Germany enacts 'anti-hacker' law

Germany has introduced draconian anti-hacker measures that criminalise the creation or possession of dual-use security tools. An update to the country's computer hacking laws makes denial of service attacks and hacking assaults against individuals clearly criminal. Gaining access to data, without necessarily stealing …

COMMENTS

This topic is closed for new posts.
  1. Mike Smith

    Farewell to German performance testing then...

    .. as any self-respecting load test tool can be configured to make a website collapse in a heap in very short order. That's one of the things they're designed to do.

    Hm, potentially no performance testing in Germany from now on. Wonder if Microsoft... oy, behave yourself young man.

  2. Anonymous Coward

    Ah well

    Also, we Germans lately inherited 40 years of total surveillance competence, and those people must be kept busy somehow. Moving to the NL seems like quite a good deal. Too bad they will be first to go thanks to global warming.

  3. yeah, right.

    re: Ah well

    There's hills on the eastern border of NL. Should be safe there. Or you could just re-occupy Alsace.

  4. Hein Kruger

    remind me

    ... not to take my laptop with me next time I go to Germany.

    Ozervize I might end up in ze prison cell, ja.

  5. Anonymous Coward

    re: re: Ah well

    What for, the food?

    Still thinking about the NL - one could run for those hills for more than one reason... water on the left, Stasi 2.0 on the right... row, row, row your boat...

  6. Morely Dotes

    Obviously, this is a law funded by Microsoft

    Since Windows is useless for anything other than playing games and running Microsoft Office, this law effectively eliminates all other operating systems, which *do* have security tools built-in or readily available.

  7. Dillon Pyron

    Re: remind me

    Yep, can't take any of my computers with me. Even my personal use computer has things like netstumbler on it.

    Hmm, I wonder. I've got a Windows laptop that only has the nessus client on it. Is that a "hacking tool"? It doesn't do anything to the network. All it does is talk to a very large Linux box behind my firewall that can probe a network quite efficiently. But that's located in the US.

    Yet another poorly written law. That will have so many exceptions written into it that it becomes indecipherable and toothless. But it will keep computer crime out of Germany.

    I'm guessing that companies like ISS IBM will be bailing out of the German market.

  8. Keith T

    Other governments should follow the German lead

    The IT security industry has no formal ethical standards, so it is reaping what it has sown.

    You can only distribute lock-picking tools in the physical world to licensed locksmiths in most jurisdictions in the physical world. It should be the same in the cyber world.

    Lawmakers must do their elected duty and end the anarchy and lawlessness of the internet.

  9. Anonymous Coward

    Or you could just re-occupy Alsace.

    I am not sure if the dismantling of the democracy in Germany should be seen so lightly. We are still far away from a 2nd Hitler, but not as far anymore as we were a few years back.

    Secretly searching somebody's PC without a proper search warrant, or secretly searching somebody's PC even without prior suspicion. And both times with a Trojan... I leave it up to you what you think of it. I for my part hate it and I know that the Brits wouldn't even contemplate this indiscriminate breach of all privacy rights. These are methods used by the Gestapo under Hitler or the Stasi in the old GDR and are methods used by any Dictator to suppress the citizens.

    The new Hacker Laws are bad news for the economy. The law is defined extremely broadly and can be applied very quickly to a person using nmap to test their own network for open ports. You have it, you use it, you go to prison for it. But great, I can now finally open my security scan company and make big money ;). Simply run nessus and send the raw output to the customer, then charge 10k for it. Total effective worktime < 10 minutes. I do it for 6 months and then go into retirement.

    I doubt that this is what your grandparents fought for during WWII. Do you want a Hitler 2.0 as neighbour? I don't. So far I was an immigrant to the UK, but now I feel more and more as a political refugee. Sad but true.

  10. Anonymous Coward

    @Keith T

    It's an obvious troll, but I just have to say... I'm not a locksmith, but I can still buy a drill pretty much anywhere... :P

  11. peter

    Online Vulnerability Scanners

    Obviously something I will discuss with my lawyers, but what are your thoughts on the following:

    An online vulnerability scanning service that has tools located in another country has a scan requested by a server owner in Germany.

    * Should fear of extradition be a factor and service be denied to German customers?

    * Should this new law be seen as a possible marketing tactic as nobody in Germany is now allowed to run Nessus? :)

    * What if the German customer is based in Germany but his server is located in another country?

    Regards,

    hackertarget.com

  12. James

    @Keith T 2

    "Lawmakers must do their elected duty and end the anarchy and lawlessness of the internet."

    Lawmakers were elected to end the anarchy and lawlessness of the Internet? Wow. And here I figured we wanted them to do things like maintain the infrastructure, spend wisely, tax us less and try not to get into any wars. Man are my priorities messed up!

    I do agree, though ... any security personnel working with tools that could possibly be used to criminally hack a system need to subscribe to federal criminal databases (with IP addresses and MAC addresses and other distinctive electronic identifiers) in order to avoid letting their tools fall into evil hands. This includes paper clips, by the way, as they have been demonstrated to be valuable criminal hacking tools. (See earlier El Reg article, among others.) Also, the world needs to strictly regulate and promptly prosecute anyone and everyone who has ever told someone else any of their passwords, as those can clearly be used for evil purposes. Oh ... and we definitely need robust laws on the books to curb the practice of not changing every password when an employee leaves a company because, you know, they could use those tools for evil. I'm sure there are more ...

  13. Keith T

    Any ethical security professional would welcome controls

    It is lame to resort to name calling "David".

    The Reg's article describes the software being outlawed as dual-use, not general purpose.

    I don't want to get overly technical, but I do not believe the Germans are outlawing "IF" statements (which would be analogous to the multipurpose electrical drill).

    What the Germans should be doing is outlawing such dual-use security invading software in the hands of anyone other than a licensed security professional. I agree that completely outlawing it is going overboard.

    We all want our professions to be respected, and any actual ethical security professional would welcome the advent of ethics and controls for his/her profession (once he/she thinks about it).

    Registration of IT security professionals would protect the public, as it does with locksmiths, physicians, dentists, pilots, motor vehicle drivers, architects, and (in most developed countries) engineers.

    Registration would benefit the profession by initially helping stabilize billing rates, and as the profession hopefully gained respect, improving billing rates.

    James, the internet is part of the infrastructure you say we elected our elected representatives to maintain.

    If we agree on that, we largely agree. Internet security is but one of many concerns our elected officials should be actively addressing.

    It is true that many hobbyist hackers prefer no controls on security software. They see the internet as being in test mode, and they should be able to experiment. Unfortunately that conflicts with those who want to use the internet in production mode for commerce and communications.

  14. James

    @Keith T

    If you want your web site, or any internet connected service to be secure, then it is your job to secure it. You think that by licensing security professionals you're going to magically stop people from hacking into your site. HAH! Mate, are you living in a dream world? If I were to look up yesterday's ssh attempts I can almost guarantee that 90% of them originated out of 3rd world countries.

    Also, do you think that by making security software licensable you're going to stop people from using those tools? Hands up how many people here have ever run an unlicensed version on windows?

  15. Anonymous Coward

    Goodbye German IT

    Well, this is it - the effective end of German IT. Germany hosts many international companies and their data centres. If it's no longer legal to possess and exploit the tools needed to protect those centres from hackers, whether inside or outside of Germany, the centres will move. There's already cost pressure from cheaper countries, now the beancounters will enlist the corporate lawyers to leverage the moves.

    Meanwhile these guys are legalising police snooping on private computers. Not good.

    Looks like it's time I found a new job before the rush. Anyone need an English computer guy with years of experience and reasonable German? Bitte.

  16. Anonymous Coward

    Dual use or general purpose is almost the same...

    One can make a port scanner out of netcat (aka network copy) or even from cmd and telnet (both are installed on every Windows machine by default). For a DoS tool, you could flood a DNS server with nslookup (also a default Windows program) with locally disabled caching. Most hacker tools are just normal programs used in a clever way. It's one thing to outlaw viruses and hacking kits, but they didn't do that. What the legislation is saying is that it's illegal to own software that could be used as a hacking tool. One such software is Internet Explorer, which can be used to craft malicious HTTP requests (by typing them into the address bar) that could crash or hack a webserver. There are better, so-called ready-made kits but instead of outlawing them they just outlawed everything that has to do something with networks and can be used as a general purpose tool. (btw, there is a clever way to use Internet Explorer with some tricky scripting for mapping a remote webserver for unpatched security holes, so if they ever want to put this law into use, I suggest they should make all browsers illegal to own and make sure everyone deletes every OS that has a browser built-in)

  17. James Osborne-Smith

    Trolling

    Keith - re-read David's post without your ego blinkers on. He's saying that his comment is an obvious troll, not you.

    The whole thing about lockpicks only being available to licensed locksmiths is a false comparison. Lockpicks are a physical object, only copyable with a certain (fairly high) level of skill. Security software is a virtual object and easily copied.

  18. Gregor Kronenberger

    Re: Keith T

    "What the Germans should be doing is outlawing such dual-use security invading software in the hands of anyone other than a licensed security professional. I agree that completely outlawing it is going overboard."

    While you have an interesting idea, I think that the LAST thing Germany needs is even more bureaucracy. A car is a dual-purpose tool: I can drive along the Autobahn at 250km/h and I can decide to steer it into the crowd gathered in the nearest pedestrian precinct. Clearly, one of these uses is legal, the other is not. Why can we not apply this to performance and security testing tools? Is a `dual-purpose' tool as dangerous as a gun?

    I need to figure out whom to write about this abomination of a law, so that it can get changed. But considering that a recent report showed that German politicians do not even know what a browser is, nor use the internet, it's clear how such a thing could get passed.

  19. Anonymous Coward

    Dual use, and professionalism

    I suppose it depends on the definition of "dual use". If it's been left deliberately vague (so it catches performance testers, as mentioned above) then it's a really poor law. If it's written well and only covers those things that are primarily for malicious purposes, but can be semi-plausibly claimed to be for legit purposes, then it's not too much of a stretch to consider a licensing regime.

    It shouldn't restrict "checking the door's locked" to computer professionals though.

  20. Stuart Van Onselen

    Controls?

    Dear Mr T (sorry, I couldn't resist...)

    I'm afraid you may be missing the point. The point is, just about anything can be defined as a "hacking tool", as the law is too vague. The point is, even a paper-clip can be a hacking tool (or a lock-picking tool.) The point is, there is no exclusion for certified professionals, leaving German networks vulnerable. "If hacking tools are outlawed, only outlaws will have hacking tools."

    OK, that's actually three points.

    But even if there was some exclusion for "certified professionals", it means that every network admin would have to fork out $$$ to check his network every time he reconfigured it, instead of just doing it himself. Also, these "certified professionals" would probably end up being monitored by "the authorities" to such an intrusive degree that many would just look for other work, or other jurisdictions. In fact, such an exception would probably be totally unworkable, due to the difficulties in monitoring it.

    Not that they've even tried it...

  21. Thomas Fischer

    Online Vulnerability Scanners

    >>* Should fear of extradition be a factor and service be denied to German customers?<<

    The law is only applicable in Germany so you will be safe if you sit in another country. Only you can never go back to Germany for a visit. At least for 35 years. Extradition is an option but then I also want the extradition of spammers ;). The chances of getting an extradition are slim to non-existent. The use of nessus is not illegal in the UK therefore you didn't break any laws in the UK regardless of where the target system stands. And also the server owner contracted you to do this scan.

    >>* Should this new law be seen as a possible marketing tactic as nobody in Germany is now allowed to run Nessus? :)<<

    Surely somebody will base marketing based on this. ;)

    >>* What if the German customer is based in Germany but his server is located in another country?<<

    Doesn't matter, the law is broadly enough defined so you will be busted as long as you sit in Germany when you use the tool.

    God only knows what they thought when they introduced this law, but it certainly shows that the German government knows absolutely nothing about the technology. Also displayed in the suggested change of law with regards to secret online searches. I still wonder how they want to do this as there are very easy and effective methods to prevent this, which the determined terrorist will know for sure. So far they could storm into a house and seize the equipment, boot the machine and read what is on the HDD. Now they will have to break very strong full HDD encryption and pre-boot authentication systems and will never read what is on the HDD. Ohhh well... stupidity never dies out.

    Is like sending a suspect a letter with 'We will search your home in one weeks time'.

  22. Anonymous Coward

    @ Keith T 3

    "It is lame to resort to name calling "David"."

    He wasn't name calling, Mr. so-called "Keith". He was referring to the statement he was about to make as "trolling", dumbass.

    Now *that's* name calling.

  23. Michael

    @ Keith

    "James, the internet is part of the infrastructure you say we elected our elected representatives to maintain."

    Here's the thing though. Who "owns" the internet? To what extent can/should a government regulate it?

    Should a law regulating the internet apply to German citizens in Germany? In which case, what about Germans abroad, and foreigners in Germany?

    How about all people in Germany? In which case, can I legally step across the border into France and then do whatever I wanted to do before?

    How about All Germans -- home or abroad? In which case, does the government retain the right to govern its citizens that are not resident within the country, and how would the government enforce such laws when the "perpetrator" is elsewhere?

    How about servers in Germany? In which case, if my web hosting service is based on Germany, am I prohibited from testing my own website?

    Or what about data transmissions going through Germany? In which case, can a Brit, testing a server in France, which happened to take a route across German data lines, be charged with a crime? And again, how could the government enforce this?

    The main reason governments shouldn't try to govern the internet, is because the internet doesn't belong to them. That and the fact that most governments are so painfully ignorant to modern technology that you could probably get them to pass a law banning air if you told them it was for internet security.

  24. Ekhart

    misinformation, gossip, lack of foreign language skills, etc.

    I can understand that ZDNet and other superficial news outlets make money mainly by spreading rumors, but I'd have thought the Register would do some serious investigating before claiming that the law indiscriminately criminalises the creation, possession, or even use of dual-use security tools.

    Maybe the problem is that almost no English speakers speak German (or any other foreign language) and that even most English-speaking journalists(!) don't speak German. And German politicians haven't had time to explain the new law to the rest of the world since even most Germans, even and especially geeks, haven't yet understood or wanted to understand it and/or want to disparage the law because it restricts their self-proclaimed "right" to enter other people's computers and/or because they love bashing Germany...

    The main problem is that the Internet started out and is still a Wild West and that the technology involved makes simple things look complicated and/or lets "experts" make it look complicated to normal users. Very few people would claim that it should be legal for people to try to physically break into businesses or that this would help prevent crime. Even if hordes of people were running around at night getting kicks and "glory" by trying to break into businesses, no amount of security experts could confuse normal people into believing this is a good idea. Normal users are beginning to understand enough about computers to see that most of the experts claiming the same kind of nonsense about attempts to break into business ICT networks are emperors without clothes. No wonder the politicians are finally doing something to clean up the mess that produces incredible profits for the security industry...

    http://www.gruene-bundestag.de/cms/default/dok/185/185882.gesetz_zur_computerkriminalitaet.htm

    It has now been made clear: only those computer programs are covered that were produced primarily for the purpose of committing criminal offences. That a computer program is merely "suitable" for this is not enough to establish criminal liability; in substance it must be "malware". This clarification makes it plain: dual-use tools are not covered by the criminal provision, and their developers are not criminalised. The authorised and intended use of computer programs by network administrators, as is customary in the industry, for example to test the security of their own or their customers' data networks, is likewise not covered by the criminal provision. In cases of doubt it will help that this is an offence prosecuted only upon complaint: without a criminal complaint from the affected data network owner, criminal proceedings are ruled out. In addition, it was important to us Greens to clarify that the law is aimed primarily at professional providers.

  25. James

    Hmmm ...

    By James

    Posted Tuesday 14th August 2007 07:05 GMT

    That wasn't me! I guess El Reg's registration system doesn't check for dupes ... hhrrm.

    But I do agree with Michael re: owning and governing the Internet (see, I capitalize "Internet", not like the "other" James). I do not believe it is any government's responsibility to police the Internet or, in this case, software tools. They are far too ignorant (I mean that in a nice way) to hope to understand the implications of any rulings they may make. In addition, legislators tend to read the Executive Summary, but not the details of any proposal, which is anathema to such a detail-oriented construct.

    Let's leave governing the Internet to the governance bodies already in place, who are working hard to do what's right for the global network. Let's leave pronouncements about "good" and "bad" software to those who use them.

    Go ahead and continue to prosecute anyone who uses those tools for evil purposes, but banning the tools themselves is ridiculous ... and I'd say that to any legislator who asked.
