First published: 31st August 2007
Ignoring warnings about the consequences from security experts, and the example of the British Government in amending the Police and Justice Bill, the German Government has brought §202c StGB into force, criminalising the creation and distribution of a wide range of security-related tools. Possession or use of dual-use tools, such as nmap or nessus, will be punished with up to one year in jail, and a fine.
Apparently, even possession and use of such tools with the intent to use them only where authorised will be illegal, making it difficult for German system administrators to test whether their systems are vulnerable.
Developers of such tools, and researchers who wish to publish exploits, will also fall foul of the law, and there have been several announcements concerning this:
- The KisMAC (wireless network discovery tool) developers are moving to the Netherlands.
- Phenoelit (developers of a number of interesting tools) have closed their German site, though their US site remains open.
- Stefan Esser (PHP security researcher) has withdrawn all of the exploit code that originally accompanied his Month of PHP Bugs project.
So, those that can will move their operations out of Germany. Some researchers may stop, a blow to security research. Legally testing the security of a system in Germany will be tricky, and the criminals will still be able to target German systems from outside. It is difficult to see a positive effect of this law.