Wladimir PalantJan 18, 2024

German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Gericht sieht Nutzung von Klartext-Passwörtern als Hacken an

Der Programmierer, der eine gravierende Lücke in der Software der Firma Modern Solution aufgedeckt hat, fällt unter den Hackerparagrafen, meint das Gericht.

heise online
Show threadAndrea  Jan 18, 2024
@WPalant Hmmm... I guess I will answer with this next time I get an incredible job opportunity from Germany...
Show threadKonstantin WeddigeJan 18, 2024
@cifvts @WPalant The law on which this decision is based is on the agenda for reform in the first half of 2024. So hopefully the situation will look better soon.
Show threadWladimir Palant
@weddige @cifvts I’ve learned to keep my expectations low with this government. Only one out of three parties is trying to push forward (yeah, I see your server name), while one is actively working against any improvements of the status quo. It wouldn’t be the first important project to die a very quiet death.
Jan 18, 2024 at 7:19pmWeb
Show threadKonstantin WeddigeJan 18, 2024

@WPalant @cifvts I'm certainly not without some unease, knowing that this bill will be drafted by the Ministry of Justice (with, I'm sure, terrible input from the Ministry of the Interior).

But I'm trying to stay positive for now, so that I still have the energy to get angry when the need arises and I'm not already tired and desillusioned.