@WPalant Which is why I think for laws concerning this to be reasonable, they must make it legal to bypass all protection mechanisms as long as you report your findings to the vendor and don't use the bypass to cause harm or for personal gain.
Wolf480pl (wolf480pl@mstdn.io)'s status on Friday, 19-Jan-2024 19:57:11 JST Wolf480pl
LS (lain@lain.com)'s status on Friday, 19-Jan-2024 19:57:11 JST LS @wolf480pl @WPalant the only thing reasonable is the 'cause harm' clause, everything else is a non-crime that courts/lawmakers make up.
Wolf480pl (wolf480pl@mstdn.io)'s status on Friday, 19-Jan-2024 19:57:12 JST Wolf480pl @WPalant arguably, it shouldn't matter how strong the protection was. The purpose of security research is to find flaws in protections, the same flaws that could be used to do something malicious. That's the whole point. The difference between a security researcher and a cybercriminal isn't what protections they bypass, it's what they do after they find out that they can bypass a protection.
Do they report it to the vendor? Or exfiltrate data and sell it on the black market?
1/
Yellow Flag (wpalant@infosec.exchange)'s status on Friday, 19-Jan-2024 19:57:13 JST Yellow Flag German law is making security research a risky business.
Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a piece of software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.
When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.
There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.
I very much hope that there will be a next-instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.