[SAGE-Stuttgart] [sage] Criminal complaint against the BSI^Wunknown for distributing hacker tools :-) [fwd]

Jan Schmidt info at solarisguru.de
Mon Oct 1 21:41:04 CEST 2007


hey bernhard,

On 23.09.2007 at 15:17:23 +0200, Bernhard Ehses wrote:

> Cool idea, I like it :-)

the discussion went on on the john-users mailing list (might be of
interest for some readers on this list):


---------------- quoting john-users at lists.openwall.com --------------------
Date: Thu, 20 Sep 2007 15:28:14 +0200
From: Dirk Wetter <dirk.wetter at ...etter.org>
To:  john-users at ...ts.openwall.com
Subject: Re: Complaint filed vs. german gov-agency for distributing
 jtr

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Hi Tom,


On 19.09.2007 08:38, thomas springer wrote:

> There were quite a lot of sensible people protesting, but
> government said, the goal is not to sue security-experts, but
> hackers. But the wording of the law speaks clearly another
> language.

The usage-of-the-tools-section (202a/b) sounds to me better than the
tools section itself (202c). There's the word "unbefugt"
(unauthorised) in 202a/b w My 2 Euros: That should have been more
clear. This was also said by politicians of the government party in
the conciliation committee.

The tool-section is the one which is not comprehensible to me and
which scared German hacker^Wsecurity tools providers (FX, kismac,
PoC of PHP bugs=Stefan Esser) away.

> There were no court-orders or known filed complaints because of
> 202c StGB yet.
> 
> German online-magazine tecchannel.de is trying to get clarity about
> the new law and filed a complaint (9/14/07) against the German
> government-agency "Federal Office for Information Security (BSI,
> see http://www.bsi.de/english/index.htm) for distributing John the
> Ripper on one of its CDs and linking to a page (http://www.openwall.com)
> where users can download the tool.

They are referring to BOSS. The story behind it is that BSI did ~2
years back a public invitation to tender. Goal was to provide an easy
to use Open Source-based toolkit, more for junior admins, in order to
check their IT infrastructure for security holes. Also included is
Nessus v2 on both versions of the CD amongst other tools which are
except the sniffer tools according to p202c not as "dangerous".

> A screenshot of the complaint is here:
> http://images.tecchannel.de/images/tecchannel/bdb/361100/361109/B83CB84F13B738958633FFED96A57C1A_800x600.jpg
> The article (german only, sorry) here:
> http://www.tecchannel.de/sicherheit/grundlagen/1729025/

thanks a bunch for the hint! That is in fact a great manoeuvre :-)
and has some irony in it: BSI, service provider for federal IT, a
government agency, is a subsidiary from the BMI, the ministry of
interior.
Driving force for passing the law through the German instances was
the ministry of justice, BMJ ;-)

> I'm rather interested in this case, for I still distribute and use
> JtR and I credited myself in the compiled the Windows-Binaries
> available from www.openwall.com. Drop me a note if this is
> noteworthy enough to keep you posted about the outcome.

Why not just post it to the list?

The outcome certainly will provide the needed legal certainty, one
way or the other!


Cheers,
	Dirk



- --
Dirk Wetter @ Dr. Wetter IT-Consulting          http://drwetter.org
IT security consulting + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

- -
Found core file older than 7 days: /usr/share/man/man5/core.5.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkbydW4ACgkQyWc02BG3xi89XgCeOczT+VncOVSiCRyw2bCM3f5X
a9UAoJe1gKERwaqlMcOUJyg1glb7JPXl
=e1Ou
-----END PGP SIGNATURE-----

---------------------------------- end quoting --------------------


Regards,
Jan