Introduction to the BPjM

The Federal Department for Media Harmful to Young Persons (German: "Bundesprüfstelle für jugendgefährdende Medien" or BPjM) is an upper-level German federal agency subordinate to the Federal Ministry of Family Affairs, Senior Citizens, Women and Youth. It is responsible for examining media works allegedly harmful to young people and entering these onto an official list – a process known as Indizierung (indexing) in German. The decision to index a work has a variety of legal implications. [...] Germany is the only western democracy with an organization like the BPjM. The rationales for earlier decisions to add works to the index are, in retrospect, incomprehensible reactions to moral panics.

Quote by Wikipedia

Sublist A: Works that are harmful to young people

Sublist B: Works whose distribution is prohibited under the Strafgesetzbuch (German Criminal Code) (in the opinion of the BPjM)

Sublist E: Entries prior to April 1, 2003

Sublist C: All indexed virtual works harmful to young people whose distribution is prohibited under Article 4 of the Jugendmedienschutz-Staatsvertrag

Sublist D: All indexed virtual works, which potentially have content whose distribution is prohibited under the Strafgesetzbuch.

BPjM-Modul implementations

the search engines receive the URL list of the BPjM-Modul encrypted via OpenPGP which they can decrypt to the cleartext

a list with separate md5 hashes for domain and path part of the URL and two bits for indicating the depth of the URL, as used by the Openschoolserver, AVM FRITZ!Box and an unknown implementation uploaded to SourceForge

a BPjMInspect.dll file which downloads a bpjmlist.xml with salted sha1 hashes as used by the Telekom Kinderschutzsoftware

BPjM-Modul implementation with separate md5 hashes for domain and path

domain – md5 hash of the domain of the entry. The cleartext always starts with "http://" and never contains the www subdomain (but may contain other subdomains like www3). For example d7d6c7dd3e6592ab4d2c88b7305d6f20 is the md5 hash of "http://youporn.com".

path – md5 hash of the URL path of the entry without a slash in the beginning, in most cases it is d41d8cd98f00b204e9800998ecf8427e for an empty string (=complete domain blocked). Another example would be eacf331f0ffc35d4b482f1d15a887d3b for "index.html".

depth – Two bits representing the "path length" of the entry. Mostly it's 00 for no depth, which means the complete domain is blocked. The value 00 is used as well if the entry represents a certain filename but no directory, like "index.html". 01 stands for an entry with at least one slash, like "directory/". The highest depth seen so far is 04 for an entry like "dir/foo/bar/bla/".

BPjM-Modul implementation with salted sha1 hash of the URL

BPjMInspect.dll

00168D58328DF6363331B6CD944F2B9EC14A9DF366E9 ... 000EAEA17218F15DCDEC54752360A91C7CBFF96BC1E9 000EB30D02BE3A08A34D75271E66DC3B4804E80292FC ... 0020CDCBB0EE01AD4989FD299659BB22B202C4963CDF 001A23D76FDFD2C50B58ECC48DA200864DB6309E8230 ... 003539FE72A1CBE73A2E97537A893293D82B76CAC260

00168D58328DF6363331B6CD944F2B9EC14A9DF366E9

8D58328DF6363331B6CD944F2B9EC14A9DF366E9

Get the BPjM-Modul blacklist

/etc/bpjm.data

/var/bpjm.data

/var/media/ftp/FRITZ/bpjm.data

#96*8*

# Open a local netcat server on port 1234 in the terminal of your computer to receive the file

netcat -l -p 1234 > /tmp/bpjm.data

# make a telnet connection to your FRITZ!Box in another terminal window

telnet fritz.box 23

# Transfer the current BPjM-Modul database to your computer. If the file is not found, try /var/media/ftp/FRITZ/bpjm.data instead of /var/bpjm.data

cat /var/bpjm.data | nc [YOUR-LOCAL-IP] 1234



# Convert the database from binary to hex (ignoring first 64 bytes) and save it with the original filename

od -t x1 -An -j 64 /tmp/bpjm.data | tr -d ' \n' > `strings /tmp/bpjm.data | head -n 1`

# Split each entry into a separate line:

sed -i -e 's/.\{66\}/&\n/g' 20140701_bpjm-modul_06_14.txt

# Split each entry to domain, path, depth

sed -i 's/.\{32\}/& /' 20140701_bpjm-modul_06_14.txt

sed -i 's/.\{65\}/& /' 20140701_bpjm-modul_06_14.txt
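
The same conversion in one pass, as an added Python example that is not part of the original page. The layout (64-byte header, then 33-byte records) is inferred from the `od -j 64` and 66-hex-character steps above; `parse_bpjm`, `Entry` and `sample_blob` are hypothetical names, and the sample file is constructed with placeholder example.* domains.

```python
import hashlib
import re
from typing import NamedTuple

HEADER_LEN = 64   # skipped by `od -j 64` above
RECORD_LEN = 33   # 66 hex characters: 16 + 16 + 1 bytes
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


class Entry(NamedTuple):
    domain_md5: str
    path_md5: str
    depth: int

    @property
    def whole_domain(self):
        # The hash of the empty string as path means the complete domain is blocked
        return self.path_md5 == EMPTY_MD5


def parse_bpjm(blob):
    """Return (embedded file name, list of Entry) from raw bpjm.data bytes."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 64-byte header")
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    if len(body) % RECORD_LEN:
        raise ValueError("body is not a whole number of 33-byte records")
    # Like `strings | head -n 1`: first run of 4+ printable ASCII bytes
    # (assumption: that name sits inside the header)
    m = re.search(rb"[\x20-\x7e]{4,}", header)
    name = m.group().decode("ascii") if m else ""
    entries = [
        Entry(body[i:i + 16].hex(), body[i + 16:i + 32].hex(), body[i + 32])
        for i in range(0, len(body), RECORD_LEN)
    ]
    return name, entries


def sample_blob():
    """Constructed two-record file; example.* are placeholders, not list data."""
    md5 = lambda s: hashlib.md5(s).digest()
    header = b"constructed_sample.txt".ljust(HEADER_LEN, b"\0")
    return (header
            + md5(b"http://example.com") + md5(b"") + bytes([0])
            + md5(b"http://example.org") + md5(b"dir/") + bytes([1]))


if __name__ == "__main__":
    name, entries = parse_bpjm(sample_blob())
    print(name)
    for e in entries:
        print(e.domain_md5, e.path_md5, f"{e.depth:02x}", e.whole_domain)
```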

BPjM-Modul blacklist from "Telekom Kindersicherung" (sha1 implementation)

C:\ProgramData\T-Online\BPJM\bpjmlist.xml

# Alternatively, download the BPjM blacklist from Telekom in the same way the software does

wget -d --header="Range: bytes=0-204799" --user-agent="BPjMModule" --header="Cache-Control: no-cache" http://www.t-online.de/bpjm/bpjmlist.xml

# Apparently T-Online now serves an empty file on that URL, the last version of this file is mirrored here: bpjmlist.xml.

# Select all hashes, remove the tabs and convert to lower case

grep entry bpjmlist.xml | tr -d '\t' | tr '[:upper:]' '[:lower:]' > bpjmlist-sha1-telekom.txt

# Remove the XML tags

sed -i 's/<entry>//' bpjmlist-sha1-telekom.txt

sed -i 's/<\/entry>//' bpjmlist-sha1-telekom.txt

# Remove the first 4 hex characters representing the size of the cleartext to get the plain sha1 hashes

sed -i 's/^....//' bpjmlist-sha1-telekom.txt

Calculate the cleartext

./hashcat-cli64.bin -r rules.txt md5hashes.txt dictionary.txt -o results.txt

^/^/^:^p^t^t^h

http://

Analysis of the list entries

the domain "homo.com" offers a wildcard domain which echoes anything that is entered as a subdomain on the website, e.g. visiting "Fritz.homo.com" results in a webpage "Haha, Fritz is gay!". On the BPjM list there is an entry irgend.ein.name.homo.com – the German "Irgend ein Name" stands for "any name". Contrary to the belief of the BPjM public servants this doesn't work as a wildcard – just this specific domain will be blocked

there are some domains with upper case letters on the list (ExtremeAdultSex.com, FUQQER.com, HQBoys.com and painGate.com). This implies that either the calculation of the md5 hash is in fact case sensitive, which would mean that only "youporn.com" is filtered but "YouPorn.com" or "youporn.COM" are not. However, it is more likely that domains are always converted to lower case before calculating the md5 hash, which would mean these 4 domains will never get filtered. For more details on URL normalization see Wikipedia and RFC3986

the listing of the XBOX 360 game "Dead Island" on amazon.co.uk is blocked

the complete sell list of leading online music database Discogs. Probably at one point in time there was a listing of a music album which is forbidden in Germany – this was enough to block access to the "eBay of music" for years

the domain beyondthedot.com is blocked, where FairWinds Partners, LLC, a domain name consulting firm, explains the new generic top level domains. According to archive.org this was a porn website up to about 2008

the free website hosting on mywebpage.netscape.com was shut down at least 5 years ago but there is still a URL on the list

besides all the porn domains the trustworthy looking domain bible.org stands out. One article glorifying beating up kids for "education" is blocked

lyrics of several songs are blocked: Frei.Wild – Rache muss sein; Landser – Zigeunerpack; Normahl – Bullenschweine; Weiße Wölfe – Ruhm und Ehre; Swiss – Der letzte Schultag

a German "Call of Duty 4" gameserver clan with a German .de domain: deutschefront.de – since it is a German domain hosted in Germany it should be possible to take other measures besides just blocking access to the domain

many entries appear more than once on the list. The YouTube user pages of saberrien and Saifulhaakim are on the list 4 times and 5 times respectively. However, not one single YouTube video itself is blocked.

several URLs with a wrong trailing slash: Death.html/, welcome.htm/, free/index.html/ and freecontent.html/. A URL path with a trailing slash means that the part before the slash is a directory and not a file. The examples above are filenames. The entries on the list with the trailing slash are invalid and return a 404 file not found error. The correct URLs without the trailing slashes won't match the hash and are not blocked. Explanation here

voy.com provides free message boards where each board has a numeric id, like "voy.com/123456/". The BPjM wants to block five of those URLs with suicide forums. Only two of the entries contain the (in this case) correct trailing slash, the voy.com webserver redirects requests without trailing slash to those with a trailing slash. The other three entries will never be blocked if they are requested with the correct trailing slash.

a website from the 1990s selling rusty old helmets: germanhelmetsinc.com

the French counterpart of German "Jochen Schweizer" adventure coupons: happytime.com - apparently this used to be a porn website several years ago

the website, switched off for many years, of the 17(!) year old game "Shadow Warrior": 3drealms.com/catalog/sw/

website of a 10+ year old game which has long redirected to the publisher: postal2.com

the domain kartoffelkanone.org (German for "spud gun"), which has not been active since at least 2008

splashdamage.com/content/wolfenstein-enemy-territory-barracks, the website of the free-to-play game "Wolfenstein: Enemy Territory" which is rated "PEGI: 16" by the Pan European Game Information system

audio books download portal hoerbuch.in is the only warez entry besides the XXX section of defunct movie2k.com. One explanation for this might be the porn advertisements on the website

bananenbar.com is the website of an Amsterdam strip bar with only modest content

according to archive.org the domain facegoo.com has not been a porn website for at least 3 years. Now it is the website of an iPhone app for fun picture manipulation. The startup has no chance to be listed in German search engine results at all

ety.com/tell/ according to archive.org used to be a Swiss nazi website "last updated: 14.04.2001" but now presents a startup beta invite screen

several websites of the artist Alex Dirk Freyling are blocked (e.g. alexd.net, dieetwasandereart.net, macassar-art.com and neuexpressionismus.com). But other similar domains of the same artist are not blocked: derfreikuenstler.com, dualismus.net, kulturreportonline.net, adffilm.com, dfreyling.com etc.

not on the current list, but older versions of the BPjM-Blacklist had plain typos: http://bilola, http://hot-soccer-moms-info and http://www-gangbang-squad.com
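
The upper-case and trailing-slash findings in the list above follow from the domain/path/depth format described earlier: a hash only matches when the list side and the filter side hash exactly the same text. The following Python example is added here and is not code from the original page or from any filter product. The matching strategy (whole domain, each directory prefix, then the full path) is an assumption, all function names are hypothetical, and the example.* entries are constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def entry(domain, path=""):
    """List entry hashed exactly as typed (no normalization on the list side)."""
    return (md5hex("http://" + domain), md5hex(path), path.count("/"))


def request_keys(url, lowercase_host=True):
    """Every (domain md5, path md5, depth) key a requested URL could match.

    Assumed matching: whole domain, each directory prefix, then the full path.
    """
    parts = urlsplit(url)
    host = parts.netloc.lower() if lowercase_host else parts.netloc
    if host.lower().startswith("www."):     # list cleartext never contains www.
        host = host[4:]
    path = parts.path[1:]                   # stored without the leading slash
    prefixes = [""] + [path[:i + 1] for i, c in enumerate(path) if c == "/"] + [path]
    domain_hash = md5hex("http://" + host)  # cleartext always starts with http://
    return {(domain_hash, md5hex(p), p.count("/")) for p in prefixes}


def is_blocked(url, blocklist, lowercase_host=True):
    return bool(request_keys(url, lowercase_host) & set(blocklist))


# Constructed list; example.* names are placeholders, not entries from the real list.
BLOCKLIST = [
    entry("example.com"),                    # whole domain
    entry("Example.ORG"),                    # typed with upper case letters
    entry("example.net", "welcome.htm/"),    # file name with a wrong trailing slash
    entry("example.net", "board/123456/"),   # directory with the correct slash
]

if __name__ == "__main__":
    for url in ("http://www.example.com/any/page.html",
                "http://example.org/",
                "http://example.net/welcome.htm",
                "http://example.net/board/123456/"):
        print(url, is_blocked(url, BLOCKLIST))
```

A list maintainer can run the same key derivation over each new entry and its live URL before publishing; an entry whose own URL does not come back as blocked can never match.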
