Secure Germany
26/09/2007, written by Boris Mutina
It has been a few weeks since Mrs. Merkel, on her visit to China, complained about spyware and hackers attacking German institutions. And a few weeks before that, the Strafgesetzbuch (the German penal code) was updated. Mrs. Merkel's government probably wanted to distract all German hackers, crackers and script kiddies from attacking their institutions. From a professional point of view, this is a bad implementation of what may be a good idea.
The so-called anti-hacking law is part of §202 of the German penal code, which deals with the inviolability of correspondence. But the newly added parts speak about possessing and using hacking tools, querying systems to get information... Let's look at what is inside.
§202a Spying on data
(1) Whoever, for himself or for another person, obtains unauthorized access to data that are not intended for him and that are specially protected against unauthorized access, by bypassing the access control, will be sentenced to up to 3 years of imprisonment or a fine.
(2) Data in the meaning of paragraph 1 are only those that are stored or transmitted electronically, magnetically or in another form that is not directly perceivable.
§202b Querying of data
Whoever, for himself or for another person, acquires with the help of technical means data that are not intended for him from a non-public data transmission or from the electromagnetic radiation of a data processing device, will be sentenced to up to 2 years of imprisonment or a fine...
§202c Preparation of spying and querying of data
Whoever prepares a crime listed in §202a or §202b, in which he
1. passwords or other security codes that enable access to data (§202a/2), or
2. computer programs whose purpose is committing such deeds,
produces, obtains or provides to another person, sells, hands over to another person, spreads or otherwise makes accessible, will be sentenced to up to 1 year of imprisonment or a fine.
Some points are clear: you cannot intercept any traffic except that intended for you; you cannot access the data you intercepted or acquired; you cannot own word lists used for brute forcing sessions; you cannot even have the brute forcer, port scanner or any other tool that can be used for these "non-legal" activities. But for your daily job as an administrator or support team member you need some of the tools that are now prohibited. If an administrator wants to check the network traffic with Ethereal and needs to download it, he commits a crime. Moreover, security testers are cut off. Their job has become illegal.
Think about how many tools you can use for hacking, spying on data, sniffing, brute forcing, testing etc. German law doesn't allow you to test the security of your own network, because that is a crime. Does the German government think that all systems are safe and there is no need to test them? Well, if testing is a crime, then many others, mainly malicious people, will test German systems. Then it is no wonder that spyware was found in German institutions. But how did they discover it, if it was hidden? They checked the logs (and logs are the result of analyzing traffic, processes...) or performed some other kind of analysis; it seems they committed a crime...
Think about what you can do with a default installation of an operating system. For example, Microsoft Windows contains many such tools: the ping and tracert commands (you can test the availability of your own systems, or test whether the system you want to attack is up...), telnet (you can use it to connect to services for administrative tasks, or to grab a banner...), net (a command with many possibilities for a system administrator, or a tool for attacking and compromising a system?)... What about your browser? Even that can be used either for reading a newspaper or for web application hacking... Or when you look for a WiFi access point at the airport and accidentally find lots of other APs that belong to the handling company... All of this is possible with a default Windows installation; you don't need any special software. By that logic, Windows or any other operating system should be prohibited in Germany, because it is a set of tools that help to breach the law. And Microsoft and many other vendors of operating systems (like Novell-SuSE, the most popular Linux distro in Germany) could be sued for spreading and providing such tools to users.
And we still haven't mentioned other tools, like Ethereal, nmap, or even Metasploit. There are lots of other tools that simply exploit an administrator's laziness to dig out information that is normally not available.
The Chaos Computer Club is the most famous hacker club in Germany, and thanks to this law its activity is now questionable. In December of this year, the 24th Chaos Communication Congress should take place. Such events are mainly focused on knowledge transfer. If the German government takes the law seriously, then all the participants with laptops. All speakers can be sentenced, because they "prepare a crime" even if they only talk about issues and show their findings from security research.
We pointed out another important thing: knowledge. Security tools also provide knowledge about how attackers attack a system and how to stop them. Without proper knowledge, and without testing with tools, you can only hope that what you have is enough. Somebody could say that following best practices is enough. Wrong. Education in the security field is important; without knowing what an attacker can do to a system, we will never find the best remedy.
Of course we understand why such points were added to the German penal code. Cybercrime is a hot topic nowadays and every country is trying its best to fight it. But local laws aren't enough when most attackers are from foreign countries; how would you sentence them? If somebody steals your car from the street because you forgot to lock it, whose fault is it?
Therefore, since this law is now in force, take special care when traveling to Germany.
UPDATE: Thierry Zoller of n.runs AG posted today on the Full Disclosure list a message in which he stated:
"We are fed up with the ambiguity and confusion surrounding Germany's controversial new anti-hacker law and n.runs AG decided to put the law to the test; we reuploaded BTCrack (the Bluetooth cracking tool) and furthermore added a new item, the source code to the Linux port, for immediate download."