@WPalant Hmmm... I guess I will answer with this next time I get an incredible job opportunity from Germany...

@WPalant The developer should have been judged by a jury of his peers.

@WPalant And we've had this discussion ad nauseam in the past: if you circumvent any protection mechanism, no matter how stupid, it's bad for you. So deCSS is basically illegal in Germany, even though this wouldn't count as any security "best" practice.

Also, programs that can be used to take part in computer crimes, may not be produced, distributed, downloaded or possessed in Germany - if it's the only purpose of that tool. So either forbid notepad or add a funny feature to such tools. 🙄

@WPalant@infosec.exchange for every country that makes a law like this, blackhats work getsveasier and easier

@WPalant I think we should actually ban judges and lawyers that don't know how computers and software works, from making judgements about these areas. This is absolutely ridiculous, it's like accusing a customer that walked into a store full of illegal wares and gently told the store owner that this might not be a good idea, that they were stealing these wares and breaking into the store. it literally couldn't be more backwards

@WPalant A protection mechanism isn't circumvented when used as intended. The vendor supplied credentials to their customers with the specific intent for them to be used. German judges are morons

@WPalant I remember when they introduced the "hackerparagraph" and it basically criminalized "owning hacker tools" like nmap or Wireshark. Is that still the way it is? I haven't paid attention to that special palace of German lawmaking incompetence in a while.

@WPalant I mean the learning for the guy who discovered this vulnerability is that he should not have revealed it.
Which is quite sad to say the least.

@WPalant guy gets sued for doing his job????

@WPalant From the article I read that the judge is actually on the side on the defendant, but does have no other option - the law currently states this.
Possibly the judge hoped that a higher court can make a precedence. This would not be the first case where the judge and the defendant agreed on a (very) mild sentence to allow a revision/appeal to create ruling by a higher court.

@WPalant "Auch wir fanden bei einer Untersuchung entsprechender, frei im Internet zugänglicher Binärdateien der Firma Modern Solution, Passwörter im Klartext."

Let's just hope nobody else does something illegal here. That would be very bad. Please don't break the law, and please don't post anonymously about the result for the lulz, and especially, please do not use TOR or something similar when not doing so.

@WPalant Deutschland macht wieder Dummheiten.

@WPalant that’s f-ed up!

@WPalant Something similar happened in Denmark. Dad noticed that he could access information private information about other students at his kid's school's website. He reports it to the devs and gets sued for hacking. He was initially found guilty, but that was luckily reversed by a higher court.

@WPalant illegal hacker tools such as phpMyAdmin

@WPalant Honestly, completely unsurprised it's germany, the country that ripped out all its clean energy and replaced it with coal...

@WPalant ayoooooo @hko take a look and holler at me please.

@WPalant Lord, giving cover to cyber crime by punishing white hats or employees doing as asked.

Atta boy, judge.

@WPalant So in Germany at least, we explicitly prefer the black hats find and trade on the vulnerabilities first?

@WPalant the developer has already announced that he will appeal the decision.

But this case has a history. Initially, the court that has now ruled against him decided that it wouldn't even hear the case. But prosecutor appealed and the next instance sent the case back to the court. Let's hope the appeal has a better outcome this time and the prosecutors will accept it.

I hope the law (#hackerparagraph) will be changed soon. It's on the agenda for this year.

@WPalant At least we know which software company we should avoid.

@WPalant

Many years ago, someone performed a web search in a search engine (it was likely one before Google). The webmaster had not properly secured the server, and so everything showed up in a simple search result.

That individual stumbled upon a private directly by simply clicking on a search result that revealed hundreds of people's personal information. They reported it immediately and the company fixed it immediately.

But they were still charged in America for "hacking."

1 of 2

@WPalant
The court had obviously no clue what the password of a databse is used for 🤦‍♂️

@WPalant leave security to the pro, the pro knows you not supposed to actually access data, thats dumb.

@WPalant So my take away is German courts are technologically ignorant.

@WPalant Not entering in the world of analogies the fact remains that he warned them and didn't take advantage of the situation.
For that I'd say he's not guilty of any crime.

my expectations were low but what the fuck

@kaia plz fix this

@WPalant Did the court's judges also study CS? I feel like they didnt, you can easily find out that password by disassembling the binary when its hardcoded or sniffing on network traffic locally.

@WPalant I sincerely hope this gets publicised to all that vendor's customer base and they lose business as a consequence.

@WPalant just make the stuff public news it's not even worth it

@WPalant peak German IT moment right there

@WPalant This has been going on since the mid 1990's. In the US it rather started with the DMCA, which made it illegal to circumvent "access control", but that law was basically made to comply with the EU based treaties it had already agreed to. It's earliest win in the courts was over DeCSS, which was a brute force attack on 40bit encryption. It continues to be applied to ridiculously weak security provisions to this day. Out of state researchers arrested on entry for presenting research.

@WPalant it's bad enough that we have bad laws, and judges without any tech understanding, but why would that company sue him in the first place?!?

@WPalant @privateger not just that, it also incentives selling vulnerabilities / user data on the black market

@WPalant So dumb. This is not hacking, nor is it “security research”. It’s called “troubleshooting”.

The company that hardcoded the password into the DB string should be prosecuted for negligence.

@WPalant @stufromoz This is going to result in a LOT of people drawing hard lines in how far they'll troubleshoot things, and a LOT of back & forth "Problem on their end not ours" because nobody's willing to work with each other collaboratively.

@WPalant This is actually troubling. I hope, the next instance puts this right.

@WPalant
First, this is a result of poorly written laws by politicians who, despite knowing better, intended to make hacking a criminal act.

Second, you never ever disclose security or data flaws on your own, and instead contact organizations such as CCC or Heise Security first.

Third, remember the company "Modern Solutions" from Gladbeck, Germany for writing crappy software and this sanctimonious statement in their imprint: 'Mitglied der Initiative "Fairness im Handel".'

@WPalant I am not sure how I feel about this one. Unauthorised access to any computer system may be a problem, regardless of intentions. The fact that the doors aren’t lock doesn’t mean you can open them. I hope that the next instance changes the decision.

@WPalant I'm still stuck on the part where using the password as a password in a password entry field was circumventing anything. Isn't that the intended function? And part of the ruling was that they "used software" to do it, but how do you interface with a server without using software? Utter fucking nonsense.

@WPalant #goddamnedfascists

@WPalant I don't know if this is interesting to you or not, but even more ridiculous things have happened. My actual state (Missouri) accused a reporter of being a hacker and tried to file criminal charges because they looked at the source code of a website. The prosecutor wouldn't go along with it, thankfully.

https://missouriindependent.com/2022/02/21/prosecutor-no-criminal-intent-by-reporter-missouri-governor-accused-of-hacking/

@WPalant This is just plain wrong. I hope the ruling gets overturned soon.

@WPalant@infosec.exchange A home owner throws a key on a doormat. Somebody grabs the key, opens the door, and begins moving items out of the house. A passerby says "You left the key out and there are people stealing things from your house." Paaserby is arrested much to the relief of the people robbing the house.

???

I feel like this should be fiction?

@WPalant thats real fucked up