada... All heidi-holes, small/large dark crevices, and generally anything that can be screwed will be looked into.

"Hacker Tools" from telnet, ping, TFTP ... to PGP, RMON, Tripwire, C++ compilers ... eventually all technology will be confiscated and most people will be in jail where they belong. Yes, the Germany government of the EU is proving to be as bright as the government of Mississippi in the USA.

Luddites love politics; because they are not required to know or do, anything right, and are paid anyway. Politics has become a form of welfare for the wealthy incompetent of the US, EU, Iran, Saudi, Russia, China, Egypt, India, Sudan, Mexico.... Politicians in any country are a pitiable basket of low intelligence, corrupt ethics, and fetid morals.

US, EU, and many others are in troubled/stupid times.

Re:Wait, what?

[Anonymous Coward]

So how they are going to distinguish hacking tools from security software?

Finally, a question which even I am qualified to answer.

It's simple -- who provided the tool?

If I install a rootkit on your computer, it's a hacking tool.

If Sony installs a rootkit on your computer, it's a perfectly legal way of enforcing their digital rights.

In simpler terms, it's a combination of gross annual income and number of legislators purchased.

Coordinated International Effort

[mpapet]

To criminalize so-called hackers.

Most policy wonks that deal with this sector have already spread the word that computers are dangerous tools in the wrong hands. So, step 1 is to make the tools illegal. For example, "Your honor we found hacking applications wireshark installed on the defendants computer." No questions about approved uses are allowed because that makes things too complicated.

Don't bother with legal challenges, the objective is to make computers a content delivery device. Anything else is too threatening to governments, regardless of their borders.

Best case scenario as other posts have pointed out, the government gives out licenses that allow you to use/own "hacking" software. In the U.S., probably a process similar to getting a clearance would be required. This is happening internationally.

Since this is the /. echo chamber, no one will do anything but whine and go back to their work/entertainment.

Required reading for Americans unhappy with their political process: http://www.vanityfair.com/politics/features/2007/0 6/murphy200706?printable=true&currentPage=all [vanityfair.com]

So called malicious software

[stardyne]

Even programs that contain keyboard loggers have their uses. Most automated software testing tools use keyboard logging as part of the testing process. Viruses have their uses, as well. On a limited network, I have heard of admins using viruses that are "mutated" so they install patches without any user intervention.

Re:Lock Hacking

[Rakishi]

Uhm, can you comprehend basic english or not?
He is perfectly right, by definition if you make guns illegal the only people who own guns would be criminals (and law enforcement but then its not a total ban on guns). There may be many or a few of them but by definition his statement holds true.

Anyway in some of those places they use knives instead and kill more people than they did when they had guns. After all, why would they bother with a gun when they know their victim doesn't have one? Not only is the knife perfectly legal unlike a gun (convicted criminals can't legally own guns in most if not all of the US) but in a knife fight the criminal is probably much better off than in a gun fight. Remember that criminals are in better shape, younger, less prone to fear and are free to train with knives as much as they want (unlike guns which they can't train much with) compared to their victims.

In other places they all use guns since the main source of crime is gangs and they escalate the weapons used accordingly (their "victims" have guns in that case). Washington, DC bans almost all guns and there are tons of shootings there, the highest murder rate in the US by far actually.

In countries where guns are legal, deranged college students use them to kill their fellow students.

Bringing guns onto the VT campus was/is illegal. As a result the only persons who had guns there were law enforcement and the deranged college student. Interestingly enough there is one case where a different deranged college student was shot dead by other students before he could do much damage.

So please heed your own advice and don't use statements that don't work.

Re:Here's something legislators never learn

[ravenshrike]

Yes, because defending yourself isn't a positive thing at all. Sooo, have you put "No Guns Here" signs outside your house yet?

Re:Problem Solved

[garry_g]

Well, according to German politicians and security "experts", voting machines are secure, too --- because tampering with them is illegal and forbidden!

Any questions?

Sometimes I wonder if politicians are descendants from a certain Golgafrincham space ship's inhabitants ...

Re:Here's something legislators never learn

[Dan Ost]

I'm not a big guy, but when armed, I have the means to effectively defend myself and my loved ones against those who might otherwise do us harm.

How is that not a positive use?

Bullshit law

[nukem996]

My university(in America) has the same rule for any computer connected to there network. I have always had etherape, ethereal, nmap, tcpdump, etc on my computers since I do computer repair. I decided to leave them on and just never tell anyone. Once I got a job in the CS department I noticed everyone had the same tools and really no one cared. Germany will probably do the same thing, no one will care about you having "hacking tools" until they really want you to go away, then you'll be charged for every program that can do anything that would manipulate data. Anyway shouldn't they have made cracking tools illegal?

Re:Lock Hacking

[CastrTroy]

Set the password strength policy too strong, and make them change it too frequently and the following will happen

1. Dictionary attacks become easy because it's easy to guess how users will pick passwords to conform to "rules". For instance, if it must have 1 symbol, and 1 letter, then you can bet that those characters will be at the end or the beginning of the password. Also, if the minimum length is 8 characters, then you can bet that most passwords will be exactly 8 characters.
2. Users will forget their passwords
3. Users will write their password down on a post-it beside their monitor so they don't forget it.

Unenforceable

[sizzzzlerz]

Just like attempts to outlaw pornography, this one will fail as well. What is pornography is one person's eye is art in another. Just what is a hacking tool? Who gets to say? If it has some socially redeeming value, is it still a hacking tool? Although I don't read German, it didn't appear there were any specific programs specified in the law so I suspect this is one of those "I don't know how to define it, I just know when I see it" kind of laws.

When will politicians ever learn? sigh...

Re:man ping

[2Paranoid]

When will law makers figure out that it is what you do with the tool that should be illegal, not the tool itself? Otherwise knives and cars should be illegal, because both have been used to kill.

The Facade of Law

[Anonymous Coward]

There are 2 possibilities.

1. The lawmakers mean well, but don't understand the technology or the implications of this law.

2. They are deliberately transferring power from the Judicial Branch to the Executive Branch in order to appear "tough" on crime. When it's impractical to enforce a law that is broken by many people, the Executive Branch doesn't enforce it, unless they need an excuse to bust someone they don't like, or to search someone they're suspicious of. This gap between what is commonly enforced and what CAN be enforced, I like to call "The Facade of Law" as opposed to "The Rule of Law".

As long as the masses believe they are safe and the system is just, they won't riot/revolt. "Justice" is just an illusion to provide political and economic stability to a group of social (and hence moral) animals. (In my opinion)

Re:Lock Hacking

[Rakishi]

I live in Australia. We have fairly restrictive gun control, and consequently we have very low gun crime.

...joy, so are you one of those insane people who doesn't care what the homicide rate as long as it's not guns doing the killing? Because that is what your statement seems to imply and I don't see what else it could possibly mean rationally. It doesn't matter if someone is stabbed, shot, hanged or set on fire to death as in the end they're all just as dead.

Also mass killing are so rare in the developed world that they're only important to those people who are so media crazed as to be nearly brain dead which I must admit is most of the developed world. Not to mention that some of the most memorable mass killing in the US (and the world as a whole, look at the middle east) were not done at once or were done using explosives.

Sure, some criminals do have handguns, but that's all they can really get.

With the possible exception of RPGs: http://www.theaustralian.news.com.au/story/0,20867 ,20707130-5001561,00.html [news.com.au]

Anything bigger becomes harder to conceal.

In VT two handguns were perfectly capable of killing many people. Handguns are more dangerous because they can be concealed, larger weapons aren't a big problems unless you have gang wars that resemble small wars (ie: Mexico).

The person is completely legal holding the automatic one step outside the campus.

Automatic? He used two perfectly normal semi-automatic handguns save for using extra large magazines:
http://en.wikipedia.org/wiki/Walther_P22 [wikipedia.org]
http://en.wikipedia.org/wiki/Glock_19 [wikipedia.org]

It's odd how people keep wanting to ban all these weapons because of the VT shooting which were not at all involved in it.

Re:man ping

[jafac]

This really IS the modern-day equivalent of "if your eye offends thee, pluck it out."