New German Hacking Law
There has been much written about the new German hacker-tool law, which went into effect earlier this month.
Dark Reading has the most interesting speculation:
Many security people say the law is so flawed and so broad that no one can really comply with it. “In essence, the way the laws are phrased now, there is no way to ever comply… even as a non-security company,” says researcher Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security.
“If I walked into a store now and told the clerk that I wish to buy Windows XP and I will use it to hack, then the clerk is aiding me in committing a crime by [selling me] Windows XP,” Dullien says. “The law doesn’t actually distinguish between what the intended purpose of a program is. It just says if you put a piece of code in a disposition that is used to commit a crime, you’re complicit in that crime.”
Dullien says his company’s BinNavi tool for debugging and analyzing code or malware is fairly insulated from the law because it doesn’t include exploits. But his company still must ensure it doesn’t sell to “dodgy” customers.
Many other German security researchers, meanwhile, have pulled their proof-of-concept exploit code and hacking tools offline for fear of prosecution.
[…]
The German law has even given some U.S. researchers pause as well. It’s unclear whether the long arm of the German law could reach them, so some aren’t taking any chances: The exploit-laden Metasploit hacking tool could fall under German law if someone possesses it, distributes it, or uses it, for instance. “I’m staying out of Germany,” says HD Moore, Metasploit’s creator and director of security research for BreakingPoint Systems.
“Just about everything the Metasploit project provides [could] fall under that law,” Moore says. “Every exploit, most of the tools, and even the documentation in some cases.”
Moore notes that most Linux distros are now illegal in Germany as well, because they include the open-source nmap security scanner tool—and some include Metasploit as well.
The law basically leaves the door open to outlaw any software used in a crime, notes Sabre Security’s Dullien.
Zoller says the biggest problem with the new law is that it’s so vague that no one really knows what it means yet. “We have to wait for something to happen to know the limits.”
tk. • August 28, 2007 2:11 PM
The most obvious flaw that I see with the law is that it hampers a company’s ability to test the security of their network, externally or internally, since using nmap or, certainly, Nessus is a violation. This will either lead to severe and inane IT policies inside the companies or, more likely, it will leave them in a poor security standing.
This, of course, will make them an easier target. Presumably, that’s the opposite of the intended effect…