Greetings!

> I believe Germany passed a law about exploits and/or "security
> tools". [...] I *believe* it is taken pretty seriously in
> Germany though.

Of course it's taken seriously here in Germany. We take EVERYTHING seriously. ;-)

The law (§202c StGB) and its application already have been evaluated in court - after a German computer magazine publisher reported itself for such an offence (by offering downloads for nmap etc.)

It only is illegal to program, distribute, own, ... programs that are EXPLICITLY designed to commit a(n actual) criminal offence with it. Dual-use tools are lacking the law's "designed for an actual crime" requirement.

Thus the banking-trojan is illegal - the PoC of its infection vector not, even if it calls the same bank's web page.

According to governmental papers (DRS 17/10379 of 24.07.2012) even the DDoS tool LOIC is not clearly enough falling under this singular-purpose requirement and thus usually considered dual-use and thus not illegal.

Having a disclaimer explicitly stating the "for educational or research purposes only" design won't hurt, though, as it will derail the exclusively-for-crime requirement - even if only "officially".

Bye

Volker

PS: IANAL, thus ask your own lawyer, of course.

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtli...@wyae.de
PGP Fingerprint 5F25 AF01 D104 70E0 539A 3575 05F9 F616 BBE2 192C

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/