12 comments

[ 3.2 ms ] story [ 49.1 ms ] thread
Germany, where even possesion of security software can be a crime.
Liberal (as long as what you do does not threaten your rulers—even in a tiny way).
There should be strong protections for security researchers, and anyone reporting a security flaw should receive the benefit of the doubt. To the extend we fail to do this we are sacrificing national security in exchange for the convenience of companies.
It’s so dumb. They come to you to tell you you have a problem. Why would you accuse them of anything…
Because it’s Germany and things are done here the German way. It’s all sovereign and maybe we can stick some iso on it.

Look, everything works as expected. The law worked, police stopped the perpetrator, the hack has been prevented, customer data is now safe.

Is your statement a justification for punishing this researcher or sarcasm of the situation? Hard for me to infer.

If the former, then it’s only a matter of time where you are so confused as to why/how your entire nations infrastructure gets completely borked because there was a proliferation of such juvenile vulnerabilities that were illegal to be disclosed to the appropriate authorities.

This researcher deserves better. They tried to make society more safe and were punished :(

It's sarcasm. They tried to indicate that without /s by including "maybe we can stick some iso on it"
It's the second tier of German justice (first one had sided with the guy, btw), still subject to appeal. Hopefully sanity can prevail.
One angle is missing in this article: the judge stated that the intention by the lawmaker was to criminalize any kind of hacking when they have introduced the law, so it doesn’t matter how strong the password was or how good it was protected.

Frustratingly, the judge is absolutely right. That was precisely the intention behind the law change back then. I just hope the law will be changed by the government, which (despite all their quarrels) is a much saner one than the one which changed that law.

Security by insecurity is not a strategy.
How could the appeal judge be so wrong? They're supposed to get expert testimony.
From the articles I read on this in German and this one it seems to me that there is an easy to miss point: the consultant didn't have any authorization from Modern Solutions to conduct a pentest, he was working for a Modern Solutions customer. When he discovered the hard-coded password, he should have stopped there and reported it.