Wladimir PalantJan 18, 2024

German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Gericht sieht Nutzung von Klartext-Passwörtern als Hacken an

Der Programmierer, der eine gravierende Lücke in der Software der Firma Modern Solution aufgedeckt hat, fällt unter den Hackerparagrafen, meint das Gericht.

heise online
Show threadjesterchen42

@WPalant And we've had this discussion ad nauseam in the past: if you circumvent any protection mechanism, no matter how stupid, it's bad for you. So deCSS is basically illegal in Germany, even though this wouldn't count as any security "best" practice.

Also, programs that can be used to take part in computer crimes, may not be produced, distributed, downloaded or possessed in Germany - if it's the only purpose of that tool. So either forbid notepad or add a funny feature to such tools. 🙄

Jan 18, 2024 at 1:44pmWeb
Show threadjesterchen42Jan 18, 2024

@WPalant And yeah, basically downloading Kali might get you to jail.

Yet another law that was created despite the protest of several groups like digitalcourage or CCC. Luckily, they're probably addressing it.

Sadly, they're probably addressing it. I fear the outcome - as long as our knowledge of "internet" is that one shown in the article above.

And always remember: pushing F12 is a crime as well. ^^