Yellow Flag

German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: heise.de/news/Warum-ein-Sicher

116 comments
Emelia 👸🏻

@WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.

husjon

@thisismissem @WPalant you could also twist it a bit more and say you left your key under your door mat, not even explicitly giving them the key.

ww

@husjon @thisismissem @WPalant if you really want a metaphor, here's a more accurate one. there's a fulfillment center, and each customer is issued a delivery robot that will drive there and retrieve their deliveries. one customer followed the robot to see where it goes and saw that the door opens for any robot and stays open long enough for another person to enter, allowing access to everyone's deliveries. reported that to the company and got sued.

cognitively accessible math

@husjon @thisismissem @WPalant Yes, that's the better analysis. "Attractive nuisance" idea works well, too. If you make it too easy/tempting then it's your responsibility.

Yellow Flag

@thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example.

Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”

Emelia 👸🏻

@WPalant in this case it just sounds like he used the key to open the front door, saw an absolute mess & notified the company of the issue

Bartosz Rakowski

@thisismissem @WPalant this seems to omit the other side of the story. If I understand this correctly, vendor software was making undocumented calls to outside infrastructure and sharing potentially sensitive data. It should be in company's right to check the level of exposure to properly protect their and their customers' rights.

Thomas Tempelmann

@RakowskiBartosz @thisismissem @WPalant Well, no. You can't demand the right to look into the internals of your partners - they have a right to privacy as well. You are instead "protected" by the law that requires the partner to protect your privacy interests, or by contracts. What that law is missing, however, is a way to universally verify that they do it correctly, e.g. by independent auditors. Which isn't often feasible, though. It's all a compromise, and it sucks.

Riley S. Faelan

@RakowskiBartosz

Surely you forgot to add a sarcasm tag.

The vendor is almost certainly out of GDPR compliance.

@thisismissem @WPalant

Tamas K Lengyel

@WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to login and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there.. Bad practice on both sides.

Yellow Flag

@tklengyel @thisismissem Where did you read that he dumped the database? My understanding is that he connected to the database in the assumption that it was specific to his client, then disconnected and reported the issue immediately after realizing that it contained data on other customers as well.

Tamas K Lengyel

@WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call.

DELETED

@tklengyel @WPalant @thisismissem I hate this thread. Also responsible disclosure is a thing and should be protected under law. Vendors doing something stupid then pressing charges is incompetence and should be audited by a gov agency.

This thread and this case is why people don't bother reporting anything they find without malicious intent and just watch the company shoot themselves in the foot.

Tamas K Lengyel

@alex_02 @WPalant @thisismissem I agree, but the reality is that you are better off just ditching that vendor if they won't fix the issue. Then why not publish the issue anonymously? If you aren't going for a bug bounty what is there to gain by attaching your name to it?

DELETED

@tklengyel @WPalant @thisismissem why does disclosing a security issue require to be a bug bounty or publishing it anonymously? Treating hackers and researchers like terrorists is just making things worse and why threats like ransomware gangs have such an easy walk in the park with breaking into networks.

Alex Rock

@WPalant @thisismissem

Many judges in court don't know jack shit about programming, and "compiling" is the same as "encrypting" for them.

As many analogies said: if you give someone the key to your house, whether it's wrapped in tons of cardboard and tape, they still have the key.

The software provider must be condemned as a security flaw, endangering all users.

Leonid

@thisismissem @WPalant I understand this case more like you put your key in front of your house, visible for everybody. And I'm just telling you that it is a security issue and you are suing me for that.

Yellow Flag

@leonid @thisismissem Well, you did verify that it isn’t just any key but the one opening my door. It’s the fact that you opened the door which got you into court.

In fact, even that analogy doesn’t really convey the situation – it’s not actually the key to my house but rather to the storage facility where I keep stuff of people who paid me. And that key puts their stuff at risk.

Leonid

@WPalant @thisismissem now I get it. The issue was that he accessed vendor's database. Even if he has the credentials, he is not allowed to use it.

It's like if I found a post-it with password on your PC, I'm still not allowed to use it to login into your account.

crazyeddie

@thisismissem @WPalant More like you put a lock on your door that has no tumblers because you didn't know this because it's a "secret"--and someone comes along and says, "Hey, those locks have no tumblers and can just be turned with a flathead," and that person is arrested and imprisoned. No actual entry is required and it's been this way for almost 3 decades. Can also be used to imprison someone for the act of selling you a screwdriver or just telling you how to forge one.

JR Freeman

@thisismissem @WPalant It's more like someone found a key hidden in a very obvious place.

Like, if you call the plumber because of a leak in your yard, he can't find it, so he lets himself in with a key under the mat and finds the problem in your house. He was doing the job you hired him to do, but you might be a little uncomfortable learning he's taken liberties with your locks in order to do so.

Now, whether that discomfort means a crime has occurred is another matter.

Andrea :archlinux: :neovim:

@WPalant Hmmm... I guess I will answer with this next time I get an incredible job opportunity from Germany...

Konstantin Weddige

@cifvts @WPalant The law on which this decision is based is on the agenda for reform in the first half of 2024. So hopefully the situation will look better soon.

Yellow Flag

@weddige @cifvts I’ve learned to keep my expectations low with this government. Only one out of three parties is trying to push forward (yeah, I see your server name), while one is actively working against any improvements of the status quo. It wouldn’t be the first important project to die a very quiet death.

Konstantin Weddige

@WPalant @cifvts I'm certainly not without some unease, knowing that this bill will be drafted by the Ministry of Justice (with, I'm sure, terrible input from the Ministry of the Interior).

But I'm trying to stay positive for now, so that I still have the energy to get angry when the need arises and I'm not already tired and disillusioned.

Darren du Nord

@WPalant The developer should have been judged by a jury of his peers.

Yellow Flag

@Doomed_Daniel @darren Yeah, in a way but not really and only at the lowest possible instance.

Daniel Gibson

@WPalant @darren
This verdict was from the lowest possible instance (Amtsgericht), and Schöffen can also be at the next higher instance (Landesgericht)

Rebecca Cotton-Weinhold

@Doomed_Daniel @WPalant @darren Schöffen are not assigned based on their competence in the case, but through a randomized system. E.g. in Berlin you get a list of appointments for the next year, and whatever case takes place on that date is the one you judge on.

jesterchen42

@WPalant And we've had this discussion ad nauseam in the past: if you circumvent any protection mechanism, no matter how stupid, it's bad for you. So deCSS is basically illegal in Germany, even though this wouldn't count as any security "best" practice.

Also, programs that can be used to take part in computer crimes may not be produced, distributed, downloaded or possessed in Germany - if it's the only purpose of that tool. So either forbid notepad or add a funny feature to such tools. 🙄

jesterchen42

@WPalant And yeah, basically downloading Kali might get you to jail.

Yet another law that was created despite the protest of several groups like digitalcourage or CCC. Luckily, they're probably addressing it.

Sadly, they're probably addressing it. I fear the outcome - as long as our knowledge of "internet" is that one shown in the article above.

And always remember: pushing F12 is a crime as well. ^^

lunya (cute) :neocat_floof:

@WPalant@infosec.exchange for every country that makes a law like this, blackhats' work gets easier and easier

Anthropy :verified_dragon:

@WPalant I think we should actually ban judges and lawyers that don't know how computers and software work from making judgements about these areas. This is absolutely ridiculous, it's like accusing a customer that walked into a store full of illegal wares and gently told the store owner that this might not be a good idea, that they were stealing these wares and breaking into the store. it literally couldn't be more backwards

Patrick $8 :verified:

@WPalant A protection mechanism isn't circumvented when used as intended. The vendor supplied credentials to their customers with the specific intent for them to be used. German judges are morons

Alexander Goeres

the enterprise that initiated this lawsuit is called Modern Solution GmbH & Co. KG. it resides in Gladbach in Germany.

Miru

@WPalant I imagine this will lead to all the German security researchers moving to another country in Europe if it stays.

Especially since the borders are open. Just go somewhere where it's legal?

hamato

@WPalant I remember when they introduced the "hackerparagraph" and it basically criminalized "owning hacker tools" like nmap or Wireshark. Is that still the way it is? I haven't paid attention to that special palace of German lawmaking incompetence in a while.

Yellow Flag

@hamato No, there is a high court decision clarifying that dual use tools are exempt from that rule.

Source: golem.de/0906/67887.html

hamato

@WPalant Yeah okay, that's *not* really better, because it mostly covers "professional use". While I am an IT consultant, I am *not* a security consultant so professional use probably'd never apply.

The part about malicious intent is also something I'd decidedly not like to test in court, because it's way too easy to assume and way too hard to disprove.

But it's great to see Karlsruhe involved in this. Once or twice more and we might even get reasonable hacking laws. 🙈

Edin 🇪🇺

@WPalant I mean the learning for the guy who discovered this vulnerability is that he should not have revealed it.
Which is quite sad to say the least.

Dаn̈ıel Раršlow 🥧

@techtraveler @WPalant Or he should have pseudonymously leaked it them using a throwaway account. With a note to the effect that if they didn't correct it, the next step would be to post it to a public forum.

Varbin :arctic_fox: ​:gay_furr:

@WPalant From the article I read that the judge is actually on the side on the defendant, but does have no other option - the law currently states this.
Possibly the judge hoped that a higher court can set a precedent. This would not be the first case where the judge and the defendant agreed on a (very) mild sentence to allow a revision/appeal to create a ruling by a higher court.

Felix "tmbinc" Domke

@WPalant "During an examination of corresponding binaries of the company Modern Solution, which are freely accessible on the internet, we too found passwords in plain text."

Let's just hope nobody else does something illegal here. That would be very bad. Please don't break the law, and please don't post anonymously about the result for the lulz, and especially, please do not use TOR or something similar when not doing so.

Piiieps & Brummm

@WPalant @pluralistic
Please note: This is not a risky law, but a faulty interpretation of the law. Unfortunately we have a really bad track record of judges not understanding technology. Slowly it gets better.

My 80 year old father has a better knowledge than some of them. Especially: he asks, if he doesn't understand. 😄

I absolutely agree with you, that this ruling should be overturned. Perhaps the @bsi or @bfdi could write an amicus brief with regard to the password.

Yellow Flag

@PiiiepsBrummm @pluralistic Sorry, I’m not really convinced. It is a problematic law, as it rules any data access to be illegal as long as the data is protected – it does not set any requirements on that protection. It doesn’t even require the data to be remote: I could access data on my own computer protected by military-grade ROT13 encryption, and it could be considered a violation of this law. This extremely broad definition is why we now have courts carving out restrictions where this law violates common sense, and they won’t always produce sensible results.

Piiieps & Brummm

@WPalant @pluralistic
Every law needs interpretation. You _can't_ include all definitions and possible exceptions. If you would do this, the code for a bike fit for road use would still involve a 6V dynamo. Battery lamps not allowed.

The whole ruling depends on the interpretation of "protected". The error here is believing that a hardcoded and unencrypted password fulfills the definition.

a1

@WPalant Germany is doing stupid things again.

StineD

@WPalant Something similar happened in Denmark. Dad noticed that he could access private information about other students at his kid's school's website. He reports it to the devs and gets sued for hacking. He was initially found guilty, but that was luckily reversed by a higher court.

DELETED

@WPalant illegal hacker tools such as phpMyAdmin

Site Reliability Enby🏳️‍⚧️🏁🔦📈🐺👗

@WPalant Honestly, completely unsurprised it's Germany, the country that ripped out all its clean energy and replaced it with coal...

Yellow Flag

@SiteRelEnby Hey, I totally agree that Germany did really badly in this area, but are you certain about that “ripped out” and “replaced” part? From all I know, Germany merely stopped paying for building up clean energy capacities which essentially killed this industry branch. But whatever was there already stayed there (healthy increases again under the new government). And Germany isn’t actually expanding the capacity of its coal-fired power stations, though it could certainly retire them sooner.

Ericka Simone

@WPalant ayoooooo @hko take a look and holler at me please.

hko 😷

@ErickaSimone @WPalant ugh. That law is a disgrace, and it's not good to see it applied.

I couldn't easily find an english text about the law, but de.wikipedia.org/wiki/Vorberei is a german language text about it.

GhostOnTheHalfShell

@WPalant Lord, giving cover to cyber crime by punishing white hats or employees doing as asked.

Atta boy, judge.

Urzl

@WPalant So in Germany at least, we explicitly prefer the black hats find and trade on the vulnerabilities first?

Yellow Flag

@gooba42 The law will hopefully be revised. But – yes, that’s the current effect.

pivot

@WPalant If I understand right, the developer found hard coded credentials being used to connect from his instance to the vendor. I think at that point, he has no reason to believe that using those credentials will give him access to anything other than his own data. As soon as he saw otherwise, he backed out and did responsible disclosure. Two thoughts:

1. This will have chilling effects on responsible disclosure (perhaps the goal).
2. If you give me the credentials needed to access a dataset, I don't think you should be able to claim the existence of those credentials as an access control meant to keep me out.

Yellow Flag

@pivot So much for the theory. I would very much like to see the next court instance see things in this way. It’s not a given unfortunately.

Konstantin Weddige

@WPalant the developer has already announced that he will appeal the decision.

But this case has a history. Initially, the court that has now ruled against him decided that it wouldn't even hear the case. But the prosecutor appealed and the next instance sent the case back to the court. Let's hope the appeal has a better outcome this time and the prosecutors will accept it.

I hope the law (#hackerparagraph) will be changed soon. It's on the agenda for this year.

Arnold Boer

@WPalant At least we know which software company we should avoid.

DELETED

@WPalant

Many years ago, someone performed a web search in a search engine (it was likely one before Google). The webmaster had not properly secured the server, and so everything showed up in a simple search result.

That individual stumbled upon a private directory by simply clicking on a search result that revealed hundreds of people's personal information. They reported it immediately and the company fixed it immediately.

But they were still charged in America for "hacking."

1 of 2

DELETED

@WPalant

2 of 2

It was then that I realized that elected officials and our justice department were behind the times, and likely out to get anyone to meet a quota.

It was also then, that I understood that technologically, we were going to fall behind.

I have not been proven wrong in all those years.

DELETED

@WPalant

Well, in the Death Star's (= Capitalist = 💩​) world, reverse engineering and/or access to accounts and/or databases that are NOT yours IS illegal.

The guy should have shut up and/or protected himself.

He could have protected his anonymity by providing reports to medias or well protected institutions with guarantees.

Being "a security researcher" is not only being able to reverse engineer shitty software.

It's also being aware of laws, cautious, and well-protected. 😉​

Although one is a far better person than the world is, one should always be wise enough to remember the world around him/her is still a (very) shitty world.

Cheers.

David Bruchmann

@WPalant
The court had obviously no clue what the password of a database is used for 🤦‍♂️

ChickenPwny

@WPalant leave security to the pro, the pro knows you're not supposed to actually access data, that's dumb.

LisPi

@WPalant @codeneko And so, all proprietary corposcum software cannot be inspected nor trusted.

It can no longer be used. RIP corposcum, you won't be missed.

Scott Guertin

@WPalant So my take away is German courts are technologically ignorant.

Yellow Flag

@scott_guertin Aren’t all courts? Mind you, this was the lowest court instance. Though I do see the problem here with the law itself which was criticized from the very start as being far too broad for the intended goal.

Scott Guertin

@WPalant The law is too broad and the lawmakers are too ignorant.

gulthaw

@WPalant Not entering in the world of analogies the fact remains that he warned them and didn't take advantage of the situation.
For that I'd say he's not guilty of any crime.

[GARLIC] Neon | Natalie

my expectations were low but what the fuck

Luna 🏳️‍⚧️

@WPalant Did the court's judges also study CS? I feel like they didn't, you can easily find out that password by disassembling the binary when it's hardcoded or sniffing on network traffic locally.

Yellow Flag

@luna I don’t think it mattered here how exactly the password was determined – the ruling is based solely on the fact that a password exists, completely ignoring how easily it could be found. Even if the vendor failed to use TLS for that MySQL connection and is sending everything in plain text, looking around in that database to determine that it isn’t only your data would still be considered a law violation.

I hope that a higher court instance will produce a more sensible definition of “protection.”

Dаn̈ıel Раršlow 🥧

@WPalant I sincerely hope this gets publicised to all that vendor's customer base and they lose business as a consequence.

DELETED

@WPalant just make the stuff public news it's not even worth it

Enrico

@WPalant I haven't read the original document and all data that supports this, but I have a question: is this judgment because he connected to the database?

It is my understanding that he did connect. In that case, he was aware that the connection to the database might constitute a violation. He is a person that "knows" these things (and even if he might not know the particular DB engine, he was certainly aware that it was in fact a DB engine). Database engines are not supposed to be exposed, and they might contain data from other persons.

The logical course of action was to notify about the exposed credentials without testing the connection.

crazyeddie

@WPalant This has been going on since the mid 1990's. In the US it rather started with the DMCA, which made it illegal to circumvent "access control", but that law was basically made to comply with the EU based treaties it had already agreed to. Its earliest win in the courts was over DeCSS, which was a brute force attack on 40bit encryption. It continues to be applied to ridiculously weak security provisions to this day. Out of state researchers arrested on entry for presenting research.

Marco

@WPalant it's bad enough that we have bad laws, and judges without any tech understanding, but why would that company sue him in the first place?!?

Yellow Flag

@madeingermany They didn’t sue, this isn’t a civil case. They rather reported him to the authorities. Because – why not retaliate against someone who caused bad press? It’s cheap and easy, doesn’t cost them anything.

Marco

@WPalant he could have downloaded and sold the data - he'd be richer and not in legal trouble right now.

Yellow Flag

@madeingermany Yep, this law certainly does disproportionately affect people who have moral principles.

⛧ veeeeeeeeee

@WPalant @privateger not just that, it also incentivizes selling vulnerabilities / user data on the black market

Wolf480pl

@WPalant arguably, it shouldn't matter how strong the protection was. The purpose of security research is to find flaws in protections, the same flaws that could be used to do something malicious. That's the whole point. The difference between a security researcher and a cybercriminal isn't what protections they bypass, it's what they do after they find out that they can bypass a protection.

Do they report it to the vendor? Or exfiltrate data and sell it on black market?
1/

Scott Wilson

@WPalant So dumb. This is not hacking, nor is it “security research”. It’s called “troubleshooting”.

The company that hardcoded the password into the DB string should be prosecuted for negligence.

Sheepie

@WPalant @stufromoz This is going to result in a LOT of people drawing hard lines in how far they'll troubleshoot things, and a LOT of back & forth "Problem on their end not ours" because nobody's willing to work with each other collaboratively.

Niklas

@WPalant This is actually troubling. I hope, the next instance puts this right.

geminikrokette

@WPalant
First, this is a result of poorly written laws by politicians who, despite knowing better, intended to make hacking a criminal act.

Second, you never ever disclose security or data flaws on your own, and instead contact organizations such as CCC or Heise Security first.

Third, remember the company "Modern Solutions" from Gladbeck, Germany for writing crappy software and this sanctimonious statement in their imprint: 'Mitglied der Initiative "Fairness im Handel".'

Adam Chovanec

@WPalant I am not sure how I feel about this one. Unauthorised access to any computer system may be a problem, regardless of intentions. The fact that the doors aren’t locked doesn’t mean you can open them. I hope that the next instance changes the decision.

Mitsunee | 光音

@WPalant I'm still stuck on the part where using the password as a password in a password entry field was circumventing anything. Isn't that the intended function? And part of the ruling was that they "used software" to do it, but how do you interface with a server without using software? Utter fucking nonsense.

Joseph Riparian 🏳️‍⚧️

@WPalant I don't know if this is interesting to you or not, but even more ridiculous things have happened. My actual state (Missouri) accused a reporter of being a hacker and tried to file criminal charges because they looked at the source code of a website. The prosecutor wouldn't go along with it, thankfully.

missouriindependent.com/2022/0

Jim Rogantini

@WPalant This is just plain wrong. I hope the ruling gets overturned soon.

pseudoramble

@WPalant@infosec.exchange A home owner throws a key on a doormat. Somebody grabs the key, opens the door, and begins moving items out of the house. A passerby says "You left the key out and there are people stealing things from your house." Passerby is arrested much to the relief of the people robbing the house.

???

I feel like this should be fiction?