New German Hacking Law 202(c) – Sites Close & Possible Backfire

This has been floating around for a while and you might have noticed a warning on some German-based security sites that they’ve had to move their tools due to this new legislation known as 202(c) – a couple of examples are KisMAC and Phenoelit.

Basically the new law prohibits manufacturing, programming, installing, or spreading software that has the primary goal of circumventing security measures, which means that some security scanning & hacking tools might become illegal.

Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers.

The German law — referred to as 202(c) — went into effect on Sunday. Many experts have complained that the language of the law is very unclear, but a strict reading appears to make illegal the distribution, sale and possession of security tools which could be used to commit a crime.

In the latest move, PHP security professional Stefan Esser removed on Friday all exploit code from his Web site dedicated to the Month of PHP Bugs. While reasonable prosecutors would not likely pursue security researchers, the risk is too great, Esser stated.

Source: Security Focus

It’s a pretty worrying state of affairs. It means under strict enforcement the majority of Linux distributions are now illegal in Germany as they tend to include nmap by default!

I also believe it could backfire, causing more problems than solutions.

Germany’s new antihacker law could open the door to more cybercrime and not less, security experts warn.

The legal uncertainty created by the new law will make the work of security experts in Germany more difficult, according to Müller-Maguhn.

“The law is counterproductive,” said Marcus Rapp, product specialist at the German subsidiary of Finnish security vendor F-Secure. “It will make the security situation worse, not better.”

Rapp is concerned about what he calls the law’s “broad interpretation” of hacking and the legal uncertainty it creates.

Interesting stuff…and I really doubt they are going to reverse it.

Let’s just hope no other countries follow suit with such retarded laws.

Source: Infoworld

There’s also a very interesting article on the whole matter by Dark Reading here:

Hacking Germany’s New Computer Crime Law

You can read what Computer Chaos Club (CCC) says about it here [German].

Posted in: Hacking News, Legal Issues


12 Responses to New German Hacking Law 202(c) – Sites Close & Possible Backfire

  1. dre October 25, 2007 at 1:27 am #

    I talked with Jerome Athias about these laws, and he says that France has similar laws in place right now. It appears the whole EU will likely implement something like this.

  2. Sandeep Nain October 25, 2007 at 5:52 am #

    Well, it seems like good news for hackers in the other parts of the world, as in Europe there won’t be many security professionals left to test or secure the applications, i.e. good chances of finding vulnerabilities in applications developed in Europe.

  3. Sir Henry December 14, 2007 at 7:32 pm #

    Does this not seem like anti-logic? This law simply puts a target on Germany as a playground for hackers. How can one combat a hacker without having the tools to understand said hacker?

  4. Maiku February 2, 2008 at 9:20 pm #

    I live in Germany! It’s true… it’s been all over the news!
    :( It really sucks but they won’t reach anything with this! Too many websites, plus people will find ways to continue doing this…
    Police should leave us alone!

  5. Pantagruel February 3, 2008 at 1:29 am #


  6. goodpeople February 3, 2008 at 9:28 am #

    One of my (Dutch) students is of German descent. Although he lives in The Netherlands, he has lots of relatives and friends in Germany. I urge him to leave his laptop at home when he visits his family across the border.

  7. Nobody_Holme February 4, 2008 at 1:36 pm #

    That’s a good point… they may not be legally able to arrest/prosecute on this law if you’re a foreign citizen, due to their own treaties…

  8. Pantagruel February 5, 2008 at 1:08 am #


    Scream ‘terrorist’ and the majority of people will rather have one false positive behind lock and key instead of a false negative running about.
    It’s worrying me that, even among better educated people, the idea of trading in some privacy for potentially more security is gaining ground.
    Again, education seems to be key to demystifying the FUD that is being spread about to justify the reduction of privacy in general.

  9. Nobody_Holme February 5, 2008 at 1:17 pm #

    Well, to be honest, I have no problem in losing privacy for security, as long as it’s implemented well. Like I’d have no problem with security cameras on every single inch outside my house, but there’s no way that’s financially viable.
    Anywho. I meant legally can’t, not won’t… just means they have to let you go, rather than prosecute.

  10. Pantagruel February 7, 2008 at 7:03 pm #


    It’s exactly this implementation that is bothering.
    With many of these privacy and surveillance related the bureaucrats seem to go for the ‘security by obscurity’ approach. In the Netherlands there is talk about a big electronic ‘patient’ database, this to reduce possible mix-ups when handing out drugs or performing therapy. They do discuss what is needed for the system to work, but are reluctant to disclose the actual protective measurements. I am kinda worried that it is just as crappy as our ‘transport card’ system (recently a tech student cloned a day pass, it is rumored the German CCC has data on cloning a full blown card).

  11. James C March 10, 2008 at 9:16 pm #

    The problem here is intelligence, or lack thereof.
    Intelligent people are too smart to think being a Politician is a good career those, and we

  12. Pantagruel March 10, 2008 at 10:18 pm #

    @ James C

    So damn true, it’s quite sad if you think of it and realise your country is being run by someone who is a high school dropout (and is complaining he should earn more because it’s a responsible job).