Repercussions of Bad German Laws on Security Research - Watching the Watchers



	Repercussions of Bad German Laws on Security Research by zeroday Sunday, September 20, 2009 at 03:24 PM EDT This month Iâ€™m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007 I got an explanation from security researcher Stefan Esser explaining why he no longer feels comfortable publishing results to the Internet. Instead of summarizing his explanation Iâ€™m going to repost it here: Dear Visitor, since Friday 10th, August 2007 a new and very troubling law is enforced in germany. It is no longer legal to create and/or distribute so called hacking tools in germany. This includes port scanners like nmap, security scanners like nessus or simple proof of concept exploits like the MOPB exploits. They are now illegal because someone COULD use them to commit crimes. Until today I had hoped that our Bundespresident would stop this insane law with a last minute veto, but now it is official and our government has rendered germany more or less defenseless against the threats from outside germany. Unfortunately our government has been deaf to the warnings from lots of experts that tried to explain how important these so called hacking tools are not only for the current generation of security consultants to do their daily job, but also how important they are for the education of the next generation of researchers and consultants. If you do not know how to attack, you will never know how to defend yourself. Yours, Stefan Esser This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated not destroyed. Yet the German law is likely driving away people from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only. I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction. Some old articles about this: ars technica article about aftermath I need to do some more follow up on this but so far the results look grim. This article originally appeared on Zeroday 01100100011010010.
Home \| Masthead \| Archive \| RSS Feed \| RSS-Spec \| Published by World Readable