Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <46F2756E.1030206@drwetter.org>
Date: Thu, 20 Sep 2007 15:28:14 +0200
From: Dirk Wetter <dirk.wetter@...etter.org>
To:  john-users@...ts.openwall.com
Subject: Re: Complaint filed vs. german gov-agency for distributing
 jtr

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Hi Tom,


On 19.09.2007 08:38, thomas springer wrote:

> There were quite a lot of sensible people protesting, but government
> said, the goal is not to sue security-experts, but hackers. But the
> wording of the law speaks clearly another language.

The usage-of-the-tools-section (202a/b) sounds to me better than the tools
section itself (202c). There's the word "unbefugt" (unauthorised) in 202a/b
w My 2 Euros: That should have been more clear. This was also said by
politicians of the government party in the conciliation committee.

The tool-section is the one which is the one which is not comprehensible
to me and which scared German hacker^Wsecurity tools provider
(FX, kismac, PoC of PHP bugs=Stefan Esser) away.

> There were no court-orders or known filed complaints because of 202c StGB yet.
> 
> German online-magazine tecchannel.de is trying to get clarity about
> the new law and filed a complaint (9/14/07) against the german
> government-agency "Federal Office for Information Security (BSI, see
> http://www.bsi.de/english/index.htm) for distributing John the Ripper
> on one of its CDs and linking to a page (http://www.openwall.com)
> where users can download the tool.

They are referring to BOSS. The story behind it is that BSI did ~2 years
back a public invitation to tender. GOal was to provide an easy to use Open
Source-based toolkit, more for junior admins, in order to check their IT
infrastructure for security holes. Also included is Nessus v2 on both
versions of the CD amongst other tools which are except the sniffer tools
according to p202c not as "dangerous".

> A screenshot of the complaint is here:
> http://images.tecchannel.de/images/tecchannel/bdb/361100/361109/B83CB84F13B738958633FFED96A57C1A_800x600.jpg
> The article (german only, sorry) here:
> http://www.tecchannel.de/sicherheit/grundlagen/1729025/

thanks a bunch for the hint! That is in fact a great manoeuvre :-)
and has some irony in it: BSI, service provider for federal IT,
a goverment agency, is a subsidiary from the BMI, the ministry of interior.
 Driving force for passing the law through the German instances was the
ministry of justice, BMJ ;-)

> I'm rather interested in this case, for i still distribute and use JtR
> and i creditet myself in the compiled the Windows-Binarys available
> from www.openwall.com. Drop me a note if this is noteworthy enough to
> keep you posted about the outcome.

Why just don't post it to the list?

The outcome certainly will provide the needed legal certainty, one way
or the other!


Cheers,
	Dirk



- --
Dirk Wetter @ Dr. Wetter IT-Consulting          http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

- -
Found core file older than 7 days: /usr/share/man/man5/core.5.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkbydW4ACgkQyWc02BG3xi89XgCeOczT+VncOVSiCRyw2bCM3f5X
a9UAoJe1gKERwaqlMcOUJyg1glb7JPXl
=e1Ou
-----END PGP SIGNATURE-----

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.