Last Friday, a new law on computer crime came into effect in Germany. The newly introduced Section 202c of the German penal code created much buzz around the net since it prohibits the distribution of certain computer programs assisting in committing data espionage.
Although I think the law is bad and creates an uncanny area of uncertainty, it is not the end of all security research done in Germany. In fact, much of the current outcry is overblown and counter-productive, as it contributes to spreading FUD about the issue.
The relevant part of the new Sec. 202c reads (translation by me):
Whoever prepares an offense under Sec. 202a [Data espionage] or
Sec. 202b [Data capture] by creating, obtaining, providing,
distributing or making otherwise available
2. computer programs whose purpose is committing such an offense,
shall be punished with imprisonment for not more than one year or a fine.
Sounds pretty bad, huh? Obviously, the key question is for which type of programs the "purpose" is committing a crime. This is currently the subject of much speculation; however, it is possible to take a more thorough approach.
In Germany, legislation is primarily made by the parliament, the "Bundestag". Among others, new laws may be proposed by the government, which is what happened here. The proposal is always accompanied by a rationale outlining the motivation for it. In cases where the law itself is not clear, it is quite common for the courts to base their opinion on the rationale behind the law. For the new computer crime law, it can be found in printed paper 16/3656.
The part of the rationale dealing with Sec. 202c largely talks of "dangerous hacking tools" (thus further denouncing hackerdom). It is security theater at its worst and defines "hacking tools" as being "designed by its manner and structure to serve for illegal tasks". This rules out a large class of security tools, as you cannot commit illegal tasks using them alone, but only when combining them with other techniques.
However, the rationale also clearly states that such a tool does not need to be meant exclusively for illegal tasks. So there is no free pass for dual-use tools.
Definitely not. The tools simply cannot be used to break into a computer system and commit data espionage. Additionally, data espionage as defined by Sec. 202a requires the data to be "specially secured", which is not the case for data arriving on your network card. Even WEP cracking will probably not be subject to this section as it is widely known to be broken beyond repair.
Hardly. PoCs are, by definition, small snippets of code that demonstrate how a security hole can be exploited. However, being able to run arbitrary code on a remote computer does not mean you commit data espionage.
Tools that can be directly used to break into computer systems. Metasploit immediately comes to mind here. Next, I would not recommend publishing exploits that take an IP address and open a shell on the target host. But this has been a grey area before, and if someone had used such an exploit program to commit a crime, you would have been in trouble anyway. Publishing virus construction kits is also not a good idea, but I think you already guessed that.
A few final remarks: While the situation is not as bad as many people on the net portray it, there are a few caveats. Even though your deeds may be perfectly legal, you may be subject to criminal prosecution, and especially lower courts may rule against you, costing time to fight your way up through the courts. And of course IANAL, but I promise to keep publishing exploit code and consider the new law largely a non-issue for security researchers.
Copyright 2006--2011 Hendrik Weimer. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.