Full Disclosure mailing list archives

Re: Legality of Open Source Tools


From: Volker Tanger <vtlists () wyae de>
Date: Sat, 5 Apr 2014 00:59:57 +0200

Greetings!

> I believe Germany passed a law about exploits and/or "security
> tools".    [...]   I *believe* it is taken pretty seriously in
> Germany though.

Of course it's taken seriously here in Germany.
We take EVERYTHING seriously.
;-)

The law (§202c StGB) and its application already have been evaluated in
court - after a German computer magazine publisher reported itself for
such an offence (by offering downloads for nmap etc.)

It only is illegal to program, distribute, own, ... programs that are 
EXPLICITLY designed to commit a(n actual) criminal offence with it. 
Dual-use tools are lacking the law's "designed for an actual crime"
requirement.

Thus the banking-trojan is illegal - the PoC of its infection vector
not, even if it calls the same bank's web page.  

According to governmental papers (DRS 17/10379 of 24.07.2012) even the
DDoS tool LOIC is not clearly enough falling under this singular-purpose
requirement and thus usually considered dual-use and thus not illegal.


Having a disclaimer explicitly stating the "for educational or research
purposes only" design won't hurt, though, as it will derail the
exclusively-for-crime requirement - even if only "officially". 

Bye

Volker


PS:
IANAL, thus ask your own lawyer, of course.



-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
5F25 AF01 D104 70E0 539A  3575 05F9 F616 BBE2 192C


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
