German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a piece of software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next-instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Court regards use of plaintext passwords as hacking

The programmer who uncovered a serious vulnerability in the software of the company Modern Solution falls under the “hacker paragraph,” the court holds.

heise online
@WPalant I remember when they introduced the "hacker paragraph" and it basically criminalized "owning hacker tools" like nmap or Wireshark. Is that still the way it is? I haven't paid attention to that special place of German lawmaking incompetence in a while.

@hamato No, there is a high court decision clarifying that dual use tools are exempt from that rule.

Source: https://www.golem.de/0906/67887.html

Hacker paragraph: Constitutional Court rejects complaints - Golem.de

Yesterday the Federal Constitutional Court rejected three complaints against Section 202c of the Criminal Code, the so-called hacker paragraph. This means that possession and use of software for finding security vulnerabilities in computer systems is not generally criminalized, the court explained.

Golem.de

@WPalant Yeah okay, that's *not* really better, because it mostly covers "professional use". While I am an IT consultant, I am *not* a security consultant so professional use probably'd never apply.

The part about malicious intent is also something I'd decidedly not like to test in court, because it's way too easy to assume and way too hard to disprove.

But it's great to see Karlsruhe involved in this. Once or twice more and we might even get reasonable hacking laws. 🙈