This article was first published at ITK SECURITY.

Last update 1 year ago by Patrick Ruppelt


Last year, we uncovered that the Federal Bar Association (BRAK) was getting its users to install illegal pirated copies of the software Oracle Java on their computers. The BRAK has now admitted this in its latest newsletter. It's about time.

The instructions provided to users of the "special electronic lawyer's mailbox" (beA) requested the download and installation of the respective current JAVA software from Oracle. The BRAK was not at all interested in the fact that this software would be chargeable - even for every lawyer who installed it.

On the contrary, BRAK referred to licensing provisions on its website, although the BRAK had no licence at all. The manufacturer Oracle had confirmed this to us in writing at the time and pointed out that the BRAK had in any case cited the wrong licence model as its supposed legitimation [1].

Since every lawyer, law firm and court is legally obliged to use the beA system, we calculated that this amounts to licence fraud of around USD 5 million annually [2].

Added to this were security concerns: the Federal Bar Association's server software had demonstrably not been updated for months, and the software in use had countless known security vulnerabilities [3].

When asked, the BRAK was very unwilling to help us. No, they were not grateful for the information.

Several BRAK lawyers tried to silence us by flatly denying everything and taking refuge in ever more outrageous excuses [4].

For those who would like to read about the incidents in more detail, I recommend the following articles, which seem almost amusing in retrospect:

  1. Do beA users actually have valid JAVA licences? Thought experiment on the correct licensing of Oracle JAVA software by lawyers and law firms [5], from 11 August 2019
  2. Open letter to the Federal Bar Association (BRAK) [6], from 23 September 2019
  3. BRAK waives security updates for beA [7], from 3 October 2019
  4. Officially confirmed: beA users require paid JAVA licence [8], from 9 October 2019

With the change of operator away from Atos and towards the bidding consortium Westernacher/rockenstein [9], everything should get better, as always.

And indeed, at least the Oracle Java licence problem has apparently been "solved". Solved insofar as this component has been abolished and now a free alternative is used that comes with other restrictions. For example, it no longer works on our Linux computers. According to the instructions, only Windows 7, Windows 10 and Mac OS X 10 are supported. Our practical test confirms that not much works with Linux:

Source: Login window of the BNotK for PIN setup for beA cards under Linux / Chrome (screenshot created on 22.2.2020 at 11:14 a.m.) [10]

It's nice to see that it still works with Windows 7, which is ten years old and no longer supported by Microsoft at all - completely insecure - but not on a current and secure Linux PC.

Well, as is well known, the Federal Bar Association has never thought much of up-to-date security software, and since there are still at least 33,000 PCs running Windows 7 in the German administration [11], that is the way it had to be. The next Kammergericht-GAU [12] is inevitable.

Even today, after the change of operator, this supposedly so-secure messaging system still has no end-to-end encryption [13]. Because experts from the Bar and the courts agree on this: state-of-the-art security is not needed for court traffic (cf. AGH Berlin, judgment of 14 November 2019 - I AGH 6/18 [14]).

Be that as it may, to our great astonishment, we read a sentence in the BRAK's latest newsletter which we assumed would simply be swept under the table, like everything else before it:

The Federal Chamber of Notaries recently amended the SAK. Previously, a separate ORACLE Java installation was necessary for use. This is no longer necessary.

Source: beA Newsletter Issue 4/2020 of 20.2.2020 [15], emphasis added by us

Let's pause for a moment. "Previously, a separate ORACLE Java installation was necessary for use," writes BRAK.

But until now we had been assured over and over again, like a prayer wheel, that it was precisely not necessary to install this chargeable piece of software, and that - quote - "which would not incur any separate costs from the beA system and from the beA application or client security (...)" (cf. email from BRAK to me dated 29.08.2019).

This is very interesting insofar as it is a complete 180-degree turnaround. Until now, the BRAK had done everything to assure me that everything was licensed correctly. With this newsletter, the BRAK now admits exactly the opposite: until now, all beA users would have had to buy an Oracle JAVA licence for each computer on which they used beA. Which brings us back to the licence fraud sum of around 5 million US dollars at the time. QED.

Incidentally, the fact that the BRAK is now making the Oracle JAVA software obsolete does not mean that everything is now fine. This is by no means the case, because this software component, which users or their administrators probably installed on at least 85,000 computers, continues to run happily there and is of course still chargeable, without any doubt [16]. And that remains so until it is uninstalled again. As long as a user does not ensure that Oracle JAVA is removed from their computer, they continue to use a pirated copy, and have been doing so since the beginning of 2019. However, the BRAK - who would have expected otherwise - does not say a single word about this.

List of sources

[1] https://www.itk-security.de/offener-brief-an-die-bundesrechtsanwaltskammer-brak-bea/
[2] https://www.itk-security.de/offiziell-bestaetigt-bea-anwender-benoetigen-kostenpflichtige-java-lizenz/
[3] https://www.itk-security.de/brak-verzichtet-bei-bea-auf-sicherheitsupdates/
[4] https://www.itk-security.de/haben-bea-nutzer-eigentlich-gueltige-java-lizenzen/
[5] https://www.itk-security.de/haben-bea-nutzer-eigentlich-gueltige-java-lizenzen/
[6] https://www.itk-security.de/offener-brief-an-die-bundesrechtsanwaltskammer-brak-bea/
[7] https://www.itk-security.de/brak-verzichtet-bei-bea-auf-sicherheitsupdates/
[8] https://www.itk-security.de/offiziell-bestaetigt-bea-anwender-benoetigen-kostenpflichtige-java-lizenz/
[9] https://www.lto.de/recht/juristen/b/bea-vergabeverfahren-neuer-dienstleister-westernacher-rockstein-folgt-atos/
[10] https://secure.bnotk.de/idp/Authn/Smartcard/
[11] https://www.handelsblatt.com/politik/deutschland/windows-7-bundesregierung-zahlt-fast-eine-million-euro-fuer-veraltetes-microsoft-betriebssystem/25452158.html?ticket=ST-7494672-79NK0UVPqdwhvPmgZf2K-ap1
[12] https://www.itk-security.de/wort-zum-sonntag-berliner-kammergericht-von-altbekanntem-virus-bis-naechstes-jahr-lahm-gelegt/
[13] https://anwaltsblatt.anwaltverein.de/de/news/agh-berlin-bea-ist-sicher-keine-ende-zu-end-verschluesselung-noetig
[14] https://anwaltsblatt.anwaltverein.de/files/anwaltsblatt.de/anwaltsblatt-online/2020-003.pdf
[15] https://mailcluster.wegewerk.com/mailing/36/2620027/7696415/3951/c90ce8ac25/index.html
[16] https://shop.oracle.com/apex/f?p=DSTORE:PRODUCT:::NO:RP,6:P6_LPI,P6_PROD_HIER_ID:132208699270491131625576,123775488249871532594385