If I understand correctly it seems like his crime was *using* the exposed database credentials to log in to the third-party database server.

So he wasn't charged for simply "exposing" the credentials as the title says, but actually using them to poke around.

It is like being given a key card for security clearance in a building. You assume any door it opens is a room you're allowed to be in. If security finds you in a room you aren't supposed to be in, is that your fault? Or whoever gave you the card with the wrong clearance level?

Also how about the situation where you open a door, look inside, immediately realize you're not supposed to be there and then report it to security? Should you be punished?

It's more similar to finding a key hidden under the mat at someone's house. You can then contact the owner and inform them of the security issue but what you should not do is use the key to open the door and go in and see if there is really harm in you being able to enter. Because you might accidentally achieve the exact thing that a criminal wants such as finding a note with a password on it. You can then claim you didn't want to find it but the fact is that 1) you broke the law by entering and 2) you caused a malicious event (namely obtaining a password).

You can then pinky swear that you didn't already use it for any further malicious actions but that will be difficult to verify.

If I ever lose my key, I don't want people to enter my house to prove that they can. Inform me of how you obtained the key and I'll change the locks and make sure I don't lose my key again. If you do enter my house, expect me to press charges.

Lets pretend the guy was a pest exterminator, hired to kill some bug infestation. He is given a keycard to access most of the building. As he is hunting down the nest, he finds a hole in the wall. Bugs tend to come through holes in walls, so he goes in to figure out whether what he is looking for originates there.

He enters the room on the other side, and looks around for other holes that might have bugs. He then notices a file with big red letters saying "TOP SECRET". Turns out he accidentally entered the maximum security file room. So now he leaves the room, goes to security and tells them what he found. Then gets arrested for 1 count of trespassing and 1 count of breaking and entering.

How is that fair?

> According to the defendant, the defendant has first assumed that the software on his customer's server will connect to a Modem Solution database that was only intended for his customer and contained only his data. From the read-out database name, this sounded quite plausible. However, the defendant quickly discovered that the corresponding database contained much more information.

If a key is taped to the outside of the door that it opens, you still can't use it without committing a trespass. Not unless you got authorization to use it from the right person(s) first. Shitty security isn't a legal invitation.

The “key” analogy though is a bit stretched.

It is clear that here, the credentials were used in a way other than intended.

The questions are now rather “is it reasonable to expect that a person interacting with a website normally would reasonably be permitted to use anything sent to them by that website in any way they choose?”

A lot of us here are more tech-minded and would likely say “yes, if you don’t want people using credentials, don’t provide them”. The courts on the other hand may take a different view and say “well we already restrict what people can do with content on a website through copyright laws, this person should not automatically have the right to use those credentials in any way other than the way provided”.

It will become even more complicated if the website has terms of service which clearly state something which has a similar technical meaning to “no trespassing”’s physical meaning.

You get to a door, and there is a postit note on the door saying "Keycode is 2424".

You know your job is in the building. Your keycard let you into the room with the door. Therefore, if this door lead to a "high-security" area, surely they wouldn't put a postit note there? Maybe, as the bug exterminator, or maintenance person, it is expected that I should be able to enter that room?

then how does the analogy play out?

The vendor put the master keys of the main database in a publicly-accessible package. It’s insane.

Of course the researchers tested the keys, to check whether it was true. If it can be proven that it was used for nefarious reasons, then ok for blaming him, but as far as we know, the researcher just used it to get convincing evidence and left the system.

The company is to blame 100%, and the research should get an encouraging award for white-hat reporting. Not this.

His job was to solve a problem with a database's log files. He found another second database. "Maybe this second database is causing duplicate log files?" so he goes in and looks.

It makes sense to me. Based on the german article: (machine translated to english)

> The software of Modern Solution had a database of the defendant's customer "fully littered with log reports," says the defence lawyer. His client was then given the order from his customer to solve this problem.

> The defendant then determined that the software from Modern Solution established a MySQL connection over the Internet to the servers of the Gladbeck company. ...the defendant has first assumed that the software on his customer's server will connect to a Modem Solution database that was only intended for his customer and contained only his data. From the read-out database name, this sounded quite plausible.

> However, the defendant quickly discovered that the corresponding database contained much more information. It later turned out that the data here was included Modern Solutions customers and from all end customers whose online shops were included. According to his own statement, the defendant had directly separated the database connection when he discovered that he had access to other customers' data.

> the programmer contacted the affected company with the help of a tech blogger, which then closed the security gap and displayed the programmer at the police.

It isn't hidden, maybe this is how I'm supposed to get data.

I think how close you think those two situations are depends on whether you consider the application to be an agent of the customer (like a personal shopper), or of the shop (like a salesman).

Did:

A - the programmer coerce the application (an agent of the shop) into accessing secret information (breaking into the shop warehouse), or

B - the programmer ask the application (his own agent, a personal shopper) to go and look for interesting things in the database (shop's warehouse) for him, a privilege that the application (personal shopper) was afforded in advance by the shop?

I personally think that A is a dangerous precedent to set for society. Treating any network-bound application as the agent of its creator would mean it was wrong to observe your computer (which you generally use for more than just accessing one online shop), and would therefore effectively kill FOSS.

But even just assuming that the fact that the app was using a key means that he can try to access other things with it is a dangerous precedent. Can I access your OnlyFans if you give me the password to your Netflix account and you use the same password for both? Can I access the company database directly if the app connects to it? There could be all sorts of confidential info on that server, perhaps the gossip of the customer service people about you or info about other customers.

The key (connection string) was already given to him via the app and he was entering the house (database) on a regular basis.

This would be like mistaking a door for the bathroom but find a closet full of gold instead.

I don't think we can otherwise know for sure the company's intentions. If I leave the front door to my house open (or if I tape the key to the outside of the door, to further strain the physical key analogy), is it my intention that people just come on in? We have no idea.

Oh, but this is a food truck that he’s been visiting on a regular basis so obviously he’s allowed to go in the back door, with full access to all the ingredients and poking around inside the cash register?

Also, if you take someone else’s gold behind a door you unlocked with a key that isn't yours, it is called stealing.

Nothing was "under the mat" since he was already using his PC to connect to the database with those same credentials.

> if you take someone else’s gold behind a door you unlocked with a key that isn't yours, it is called stealing.

Nothing was stolen, he informed the vendor of the issue immediately.

It may not be totally akin to a security card opening more doors than it should, but it is entirely reasonable to assume that "the key in your copy of the app" is "your personal access key".

I've never been in a situation where I was given an app binary as a user but where the author intended for me to go find a key in the decompilation so that I could manually access information that wasn't visible in the app.

This seems like it is an unreasonable thing to assume. And courts seem to agree.

Illegal vs legal and reasonable vs unreasonable are not entirely analogous.

There are lots of laws that I think are unreasonable and a lot of legal things that I think are unreasonable.

That you favor one argument over another as your lens with which to side when it comes to really stupid analogies, including mine, is entirely in bad faith.

What is you plan if you disaggre?

He was charged for connecting to a database with credentials that he was already connecting to before with the application. I could argue that he already had access to the other data because the connection allowed it.

So, that begs the question: what did he actually "break" into and how is it different than connecting to the database via the app on the same PC? Would you even be able to tell the difference as a sysadmin looking at logs?

What reason do you have to needing to know what a system is? Just because you think you have a password for it?

> If security finds you in a room you aren't supposed to be in, is that your fault?

It depends. Do you know you're not supposed to be in that room?

> Should you be punished?

I've run into this exact same situation three times. One was a hard coded SSH key to a root account, two were hard coded passwords.

In all three cases, I simply contacted the vendor, let them know I had this key, coordinated disclosure with them, and then told them what the password was and where I found it.

In all three cases, the disclosure was enough for them to go wide eyed, immediately understand which systems were impacted, and then quickly leave the call to go fix the problem.

There is _zero_ reason for you to _use_ exposed credentials if you find them. It adds nothing to the "security research" you may be doing.

That's hard to believe. Which seems like the defense understood, because they offered that the "name of the remote database" seemed like it could be related to his customer that he was contracted to.

In the end, he's going to pay 3,000 euro, and made an example of. He could have received 3 years in prison. So slightly unfair to everyone but hardly worth stretching credulity to defend.

If you don't find the key and realise it's actually a lost one, leading to a potentially dangerous place, someone else will and they won't be benevolent.

> If you did not have permission to enter [...] the likely charge is a misdemeanor charge of illegal entry (also known as entry without permission).

[1] https://www.avvo.com/legal-answers/is-it-breaking-and-enteri...

The real issue here is whether this instance is comparable, not whether opening doors with lost and found keys is a bad thing.

The real difference is whether they 'found' the key or if they were handed it. In this case I'd argue they were handed the key, as there was no plausible protection mechanism preventing them from accessing the key. It wasn't lying around somewhere forgotten or secret, it was in plain sight.

And frankly we need some good Samaritan laws for cases where someone responsibly disclose a vulnerability without doing further harm, even if what they did was illegal on its own it certainly should not be in light of the fact that they responsibly disclosed the vulnerability.

A lot of this depends on whether you view a phone as a device running third party' programs on behalf of the user, or a device that third parties allow users to run software on on behalf of the third party.

A lot of society is moving towards the later view, which is of course fundamentally wrong.

Not really. Apparently they interpret the software which has the embedded key as an "agent".

So it's more like you go into a building and get assigned a person who opens the door and retrieves the stuff you want from there for you. Turns out that the person was on drugs and promptly fell asleep ("malfunctioning") and you take the key to get into the room but it turns out you've just witnessed that this company is a huge scam. Now they want to sue you.

German law applies to TFA so compare Hausfriedensbruch (criminal code): the adverbs of choice are "widerrechtlich" like undefined behaviour; "ohne Befugnis", essentially without permission, e.g. in case of not a lawful entry of police. Official translation actually distinguishes "unlawful" and later "without permission". I always feel it says, like, illegal entry is illegal. Vandalism uses the same words, section 303a applied to computer sabotage as "Data manipulation".

https://www.gesetze-im-internet.de/englisch_stgb/englisch_st...

https://www.gesetze-im-internet.de/englisch_stgb/englisch_st...

PS: the relevant section is 202a "Data espionage", following another comment.

https://news.ycombinator.com/item?id=39047283

https://www.gesetze-im-internet.de/englisch_stgb/englisch_st...

In my humble opinion, what really grinds my gears is the abuse of the letter of the law, “circumventing the access protection”. If your fence has gaping holes, it's not a functional fence.

Since this is hackernews, graffiti "vandalism" is still a good example. The only protection of public facing walls is law enforcement, which is spotty. Private property such as trains may employ fences and security, which can be circumvented. Train stations and trains in service have to open anyhow. Terms of Service may explicitly forbid pollution, defacement, however you want to call it (this holds by analogy if you leave logs on the server, my point being, as it were, that security is a process).

The law makes a practical difference for each of these cases, but the spirit of the law is the same in each case and the baseline is that the law is whatever is deemed appropriate by the powers that be, the finder of facts, population as represented by select individuals, the common joe. This, in turn, is supposed to be enshrined in constitutions of sorts. In sum, “unlawful" (“widerrechtlich” or “unbefugt”) derives in different ways from constitutional rights.

In the given case, subsection 202a is based on confidentiality (Art. 10 GG "privacy of correspondance"), but in my example (guilty as charged) the laws against vandalism are based on property (Art. 14 GG). In result, your comparison is a type error for me (as is circumvent if access control is a process).

https://www.gesetze-im-internet.de/englisch_gg/index.html

Comparative Law is a real thing, by the way, that is most foreign to me, but I make due.

Grafitti satisfy the criterion of Sachbeschädigung (criminal property damage). Nothing (except some reputation) was damaged by the "hacking" involved here.

Of course if that's the case the vendor would have to be found to be in violation of privacy laws by not using state of the art protections (e.g. not shipping plaintext passwords, not using the same database/credentials for data from different customers) and might be fined for that separately.

It's already hard to see the malice in their actions but it's harder still when I consider that they immediately alerted the company who made the error. Even more when I consider that the company fixed the error. This developer did the company a favor and they had charges filed against them over it.

It's of course ridiculous that the police and prosecution called this "decompilation" but I agree with them to a point: the password didn't spontaneously fall in his lap, he deliberately went out to look for it in the software itself, even if he found it in the most trivial way possible. And then he decided to use those credentials to access an external system he must have known did not belong to his client without asking for permission. This rapidly enters grey hat territory and crosses a legal line.

I think it's right to be appalled by the mere act of opening the file in an editor being considered suspect by the prosecution but I also think it's important to understand that it wasn't just the software analysis that got him into trouble, it was the digital trespass that this enabled.

But I think the salient point here is whether or not he could have known that before logging into the server. Since the credentials are in the app, should he assume that the company's security is so bad that this would give him access to all their customer data? He is obviously allowed to use the app, and the app uses these credentials so it's not too much of a leap for him to think that he should be allowed to use them as well.

Regardless, I think the result of this ruling will clearly be bad for computer security. In the future maybe someone who finds a vulnerability like this won't report it out of fear of legal retribution.

Or can that still get you sued?

Please Dont shoot the messenger, I didnt write the stupid law.

Actually using the database creds to the point where you can tell a story about the data in the database though is enough to put you at criminal risk in the US; the DOJ doesn't prosecute good-faith vulnerability research, but depending on the kind of poking you do and the kind of logs you keep of what you find, you can put yourself in a position where your good faith isn't assumed.

A direct connection to a database is an API, too. :-)

it's not a crime to build a house that has open doors and windows.

but it's certainly a crime to enter one as an uninvited guest, let alone do things with traceable logs.

But this is the entire issue. It's common practice for a business to have open doors because they intend for anyone to come inside and patronize their establishment. Some of the businesses are even in residential houses, where the area is zoned for that sort of thing.

The question is what that's supposed to mean for a computer system. Obviously answering requests is the intended purpose of a public-facing internet server, and the general expectation is that if you're not allowed to make a particular request, the server will refuse it. Protocols even have widely supported standards for this, e.g. HTTP 403 Forbidden.

So what are you supposed to make it of it when you issue a well-formed request and the server answers it? The default expectation is naturally that they intended it to, because if it was intended to do otherwise then they'd have configured it to do otherwise. How it responds is how you know if you're allowed to do it.

At some point you may be able to reason out that what's happening is the result of a misconfiguration (exceptional circumstance) instead of the standard expectation (server refuses requests if server operator intended them to be refused), but this may not be obvious to the user until after it has already happened.

In my opinion this is like filing criminal charges because someone opened a door at the front of your business. Normally what is known to your front end is not sensitive data for the entire user base. So if you take a peak in, its the same as wondering what the extra front door is to a brick and mortar store. You’ve got the main door with the OPEN sign and then a plain door that, whoops, is unlocked and has all of your customer’s files laying out on tables. At this point you’ve done nothing wrong. If you start rummaging around you’re outside of plausible deniability.

From the perspective of the developer, it's natural to assume that the password was in place to prevent non-users from accessing, not legitimate users. After all, the credential wasn't hidden or obscured in any way. When it became clear that users weren't supposed to have access, it was reported to the vendor. Am I missing something here?

On one hand, there's a developer doing their job. On the other, there's another "embarrassed" company retaliating and intimidating would-be bug reporters. It seems crystal clear what's going on.

This is true, but he believed that the database was held exclusively for the client, hence only containing data belonging to the client, who gave him permission to access his data. Apparently the name of the database also seemed to indicate this.

As soon as he then noticed that it contained all the data of all customers, he disconnected.

His crime wasn't accessing the data. His crime was accessing the data in a way he had not been authorized to do. As far as he was concerned, the investigation should have stopped at "there are hardcoded plaintext credentials here". But not only did he then also try if those credentials were correct, he also used those credentials to go spelunking. That's trespass even if he had reason to believe there were no other customers' data on that server.

It's what you do with the data once you have access to it. If you do nothing, it shouldn't be a crime, the crime should be the, presumably, nefarious usage if used.

(It's best to use a representative phrase from the article body rather than making up new language; that's usually, though not always, possible.)

This is just taking the keys and unlocking the door to your benefit.

Now a gap of almost 20 years has opened, where basically no young engineers have been interested in the field, let alone trained. The biggest companies with the deepest pockets have been mopping up anyone they could find. Top talent went abroad. And so the majority of German businesses which are SMB get hacked more every day. Nobody audits anything. Unfortunately, anything networked is a security risk these days.

I caution that it is highly naive to bet on this getting thrown out at higher court levels. Defendant is looking at YEARS of wasted brain cycles, trying to go from AG to LG to OLG to BGH. My guess is a 100k EUR of fees also wasted. And for what. Because a company couldn't properly secure their data, you told them that, and as a "thank you", they sued you in court?

My advice: If there is no clear bug bounty program, or it is not your own company, or you weren't tasked in writing and paid by the very company to find any holes, don't make it your problem. Suppress any good samaritan helper complex you might have. Wipe all files and talk to nobody. Especially not in your place of employment. Once a lawsuit is involved, anyone questioned will say "Oh, Mike from DevOps figured that one out from the hexdump". You will regret it.

Some of the older German infosec dogs are aggravated by this so much, that they refuse to help any governmental organization if there is an incident. Lernen durch Schmerz.

You can like that or not, but if you’re in the position to be doing research like this, you really ought to know the basics of the law.

> His crime: he was tasked with looking into a software that produced way too many log messages.

The developer wasn't doing security research. It sounds like they just had a bug they were looking into. Connecting to the database and realizing what it is to immediately disconnect and report it responsibly shouldn't be something that comes with punitive measures. As another commenter pointed out, this incentivizes people to sell this knowledge to others who will actually "misuse" it.

Can you fix this bug? Sure, I'll be chilling on this sofa while you get me my access.

What's the difference. MAYBE I could see this as a violation of the ToS but It's a far cry from "hacking".

Having a password doesn't mean they were trying to keep people out. They shipped the password.

That's like going into a building and they HAND YOU a keycard, and say don't go anywhere you aren't supposed to. And then it's actually a master key. How do you even know that it's going to let you into places you aren't supposed to go.

I have creds to googles services but it only gives me access to MY stuff.

And if you went somewhere you're not supposed to and found out it's a master key by trying it in those places you're not supposed to access, you'd be accused of trespass.

It's okay to argue that the punishment is excessive or that the law should factor in malicious intent more but the law is pretty clear and his behavior wasn't innocent white hat hacking even if he meant no harm.

> MAYBE I could see this as a violation of the ToS but It's a far cry from "hacking".

Maybe? How about definitely. He didn't use the app for its stated purpose, he extracted the credentials and then used them manually. That's a clear ToS violation at least. That this isn't a sophisticated hacking attack doesn't mean it is legal. You can argue it should be but it's easy to see why it isn't even if you just consider property law.

Actually the only problem with the law in my eyes is that it doesn't distinguish very well between malicious abuse (i.e. abuse with the intent to cause damage or impact security) and non-malicious abuse (e.g. building an unauthorized third-party client) and that it doesn't have special provisions to protect security research akin to whistleblower laws.

Morally is another question of course.

The vendor of that connector then issued a new client that used TLS, which he also circumvented to show that the issue is still valid. He is also accused of decompiling the client software to obtain the password. IIRC, he instead claimed to just have opened the file in notepad.

I have done exactly the same thing in similar circumstances – I had a desktop software vendor that we had issues with, saw the config files stored database credentials in plaintext and connected to it. In my case, the database was single tenant for our company so I managed to get what I wanted done.

Surely intent must come into play when it comes to applying the law in cases like this? It doesn't seem like the developer had any intent to access a restricted system.

I've read current government had some plans to fix it, but they have a lot to do at the moment.

Company got caught with their pants down and want to punish this person for exposing that.

Look ma, they just leave their passwords in cleartext, and people are scared shitless to report it, lest they be sued! It's a pure gold mine!

https://www.techdirt.com/2022/02/25/turns-out-it-was-actuall...

The "hacking" was decrypting social security numbers from BASE64.

Imagine the number of lazy programmers who paste stuff into an online Base64 decoder. Imagine all the stuff that is in those payloads!

Running a site like base64decode.org would be a fantastic honeypot.

If you left your front door wide and I robbed you, I'd have committed a crime. There's no "but the front door was open" defense.

It would still be a crime. I would and should be chastised, but the person who robbed me should still receive a proper punishment.

Even unlocking their door with a key you found lying in the street, and then going in, is not in itself criminal (where I live). If you go on to commit a crime while inside, or did it with the intention to commit such a crime-that added fact makes it a crime (“break and enter”). But mere unlocking the door and entering in itself is not.

Not sure where you live for that to be the case, but someone coming in because I left my door open is not normal, even if I left my door open. Even if they claim they were "making sure everything was safe".

Obviously stealing is a crime and we shouldn't victim blame. But with a lot of software the business isn't much of a victim so much as their customers are, and there doesn't seem to be much incentive for companies pro-actively securing their software. You could argue in hindsight the developer would've been better off selling the vulnerability and/or data to the black market rather than reporting it.

I wonder, if it's illegal to find these problems, would it be legal to notice there might be a problem, stop, and short the company stock?

"Hey, I just happened to find out that there is a password here in this app, at offset X, here's the screenshot from the hexdump with the visible password... I'm not allowed to check what that password is, even though there is also a username and a host next to it, and clear indication that it's an sql connection, but i'm not testing this, but i'm warning you, the general public, that this here exist, please don't try connecting to this IP using this username and password, thank you!"

There’s also the fact that at least for US companies massive data leaks/breaches often have no negative financial impact on the company.

Yes. As long as you don't use inside information this would be perfectly legal. It's pretty much what companies like Hindenburg Research do.

The problem you would find if you actually tried to do this is that investors pretty much don't care about security issues, so the stock price wouldn't go down after you revealed the flaw. That's even if they're publicly traded which doesn't appear to be the case here. I think it's these guys but I don't speak German so don't quote me: https://www.modernsolution.net/

https://www.gesetze-im-internet.de/stgb/__202a.html

Roughly:

„Gaining access to data that is protected with special methods against unauthorised access, either for personal use or for others“

So apparently, hardcoded passwords baked into the client do qualify for that.

> https://www.gesetze-im-internet.de/stgb/__202c.html

English translation based on the DeepL translation:

"§ 202c Preparing the spying and interception of data (1) Any person who prepares an offense under § 202a or § 202b by

1. passwords or other security codes that enable access to data (§ 202a (2)), or

2. Computer programs whose purpose is the commission of such an offense,

or by procuring, selling, transferring, distributing or otherwise making available to himself or another person, shall be liable to a custodial sentence not exceeding two years or to a monetary penalty.

(2) § 149 (2) and (3) shall apply accordingly."

Worked with PostNL, the main and previous governmental organisation for sending mail.

Weekly we would upload our orders in their system; and could see our history.

Then one day we could suddenly access all other clients history and export their users data. Many of them direct competitors, and their mailing lists would have been quite valuable to us.

My partner exported all Marley Spoon's (a bigger funded competitor) data in excel and a few others. When he told me I told him to delete it ASAP, even though it's fun you don't create a liability. But we could have used it to grow 10-30% in a few weeks.

They never reported it, which they were legally obliged to do under EU law.

All to say, if you get the keys to the castle, maybe don't use them. Or maybe you do.

We should, and could have used it, in price negotiations since they almost doubled the prices to us for the next few months and didn't have any mercy. Let alone misplacing 3-8% of our orders and not refunding.

But instead we moved to few other delivery services (with all their own flaws)

There were huge public rallys when the § 202c StGB (https://news.ycombinator.com/item?id=39047767) was to become introduced.

In Germany, we learnt that resistance and rallys against the politics is typically futile.

Thus, in the recent years in some circles in Germany it has become actually fashionable to speak "Politiker" (politician) in a tone as if you were speaking of a mass rapist or child abuser (and covertly do this word replacement in your head). Believe me: in some circles in Germany, the fury against the politicians of basically every party is insane. :-(

Oh no we did a terrible job and hardcoded credentials, someone found and tried a password and then reported it without stealing or destroying anything but our egos... the horror. Let's run to the cops and potentially ruin a life.

We need white hats that want to find vulnerabilities for good, but when you exploit a target and they aren't aware until after the fact, that's still a crime. I don't know what the safe way of doing this is other than only doing white hat hacking on systems you control. Any system outside of your control should not be exploited unless the company has an agreed upon contract that indemnifies you from any harm caused.

I'd argue that a customer who accesses their own data on a vendor's database via a client has also the right to access it via a different client.

what happened there?

TL/DR: they accepted sponsorship by Anduril, a weapons manufacturer and publicized that fact 3 days before the conference. The German scene is quite pacifistic and threw a fit.

It was unbecoming of any group that wishes to call itself a community and it certainly has chilled participation from reasonable people.

The curious bit is that this law is from 2007, so apparently this is an angle that escaped all attorney and courts who applied this law in 16.5 years, or the defense could have shot down this line of reasoning by pointing out that this isn't what the law intended. (we don't have case law, but there are means of harmonizing outcomes once stuff ended up at higher level courts)

My guess is that this won't hold up for long given the circumstances (trivially got the password, accidentally gained more access than expected, immediately disconnected upon notice)

Even if the sentence is overturned by a higher instance, the confiscation of all devices for months and the additional legal trouble have made pretty sure that this person will not make the same "mistake" again.

The company's public statements during the whole affair were another story entirely. For these alone they'd deserve the next guy to just sell the credentials on a forum and have them blow up.

0. https://nitter.net/der_sofc/status/1747644600469127386

edit: Apparently der_sofc is the person who got sued.

Last summer the court declined the prosecutor's case (in this system, the prosecutor files their case with the court, and the court does a quick scan and will dismiss the case before scheduling the trial if it's obviously unsound - happens fairly rarely). Prosecutors got this overturned by a higher court, which means this trial happened at the same lower court, but with a different judge than the one who initially dismissed the case.

> According to a decision by the Jülich District Court on May 10, 2023, the criminal proceedings against the security researcher have been dismissed. The court assumes that no criminal offense has been committed because the data accessed by the security researcher was not sufficiently protected. "Only data that is specially protected against unauthorized access is subject to the scope of protection of the criminal offence. This presupposes that measures have been taken that are objectively suitable [...] to prevent access to the data," the court's decision states. "The court does not agree with the opinion of the public prosecutor's office that password protection as such is sufficient. A password does not always provide effective data protection, for example if it is too simple or is used in a standardized way for certain applications. In such cases, the provision of access to data does not constitute an offense."

> Through its own investigations of the Modern Solution software, heise online was able to confirm that it did indeed contain a built-in default password. This meant that anyone who had examined the software, which was freely downloadable from the company's website, would have had access to the data on the Modern Solution servers.

The text of the decision should be paramount.

Next time: use a vpn, get yourself a anonymous email address and report it to your goverment dataprivacy office. Make it hurt. Make it hurt bad.

Alternatively, get a sockpuppet account, publicize the information anonymously somewhere, then pretend you accidentally stumbled upon it and sue the vendor for gross negligence with your data. Go on the offence. Germany is so anal on privacy laws that I suspect the whole case has been hinging on the company making the first move. Keep sucking those sweet damages. I'm surprised there's not a whole fucking industry around this behavior, which is way too common to go unpunished.

Don't be a boy scout. This seems to be frowned upon these days.

If met people from all over the word, some of the coolest hackers and devs were from Germany, but: The perpetual effort of the German government to make all things „safe „ and „stable“ hinders the evolution of the country into something greater than a nation of car manufacturers.

I think the term "(pre)digital" does not fit: for example CDs and punchcards are clearly digital.

I think there's even a bit of pride about it, I hate to say. Germans are pretty proud of their outdoor activities and general physical health, and "device obsession" works directly against that... and is still not as much of a thing there as in the US for example. You could make an argument for it...

https://www.settle-in-berlin.com/why-is-internet-so-bad-in-g...

tl;dr Blame Helmut Kohl. Helmut was clearly the type of guy who would have printed out his emails (if he even had to email, if perhaps only by necessity) until the day he died.

> I think there's even a bit of pride about it, I hate to say. Germans are pretty proud of their outdoor activities and general physical health, and "device obsession" works directly against that... and is still not as much of a thing there as in the US for example. You could make an argument for it...

Honestly, I am not sure what kind of "device obsession" in other countries vs Germany you are talking about. My impression, as a German, is that many German people value other qualities of technological products than what is valued in other countries.

For example, many German customers value long-lasting, robust products instead of the latest fad that will be out of fashion in a few years. For example, many Germans who are able to afford them would love household appliances built by Miele. Also, because of the German history (two dicatorships on German soil of which one ended little more than 30 years ago), many Germans are much more suspicious of "spying devices" (e.g. internet-enabled home appliances (IoT)) and things that might track you (this is also a reason why many Germans strongly prefer paying cash).

But it is nevertheless my impression that many Germans nevertheless do have quite some love for devices that do fit their values; it's just that the taste is quite different from the taste in other countries.

This kind of thing is what enables cyber crime.

I personally find lots of bugs with APIs, since my job involves dealing with so many of them. I basically don't report them for fear of prosecution. There's already a fear in the back of my mind when I'm trying to work around such bugs that someone will come after me, but at least I have some plausible deniability to say, "I just wrote shitty software." Whereas, if I report a bug, that means I knew about it and admit to "probing" it to elicit more information.

I literally spent 4 hours this morning working around a vendor API bug.

EFF plays defense, when it should be playing offense more effectively

Organizations like it need to be donating to campaigns

Play the game until the lobbying laws change

All of our people should have been pardoned because the President was in our pockets.

Aaron Schwartz would have had nothing to worry about, maybe that gets someone attention here

I once did a search in the free version of Feedly. They showed me the real search results, behind a "this is a paid feature" overlay. I submitted feedback saying they should either provide the feature or not provide it - and refrain from this in-between teasing. I mentioned that I deleted the overlay in the HTML to see the results, and they told me I had "hacked" the web app in their response.

That usage, and this usage, are ridiculous, because they imply an unscrupulousness that isn't present. And yet applying the friendlier meaning of the word, as in "Hacker News", I think is reasonable in both cases.

"Hacking" means "getting (typically) technology to do things that they were not intended to do, sometimes in a playful way". The other meaning was purposefully disseminated by the mainstream media to spread fear and hate against the hacker scene, because their knowledge about programming, computers and technology was a thorn in the side of specific groups in power.

"Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages."

Note that “hacking.” is in quotes, which should clear the opinion that the poster "Yellow Flag" considers it to be ironic that this action is called "hacking".

oo-err

During my first week in university, I found a vulnerability in two of their servers allowing me to execute arbitrary code/commands + escalate to root due to a very outdated kernel.

I reported this to a lecturer and was immediately told that what I did was illegal and not to poke at any of their services. Last I checked, it still hasn’t been fixed.

I wonder if such reports would be taken more or less serious if it was made anonymously.

https://www.theverge.com/2021/12/31/22861188/missouri-govern...

Germany has an obsession with accusing people of crimes. Perhaps a projection?

To the bottom you go.