A German court has fined a programmer who was investigating an IT problem 3,000 euros ($3,265) for what it considers unauthorized access to external computer systems and data espionage.
According to Heise's original report, the programmer, working as a freelance IT service provider, was initially asked by a client to resolve an issue in which the client's product management software was generating excessive logs.
When the programmer examined the software, he found that it established a MySQL connection to a remote server belonging to Modern Solution GmbH, the vendor of the management software.
After connecting to the database, he discovered that it contained not only his customer's data but also the data of approximately 700,000 other Modern Solution customers, raising serious data privacy concerns.
After realizing that the database contained data from other companies, the programmer severed the connection to the remote database and worked with a technology blogger to notify the software vendor of the cybersecurity and privacy issues.
Modern Solution GmbH took its servers offline to resolve the issue and denied there were any security gaps in its systems. The programmer and the technology blogger publicized the issue the same day without waiting for comment from the management software vendor.
Shortly thereafter, the company reported the programmer to the police for allegedly leaking data and unauthorized access to its database servers.
Password stored in plain text
The programmer told the technology blog Word Filters that he had discovered the management software connecting to the MySQL server over the Internet.
To determine the purpose of the database connection, the programmer extracted the plaintext password for the MySQL database connection from one of the management software’s executable files.
Prosecutors argued that the defendant went so far as to decompile the software, but, as Heise confirmed, the programmer simply listed the strings in the MSConnect.exe executable to find the password in plain text.
However, the court held that unauthorized access to password-protected data is a violation of Article 202c of the German Criminal Code, also called the hacker paragraph.
The judge cited a 2007 reform of the hacking law to emphasize that a protection does not need to be robust for bypassing it to count as an offense.
However, the judge showed some leniency and imposed a lower fine than the prosecution had requested, given the consultant's clean record.
The defendant's lawyer argued that his client acted in the public interest and responsibly notified the software vendor of the security lapse, and criticized the court's position on the issue as outdated.
The programmer has decided to appeal the decision, and the case will be transferred to the Higher Regional Court in Aachen, where the ruling could serve as an important legal precedent.
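The underlying defect is a database password shipped as a printable string inside a client executable. The check below, added here as an example (not code from the article, the vendor, or the programmer), is what a vendor could run on its own release artifacts before shipping: it lists printable runs the way `strings` does and flags anything that looks like an embedded connection secret. The sample bytes and the patterns are constructed for illustration and can be extended.

```python
import re

# Added example: a pre-release check for hardcoded database credentials in a
# build artifact. SAMPLE_BINARY is constructed for this example; it is not the
# real MSConnect.exe, and the patterns are illustrative, not exhaustive.

MIN_LEN = 6  # shortest printable run worth inspecting, like `strings -n 6`

# Patterns that indicate an embedded connection secret (assumed formats).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*[^;\s]+"),  # key=value style
    re.compile(r"(?i)\bmysql://[^:\s]+:[^@\s]+@"),             # user:pass@host URI
]


def printable_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield runs of printable ASCII at least min_len long, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def find_embedded_credentials(data: bytes):
    """Return the printable strings in a binary that look like DB credentials."""
    hits = []
    for s in printable_strings(data):
        if any(p.search(s) for p in SECRET_PATTERNS):
            hits.append(s)
    return hits


# Constructed sample: a few header-like bytes around an embedded connection string.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"Server=db.example.invalid;Database=shop;Uid=app;Pwd=s3cr3t!;"
    + b"\x00\x00" + b"Copyright notice" + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    # A release gate would fail the build if this list is non-empty.
    for hit in find_embedded_credentials(SAMPLE_BINARY):
        print("possible hardcoded credential:", hit)
```

The fix the check points at is architectural, not a stronger obfuscation: a client application should authenticate to a vendor-side API with per-customer credentials rather than carry a shared database password to a multi-tenant MySQL server.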