[HN Gopher] German developer guilty of 'hacking' for exposing ha...
___________________________________________________________________
German developer guilty of 'hacking' for exposing hardcoded
credentials in app
Author : zoobab
Score : 248 points
Date : 2024-01-18 20:01 UTC (2 hours ago)
(HTM) web link (infosec.exchange)
(TXT) w3m dump (infosec.exchange)
| macawfish wrote:
| This is outrageous.
| Log_out_ wrote:
| No, it's Germany. That law is a seal of quality on any German
| software. So bad security-wise, they need obscurity by
| lawzyness as main protection.
| busterarm wrote:
| Precious Germany. Swiss cheese security enshrined and
| protected by law but will blow an absolute fucking gasket if
| your open source software is even remotely applicable to
| national defense.
| dzhiurgis wrote:
| Explain the latter part?
| busterarm wrote:
| See NixCon 2023, but also in general universities and
| student organizations in the country mandating that you
| pretend the defense industry doesn't exist if you want to
| have a presence there.
|
| Just about anything German-hosted in the Fediverse is
| absolutely allergic to the industry and users will lose
| their fucking minds and hound you to the ends of the
| earth and send you death threats if you forget this fact.
|
| Basically shitty ideologues who put purity ahead of the
| technology dominate every level of the discourse there.
| It wastes everyone's time and distracts from things that
| actually matter. In fairness, America isn't far behind.
| _dain_ wrote:
| _> NixCon 2023_
|
| what happened there?
| alphager wrote:
| https://discourse.nixos.org/t/nixcon-2023-sponsorship-
| situat...
|
| TL/DR: they accepted sponsorship by Anduril, a weapons
| manufacturer and publicized that fact 3 days before the
| conference. The German scene is quite pacifistic and
| threw a fit.
| busterarm wrote:
| While "threw a fit" is accurate, it really does downplay
| the level of hostility that was expressed in response to
| the situation.
|
| It was unbecoming of any group that wishes to call itself
| a community and it certainly has chilled participation
| from reasonable people.
| dylan604 wrote:
| So what happens when the vuln is accessed from someone _not_
| under German legal jurisdiction?
| exe34 wrote:
| Vee schend zem a sthrungly vorded letter!
| CalRobert wrote:
| If you needed security you should've used a fax!
| coldblues wrote:
| Should have sold the information on a forum like any reasonable
| person would.
| judge2020 wrote:
| Sounds like they're a customer of the vendor, so they'd be
| pwning themselves if they did so.
| fkkffdddd wrote:
| Paragraph 202a of the criminal code:
|
| https://www.gesetze-im-internet.de/stgb/__202a.html
|
| Roughly:
|
| "Gaining access to data that is protected with special methods
| against unauthorised access, either for personal use or for
| others"
|
| So apparently, hardcoded passwords baked into the client do
| qualify for that.
| sgift wrote:
| Yeah. It's well known as a really shitty law, which should
| never have been passed. But here we are. Maybe until 2050 they
| fix it or so.
| aleph_minus_one wrote:
| § 202c is even worse:
|
| > https://www.gesetze-im-internet.de/stgb/__202c.html
|
| English translation based on the DeepL translation:
|
| "§ 202c Preparing the spying and interception of data (1)
| Any person who prepares an offense under § 202a or § 202b
| by
|
| 1. passwords or other security codes that enable access to
| data (§ 202a (2)), or
|
| 2. computer programs whose purpose is the commission of such
| an offense,
|
| or by procuring, selling, transferring, distributing or
| otherwise making available to himself or another person,
| shall be liable to a custodial sentence not exceeding two
| years or to a monetary penalty.
|
| (2) § 149 (2) and (3) shall apply accordingly."
| TillE wrote:
| The silver lining is that the _punishment_ for crimes in
| Germany is generally extremely lenient. The article mentions
| a 3000 Euro fine plus legal fees.
| j-bos wrote:
| Isn't this the opposite of good samaritan laws? If you see
| something, say nothing, do nothing.
|
| I wonder, if it's illegal to find these problems, would it be
| legal to notice there might be a problem, stop, and short the
| company stock?
| IshKebab wrote:
| > would it be legal to notice there might be a problem, stop,
| and short the company stock?
|
| Yes. As long as you don't use inside information this would be
| perfectly legal. It's pretty much what companies like
| Hindenburg Research do.
|
| The problem you would find if you actually tried to do this is
| that investors pretty much don't care about security issues, so
| the stock price wouldn't go down after you revealed the flaw.
| That's even if they're publicly traded which doesn't appear to
| be the case here. I think it's these guys but I don't speak
| German so don't quote me: https://www.modernsolution.net/
| hipadev23 wrote:
| Issue is those flaws can go unnoticed for years, so you may
| need to give them a nudge for your short to be successful.
|
| There's also the fact that at least for US companies massive
| data leaks/breaches often have no negative financial impact on
| the company.
| ajsnigrutin wrote:
| Tor + twitter (if you can actually register there with tor):
|
| "Hey, I just happened to find out that there is a password here
| in this app, at offset X, here's the screenshot from the
| hexdump with the visible password... I'm not allowed to check
| what that password is, even though there is also a username and
| a host next to it, and a clear indication that it's an SQL
| connection, but I'm not testing this, but I'm warning you, the
| general public, that this here exists, please don't try
| connecting to this IP using this username and password, thank
| you!"
| mywittyname wrote:
| We, as an industry, need to create an institution that lobbies
| for fair laws on the handling of computer crimes as well as
| creates public awareness campaigns that help people better
| understand cyber crimes. I'd like to see "Good Samaritan" laws
| for cyber crime.
|
| This kind of thing is what enables cyber crime.
|
| I personally find lots of bugs with APIs, since my job involves
| dealing with so many of them. I basically don't report them for
| fear of prosecution. There's already a fear in the back of my
| mind when I'm trying to work around such bugs that someone will
| come after me, but at least I have some plausible deniability to
| say, "I just wrote shitty software." Whereas, if I report a bug,
| that means I knew about it and admit to "probing" it to elicit
| more information.
|
| I literally spent 4 hours this morning working around a vendor
| API bug.
| costco wrote:
| That's what the EFF does.
| yieldcrv wrote:
| I don't get how the tech sector as a whole is so inept at
| this after half a century now.
|
| EFF plays defense, when it should be playing offense more
| effectively
|
| Organizations like it need to be donating to campaigns
|
| Play the game until the lobbying laws change
|
| All of our people should have been pardoned because the
| President was in our pockets.
|
| Aaron Swartz would have had nothing to worry about, maybe
| that gets someone's attention here
| soraminazuki wrote:
| Would that help the German developer though?
| acheong08 wrote:
| After moving to the UK, it has been my policy to pretend to see
| nothing.
|
| During my first week in university, I found a vulnerability in
| two of their servers allowing me to execute arbitrary
| code/commands + escalate to root due to a very outdated kernel.
|
| I reported this to a lecturer and was immediately told that what
| I did was illegal and not to poke at any of their services. Last
| I checked, it still hasn't been fixed.
| jonnycomputer wrote:
| The ostrich approach to tech security.
| spacecadet wrote:
| Yes it is illegal, won't stop someone. Fools.
| wackget wrote:
| Article/title is a bit confusing and perhaps borderline
| clickbait, so...
|
| If I understand correctly it seems like his crime was *using* the
| exposed database credentials to log in to the third-party
| database server.
|
| So he wasn't charged for simply "exposing" the credentials as the
| title says, but actually using them to poke around.
| bluefirebrand wrote:
| It is basically impossible to know what a system is without
| accessing it and looking around.
|
| It is like being given a key card for security clearance in a
| building. You assume any door it opens is a room you're allowed
| to be in. If security finds you in a room you aren't supposed
| to be in, is that your fault? Or whoever gave you the card with
| the wrong clearance level?
|
| Also how about the situation where you open a door, look
| inside, immediately realize you're not supposed to be there and
| then report it to security? Should you be punished?
| secondcoming wrote:
| I don't see why an investigation into excessive logging
| requires running queries on a database.
| lcnPylGDnU4H9OF wrote:
| If they connect with a desktop application, said
| application might run some queries against
| `INFORMATION_SCHEMA` in order to display schemas, tables,
| and columns. If the investigation is open-ended enough ("we
| have no idea so just figure it out"), then it might seem
| reasonable to connect to the database to see what it's
| about.
|
| It's already hard to see the malice in their actions but
| it's harder still when I consider that they immediately
| alerted the company who made the error. Even more when I
| consider that the company fixed the error. This developer
| did the company a favor and they had charges filed against
| them over it.
| formerly_proven wrote:
| This is a high profile case because they went public with
| it, but I assure you, stuff like this happens a lot more
| frequently than you might think (the public can attend
| court proceedings in that country, but they are neither
| published nor publicized for the vast, vast majority of
| cases). It's why anyone remotely familiar with the legal
| situation (not just in Germany, many countries have
| similarly broad laws, like the CFAA or the Computer Misuse
| Act) will tell you to never ever, _ever_ do vulnerability
| disclosure yourself to the responsible party.
| ptx wrote:
| What should you do instead? How would someone familiar
| with the legal situation disclose a vulnerability?
| HL33tibCe7 wrote:
| Finding a key on the floor and then using that key to break
| into a building is illegal, and for good reason.
| judge2020 wrote:
| It's more like you're given a keycard to a building that
| says "Floor 20" but then find out it has access to all the
| floors and telling the building security about it. All they
| did was 'open' the 'elevator door' here revealing the
| access they mistakenly had. It doesn't sound like they
| snooped through other customers' data or downloaded
| anything.
| User3456335 wrote:
| You're not really given it though. You found it and even
| though nobody ever asked you to use the key card you used
| it on the floor that nobody ever asked you to go to.
| hooverd wrote:
| They weren't not allowed either, though.
| feanaro wrote:
| Your machine regularly uses that key to access what's
| behind the door on your behalf; there is no reason you
| shouldn't be able to access it yourself.
|
| If you don't find the key and realise it's actually a
| lost one, leading to a potentially dangerous place,
| someone else will and they won't be benevolent.
| Almondsetat wrote:
| If you don't know what the key does who are you reporting
| it to?
| contravariant wrote:
| If that's unclear the answer is simple, destroy the key.
| Otherwise you can try to be a good neighbour and let them
| know. You do not get to just open random doors and see
| what's going on.
|
| The real issue here is whether this instance is
| comparable, not whether opening doors with lost and found
| keys is a bad thing.
|
| The real difference is whether they 'found' the key or if
| they were handed it. In this case I'd argue they were
| handed the key, as there was no plausible protection
| mechanism preventing them from accessing the key. It
| wasn't lying around somewhere forgotten or secret, it was
| in plain sight.
|
| And frankly we need some good Samaritan laws for cases
| where someone responsibly discloses a vulnerability
| without doing further harm. Even if what they did was
| illegal on its own, it certainly should not be in light of
| the fact that they responsibly disclosed the
| vulnerability.
| feanaro wrote:
| It's not a "lost" key if it's found hardcoded in an
| easily available place (e.g. an application). It's a
| negligently placed key leading to a vulnerable place that
| is going to get into the hands of a malicious person.
| adrr wrote:
| It's not finding a random key on the floor unless the key
| was in his house sending data back to a 3rd party server.
| The closest paradigm using technology terms is finding an S3
| key in a 3rd party library and then browsing the S3
| bucket to see what's in it. Authorization was granted by
| providing the developer the library, they literally sent
| him a username and password. If the code was unique to each
| client, would the person have been charged?
| fn-mote wrote:
| US law:
|
| > If you did not have permission to enter [...] the likely
| charge is a misdemeanor charge of illegal entry (also known
| as entry without permission).
|
| [1] https://www.avvo.com/legal-answers/is-it-breaking-and-
| enteri...
| axus wrote:
| Yep, what the guy did here seems at worst a misdemeanor,
| and only because a company's feelings were hurt. The
| vendor brought charges against an employee of their
| customer, someone who was paying to use their product.
| acangiano wrote:
| Troy Hunt called that behavior "way too far into the grey for
| my comfort" in a recent post about the massive Naz.API leak.
| Gelob wrote:
| Says the guy who gets emailed hacked database from
| cybercriminals
| itishappy wrote:
| Right, the guy who's job is receiving hacked databases of
| user credentials from cybercriminals argues actually
| using said credentials would be going too far.
| contravariant wrote:
| In that case the keys he has were _definitely_ not his to
| use. Here we're looking at someone handed an API key by a
| company and then using it to access the API.
|
| A lot of this depends on whether you view a phone as a
| device running third-party programs on behalf of the user,
| or a device that third parties allow users to run software
| on on behalf of the third party.
|
| A lot of society is moving towards the latter view, which is
| of course fundamentally wrong.
| posterboy wrote:
| It's rather different. Some time ago I saw my neighbour had left
| the key sticking outside. Doesn't feel like an invitation to me.
| Also, garden doors aren't necessarily locked and I think this
| is difficult to legislate.
|
| German law applies to TFA so compare _Hausfriedensbruch_
| (criminal code): the adverbs of choice are "widerrechtlich"
| like _undefined behaviour_ ; "ohne Befugnis", essentially
| _without permission_ , e.g. in case of not a lawful entry of
| police. Official translation actually distinguishes
| "unlawful" and later "without permission". I always feel it
| says, like, _illegal entry is illegal_. Vandalism uses the
| same words, section 303a applied to computer sabotage as
| "Data manipulation".
|
| https://www.gesetze-im-
| internet.de/englisch_stgb/englisch_st...
|
| https://www.gesetze-im-
| internet.de/englisch_stgb/englisch_st...
|
| PS: the relevant section is 202a "Data espionage", following
| another comment.
|
| https://news.ycombinator.com/item?id=39047283
|
| https://www.gesetze-im-
| internet.de/englisch_stgb/englisch_st...
| posterboy wrote:
| This deserves further commentary.
|
| In my humble opinion, what really grinds my gears is the
| abuse of the letter of the law, "circumventing the access
| protection". If your fence has gaping holes, it's not a
| functional fence.
|
| Since this is hackernews, graffiti "vandalism" is still a
| good example. The only protection of public facing walls is
| law enforcement, which is spotty. Private property such as
| trains may employ fences and security, which can be
| circumvented. Train stations and trains in service have to
| open anyhow. Terms of Service may explicitly forbid
| pollution, defacement, however you want to call it (this
| holds by analogy if you leave logs on the server, my point
| being, as it were, that _security is a process_ ).
|
| The law makes a practical difference for each of these
| cases, but the spirit of the law is the same in each case
| and the baseline is that the law is whatever is deemed
| appropriate by the powers that be, the finder of facts,
| population as represented by select individuals, the common
| joe. This, in turn, is supposed to be enshrined in
| constitutions of sorts. In sum, "unlawful"
| ("widerrechtlich" or "unbefugt") derives in different ways
| from constitutional rights.
|
| In the given case, subsection 202a is based on
| confidentiality (Art. 10 GG "privacy of correspondence"),
| but in my example (guilty as charged) the laws against
| vandalism are based on property (Art. 14 GG). As a result,
| your comparison is a type error for me (as is _circumvent_
| if access control is a _process_ ).
|
| https://www.gesetze-im-internet.de/englisch_gg/index.html
|
| Comparative Law is a real thing, by the way, that is most
| foreign to me, but I make do.
| aleph_minus_one wrote:
| > Since this is hackernews, graffiti "vandalism" is still
| a good example. The only protection of public facing
| walls is law enforcement, which is spotty. Private
| property such as trains may employ fences and security,
| which can be circumvented. Train stations and trains in
| service have to open anyhow. Terms of Service may
| explicitly forbid pollution, defacement, however you want
| to call it (this holds by analogy if you leave logs on
| the server, my point being, as it were, that security is
| a process).
|
| Graffiti satisfies the criterion of Sachbeschädigung
| (criminal property damage). Nothing (except some
| reputation) was damaged by the "hacking" involved here.
| User3456335 wrote:
| I'll argue the other side:
|
| It's more similar to finding a key hidden under the mat at
| someone's house. You can then contact the owner and inform
| them of the security issue but what you should not do is use
| the key to open the door and go in and see if there is really
| harm in you being able to enter. Because you might
| accidentally achieve the exact thing that a criminal wants
| such as finding a note with a password on it. You can then
| claim you didn't want to find it but the fact is that 1) you
| broke the law by entering and 2) you caused a malicious event
| (namely obtaining a password).
|
| You can then pinky swear that you didn't already use it for
| any further malicious actions but that will be difficult to
| verify.
|
| If I ever lose my key, I don't want people to enter my house
| to prove that they can. Inform me of how you obtained the key
| and I'll change the locks and make sure I don't lose my key
| again. If you do enter my house, expect me to press charges.
| hypeatei wrote:
| It's not similar at all.
|
| The key (connection string) was already given to him via
| the app and he was entering the house (database) on a
| regular basis.
|
| This would be like mistaking a door for the bathroom but
| find a closet full of gold instead.
| User3456335 wrote:
| He had access to the key by looking at the source code.
| The key wasn't intended to be used by him manually.
| ryandrake wrote:
| I wonder if there was some kind of software license that
| stated that the developer was giving the user the key but
| the user wasn't permitted to use it. At least in that
| case, he would have known the company's intentions.
| williamcotton wrote:
| Well, the key was already "given to him" by the nature of
| leaving it under the mat.
|
| Oh, but this is a food truck that he's been visiting on a
| regular basis so obviously he's allowed to go in the back
| door, with full access to all the ingredients and poking
| around inside the cash register?
|
| Also, if you take someone else's gold behind a door you
| unlocked with a key that isn't yours, it is called
| stealing.
| PurpleRamen wrote:
| But he had no right to examine the app, or enter the
| database outside the app. Even if that is a simple task
| for an expert, it's still an obvious difference between
| legitimate usage of the app, and illegitimate usage of
| the database.
|
| Wouldn't that account as reverse-engineering, which is
| often also illegal?
| williamcotton wrote:
| We're getting downvoted by the "I have no clue about how
| the criminal justice system works" brigade.
| Ensorceled wrote:
| You are getting downvoted by people who understand that,
| while the situation is nuanced, it is NOT equivalent to
| flipping over the mat at a random house and entering
| it.
|
| It may not be totally akin to a security card opening
| more doors than it should, but it is entirely reasonable
| to assume that "the key in your copy of the app" is "your
| personal access key".
| Prickle wrote:
| It wasn't hidden though.
|
| Let's pretend the guy was a pest exterminator, hired to kill
| some bug infestation. He is given a keycard to access most
| of the building. As he is hunting down the nest, he finds a
| hole in the wall. Bugs tend to come through holes in walls,
| so he goes in to figure out whether what he is looking for
| originates there.
|
| He enters the room on the other side, and looks around for
| other holes that might have bugs. He then notices a file
| with big red letters saying "TOP SECRET". Turns out he
| accidentally entered the maximum security file room. So now
| he leaves the room, goes to security and tells them what he
| found. Then gets arrested for 1 count of trespassing and 1
| count of breaking and entering.
|
| How is that fair?
| Levitating wrote:
| Exactly. As the original article states, he just didn't
| assume he'd stumble into a sensitive database.
|
| > According to the defendant, the defendant has first
| assumed that the software on his customer's server will
| connect to a Modern Solution database that was only
| intended for his customer and contained only his data.
| From the read-out database name, this sounded quite
| plausible. However, the defendant quickly discovered that
| the corresponding database contained much more
| information.
| FrustratedMonky wrote:
| Exactly. Maybe he could just be exploring an API.
|
| It isn't hidden, maybe this is how I'm supposed to get
| data.
| lamontcg wrote:
| > It wasn't hidden though.
|
| If a key is taped to the outside of the door that it
| opens, you still can't use it without committing a
| trespass. Not unless you got authorization to use it from
| the right person(s) first. Shitty security isn't a legal
| invitation.
| seabass-labrax wrote:
| Unfortunately, like many physical security analogies,
| there's no one correct way of translating the details from
| the software world to the real world.
|
| I think how close you think those two situations are
| depends on whether you consider the application to be an
| agent of the _customer_ (like a personal shopper), or of
| the _shop_ (like a salesman).
|
| Did:
|
| A - the programmer coerce the application (an agent of the
| shop) into accessing secret information (breaking into the
| shop warehouse), or
|
| B - the programmer ask the application (his own agent, a
| personal shopper) to go and look for interesting things in
| the database (shop's warehouse) for him, a privilege that
| the application (personal shopper) was afforded in advance
| by the shop?
|
| I personally think that A is a dangerous precedent to set
| for society. Treating any network-bound application as the
| agent of its creator would mean it was wrong to observe
| your computer (which you generally use for more than just
| accessing one online shop), and would therefore effectively
| kill FOSS.
| akira2501 wrote:
| > It is basically impossible to know what a system is without
| accessing it and looking around.
|
| What reason do you have for needing to know what a system is?
| Just because you think you have a password for it?
|
| > If security finds you in a room you aren't supposed to be
| in, is that your fault?
|
| It depends. Do you know you're not supposed to be in that
| room?
|
| > Should you be punished?
|
| I've run into this exact same situation three times. One was
| a hard coded SSH key to a root account, two were hard coded
| passwords.
|
| In all three cases, I simply contacted the vendor, let them
| know I had this key, coordinated disclosure with them, and
| then told them what the password was and where I found it.
|
| In all three cases, the disclosure was enough for them to go
| wide eyed, immediately understand which systems were
| impacted, and then quickly leave the call to go fix the
| problem.
|
| There is _zero_ reason for you to _use_ exposed credentials
| if you find them. It adds nothing to the "security research"
| you may be doing.
| drannex wrote:
| I stand by the phrase "Hacking Is Not A Crime".
|
| It's what you do with the data once you have access to it. If
| you do nothing, it shouldn't be a crime, the crime should be
| the, presumably, nefarious usage if used.
| itishappy wrote:
| I would not recommend trying that defense in a courtroom.
| sterlind wrote:
| You can do a lot of damage by simply accessing data:
| blackmail, state or industrial espionage, insider trading,
| HIPAA violations, obtaining signing keys or passwords for
| lateral movement, etc. All those require additional intent,
| to be fair, but it's hard to prove intent and much easier to
| prove access. And there are very few legitimate reasons to
| access someone else's private data, and many nefarious ones.
| soraminazuki wrote:
| There's nothing confusing about it, it just doesn't frame it in
| the way you prefer.
|
| From the perspective of the developer, it's natural to assume
| that the password was in place to prevent non-users from
| accessing, not legitimate users. After all, the credential
| wasn't hidden or obscured in any way. When it became clear that
| users weren't supposed to have access, it was reported to the
| vendor. Am I missing something here?
|
| On one hand, there's a developer doing their job. On the other,
| there's another "embarrassed" company retaliating and
| intimidating would-be bug reporters. It seems crystal clear
| what's going on.
| Sparkyte wrote:
| That isn't hacking which the title implies. Hacking is more
| involved and exploitation of systems.
|
| This is just taking the keys and unlocking the door to your
| benefit.
| why_at wrote:
| Yes, he logged into the server using the credentials embedded
| in the app. Since the server contained information from other
| users, this would clearly be some kind of crime if he used this
| access maliciously, or maybe even if he just logged in knowing
| that he wasn't supposed to be allowed to.
|
| But I think the salient point here is whether or not he _could_
| have known that before logging into the server. Since the
| credentials are in the app, should he assume that the company's
| security is so bad that this would give him access to all
| their customer data? He is obviously allowed to use the app,
| and the app uses these credentials, so it's not too much of a
| leap for him to think that he should be allowed to use them as
| well.
|
| Regardless, I think the result of this ruling will clearly be
| bad for computer security. In the future maybe someone who
| finds a vulnerability like this won't report it out of fear of
| legal retribution.
| 2muchcoffeeman wrote:
| I guess the moral of the story is, if you find hardcoded
| credentials, immediately inform whoever is in charge without
| actually using the credentials.
|
| Or can that still get you sued?
| tiluha wrote:
| I'd probably not say anything. At most anonymously. I'm not
| taking the risk as I stand to gain nothing.
| aqme28 wrote:
| I don't think the "hardcoded" part is at issue here. If
| this wasn't a MySQL database but an API that exposed other
| customer information, he would have the same moral duty to
| disclose and the same legal liability, I think.
| tptacek wrote:
| Maybe not? Again, only speaking to US law, but your
| intent matters a lot here, and you have more plausible
| deniability sending API requests than you do making a
| direct connection to a database.
| aleph_minus_one wrote:
| > you have more plausible deniability sending API
| requests than you do making a direct connection to a
| database.
|
| A direct connection to a database is an API, too. :-)
| 2muchcoffeeman wrote:
| My thinking is that prod credentials that you aren't
| supposed to have were used. So if you've been asked to
| investigate, and see something this glaringly bad, then
| you need to stop immediately, inform your boss, and get
| explicit approval before continuing.
| teaearlgraycold wrote:
| Do it anonymously if you do it at all.
|
| In my opinion this is like filing criminal charges because
| someone opened a door at the front of your business.
| Normally what is known to your front end is not sensitive
| data for the entire user base. So if you take a peek in,
| it's the same as wondering what the extra front door is to a
| brick and mortar store. You've got the main door with the
| OPEN sign and then a plain door that, whoops, is unlocked
| and has all of your customers' files lying out on tables.
| At this point you've done nothing wrong. If you start
| rummaging around you're outside of plausible deniability.
| tptacek wrote:
| Not a lawyer, and certainly not in Germany, but spend a lot
| of time reading and noodling about this space. There's
| maybe a reach-y contract lawsuit if you violated reverse
| engineering terms; it wouldn't win, but it could be
| annoying and expensive.
|
| Actually using the database creds to the point where you
| can tell a story about the data in the database though is
| enough to put you at criminal risk in the US; the DOJ
| doesn't prosecute good-faith vulnerability research, but
| depending on the kind of poking you do and the kind of logs
| you keep of what you find, you can put yourself in a
| position where your good faith isn't assumed.
| DarkmSparks wrote:
| I think the moral of the story is if you stumble on such a
| vuln while working in Germany in the future it's best
| practice to sell it on the darknet since you unknowingly
| already committed the crime anyway. Might as well get paid
| for it.
|
| Please don't shoot the messenger, I didn't write the stupid
| law.
| SlightlyLeftPad wrote:
| It's not clear, but what is clear is that cases like this can
| and often do have a chilling effect on legitimate, well-
| intentioned reporters of vulnerabilities, which leaves
| everyone else at even greater risk due to negligence on the
| part of the company. We should be highly critical of these
| legal outcomes, particularly when there was no intent to
| harm.
| joshxyz wrote:
| I think it all comes down to:
|
| it's not a crime to build a house that has open doors and
| windows.
|
| But it's certainly a crime to enter one as an uninvited
| guest, let alone do things with traceable logs.
| dariosalvi78 wrote:
| According to data protection laws, it's certainly a crime
| to leave some systems unprotected like in this case.
| dang wrote:
| If someone can suggest a better (more accurate and neutral)
| title, we can change it above.
|
| (It's best to use a representative phrase from the article body
| rather than making up new language; that's usually, though not
| always, possible.)
| qwertox wrote:
| > but actually using them to poke around.
|
| This is true, but he believed that the database was held
| exclusively for the client, hence only containing data
| belonging to the client, who gave him permission to access his
| data. Apparently the name of the database also seemed to
| indicate this.
|
| As soon as he then noticed that it contained _all_ the data of
| _all_ customers, he disconnected.
| mdgrech23 wrote:
| So many "hacks" are the equivalent of some fool left the front
| door wide open. If you left your front door wide and were robbed
| the public would have 0 sympathy for you yet people scream at the
| Hackers when these companies cheap out and don't do shit to
| update/maintain/enforce basic best practices around security.
| babarock wrote:
| It's not about "sympathy". It's about crime.
|
| If you left your front door wide and I robbed you, I'd have
| committed a crime. There's no "but the front door was open"
| defense.
| wvenable wrote:
| But nobody was robbed. This guy looked in the house and then
| immediately called you to tell your door is open. Instead of
| thanking him, you sue him for trespassing. Technically, he
| would be guilty of trespassing.
| hooverd wrote:
| Private residence is a bad analogy. This is like being
| sued for trespassing because you stepped over a green-grey
| marble line on the grey-green marble floor of the open
| ground floor lobby of an office building where you work.
| AndroTux wrote:
| It's like telling someone the pin to your safe and then suing
| them for them opening it. They didn't even steal anything.
| They just opened the safe that you gave them the pin for.
| bdcravens wrote:
| > If you left your front door wide and were robbed
|
| It would still be a crime. I would and should be chastised, but
| the person who robbed me should still receive a proper
| punishment.
| skissane wrote:
| Where I live, walking in the open front door of the house of
| a stranger is rather antisocial, but not in itself criminal.
| The real world analogy fails, because this person didn't take
| anything (copying isn't taking since the owner is not
| deprived of the original)
|
| Even unlocking their door with a key you found lying in the
| street, and then going in, is not _in itself_ criminal (where
| I live). If you go on to commit a crime while inside, or did
| it with the intention to commit such a crime, that added fact
| makes it a crime ("break and enter"). But merely unlocking the
| door and entering in itself is not.
| belval wrote:
| > If you left your front door wide and were robbed the public
| would have 0 sympathy for you
|
| Not sure where you live for that to be the case, but someone
| coming in because I left my door open is not normal, even if I
| left my door open. Even if they claim they were "making sure
| everything was safe".
| shagmin wrote:
| Normalcy doesn't matter. I think the point is that you're not
| going to get much sympathy if you leave your front door wide
| open, leave for work or better yet go on Christmas vacation
| and have no sign anyone is home, and then come home to find
| something's been stolen. Maybe a better analogy is leaving a
| laptop in your car overnight and leaving your car unlocked
| parked on a busy street.
|
| Obviously stealing is a crime and we shouldn't victim blame.
| But with a lot of software the business isn't much of a
| victim so much as their customers are, and there doesn't seem
| to be much incentive for companies pro-actively securing
| their software. You could argue in hindsight the developer
| would've been better off selling the vulnerability and/or
| data to the black market rather than reporting it.
| happytoexplain wrote:
| I struggle with the use of the word "hacking". Sometimes we want
| it to mean a penetration that requires exceptional knowledge and
| effort. Sometimes we just want it to mean "fiddled with the
| internals".
|
| I once did a search in the free version of Feedly. They showed me
| the real search results, _behind_ a "this is a paid feature"
| overlay. I submitted feedback saying they should either provide
| the feature or not provide it - and refrain from this in-between
| teasing. I mentioned that I deleted the overlay in the HTML to
| see the results, and they told me I had "hacked" the web app in
| their response.
|
| That usage, and this usage, are ridiculous, because they imply an
| unscrupulousness that isn't present. And yet applying the
| friendlier meaning of the word, as in "Hacker News", I think is
| reasonable in both cases.
| aleph_minus_one wrote:
| > I struggle with the use of the word "hacking". Sometimes we
| want it to mean a penetration that requires exceptional
| knowledge and effort. Sometimes we just want it to mean
| "fiddled with the internals".
|
| "Hacking" means "getting (typically) technology to do things
| that it was not intended to do, sometimes in a playful way".
| The other meaning was purposefully disseminated by the
| mainstream media to spread fear and hate against the hacker
| scene, because their knowledge about programming, computers and
| technology was a thorn in the side of specific groups in power.
| fluoridation wrote:
| Okay, but that clearly cannot be the meaning being used here,
| since to prohibit "hacking" in this sense is not unlike a
| blanket prohibition on "play".
| aleph_minus_one wrote:
| Did you read the original link:
| https://infosec.exchange/@WPalant/111776937550399546
|
| "Current news: A court found a developer guilty of
| "hacking." His crime: he was tasked with looking into a
| software that produced way too many log messages."
|
| Note that "hacking." is in quotes, which should clear the
| opinion that the poster "Yellow Flag" considers it to be
| ironic that this action is called "hacking".
| fluoridation wrote:
| Yes, and I also skimmed the German source. "Hacking" is
| in quotes because that's what they called it in Germany.
| Yellow Flag puts "hacking" in quotes to make it clear
| that they're citing a source and that they're not calling
| the action "hacking" themselves. It doesn't necessarily
| imply a sense of irony, they're just reporting a piece of
| news.
| _dain_ wrote:
| _> Sometimes we want it to mean a penetration that requires
| exceptional knowledge and effort. Sometimes we just want it to
| mean "fiddled with the internals"._
|
| oo-err
| yieldcrv wrote:
| so he would have been fine if he didn't check the vendor
| database? or if he got written authorization to check the
| database?
| HL33tibCe7 wrote:
| No, he was found guilty for using those credentials to connect to
| the database. I can't speak for German law, but at least in the
| UK this would be an open-and-shut case, it's a clear violation of
| the Computer Misuse Act.
|
| You can like that or not, but if you're in the position to be
| doing research like this, you really ought to know the basics of
| the law.
| a_dabbler wrote:
| Sounds to me like the database credentials were embedded in the
| application so presumably the application would log in to the
| vendors server as an intended action. Does this mean all the
| vendors users must be charged with hacking also?
| HL33tibCe7 wrote:
| The clue's in the name: "misuse".
| dzhiurgis wrote:
| Is there evidence he misused the data or the server? Did he
| download all the data and sold to third parties, spammed
| the hell out of existing users or anything like that? How
| is verifying the credentials misuse?
| HL33tibCe7 wrote:
| He didn't just "verify the credentials". He was in the
| database making queries, viewing private data.
| feanaro wrote:
| "Viewing" private data for purposes of verification of
| the issue. How about you just don't ship passwords in the
| application like some negligent troglodyte?
| malka wrote:
| Or you just could go the whole other way. Don't report. Sell.
| ipaddr wrote:
| I wish more people would go the other way. Companies should
| hire people fulltime to find and report bugs.
| from-nibly wrote:
| But turning on the app "uses" those credentials. So were all of
| their consumers guilty of hacking too?
|
| What's the difference? MAYBE I could see this as a violation of
| the ToS but it's a far cry from "hacking".
|
| Having a password doesn't mean they were trying to keep people
| out. They shipped the password.
|
| That's like going into a building and they HAND YOU a keycard,
| and say don't go anywhere you aren't supposed to. And then it's
| actually a master key. How do you even know that it's going to
| let you into places you aren't supposed to go?
|
| I have creds to Google's services but it only gives me access to
| MY stuff.
| HL33tibCe7 wrote:
| Sorry but you're wrong. In the eyes of the law this is very
| clear cut.
|
| Morally is another question of course.
| cortesoft wrote:
| Is there no mens rea requirement in Germany?
| from-nibly wrote:
| I understand, but that doesn't mean I don't want to yell
| into the void about it.
| MetaWhirledPeas wrote:
| Sorry, but the law is wrong.
| xtracto wrote:
| My house door is usually open. That doesn't mean people are
| free to enter and use the toilet.
| lcnPylGDnU4H9OF wrote:
| > research like this
|
| > His crime: he was tasked with looking into a software that
| produced way too many log messages.
|
| The developer wasn't doing security research. It sounds like
| they just had a bug they were looking into. Connecting to the
| database and realizing what it is to immediately disconnect and
| report it responsibly shouldn't be something that comes with
| punitive measures. As another commenter pointed out, this
| incentivizes people to sell this knowledge to others who will
| actually "misuse" it.
| quickthrower2 wrote:
| Every coder in Germany should unionize and go on a
| password strike. Refuse to do any part of your job that
| requires authentication unless you have a signed written
| statement verified by a lawyer as to the scope and use of the
| access. And then only use that level of access.
|
| Can you fix this bug? Sure, I'll be chilling on this sofa
| while you get me my access.
| nikeee wrote:
| I'm not sure whether it's that easy. AFAIK he had a customer
| that wanted him to investigate why the customer's system was
| flooded with some data. He ran the connector to some other
| service that the data seemingly originated from and observed a
| connection being opened to a remote MySQL server in plain text
| in his firewall. He took a look at this and saw that the
| credentials used were equal across all tenants of the MySQL DB.
| So it wasn't just his customer's data that was exposed, it was
| the data of all tenants. AFAIK he then created some hashes of
| user data and exported this, so he could report this to the
| authorities and give users the ability to check whether they
| were listed in the system that had to be considered
| compromised. The DB exposed data of around 700k end users. He
| also contacted the company that runs that DB about this issue.
|
| The vendor of that connector then issued a new client that used
| TLS, which he also circumvented to show that the issue is still
| valid. He is also accused of decompiling the client software to
| obtain the password. IIRC, he instead claimed to just have
| opened the file in notepad.
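The "export hashes of the user data so people can check whether they are listed" step nikeee describes above, as an added example; this is not the researcher's code and nothing in the case file says how his export was built. The records, the key and every address below are constructed for the demo, and `recover_by_guessing` is included to show the caveat a practitioner should know before publishing such a list: an unkeyed hash of an e-mail address is reversible by hashing candidate addresses.

```python
"""
Added example for the thread, not code from the case or the researcher:
the "hash the identifiers and publish the hashes" approach, plus the
caveat that comes with it. Records, key and addresses are constructed.
"""
import hashlib
import hmac
import itertools
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-ins for rows seen in an exposed, multi-tenant table.
LEAKED_RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "name": "Alice"},
    {"email": "bob@example.org ", "name": "Bob"},
    {"email": "carol@example.net", "name": "Carol"},
]


def normalize_email(email: str) -> str:
    """Canonical form so the same address always hashes the same way."""
    return email.strip().lower()


def _digest(data: bytes, key: Optional[bytes]) -> str:
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, "sha256").hexdigest()


def hash_list(records: Iterable[Dict[str, str]],
              key: Optional[bytes] = None) -> Set[str]:
    """Unkeyed SHA-256 of each address (what a plain hash export gives
    you), or HMAC-SHA256 when a key is supplied."""
    return {_digest(normalize_email(r["email"]).encode(), key) for r in records}


def is_listed(email: str, hashes: Set[str], key: Optional[bytes] = None) -> bool:
    """Membership check a user (or a checking service holding the key) runs."""
    return _digest(normalize_email(email).encode(), key) in hashes


def recover_by_guessing(hashes: Set[str], local_parts: List[str],
                        domains: List[str]) -> List[str]:
    """The caveat: an unkeyed hash of a low-entropy value such as an e-mail
    address is reversible by hashing candidates. Returns every constructed
    candidate that appears in the list, i.e. the exported 'hashes' turn
    back into an address list for anyone with a decent candidate set."""
    return [f"{local}@{domain}"
            for local, domain in itertools.product(local_parts, domains)
            if is_listed(f"{local}@{domain}", hashes)]


if __name__ == "__main__":
    plain = hash_list(LEAKED_RECORDS)
    print(is_listed(" ALICE@example.com", plain))
    print(recover_by_guessing(plain, ["alice", "bob", "dave"],
                              ["example.com", "example.org"]))
    key = b"constructed-demo-key"
    keyed = hash_list(LEAKED_RECORDS, key)
    print(is_listed("alice@example.com", keyed, key),
          is_listed("alice@example.com", keyed))
```

The keyed variant stops the guessing attack but also stops users from checking themselves: someone has to hold the key and answer queries, which is the same trade-off breach-notification services make when they answer hash-prefix range lookups instead of publishing full hashes. Whichever variant is used, the list is still derived from the exposed personal data, so what may be exported while reporting is a separate question from how it is hashed.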
| AtNightWeCode wrote:
| INTENT is the keyword for most laws. If the intent here was to
| check the security it is 100% legal within EU. Don't know about
| UK. I guess the guy poked around.
| oytis wrote:
| The current German law says something different.
| Getting access to data by overcoming protection is a crime.
| It doesn't matter what you wanted to do with this data if
| anything at all.
|
| I've read current government had some plans to fix it, but
| they have a lot to do at the moment.
| mpeg wrote:
| I wouldn't say it's so clear, if you read the article it seems
| like the developer was investigating an issue and found the
| database credentials, assumed the database connection was
| single-tenant (or that the user would be limited by
| permissions) as the software was connecting directly to it, and
| used them. When they realised they had access to more data than
| intended, they disconnected from it.
|
| I have done exactly the same thing in similar circumstances - I
| had a desktop software vendor that we had issues with, saw the
| config files stored database credentials in plaintext and
| connected to it. In my case, the database was single tenant for
| our company so I managed to get what I wanted done.
|
| Surely intent must come into play when it comes to applying the
| law in cases like this? It doesn't seem like the developer had
| any intent to access a restricted system.
| vdaea wrote:
| After reading the text I predict this is completely
| sensationalised and that something worse happened.
| z500 wrote:
| According to the linked heise.de article the defendant assumed
| the credentials were for a database that only contained his
| client's data, and immediately disconnected as soon as he
| realized he was actually seeing data for all of the
| complainant's clients.
| pgeorgi wrote:
| It's a lowest level court, they're known to have wildly absurd
| legal opinions at times. Having stupid laws on the book (like
| the one in question) doesn't help.
|
| The curious bit is that this law is from 2007, so apparently
| this is an angle that escaped all attorneys and courts who
| applied this law in 16.5 years, or the defense could have shot
| down this line of reasoning by pointing out that this isn't
| what the law intended. (we don't have case law, but there are
| means of harmonizing outcomes once stuff ended up at higher
| level courts)
|
| My guess is that this won't hold up for long given the
| circumstances (trivially got the password, accidentally gained
| more access than expected, immediately disconnected upon
| notice)
| cybrox wrote:
| I've been following this for a long while now, as I frequent
| one of the forums that this person is also active on.
|
| Even if the sentence is overturned by a higher instance, the
| confiscation of all devices for months and the additional
| legal trouble have made pretty sure that this person will not
| make the same "mistake" again.
|
| The company's public statements during the whole affair were
| another story entirely. For these alone they'd deserve the
| next guy to just sell the credentials on a forum and have
| them blow up.
| magicmicah85 wrote:
| It's a very fine area. Once he had the database credentials,
| that's all he needed to tell the company to fix their code.
| Connecting to the database is what did him in.
|
| We need white hats that want to find vulnerabilities for good,
| but when you exploit a target and they aren't aware until after
| the fact, that's still a crime. I don't know what the safe way of
| doing this is other than only doing white hat hacking on systems
| you control. Any system outside of your control should not be
| exploited unless the company has an agreed upon contract that
| indemnifies you from any harm caused.
| fluoridation wrote:
| Alternatively, reporting the vulnerability is what did him in.
| This seems to encourage an adversarial environment where no one
| will report any vulnerabilities they find for fear of
| repercussions. If their good faith efforts will be used against
| them, they may as well act in bad faith.
| raphman wrote:
| The developer claims that he assumed that the
| database credentials were specific to the customer he was
| helping debug the problem. Once he realized that he could see
| other data, he closed the connection and notified the company.
|
| I'd argue that a customer who accesses their own data on a
| vendor's database via a client has also the right to access it
| via a different client.
| throwitaway1123 wrote:
| Something similar happened in Missouri a few years ago when the
| state's web developers leaked thousands of social security
| numbers in the HTML of one of their websites. A reporter noticed
| the flaw, reported it to the state government, waited for them to
| fix it, and then finally publicized the security issue. The
| governor (Mike Parson) accused the reporter of "hacking" because
| he clicked the view source button in his browser.
| yukkuri wrote:
| Better to just pretend you never noticed it. Even telling them
| their password is visible is risking being the messenger that gets
| shot. Using the password is right out.
| daltont wrote:
| Sounds similar to a case where I am from:
|
| https://www.techdirt.com/2022/02/25/turns-out-it-was-actuall...
|
| The "hacking" was decrypting social security numbers from BASE64.
| throwitaway1123 wrote:
| Yeah, this is exactly the case that the headline reminded me of
| (I got instantly downvoted for commenting about this for some
| reason). If they had actually encrypted the data it would have
| been fine, but BASE64 encoding is not encryption. It's
| trivially easy to decode base64:
| https://developer.mozilla.org/en-US/docs/Glossary/Base64#the...
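Two of the leaks in this thread share a root cause: a shipped artifact carried something it should not have, and finding it took nothing more than a text editor (nikeee's account above of the password in the connector) or the browser's view-source (the base64-encoded SSNs in the Missouri case daltont and throwitaway1123 cite). The check below, an added example and not code from the case, the vendor or heise, is the pre-release scan a release pipeline can run over its own build output or served pages to catch both shapes before they ship. The artifact bytes, hostnames, password and SSN are constructed; the regexes are a starting set, not a complete secret scanner.

```python
"""
Added example for the thread, not code from the case, the vendor or heise:
a pre-release check over a build artifact or served page that flags
(a) plaintext connection strings and password settings, the kind of thing
that shows up when the shipped client is opened in a text editor, and
(b) base64 tokens that decode to SSN-shaped values, the Missouri pattern.
The artifact bytes, hostnames and values below are all constructed.
"""
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# URL-style DSNs with inline credentials: scheme://user:password@host...
DSN_RE = re.compile(
    rb"(?:mysql|postgres(?:ql)?|mongodb|redis)://([^:/\s]+):([^@\s]+)@([^\s/\"']+)"
)
# key = value / key: "value" settings whose key names a secret.
KV_RE = re.compile(
    rb"(?i)\b([a-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key))"
    rb"\s*[=:]\s*[\"']?([^\s\"';]{4,})"
)
# Runs of the base64 alphabet long enough to carry something, with padding.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# What decoded tokens are tested against: a US SSN, with or without dashes.
SSN_RE = re.compile(rb"\b\d{3}-?\d{2}-?\d{4}\b")
PRINTABLE = set(string.printable.encode())

Finding = Tuple[str, str, str]  # (kind, where, masked value)


def extract_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Like strings(1): runs of printable ASCII inside an arbitrary binary."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def decode_if_base64(token: bytes) -> Optional[bytes]:
    """Strict base64 decode; only fully printable output counts as encoded text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(b in PRINTABLE for b in raw):
        return raw
    return None


def mask(secret: bytes) -> str:
    """Report that a secret was found without echoing it into CI logs."""
    s = secret.decode("ascii", "replace")
    return s[:2] + "*" * max(len(s) - 2, 0)


def find_leaks(blob: bytes) -> List[Finding]:
    """Scan every printable run in the blob for the three leak shapes."""
    findings: List[Finding] = []
    for s in extract_strings(blob):
        for m in DSN_RE.finditer(s):
            where = f"{m.group(1).decode()}@{m.group(3).decode()}"
            findings.append(("plaintext-dsn", where, mask(m.group(2))))
        for m in KV_RE.finditer(s):
            findings.append(("plaintext-secret", m.group(1).decode().lower(),
                             mask(m.group(2))))
        for m in B64_RE.finditer(s):
            raw = decode_if_base64(m.group(0))
            hit = SSN_RE.search(raw) if raw else None
            if hit:
                digits = re.sub(rb"\D", b"", hit.group(0))
                findings.append(("base64-ssn", m.group(0).decode(),
                                 "***-**-" + digits[-4:].decode()))
    return findings


# Constructed stand-in for a shipped client binary plus a served HTML fragment.
SAMPLE_ARTIFACT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"connector v2.1\x00"
    + b"mysql://shopuser:Sup3rS3cret!@db.example.invalid:3306/shop\x00"
    + b"\x90\x90\xcc\x00"
    + b'smtp_password = "hunter2hunter2"\x00'
    + b'<td data-ssn="MTIzLTQ1LTY3ODk=">Teacher</td>\x00'  # base64 of made-up 123-45-6789
    + b'<script src="/static/app.js?v=abcdefghijkl"></script>\x00'
)

if __name__ == "__main__":
    for kind, where, masked in find_leaks(SAMPLE_ARTIFACT):
        print(f"{kind:17} {where:40} {masked}")
```

Two design points worth keeping: the scanner masks what it finds, because a CI log that prints the password is one more copy of the leak, and a hit on the DSN pattern is only the symptom. The fix for a shipped shared database credential is not better obfuscation of the string (the thread notes the vendor's TLS update changed nothing about that); it is to stop shipping a credential that reaches every tenant's rows at all, by giving each client its own scoped account or putting an API in front of the database.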
| RajT88 wrote:
| Funny message in the encoded Base64 on that article, which
| reminds me of a musing I had a while back.
|
| Imagine the number of lazy programmers who paste stuff into an
| online Base64 decoder. Imagine all the stuff that is in those
| payloads!
|
| Running a site like base64decode.org would be a fantastic
| honeypot.
| j-bos wrote:
| That's why many large firms block online code assist tools.
| formerly_proven wrote:
| This case has been going on for a few years.
|
| Last summer the court declined the prosecutor's case (in this
| system, the prosecutor files their case with the court, and the
| court does a quick scan and will dismiss the case before
| scheduling the trial if it's obviously unsound - happens fairly
| rarely). Prosecutors got this overturned by a higher court, which
| means this trial happened at the same lower court, but with a
| different judge than the one who initially dismissed the case.
|
| > According to a decision by the Julich District Court on May 10,
| 2023, the criminal proceedings against the security researcher
| have been dismissed. The court assumes that no criminal offense
| has been committed because the data accessed by the security
| researcher was not sufficiently protected. "Only data that is
| specially protected against unauthorized access is subject to the
| scope of protection of the criminal offence. This presupposes
| that measures have been taken that are objectively suitable [...]
| to prevent access to the data," the court's decision states. "The
| court does not agree with the opinion of the public prosecutor's
| office that password protection as such is sufficient. A password
| does not always provide effective data protection, for example if
| it is too simple or is used in a standardized way for certain
| applications. In such cases, the provision of access to data does
| not constitute an offense."
|
| > Through its own investigations of the Modern Solution software,
| heise online was able to confirm that it did indeed contain a
| built-in default password. This meant that anyone who had
| examined the software, which was freely downloadable from the
| company's website, would have had access to the data on the
| Modern Solution servers.
| Alifatisk wrote:
| Can we flag posts for clickbait headline?
| orenlindsey wrote:
| This is like giving someone a book you wrote to proofread, with
| your password unintentionally in the text. They use it to login
| and then tell you about it. Sure, they shouldn't have logged in,
| but it doesn't feel like it deserves criminal charges.
| hypeatei wrote:
| Seems like those laws need to be re-written. Intent matters
| and it doesn't seem like this "hacker" was trying to do any harm.
|
| Company got caught with their pants down and want to punish this
| person for exposing that.
| quickthrower2 wrote:
| Yeah it is a chilling effect that will make German systems less
| secure, and other countries who are immune from German
| prosecution are going to exploit that. This story alone makes
| me refuse to work in Germany as a developer let alone in
| security.
| WesolyKubeczek wrote:
| Hackers somewhere in Novosibirsk who look for ways to disrupt
| or exfiltrate data from some of Germany's bigger IT
| systems, are likely very gleeful now.
|
| Look ma, they just _leave their passwords in cleartext_, and
| people are scared shitless to report it, lest they be sued!
| It's a pure gold mine!
| ttyyzz wrote:
| Greetings from Germany, I would not be surprised in the slightest
| if German legislation considered pressing F12 in your browser
| and looking at the HTML to be "hacking".
| pavel_lishin wrote:
| Where do you think Germany is, in Missouri?
|
| https://www.theverge.com/2021/12/31/22861188/missouri-govern...
| niemandhier wrote:
| If you ever wonder why Germany is trapped in a predigital state
| since the late 2000s: Things like this are the reason.
|
| I've met people from all over the world, some of the coolest hackers
| and devs were from Germany, but: The perpetual effort of the
| German government to make all things "safe" and "stable"
| hinders the evolution of the country into something greater than
| a nation of car manufacturers.
| aleph_minus_one wrote:
| > If you ever wonder why Germany is trapped in a predigital
| state since the late 2000s
|
| I think the term "(pre)digital" does not fit: for example CDs
| and punchcards are clearly digital.
| pmarreck wrote:
| Here's a good article on the problem. Seriously, given how
| excellent most other qualities of life are in Germany, and how
| smart/educated Germans are, the Internet situation is jarringly
| bad (for anyone who visits or emigrates, and isn't used to it).
|
| I think there's even a bit of pride about it, I hate to say.
| Germans are pretty proud of their outdoor activities and
| general physical health, and "device obsession" works directly
| against that... and is still not as much of a thing there as in
| the US for example. You could make an argument for it...
|
| https://www.settle-in-berlin.com/why-is-internet-so-bad-in-g...
|
| tl;dr Blame Helmut Kohl. Helmut was clearly the type of guy who
| would have printed out his emails (if he even had to email, if
| perhaps only by necessity) until the day he died.
| aleph_minus_one wrote:
| > Here's a good article on the problem. Seriously, given how
| excellent most other qualities of life are in Germany, and
| how smart/educated Germans are, the Internet situation is
| jarringly bad (for anyone who visits or emigrates, and isn't
| used to it).
|
| > I think there's even a bit of pride about it, I hate to
| say. Germans are pretty proud of their outdoor activities and
| general physical health, and "device obsession" works
| directly against that... and is still not as much of a thing
| there as in the US for example. You could make an argument
| for it...
|
| Honestly, I am not sure what kind of "device obsession" in
| other countries vs Germany you are talking about. My
| impression, as a German, is that many German people value
| other qualities of technological products than what is valued
| in other countries.
|
| For example, many German customers value long-lasting, robust
| products instead of the latest fad that will be out of
| fashion in a few years. For example, many Germans who are
| able to afford them would love household appliances built by
| Miele. Also, because of the German history (two dictatorships
| on German soil of which one ended little more than 30 years
| ago), many Germans are much more suspicious of "spying
| devices" (e.g. internet-enabled home appliances (IoT)) and
| things that might track you (this is also a reason why many
| Germans strongly prefer paying cash).
|
| But it is nevertheless my impression that many Germans
| nevertheless do have quite some love for devices that _do_
| fit their values; it's just that the taste is quite
| different from the taste in other countries.
| pmarreck wrote:
| That's a great point. I was trying to strike a noncritical
| tone, believe it or not. Germans, like everyone else, are
| shaped by personal and shared experiences of the past.
| AtNightWeCode wrote:
| A colleague had a valid German driver license with a photo
| stapled on, way into the 21st century. Nice.
| wouldbecouldbe wrote:
| Had a food startup in the Netherlands.
|
| Worked with PostNL, the main and previous governmental
| organisation for sending mail.
|
| Weekly we would upload our orders in their system; and could see
| our history.
|
| Then one day we could suddenly access all other clients history
| and export their users data. Many of them direct competitors, and
| their mailing lists would have been quite valuable to us.
|
| My partner exported all Marley Spoon's (a bigger funded
| competitor) data in excel and a few others. When he told me I
| told him to delete it ASAP, even though it's fun you don't create
| a liability. But we could have used it to grow 10-30% in a few
| weeks.
|
| They never reported it, which they were legally obliged to do
| under EU law.
|
| All to say, if you get the keys to the castle, maybe don't use
| them. Or maybe you do.
|
| We should, and could have used it, in price negotiations since
| they almost doubled the prices to us for the next few months and
| didn't have any mercy. Let alone misplacing 3-8% of our orders
| and not refunding.
|
| But instead we moved to a few other delivery services (with all
| their own flaws)
| gumballindie wrote:
| > So he immediately informed the vendor - and while they fixed
| this vulnerability they also pressed charges.
|
| Germany has an obsession with accusing people of crimes. Perhaps
| a projection?
| cybrox wrote:
| Ah yes, the homogeneous entity of germany born in 1939...
|
| To the bottom you go.
| petre wrote:
| Ah Germany, where everything is precisely regulated, even the use
| of kitchen knives, which are of course unlawful to use outside of
| the kitchen. Nur in der Küche schneiden mit dem Küchenmesser!
| (Only cut in the kitchen, with the kitchen knife!)
| Zamicol wrote:
| The law shouldn't be involved in this. Fix your systems. Tax
| payers should not be forced to defend poorly designed systems.
| WesolyKubeczek wrote:
| Next time: never report anything. Sell it on some black market,
| then forget everything about it.
|
| Alternatively, get a sockpuppet account, publicize the
| information anonymously somewhere, then pretend you accidentally
| stumbled upon it and sue the vendor for gross negligence with
| your data. Go on the offence. Germany is so anal on privacy laws
| that I suspect the whole case has been hinging on the company
| making the first move. Keep sucking those sweet damages. I'm
| surprised there's not a whole fucking industry around this
| behavior, which is way too common to go unpunished.
|
| Don't be a boy scout. This seems to be frowned upon these days.
| posterboy wrote:
| Title could be read as exposing by means of an app dedicated to
| exposing said credentials. Hackernews suggests something else,
| but hasn't really outlined the expose-action.
|
| The text of the decision should be paramount.
___________________________________________________________________
(page generated 2024-01-18 23:01 UTC)