German Court Fines Security Researcher for Reporting Company's Vulnerabilities

77 points | ankitdce | 2 years ago | socket.dev

34 comments

danpalmer | 2 years ago
It's interesting that it seems the trial hinged on the use of a password specifically. I'd guess the thinking was: password protecting it implies you shouldn't access it without authorisation, he worked around this authorisation, therefore it was illegal access.

This strikes me as a naive, if understandable, viewpoint. The average person on the street I'm sure gives special consideration to passwords as a concept, but from a security perspective they're just entropy. Engineers frequently use things like a "sufficiently random string" in a URL as a pseudo-password, or a username only on HTTP basic auth, or API keys that aren't "passwords" but are "keys", all of these are the same concept – unpredictability.

This is obviously a sad outcome for the researcher, and for the German cybersecurity industry, but I'm also surprised that the court was happy with such a shallow interpretation of security, as it theoretically opens the door to types of misuse that don't depend on passwords to be defended, and may prevent legitimate uses that happen by chance to depend on passwords. The boundary seems to have been drawn in a place that won't be useful for anyone.

radu_floricica | 2 years ago
This is an old, old interpretation, and it is correct. You can't base law on a sliding scale like entropy. The value of the password is symbolic, not that it's easy or difficult - anything beyond a password is clearly private.

I don't love metaphors very much, but doing anything other than that opens the door to absurd defenses like "your honor, he left his wallet on the table when he went to the bathroom, it's obvious anybody can legally pick it up". Not to mention a cop favorite which is unfortunately in use: if you dare report a robbery, they'll fine you for not having your security system up to date. Yes, it's a thing. Does wonders for their closure rates.

It's not the height of the fence that makes it theft - it's that there is a fence at all.

croes | 2 years ago
The "best" part is the reason given by the court for the conviction is that he used software to access the database by password.

He used phpMyAdmin.

How on earth should you be able to access a database other than via software? Telepathy?

damiante | 2 years ago
Looking at the bits on the disk with a magnifying glass and copying them onto a piece of paper with a pen :^)

WolfCop | 2 years ago
If white hats aren't welcome, black hats will visit.

radu_floricica | 2 years ago
I don't particularly disagree with the verdict. He was not hired by them, he did disclose the issue publicly, and the 3-day fix schedule is hilarious. And the 3000 eur fine is more like a slap on the wrist. I actually know an ethical hacker, and the process is quite different - the "deadline" is more like 3 months, and he always contacts the authorities a long time before anything has a chance of going public.

As for the company denying the issue, this means nothing. It's reflex due to liability - GDPR exposes them to fines of millions, and an email saying "oops, we fucked up" is a quick shortcut to that.

> [...] police arrived at the researcher’s residence on September 15, 2021, “gained access to the apartment and pushed him against the wall. The police confiscated a PC, five laptops, a cell phone and five external storage media - the programmer's entire work device.”

This is the scary part. Total value confiscated is over 3000 eur, and the disruption created is even more than that. And this happened _before_ any conviction. THIS is what we should be up in arms about.

From what I understand, confiscating phones and keeping them for the duration of the investigation is becoming, if not standard, at least moderately common. This is punishment, not investigation.

jevoten | 2 years ago
> As for the company denying the issue this means nothing.

It doesn't mean nothing - if the company themselves claim it's not an issue, then they're admitting he didn't hack anything and didn't expose them to any risk by revealing the vulnerability. Because according to the company themselves, it "means nothing", so he just took them at their word. They can't have it both ways, claim it was nothing to avoid liability themselves, while also claiming it caused them great harm and he should be prosecuted.

I will, perhaps, have a tiny bit of sympathy for the company, when attacks by companies on consumers via undisclosed spyware (they call it "telemetry") are treated in the same "raid the premises and confiscate everything" manner by the authorities.

BLKNSLVR | 2 years ago
I had $10k of gear confiscated. Took them eight months to find nothing, then I had to go pick it up. This was in Australia.

Police forces are grossly undereducated about anything related to computers and the internet, and ironically the people who suffer at their hands are the actually knowledgeable ones.

karim79 | 2 years ago
I can explain, a bit, as I recently did a bit of research in this area, particularly Section 202 (Section 202a, Section 202b, and Section 202c) of the German Criminal Code (Strafgesetzbuch, StGB) which addresses the unauthorized access to data. Disclaimer: I'm not a lawyer (but I do have one).

In Germany this is taken very seriously.

- 202a deals with secret interception of data which was not intended for the interceptor

- 202b makes it illegal to access data within a system without the necessary authorization. I think this also means (I'm sure someone out there can correct me if I'm wrong) that even if the accessor knows the password and has even been given it, but does not have the explicit granted permission nor authority to use it to access the system, it is a crime. I'm pretty sure (as a layman) that this is what this case is about. Perhaps this and a bit of 202a. 'Goodwill, whitehat' etc will not help here. Lucky he had no criminal priors and Germany is not generally a fan of throwing people in prison.

- 202c is mostly about stealing data, making it public, or using it for (a) or (b).

radu_floricica | 2 years ago
Is there not wider EU regulation dealing with responsible disclosure? I know for a fact that in Romania you can do that, if and only if you follow certain steps (definitely not public disclosure after 3 days, obviously), and I _think_ the source is EU regulation, not local law. IANAL etc.

Karupan | 2 years ago
> The court convicted the researcher, calling into question whether accessing software with weak password protection through readily available methods constitutes hacking

> Ultimately the court sided with the prosecution, finding the researcher guilty of hacking

So which one is it? I haven’t read the actual court documents, but this is confusing.

g-b-r | 2 years ago
Countries need to realize that the way to improve your security is by facilitating (non-malicious) hacking.

It's likely that many, in governments and intelligence, still favor ensuring access for themselves to preventing it to everyone.

They need to think it through and see that it's stupid for their countries.

atoav | 2 years ago
Let's wait and see, this feels like a mistrial by a small court. The last word has not been spoken here.

Semaphor | 2 years ago
While this is a disastrous ruling, it also will very likely not stand in the higher court that will handle the appeal. But great that our idiotic hacker tool law from 2007 is finally getting some international exposure.

g-b-r | 2 years ago
From what I heard the (idiotic) law was interpreted correctly.

There might be a final chance with the European Court of Human Rights if everything else fails.

But that easily takes many years. The right thing is to show your government how stupid the law is (harmful for Germany's security), to change it quickly and retroactively and compensate the researcher (I'd also say punish the company seriously, but that can't be applied retroactively).

6R1M0R4CL3 | 2 years ago
when you find a hole, you go sell it on the darknet.

governments, the justice. they will F you up if you try to play white knight.

seriously, that security researcher just got what he deserved.

you have to sell that data on the darknet. and F them up again, and again, and again until their asses bleed too much and they give FULL protection to security researchers.

and if you don't make them bleed, they won't care.