Comment by tetha
17 hours ago
I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, it would from my knowledge not be clear if entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
Hard-coded, publicly available credentials are criminal to circumvent in germany. See https://www.heise.de/en/news/Modern-Solution-Court-of-Appeal... which is now settled, since the appeal was rejected. https://www.heise.de/en/news/Federal-Constitutional-Court-re...
> At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the [publicly available] software had set a password for the connection meant that viewing the raw data of the [publicly available] program and subsequently connecting to the [publicly available] Modern Solution database constituted a criminal offense under the hacker paragraph.
Yes, taking publicly available data verbatim (no ROT13, nothing) and talking to a publicly available server on the internet can in fact be a criminal offense.
Thank you for providing an example that is exactly showing how messed up this is:
> Der Vorsitzende Richter gab zu Protokoll, dass alleine die Tatsache, dass die Software ein Passwort für die Verbindung gesetzt habe, bedeute, dass ein Blick in die Rohdaten des Programms und eine anschließende Datenbankverbindung zu Modern Solution den Straftatbestand des Hackerparagrafen erfülle
> The Judge gave to protocol that just the fact that the software requires a password for the connection, implies that a look at the raw data of the program and a subsequent database connection is considered hacking.
So yes, entering an empty password can cause all of your electronic devices in all your registered residences to be seized as evidence.
Note that the decompilation is on the complexity level of "strings $binary".
Germany is the most contradicdory country I know of, and such a huge warning flag to anywhere else. For decades, half of children's education has been spent on hammering in "Never Again". Surely there are two huge lessons to learn there: 1. Do not judge the value of people based on their biological characteristics they were born with 2. "I was just following orders" is not an excuse, and one needs to instead do what is right regardless of protocol.
There is no European country which does a worse job at both of these. Germany is easily the number one country in the world for "protocol is everything". It doesn't matter how detrimental and damaging the rules are, the rules are the rules, and they must be followed. This case is the millionth example. The rules are interpretable as it being illegal to access data with a publically available password using this password, so we're going to apply them, despite it being patently absurd. For the first point, German's reponse to Gaza (the slowest in all of the West) said everything.
1 reply →