Germany Declares Hacking Tools Illegal
dubbelj writes "Germany has updated their computer crime law to declare 'hacking tools' illegal. This will place most of the professionals in the network admin and computer security fields in a sort of legal grey area. 'The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, sections 200 and following [in German]). Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten, which means that some security scanning tools might become illegal.' We discussed a similar measure in January when Australia considered the same kind of legislation. How will this affect Linux distribution in Germany, as most standard Linux distributions come with these kinds of 'hacking tools' installed by default?"
This is going to stop a lot of software companies from opening up German software houses. Just trying to maintain any computer network for regular developers would probably be illegal under these rules, because a lot of network maintenance tools could be considered "hacking tools" under this definition. Without those tools, it would be prohibitive to try to support an enterprise infrastructure.
Beware of bugs in the above code; I have only proved it correct, not tried it.
Last time I looked into it, numerous U.S. states required certification before you could legally be in possession of certain types of locksmithing tools. These certs were incredibly easy to obtain (basically cash and a short course), making the whole thing look like yet another set of rules designed to increase cash flow for an industry.
From the N.C. statute:
"§ 74F-2. Purpose.
Locksmiths have the knowledge and tools to bypass or neutralize security devices in vehicles, homes, and businesses. The laws of this State do not protect citizens from the unscrupulous use and abuse of this knowledge and these tools by persons who are untrained or have criminal intent. Therefore, the licensing of locksmiths is necessary to protect public health, safety, and welfare."
Regards.
If I'm an admin, I'm probably authorized to test my own network's security. I hack and probe my server constantly to determine my own security. The real gray area is if I'm guilty simply because I possess these tools or if I'm unauthorized to do something with those tools.
Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
It's nothing but crumpled porno and Ayn Rand.
You can take it even farther than that. Guns don't really have a positive use. No one is really hunting for survival anymore. Many hacking tools were created with sysadmins in mind. I personally have run into a situation where I either have to reinstall IRIX from scratch (licensing and all) or run John the Ripper on the root password for a while. Yes, there is a way around in this case, but completely legitimate use of John the Ripper saved me tons of time. I don't even want to think where I'd be without the likes of tcpdump, nmap, or other tools. We would have to guess our systems are secure without actually knowing.
Prohibition of computer safety tools opens door and gate for Federal trojans*.
May 25, 2007 (46halbe)
The Bundestag has today waved through, unchanged, a ban against computer safety tools (Bill for the change of Criminal law in order to fight computer criminality, new 202 StGB). Chiefly targeted is the manufacturing, programming, leaving (for someone), distribution, or procurement of software, which is urgently necessary for the daily work of network administrators and safety experts.
With this decision the delegates acted against the express advice given by experts from research and business to the committees consulting on the proposal. The law was also sharply criticised by the Internet economy sector and the Upper House of Parliament. With the exception of the Party of Democratic Socialism and a lonely SPD delegate, the complete Great Coalition of the Clueless now voted to make Germany a professional disqualification zone for computer safety experts.
Through the markedly broad scope of the law, the possession, production and distribution of preventive tools with which to examine computer security will become punishable in Germany. These tools are, however, essential in order to ensure the security of computer systems. Banning this software is about as helpful as banning the production and the sales of hammers because sometimes these are also used to cause damages.
Andy Mueller-Maguhn, speaker of the Chaos Computer Club, commented: "banning the possession of computer safety tools leaves the door wide open for the use of Federal Trojans. Industry and citizens are systematically being robbed of the possibility of examining their systems adequately for security. This prohibition endangers the security of the German IT sector."
As the automobile industry makes its vehicles safer with crash tests, so does the computer industry test its system security through the controlled employment of attack programs. It will in future no longer be possible to test sensitive computer systems for security in ways that are without a doubt legal.
At the yearly congress of the Federal Office for Security in the Information Technology (BSI), Minister of the Interior Schaeuble announced plans to certify "trustworthy" security providers. With this step, the abilities and knowledge necessary for effective safety examinations of computer systems shall apparently be monopolised by handpicked government suppliers, while the independent computer safety research can be selectively criminalised as desired.
CCC speaker Mueller-Maguhn added: "the explanations of the Minister of the Interior for computer security are pure lip-service. A legal and organizational framework is being systematically created here in order to make citizens and enterprises defenseless against computer attacks, industrial espionage and also Federal trojans. Safety research can take place only in an unacceptable legal gray area."
*N.B. "Bundestrojaner", which I've translated as Federal Trojans, are the programs the police/gov't use to search through people's computers remotely (newly legalised, or given greater scope, I believe)
Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
http://www.bmj.bund.de/media/archive/1317.pdf
And the relevant words in English (my translation):
German penal code section 202c
Whosoever prepares a felony according to section 202a or section 202b by
Note: sections 202a and 202b are both about gaining access to data meant for somebody else.
And those are tools that are at least definable that you installed yourself. Mac OSX comes with netcat installed. As the "swiss army knife" of hacking what are owners of Apple computers supposed to do? Return them to Apple, destroy their computers, or just march directly to jail?
Has anybody pointed out yet that this law is still just a draft and not through yet? Germany has not declared hacking tools illegal and according to the harsh and devastating critics of Germany's IT industry on this law it probably never will. Bye.