New German Hacking Law 202(c) – Sites Close & Possible Backfire

This has been floating around for a while and you might have noticed a warning on some German-based security sites that they’ve had to move their tools due to this new legislation known as 202(c) – a couple of examples are KisMAC and Phenoelit.

Basically, the new law prohibits manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures, which means that some security scanning & hacking tools might become illegal.

Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers.

The German law — referred to as 202(c) — went into effect on Sunday. Many experts have complained that the language of the law is very unclear, but a strict reading appears to make illegal the distribution, sale and possession of security tools which could be used to commit a crime.

In the latest move, PHP security professional Stefan Esser removed on Friday all exploit code from his Web site dedicated to the Month of PHP Bugs. While reasonable prosecutors would not likely pursue security researchers, the risk is too great, Esser stated.

Source: Security Focus

It’s a pretty worrying state of affairs. It means that under strict enforcement the majority of Linux distributions are now illegal in Germany, as they tend to include nmap by default!

I also believe it could backfire, causing more problems than solutions.

Germany’s new antihacker law could open the door to more cybercrime and not less, security experts warn.

The legal uncertainty created by the new law will make the work of security experts in Germany more difficult, according to Müller-Maguhn.

“The law is counterproductive,” said Marcus Rapp, product specialist at the German subsidiary of Finnish security vendor F-Secure. “It will make the security situation worse, not better.”

Rapp is concerned about what he calls the law’s “broad interpretation” of hacking and the legal uncertainty it creates.

Interesting stuff…and I really doubt they are going to reverse it.

Let’s just hope no other countries follow suit with such retarded laws.

Source: Infoworld

There’s also a very interesting article on the whole matter by Dark Reading here:

Hacking Germany’s New Computer Crime Law

You can read what Computer Chaos Club (CCC) says about it here [German].

Posted in: Hacking News, Legal Issues

12 Responses to New German Hacking Law 202(c) – Sites Close & Possible Backfire

  1. dre October 25, 2007 at 1:27 am #

    I talked with Jerome Athias about these laws, and he says that France has similar laws in place right now. It appears the whole EU will likely implement something like this.

  2. Sandeep Nain October 25, 2007 at 5:52 am #

    Well, it seems like good news for hackers in the other parts of the world.. as in Europe there won’t be many security professionals left to test or secure the applications, i.e. good chances of finding vulnerabilities in applications developed in Europe

  3. Sir Henry December 14, 2007 at 7:32 pm #

    Does this not seem like anti-logic? This law simply puts a target on Germany as a playground for hackers. How can one combat a hacker without having the tools to understand said hacker?

  4. Maiku February 2, 2008 at 9:20 pm #

    I live in Germany! It’s true… it’s been all over the news!
    :( It really sucks but they won’t reach anything with this! Too many websites, plus people will find ways to continue doing this…
    Police should leave us alone!

  5. Pantagruel February 3, 2008 at 1:29 am #


  6. goodpeople February 3, 2008 at 9:28 am #

    One of my (Dutch) students is of German descent. Although he lives in The Netherlands, he has lots of relatives and friends in Germany. I urge him to leave his laptop at home when he visits his family across the border.

  7. Nobody_Holme February 4, 2008 at 1:36 pm #

    That’s a good point… they may not be legally able to arrest/prosecute on this law if you’re a foreign citizen, due to their own treaties…

  8. Pantagruel February 5, 2008 at 1:08 am #


    Scream ‘terrorist’ and the majority of people will rather have one false positive behind lock and key instead of a false negative running about.
    It’s worrying me that, even among better educated people, the idea of trading in some privacy for potentially more security is gaining ground.
    Again, education seems to be key to demystifying the FUD that is being spread about to justify the reduction of privacy in general.

  9. Nobody_Holme February 5, 2008 at 1:17 pm #

    Well, to be honest, I have no problem in losing privacy for security, as long as it’s implemented well. Like I’d have no problem with security cameras on every single inch outside my house, but there’s no way that’s financially viable.
    Anywho. I meant legally can’t, not won’t… just means they have to let you go, rather than prosecute.

  10. Pantagruel February 7, 2008 at 7:03 pm #


    It’s exactly this implementation that is bothering.
    With many of these privacy and surveillance related the bureaucrats seem to go for the ‘security by obscurity’ approach. In the Netherlands there is talk about a big electronic ‘patient’ database, this to reduce possible mix-ups when handing out drugs or performing therapy. They do discuss what is needed for the system to work, but are reluctant to disclose the actual protective measurements. I am kinda worried that it is just as crappy as our ‘transport card’ system (recently a tech student cloned a day pass, it is rumored the German CCC has data on cloning a full blown card).

  11. James C March 10, 2008 at 9:16 pm #

    The problem here is intelligence, or lack thereof.
    Intelligent people are too smart to think being a Politician is a good career those, and we

  12. Pantagruel March 10, 2008 at 10:18 pm #

    @ James C

    So damn true, it’s quite sad if you think of it and realise your country is being run by someone who is a high school drop out (and is complaining he should earn more because it’s a responsible job).