🌖 German law is turning security research into a risky business
➤ German law restricts security research and puts those who report vulnerabilities at risk
https://infosec.exchange/@WPalant/111776937550399546
A developer was convicted of "hacking" after, while investigating a piece of software, he found that its database connection exposed data belonging not just to his own client but to all of the vendor's customers, and immediately notified the vendor. The vendor fixed the vulnerability but also pressed charges. The court ruled that the database password, even though it was hardcoded in the application in plain text, constituted a protection mechanism, so accessing the database counted as hacking. This has a serious chilling effect on legitimate research, lets companies get away with inadequate security, and ultimately endangers users.
+ The issue raised here deserves attention; how security research is regulated needs a fuller discussion.
+ This German law is indeed a major challenge for security researchers, and it also touches on researchers' rights when publicly disclosing data leaks.
#GermanLaw #SecurityResearch #Risk
Yellow Flag (@WPalant@infosec.exchange)

German law is making security research a risky business. Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a piece of software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server. When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges. There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking. I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users. Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html
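The technical flaw behind the case is a database credential shipped in plain text inside the application, readable without decompiling. The following is an added example, not code from the post, from the vendor, or from the heise article: a small scanner in the style of strings(1) that pulls printable runs out of a binary and flags URL-style and key=value-style database DSNs that carry a password, reporting only a redacted hint of the secret. The binary blob, host names, accounts and passwords are all constructed for this example and are assumptions, not anything from the actual case.

```python
import re
from dataclasses import dataclass

# Constructed sample "binary": a fake application image with two plaintext
# database credentials embedded among other data. No real vendor, host,
# account or password appears here; every value is made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"LogLevel=DEBUG\x00"
    + b"mysql://app_user:S3cretPass@db.example.invalid:3306/crm_all_customers\x00"
    + b"\x90\x90\x90\xcc" * 8
    + b"Server=db.example.invalid;Uid=report;Pwd=Hunter22;Database=reports\x00"
    + b"\xff\xfe\x00\x01"
)

# URL-style DSN: scheme://user:password@host[:port]/database
URL_DSN = re.compile(
    r"(?P<scheme>mysql|mariadb|postgres(?:ql)?)://"
    r"(?P<user>[^:@/\s]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s]+)/(?P<db>[^\s?]+)"
)
# ADO/ODBC-style key=value DSN: Server=...;Uid=...;Pwd=...;Database=...
KV_PAIR = re.compile(
    r"(?:^|;)\s*(?P<key>server|host|user id|user|uid|password|pwd|database)\s*=\s*(?P<val>[^;]+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str
    user: str
    host: str
    database: str
    password_hint: str  # first character and length only; the secret itself is never stored


def printable_strings(blob: bytes, min_len: int = 6):
    """Yield runs of printable ASCII at least min_len bytes long, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group(0).decode("ascii")


def password_hint(pw: str) -> str:
    """Redact a recovered secret to something safe to put in a report."""
    return f"{pw[0]}***(len={len(pw)})"


def find_hardcoded_credentials(blob: bytes) -> list:
    """Scan a binary blob for plaintext database credentials in either DSN style."""
    findings = []
    for s in printable_strings(blob):
        m = URL_DSN.search(s)
        if m:
            findings.append(Finding("url-dsn", m["user"], m["host"], m["db"], password_hint(m["pw"])))
            continue
        # Key=value form: collect the pairs and only report when a user and a password co-occur
        kv = {k.lower(): v.strip() for k, v in KV_PAIR.findall(s)}
        user = kv.get("uid") or kv.get("user id") or kv.get("user")
        pw = kv.get("pwd") or kv.get("password")
        if user and pw:
            host = kv.get("server") or kv.get("host") or "?"
            findings.append(Finding("kv-dsn", user, host, kv.get("database", "?"), password_hint(pw)))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"{f.kind}: {f.user}@{f.host}/{f.database} password={f.password_hint}")
```

Running this over a real build artefact before it ships is the cheap check a vendor can do itself; it is the same observation the researcher in the post made by reading the application. Note that the scanner never opens a connection to the host it finds, and that rotating the password is not the fix: a client application should not carry any credential for a database shared across all customers, and should instead authenticate to a vendor-side service that scopes each customer to its own data.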