Strict German Computer Crime Law Now in Effect
SkiifGeek writes "With little fanfare, section 202c of the German computer crime laws came into effect over the weekend. Worryingly for security professionals, the laws make the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) many useful tools illegal. A similar law was proposed for the UK; however, it was modified prior to passing through parliament due to the outcry from the industry. Phenoelit, KisMAC, the CCC, and the Month of PHP Bugs are just some of the relatively high profile projects and groups to have already taken measures to remove or modify content under this law."
Germany is making sure that when they start a new world war, there will be no legal tools to crack their enigmas!
Looks like I'm a criminal in Germany then. Wonder when they're gonna demand my extradition...
Understanding the scope of the problem is the first step on the path to true panic.
Well intentioned, this is the sort of reason why lawmakers need an education in how improvements are made in software and hardware. You can't stanch curiosity by outlawing it. The German software industry gave us improvements to Linux from SuSE, Project LiMux, and a raft of excellent tools for debugging, general hacking, and just plain good creative code.
Now a Damocles sword hangs over the head of the genuinely interested German hacker. And hacks will continue across the rest of the planet, because improvements are iterative lessons learned from mistakes.
Why not instead develop infrastructure that allows ISPs to eliminate machines controlled by bots? Or find a way to make a better international citizen out of PTT-behaving Deutsche Telekom/T-Mobile? Or perhaps learn the lessons from the fear-engendering legislation that's now law...
---- Teach Peace. It's Cheaper Than War.
Classy way to claim first post.
Back to the topic, though; the internet should simply be declared a public place and laws pertaining to such public places should be applied, rather than creating a whole new set of laws for the internet. There are enough laws already; furthermore, laws everywhere are different; it just causes undue conflict.
Of course, sites which require the user to click a link indicating that they agree to a set of terms (door) or to login (lock) should be treated as private property and those laws should apply.
Here's the fun part: get every country with internet access to go along with this.
Hell, I'd be happy if they just did it in the US.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
First they came for the botnet scripts, and I said nothing, because I was not a script kiddie
Then they came for the portscanners, but I said nothing, because I was not trying to hack boxes
Then they came for the packet sniffers, but I said nothing because I thought my firewall was strong enough
Then they came for SATAN, and I didn't speak up because I wasn't an admin
And then, they came for my elite box, and I had to go back to using my mom's e-Machine, and I cried and cried
Hopefully I didn't put any [] around my words.
First they came for thread_id 0051, but I printed nothing to the console because that was not my thread.
Then they came for process_id 0050, but I did not SIGTRP because I did not depend on that process.
Then they came for process_id 0003, but I did not SIGALRM because my timer had not yet expired.
When they came for me, there were no processes left from which to spawn.
Germany is now going to be a REALLY easy place to hack.
How will they manage to prevent EVIL hackers in Germany from downloading their evil hacker tools from https://someip.org/hackertools/ ?
They won't even notice the URL. It'll be encrypted under SSL.
Well according to the law that is legal, but just make sure you don't engrave the source code in an axe...
Don't you mean 'double sided double density hacker tool'?
(thanxx to Jerry Pournelle for that one...)
Likely, people with a good reason to possess hacker tools (e.g. legitimate anti-virus folk) will be allowed controlled tools - much like how the people who design kevlar vests are allowed to have automatic weapons etc. for legitimate test purposes.
Engineering is the art of compromise.
Does anyone have a link to a good English translation and legal analysis of the new law? The Phenoelit page translates the law as affecting "computer programs whose aim is to commit a crime". That doesn't cover Nmap, which I designed for security professionals. But of course some blackhats use it too, and I don't want to bet my freedom on being able to convince a technologically illiterate judge in Germany of my intent.
I hope groups like the CCC (which is apparently quite powerful in Germany) are able to get this overturned! If legitimate German admins are afraid to use Nmap and other security tools while the crackers retain full access to them, that won't be a pretty sight!
-Fyodor
Insecure.Org
Let us pause for a moment from discussing the "government versus people" debate, and (just for the sake of the argument) assume that we are living in a utopia where the government passes laws to protect citizens, not oppress them.
OK, so we ignore the potential for abuse. But that still leaves the question: how, exactly, is the law supposed to protect anyone?
- The possession of this software is virtually undetectable unless some kind of crime has been committed using them (such as using it to actually attack someone else's machine). Well guess what, attacking someone else's machine has ALREADY been illegal (and justly so).
- People who were and are willing and able to use these tools to attack other machines have already risked punishment far greater than the punishment meted out for merely possessing the equipment.
- Think about this analogy: If you outlaw the possession of crowbars (because they are used by burglars), who will suffer more, the burglar or the construction worker who also happens to need a crowbar? Of course the construction worker -- the burglar operates in secret and the worker in the open; and if caught, the punishment for burglary is significantly bigger, to the point that someone willing to perform a burglary will not care for the (relatively small) additional punishment given for the possession of the crowbar. But for the construction worker, this law means losing his job.
- Some people would see an analogy between this law and advocacy of gun control (fewer guns = supposedly less violence). But unlike gun control, where restricting guns (at least theoretically) makes it harder for criminals to obtain them, this law cannot possibly do anything to prevent the obtainment of these "hacking" tools, which can only be detected ex post facto.
So, if this law...
- Does nothing to reduce the availability of these tools
- Does nothing to reduce the potential destructive purpose of these tools
- Does not provide a serious deterrent to would-be abusers of these tools
- DOES, however, significantly limit the LAWFUL use of these tools by security professionals
Then why the heck is it needed? Heck, if I was a blackhat, I'd be very, very happy that security auditors got the shaft, meaning I have a much better chance of finding exploits which the good guys didn't get a legal chance to find and close first.
It seems that the quote "those who sacrifice liberty for security deserve nothing and lose both" never held truer, because not only is liberty sacrificed, but from any possible perspective hacking has become EASIER as a result of this law, not harder.
At least you can still attend Defcon and put yourself on their network for a free penetration test from all of the friendly attendees. No illegal haxor tools needed.
A criminal tool is something that a DA can stand in front of twelve randomly chosen citizens with no particular knowledge, and convince them that, not only that it can be used as a criminal tool, but that the defendant should have known that and did it anyway.
Germany's taking the noted Ravenous Bugblatter Beast of Traal approach to security. By removing the things that let you know if you're vulnerable or compromised, you're obviously secure! Screaming "la la la, I can't see you or hear you" is optional.
I've seen security analysts demonstrating breaking into websites with a web browser; you don't need specific hacking tools in many cases because what is available will often do the job just fine.
There is arguably a valid reason to prohibit tools whose PRIMARY PURPOSE is to commit crimes. You correctly stated that almost any tool CAN be used to commit a crime, but there is a difference between the two.
I'm not going to use guns as a metaphor because of the whole "gun control" debate, and also because guns have the valid use of self-defense... So let's use something more aggressive, say, hand grenades.
There is no valid reason for a non-military person to be able to own a hand grenade. The grenade cannot be used for any peaceful purpose, nor for self defense, because of its extremely high collateral damage. Even if there is a _potential_ valid use (I dunno, maybe throw it down a mole hole in your backyard to kill the pesky mole, LOL), the destructive potential vastly outweighs any valid use, and therefore I accept as valid the restriction of owning a hand grenade by the average person.
The other option is to own, say, a knife or pickaxe. Yes, some people can (and do) use those as weapons for illegal purposes, but this does not stop the tool from having a valid, legal use (in fact, its primary design is indeed a legal one). Therefore, outlawing pickaxes because some idiot happened to kill someone else with one is not a valid move.
The German law is a prime example of the second option. As I explained in my other comment on this thread, the damage done to valid users is much bigger than any possible achieved restriction on criminals.
But in this case you won't know for sure if the cat is dead until the German police kick in your door to look.
This issue is a bit more complicated than you think.
And I've just run an nmap scan of bundestag.de .
I await the knock on my door with interest.
Except that possession of 'criminal tools' such as lock picks, bump keys, etc., if one is not a licensed locksmith, is a criminal offense.
That depends on where you are. I live in Canada. In a former life I was a Sheriff. And I had a nice set of lock picks, a very slick pick gun, and a couple of slide hammers. Most of which were stamped "law enforcement use only". I was never a locksmith, though....
If you're a zombie and you know it, bite your friend!
Back to the topic...
No, you're eternally off-topic for responding to a troll post just to get a higher placement.
Those are my principles. If you don't like them I have others. -Groucho Marx
The THC (The Hackers Choice) group has already been forced to discontinue some of its best projects due to this absurd law.
http://www.thc.org/
Silenced are THC's Credit, Hydra, Scan and War-Drive. Hydra will be the most missed, as it was one of the best authentication bruteforcers. Not dwelling on this defeat to freedom of information and the security community, I suggest everyone in the security community begin resisting this trend towards silencing the messenger of insecurities.
We should be working to create new tools and better means by which to distribute information and code, both securely and anonymously. The foolish politicians and companies who think they can dare enforce security by ignoring the problem and silencing individuals should be shown that this strategy does not work. This is yet another challenge to all the security researchers and programmers, will you allow others to dictate your creativity?
--postmodern
If I am creating a shield against hand grenades, and it is not legal under any circumstances to have a hand grenade, then how shall I test my product?
Don't worry, it will be translated before it's issued in your country.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So while in theory, the German govt. thought they were outlawing computer hacking, they actually outlawed computer security.
Oops.
We have been through all of this red herring before and it won't make any difference. There is no point trying to understand how unimportant this discussion is if you don't understand today's Germany. Germany is the biggest exporting nation on Earth and it is the biggest player in the EU - which is the biggest market on Earth. Post-war Germany actively chose the social democrat model for their economy and political system. It has the finest constitution in Europe (modelled on the US but containing substantially more pages!), the welfare state supports everyone and the growing economy provides the work that creates the wealth that pays for all this. It is normal for such a society to create a bunch of laws odd to English speakers - but then my own country doesn't even have a written constitution and our councils tax the individual's home. The present day German is focussed on career, personal improvement and health and very little else.
It is an unusual characteristic of Germany that everyone suffers from angst (fair enough, they invented the word) but the angst is all about really unlikely events (acrylamide in barbecue food causing cancer, for example) and yet they throw caution to the winds the moment they get in a car.
This angst condition is so endemic I have christened it "Fright Club". Only a few weeks ago they were obsessed with "wifi smog"; people were switching off their routers and phones to protect themselves from this new scourge. It didn't appear to stop them from watching television or listening to the radio, but there you go - science and magic confused or just interchangeable.
Coupled with this angst is another curious condition called Gründlichkeit or thoroughness. Gründlichkeit is just so much part of the German character. Back in Scotland you could read the important parts of the Blue Book tax guide in the bookshop and easily identify any new legal tax avoidance strategies. You couldn't do that with the German Tax Books because there are about 127 of them (the last time I tried to count them). My accountant just photocopies pages out and sticks them in the tax return. You have to pay canal tax but there's no canal and you don't get one either.
In Germany when you change your address, you have to inform the special municipal department -Wohnanmeldegungamt- (department of names and addresses) of the change and fill in three forms. A group of students could not understand how this did not exist in Britain or USA. "What's to stop you getting on a plane, flying to the UK, robbing a bank and then flying home?" was their completely serious question and my answer: "Even German bank robbers don't normally use their identity cards or leave a forwarding address during the robbery," leaves them completely unconvinced.
Conversation with Wohnamt Official:
Official: "What is your father's occupation?"
"He's dead, what difference does it make?"
Official: "I have a space in the form for it."
"Which job would you like?"
Official: "His last one..."
Official: "What religion are you?"
(proudly) "Agnostic"
Official: "You can have: Catholic, Protestant or atheist."
"But I'm an agnostic."
Official: Ticks 'atheist'
As for thoroughness, Non-German partners are often very surprised when they clean the entire house from top to bottom only to have their partner point out that they forgot the single cup they drank their post cleaning coffee in which is standing on the immaculate sink - dirty. There is no mention of all the good work, because the concept of balancing good things against negative things (one good thing outweighs loads of bad things) is rather specific to English speakers. German anthropology uses the concept of a linear measure of perfection (or distance from it!) and the streets are so clean you could eat your dinner off them. Well, almost but this is the real reason behind this action, more national character than conspiracy.
Posts, MyBio or Sig, may contain satire, sarcasm, bolded nouns be sardonic or even witty & be Church of SD
Let me simplify this a bit more. Everything that happens online which does not require the user to log in is happening in public. Anyone can come by and see or read it. If you post something online, have no expectation of privacy regarding that something unless you put it behind lock and key (by which I mean an authentication process you are in control of). Just like in the real world; if it's not locked up, don't expect it to be private.
Further, you're not an IRC user, are you? Script-kiddies (with the same mentality of the people concealed-carry laws were created to protect us from) almost ALWAYS try to get their way by carrying their weapons where they can be seen. Immature, yes; but that doesn't make it any less common.
To paraphrase the analogy I originally made; a page requiring the user to agree to a set of terms before entry is like a door, a page requiring them to log in is like a lock. Anything behind a door is inherently safe from people who do not want to see it. Anything behind a locked door is inherently safe from those who are not allowed to see it. Anything else is happening in public view.
Yes, break-ins are possible. That's precisely why existing laws should apply; to protect those who secure their systems from those wishing to access them, rather than to protect those who go out in public looking for trouble. We have public areas, we have private areas, we have laws regarding those areas. Why make new laws when the existing ones apply just as well?
Why should someone who would be arrested for their actions, were they on the street, go free simply because it's the internet?
Simply put, if they are acting in a public area of the internet, they shouldn't.
http://dejure.org/gesetze/StGB/202c.html
...
§ 202c
Vorbereiten des Ausspähens und Abfangens von Daten
-> Preparation to spy out or intercept data.
(1) Wer eine Straftat nach § 202a oder § 202b vorbereitet, indem er
-> Anyone preparing a criminal offense according to 202a or 202b by
1. Passwörter oder sonstige Sicherungscodes, die den Zugang zu Daten (§ 202a Abs. 2) ermöglichen, oder
-> collecting passwords or similar security codes, which allow access to data (202a / 2), or
2. Computerprogramme, deren Zweck die Begehung einer solchen Tat ist, herstellt, sich oder einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht, wird mit Freiheitsstrafe bis zu einem Jahr oder mit Geldstrafe bestraft.
-> producing, supplying or selling computer software aimed at perpetrating such offenses, is punishable by one year in prison or a fine.
Where 202a/b basically define the crime "getting at data you are not supposed to get at"
I think the real problem is the first sentence "Anyone preparing a criminal offense according to 202a or 202b by..." which creates a circular dependency. I really don't understand even from the German text if that means that 202c 1/2 only comes into effect if you really are preparing to actually hack someone specific (202a/b) or if it's the other way around.
I don't give that law a lot of time before it is changed. (At least I hope so)
I think this whole fuss is somewhat overblown... my fiancée is a German law student... passed her first state exams, about to go and do the "on the job learning" part. She's been translating the law for me (she wants to defend her country against all this fuss). Some points she made:
I understand that there's a lot of concern about how the laws will be applied, but this is hardly unique to Germany; tech crime is generally difficult for law enforcement agencies to deal with, we'll see what happens with that. My fiancée thinks that part of the problem is that most of us English speakers don't have a basic understanding of the German legal system.
NB IANAL, my fiancée isn't (yet) and she's not your lawyer.
todo - The developer's equivalent of confession: "Forgive me Father, for I have sinned..."
I am German and I am potentially affected by the new law as I publish exploit code from time to time. I have written a blog entry about it, including a translation of the relevant section and some thoughts about the consequences.
OS Reviews: Free and Open Source Software