Modern Solution: Criminal proceedings against security researcher now go ahead
In the case of the IT expert who found a serious security gap in the systems of the Gladbeck-based software service provider Modern Solution, proceedings are now being brought before the Jülich Local Court (Amtsgericht, AG). In a decision dated July 27th (file number 60 Qs 16/23), the Aachen Regional Court (Landgericht, LG) ruled that the AG Jülich must hear the case. In May, the Jülich judges had declined to proceed on the charge brought by the Cologne public prosecutor's office, on the grounds that the data accessed by the IT expert was not sufficiently protected for the act to constitute an offence within the meaning of Section 202a of the German Criminal Code (StGB), the so-called hacker paragraph. The Cologne public prosecutor's office then appealed.
Decompiling as some kind of black magic?
In Jülich, the judges at the local court had held that "a password does not always ensure effective data security", for example "if it is too simple or is used in a standardized way for certain applications. In such cases there is no securing of access." The judges at the LG Aachen did not follow this reasoning. In the Aachen Regional Court's view the data was specially secured, because it was password-protected and "retrieval" of the data "was also only possible after decompilation". "Securing access with a password is sufficient to secure access," so the elements of the offence are met. The court is thus following the legal opinion that has also prevailed in other courts for years.
According to the legal opinion of the Aachen judges, "the general security of the data against access by unauthorized persons should be taken into account, not whether those in the know or experts can easily access the data". The decision also follows the arguments of the Cologne public prosecutor's office, which had argued in its appeal that decompiling a binary file requires "a deep understanding of programming languages and software development" in order "to be able to deal with the result of the decompilation". That is a conclusion many IT security experts would probably disagree with – it is not for nothing that the term "script kiddies" exists. The Cologne prosecutors had concluded that "the data and passwords in question here are only accessible to a limited group of people who have the necessary specialist knowledge".
When is a password "effective protection"?
The Jülich Local Court must now hear the case (file number 17 Cs 55/23) against the IT expert, whose work equipment had all been seized by a police task force. The programmer found the vulnerability in June 2021. Among other things, Modern Solution acts as a service provider and hosts the JTL-WaWi inventory management system for customers who want to connect their online shops to online marketplaces such as Kaufland, Otto, Check24 and Idealo. Because of the security gap, the data of more than 700,000 end customers of these marketplaces was not adequately protected. The programmer, who was doing freelance debugging work for a Modern Solution customer at the time, reported the vulnerability to Modern Solution and made it public only after the company had fixed it. In his view, he acted as a security researcher does when finding and reporting a vulnerability in the course of his work. But instead of rewarding him, the company reported him to the police.
In the two procedural steps so far, two different legal opinions have emerged as to which data counts as specially secured and whether unauthorized access to it constitutes "spying on data" within the meaning of Section 202a StGB. In the present case, the protection was an extremely easy-to-guess password that was hard-coded into the affected software and was therefore the same for every installation. It could either be captured at points in the customer's internal network where transport encryption is not in use, or found by decompiling the program's binary files. This password was used to open an SQL connection over the Internet to the Modern Solution servers. Because every installation used the same credential, anyone who recovered it from a single copy of the software could use it to reach the data of every customer on those servers.
The decision of the Aachen judges is of interest to security researchers and to everyone who works professionally with computer systems. Very few experts would describe such an implementation as a security measure at all. The position that compiling program code into a binary constitutes some kind of protection would also be hard to defend before a panel of experts: the literals a program needs at runtime, including any embedded password, are still present in the compiled file.
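The point made above, that compiling a program does not protect a credential embedded in it, can be shown with nothing more than a string scan, which is far less than decompilation. The following Python script is an added example for this article and is not code from the case or from any of the companies mentioned. It runs over a constructed byte string that imitates a compiled binary carrying two database connection strings, one stored as ASCII and one as UTF-16LE (the encoding in which .NET assemblies keep their string literals; the page does not say which platform the affected software uses, so that is an assumption), and pulls out the password fields. The connection-string format, host names, user names and passwords are all invented for the example.

```python
import re

# Constructed sample "binary": header-like and filler bytes around two
# connection strings, imitating how a compiled program carries its literals.
# Hosts, user names and passwords are invented for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Server=db.example.invalid,1433;Database=shop;User Id=sync;Password=Summer2021!;"
    + b"\x00\x00\xff\xfe\x12"
    # Assumption: a .NET-style binary, which stores literals as UTF-16LE.
    + "Data Source=db.example.invalid;Initial Catalog=shop;User ID=sync;Pwd=hunter2;".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
)

# Runs of printable characters, as the `strings` tool would report them:
# plain ASCII, and ASCII stored as UTF-16LE (each character followed by NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# A string counts as a database connection string when it names a server and
# carries a password-like key; the key/value pattern then extracts the secret.
CONN_STRING = re.compile(r"(?i)(?=.*\b(?:server|data source)\s*=)(?=.*\b(?:password|pwd)\s*=)")
SECRET_KV = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")


def printable_strings(blob: bytes) -> list[str]:
    """Return printable runs from a binary blob, ASCII runs first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def find_hardcoded_credentials(blob: bytes) -> list[dict[str, str]]:
    """Return every connection string found in the blob together with its secret."""
    hits = []
    for s in printable_strings(blob):
        if not CONN_STRING.search(s):
            continue
        kv = SECRET_KV.search(s)
        hits.append({"string": s, "key": kv.group(1), "secret": kv.group(2)})
    return hits


if __name__ == "__main__":
    # On a real file you would pass open(path, "rb").read() instead of the sample.
    for hit in find_hardcoded_credentials(SAMPLE_BINARY):
        # Never echo a recovered secret in full when running this against real software.
        print(f"{hit['key']}={hit['secret'][:2]}... found in: {hit['string'][:40]}...")
```

Nothing here requires "a deep understanding of programming languages": the scan is the same one `strings` performs, and a connection string is recognisable by its keywords. The second problem the article describes, a credential that is identical for every installation, is independent of how it is recovered: once one copy of the software gives it up, it is valid against the shared server for everyone, which is why per-customer credentials with the secret kept server-side, not a better hiding place inside the binary, is the fix a practitioner would expect.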
Irrespective of what legally counts as "special security against unauthorized access" in Germany, the case is of particular interest to security researchers and IT experts because the accused, in his own view, acted in the public interest. Not least, the fact that the accused now faces a criminal trial could deter security researchers in this country from reporting security gaps to companies. So far, no date has been set for the hearing at the Jülich Local Court.