Exploits, security tools disappear as German anti-hacker law takes effect


Stefan Esser, the PHP security guru behind the recent Month of PHP Bugs project, has yanked all the proof-of-concept exploits from the project page because of legal concerns related to the new law.
"This new law renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break in. This includes port scanners like nmap, security scanners like nessus and of course proof of concept exploits," Esser explained.
He said the law explicitly forbids the creation, distribution and usage of tools that can be used to prepare for an attack on, or to actively exploit, computer systems. However, there is uncertainty about the law and how it applies to the work of security professionals in Germany.
The big problem is that the paragraph is not clearly written. It allows too much interpretation. While our government says that they do not want to punish, for example, hired penetration testers, this is NOT written down in the law. The written law does not know any exception. And that is the big problem.
Phenoelit, another German site that distributes hacking tools, has posted a goodbye note that refers to the new law. Phenoelit's tools and security material have been moved to a different server outside Germany.
KisMAC, a wireless network discovery and attack tool, has also disappeared.
* More from SecurityFocus.com's Rob Lemos.