German Court Fines Security Researcher for Reporting Company's Vulnerabilities

Previously: &quot;German developer guilty of &#x27;hacking&#x27; for exposing hardcoded credentials in app&quot;[0] (319 points, 4 days ago, 243 comments)<p>[0]: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39046838">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39046838</a>

It&#x27;s interesting that it seems the trial hinged on the use of a password specifically. I&#x27;d guess the thinking was: password protecting it implies you shouldn&#x27;t access it without authorisation, he worked around this authorisation, therefore it was illegal access.<p>This strikes me as a naive, if understandable, viewpoint. The average person on the street I&#x27;m sure gives special consideration to passwords as a concept, but from a security perspective they&#x27;re just entropy. Engineers frequently use things like a &quot;sufficiently random string&quot; in a URL as a pseudo-password, or a username only on HTTP basic auth, or API keys that aren&#x27;t &quot;passwords&quot; but are &quot;keys&quot;, all of these are the same concept – unpredictability.<p>This is obviously a sad outcome for the researcher, and for the German cybersecurity industry, but I&#x27;m also surprised that the court was happy with such a shallow interpretation of security, as it theoretically opens the door to types of misuse that don&#x27;t depend on passwords to be defended, and may prevent legitimate uses that happen by chance to depend on passwords. The boundary seems to have been drawn in a place that won&#x27;t be useful for anyone.

The &quot;best&quot; part is the reason given by the court for the conviction is that he used software to access the database by password.<p>He used phpMyAdmin.<p>How on earth should you be able to access a database other than via software? Telepathy?

If white hats aren&#x27;t welcome, black hats will visit.

I don&#x27;t particularly disagree with the verdict. He was not hired by them, he did disclose the issue publicly, and the 3-day fix schedule is hilarious. And the 3000 eur fine is more like a slap on the wrist. I actually know an ethical hacker, and the process is quite different - the &quot;deadline&quot; is more like 3 months, and he always contacts the authorities a long time before anything has a chance of going public.<p>As for the company denying the issue this means nothing. It&#x27;s reflex due to liability - GDPR exposes them of fines of millions, and an email saying &quot;ups, we fucked up&quot; is a quick shortcut to that.<p>&gt; [...] police arrived at the researcher’s residence on September 15, 2021, “gained access to the apartment and pushed him against the wall. The police confiscated a PC, five laptops, a cell phone and five external storage media - the programmer&#x27;s entire work device.”<p>This is the scary part. Total value confiscated is over 3000 eur, and the disruption created is even more than that. And this happened _before_ any conviction. THIS is what we should be up in arms about.<p>From what I understand, confiscating phones and keeping them for the duration of the investigation is becoming, if not standard, at least moderately common. This is punishment, not investigation.

I can explain, a bit, as I recently did a bit of research in this area, particularly Section 202 (Section 202a, Section 202b, and Section 202c) of the German Criminal Code (Strafgesetzbuch, StGB) which addresses the unauthorized access to data. Disclaimer: I&#x27;m not a lawyer (but I do have one).<p>In Germany this is taken <i>very</i> seriously.<p>- 202a deals with secret interception of data which was not intended for the interceptor<p>- 202b makes it illegal to access data within a system without the necessary authorization. I <i>think</i> this also means (I&#x27;m sure someone out there can correct me if I&#x27;m wrong) that even if the accessor knows the password and has even been given it, but does not have the explicit granted permission nor authority to use it to access the system, it is a crime. I&#x27;m pretty sure (as a layman) that this is what this case is about. Perhaps this and a bit of 202a. &#x27;Goodwill, whitehat&#x27; etc will not help here. Lucky he had no criminal priors and Germany is not generally a fan of throwing people in prison.<p>- 202c is mostly about stealing data, making it public, or using it for (a) or (b).

&gt; The court convicted the researcher, calling into question whether accessing software with weak password protection through readily available methods constitutes hacking<p>&gt; Ultimately the court sided with the prosecution, finding the researcher guilty of hacking<p>So which one is it? I haven’t read the actual court documents, but this is confusing.

Countries need to realize that the way to improve your security is by <i>facilitating</i> (non malicious) hacking.<p>It&#x27;s likely that many, in governments and intelligence, still favor ensuring access for themselves to preventing it to everyone.<p>They need to think it through and see that it&#x27;s stupid for their countries

[dupe]<p>The ruling referenced in this is from last week<p>More discussion: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39046838">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39046838</a>

Let&#x27;s wait and see, this feels like a mistrial by a small court. The last word has not been spoken here.

While this is a disastrous ruling, it also will very likely not stand in the higher court that will handle the appeal. But great that our idiotic hacker tool law from 2007 is finally getting some international exposure.

when you find a hole, you go sell it on the darknet.<p>governments, the justice. they will F you up if you try to play white knight.<p>seriously, that security researcher just got what he deserved.<p>you have to sell that data on the darknet. and F them up again, and again, and again until their asses bleed to much they will give FULL protection to security researchers.<p>and if you don&#x27;t make them bleed, they wont care.