New German Hacking Law 202(c) – Sites Close & Possible Backfire

This has been floating around for a while and you might have noticed a warning on some German-based security sites that they’ve had to move their tools due to this new legislation known as 202(c) – a couple of examples are KisMAC and Phenoelit.

Basically the new law prohibits manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures, which means that some security scanning & hacking tools might become illegal.

Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers.

The German law — referred to as 202(c) — went into effect on Sunday. Many experts have complained that the language of the law is very unclear, but a strict reading appears to make illegal the distribution, sale and possession of security tools which could be used to commit a crime.

In the latest move, PHP security professional Stefan Esser removed on Friday all exploit code from his Web site dedicated to the Month of PHP Bugs. While reasonable prosecutors would not likely pursue security researchers, the risk is too great, Esser stated.

Source: Security Focus

It’s a pretty worrying state of affairs. It means under strict enforcement the majority of Linux distributions are now illegal in Germany as they tend to include nmap by default!

I also believe it could backfire, causing more problems than solutions.

Germany’s new antihacker law could open the door to more cybercrime and not less, security experts warn.

The legal uncertainty created by the new law will make the work of security experts in Germany more difficult, according to Müller-Maguhn.

“The law is counterproductive,” said Marcus Rapp, product specialist at the German subsidiary of Finnish security vendor F-Secure. “It will make the security situation worse, not better.”

Rapp is concerned about what he calls the law’s “broad interpretation” of hacking and the legal uncertainty it creates.

Interesting stuff…and I really doubt they are going to reverse it.

Let’s just hope no other countries follow suit with such retarded laws.

Source: Infoworld

There’s also a very interesting article on the whole matter by Dark Reading here:

Hacking Germany’s New Computer Crime Law

You can read what the Computer Chaos Club (CCC) says about it here [German].


12 Responses to New German Hacking Law 202(c) – Sites Close & Possible Backfire

  1. dre October 25, 2007 at 1:27 am #

    I talked with Jerome Athias about these laws, and he says that France has similar laws in place right now. It appears the whole EU will likely implement something like this.

  2. Sandeep Nain October 25, 2007 at 5:52 am #

    Well, it seems like good news for hackers in the other parts of the world, as in Europe there won’t be many security professionals left to test or secure the applications, i.e. good chances of finding vulnerabilities in applications developed in Europe.

  3. Sir Henry December 14, 2007 at 7:32 pm #

    Does this not seem like anti-logic? This law simply puts a target on Germany as a playground for hackers. How can one combat a hacker without having the tools to understand said hacker?

  4. Maiku February 2, 2008 at 9:20 pm #

    I live in Germany! It’s true… it’s been all over the news!
    :( It really sucks but they won’t reach anything with this! Too many websites plus people will find ways to continue doing this…
    Police should leave us alone!

  5. Pantagruel February 3, 2008 at 1:29 am #


  6. goodpeople February 3, 2008 at 9:28 am #

    One of my (Dutch) students is of German descent. Although he lives in The Netherlands, he has lots of relatives and friends in Germany. I urge him to leave his laptop at home when he visits his family across the border.

  7. Nobody_Holme February 4, 2008 at 1:36 pm #

    That’s a good point… they may not be legally able to arrest/prosecute on this law if you’re a foreign citizen, due to their own treaties…

  8. Pantagruel February 5, 2008 at 1:08 am #


    Scream ‘terrorist’ and the majority of people will rather have one false positive behind lock and key instead of a false negative running about.
    It’s worrying me that, even among better educated people, the idea of trading in some privacy for potentially more security is gaining ground.
    Again, education seems to be key to demystifying the FUD that is being spread about to justify the reduction of privacy in general.

  9. Nobody_Holme February 5, 2008 at 1:17 pm #

    Well, to be honest, I have no problem in losing privacy for security, as long as it’s implemented well. Like I’d have no problem with security cameras on every single inch outside my house, but there’s no way that’s financially viable.
    Anywho. I meant legally can’t, not won’t… just means they have to let you go, rather than prosecute.

  10. Pantagruel February 7, 2008 at 7:03 pm #


    It’s exactly this implementation that is bothering.
    With many of these privacy and surveillance related the bureaucrats seem to go for the ‘security by obscurity’ approach. In the Netherlands there is talk about a big electronic ‘patient’ database, this to reduce possible mix-ups when handing out drugs or performing therapy. They do discuss what is needed for the system to work, but are reluctant to disclose the actual protective measurements. I am kinda worried that it is just as crappy as our ‘transport card’ system (recently a tech student cloned a day pass, it is rumored the German CCC has data on cloning a full-blown card).

  11. James C March 10, 2008 at 9:16 pm #

    The problem here is Intelligence or lack thereof.
    Intelligent people are too smart to think being a Politician is a good career those, and we

  12. Pantagruel March 10, 2008 at 10:18 pm #

    @ James C

    So damn true, it’s quite sad if you think of it and realise your country is being run by someone who is a high school dropout (and is complaining he should earn more because it’s a responsible job).