Secret Kraut URL Shitlist Leaked, Journalists Threatened with Child Porn Charges


Germany's BPjM apparently didn't know that it wasn't safe to release MD5 hashes if you want the source URLs to remain 'hidden'. Earlier this week, they were proven wrong. And of course they're not happy about that. Some German news sources dubbed this the 'BPjM-Leak' incident.

An anonymous cracker managed to reverse engineer large parts of Germany's Federal Department for Media Harmful to Young Persons' Secret List Of The Big Bad Internet, otherwise known as the telemedia parts of indices C and D. In light of this, federal agents are threatening journalists linking to a description of the crack - which contains large portions of the list - with charges of distribution of child pornography if they don't take it down. Yesterday, an interview with the cracker on the matter was published.

So, what's the story?

The list is kept top secret to avoid any kind of "marketing effect" that an open list might have, but MD5 hashes of the list are incorporated into routers and similar devices by certain German vendors to be used as a URL blacklist. This feature is usually described as being in the interest of protecting the children, and may or may not be enabled by default in routers that incorporate it. In addition to this, the list is distributed to search engines, such as Google, to filter search results in Germany that might turn up anything on the list.

Due to the secrecy of the URLs on the list, the whole process is variously described by critics as suppressive, totalitarian and Nazi-esque. This is largely due to the complete lack of oversight as to whether the entries on the list are even valid, and a perceived lack of action as a result of placements on the list. The C list contains media that would be considered harmful for children and adolescents, e.g. websites on violent video games, horror flicks, lyrics to songs criticising the establishment, pornography and anorexia, whereas the D list entries are considered to be illegal by the department's panel, e.g. child pornography and pretty much anything to do with World War II. Webmasters are not informed of their spot on a list, and the entries are kept for at least 25 years - not exactly a time frame that makes sense on the net.

Critics argue that the process just hides bad sites instead of actually dealing with them by getting them taken down - and according to the interview linked above, that is precisely what happened with this blacklist, just as it has with any previous blacklist anyone else has ever employed. Lack of oversight by a neutral curator also lends itself to the list being abused for political ends, which the leaked list of sites clearly demonstrates is what is happening.

To quell any kind of sensible discourse based on the list being poorly curated, the Federal Department for Media Harmful to Young Persons - the BPjM - released a press statement on Wednesday, claiming that publishing the list of URLs would severely impede their performance and threaten the mental health of kids countrywide. The press release goes on to state that the Commission for the Protection of Minors in the Media - the KJM - had been informed of this incident and a charge against a person unknown - the cracker - had been filed with the federal police. In what is quite possibly the hugest German dick move this year, the KJM then went ahead and sent demands to journalists who had previously reported on the matter to take down any links to the description of the crack, or face charges for distributing child pornography. Because, you know, the list might link to that. And apparently it's better to threaten people than to just ask the hacker to take down those links in particular.

What the shit, Germany?

I am personally outraged that these people used to be funded by my tax money. I try to avoid insulting people personally, but I am making an exception in this case: if you're the person who thought it was a good idea to threaten journalists with one of the most horrific - and life ruining - of charges you guys have in your laws to silence them, as opposed to taking action against the critters who are actually hosting the child porn, then you, personally, are a huge fucking asshole. What, you can't send webmasters and net ops of these sites an email to have them take the stuff down? It's not like they'd do that in under 24 hours on average. But then, that might be on purpose - 'cause in the case of a leak they could use it as leverage. Suddenly it all makes sense... well, it's either that or they're actually surprised that distributing MD5s is not going to keep the source URLs secret.

Anyway, since they pissed me off so much, let's spend some time mocking some of the sillier entries on the list. Because there's no law I know of that makes it illegal to have the list and pick on random stuff on it that is obviously not kiddie porn or otherwise illegal here in Ireland, but which still shows why the list would need sensible, public oversight. So, here's some random notes on why this agency fails at The Internets:

... and it just keeps going like that. Not posting the list, but you shouldn't have any trouble googling for it. There's also at least one pastebin that has it. Speaking of, there is a pastebin that explains the crack but does not link to the actual list. That also contains further observations on some of the more absurd content.

I wonder if this will get me on the shitlist as well? Oh wait, that's right, the site is HTTPS-only unless you're using Tor. Guess they're SOL. They might try and add pastebin to the list, though.

Written by Maggie Danger.