German Researchers to Test New Anti-Hacker Law

N.runs says it will risk arrest and prosecution by putting its hacking tool back online tomorrow


A German security firm, fed up with the ambiguity and confusion surrounding the country's controversial new anti-hacker law, says tomorrow it will challenge the law head-on -- by reinstating a hacking tool it had removed from its Website last month for fear of prosecution. (See Hacking Germany's New Computer Crime Law.)

N.runs will place its homegrown Bluetooth hacking tool BTcrack back online -- despite the risk of prosecution under the new Section 202c StGB of the country's cybercrime laws, which has wrought fear, uncertainty, and frustration throughout the German security industry.

Other German security firms and researchers also have removed potentially prosecutable content from their Websites as a precaution: Renowned PHP researcher Stefan Esser last month, for instance, took down all of the proof-of-concept exploits he had developed for the Month of PHP Bugs in March, and Phenoelit, a German researcher Website that contained the default passwords of various network products, recently handed its content over to a U.S. site operator.

Security experts have argued that the law is so broad and flawed that it's nearly impossible to comply with, and that it could potentially hurt white hat hackers more than black hats. If a piece of code you release or distribute is used to commit a crime, for instance, you're complicit in that crime, said Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security, in a previous interview.

N.runs says it was tired of waiting for the other shoe to drop, so it's willing to make the first move to test the interpretation of the law. Aside from putting BTcrack -- which was written by n.runs' Thierry Zoller -- back on its site, n.runs also will post the tool's source code and announce that it's now expanding its vulnerability disclosure policy, providing more details such as the actual function, variables, and what or how the vulnerability can be verified.

Jan Münther, CTO for n.runs, says he thinks n.runs' challenge may be the first true test of the law, although the Chaos Computer Club hacker group has considered reporting itself to the authorities. And a German IT news site recently reported the German Federal Office for Security in Information Technology (BSI) to authorities for publishing a password-cracking tool, he says.

"As far as I know, n.runs are the first to place their own tools back on their site after first taking them off," he says.

And Münther says the company is ready and willing to face any legal consequences that come with the move. But he's not convinced that the law will ultimately hold up in court. "It is pretty much crystal clear this law will not be upheld [when] it is brought to the Supreme Court," says Münther. "So, either we can just do it and nobody bothers, or we'll get into trouble and take it all the way to the Supreme Court."

Why make a move now? "Clarification is due, as the current situation is literally laming everyone around here," he says. "I actually personally think nothing is going to happen. The lawmakers have repeatedly stated professional IT security activities and research would not be affected -- although the actual legal text does not state this, which is part of our criticism -- so it seems somewhat unlikely to me law enforcement is going to come after us.

"But the uncertainty is the problem, and the reason we are addressing this," Münther says.

Renowned researcher HD Moore says he hopes n.runs' actions draw attention to the inherent problems with the law. "It sounds like a brave move. I hope it works out," says Moore, director of security research for BreakingPoint Systems and creator of the Metasploit hacking tool, which could also be subject to the German law in that country. "It's really a stupid law, and until it gets tested by a court, it's going to stifle security research and productivity."

The law, which took effect Aug. 10, mandates fines or prison sentences for any person who violates 202a or 202b "by providing access to, selling, acquiring, leaving at the disposition of someone, distributing or otherwise making accessible" passwords or access control information. It also outlaws computer programs whose purpose is solely criminal.

N.runs hopes its actions will encourage other German security firms and researchers to put their hacking tools back online as well. "The current confusion and uncertainty is affecting everyone around here," Münther says. "Germany is most certainly not becoming a safer place because of these laws."


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
