Interview with BPjM-Leaker: Website Blacklists shouldn’t be done „in an intransparent way by a government“

Screenshot of the website "BPJM-Leak" with a description of the hack and the extracted list of URLs.

An anonymous hacker has reverse-engineered and published the once-secret blacklist of URLs produced by a German federal agency. He or she did this mainly out of technical curiosity – and found that it was really easy to do. The hacker hopes not go get sued for this action – and offers a general critique on secret, state-sponsored internet censorship.

Wir finanzieren uns zu fast 100 % aus Spenden von Leserinnen und Lesern. Unterstütze unsere Arbeit mit einer Spende oder einem Dauerauftrag.

On Tuesday we reported, that the secret URL blacklist of the German „Federal Department for Media Harmful to Young Persons“ was reverse-engineered and published. It contains many dead sites and cases of overblocking, but also „normal porn, animal porn, child/teen porn, violence, suicide, nazi or anorexia.“ The list is given to internet search engines like Google and DSL/Cable routers, so they can block those URLs.

Yesterday we decided to remove our link to the original website, because the „Commission for the Protection of Minors in the Media“ threatened to file a criminal complaint, accusing us of „making child pornography available“. Now we have conducted an interview with the anonymous hacker. (This interview is also available in German, thanks to Kilian for the translation!)

netzpolitik.org: What was your intention of reverse-engineering the list?

BPjM-Leaker: I did this leak out of (technical) curiosity, basically.

I’ve stumbled over the md5 hashed BPjM list by chance and was just curious. It was like a „hacker puzzle“, I tried to figure out the system how this BPJM-Modul works. Eventually I found the system (md5 hash of URL with http:// in front and no www subdomain, other md5 hash for the path) by manually trying domains I expected to be on the list (rotten.com and youporn.com). Now that the puzzle was solved it involved into a challenge: Try to find each and every domain on this list by collecting huge lists of domains and check if they are on the list. In an ideal world this leak may lead to the end of the BPjM/FSM/KJM/etc. website filtering and the money will be instead spent on pedophile prevention programs…

netzpolitik.org: What is your intention of publishing the list?

BPjM-Leaker: I wasn’t sure what would be the best way to deal with this information. Just keep it on my own, send the data to Wikileaks, write an article/blog post with my real name or just leak it on my own with the raw data and technical details how to verify the list? In the end I decided for the last option. By publishing this list everyone can see how ridiculous this list is with its absurd entries.

netzpolitik.org: How much time did the hack take you in total?

BPjM-Leaker: Extracting the list and figuring out the md5 „encryption“ system was two evenings if I remember correctly. Collecting all the lists of domains happened over the course of several months, but in total it wasn’t that many hours.

netzpolitik.org: Publishing the list is forbidden by German law. Why did you chose to disobey that? Do you expect to get sued? Do you think you will get caught?

BPjM-Leaker: In my opinion it is wrong to collect this list in the first place. Technically the BPjM published the list and I just did a kind of transformation of the data. I hope to stay anonymous. But in fact I didn’t do anything special. Anyone with some basic computer knowledge and curiosity should be able to collect this list. Homework in the first semester of studying computer science is usually more difficult. I can’t believe nobody did this before and they consider this BPjM-Modul as completely safe for so many years.

netzpolitik.org: We have linked to your site, but the „Commission for
the Protection of Minors in the Media“ threatened to sue us, because allegedly some of the URLs in the list contain child pornography, illegal after § 184b StGB in Germany.

netzpolitik.org: Do you know of any specific URLs on the list, that host such material? If yes: have you done anything about it?

BPjM-Leaker: Thank you for linking to the website in the first place and thank you for hesitating to remove it and being transparent about it! I am not aware of a domain on the list containing child pornography. At first I tried to do do a deeper analysis of the list entries (like the other analysis by AK-Zensur and Matti Nikki I linked to) by visiting each URL and categorize them manually. But 3000 stupid websites was just too much to visit and I gave up pretty quickly.

netzpolitik.org: Would you be willing to take down URLs on your list, when provided with URLs that contain such material?

BPjM-Leaker: If I am aware of URLs on the list which contain such material I would write a mail to the abuse contact of both the domain registrar and the hoster. Reporting the URL to local authorities of the country the website is hosted in would also be a good idea. Then I would expect the website to be taken down in a matter of hours. If I know a domain contains child abuse material I would replace the URL with its md5 hash.

netzpolitik.org: What’s your general opinion on blacklists like that? Should states produce blacklists for child/youth protection? Should they be mandatory? Should they be secret?

BPjM-Leaker: For me it feels wrong that there are many different laws for different people. Depending on the country you live in and your age other people decide what you are allowed to see. In China they have their huge censorship infrastructure, in the UK they block file sharing, in Germany they block websites selling old helmets because they have a swastika on them. If the list is secret there is no control and as a result the quality of the entries is really bad as this BPjM example proves. Filtering websites for child protection might be a useful tool in some cases but not in an intransparent way by a government.

Weitersagen und Unterstützen. Danke!
Ein Kommentar

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.