GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation


    Yellow Flag (wpalant@infosec.exchange), Thursday, 18-Jan-2024 21:40:31 JST

    German law is making security research a risky business.

    Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

    When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

    There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

    I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

    Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html


    Attachment: "Warum ein Sicherheitsforscher im Fall Modern Solution verurteilt wurde" ("Why a security researcher was convicted in the Modern Solution case"), from heise online: The programmer who uncovered a serious vulnerability in the software of the company Modern Solution falls under the hacker paragraph, the court holds.
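    The finding described in this post (database credentials sitting in plain text inside a client program) is the kind a reviewer can document without ever using them. The following is an added example, not code from the post, from the reporting researcher, or from the vendor's software: a `strings`-style scan over a constructed binary image that flags URI-style database DSNs and ODBC-style `Uid=`/`Pwd=` connection strings, records offset, host and user name, and redacts the secret so the report never carries the usable credential. The binary contents, host name `db.vendor.example`, account `shop_app` and the password are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample binary image (not real software): an ELF-like header,
# one URI-style MySQL DSN, one ODBC-style connection string, and noise bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 17
    + b"mysql://shop_app:Sup3rSecret!@db.vendor.example:3306/customers\x00"
    + b"\x90\x90\xcc\x00"
    + b"Server=db.vendor.example;Database=customers;Uid=shop_app;Pwd=Sup3rSecret!;\x00"
    + b"Too many log messages\x00"
    + b"\xff\xfe" * 5
)

# Runs of at least four printable ASCII bytes, the heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# scheme://user:secret@host inside a database URI.
DSN_RE = re.compile(
    r"(?P<scheme>mysql|mariadb|postgres(?:ql)?|mssql)://"
    r"(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s:]+)"
)
# key=value connection strings (ODBC / ADO.NET style).
KV_RE = re.compile(
    r"(?i)\b(?P<key>server|host|uid|user(?:name)?|pwd|password)\s*=\s*(?P<val>[^;\s]+)"
)


@dataclass
class Finding:
    offset: int           # byte offset of the string inside the image
    kind: str             # "dsn" or "keyvalue"
    host: str
    user: str
    secret_redacted: str  # never the full secret: the report must not carry it


def extract_strings(data: bytes):
    """Yield (offset, text) for every printable run in the image."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group(0).decode("ascii")


def redact(secret: str) -> str:
    """Keep two characters so the finding is recognisable, mask the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_credentials(data: bytes):
    """Return credential-looking strings found in the image, secrets redacted."""
    findings = []
    for offset, text in extract_strings(data):
        m = DSN_RE.search(text)
        if m:
            findings.append(Finding(offset, "dsn", m["host"], m["user"], redact(m["secret"])))
            continue
        kv = {k["key"].lower(): k["val"] for k in KV_RE.finditer(text)}
        secret = kv.get("pwd") or kv.get("password")
        if secret:
            host = kv.get("server") or kv.get("host") or "?"
            user = kv.get("uid") or kv.get("user") or kv.get("username") or "?"
            findings.append(Finding(offset, "keyvalue", host, user, redact(secret)))
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_BINARY):
        print(f"offset 0x{f.offset:x} [{f.kind}] host={f.host} user={f.user} secret={f.secret_redacted}")
```

    Run it on a real executable by replacing `SAMPLE_BINARY` with the file's bytes. The output is enough for a report (where the credential lives, which server and account it targets) and deliberately stops short of connecting, so the evidence never includes data from the vendor's database.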
      Wolf480pl (wolf480pl@mstdn.io), Friday, 19-Jan-2024 19:28:41 JST

      @WPalant arguably, it shouldn't matter how strong the protection was. The purpose of security research is to find flaws in protections, the same flaws that could be used to do something malicious. That's the whole point. The difference between a security researcher and a cybercriminal isn't what protections they bypass, it's what they do after they find out that they can bypass a protection.

      Do they report it to the vendor? Or exfiltrate data and sell it on black market?
      1/

      Wolf480pl (wolf480pl@mstdn.io), Friday, 19-Jan-2024 19:29:31 JST

      @WPalant Which is why I think for laws concerning this to be reasonable, they must make it legal to bypass all protection mechanisms as long as you report your findings to the vendor and don't use the bypass to cause harm or for personal gain.

      lainy (lain@lain.com), Friday, 19-Jan-2024 19:57:27 JST, in reply to Wolf480pl
      @wolf480pl @WPalant the only thing reasonable is the 'cause harm' clause, everything else is a non-crime that courts/lawmakers make up.
      timthelion (timthelion@emacs.ch), Monday, 22-Jan-2024 07:07:07 JST

      @WPalant This is self sabotage by the German government. It's a shocking display of utter incompetency. If I find a security flaw in German software I certainly won't be telling anyone about it. This simply weakens German security for no reason.

      Alex (alex_02@infosec.exchange), Monday, 22-Jan-2024 07:08:01 JST, in reply to Emelia 👸🏻 and Tamas K Lengyel

      @tklengyel @WPalant @thisismissem I hate this thread. Also responsible disclosure is a thing and should be protected under law. Vendors doing something stupid then pressing charges is incompetence and should be audited by a gov agency.

      This thread and this case is why people don't bother reporting anything they find without malicious intent and just watch the company shoot themselves in the foot.

      Tamas K Lengyel (tklengyel@discuss.systems), Monday, 22-Jan-2024 07:08:02 JST, in reply to Emelia 👸🏻

      @WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to login and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there. Bad practice on both sides.

      Yellow Flag (wpalant@infosec.exchange), Monday, 22-Jan-2024 07:08:03 JST, in reply to Emelia 👸🏻

      @thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example.

      Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”

      Emelia 👸🏻 (thisismissem@hachyderm.io), Monday, 22-Jan-2024 07:08:04 JST

      @WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.