Secure Germany

26/09/2007 Written by Boris Mutina

merkelIt’s been few weeks since Mrs. Merkel on her visit in China com­plained about spy­ware and hack­ers attack­ing Ger­man insti­tu­tions. And more weeks ago Strafge­set­zbuch — Ger­man penal code was updated. Mrs. Merkel’s gov­ern­ment wanted prob­a­bly dis­tract all Ger­man hack­ers and crack­ers and script kid­dies from attack­ing their insti­tu­tions. From pro­fes­sional point of view, this is the bad impli­ca­tion of maybe good idea.

So called anti-​hacking law is part of Ger­man penal code — §202. It talks about invi­o­la­bil­ity of let­ters. But newly added parts speak about pos­sess­ing and using hack­ing tools, query­ing sys­tems to get infor­ma­tions… Let’s look, what is inside.

§202a Spy­ing on data
(1) Who, to him­self or to another per­son arranges unau­tho­rized access to data, which are not for him and which are espe­cially pro­tected against unau­tho­rized access, with bypass­ing of access con­trol, will be sen­tenced up to 3 years or fine.
(2) Data for the mean­ing of the point 1 are only these, which elec­tron­i­cally, mag­net­i­cally of in another form are not saved or are being trans­mit­ted.

§202b Query­ing of data
Who, to him­self or to another per­son with help of tech­ni­cal means acquires data from non-​public data trans­mis­sion of elec­tro­mag­netic radi­a­tion of data pro­cess­ing device, that are not for him, will be sen­tenced up to 2 years or fine…

§202c Prepa­ra­tion of spy­ing and query­ing of data
Who pre­pares crime listed in §202a or §202b, in which he
1. Pass­words or another secu­rity codes that enable access to data (§202a/​2)
or
2. Com­puter pro­grams, which their pur­pose is per­form­ing such deeds,

pro­duces, gets or pro­vides to another per­son, sells, gives up to another per­son, spreads or makes acces­si­ble in another way, will be sen­tenced up to 1 year or fine.



Some points are clear: you can­not inter­cept any other traf­fic except that one for you. you can­not access the data you inter­cepted or acquired and you can­not own word lists that are used for ses­sion brute forc­ing, you can­not even have the brute forcer, port scan­ner or any other tool that can be used to these “non-​legal” activ­i­ties. But for your daily job as admin­is­tra­tor or sup­port team mem­ber you need some tools, that are pro­hib­ited. If admin­is­tra­tor wants to check the net­work traf­fic with Ethe­real and needs to down­load it, he per­forms crime. More­over, secu­rity testers are cut off. Their job became ille­gal.

Think about, how many tools you can use for hack­ing, spy­ing on data, sniff­ing, brute forc­ing, test­ing etc… Ger­man laws doesn’t allow to test secu­rity of your own net­work, because it is crime. Does Ger­man gov­ern­ment think, that all sys­tems are safe and there is no need to test it? Well, if the it is a crime, then many other, mainly mali­cious peo­ple will test Ger­man sys­tems. Then is no won­der, that spy­ware was found in Ger­man insti­tu­tions. But, how do they dis­cov­ered it, if it was hid­den? They checked the logs (and logs are result from ana­lyz­ing of traf­fic, processes…), or any other kind of activ­ity, they have done, it seems, they per­formed crime…

Think about, what all can you do with default instal­la­tion of oper­at­ing sys­tem? For exam­ple, Microsoft Win­dows con­tains lot of such tools, for exam­ple, ping and trac­ert com­mands (either you can test avail­abil­ity of your sys­tems or you can test if sys­tem, you want to attack, is up…), tel­net (you can use it when con­nect­ing to ser­vices for admin­is­tra­tive tasks of you can grab a ban­ner…), net (com­mand with var­i­ous pos­si­bil­i­ties for sys­tem admin­is­tra­tor or tool for attack­ing and com­pro­mis­ing the sys­tem?)… What about your browser? Even this can be used either for brows­ing news­pa­per or web appli­ca­tion hack­ing… Or if you look for WiFi access point on the air­port and acci­den­tally you find lot of another AP’s that belong to han­dling com­pany… All pos­si­ble with Win­dows default instal­la­tion, you don’t need any spe­cial soft­ware. Then, Win­dows or any other oper­at­ing sys­tem should be pro­hib­ited in Ger­many, because it is a set of tools help­ing breach­ing the law. And Microsoft and many other ven­dors of oper­at­ing sys­tems (like Novell-​SuSE — most pop­u­lar Linux dis­tro in Ger­many) can be sued because of spread­ing and pro­vid­ing such tools to users.

And we still didn’t men­tioned other tools, like Ethe­real, nmap, or even Metas­ploit. There are lot of another tools, that are just using administrator’s lazy­ness to dig­ging out for infor­ma­tions, that are nor­maly not avail­able.

Chaos Com­puter Club is most famous hacker club in Ger­many and it’s activ­ity thanks to this law is ques­tion­able. In Decem­ber of this year, 24th Chaos Com­mu­ni­ca­tion Con­gress should hap­pen. Such events are mainly focused on knowl­edge trans­fer. If the Ger­man gov­ern­ment will take seri­ously the law, then all the par­tic­i­pants with lap­tops. All speak­ers can be sen­tenced, because they “pre­pare crime” even they only talk about issues and show their find­ings from secu­rity research.

We pointed out another impor­tant fact — knowl­edge. Secu­rity tools can pro­vide also some knowl­edge about, how the attack­ers attack the sys­tem and how to avoid them. But with­out proper knowl­edge and also test­ing with tools, you can only hope, it is enough. Some­body could say, using only best prac­tices is enough. Wrong. Edu­ca­tion in secu­rity field is impor­tant, with­out know­ing what attacker can do to the sys­tem we will never find out the best rem­edy.

Of course we under­stand, why such points to Ger­man penal code were added. Cyber crime is hot topic nowa­days and every coun­try is try­ing it’s best to fight against it. But local laws aren’t enough, when the most of attack­ers are from for­eign coun­tries, how would you sen­tence them? If some­body steals your car from the street because you for­got to lock it, who’s fault?

There­fore, since this law is valid now, take spe­cial care, when trav­el­ing to Germany.

UPDATE: Thierry Zoller, n.runs AG posted today on Full Dis­clo­sure list his mes­sage where he stated:

We are fed up with the ambi­gu­ity and con­fu­sion sur­round­ing Ger­many con­tro­ver­sial new anti-​hacker law and n.runs AG decided to put the lawto the test, we reu­ploaded the BTCrack (Blue­tooth Crack­ing tool) and futher­more added a new Item, the source code to the Linux port forim­me­di­ate down­load.


Share this content: