Germany outlaws 'hacking tools': An impossible ban for sysadmins?


A recent update to the German criminal code has outlawed so-called "hacking tools." The move has drawn angry responses from security experts worldwide, who have branded it "ill considered and counterproductive."

The overhaul was designed to tighten up legal definitions in order to make actions like wireless sniffing and denial of service attacks irrefutably illegal. Previously, only attacks directed towards government organisations or corporate entities were felonious. The new regulations also make it an offence for "unauthorised users to bypass computer security protection to access secure data."

Why the big fuss? Surely it’s a good thing -- cracking down on the bad guys and making the world a safer place. The problem is with the way that the new regulations are worded. Under these regulations the creation, installation, or distribution of "hacking tools" is strictly forbidden.

An interpretation by arstechnica.com states, "Manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures is verboten." Obviously this is primarily targeting creators, distributors, and users of trojans, malware, "botnets," and the like. However, with this rather loose description fitting almost every security-related application in a system administrator’s toolkit, it quickly becomes clear that there’s a problem. Chaos Computer Club spokesman Andy Müller-Maguhn was obviously unhappy with the new legislation -- he told arstechnica, "Forbidding this software is about as helpful as forbidding the sale and production of hammers because sometimes they also cause damage". He also went on to point out that "safety research can [now] take place only in an unacceptable legal grey area."

If it’s illegal to create, distribute, and use legitimate security auditing tools, then security analysts and system administrators can’t assess the security of their systems or track down potential vulnerabilities. When you actually think about the huge array of programs that can be used for either legitimate auditing or potentially illegal activities, the list is endless. The use of powerful penetration testing tools like Nessus is most certainly questionable; even a simple port scanner could be considered malicious software. If administrators were unable to use tools like these to check their systems for exploitable entry points, then surely security as a whole would suffer and cyber crime would win. You can be sure that the new legislation won’t deter serious criminals from continuing to develop malicious software and exploiting vulnerable systems. I can’t see that this leaves administrators with any choice other than to continue working as usual in the hope that common sense will prevail.

While I’m sure this matter will eventually be clarified, it raises some interesting questions. Can somebody certify that a system is secure without using software to try and circumvent it? Should lawmakers be required to make more of an effort to understand the real-world implications of their bills? An even bigger question is: can you ever really ban software? I don’t think many of the computer viruses in the wild are "legal" but they are still prevalent.

49 comments
Locrian_Lyric

More nonsense in outlawing the use because of the abuse....

TBBrick

It seems like the world is going through one of its paranoid-schizophrenic stages again. Between civil wars, IEDs, crazy weather, and who's gonna set off a dirty bomb where, people worldwide are just flat afraid. When "the people" are afraid, their nefarious politicians perk right up. It's a prime opportunity to twist laws to make them as restrictive on their citizens and as lucrative to themselves as possible.

SJMcD

I will admit that my knowledge of the legislation comes entirely from this article, but I noticed a quote from the legislation that it was an offence for "unauthorised users to bypass computer security protection to access secure data". I would think that employees using such tools to do their job would not be affected, as they would be considered authorised users. They would be authorised, as their employer, on employing them, authorises them to use any tools they need to perform their job properly.

Dr_Zinj

Germany is obviously being governed by congenital idiots. (Probably imported from the United States's current administration) What this really means is that Germany has outlawed the computer security industry in their country; as well as declaring open season on all German computer systems to hackers outside their country. Technology is neutral. The uses and purposes for which it is used is not.

demonhunterii

A similar law is due to appear in the UK in around April 2008 with the revision of the Computer Misuse Act. It is based on meeting the guidelines of the Council for Europe Convention on Cybercrime (as are Germany's actions I'm sure), which states that countries must make it illegal "the production, sale, procurement for use, import, distribution or otherwise making available of...hacking tools or passwords". Issues arose that led parliament to the need for "intent" both for the creation and obtaining of the tools - basically sys admins are alright as long as they have no intention of committing an offence. However there are still issues with the distribution, worded as "is likely to be used". How this will be tested is still to be determined, but it could still cause severe problems. Overall, I think it's just an interesting case of how people are approaching the same problems, but not quite learning from each other. Though undoubtedly it will be sorted in the not too distant future... D.

oz_ollie

Well done to German bureaucrats - they have just outlawed all Linux distributions (obvious), Microsoft Windows (ping, etc), Microsoft Office (VBA is used for writing viruses), Mac OS X (Network Tools, etc), and pretty much any other operating system. The first person charged should be the Federal Chancellor, as head of German government, because I'm sure he has a computer in his office!

cristi

I work for a corporation which has computers all over the world, including Germany... They are all visible to each other via tunnels. Does this mean I cannot sweep-ping my hosts in Germany? Or scan them for exploits? Or develop tools to test their security? P.S. I am (physically) not located in Germany...

Double DeBo

I think the title speaks for itself.

fgranier

It is a new way of getting more tax money. You will be charged for a certification, like electricians and other skilful workers. What if you are in France and produce the tools, will it be adopted in the EC like RoHS has, or will it die on its own? Will the Asian countries follow? It's just another brick on the wall?

TonytheTiger

"possession of criminal tools" in the US. It's perfectly legal to own a crowbar, for example, but if you're caught walking in an alley at night carrying one, you can be charged.

wburr

The problem with the leadership elements on all sides of the Atlantic is that they make laws concerning areas and technologies that they know virtually nothing about. And in the short term it may pacify some who think that they have taken a brave new stride. The fallacy, however, is you should criminalize a body of behavior that gets you from point A to point B (actually hacking). You can hang someone if you possess rope, but I don't see a need to criminalize ownership of rope. Many tools have equally important and valid uses also. Who wants to make it a criminal offense to own a soldering gun/iron? WB

mellsworth

I see it from the standpoint of getting a government license or application to specifically use/develop/apply "hacking" tools to be used in the confines of a business etc. That would definitely make hacking illegally much easier to prosecute.

apotheon

Germany has a long history of stupid, tyrannical laws like this. Consider, for instance, that holocaust denial (stupid and wrong, but hardly a "crime") is punishable by prison time in Germany. I recall reading an article a couple years ago about a man who was jailed there for publishing an academic paper enumerating the major points of "evidence" generally cited by holocaust deniers. I guess that it won't be long at this rate before people who question catastrophic climate change in Germany get thrown in jail, too -- especially considering that there are so-called academics in the US who are literally comparing those who question pro-catastrophic climate change conclusions with holocaust deniers. All network administrators criminals because of tools like ping . . . ? Hardly a surprising bit of legislation, considering we're talking about Germany here. So much for the German tech industry. I bet the people working for SuSE in Germany are actually becoming a little bit less annoyed that Novell bought the company, since now the acquisition might mean they get a chance to move out of the country to keep their jobs.

Snak

.... very rarely produce competent solutions. This is not the first time people who know nothing made the rules. Why not ban the use of fire because it's the tool of the arsonist. The case of the judge who didn't even understand the concept of a 'web site' presiding over the trial of a hacker/spammer is a good example of the incompetence of 'those in charge' to understand what happens in the real world. It's estimated that £100,000,000 (about $200,000,000) each year is spent on the wrong computer equipment in the UK because the people that don't know don't ask those who do. It seems this problem starts at the 'top'.

Inkling

I hate to take it in this direction...but I simply can not help myself. This is almost as silly as trying to ban guns because they CAN be harmful.

bandoonation

This problem has been resolved, and it is only a matter of time for the lawmakers to catch up

mgordon

I use "nmap" frequently. Most recently we had a problem with the HVAC (heating, ventilating and air conditioning controller). The controller would not respond to Internet Explorer, but was the controller dead? NMAP revealed that the controller was listening on the designated control ports but was not listening on port 80. Nmap is a port scanner, a relatively minor tool for a hacker but very important for network engineers. Another use of it is to remotely detect trojans on my four-state network. Nmap allows me to do a survey on the entire network looking for ports that have been opened by backdoors and trojans. I use tcpdump almost every day; most frequently to diagnose email problems. It lets me see the actual tcp "conversation" between servers. It can be considered a hacking tool, although by itself in a switched network it isn't all that useful. It is useful to me since I can establish the "sniffing points" (port mirroring, or "span" in Cisco speak).

TBBrick

In the USA, with our current climate of hysterical reaction to anything that could be remotely misconstrued as endangering homeland security, I'm not keen on betting my life/freedoms on some government bureaucrat deciding if my employer's authorization is legal or not.

apotheon

"Technology is neutral. The uses and purposes for which it is used is not." 'Nuff said.

Justin Fielding

is to prosecute the companies who make hackable software. If software firms don't ensure that their products are secure then when it's hacked their negligence is the cause of the breach, not the tool which exploited their poor software coding. Just a thought.

apotheon

Got it. Somehow, I didn't realize that walking through an alley at night suddenly turned people into criminals who, during the daytime or in a garage, wouldn't otherwise be criminals. It's a bad idea for Germany with regard to software, and it's a bad idea for the US with regard to physical tools.

jschmitz

And licensing anything ensures quality, as well as raising massive loads of cash for the government. Of course, that means more government-provided mandatory schooling, and all the associated cash-soaked levies. And those of us who've had to stomach state-run technology courses, where we learn things like, "(t)he Internet is not something you just dump something on... (it's) not a truck. It's a series of tubes," know exactly how good that'll be for everyone. Bad law makes for bad behaviour. -Jim

TBBrick

between the evidence of German history and having been stationed there for four years with the USAF, it doesn't surprise me a bit that Germany came up with something like this. Don't get me wrong, unlike others I was stationed with, I thoroughly enjoyed my time there.

Henry Nymann

That was *exactly* what I thought when I read this article!

info

I immigrated legally to the US because of draconian gun control laws of Canada. Up there only bad guys and the government are allowed to have guns - everyone else is a pre-approved victim.

leonard_aj

I see most of the responses from U.S. persons. I agree, the law just imposed by those of little knowledge/understanding is rather stupid; however, it is an extreme case of micromanagement and a first step in the right direction. We, in the U.S., should be vigilant in ensuring this mistake isn't adopted at home. An administrator and his/her personnel must have the ability to use any tool available to protect the environment in which they are responsible to maintain. Those currently affected by the legal restrictions should take it upon themselves to lobby and educate their lawmakers enough to prove the necessary changes. Remember, if you do nothing but complain, you become part of the problem.

Iam_Mordac

I believe you are missing the point of this tale... ALMOST ANY PROGRAM CAN BE USED TO HACK AND IN GERMANY THEY COULD ALL BE ILLEGAL!!! If I do a ping sweep on your address space to map out your network, were I in Germany, I could be prosecuted. NMAP is a lot more powerful than ping. Taken to the extreme, just having it on your network/pc/thumbdrive/cd could get you in deep doodoo! Thanks for sharing your use of known hacker tools! Have a nice day. ;)

SJMcD

TBBrick, I can see what you mean. To me having employees automatically authorised in order to do their job, would be common sense, but then again common sense seems to be a rare commodity in today's world, due to a number of reasons, including threat to homeland security which you pointed out.

TonytheTiger

that cannot be hacked. There may be some that *hasn't* been hacked... yet! It's like designing bullet-proof vests. Sure, it works against today's bullets...

ralphclark

OK, but what if they're wearing a mask and a black and white striped jumper? :-D

Neon Samurai

My read of that initial post was that someone wouldn't be walking around dark alleys at night carrying a crowbar without intent. Intent being the most important part of physical or logical tools. I've software on my flashdrive that can't cross borders legally. I can use those tools at home with the intent to audit my own network. I can use those tools to audit another person's network provided I have their approval. As soon as my intent becomes to audit a network I don't own or have approval to hammer on then there is a problem. If I'm traveling, I take a cleaned flashdrive and save myself stress from overzealous border guards. I don't read the previous post to say that anyone with a crowbar in hand and caught in an alley between a half hour before sundown and a half hour after sunup is criminal; they sure are suspect if they don't live on one side of that alley though. This is close to the Gun argument. Is it better to ban or allow firearms; is it better to ban or allow security software. On one side, you have an armed nation where individual intent must be accounted for and realized by those who are armed. On the other side, only those certified to own a firearm have them. Either way, it only affects those who respect the laws since availability of either item hasn't yet been hindered by any laws created to date.

apotheon

I guess I should expect you to vote for Ron Paul in the primaries and general Presidential elections in 2008, then -- right? You seem to favor both freedom for use of technology and support of the 2nd Amendment.

SJMcD

TBBrick, I guess you are saying there that common sense (or whatever you want to call it) to us prototypical computer nerds brings us to a different conclusion than, say, the common sense of a politician due to our experiences being different? That sounds fair to me. Although I would have thought that with all the advisers that the politicians seem to have today (or is that just here in Oz?) that each politician would have an adviser with "prototypical computer nerd common sense", or maybe that is just part of my "prototypical computer nerd common sense" bringing me to that conclusion :)

TBBrick

SJMcD, IMNSHO, common sense, reasonable thinking, logic, however you want to call it, is a bit like beauty, much in the eye of the beholder. I expect the prototypical computer nerd (including yours truly) sees common sense as you do. Give the authorization to the network nerds to use our favorite tools and let us do our thing keeping the network safe. What we computer types do get hysterical about makes absolutely no sense to the rest of the world. Issues such as whether Bill Gates is a shrewd businessman or the right hand of the Antichrist. Or Firefox vs. IE, Windoze-Linsux, do we wait until Vista SP1 or SP2 before we start upgrading our systems, etc. ad nauseam.

ralphclark

...I just couldn't resist a smartass remark :-) I'll give up my so-called "hacking" tools when they prise them from my cold dead fingers. It's not that I need them all that often, it's just that, well as a guy you always want to keep a well-stocked toolbox. Nobody has the right to take a guy's tools away. As long as they are passing stupid laws like this I feel quite comfortable with ignoring them.

apotheon

I'm not saying you shouldn't be aware of suspicious behavior, and keep up your guard -- just don't criminalize behavior that is merely "suspicious", or tools that can be misused. Criminalize the misuse of the tools and behavior that confirms suspicions, instead. In other words, the bad stuff is already illegal. Making it illegal to own a digital crowbar won't make anyone any safer.

apotheon

It happens. The key isn't to worry and fret that you might make a mistake -- it's to correct mistakes and learn from them. I could have been clearer in my intent, and I've learned from that. You were willing to correct the potential misunderstanding, so you've done right -- and, in fact, didn't really seem to need to learn anything this time other than perhaps how to interpret my style (which is useful for dealing with me in particular, but hardly a universal life lesson you can't do without). Anyhow, I guess my point without all the rambling is pretty simple: All's well that ends well.

Neon Samurai

I seem to have read the tone of your initial post wrong.

apotheon

"In the first case; Cheers. (I rather hope it's the first case)" Yes -- the first case.

Neon Samurai

If my post read like someone jumping into yet another BS flamewar raging through the TR forums then I should have worded it better. Sure someone walking home from the hardware store after purchasing a new crowbar may pass through alleys. If I'm walking past the opening to that alley and notice someone walking through with an object in their hand, I'll surely remain aware of their presence. This is all regardless of what side of the tracks the event happens on in case racial concerns were of question. That is still different from someone down a dark alley with a crowbar who is creeping about looking at the outside of the buildings. Sure, that may be a home owner fixing something after sundown. If it isn't Sam or Bob (Bob living on the left we'll say) and you are one of those two people; are you going to discount the snooping subject as "walking home from the store"? I should have specified "down an alley and not just passing by" but the discussion was at a general level and I sort of thought the logical assumption to be that. My intention was not to say that anyone caught near an alley after dark is inherently criminal. Of course providing a rational explanation for one's presence would be allowed but I've already mentioned that I'd presumed a subject with intent. The idea was only to point out that I did not read the original post to be in favor of anyone, anywhere caught with networking tools but rather that the post indicated intent with its general examples. I used the firearms debate as an example since it's very similar and likely to be well known from both sides. Anyone's personal feeling on the firearm debate specifically is really irrelevant but good to know you're "for" rather than against. I'm more "for with registration" but realize that a gun license, like the new German law, is only for those who obey laws. I'm not sure about your last response though. The others read as if they were very brisk but the last one left me hanging.
I can't tell if you're being funny or carrying on feelings from arguments with other posts. { "Either way, it only affects those who respect the laws since availability of either item hasn't yet been hindered by any laws created to date." No kidding. } That bit there. I rather thought my statement was obvious. Are you responding to say; Dude, no kidding! That's right on man! or No kidding; you're an idiot for even needing to say it. In the first case; Cheers. (I rather hope it's the first case) In the second case; Bite me. I simply tried to add another interpretation of the same post. My poor wording does not invalidate the content though I could have been more detailed. Either case; Cheers. We're actually arguing the same point and where we have disagreed in past, it's not been something worth arguing over.

apotheon

Walking through a dark alley at night might just mean you're on your way home from the hardware store, having bought a crowbar you needed for construction work on the weekend, at a time of year when the sun goes down at about 6 PM. So much for "intent". "they sure are suspect if they don't live on one side of that alley though." Until that person does something wrong -- actually wrong, not just being on the white side of the tracks with a crowbar -- I don't see that anyone has the right to harass that person at all. If you have no real evidence of intent to employ force or threat of force, you have no right to employ force or threat of force to confirm or allay your suspicions. "This is close to the Gun argument. Is it better to ban or allow firearms; is it better to ban or allow security software." Allow -- obviously. "Either way, it only affects those who respect the laws since availability of either item hasn't yet been hindered by any laws created to date." No kidding.

TonytheTiger

I was just saying that it looks similar in concept to "criminal tools" laws in the US. I fully understand that there are legitimate uses for these tools, and that mere possession shouldn't be criminal unless an investigation into the intent of the possessor indicates criminal activity.

apotheon

It sure seemed like you were offering justifications for Germany's attempt to outlaw "hacking tools".

TonytheTiger

I only want to outlaw the illegitimate use of that tool.

apotheon

How open can you be if you outlaw the tool?

TonytheTiger

I said they were suspect. I don't know of many people who wouldn't be suspicious of someone walking behind their houses in the middle of the night carrying a crowbar. But I am open to what may well be a legitimate explanation.

apotheon

So, the *tools* aren't bad, but the *people* are. That's even worse.
