German Court, in a Really Short-Sighted Move, Basically Criminalises Software Debugging
A local district court in Germany has fined a programmer for analysing software for a client and then reporting a serious vulnerability
Jülich, 17 January 2024 Filed under: Technology
In October of 2021, Germany’s most-read IT news site, heise online, commissioned me to write a story about a German programmer who had reported a pretty significant bug in the software by some medium-sized German IT service provider. As golem.de had uncovered earlier, instead of giving the freelance programmer a bug bounty as thanks, the company had reported him to the police and he then had his home and office raided and all of his computers and mobile devices confiscated[1]. This was significant because, as Der Spiegel had said in July of that year about the security vulnerability, this programmer had prevented the personal information (including addresses and payment information) of around 700,000 ordinary German online shoppers from being freely discoverable on the net. He had clearly acted in the best interest of the public when he reported the vulnerability to the company in question and, after it had been fixed, got a blogger to publish the details of the bug and bring it, and its possible consequences, to the attention of the wider press here in Germany.
As I uncovered with exclusive research in November of 2021, it was indeed the company Modern Solution from Gladbeck in the Ruhr who had reported the programmer to the police, after he had contacted them about the security vulnerability in their software. I have been on this story ever since, and even recorded an English language podcast episode on it back in the day, because I just found this simple fact so incredible.
The first tangible court decision in this case was handed down today in the tiny town of Jülich in western Germany and I went there to report on it, because this could actually turn into quite an important precedent in German information technology law. But before I get into the court decision, let me quickly recap what kind of software we are talking about here.
Modern Solution Is Everything But
There’s a German company called JTL, which makes the awkwardly named, but relatively popular, inventory tracking software JTL-WaWi. Modern Solution acts as a service provider that connects marketplaces at large online stores — Germany’s local equivalents of Amazon — to this inventory tracking system. That means that Modern Solution customers can thus not only sell their wares at their own websites, but simultaneously at these big online stores. As it turns out, their solution wasn’t as modern as advertised, though.
When our programmer, the defendant in the court case in Jülich, was tasked by one of his clients to look into why the Modern Solution install on his server was filling a log database with errors, the programmer discovered that MSConnect.exe from the Modern Solution install was opening a MySQL database connection over the internet to that company’s servers. He decided to figure out what was going on and looked at the binary code with an editor. When he searched for information from the database connection, like the hostname, he immediately found a simple, easy to brute-force, plaintext password that was used to connect to the database. But it gets worse. When he connected, presumably to see where the errors were coming from, he realised that the database he was connected to included not only his client’s data. It included all data from Modern Solution’s transactions. Not only from their other customers, but from all the random people who had bought anything in their customers’ online shops. Addresses, bank account data, you name it … from 700,000 random online shoppers.
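The root cause described above is a client binary, distributed to customers, that carries a shared database password in plain text. One control that catches this before release is a secret scan of the built artifact, shown here as an added example (not code from the original article, nor from Modern Solution or JTL): it extracts printable ASCII and UTF-16LE strings the way the `strings` tool does, flags connection strings with inline passwords, and redacts the values in its report. The key=value connection-string syntax, the hostnames and the credentials in the sample blob are constructed assumptions.

```python
import re
import sys
from typing import Iterator

MIN_LEN = 8  # minimum printable run, as in the classic `strings` tool
# Connection-string keys that must never carry a literal value in a shipped client.
CRED_KEY_RE = re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*([^;\s\"']+)")
# URL-style DSNs with inline credentials, e.g. mysql://user:secret@host/db
DSN_RE = re.compile(r"(?i)\b(mysql|postgres(?:ql)?|mssql|redis|mongodb)://([^:/\s@]+):([^@\s]+)@([^/\s;]+)")

def iter_strings(blob: bytes) -> Iterator[str]:
    """Yield printable runs, both ASCII and UTF-16LE (common in Windows PE files)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % MIN_LEN, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN, blob):
        yield m.group().decode("utf-16-le")

def find_embedded_credentials(blob: bytes) -> list[dict]:
    """One finding per credential-bearing string; the secret itself is redacted."""
    findings = []
    for s in iter_strings(blob):
        if CRED_KEY_RE.search(s):
            findings.append({"kind": "key=value",
                             "context": CRED_KEY_RE.sub(lambda m: f"{m.group(1)}=***", s)})
        for m in DSN_RE.finditer(s):
            findings.append({"kind": "dsn", "scheme": m.group(1).lower(), "host": m.group(4),
                             "context": DSN_RE.sub(lambda x: f"{x.group(1)}://{x.group(2)}:***@{x.group(4)}", s)})
    return findings

def artifact_is_clean(blob: bytes) -> bool:
    """Release gate: True only if no embedded credentials were found."""
    return not find_embedded_credentials(blob)

# Constructed sample "binary": fake PE header, a UTF-16LE connection string, an ASCII DSN.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Server=db.example.invalid;Uid=shopuser;Pwd=Hunter2!;Database=orders".encode("utf-16-le")
    + b"\x00" * 8 + b"mysql://sync:s3cret@db.example.invalid/orders" + b"\xff" * 8
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for f in find_embedded_credentials(blob):
        print(f)
    sys.exit(0 if artifact_is_clean(blob) else 1)
```

A non-zero exit from the gate fails the build; the finding's redacted context still tells the developer which string to move out of the binary.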
Now, the programmer made several mistakes. He reached out to a relatively inexperienced blogger instead of a seasoned infosec reporter, who could have protected his source better. He also emailed the company instead of letting a journalist jump into the line of fire. This enabled the police to go to his email provider, subpoena his messages and connect the account to his identity. He also made the mistake of cooperating with the police when they raided his house and of giving them the password to his devices — even though talking to the police is rarely a good idea. All this enabled the prosecution to build a case against him.
Was This Actually a Crime?
Under German criminal law, article 202a StGB makes it illegal to access computer systems if you are not authorised for it and have to defeat security mechanisms to do so. According to the law, the data has to be “eminently secured” for this law to apply. Article 202c makes it actually illegal to use any software that can be used for this purpose[2]. Collectively, article 202 is known as the infamous “Hackerparagraf” in Germany, because it has long been understood by people who know how hackers actually operate — or ordinary programmers for that matter — that all of this is very stupid and imminently dangerous for the entirety of the German tech sector.
And so, having given the law enforcement people everything they needed, our programmer was indicted pretty quickly as a malicious hacker. But interestingly, his local district court in Jülich, in June of last year, decided not to prosecute him. The court was of the opinion that the district attorney’s office hadn’t sufficiently proven that getting a plaintext password from a file distributed to a client who had tasked you with debugging said software could actually be considered a crime under these laws. The district attorney quickly appealed this decision and a higher court, the regional court in Aix-la-Chapelle, ordered the judges in Jülich to proceed with the prosecution in August. The higher court was of the opinion that a password alone meant that the software was “eminently secured”, no matter how dumb the password or how shoddily written the software. Or if any script kiddie could have figured all of this out with half an hour in front of dad’s computer and some deft Google searches.
The Court Is in Session
In the court proceedings today, the district attorney spent an inordinate amount of time trying to get the defendant to admit that he had decompiled the software to get that password. Instead, the court could have actually looked at MSConnect.exe and how easily the plaintext password was recoverable, even from the binary file. I was involved in some tests in 2021, where we downloaded publicly accessible code from Modern Solution, and were easily able to verify this. It would have been very easy, if not to say trivial, for me to do this on my own. And I’m just a journalist with a bit of Linux knowledge. I’m a pretty far cry from being what people usually think of when they call someone a “hacker”; I’m more of a hack, really. But, alas, the court didn’t do any of that. Instead, it tried to argue that a decompiler is somehow suspicious and should be treated as evidence of a crime. At least, that’s how the police investigation report read.
In the end, it didn’t matter anyhow. The judge said that, after a careful review of the laws in question, he was now of the opinion that a password alone suffices to fulfil the requirement that software has to be “eminently secured” and that this means that the defendant was guilty of illegally accessing that data. The defendant actually got off with quite a lenient sentence, mostly because he’d never been convicted of anything before. He was ordered to pay € 3,000 and cover the cost of the court case. The maximum penalty under these laws is three years in prison.
But that shouldn’t distract from what actually happened here: A programmer, who did legitimate analysis to find a bug in software that his client was allowed to use, accessing a database that his client accessed all day, every day, was sentenced because, in the process of doing so, he found a security vulnerability and then engaged in responsible disclosure. In my view, the state judiciary and executive were misused, by a company being butthurt about their shoddy software quality, to punish a security researcher who found a vulnerability and published it — and as such was acting in the best interest of the public.
Add to that the apparent fact that the German police and DAs seem to think that a decompiler is suspicious software for a software developer to have on his computer and this whole case gets quite nuts.
What This Means for the German Tech Industry
My takeaway from this is that programmers in Germany should never talk to the police, end-to-end encrypt all of their communications and use full disk encryption on everything. Because if the police ever get hold of your systems and find a compiler, they will hold that against you and try to put you in jail for doing your job. It is also apparently more important to punish an ethical researcher[3] for getting a security vulnerability fixed and the public to know about it, than punishing a company for endangering the security and privacy of hundreds of thousands of citizens. In fact, the state willingly does the dirty work of a company writing shitty code like this, going after the researcher for them. The priorities of current German laws when it comes to IT security are all completely wrong, it seems.
In this climate, who will actually report any security vulnerabilities they find? Let alone go out and look for them? You’d have to be nuts to do so. So we’re building a society that is rapidly tying every part of everyday life up with software and then we make it illegal to fix the inevitable security flaws that we know all of this software comes with. Can anybody see where this is going? I predict that, in typical German fashion, the outcry will be unending and obscene once the actually malicious hackers decide to go after these vulnerabilities and this whole house of cards crumbles. The press will ask: Who could have seen this coming? Anyone with half a brain, guys.
Don’t get me wrong. The court in Jülich decided the way it probably had to, given the current laws. But we really need to change these stupid laws and we need to do it now. Before it’s too late.
The sentencing isn’t legally binding yet and both the defendant and the district attorney can now escalate it up to the Regional Court. And I hope someone does within the one-week deadline. The defendant’s attorney seemed to indicate during the trial that his client is in it for the principle of the thing, so they might. If they do, this could become a precedent that finally ends this stupidity. Well, at least I can hope, right?
—30—
Update as of 19 January 2024, 12:58 CET:
I have been told by the defence team that they have appealed the judgement.
This means that a regional court, in all likelihood the one in Aix-la-Chapelle, will have to re-try this case. Since the trial in Jülich was part of a shortened process used for minor crimes (Strafbefehlsverfahren), it did not necessitate a detailed evidence gathering process and no witnesses or experts were called. I expect this will change in the upcoming regional court case.
So far, we don’t know when, or where, the re-trial will take place. I will keep reporting on this story, of course. I think it’s a very important one.
[1] The police kept his stuff for years. This was virtually all of his work equipment. Think about what that does to a freelance programmer working out of his apartment…
[2] I know. This has to be one of the dumbest laws ever written. It just gets worse and worse the more you think about it. That’s like retroactively making anything illegal that could possibly be used to murder somebody. Anything heavy? Now illegal. Cars? Illegal. Your hands? Going to jail, mate!
[3] The district attorney, following a theory that Modern Solution advanced to the police in the process of reporting the programmer, seemed convinced that the defendant had acted to hurt the company and cause it damages. This was predicated on the fact that he was running an IT consulting business at the time and was selling services connected with JTL-WaWi when he’d reported the vulnerability. Much was also made of the fact that he used the alias moki11so (an anagram of ki11moso, as in “kill Modern Solution”). The judge seemed to find this at least plausible. Totally disregarding the idea that you could probably really hurt a company if you had access to a security vulnerability that exposed the data of close to a million people on their servers and that disclosing the vulnerability to the company in question and, after it has been fixed, the press, isn’t the way to go about that at all.
Some people look for floods and locusts as signs of Armageddon, but our true decay is evident through this case, the imprisonment of Assange, the abuse of Ukraine for a proxy war, the shipping of arms to Israel, the takeover of the Labour Party via fake antisemitism, the division of America supporting false idols, the use of liberalism as marketing instead of belief, bad bankers and traders etc.