German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a piece of software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Court considers use of plaintext passwords to be hacking

The programmer who uncovered a serious hole in the software of the company Modern Solution falls under the “hacker paragraph,” the court holds.

heise online
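The post above turns on credentials that were readable as plain text in the shipped binary, “not even decompiling required.” As an added illustration (not code from the thread, from heise, or from the vendor), the following scanner does what a `strings`-style pass does: it pulls printable runs out of a binary blob and matches them against common credential shapes (URL userinfo such as `scheme://user:pass@host`, and `Pwd=`/`Password=` connection-string keys). The sample blob, the hostnames and the passwords in it are constructed for this example and stand in for no real vendor; it also decodes base64-looking runs, because encoding a password before embedding it is still not a protection mechanism in any technical sense.

```python
import base64
import binascii
import re

# Constructed sample "binary": a few header bytes and junk interleaved with
# printable runs, standing in for a shipped client executable. Every host,
# user name and password here is invented for the example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"Server=db.example.invalid;Database=shop;Uid=shopuser;Pwd=Sup3rS3cret!;\x00"
    b"\x90\x90\x90"
    b"mysql://api_user:hunter2@203.0.113.7:3306/tenants\x00"
    b"\xde\xad\xbe\xef"
    # "Obfuscated" variant: the same kind of DSN, merely base64-encoded.
    + base64.b64encode(b"mysql://svc:Tr0ub4dor&3@db.internal/crm") + b"\x00"
    b"Connection refused\x00"
)

MIN_RUN = 8  # same default minimum length as the `strings` tool uses (4) is too noisy; 8 is a common choice

# Shapes a hardcoded database credential typically takes once it is in a binary.
# The last capture group of each pattern is the secret itself.
CREDENTIAL_PATTERNS = {
    "url_userinfo": re.compile(r"\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^@\s]+)@", re.I),
    "kv_password": re.compile(r"\b(?:pwd|password|passwd)\s*=\s*([^;\s]+)", re.I),
}

# A run that consists only of the base64 alphabet (plus optional padding).
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def printable_runs(blob: bytes, min_run: int = MIN_RUN):
    """Mimic `strings`: yield runs of printable ASCII at least min_run bytes long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_run, blob):
        yield m.group().decode("ascii")


def _maybe_base64_decode(run: str):
    """Return the decoded text if `run` is valid base64 of printable ASCII, else None."""
    if not B64_RUN.match(run):
        return None
    try:
        return base64.b64decode(run, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_credentials(blob: bytes, decode_base64: bool = True):
    """Scan a binary for embedded credentials.

    Returns a list of dicts with the pattern that matched, the secret, whether
    it was found only after base64 decoding, and the run it came from.
    """
    findings = []
    for run in printable_runs(blob):
        candidates = [(run, False)]
        if decode_base64:
            decoded = _maybe_base64_decode(run)
            if decoded is not None:
                candidates.append((decoded, True))
        for text, was_encoded in candidates:
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({
                        "kind": kind,
                        "secret": m.group(m.lastindex),
                        "base64": was_encoded,
                        "context": text[:60],
                    })
    return findings


def secrets_in(blob: bytes, decode_base64: bool = True):
    """Convenience wrapper: just the set of secrets found."""
    return {f["secret"] for f in find_credentials(blob, decode_base64)}


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_BINARY):
        flag = " (base64)" if f["base64"] else ""
        print(f'{f["kind"]}{flag}: {f["secret"]!r}  <- {f["context"]!r}')
```

Run it against a real build artefact with `find_credentials(open(path, "rb").read())` as a pre-release check; anything it reports is something a customer can read with `strings`, a hex editor or phpMyAdmin's connection dialog, which is exactly the situation the thread is about. The pattern list is deliberately small; extend it for the connectors your own software ships with.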
@WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.
@thisismissem @WPalant you could also twist it a bit more and say you left your key under your door mat, not even explicitly giving them the key.
@husjon @thisismissem @WPalant if you really want a metaphor, here's a more accurate one. there's a fulfillment center, and each customer is issued a delivery robot that will drive there and retrieve their deliveries. one customer followed the robot to see where it goes and saw that the door opens for any robot and stays open long enough for another person to enter, allowing access to everyone's deliveries. reported that to the company and got sued.
@husjon @thisismissem @WPalant Yes, that's the better analysis. "Attractive nuisance" idea works well, too. If you make it too easy/tempting then it's your responsibility.

@thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example.

Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”

@WPalant in this case it just sounds like he used the key to open the front door, saw an absolute mess & notified the company of the issue
@thisismissem @WPalant this seems to omit the other side of the story. If I understand this correctly, vendor software was making undocumented calls to outside infrastructure and sharing potentially sensitive data. It should be in company's right to check the level of exposure to properly protect their and their customers' rights.
@RakowskiBartosz @thisismissem @WPalant Well, no. You can't demand the right to look into the internals of your partners - they have a right to privacy as well. You are instead "protected" by the law that requires the partner to protect your privacy interests, or by contracts. What that law is missing, however, is a way to universally verify that they do it correctly, e.g. by independent auditors. Which isn't often feasible, though. It's all a compromise, and it sucks.

@RakowskiBartosz @thisismissem @WPalant

Surely you forgot to add a sarcasm tag.

The vendor is almost certainly out of GDPR compliance.

@WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to log in and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there. Bad practice on both sides.
@tklengyel @thisismissem Where did you read that he dumped the database? My understanding is that he connected to the database in the assumption that it was specific to his client, then disconnected and reported the issue immediately after realizing that it contained data on other customers as well.
@WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call.
@tklengyel @WPalant @thisismissem Just connect to it with a GUI tool like dbeaver (like devs are likely to do), it will show you the schema of tables.
There will be columns like “clientName” or similar, and then doing a few very simple selects will tell you whether you have access to other people’s data.
@tklengyel @WPalant @thisismissem Mixing customer data like that and giving full access to the database with the given user credentials is criminal neglect and should cost the company dearly. Not the person who figured it out.
@Profpatsch @tklengyel @thisismissem According to https://nitter.net/der_sofc/status/1747644600469127386 he connected with phpMyAdmin. While I haven’t used that tool in decades, that would presumably also expose the database schema immediately.

@WPalant @thisismissem

Many judges in court don't know jack shit about programming, and "compiling" is the same as "encrypting" for them.

As many analogies said: if you give someone the key to your house, whether it's wrapped in tons of cardboard and tape, they still have the key.

The software provider must be condemned for a security flaw that endangers all users.

@thisismissem @WPalant More like you put a lock on your door that has no tumblers, and you didn't know this because it's a "secret"--and someone comes along and says, "Hey, those locks have no tumblers and can just be turned with a flathead," and that person is arrested and imprisoned. No actual entry is required and it's been this way for almost 3 decades. Can also be used to imprison someone for the act of selling you a screwdriver or just telling you how to forge one.

@thisismissem @WPalant It's more like someone found a key hidden in a very obvious place.

Like, if you call the plumber because of a leak in your yard, he can't find it, so he lets himself in with a key under the mat and finds the problem in your house. He was doing the job you hired him to do, but you might be a little uncomfortable learning he's taken liberties with your locks in order to do so.

Now, whether that discomfort means a crime has occurred is another matter.

@WPalant Hmmm... I guess I will answer with this next time I get an incredible job opportunity from Germany...
@cifvts @WPalant The law on which this decision is based is on the agenda for reform in the first half of 2024. So hopefully the situation will look better soon.
@weddige @cifvts I’ve learned to keep my expectations low with this government. Only one out of three parties is trying to push forward (yeah, I see your server name), while one is actively working against any improvements of the status quo. It wouldn’t be the first important project to die a very quiet death.

@WPalant @cifvts I'm certainly not without some unease, knowing that this bill will be drafted by the Ministry of Justice (with, I'm sure, terrible input from the Ministry of the Interior).

But I'm trying to stay positive for now, so that I still have the energy to get angry when the need arises and I'm not already tired and disillusioned.

@WPalant The developer should have been judged by a jury of his peers.
@darren We don’t do that in Germany.
@WPalant @darren
Schöffen (lay judges)?
@Doomed_Daniel @darren Yeah, in a way but not really and only at the lowest possible instance.
@WPalant @darren
This verdict was from the lowest possible instance (Amtsgericht), and Schöffen can also be at the next higher instance (Landesgericht)
@Doomed_Daniel @WPalant @darren Schöffen are not assigned based on their competence in the case, but through a randomized system. E.g. in Berlin you get a list of appointments for the next year, and whatever case takes place on that date is the one you judge on.

@WPalant And we've had this discussion ad nauseam in the past: if you circumvent any protection mechanism, no matter how stupid, it's bad for you. So deCSS is basically illegal in Germany, even though this wouldn't count as any security "best" practice.

Also, programs that can be used to take part in computer crimes, may not be produced, distributed, downloaded or possessed in Germany - if it's the only purpose of that tool. So either forbid notepad or add a funny feature to such tools. 🙄

@WPalant And yeah, basically downloading Kali might get you to jail.

Yet another law that was created despite the protest of several groups like digitalcourage or CCC. Luckily, they're probably addressing it.

Sadly, they're probably addressing it. I fear the outcome - as long as our knowledge of "internet" is that one shown in the article above.

And always remember: pushing F12 is a crime as well. ^^

@WPalant I think we should actually ban judges and lawyers who don't know how computers and software work from making judgements about these areas. This is absolutely ridiculous. It's like accusing a customer who walked into a store full of illegal wares and gently told the store owner that this might not be a good idea of stealing these wares and breaking into the store. It literally couldn't be more backwards.
@WPalant A protection mechanism isn't circumvented when used as intended. The vendor supplied credentials to their customers with the specific intent for them to be used. German judges are morons
The enterprise that initiated this lawsuit is called Modern Solution GmbH & Co. KG. It resides in Gladbach in Germany.
@WPalant I imagine this will lead to all the German security researchers moving to another country in Europe if it stays.

Especially since the borders are open. Just go somewhere where it's legal?
@WPalant I remember when they introduced the "hackerparagraph" and it basically criminalized "owning hacker tools" like nmap or Wireshark. Is that still the way it is? I haven't paid attention to that special palace of German lawmaking incompetence in a while.

@hamato No, there is a high court decision clarifying that dual use tools are exempt from that rule.

Source: https://www.golem.de/0906/67887.html

Hacker paragraph: Constitutional Court rejects complaints - Golem.de

Yesterday the Federal Constitutional Court rejected three complaints against Section 202c of the Criminal Code, the so-called hacker paragraph. This does not mean that possession and use of software for finding security vulnerabilities in computer systems is generally criminalized, the court explained.

Golem.de

@WPalant Yeah okay, that's *not* really better, because it mostly covers "professional use". While I am an IT consultant, I am *not* a security consultant, so professional use probably would never apply.

The part about malicious intent is also something I'd decidedly not like to test in court, because it's way too easy to assume and way too hard to disprove.

But it's great to see Karlsruhe involved in this. Once or twice more and we might even get reasonable hacking laws. 🙈

@WPalant I mean the learning for the guy who discovered this vulnerability is that he should not have revealed it.
Which is quite sad to say the least.
@techtraveler @WPalant Or he should have pseudonymously leaked it to them using a throwaway account. With a note to the effect that if they didn't correct it, the next step would be to post it to a public forum.
CCC | Disclosure

The Chaos Computer Club is a galactic community of living beings for freedom of information and technology assessment.

@techtraveler @WPalant Or simply sell them (also illegally): Then at least he would still have gotten money.
@WPalant guy gets sued for doing his job????
@WPalant From the article I read that the judge is actually on the side of the defendant, but has no other option - the law currently states this.
Possibly the judge hoped that a higher court can set a precedent. This would not be the first case where the judge and the defendant agreed on a (very) mild sentence to allow a revision/appeal to create a ruling by a higher court.

@WPalant "We too found passwords in plaintext when examining the corresponding binaries of the company Modern Solution, which are freely accessible on the Internet."

Let's just hope nobody else does something illegal here. That would be very bad. Please don't break the law, and please don't post anonymously about the result for the lulz, and especially, please do not use TOR or something similar when not doing so.

@WPalant Germany is doing stupid things again.
@WPalant Something similar happened in Denmark. A dad noticed that he could access private information about other students on his kid's school's website. He reported it to the devs and got sued for hacking. He was initially found guilty, but that was luckily reversed by a higher court.
@WPalant Honestly, completely unsurprised it's Germany, the country that ripped out all its clean energy and replaced it with coal...
@SiteRelEnby Hey, I totally agree that Germany did really badly in this area, but are you certain about that “ripped out” and “replaced” part? From all I know, Germany merely stopped paying for building up clean energy capacities which essentially killed this industry branch. But whatever was there already stayed there (healthy increases again under the new government). And Germany isn’t actually expanding the capacity of its coal-fired power stations, though it could certainly retire them sooner.
Germany Rejected Nuclear Power—and Deadly Emissions Spiked

After Fukushima, the country opted to decommission its nuclear reactors. The US has a lot to learn from what happened next.

WIRED
@SiteRelEnby Oh, you referred to nuclear power as “clean.” Oook. 😂
@WPalant @SiteRelEnby

nuclear is the cleanest power source we have currently

@pharmafemboy @WPalant @SiteRelEnby wouldn’t say cleanest because of recent advances in solar and battery storage making things more efficient in that direction, nuclear uses lots of concrete so it takes a long time to offset the carbon emissions of that

Though generally speaking yeah, nuclear is considered clean energy, the coal powerplants getting built and fired back up to replace it in Germany produce far more radioactive waste that is released into the air than any nuclear plant would release in its lifetime

@WPalant ayoooooo @hko take a look and holler at me please.

@ErickaSimone @WPalant ugh. That law is a disgrace, and it's not good to see it applied.

I couldn't easily find an english text about the law, but https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hens_und_Abfangens_von_Daten is a german language text about it.

Vorbereiten des Ausspähens und Abfangens von Daten (Preparing to spy on and intercept data) – Wikipedia