Repercussions of Bad German Laws on Security Research

Sunday, September 20, 2009 at 03:24 PM EDT

This month I’m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website, and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007, I found instead a note from security researcher Stefan Esser explaining why he no longer feels comfortable publishing results to the Internet.

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

since Friday 10th, August 2007 a new and very troubling law has been enforced in
Germany.

It is no longer legal to create and/or distribute so-called hacking tools in
Germany. This includes port scanners like Nmap, security scanners like Nessus
or simple proof of concept exploits like the MOPB exploits. They are now illegal
because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespräsident would stop this insane law with
a last minute veto, but now it is official and our government has rendered Germany
more or less defenseless against the threats from outside Germany.

Unfortunately our government has been deaf to the warnings from lots of experts
who tried to explain how important these so-called hacking tools are not only
for the current generation of security consultants to do their daily job, but
also how important they are for the education of the next generation of
researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Yours,
Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated, not destroyed. Yet the German law is likely driving people away from this profession, since publishing on the Internet without fear of criminal charges has become impossible. At best, the researchers who are turning away in Germany are finding other, less beneficial avenues to explore. At worst, they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see the Chaos Computer Club), so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow-up on this, but so far the results look grim.