Secret Kraut URL Shitlist Leaked, Journalists Threatened with Child Porn Charges

Summary: Germany's BPjM apparently didn't know that it wasn't safe to release MD5 hashes if you want the source URLs to remain 'hidden'. Earlier this week, they were proven wrong. And of course they're not happy about that. Some German news sources dubbed this the 'BPjM-Leak' incident.

An anonymous cracker managed to reverse engineer large parts of Germany's Federal Department for Media Harmful to Young Persons' Secret List Of The Big Bad Internet, otherwise known as the telemedia parts of indices C and D. In light of this, federal agents are threatening journalists linking to a description of the crack - which contains large portions of the list - with charges of distribution of child pornography if they don't take it down. Yesterday, an interview with the cracker on the matter was published.

So, what's the story?

The list is kept top secret to avoid any kind of "marketing effect" that an open list might have, but MD5 hashes of the list are incorporated into routers and similar devices by certain German vendors to be used as a URL blacklist. This feature is usually described as being in the interest of protecting the children, and may or may not be enabled by default in routers that incorporate it. In addition to this, the list is distributed to search engines, such as Google, to filter search results in Germany that might turn up anything on the list.
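Why shipping digests does not keep the entries secret, as an added example that is not from the original article or the leak write-up: the filter's own per-request lookup is a membership test that works just as well on any pile of known URLs. It assumes unsalted MD5 over the exact URL string in UTF-8 (the article does not say how URLs are normalised); all URLs, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(url: str) -> str:
    """Unsalted MD5 of the URL string (assumed: UTF-8, no normalisation)."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()

def keyed_hex(url: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 with a key the filtering device must also hold."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()

# Constructed stand-in for the secret list; only the digests ship to devices.
SECRET_LIST = [
    "http://blocked.example.com/page",
    "http://forum.example.org/thread/42",
    "http://shop.example.net/item?id=7",
]
SHIPPED = {md5_hex(u) for u in SECRET_LIST}

def is_blocked(url: str, digests: set, digest=md5_hex) -> bool:
    """What the filter does for every request: hash the URL, look it up."""
    return digest(url) in digests

def explained(candidates, digests: set, digest=md5_hex) -> dict:
    """Map each shipped digest to the candidate URL that produces it, if any."""
    return {digest(u): u for u in candidates if digest(u) in digests}

# Constructed candidate list, standing in for any collection of known URLs.
CANDIDATES = [
    "http://blocked.example.com/page",
    "http://news.example.com/",
    "http://shop.example.net/item?id=7",
    "http://shop.example.net/item?id=7&ref=x",  # different string, different digest
]

def exposure(candidates=CANDIDATES, digests=SHIPPED) -> float:
    """Fraction of the 'secret' list that the candidate list reveals."""
    return len(explained(candidates, digests)) / len(digests)

def keyed_demo(key: bytes = b"constructed-device-key") -> tuple:
    """Matches without the key vs. with it; every device needs the key to filter."""
    keyed = {keyed_hex(u, key) for u in SECRET_LIST}
    with_key = explained(CANDIDATES, keyed, lambda u: keyed_hex(u, key))
    return len(explained(CANDIDATES, keyed)), len(with_key)

if __name__ == "__main__":
    print(f"{exposure():.0%} of shipped digests explained by the candidate list")
    print("keyed list, matches without/with key:", keyed_demo())
```

A keyed digest only moves the secret into the key, and a consumer router that filters offline has to carry that key, so the confidentiality of the list then rests on the device's firmware.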

Due to the secrecy of the URLs on the list, the whole process is variously described by critics as suppressive, totalitarian and Nazi-esque. This is largely due to the complete lack of oversight as to whether the entries on the list are even valid, and a perceived lack of action as a result of placements on the list. The C list contains media that would be considered harmful for children and adolescents, e.g. websites on violent video games, horror flicks, lyrics to songs criticising the establishment, pornography and anorexia, whereas the D list entries are considered to be illegal by the department's panel, e.g. child pornography and pretty much anything to do with World War II. Webmasters are not informed of their spot on a list, and the entries are kept for at least 25 years - not exactly a time frame that makes sense on the net.

Critics argue that the process just hides bad sites instead of actually dealing with them by getting them taken down - and according to the interview linked above, that is precisely what happened with this blacklist, just as it has with any previous blacklist anyone else has ever employed. Lack of oversight by a neutral curator also lends itself to the list being abused for political ends, which the leaked list of sites clearly demonstrates is what is happening.

To quell any kind of sensible discourse based on the list being poorly curated, the Federal Department for Media Harmful to Young Persons - the BPjM - released a press statement on Wednesday, claiming that publishing the list of URLs would severely impede their performance and threaten the mental health of kids countrywide. The press release goes on to state that the Commission for the Protection of Minors in the Media - the KJM - had been informed of this incident and a charge against a person unknown - the cracker - had been filed with the federal police. In what is quite possibly the hugest German dick move this year, the KJM then went ahead and sent demands to journalists who had previously reported on the matter to take down any links to the description of the crack, or face charges for distributing child pornography. Because, you know, the list might link to that. And apparently it's better to threaten people than to just ask the hacker to take down those links in particular.

What the shit, Germany?

I am personally outraged that these people used to be funded by my tax money. I try to avoid insulting people personally, but I am making an exception in this case: if you're the person who thought it was a good idea to threaten journalists with one of the most horrific - and life ruining - of charges you guys have in your laws to silence them, as opposed to taking action against the critters who are actually hosting the child porn, then you, personally, are a huge fucking asshole. What, you can't send webmasters and net ops of these sites an email to have them take the stuff down? It's not like they'd do that in under 24 hours on average. But then, that might be on purpose - 'cause in the case of a leak they could use it as leverage. Suddenly it all makes sense... well, it's either that or they're actually surprised that distributing MD5s is not going to keep the source URLs secret.

Anyway, since they pissed me off so much, let's spend some time mocking some of the sillier entries on the list. Because there's no law I know of that makes it illegal to have the list and pick on random stuff on it that is obviously not kiddie porn or otherwise illegal here in Ireland, but which still shows why the list would need sensible, public oversight. So, here's some random notes on why this agency fails at The Internets:

Quite unsurprisingly, Krautchan made the list. Rather surprisingly, 2chan and 4chan did not. On the other hand, chan4chan's jailbait tag page did make the list. Not sure if the URL to that one still works, though. I'll leave it up to you to decide how absurd this is.

The list has pages containing song lyrics - specifically songs like Bullenschweine by Slime. This particular song is rather idiotic, but it quite escapes me why it was classified as damaging to children's minds. But hey, it's not nice to the police force, suggesting that they occasionally overstep their power and the author would feel it a good idea to hurt them back for it. I guess that's justification enough to ban those lyrics, right?

Surprisingly, the list does not contain any .onion URLs. I guess it would be futile to try and filter them. The Tor and Tails sites are also missing. But that might be because the list only has HTTP URLs and you can't transparently filter HTTPS.

Speaking of protocols, there is not a single FTP or GOPHER link, either, even though those could very well be filtered transparently by a properly designed module. Well, I guess now we know at least four ways of getting around the stupid filter if you're a webmaster and figure out your domain is on the agency's shitlist.

There's nothing related to the good ol' Usenet, either. I almost feel offended; maybe I'm just too old to even remember this?

A quick scan through the links indicates that the list is mostly comprised of porn sites. Of all varieties. Including hentai sites. However, almost all of these pages seem to be in English or German. Which is odd for the hentai pages, because those are kind of often in Japanese. And curiously enough, almost all of the major hentai sites that people are using are missing - like pururin or sankakucomplex. Even pixiv is missing, which certainly has quite a bit of questionable content. No scanlators on the list, either. I guess these guys really do think that comics are for kids?

There is a single item on the list on a subpage of Amazon. It's an 18+ video game, specifically the XBOX, non-USK version of Dead Island - not even Wolfenstein, as one would expect. But it's only on the list on amazon.co.uk - guess the Krauts still mistrust those crazy Tommies. Also, Amazon kind of tends to have more than one URL for each item, so that's kind of futile. Also also, you could just use HTTPS with Amazon and you'd be golden. Or you could remove the ref= parameter. Or get yourself a real console, like a Playstation 3. So that's just silly.

A single page on bible.org managed to get on the list! It's commentary on how beating your kids is a good thing. Now, again, that's not really anything sensible, but putting it on a secret list on the same level as kiddie porn, violent video games and songs against the establishment seems a bit overkill. None of the actual parts of the bible made the cut, though - which is strange, what with the genocide, incest, divine revenge, torturing the saviour to death and all.

Some of the URLs are actually typos and were never valid to begin with. Wow.

... and it just keeps going like that. Not posting the list, but you shouldn't have any trouble googling for it. There's also at least one pastebin that has it. Speaking of, there is a pastebin that explains the crack but does not link to the actual list. That also contains further observations on some of the more absurd content.

I wonder if this will get me on the shitlist as well? Oh wait, that's right, the site is HTTPS-only unless you're using Tor. Guess they're SOL. They might try and add pastebin to the list, though.
