item 39046838

German developer guilty of 'hacking' for exposing hardcoded credentials in app

325 points | zoobab | 2 years ago | infosec.exchange

246 comments

[+] wackget|2 years ago|reply
Article/title is a bit confusing and perhaps borderline clickbait, so...

If I understand correctly it seems like his crime was *using* the exposed database credentials to log in to the third-party database server.

So he wasn't charged for simply "exposing" the credentials as the title says, but actually using them to poke around.

[+] bluefirebrand|2 years ago|reply
It is basically impossible to know what a system is without accessing it and looking around.

It is like being given a key card for security clearance in a building. You assume any door it opens is a room you're allowed to be in. If security finds you in a room you aren't supposed to be in, is that your fault? Or whoever gave you the card with the wrong clearance level?

Also how about the situation where you open a door, look inside, immediately realize you're not supposed to be there and then report it to security? Should you be punished?

[+] why_at|2 years ago|reply
Yes, he logged into the server using the credentials embedded in the app. Since the server contained information from other users, this would clearly be some kind of crime if he used this access maliciously, or maybe even if he just logged in knowing that he wasn't supposed to be allowed to.

But I think the salient point here is whether or not he could have known that before logging into the server. Since the credentials are in the app, should he assume that the company's security is so bad that this would give him access to all their customer data? He is obviously allowed to use the app, and the app uses these credentials so it's not too much of a leap for him to think that he should be allowed to use them as well.

Regardless, I think the result of this ruling will clearly be bad for computer security. In the future maybe someone who finds a vulnerability like this won't report it out of fear of legal retribution.

[+] soraminazuki|2 years ago|reply
There's nothing confusing about it, it just doesn't frame it in the way you prefer.

From the perspective of the developer, it's natural to assume that the password was in place to prevent non-users from accessing, not legitimate users. After all, the credential wasn't hidden or obscured in any way. When it became clear that users weren't supposed to have access, it was reported to the vendor. Am I missing something here?

On one hand, there's a developer doing their job. On the other, there's another "embarrassed" company retaliating and intimidating would-be bug reporters. It seems crystal clear what's going on.

[+] qwertox|2 years ago|reply
> but actually using them to poke around.

This is true, but he believed that the database was held exclusively for the client, hence only containing data belonging to the client, who gave him permission to access his data. Apparently the name of the database also seemed to indicate this.

As soon as he then noticed that it contained all the data of all customers, he disconnected.

[+] drannex|2 years ago|reply
I stand by the phrase "Hacking Is Not A Crime".

It's what you do with the data once you have access to it. If you do nothing, it shouldn't be a crime, the crime should be the, presumably, nefarious usage if used.

[+] dang|2 years ago|reply
If someone can suggest a better (more accurate and neutral) title, we can change it above.

(It's best to use a representative phrase from the article body rather than making up new language; that's usually, though not always, possible.)

[+] Sparkyte|2 years ago|reply
That isn't hacking which the title implies. Hacking is more involved and exploitation of systems.

This is just taking the keys and unlocking the door to your benefit.

[+] bsdice|2 years ago|reply
This is actually a big problem for Germany, because the cited StGB 202 ff. penal code paragraphs have made security research in any private sector shape or form impossible, or at least highly unattractive.

Now a gap of almost 20 years has opened, where basically no young engineers have been interested in the field, let alone trained. The biggest companies with the deepest pockets have been mopping up anyone they could find. Top talent went abroad. And so the majority of German businesses which are SMB get hacked more every day. Nobody audits anything. Unfortunately, anything networked is a security risk these days.

I caution that it is highly naive to bet on this getting thrown out at higher court levels. Defendant is looking at YEARS of wasted brain cycles, trying to go from AG to LG to OLG to BGH. My guess is a 100k EUR of fees also wasted. And for what. Because a company couldn't properly secure their data, you told them that, and as a "thank you", they sued you in court?

My advice: If there is no clear bug bounty program, or it is not your own company, or you weren't tasked in writing and paid by the very company to find any holes, don't make it your problem. Suppress any good samaritan helper complex you might have. Wipe all files and talk to nobody. Especially not in your place of employment. Once a lawsuit is involved, anyone questioned will say "Oh, Mike from DevOps figured that one out from the hexdump". You will regret it.

Some of the older German infosec dogs are aggravated by this so much that they refuse to help any governmental organization if there is an incident. Learning through pain.

[+] formerly_proven|2 years ago|reply
This case has been going on for a few years.

Last summer the court declined the prosecutor's case (in this system, the prosecutor files their case with the court, and the court does a quick scan and will dismiss the case before scheduling the trial if it's obviously unsound - happens fairly rarely). Prosecutors got this overturned by a higher court, which means this trial happened at the same lower court, but with a different judge than the one who initially dismissed the case.

> According to a decision by the Jülich District Court on May 10, 2023, the criminal proceedings against the security researcher have been dismissed. The court assumes that no criminal offense has been committed because the data accessed by the security researcher was not sufficiently protected. "Only data that is specially protected against unauthorized access is subject to the scope of protection of the criminal offence. This presupposes that measures have been taken that are objectively suitable [...] to prevent access to the data," the court's decision states. "The court does not agree with the opinion of the public prosecutor's office that password protection as such is sufficient. A password does not always provide effective data protection, for example if it is too simple or is used in a standardized way for certain applications. In such cases, the provision of access to data does not constitute an offense."

> Through its own investigations of the Modern Solution software, heise online was able to confirm that it did indeed contain a built-in default password. This meant that anyone who had examined the software, which was freely downloadable from the company's website, would have had access to the data on the Modern Solution servers.

[+] HL33tibCe7|2 years ago|reply
No, he was found guilty for using those credentials to connect to the database. I can’t speak for German law, but at least in the UK this would be an open-and-shut case, it’s a clear violation of the Computer Misuse Act.

You can like that or not, but if you’re in the position to be doing research like this, you really ought to know the basics of the law.

[+] lcnPylGDnU4H9OF|2 years ago|reply
> research like this

> His crime: he was tasked with looking into a software that produced way too many log messages.

The developer wasn't doing security research. It sounds like they just had a bug they were looking into. Connecting to the database and realizing what it is to immediately disconnect and report it responsibly shouldn't be something that comes with punitive measures. As another commenter pointed out, this incentivizes people to sell this knowledge to others who will actually "misuse" it.

[+] from-nibly|2 years ago|reply
But turning on the app "uses" those credentials. So were all of their consumers guilty of hacking too?

What's the difference? MAYBE I could see this as a violation of the ToS, but it's a far cry from "hacking".

Having a password doesn't mean they were trying to keep people out. They shipped the password.

That's like going into a building and they HAND YOU a keycard, and say don't go anywhere you aren't supposed to. And then it's actually a master key. How do you even know that it's going to let you into places you aren't supposed to go?

I have creds to Google's services but it only gives me access to MY stuff.

[+] nikeee|2 years ago|reply
I'm not sure whether it's that easy. AFAIK he had a customer that wanted him to investigate why the customer's system was flooded with some data. He ran the connector to some other service that the data seemingly originated from and observed a connection being opened to a remote MySQL server in plain text in his firewall. He took a look at this and saw that the credentials used were equal across all tenants of the MySQL DB. So it wasn't just his customer's data that was exposed, it was the data of all tenants. AFAIK he then created some hashes of user data and exported this, so he could report this to the authorities and give users the ability to check whether they were listed in the system that had to be considered compromised. The DB exposed data of around 700k end users. He also contacted the company that runs that DB about this issue.

The vendor of that connector then issued a new client that used TLS, which he also circumvented to show that the issue is still valid. He is also accused of decompiling the client software to obtain the password. IIRC, he instead claimed to just have opened the file in notepad.
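The comment above describes a credential that sat in the client in the clear, shared by every tenant, and readable by anyone who opened the file. A vendor-side check that catches exactly that before a build ships is shown here as an added example; it is not code from the page, from the case, or from any party to it. The sample artifact bytes, the placeholder secrets, the host name and the two credential patterns (a URL-style DSN and a `DB_PASSWORD=` line) are assumptions constructed for the example.

```python
"""Pre-release check for credentials embedded in a shipped client artifact.

Added example (not the page's code). A secret present in bytes that every
customer downloads is not a secret: this scan flags DSNs and key=value
passwords so the build fails before the artifact leaves the vendor. The
report redacts the password bytes so the finding does not re-leak them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample standing in for a client binary: ELF magic, padding and
# two embedded placeholder secrets (values invented for this example).
SAMPLE_ARTIFACT = (
    b"\x7fELF" + b"\x00" * 40
    + b"mysql://shop_app:PLACEHOLDER_SECRET@db.example.invalid:3306/orders\x00"
    + b"\x00" * 12
    + b"log_level=debug\nDB_PASSWORD=\"PLACEHOLDER_SECRET2\"\n"
    + b"\x00" * 8
)

# Two common shapes (assumed, not taken from the page): a URL-style DSN that
# carries user:password@host, and a key=value line whose key names a DB password.
DSN_RE = re.compile(
    rb"(?P<scheme>mysql|postgres(?:ql)?|mongodb|redis)://"
    rb"(?P<user>[^:@\s/]+):(?P<password>[^@\s/]+)@"
    rb"(?P<host>[^/\s:]+)(?::(?P<port>\d{1,5}))?"
)
KV_RE = re.compile(
    rb"(?P<key>(?:DB|MYSQL|DATABASE)_?(?:PASS(?:WORD)?|PWD))\s*=\s*"
    rb"[\"']?(?P<value>[^\"'\s;]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str          # "dsn" or "kv"
    offset: int        # byte offset in the artifact, for the hexdump line
    user: str          # DSN user, or the key name for a key=value hit
    host: str          # "?" when the pattern carries no host
    password_len: int  # length only; the secret itself is never stored


def scan_artifact(blob: bytes) -> list[Finding]:
    """Return every embedded credential found in blob, ordered by offset."""
    found: list[Finding] = []
    for m in DSN_RE.finditer(blob):
        found.append(Finding("dsn", m.start(),
                             m["user"].decode("ascii", "replace"),
                             m["host"].decode("ascii", "replace"),
                             len(m["password"])))
    for m in KV_RE.finditer(blob):
        found.append(Finding("kv", m.start(),
                             m["key"].decode("ascii", "replace").upper(), "?",
                             len(m["value"])))
    return sorted(found, key=lambda f: f.offset)


def redacted_hexdump_line(blob: bytes, finding: Finding, width: int = 32) -> str:
    """One hexdump-style line at the finding's offset with the secret masked."""
    regex, group = (DSN_RE, "password") if finding.kind == "dsn" else (KV_RE, "value")
    m = regex.match(blob, finding.offset)  # re-match at the known offset to locate the secret
    chunk = bytearray(blob[finding.offset:finding.offset + width])
    if m:
        start = m.start(group) - finding.offset
        end = min(m.end(group) - finding.offset, width)
        for i in range(start, end):
            chunk[i] = ord("*")
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{finding.offset:08x}  {printable}"


def report(blob: bytes) -> str:
    """Summary suitable for a CI log; contains no secret bytes."""
    lines = []
    for f in scan_artifact(blob):
        lines.append(f"{f.kind} at 0x{f.offset:x}: user={f.user} host={f.host} "
                     f"password={f.password_len} bytes (redacted)")
        lines.append("  " + redacted_hexdump_line(blob, f))
    return "\n".join(lines) if lines else "no embedded credentials found"


def build_should_fail(blob: bytes) -> bool:
    """Release gate: any finding at all blocks the build."""
    return bool(scan_artifact(blob))


if __name__ == "__main__":
    print(report(SAMPLE_ARTIFACT))
    raise SystemExit(1 if build_should_fail(SAMPLE_ARTIFACT) else 0)
```

Run against a real build output, the gate fails the pipeline on the first hit; the report gives the offset and a masked context line, which is enough for a developer to locate the string without the log itself becoming a second copy of the credential. The scan only covers the two shapes it knows, so it complements, rather than replaces, moving the secret out of the client into per-tenant server-side credentials.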

[+] a_dabbler|2 years ago|reply
Sounds to me like the database credentials were embedded in the application so presumably the application would log in to the vendor's server as an intended action. Does this mean all the vendor's users must be charged with hacking also?

[+] mpeg|2 years ago|reply
I wouldn't say it's so clear, if you read the article it seems like the developer was investigating an issue and found the database credentials, assumed the database connection was single-tenant (or that the user would be limited by permissions) as the software was connecting directly to it, and used them. When they realised they had access to more data than intended, they disconnected from it.

I have done exactly the same thing in similar circumstances – I had a desktop software vendor that we had issues with, saw the config files stored database credentials in plaintext and connected to it. In my case, the database was single tenant for our company so I managed to get what I wanted done.

Surely intent must come into play when it comes to applying the law in cases like this? It doesn't seem like the developer had any intent to access a restricted system.

[+] malka|2 years ago|reply
Or you just could go the whole other way. Don't report. Sell.

[+] AtNightWeCode|2 years ago|reply
INTENT is the keyword for most laws. If the intent here was to check the security it is 100% legal within EU. Don't know about UK. I guess the guy poked around.

[+] hypeatei|2 years ago|reply
Seems like those laws need to be re-written. Intent matters and it doesn't seem like this "hacker" was trying to do any harm.

Company got caught with their pants down and want to punish this person for exposing that.

[+] quickthrower2|2 years ago|reply
Yeah it is a chilling effect that will make German systems less secure, and other countries who are immune from German prosecution are going to exploit that. This story alone makes me refuse to work in Germany as a developer, let alone in security.

[+] EasyMark|2 years ago|reply
I agree, this conviction is really about challenging corporatism and making them look bad. They really want "the peasants" to know their place and not peep through the nobles' windows. The state will almost always side with those with the most money, unless lawyers somehow shine the light of public opinion on it, then they might have a chance. This is why you do stuff anonymously.

[+] wouldbecouldbe|2 years ago|reply
Had a food startup in the Netherlands.

Worked with PostNL, the main and previous governmental organisation for sending mail.

Weekly we would upload our orders in their system; and could see our history.

Then one day we could suddenly access all other clients history and export their users data. Many of them direct competitors, and their mailing lists would have been quite valuable to us.

My partner exported all Marley Spoon's (a bigger funded competitor) data in Excel and a few others. When he told me I told him to delete it ASAP, even though it's fun, you don't create a liability. But we could have used it to grow 10-30% in a few weeks.

They never reported it, which they were legally obliged to do under EU law.

All to say, if you get the keys to the castle, maybe don't use them. Or maybe you do.

We should, and could have used it, in price negotiations since they almost doubled the prices to us for the next few months and didn't have any mercy. Let alone misplacing 3-8% of our orders and not refunding.

But instead we moved to a few other delivery services (with all their own flaws).

[+] jeroenhd|2 years ago|reply
You can anonymously tip the Autoriteit Persoonsgegevens and let them look into the issue if you're afraid of repercussions. Any screenshot containing evidence of PII being leaked will certainly help, and I doubt PostNL will have fixed their terrible terrible systems.

Under Dutch law your colleague would've committed a crime by downloading the data he knew he shouldn't be allowed to access, beyond what was necessary to conclude that there was a leak.

"Using" this info during negotiations would've been blackmail, which is very much a thing you wouldn't want to do, especially with a company that big and without real competition; they'd go to the police, and you'd be screwed.

[+] daltont|2 years ago|reply
Sounds similar to a case where I am from:

https://www.techdirt.com/2022/02/25/turns-out-it-was-actuall...

The "hacking" was decrypting social security numbers from BASE64.

[+] RajT88|2 years ago|reply
Funny message in the encoded Base64 on that article, which reminds me of a musing I had a while back.

Imagine the number of lazy programmers who paste stuff into an online Base64 decoder. Imagine all the stuff that is in those payloads!

Running a site like base64decode.org would be a fantastic honeypot.

[+] mdgrech23|2 years ago|reply
So many "hacks" are the equivalent of some fool left the front door wide open. If you left your front door wide open and were robbed, the public would have 0 sympathy for you, yet people scream at the hackers when these companies cheap out and don't do shit to update/maintain/enforce basic best practices around security.

[+] babarock|2 years ago|reply
It's not about "sympathy". It's about crime.

If you left your front door wide open and I robbed you, I'd have committed a crime. There's no "but the front door was open" defense.

[+] bdcravens|2 years ago|reply
> If you left your front door wide and were robbed

It would still be a crime. I would and should be chastised, but the person who robbed me should still receive a proper punishment.

[+] belval|2 years ago|reply
> If you left your front door wide and were robbed the public would have 0 sympathy for you

Not sure where you live for that to be the case, but someone coming in because I left my door open is not normal, even if I left my door open. Even if they claim they were "making sure everything was safe".

[+] j-bos|2 years ago|reply
Isn't this the opposite of good samaritan laws? If you see something, say, nothing, do nothing.

I wonder, if it's illegal to find these problems, would it be legal to notice there might be a problem, stop, and short the company stock?

[+] IshKebab|2 years ago|reply
> would it be legal to notice there might be a problem, stop, and short the company stock?

Yes. As long as you don't use inside information this would be perfectly legal. It's pretty much what companies like Hindenburg Research do.

The problem you would find if you actually tried to do this is that investors pretty much don't care about security issues, so the stock price wouldn't go down after you revealed the flaw. That's even if they're publicly traded which doesn't appear to be the case here. I think it's these guys but I don't speak German so don't quote me: https://www.modernsolution.net/

[+] ajsnigrutin|2 years ago|reply
Tor + twitter (if you can actually register there with tor):

"Hey, I just happened to find out that there is a password here in this app, at offset X, here's the screenshot from the hexdump with the visible password... I'm not allowed to check what that password is, even though there is also a username and a host next to it, and clear indication that it's an SQL connection, but I'm not testing this, but I'm warning you, the general public, that this here exists, please don't try connecting to this IP using this username and password, thank you!"

[+] hipadev23|2 years ago|reply
Issue is those flaws can go unnoticed for years, so you may need to give them a nudge for your short to be successful.

There’s also the fact that at least for US companies massive data leaks/breaches often have no negative financial impact on the company.

[+] fkkffdddd|2 years ago|reply
Paragraph 202a of the criminal code:

https://www.gesetze-im-internet.de/stgb/__202a.html

Roughly:

„Gaining access to data that is protected with special methods against unauthorised access, either for personal use or for others“

So apparently, hardcoded passwords baked into the client do qualify for that.

[+] sgift|2 years ago|reply
Yeah. It's well known as a really shitty law, which should never have been passed. But here we are. Maybe until 2050 they fix it or so.

[+] yukkuri|2 years ago|reply
Better to just pretend you never noticed it. Even telling them their password is visible is risking being the messenger that gets shot. Using the password is right out.

[+] jansommer|2 years ago|reply
I think a lot of issues are never reported because of stuff like this. We hear about white hat hackers getting sued all the time. And in the end it'll hurt us all because crooks don't care, and will use these found-but-undisclosed security holes to their advantage. Then, when they threaten the company to either pay or get a public dump of their wide-open database, management refuses and gets a slap on their wrist by the government once it's released - and customers receive a "sorry, we got hacked" mail between a bunch of highly personalized phishing mails.

[+] Zamicol|2 years ago|reply
The law shouldn't be involved in this. Fix your systems. Taxpayers should not be forced to defend poorly designed systems.

[+] orenlindsey|2 years ago|reply
This is like giving someone a book you wrote to proofread, with your password unintentionally in the text. They use it to log in and then tell you about it. Sure, they shouldn't have logged in, but it doesn't feel like it deserves criminal charges.

[+] PurpleRamen|2 years ago|reply
Just because you can, doesn't mean you should...

And it's not a criminal charge, the penalty is paying 3000 Euro and the costs of the lawsuit.

[+] scrps|2 years ago|reply
Good marketing pitch for disclosing to the highest bidder rather than responsibly to industry: gonna go to jail, you might as well get top dollar for your trouble.

Oh no we did a terrible job and hardcoded credentials, someone found and tried a password and then reported it without stealing or destroying anything but our egos... the horror. Let's run to the cops and potentially ruin a life.

[+] evilDagmar|2 years ago|reply
Sadly this is why one must notify vendors anonymously, and tell them up front they have 30/60/90 days to fix it before the information will be made public.

This vendor was abysmally irresponsible by storing static credentials in the application with apparently full read access to the databases. Stored procedures exist for a reason and they're not even remotely new.

If a "bad guy" had dug this out first, things would have been much, much worse for everyone involved, including the vendor. Trying to shoot the messenger makes me wish they'd mentioned which vendor so that their customers could be encouraged to go with someone who takes security even a little bit seriously.

[+] magicmicah85|2 years ago|reply
It's a very fine area. Once he had the database credentials, that's all he needed to tell the company to fix their code. Connecting to the database is what did him in.

We need white hats that want to find vulnerabilities for good, but when you exploit a target and they aren't aware until after the fact, that's still a crime. I don't know what the safe way of doing this is other than only doing white hat hacking on systems you control. Any system outside of your control should not be exploited unless the company has an agreed upon contract that indemnifies you from any harm caused.

[+] vdaea|2 years ago|reply
After reading the text I predict this is completely sensationalised and that something worse happened.

[+] pgeorgi|2 years ago|reply
It's a lowest-level court, they're known to have wildly absurd legal opinions at times. Having stupid laws on the books (like the one in question) doesn't help.

The curious bit is that this law is from 2007, so apparently this is an angle that escaped all attorneys and courts who applied this law in 16.5 years, or the defense could have shot down this line of reasoning by pointing out that this isn't what the law intended. (We don't have case law, but there are means of harmonizing outcomes once stuff ends up at higher-level courts.)

My guess is that this won't hold up for long given the circumstances (trivially got the password, accidentally gained more access than expected, immediately disconnected upon notice).

[+] z500|2 years ago|reply
According to the linked heise.de article the defendant assumed the credentials were for a database that only contained his client's data, and immediately disconnected as soon as he realized he was actually seeing data for all of the complainant's clients.

[+] blurbleblurble|2 years ago|reply
This is outrageous.

[+] Log_out_|2 years ago|reply
No, it's Germany. That law is a seal of quality on any German software. So bad security wise, they need obscurity by lawzyness as main protection.