Schneier on Security
A blog covering security and security technology.
August 28, 2007
New German Hacking Law
There has been much written about the new German hacker-tool law, which went into effect earlier this month.
Dark Reading has the most interesting speculation:
Many security people say the law is so flawed and so broad that no one can really comply with it. "In essence, the way the laws are phrased now, there is no way to ever comply... even as a non-security company," says researcher Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security.
"If I walked into a store now and told the clerk that I wish to buy Windows XP and I will use it to hack, then the clerk is aiding me in committing a crime by [selling me] Windows XP," Dullien says. "The law doesn't actually distinguish between what the intended purpose of a program is. It just says if you put a piece of code in a disposition that is used to commit a crime, you're complicit in that crime."
Dullien says his company's BinNavi tool for debugging and analyzing code or malware is fairly insulated from the law because it doesn't include exploits. But his company still must ensure it doesn't sell to "dodgy" customers.
Many other German security researchers, meanwhile, have pulled their proof-of-concept exploit code and hacking tools offline for fear of prosecution.
The German law has even given some U.S. researchers pause as well. It's unclear whether the long arm of the German law could reach them, so some aren't taking any chances: The exploit-laden Metasploit hacking tool could fall under German law if someone possesses it, distributes it, or uses it, for instance. "I'm staying out of Germany," says HD Moore, Metasploit's creator and director of security research for BreakingPoint Systems.
"Just about everything the Metasploit project provides [could] fall under that law," Moore says. "Every exploit, most of the tools, and even the documentation in some cases."
Moore notes that most Linux distros are now illegal in Germany as well, because they include the open-source nmap security scanner tool -- and some include Metasploit as well.
The law basically leaves the door open to outlaw any software used in a crime, notes Sabre Security's Dullien.
Zoller says the biggest problem with the new law is that it's so vague that no one really knows what it means yet. "We have to wait for something to happen to know the limits."
Posted on August 28, 2007 at 1:32 PM
The most obvious flaw that I see with the law is that it hampers a company's ability to test the security of their network, externally or internally, since using nmap or, certainly, Nessus is a violation. This will either lead to severe and inane IT policies inside the companies or-- more likely-- it will leave them in a poor security standing.
This, of course, will make them an easier target. Presumably, that's the opposite of the intended effect...
The law is very badly phrased, and this is due to a huge incompetence on the side of MPs, too many of whom are lawyers or economists and have no background in IT at all.
The responsible minister, in the meantime, has commented officially that the law is not meant to be used to prosecute "honest use", i.e. security and penetration tests and the like. However, since this clear specification has not been included in the law, we will indeed have to wait until a case goes to court. As someone has put it, the only ones who profit from it at the moment are black hats and criminals since they are not going to care about what the law says! Talk about Germans being all organised and reasonable?
This is not the only case where IT legislation has gone mad in Germany - software patents fall into the same category of incompetence.
IANAL (neither US nor German), but note that the German system works fundamentally differently from the US system. There are no precedent cases, for example. AFAIK, German courts look into the justification and comments made by the parliament about the law when applying it and cite those in their decisions. The law might be worded a bit ambiguously, but the intention most likely included something along the lines of "tools whose sole use is to break into computers are bad". Chances are you won't get in trouble for buying a copy of XP or Linux.
A better question to ask might be: can the DA charge people with this crime out of public interest (can the police patrol the net and search for exploit authors?) or only upon request (e.g. computer intrusion, criminal copyright infringement)?
Laws that are this broad and unworkable should be immediately void. However, the law is sufficiently unworkable that morally it should be considered void.
Now, what will judges do? That's the practical mystery. Let's hope no one has to be the guinea pig for this.
The Finnish copyright activists tested our new copyright law by breaking it willfully and turning themselves in. The law says that "organized discussion about breaking copyright protection" is illegal - which is very vague. So the guys made a web site, and exchanged all sorts of DVD CSS cracks; and even gave money to the maintainer. And then they turned themselves in to the police, which was then forced to make a decision on whether they would be prosecuted or not.
The case was taken to court, which ruled that DVD CSS is not even really a copy protection system because there were so many cracks available, so discussing it is certainly not illegal.
It might be interesting if a bunch of Germans turned themselves in for purchasing a Linux distro which contained nmap, and using it to scan their own systems. That would certainly bring in publicity, and also establish a precedent.
I think this represents the future of law-making and law enforcement: broad and vague laws which can be applied to anyone whom law enforcers wish to arrest and whom prosecutor wish to prosecute.
The law then becomes a tool to give power to those in the justice system, so that they can arrest and prosecute anyone they choose. If the laws are broad enough, everyone will be a law-breaker, but only those persons who have offended in some way (in any way) will be prosecuted.
This is the ultimate tool against 'terrorism' since it can be used to prosecute persons who have not actually committed any true criminal offence.
As a relatively casual computer user, my biggest regret is that this law has led to KisMAC being discontinued. Given how uninformative the WiFi system built into Mac OS X can be, it was extremely helpful to have a somewhat more capable tool.
We're awaiting with baited breadth the New Haven ordinance prohibiting the sale of flour or other substances that may resemble hazardous substances
> We're awaiting with baited breadth
Speaking for myself, I am waiting with enticed girth.
Even if the law doesn't "work", it still gives the police the power to prosecute and catch you (and in the process find evidence for other "crimes"). And when you come out of jail months later (because a judge closed the case), there is nothing you can do. It works the same with so-called "terrorists".
I don't like the new law (and some others...) either.
However, Mark is right with his comments about how our courts work. Still it remains to be seen how the judges will read the new law.
Personally I don't think police will be out taking people to court for possessing Linux, nmap or Metasploit.
I don't think it will work as a deterrent against computer crime, either.
The justification for the law is available here:
(for obvious reasons in German) and the protocol of the final debate here http://dip.bundestag.de/btp/16/16100.pdf#P.10283
While they mention the problem of dual-use, they don't get the point.
Not only usage for criminal attacks is prohibited, but producing, selling and distributing it is prohibited too.
And how can someone know what his clients intend to do?
He simply can't.
How can I prove, that I downloaded a tool to test my own network?
Well - I can advertise the tool, to be a defensive one - but everyone can do that, just to cover himself.
And everybody may claim to download it for self defense. Well - it might be a defensive lie.
The law produces uncertainty, and people start removing their tools from the web.
Other people might follow.
The law is flawed.
When security software is outlawed, only outlaws will be secure.
I don't know why someone releasing proof-of-concept exploit code would do it anything but anonymously - it only seems prudent given the propensity of laws to change.
Is this law vague enough that software with published vulnerabilities become a gray area ?
Does this mean PuTTY and Perl will be outlawed?
Please ask a lawyer on legal matters, not a cool hacker ;) IANAL, but I have worked with a few lawyers on this topic; they all agree on a few points, which I'll summarize.
The new law does indeed state its purpose clearly:
If - and only if - you are actively preparing for a hack, then the possession, distribution and building of software for this purpose is an offense. The laws you have to be shown to prepare to break: StGB § 202a/b, § 303a/b/c.
Dual-use software (telnet, etc.) is not and will not be considered hacking software; only covered is single-use software, for example Metasploit, exploits in general and similar software. So no Linux distro is illegal now; the same goes for nmap and such, as port scans are not a crime.
If you are a professional security guy or an admin or other function which involves legal applications (pentests, audits etc) the law does not apply to you.
Unclear is whether the publishing of a covered software (exploit) is considered a crime; the memos from the German BMJ (Department of Justice) are unclear on this. This is right now the biggest problem and the source of much discussion. Most probably they are after Metasploit and similar software.
As a side note, the possession, distribution et al. of software for computer fraud has been illegal in Germany for four years. Even the preparation for this offense (§ 263 StGB) is an offense. So if the FUD theorists are right, every researcher of exploits could have been put before a court based on this. It has not happened in the past years.
As a German I'm guessing (and hoping) that this law will be overturned by the Constitutional Court.
@Pluto: "only covered is single use software"
One might argue that there is no such thing as an "inherently evil" software.
@Pluto: "only covered is single use software"
In addition to my previous argument, when reading http://www.bmj.bund.de/media/archive/1317.pdf, it says something completely different:
"The software does not have to be exclusively designed for committing a computer crime. It is sufficient if the objective purpose is *also* committing such a crime."
(Excerpt from p.18, translated and emphasis added by me.)
This also means that it is not possible to have some sort of a "disclaimer" ready that users shall only download the software for allowed purposes.
The court will have to decide about the "objective purpose" of the software in question and whether part of that purpose can be committing a computer crime.
Therefore, despite the fact that there is no "single use" hacking software, the law may apply to software.
Subsequent publications of memos from the BMJ have a different tone in this regard. Even in this document, the sentences before the one you translated state that no general tool, software or application should be considered a "hacker tool" if its purpose is not objectively committing crimes.
What other uses do Metasploit or some generic exploit have? Pentests are not another use, just another context.
One should note as a side note that private computers get protection from break-ins by these changes in the law as well.
So what about just putting the "tool" etc on a web site in Poland or Austria? This is the EU after all right?
"I think this represents the future of law-making" -- well, it looks astonishingly similar to the past of law-making: Emperor/Pope/King got to "interpret" the "natural" law (tradition/bible) more or less as he please.
Does this include the use of Microsoft Excel if it is used to keep track of accounts of illegal bets and debts?
It's a case of the government over-reacting because they do not understand the tradeoffs in contemporary computer security.
Generally, governments have a police monopoly (it sounds even more impressive in German: Gewaltmonopol -- brute force monopoly) for good reason. And they feel this monopoly threatened when everyone can download their own "cyberguns" and put them to use. The government wants the sole authority of protecting its citizens from threats, whether in real life or cyberspace. From this point of view (and taking Europe's tough laws on gun ownership into account), the new law almost makes sense. They want "hacker tools" in the hands of licensed professionals only.
That of course completely ignores the contemporary reality, which is very much anarchistic -- the government does not have the capability to protect us from "cyber threats", and it's pretty much everyone for themselves.
So it's a somewhat sensible theoretic exercise based on the government extending its police monopoly into cyberspace, and to expand gun control to their online equivalents.
I'm not attempting to rationalize the law, I'm just trying to follow their line of reasoning so that we may debate and refute it more effectively.
BTW, if you walked into a department store and asked for a butcher's knife to stick-up people in dark alleys, the clerk would be in a similar moral situation as the clerk selling Windows XP to a "hacker" in the quoted posting.
I write software for a living, that makes me a security professional.
"If you are a professional security guy or an admin or other function which involves legal applications (pentests, audits etc) the law does not apply to you."
Does the law still apply to me? I'm pretty certain a judge in Germany (if they didn't morally and correctly throw the vague law out) would say something stupid like "Well, security is not your primary job function."
It isn't? You mean I really don't think about the security of the code I write every day? I don't think about how to protect data at each stage of every process?
Huh, I had no idea.
You use computers these days, you are practically a security professional. Heck I see no reason why I shouldn't be able to use any hacking tool or anything I develop to test the security of my own personal computer at my home.
It's an unjust and immoral law... Hacking tools != criminal activity.
@Pluto: "One should note as a side note, that private computers get protection from break ins by this changes in the law as well."
This is a very stupid claim. German law will not stop attacks from foreign countries, where 98% of attacks come from. Also, it will not even stop most of the 2% from germany, because they come either anonymized or automatic from botnets and such. Hence it does not help at all. But it does hurt very much, because I cannot defend myself because I feel threatened by my own government. What a bad tradeoff.
I agree with Larry Colen.
Personally I think that the security community should deny all assistance to Germany. All security lists should block German subscribers. All anti-virus and malware companies should not sell products to any government or corporation in Germany. No security professional should assist them in any way.
"You have made us criminals. You therefore do not want our help. Deal with the problem on your own. Have a nice day."
Let them get hacked and laugh every time they do. Pain is the only way the idiots will learn.
Alan: "Pain is the only way the idiots will learn."
Problem is, these idiots you are talking about are of that special type of idiot. When they can't crash with the head through the solid concrete wall the first time, then they will ignore the pain and try a second time with a longer run, a third time with a stronger hit, a fourth time with a plastic helmet -- in the unflinching belief that the concrete wall will finally give up.
That it is impossible to crash with the head through the wall and that they have made a mistake, this will be the last thing they would admit, even when their heads have turned into bloody messes.
They wouldn't be politicians if it would be otherwise.
In the case of this German hacker law the written paragraph is so wide open that the comments, which are written by law academics, are important. If there were a case based on that hacker paragraph, the written comments would be the important part and not the law itself. Sounds weird, but that is because in Germany we have civil law while the US has common law.
@Alan: This law is the local implementation of the cybercrime treaty ( http://conventions.coe.int/Treaty/EN/Treaties/... ) and of an EU directive ( http://eur-lex.europa.eu/LexUriServ/... ), so Germany is - afaik - the first country to implement this, but will not be the last. So let's use this as a learning process where the other countries will use a wording where everybody knows what's legal or not. Hopefully :)
@greg: If, and this is still a big if, the publication of a tool is ruled to be a crime, the German police could extradite you. If you are an EU national, that is. If you are a German who uploaded the software from Germany then it would be easy because you did the upload from German soil; from what I remember about localization of legal problems on the net, this is the approach in use right now.
@christoph: We do have a thing called http://de.wikipedia.org/wiki/Richterrecht which is comparable to the anglo-saxon model and used in cases where there is no law to govern an issue. And then, after the first courts have decided a high chance exists other courts will decide likewise until the BGH has ruled on the matter or the law gets changed.
@Elliott: A law does not directly prevent an attack, but if you get caught, you can go to jail for a DoS against a private computer as of now. This is a deterrent if there is a probability for this to happen. Right now the German police is not always in the position to guarantee this, to say the least. If the politicians would like to make the internet a safer place, they should hire more cops with good education about IT, imho.
@FP: I came to the same conclusion and comparison to gun laws; it does not help right now, agreed. But what if the signatories of the cybercrime treaty would actively shut down all exploit download sites on their soil and in dependent or otherwise influenceable countries? How many sites would still be up? Problem of course: exploits get traded only in the backyards, so if you have the connections, you will get the stuff or code your own. If you are not able to code and have no connections, your days as a script kid will be over. In a positive development in this direction, proof of concept *without* giving shell would still be legal; you could publish the problem and the PoC, but the easy-to-use exploits would be hard to come by. Just brainstorming here, thinking of more than the next few months, or trying to see the changes this would pose on the IT security community.
Ah, as an afterthought, if the vendor of a software would be held responsible for the security issues he includes in the package up to, say, ten times the amount the software is sold for, then the vendors would be more careful, which would be a very big help. Why the cap on the damages? Because then any software you do not pay for could not be made to pay damages, for example open source.
In the justification of 202c it is explicitly stated, that 202c is intended not to be bound to a concrete incident (My first post, first link, page 19).
"§ 202c StGB soll dagegen kein Antragsdelikt sein. Anders als §§ 202a und 202b StGB knüpft § 202c StGB nicht an eine Verletzung der Rechtsgüter Einzelner an, sondern stellt ein abstraktes Gefährdungsdelikt dar, so dass es (noch) keinen Geschädigten gibt, der einen Strafantrag stellen könnte."
(Translation: "§ 202c StGB, by contrast, is not meant to be an offense prosecuted only on complaint. Unlike §§ 202a and 202b StGB, § 202c StGB is not tied to a violation of the legal interests of individuals, but constitutes an abstract endangerment offense, so that there is (as yet) no injured party who could file a criminal complaint.")
In the debate, the speakers claim that security staff using such tools for defense should not be punished.
But they don't think about distribution of the tools.
@Alan: "Personally I think that the security community should deny all assistance to Germany."
Right. Just because a government -- which I did not vote for, I might add, and neither did about 30% of the voters -- does its usual bullshit, the people should suffer. Deny assistance to the government, but not to the people.
@Stefan: The German you quoted says /there does not need to be a complaint filed to have the police investigate, because there is no attacked person who could file a complaint yet/. This is necessary as 202c states that preparation for a felony is a felony already. But the *intention* for a felony against 202a/b and 303b (only b, mistake in my former post) has to be *proven* for 202c to come into effect. On this all lawyers I have spoken to are sure, as far as you can be sure before the courts have had their way.
To note, this intention thing is very crucial and very often overlooked by commentaries.
Actually as this intention can not be proven when you just put the code on the web, this could mean you can publish whatever you want. Some lawyers are very sure, that just the culprit using your code is only remotely connected to you and would not bring about a felony for the publisher. But this would be against the intentions of the BMJ, they have clearly stated that "hacker-tools" which are meant to be used for crimes are definitely covered by 202c from the moment of public presentation, for example on the web. So yes, they will try to punish the ppl who post exploits. But maybe they will fail, hopefully.
For some more stuff in German see:
"A law does not directly prevent an attack, but if you get caught, you can go to jail for a DoS against a private computer as of now. This is a deterrent if there is a probability for this to happen."
First, DoS attacks are aimed at websites of organisations, not private computers. And you don't need tools to perform DoS attacks, nor to defend against them.
But I do need tools to perform penetration tests on my own computers and those for which I am responsible. Now I cannot do my job anymore because there is a law that forbids me to possess and use tools like nmap, Nessus etc. Now those computers will not be tested any more, hence they will be insecure. Thank you.
From the mentioned pdf, Page 17, top:
"Mit dem neuen § 202c StGB sollen bestimmte besonders gefährliche Vorbereitungshandlungen selbständig mit Strafe bedroht werden."
Attempt at translation:
"The new § 202c StGB is intended to threaten specific, very dangerous preparations independently with penalty."
AFAIK, intentions can't be proven.
Did I write that thing for money? As an exercise? To let people harden their system? To let blackhats break in? Do I just go for attention?
And how does that fit to the idea of "prohibiting dangerous tools"?
The tool is dangerous or not, regardless of my intentions, when I developed it, or put it on the web, on an usb-stick, whereever.
The law is in itself a bug.
@Elliot: No, if you need the tools for legal work you may possess, distribute, create any tools you wish. And the DoS thing against private systems is not connected to the tool discussion; it was just introduced in the same law-changing law.
@Stefan: Intention is difficult, sure. If you work as a security consultant, teacher of it security, researcher and the like, so if you are known to do this in the open against your own systems and the systems of your customers, you can be said to have no intention. But this decision will be made by the judge, so more clarification would have been very helpful. In all other cases, the police will have to show proof of active preparation that confirms your intentions. This is not the mind-cops ;)
To repeat, they want to punish those who publish exploits and other "dangerous" software. My hope is, that this will not work as expected, as the intention can not be proven when you put a software on the web. Then you have only accepted that your soft may be used for illegal purposes but were not directly involved in the crime.
Even if you find my comments positive about the law, it has major faults, will be hard for judges and has created much confusion and FUD. Some clarification on the issues of publication, legal applications and who can now safely have this stuff is more than needed. Maybe other countries will get this right in the first try ...
So hacking is still not a crime, unless you get caught ;)
@Alan: That kind of comment does not speak on behalf of its author (wait - actually, it does).
The college professors will kill that law. You can't stop academic freedom. Everyone with a so called banned or illegal software tool can call it an academic version not for commercial use.
Take it to court and test the law. That's what happened to DVD decryption tools. People are going to decode what gets coded. This sounds like banning books. You can't print the code and reading it is illegal. Make T-shirts with the code. I know, the Germans will ban the T's! Morons.
MasterCard and Visa mandate security testing as part of the PCI DSS standard. It requires organizations to undertake regular internal and external vulnerability scanning as well as infrastructure and web application penetration testing.
Every merchant and processor in Germany will be either in violation of the law or in violation of the card company compliance programs.
What happens when these organizations cannot get anyone to come to Germany to do the tests? And anything they do to facilitate the tests could put their management in jail.
@Pluto: "No, if you need the tools for legal work you may possess, distribute, create any tools you wish."
Even if the law was created with that spirit in mind, that does not help me much. What exactly could I present in court to prove that I did not intend to abuse the code I downloaded or wrote myself? I don't own a "gun licence" for security tools, nor do my contracts say explicitly that my job is to do penetration testing using tools. I am just expected to do what I deem necessary to uphold server security. And honestly, I am not keen of paying through the nose for some shitty "certificate" that blackhats could buy equally well (if they like, that is).
The whole "intention" principle is wrong from the start. There would be no problem as long as "in dubio pro reo" is always respected - although parts of the law were then useless, only annoying people that need to defend themselves in court each week.
But politicians like Schäuble and Beckstein work hard to make "in dubio contra reo" the norm. And it has always been practise for judges to imply guilt from "utmost probability" when there is no real proof.
If you like laws that can be used arbitrarily, please let it be used against you in another country. I don't want it to apply to me, thank you very much.
I share the view of Ralph (DE), C. Gomez, RC, Schröder, Painiteo, GiacomoL, Stefan Wagner and others who posted to this thread.
@Pluto: Well - I guess we don't get together on this.
I claim: You can be a security consultant AND a criminal. Those sets aren't disjunctive.
What is the purpose of this law again? It's the wrong answer to the right problem.
A better one is to punish vendors with insecure applications. Just like car manufacturers would be like if they produced vehicles with faulty brakes.
yay! more code on the black market.