Germany Declares Hacking Tools Illegal

dubbelj writes "Germany has updated their computer crime law to declare 'hacking tools' illegal. This will place most of the professionals in the network admin and computer security fields in a sort of legal grey area. 'The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, sections 200 and following [in German]). Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten, which means that some security scanning tools might become illegal.' We discussed a similar measure in January when Australia considered the same kind of legislation. How will this affect Linux distribution in Germany, as most standard Linux distributions come with these kind of 'hacking tools' installed by default?"

man ping

[Anonymous Coward]

ping - a hacker tool used for detecting computers connected to the internet for the purpose of breaking in to them

Who is ...

[BosstonesOwn]

Default and why is he installing hacking tools in Linux distro's ?

On a serious note doesn't this basically make watching dvds on a linux computer illegal as well ? Sounds to me like this can be wide open for abuse much like our beloved DMCA.

Can't RTFA since the laws are in German.

Bablefish of the CCC article

[davecb]

Prohibition of computer safety tools opens Bundestrojaner door and gate

May 25, 2007 (46halbe)
The Bundestag has today the prohibition of computer safety tools invariably durchgewunken (criminal law law of change for the fight of the computer criminality, more again 202 StGB). To be punished is in particular a manufacturing, a programming, a leaving, a spreading or providing software, which is urgently necessary for the daily work of network administrators and safety experts.

The Bundestag has today the prohibition of computer safety tools invariably durchgewunken (criminal law law of change for the fight of the computer criminality, more again 202 StGB). To be punished is in particular a manufacturing, a programming, a leaving, a spreading or providing software, which is urgently necessary for the daily work of network administrators and safety experts.

With it the delegates acted against the express advice of the experts belonged in the committees with the consultation of the law out of science and practice. Also on the part of the InterNet economy and from the Upper House of Parliament the law change had been criticized sharply. With exception of the Party of Democratic Socialism and a lonely SPD delegate now the completely large coalition that votierte notion lots to make Germany the professional disqualification zone for computer safety experts.

By expressed far version law becomes possession, which production and the spreading of preventive tools, with which security can be examined by computers, in Germany punishable. These tools are however essential, in order to ensure the security from computer systems to. The general prohibition of this software is to be forbidden about as helpfully as the production and the sales of hammers, because sometimes thereby also damages are accomplished.

Andy Mueller Maguhn, speaker of the chaos computer club, commentated: "the prohibition of the possession of computer safety tools opens also for the employment of the Bundestrojaners door and gate industry and citizen systematically the possibility is taken of examining their systems adequately for security. This prohibition endangers the security of the IT location Germany."

As the automobile industry, is examined in the computer industry the system security makes its vehicles with Crashtests safer by the controlled employment by attack programs. It will be legally no longer free of doubts possible in the future for sensitive computer systems will test whether they are safe or not.

On the yearly congress of the federal office for security in the information technology (BSI) Minister of the Interior Schaeuble announced planned certifying "more trustworthily" to Sicherheitsdienstleister. With this step obviously the abilities and the knowledge, which are necessary for effective safety examinations of computer systems, are into which hands by yard suppliers handread out by the government are monopolized, while the independent computer safety research can be kriminalisiert as desired selectively.

CCC speaker Mueller Maguhn in addition: "the explanations of the Minister of the Interior for computer security are pure lip-service. Here systematically the legal and organizational framework is created, in order to make citizens and enterprises defenseless opposite computer attacks, restaurant economics and also the Bundestrojaner. Safety research can take place only in an unacceptable legal gray area."

IE illegal?

[rasteri]

You can use a browser to hack poorely written web apps (some forum software springs to mind). Doesn't this effectively make all browsers illegal?

Like banning guns

[Grishnakh]

This sounds like banning guns in a hypothetical country where there's a lot of gun violence, and people commonly wear bulletproof vests. (Note the "hypothetical" here; this is just for the sake of argument.) Suddenly, a new law banning guns is passed, and the vest-making companies can't develop new vests because they have no way of testing them.

Brilliant.

Another parallel: this is like making it illegal to wreck a car, whether by accident or intentionally. With a law like this, cars can't be crash-tested, and auto crash safety research comes to a stop.

Of course, in the real world, computer simulations can be used to get around these problems. But with this new real-world law, the simulations themselves are illegal!

Re:what made the list?

[Xtense]

There is also the problem of using these "only useful to hackers" tools to evaluate your security. If this is outlawed, how can you keep yourself secure legally, if these tools are basically churned off daily, with newer and newer methods of attacking? This is basically suicide for legal safety. If this law is passed, I can actually see German government websites being hacked on a daily basis not long from now.

Re:Wait, what?

[Randseed]

You could make the argument that "netstat" is a hacking tool. Which, I suppose, makes the C library a hacking tool, and the C compiler a hacking tool, and the kernel... Agggggh. Make it stop.

Re:man ping

[blowdart]

Better than that;

Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten

Because of XSS that has just made all browsers illegal. Microsoft, Opera and Mozilla must report for prosecution.

DRM?

[Anonymous Coward]

Digital Rights Management (ahem, excuse me, "Digital Consumer Enablement") technologies can be used to obtain private information from my system, to prevent certain parts of my system from functioning, and to install unwanted and potentially malicious executable code on my system, all without my knowledge or consent.

Sounds to me like DRM "can be used for hacking," and is therefore now illegal in Germany.

Keep leading the way, Germany!

Re:man ping

[MightyMartian]

Hah! I have Firefox and Internet Explorer, to determine if a webserver is running on a computer. I have telnet to test if any TCP ports are open on any host.

Re:Lock Hacking

[inviolet]

Hacking tools are more like guns: make them illegal and only the criminals will have them.

The parallel doesn't end there.

After the end of the Civil War, southern states passed gun-control laws that made it illegal to carry guns, or sometimes even to own them. These laws had to be written in general terms: the North would not countenance* a law written specifically to disarm blacks. But the local legislatures and the police understood that they were to be enforced only against blacks. Or perhaps the law was written to allow the sheriff 'discretion' in issuing permits to private citizens carry a gun, which meant the sheriff could simply choose to issue permits only to whites.

Later, the 'understanding' was forgotten, and now those laws are applied to all of us.

Sysadmins in Germany are now like the whites (white-hats?) after the Civil War: they expect to be overlooked by the enforcers, but how many years will it take for that understanding to be forgotten?

And another thing. Police love it when people accept a "It's understood that we good guys are going to break the law, because the law was written overbroad" law. Like speed limits. They love it because the policeman's only power is to crack down on lawbreakers... and oh what fun it is when the good guys -- once arrogantly immune to the policeman's intimidations -- are now required to break the law, and to place themselves on the defensive, in their normal course of business.

*My isn't it an addictive rush, feeling virtuous at someone else's expense.

Re:Lock Hacking

[Greyfox]

Yup, if one of those professors or even another student had been carrying a gun the massacre could have been stopped much earlier. People think the police are there to protect you but that is not the case. The police are there to clean up and figure out what happened after a crime takes place. There is no way they can protect all citizens, even in the police state that we're moving toward. Your safety is your responsibility.

Wrong Approach

[Greyfox]

How about requiring any software manufacturer that sells software in the country make public a detailed log of security testing that went into their product and require citizens to be responsible for the security of their home systems? You wouldn't need to have much of a penalty for citizens, perhaps something like a traffic violation where you have to attend a class on how to secure your computer if your system is found to have been compromised and used to attack some other party?

Back in the 90's when I was working at Data General I was on a team of people who were reading the source code to every function in the C library, operating system and utilities. For each function we wrote a document saying roughly "Here's what the function does, here are any potential side effects, here is the source code we used to make sure the function didn't break or compromise security in interesting ways." Data General was a pretty small company and yet they managed to find the resources to do this. I'm sure Microsoft or Intel would have no problem assembling a team that could do this. This would improve security of systems worldwide a lot more than some foolhardy attempt to prevent a set of applications from being developed.

As a resident of the German People's Republic

[vorlich]

and of course Scottish*, (but legally Bavarian) I do hope you will continue to post material like this that demonstrates a complete lack of understanding of
A) The Germans.
B) The German political system
C) The German Psyche.
D) That anyone who was 20 in 1945 is 82 this year.
and
E) Todays Germans are a composite of changes in the population that occurred after WWII (ie they're different!)

Slight Technical Aside
The change to the law is pretty much the same as the Scottish Crime (readers who don't think Scotland is a country with a separate legal system should stop reading at this point.) of "going equipped to commit a theft or housebreaking" The article in German is just a scrape of The Register and other pages and the Babelfish rip is typical of the gobblydegook that is internet translatation.
Google always translates Ich weiss (I know) as I white, which is sub-Noam-Chomsky-stupid.
German is a language that lends itself not to dumb dictionary look up programs. The word compile for example never comes out as 'list' in a dictionary - apart from the larger Duden English/Deutsch. Usually it is 'collect together' and sorgen (to worry) becomes 'ensure' although in print dictionaries it is usually translated hilariously as 'solicitious' which when used in an essay on Digital Media is just too funny for words.

So keep up the good work because for me it means:
A) Going snowboarding for 18 Euros instead of going to the pub on Friday night for 60 Euros plus hangover because the alps are on my doorstep.
B) Wine for 1.49 a bottle (Euro/Dollar about the same, dude.)
C) More holidays than you can poke with a stick
D) Working half the hours I did back in Bonnie Scotland.
E) A country full of beautiful people, almost every single one of whom is liberal (see if Google can translate that.)
F) I get to be that British guy who explains why the USA is not the Great Satan and what 'Dude', 'Geek' or 'excellent' means.

Just as long as you keep scaring away all the English speaking part of the world.
Cheers!

*Kiltwearingpennypinching
haggisbashingporridge
eatingbraveheartwatching
worldcuplosingbagpipepla ying
harddrinking buckfastloving
snpvotingballotpaperspoilingstereo typefulfilling.

Re:The Facade of Law

[qazsedcft]

They are deliberately transferring power from the Judicial Branch to the Executive Branch in order to appear "tough" on crime. When it's impractical to enforce a law that is broken by many people, the Executive Branch doesn't enforce it, unless they need an excuse to bust someone they don't like, or to search someone they're suspicious of. This gap between what is commonly enforced and what CAN be enforced, I like to call "The Facade of Law" as opposed to "The Rule of Law".

Actually, this is common practice in totalitarian governments such as countries from the former communist block. Over here in Poland we still have left over laws like this. Some are self-contradictory. Some exist only to allow police and government workers to get bribes. I hear that in neighboring Russia and Belarus these things are even more common than here. One funny example I heard recently was the obligation, in Russia, to have a first aid kit in your car. But hold on! The kit must contain a condom and must be purchased in Russia. Obviously, people driving across the border for the first time are screwed.