back to article IT consultant fined for daring to expose shoddy security

A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer …

  1. ldo

    Could be worse

    Imagine being prosecuted and fined, not for password hacking, but just for typing “../../../” into your browser’s address bar.

    1. Dinanziame Silver badge
      Happy

      Re: Could be worse

      This article says: As an IT security consultant, it will be a long time before Cuthbert's reputation is restored and it is possible he will never work in the industry again.

      However, it seems their current LinkedIn profile says "Experienced Senior Global Head of Cyber Security Research, skilled in Threat Intelligence"

    2. Anonymous Coward
      Anonymous Coward

      Re: Could be worse

      That's horrific! If that case is really legally sound (and I'm assuming it hasn't been appealed and overturned since the article on 2005) then the law needs to be changed as it's criminalising the wrong people.

      1. Filippo Silver badge

        Re: Could be worse

        I don't think the law was changed, but in nearly 20 years knowledge of basic IT has slowly spread through society, including judges and police. I don't think someone doing the same thing today would be convicted. Doesn't make the original case any less horrific, of course. It's equivalent to being charged for B&E after grabbing the doorknob of a locked shop, attempting to turn it without success, and then walking away. The current case is somewhat more debatable.

  2. heyrick Silver badge

    The problem is law is old and tech is new

    When non-nerdy judges meet people arguing over tech things, those mystical boxes of woo-woo that are never wrong (*), it can be hard for them to sort out who is culpable. If the guy had the password then clearly he took it from somewhere, right? The idea of dropping a file into an editor and reading a plaintext password built into it would be little more than gibberish.

    Maybe courts attending to tech matters should be obliged to demonstrate a prior level of understanding of the sorts of issues that could arise?

    * - one word: Horizon.

    1. Yorick Hunt Silver badge

      Re: The problem is law is old and tech is new

      Summarised perfectly by the astoundingly insightful Not the Nine O'Clock News team, all those years ago...

      https://youtu.be/9VgwxKW0J6I

      1. KittenHuffer Silver badge
        Happy

        Re: The problem is law is old and tech is new

        I knew exactly which clip that link was for. Still went for a view cos it still makes me laugh 40 years later!

      2. sabroni Silver badge
        Meh

        Re: Summarised perfectly

        Missing the point completely by the astoundingly popular Not the Nine O'Clock News team, all those years ago...

        If you understand how courts work you know that judges are required to ask these kinds of questions to make sure the jury understand what is going on.

        1. Yet Another Anonymous coward Silver badge

          Re: Summarised perfectly

          And because the case will be used as a precedent a centuries later. Or do we assume that all modern juries know who a musical hall star from 1830 was

        2. Roland6 Silver badge

          Re: Summarised perfectly

          > If you understand how courts work you know that judges are required to ask these kinds of questions to make sure the jury understand what is going on.

          That caveat makes it even more amusing!

          The topic of discussion is the presentation of three receipts, the judge totally fails to seek clarification as to what a “receipt” is, but seeks irrelevant details of what was purchased.

          In a real court case if the shop says Wile E. Coyote stole a case of “acme explosive tennis balls” and the receipt states it is for a case of “acme explosive tennis balls”, then it doesn’t actually matter what exactly an “explosive tennis ball” is.

        3. Anonymous Coward
          Anonymous Coward

          Re: Summarised perfectly

          "Video recorder? What on earth is a video recorder?"

        4. Plest Silver badge
          Facepalm

          Re: Summarised perfectly

          Jeez, missing a sense of humour more like, bet you're a good laugh down the pub on Friday lunchtimes! Lighten up FFS!

          NOTN is a comedy prog, satrical parody sometimes requires that you suspend your disbelief and just accept the comedy for what it is, basically stop overthinking it and just enjoy something funny, god knows we could all do with more laughs given the state of the world right now.

      3. Oh Matron!

        Re: The problem is law is old and tech is new

        I thought this was the Tory back bench for a moment!

        Great clip!

        1. WonkoTheSane
          Headmaster

          Re: The problem is law is old and tech is new

          You're thinking of Rik Mayall's "The New Statesman".

    2. Anonymous Coward
      Anonymous Coward

      Re: The problem is law is old and tech is new

      In that specific case, it doesn't seem to be a problem with the law, but rather with the judges themselves. Remember that the first decision was found in favor of the consultant.

      The second one is very unlikely to stand. Let's be patient and keep an eye on the evolution of the case. Hoping that ElReg will report again, even if the appeal decision is not shocking as this one is.

    3. Blazde Silver badge

      Re: The problem is law is old and tech is new

      The problem is geeky types like to find pedantic reasons why a password isn't a password but judges are wise and usually old, and the law older still, so they see straight though it. Nobody is not calling it a password because it is one, and a straightforward translation to bricks-and-mortar ethics says you don't have permission to go inside someone's house just because you find their front door key lying around outside for anyone to access. I'm not at all familiar with the interpretation and nuance of German law but a quick glance at the code in question says you shouldn't try to use passwords you know you don't have permission to use, regardless of how you came across them, and how tempting it is.

      It is harsh, and very arguably the company should be prosecuted for terrible security practice too, but you can see in an age where there's a legal responsibility to report data breaches an ethical hacker creating a data breach in many cases won't be that much less of a headache that a non-ethical one doing it.

      1. jmch Silver badge

        Re: The problem is law is old and tech is new

        "straightforward translation to bricks-and-mortar ethics"

        I pass by a warehouse where the key is stuck in the lock on the door outside. I open the door to go inside and shout "Hallo, anyone there? You left the key in the lock!!". What that would usually result in is a "Gosh, thanks, I forgot that" - not a police report for trespass, and certainly not even a prosecution let alone a conviction.

        1. Blazde Silver badge

          Re: The problem is law is old and tech is new

          "Hallo, anyone there"... No one is there. So you take it upon yourself to rummage through a filing cabinet containing 'extensive customer data from the online stores operated by Modern Solution's clients'.

          Is that okay? Or should a genuine security researcher be expected to know when to curb their curiosity?

          An only slightly generous reading of the law says he might have been okay if he'd connected to the database, thus confirming the password worked, and then immediately disconnected without even listing any tables etc. That would be closer to your scenario.

          1. claimed Silver badge

            Re: The problem is law is old and tech is new

            I’m not sure the article made it clear that’s what has happened. I just re read it. It’s possible the exe contained a password and a SQL statement, right. I can deduce what data is store if there is a list of columns and the client in the WHERE clause, without rummaging or connecting. Without reading the details (who has time for that?), it’s possible that this is the equivalent of finding a note with a door code and the locations of where the data is, then telling everyone how dumb that is, and being prosecuted for trespassing as a result.

            Probably connected, but what crime do I commit for typing a code into a door lock, “attempted entry”? If I don’t type it in but I verify there is a lock where the note says there is, is the crime just “knowing stuff” that I read off a note in a public area?

            The law needs to catch up, or come back, to the real world

          2. OhForF' Silver badge

            Re: The problem is law is old and tech is new

            >An only slightly generous reading of the law says he might have been okay if he'd connected to the database, thus confirming the password worked, and then immediately disconnected without even listing any tables etc.

            According to the german heise article the "hacker" was hired by a client of Modern Solution to solve a problem with one of the clients databases being swamped with log entries and when initially connecting to the Modern Solution database thought it was one owned and run by his client. Our "hacker" claims he immediately closed the connection when he figured he saw data belonging to not only his client but all Modern Solution clients.

            A more apt analogy is a service that destroys sensitive paper documents for his clients and hands clients a key to unlock a drop off point for documents to go to the shredder.

            One client hires a private eye to asses the security procedures and gives the key to the investigator who wants to check his clients drop off room but unlocks and opens the wrong door and discovers documents of a different client. When he reports the key seesm to unlock all clients drop off points should the service provider be able to sue him for industrial espionage?

            1. Blazde Silver badge

              Re: The problem is law is old and tech is new

              when initially connecting to the Modern Solution database thought it was one owned and run by his client

              My German is not good but Google Translate of the article implies he believed it was run *for* his client, not by his client. Clearly accessing passworded 3rd party systems is something a consultant needs to be careful about. Check with the client whether you have appropriate authorisation.

              Nevertheless if that's his defence then the case hinges on intent, not on whether or not an exceedingly poorly secured password counts as a password.

          3. Necrohamster Silver badge

            Re: The problem is law is old and tech is new

            Details like the precise moment when checking if anyone’s home turns into trespassing or burglary have been discussed to death in English case law (and German case law too no doubt)

            The title “researcher” doesn’t provide immunity from prosecution. Save the research for companies who’ve got a bug bounty or otherwise state publicly that they don’t mind people sticking their heads through the metaphorical window.

            1. doublelayer Silver badge

              Re: The problem is law is old and tech is new

              "Save the research for companies who’ve got a bug bounty or otherwise state publicly that they don’t mind people sticking their heads through the metaphorical window."

              And for everybody else, report anonymously and make it clear you'll go public after two months, then go public anonymously. The problem with this logic is that companies that have real problems try to hide them by saying that they didn't invite in the researchers, so it's an attack and the researcher should be punished. The people who suffer as a result are the users whose data or purchases were compromised by that, and somehow we're letting the company responsible off the hook if they don't invite it. Analogies to locks and doors are fine, but when the door that is wide open is in front of my data, the person who left the door open doesn't get to blame the person who found out, hopefully the first such person although there's no guarantee.

            2. Anonymous Coward
              Anonymous Coward

              Re: The problem is law is old and tech is new

              > Save the research for companies who’ve got a bug bounty or otherwise state publicly that they don’t mind people sticking their heads through the metaphorical window

              He was working for one of those - he was contracted in by one of Modern System's customers.

              I've actually had a similar (but thankfully, far less extreme) myself. Customer wanted to deploy an endpoint security system onto boxes that were in their network, but were controlled by us. I was asked to take a look at said software to see whether it was likely to cause issues.

              After installing it and watching network comms with Wireshark I spotted a particularly serious issue - leaving anyone using it potentially wide open to having their boxes pwned as a result of the vendor (a security company) having made an extremely fundamental mistake.

              I did the "right" thing - contacted the vendor of the software and reported the issue. The response: they threatened legal action. I was fortunate in that a bit of pushback put a stop to the threats, but people not looking for and reporting this stuff tends to leave innocent users to become collateral damage.

          4. M.V. Lipvig Silver badge

            Re: The problem is law is old and tech is new

            Yes, but no. Is the warehouse empty or full of goods? If it's empty, no issue, but if full of goods I would feel compelled to contact the building owner or, failing that, the police. The guy finding this open password can't see if it's a dead account (empty warehouse) or full of goods (customer data) without a rummage through the drawers.

        2. ovation1357

          Re: The problem is law is old and tech is new

          "straightforward translation to bricks-and-mortar ethics"

          If somebody burgles your house that's a crime regardless of whether they picked the lock or you left the key in the door.

          However I suspect in the case bricks and mortar the police wouldn't give you much sympathy if the criminal gained entry through your negligence. Your insurance might also not pay out.

          Whereas tech companies who metaphorically leave the key in their door usually get to publicly blame it all on the 'evil' hacker who attacked their reassuringly experience software. Their insurance(s) might even pay out in spite of their gross negligence.

          It's hardly a fair comparison

          1. david 12 Silver badge

            Re: The problem is law is old and tech is new

            However I suspect in the case bricks and mortar the police wouldn't give you much sympathy

            I suspect that in the case of bricks and mortar, the rule is "present without lawful excuse". If, as in this case, you were engaged in legitimate inspection of your employer's property, and while going through doors and down corridors found yourself in someone else's warehouse, then you've got a "lawful excuse" and no offense has been committed.

      2. Anonymous Coward
        Anonymous Coward

        Re: The problem is law is old and tech is new

        One would like to think that in similar cases that prosecution was not "in the public interest" but ....

      3. simonlb Silver badge

        Re: The problem is law is old and tech is new

        but a quick glance at the code in question says you shouldn't try to use passwords you know you don't have permission to use, regardless of how you came across them, and how tempting it is

        So the law is saying, 'Just because you can, doesn't mean you should.'

        But which is going to be worse in the long term?

        1. Someone finding and using that plain text password to access the systems and potentially steal information which would critically affect that companies reputation and possibly cost them a lot of money?

        2. Someone finding and using that plain text password to access the systems, recognising what has happened and going no further, and then telling that company they are doing their security wrong?

        There's a serious lack of common sense here.

        1. Blazde Silver badge

          Re: The problem is law is old and tech is new

          If you read the blog where the data was leaked it's clear there is an attempt to damage the company's reputation. It's not clear what the relationship between the security researcher and the blogger is, but you can kinda see where the paranoia about a competitor comes from or at least why that becomes a plausible smear the company then uses.

          I suspect it's more likely just typical hacker hubris ('Haha we pwned you but it's okay because as well as telling the world about it and sharing screenshots of customer info, we also emailed you how we did it"). Personally I'm all for giving professional-acting security researchers some leeway, ideally written into law (in the UK the public interest test is probably sufficient, except for the thorny issue of Post Office style private prosecutions), but clearly there has to be limits and where there are limits arrogant types will occasionally cross those limits.

          1. Anonymous Coward
            Facepalm

            Re: The problem is law is old and tech is new

            @Blazde: “If you read the blog where the data was leaked it's clear there is an attempt to damage the company's reputation.

            They did first tried to contact the company: “Modern Solution GmbH & Co. KG has been contacted but has not yet given any feedback.ref

            The blogger also had this to say:

            The data leak appears to have existed in this form for several years

            JTL does not seem to face is that every certified service partner is apparently allowed to offer interfaces and advertise them “semi-officially” without quality assurance processes. These missing review processes then lead to unacceptable risks for retailers.

            GDPR violations are not a trivial offense. The meaning and purpose of the GDPR can certainly be discussed, but there is a risk of a significant fine. Do not expose yourself to this risk, but consult a lawyer or your data protection officer.

      4. Necrohamster Silver badge

        Re: The problem is law is old and tech is new

        ”… a quick glance at the code in question says you shouldn't try to use passwords you know you don't have permission to use, regardless of how you came across them, and how tempting it is.”

        Precisely why those messages (that nobody ever reads) are displayed on login screens. If you get past one without authorisation, you risk being reported to the relevant authorities if or when someone notices

      5. Grogan Silver badge

        Re: The problem is law is old and tech is new

        That front door analogy again... it's not appropriately applied. I once had a district prosecutor as a computer customer trying to tell me that connecting to someone's open wifi was illegal. She too used the front door analogy. What was really ironic (and embarrassing for her) was that she was connected to someone else's wifi in another apartment, not her own! LOL!

        People THINK they make up the law, but they don't. That "front door" analogy is about the level of understanding of those judges. This conviction will not stand, especially after a previous court dismissed it.

        1. martinusher Silver badge

          Re: The problem is law is old and tech is new

          What she doesn't realize is that she's connected to everyone's WiFi within earshot of her device whether she's established a link or not. "Its the protocol, stupid!" Its difficult to get people's mind around the notion that 'radio' or 'wireless' doesn't mean the same thing as it did 50 or 100 years ago, people think that like then they have an exclusive frequency or channel or something that they get to use and is private and its illegal for anyone else to access it. This isn't how things work, and to use a century old analogy its the fact they're using a party line for their telephone rather than an exclusive line.

          I dispair when I read things like people who should know better condemning things like "Google slurping access point addresses". That's what stations do on a wireless network.

          1. OhForF' Silver badge
            FAIL

            People who should know better

            >I dispair when I read things like people who should know better condemning things like "Google slurping access point addresses". That's what stations do on a wireless network<

            A node on a wireless network keeping a list of connected devices and deleting that information when a device is no longer connected to allow the wireless network to work as designed is legitimate interest and fine. Google collecting that information to create a movement profile of my device without my permission is a problem (and illegal in the scope of GDPR).

      6. ovation1357

        Re: The problem is law is old and tech is new

        "the company should be prosecuted for terrible security practice too"

        Please name the law which prohibits terrible security practice.

        Obviously there's things like GDPR which can result in a company getting fined after a significant data breach but if that goes anywhere at all it's unlikely to result in much more than a financial penalty. What are the chances of anybody responsible for creating or selling software with terrible security actually being charged with a crime?

        I think this is half the trouble. There's no law (that I know of) against terrible software and companies continue to pump out stuff with little or no consideration for security.

        Yet an individual who finds one of these flaws is at serve risk of getting a criminal record even if they did nothing more than discover the problem and, rightly, report it to the vendor.

        Meanwhile organised criminals are remotely hacking these things, exploiting vulnerabilities, stealing data and blackmailing people from various shady corners of the planet and are often very unlikely to be caught.

        I definitely think there needs to be much more legal responsibility put on the vendors to ensure their code is secure and kept up to date - ironically to achieve that they'd probably need to hire hackers/pen-testers to prove it

      7. random internet moose

        Re: The problem is law is old and tech is new

        Oh, believe me, any security researcher fed up with people intelligent differently will not bother, just inform people who will happy to find good use of the information and will not drag him through courts.

        Just don't complain when they are Chinese or North Korean hackers. And, after all, he will not be *using* the password, so nothing on him.

    4. Doctor Syntax Silver badge

      Re: The problem is law is old and tech is new

      And regarding Horizon, just read what a judge is capable of understanding, at least is expert witnesses have provided evidence:

      https://www.judiciary.uk/wp-content/uploads/2022/07/bates-v-post-office-appendix-1-1.pdf

    5. Charlie Clark Silver badge

      Re: The problem is law is old and tech is new

      I think that this particular bit of the law is fairly new: it was revised a few years ago to make all hacking attempts illegal unless you have permission. This includes pen testing. :-(

      However, there have also been improvements on how companies are expected to protect data, especially "personally identifiable data" which the company has clearly breached. Provision has also been made for whistleblowers.

      I'd expect this decision to passed up the courts until some experts are involved: the company can't get away with this kind of incompetence. Whether they can sue for reputational damage is another matter but I suspect they'll be advised to settle to avoid making their own reputation for incompetence if not negligence even more widely known.

    6. Martin M

      Re: The problem is law is old and tech is new

      To add an even more Horizon-y feel to this, a browse of their website reveals that they provide ePOS software.

      It seems to connect up with their JTL-WAWI "cloud" solution with access via RDP (optionally via a VPN tunnel). They even promise to patch the Windows servers.

      I don't think anybody here will be able to think of any ways that this could all go horribly, horribly wrong.

      1. Anonymous Coward
        Anonymous Coward

        Re: The problem is law is old and tech is new

        they provide ePOS software

        Based on this incident, it seems like all the software they provide is likely a POS.

    7. martinusher Silver badge

      Re: The problem is law is old and tech is new

      The worse thing about plaintext passwords is that they're quite likely to end up verbatim somewhere in the program code. That is, anyone can read them, no source code, special permissions or editing needed.

      But then everyone knows that The Law (especially German law, it seems) is An Ass.

  3. Will Godfrey Silver badge
    Unhappy

    Not Surprised

    Remember folks, the first thing we do is shoot the messenger.

    1. elsergiovolador Silver badge

      Re: Not Surprised

      Twice, to be sure.

      1. omz13

        Re: Not Surprised

        Triple tap please

    2. Plest Silver badge
      Facepalm

      Re: Not Surprised

      We certainly do if the message is likely to embarass anyone wealthy or with any modicum of power. Can't have we plebs getting above our station now can we!

  4. claimed Silver badge

    I feel like the word “reasonable” needs to get into these laws. Is it reasonable for me to be able to type admin/admin on my ISP page to make sure they’re not fucking idiots and my data is safe (ish)? I think so. Does it constitute hacking to go down to my local council office and walk in the front door without an appointment? No. It’s not breaking and entering if all I have to do is push the door open, that’s a failure of the institution to secure the important public assets.

    Where we draw the line on reasonable, is what judges are for, but we can’t just have: you were not authorized therefore you’re a criminal. If I didn’t see any indication of security that would prevent me from walking in, how was I to know I wasn’t allowed? If there is a note by the door that says “door code is 1111”, I mean, I just think a receptionist has left that there as they can’t be assed to open the door. You’re telling me I’m not allowed to read a note and make a reasonable interpretation?

    If I found a text password in a dodgy exe, who’s to say I can’t save myself a heap of trouble and just bypass that exe to get *my* data without all the trouble? If I didn’t know the origin of the exe, I could well assume it was built specifically for the client who’s brought me in to make it work (get the data)!

    What constitutes a password, by the definition of the law? admin/admin is secure then? or would the judge call me a criminal for that specialist hacking knowledge?

    1. Lipdorn

      Bit different from walking into a building. I think one can reasonable expect the local community to adhere to the principle that they shouldn't enter unauthorized areas. One can also, obviously, apprehend and prosecute such people easier if they're in your jurisdiction.

      With the internet you are exposed to all walks of life. Including those from enemy countries over whom you might have no jurisdiction. Not like anyone can do much about North Korean hackers. In this case, one should reward people that identify vulnerabilities in your systems (assuming they did not exploit those vulnerabilities).

      In my opinion, this is how one can identify companies that actually care about security and those that just do the bare minimum required by law.

      1. Blazde Silver badge

        assuming they did not exploit those vulnerabilities

        He did that though, that was his mistake.

        1. Doctor Syntax Silver badge

          Define exploit. On first discovery it wouldn't be possible to know whether the password was a bit of stale code from a test environment as opposed to being live. The only way to determine that is to check that there's what looks like viable data at the end of it. We're not told whether he made a copy of it. We're not told that he used it for gain (other, perhaps, than doing his job and warning his client that their supplier was insecure). I find it difficult to call that exploitation.

    2. Doctor Syntax Silver badge

      From what I read into TFA the first court appears to have taken the reasonable approach and dismissed the case. Having a superior court toss it back at them sounds a lot like double jeopardy which has long been held to be unacceptable in English law. Although there are now exceptions where fresh evidence is available there doesn't seem to be any in this case. Does the prosecution get to appeal verdicts in Germany?

      1. Mike 137 Silver badge

        "double jeopardy which has long been held to be unacceptable in English law"

        Actually, in the UK cases can be re-opened after aquittal if significant new evidence is discovered. This occurs not infrequently in respect of major offiences.

        1. VicMortimer Silver badge

          Re: "double jeopardy which has long been held to be unacceptable in English law"

          That particular nasty flaw in the English legal system is why protection against it was written into the US constitution.

          1. ragnar

            Re: "double jeopardy which has long been held to be unacceptable in English law"

            > That particular nasty flaw in the English legal system is why protection against it was written into the US constitution.

            No it isn't.

            The US constitution was written centuries before this 'particular nasty flaw' was introduced into the English legal system, in the Criminal Justice Act 2003.

      2. doublelayer Silver badge

        Cases can also be raised again if the original court is believed to have erred when dropping it. Double jeopardy more often refers to being found innocent by a trial then tried again, because an acquittal is considered more indicative than a dismissal. Even in that case, the case can be brought again if new evidence is discovered, though that evidence will be subject to scrutiny. If the court dismissed before a trial, someone can point out problems with that action and have that decision reviewed and possibly reversed.

      3. Brewster's Angle Grinder Silver badge

        In English courts, that wouldn't be double-jeopardy but the normal appeals process. The superior will have told the junior court in made "an error in law", and sent the case back to reevaluate the facts using the "correct law" as determined by the superior court.

  5. Anonymous Anti-ANC South African Coward Silver badge

    This reminds me of the "Johannesburg job" - city of Johannesburg's billing system had a flaw (URL manipulation) which was not fixed even when reported.

    Chap who discovered it, went public with the knowledge, and a whole host of curious types visited the CoJ website and had a shufty at the URL manipulation thing. In desperation CoJ shut the webserver down.

    City threatened with legal and court action, but nothing came of it.

    But they fixed the vulnerability.

    Seems like security consultants now have to toss a coin and decide on whether to report a vulnerability and risk getting taken to court, or keep quiet about it and hope it never get abused...

    1. Pascal Monett Silver badge

      Well it certainly seems that security consultants in Germany will need a signed contract from their client giving them permission to do a security review of their website.

      Given how Modern Solution reacted in a very Dark Ages way, I doubt that that would happen.

      So the solution is triple the fines for companies who shoot the messenger, then get their databases hacked by some miscreant.

    2. elsergiovolador Silver badge

      or keep quiet about it and hope it never get abused...

      Or sell it on dark web.

  6. This post has been deleted by its author

    1. Pascal Monett Silver badge

      The higher court looked again, but forgot to ask the right questions.

      I sincerely hope that the appeal will succeed, that Modern Solutions will be found guilty of negligence and fined for all court costs and an indemnity for abusing the hacker's good faith.

  7. peteC7x

    Wait, what?

    Screw them then. Next time just post the damn thing somewhere and let them get screwed. This is what happens when good people try to the right thing. No more mr nice guy!

    1. Plest Silver badge
      Facepalm

      Re: Wait, what?

      Not familiar with the phrase "Damned if you do, damned if you don't."?

      - Come clean privately, you get sued for coming clean pirvately!

      - Broadcast it, you get sued for broadcasting it!

      - Do nothing, you get sued for doing nothing and saying nothing!

      You can't win 'cos the game is rigged by those with something to hide, usually their embarassment if anyone finds out about how bloody incompetant they are.

      1. random internet moose

        Re: Wait, what?

        Hmmm, who would.know you knew, and

        - who would know you said anything, esp. to some hackers?

        - who would know you did nothing?

        You don't need to broadcast a password. A position of it, at most. Working for IT security you'd know how to do it so you wouldn't be tracked.

  8. Michael H.F. Wilkinson Silver badge

    Modern Solutions?

    Modern Screw-up, more likely. They can hardly claim blaming the messenger is modern, after all

  9. Anonymous Coward
    Anonymous Coward

    Payroll PI

    I was once tasked with testing a new payroll system module.

    To do this I needed an anonymised copy of the database. This was usually an approved test version that was full of fake names, etc.

    Instead, they loaded a copy of the actual database, all staff and all execs, plus performance bonuses and addresses…

    Yes I looked, of course I did. Just to make sure it was genuine.

    Project Manager couldn’t understand why I then refused to test on it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Payroll PI

      Should have reduced their pay in the test base...

    2. Eclectic Man Silver badge
      Meh

      Re: Payroll PI

      You missed a trick there.

      When my German grandfather in WW1 was appropriated by a General to look after his horse (the general was visiting the trenches to boost morale) he was transferred to work for an officer in an office. As the officer would sign any document grandpa put in front of him, he immediately sent all of his friends fortnight leave passes, active immediately on receipt.

      (Grandpa won an iron Cross, 2nd class, in WW1, but did not get on with the NAZIs, managed to leave Germany in April 1939, joined the British Army and was wounded fighting in France.)

      1. eionmac

        Re: Payroll PI

        Assuming he had British war medals after the war, I assume he put both the German and British war medals on when he was on 'display parade' duty.

        I once read an article about a Finn who has 'carried a rifle' for the Russian Czar, Finland and Germany which was possible because of the dates he served.

      2. xyz123 Silver badge

        Re: Payroll PI

        Grandson, I fought in WW1 and was wounded fighting in France.

        When was this grandpa? 1917 and 1968 cause I can't stand Frenchmen.

    3. Anonymous Coward
      Anonymous Coward

      Re: Payroll PI

      Ditto. Many moons ago we were testing a new backup/restore system for DR. The backup work and the restore worked well, a little too well. During test restores it stripped all the privs off files and exposed all the HR/finance Excel sheets.

      I refused to look as I knew full well if HR find out you looked at classified info without cleareance, you'd get shot! Two other people didn't, a manager overheard them down the pub bragging they'd seen the info and knew what people's salaries were and last time they were seen was being escorted from the building that afternoon.

      Back in the early 1990s worked in one place where we had to actually fly into a country to look at the data in a database if there was a problem. If anyone outside the country's borders was to see the data they'd instantly be sacked. So if any work was needed on the DB that involved risk of seeing data, onto a plane and a week's stay at a 5 star as it was cheaper than the regulartory fines we would have got. DBAs were allowed to manage the DB and system remotely but never to login to the DB other than as a specific backup/restore admin account.

      1. Anonymous Anti-ANC South African Coward Silver badge

        Re: Payroll PI

        As sysadmin I have permissions to go all over the network.

        Including the HR folder.

        But I do not, because foreknowledge is an ugly thing. So I just leave the HR folder well off-limits to myself, and keep well away from it, unless I'm requested to recover deleted files etc...

        It really is not worth it perusing the data in that folder, you may see something which may trigger you...

        Nah. Nope.

    4. xyz123 Silver badge

      Re: Payroll PI

      I appear to have amended and accidentally tripled all my buddies salaries and uploaded the test database over the top of the live version.....oopsie! silly me

  10. This post has been deleted by its author

  11. Mike 137 Silver badge

    "fined for daring to expose shoddy security"

    I've had the odd contract "not renewed" after pointing out some fundamental security issue to the client as a result of actually being asked to investigate their security. Maybe they believe what you don't know can't harm you (or is it just face saving?).

    1. Eclectic Man Silver badge

      Re: "fined for daring to expose shoddy security"

      Maybe someone already knew about it, had signed it off as not being important and you embarrassed them bu pointing out how important it was?

    2. Alan Brown Silver badge

      Re: "fined for daring to expose shoddy security"

      Which is more or less what happened to the outfit who were hired to audit Horizon

  12. Tron Silver badge

    Horizont.

    No different to the UK's Horizon scandal. The courts cheerfully persecuted people and found them guilty of things they were innocent of.

    An important lesson for wannabe 'ethical hackers'. They don't want to know. And if you cost them money telling them they will come after you. So unless they are explicitly offering a bug bounty, don't bother. Pat yourself on the head for finding it, add it to your CV, but don't try to be helpful, or you will get screwed over by rich people in suits and their lawyers. That's how the world works.

    1. Zippy´s Sausage Factory
      Unhappy

      Re: Horizont.

      "That's how the world works"

      To the delight of Russian, Iranian and North Korean hackers, no doubt, who will currently be doing the happy dance because the German courts just gave them a lovely big fat gift wrapped present.

  13. hayzoos

    Has anybody considered...

    An "UN-ethical hacker" had already found the "password" and accessed all the data. Given the company is a service provider to other businesses, all those companies would have then suffered a data breach. Considering the case is being heard in Germany, it would be safe to assume that large numbers of this company's business customers are European based or serving Europeans therefore falling under the GDPR.

    This case would make an excellent distraction to such an event.

    I think Modern Solutions should either provide proof of no massive data breach or face the consequences and unfortunately their business customers would have to face them as well.

  14. Marty McFly Silver badge
    Mushroom

    Lesson learned!

    Expose the problem, and face legal issues. Not an atta-boy. Not a bonus. Not even a Thank You. Next time... Dark web and here is my cryptocurrency address to the highest bidder.

    Snarky attitude aside, this type of vindictive approach will drive the wrong behavior in the future.

  15. J.G.Harston Silver badge

    Clearly, plain-text editors must be banned.

    1. Anonymous Coward
      Anonymous Coward

      Fuckin A, then throw the techies in jail for using encryption. Fucking techies and their technology coming along and making pitchforks and medieval mobs look old fashioned. They should all be subjected to witch trials immediately. Burn them, burn them all...send them back to /dev/null! /s

      It's no wonder a lot of us are excited about getting the old cloak and scythe out to automate wankers out of jobs with AI. We can train AI to not sue us, arrest us, ban us and call us bastards.

      If someone asks me to automate a job, and that job is occupied by a twat...I will enthusiastically say "hell yeah" and ensure I bring it in under budget.

      Kids, be nice to your techies. They have tools, time and they're only a small budget away from investigating how much of your role they can automate...if you treat your techies like shit, you're the one getting your door kicked in by a techie wearing a grim reaper outfit blasting Ghost - Year Zero as he enters your cubicle banging out some phat AI generated scripts.

  16. OllieJones

    This is why lots of people think "software engineer" and "wise judge" are oxymorons.

    You can find all kinds of stuff on the net about NOT opening up port 3306 (MySQL) through firewalls. Enough stuff so you'd think German engineers would have built classy security around credentials if they had a requirement to open it up, WTF? WTF? Embedded plaintext in a downloadable Windows executable? What is this year, 1995?

    And you'd think the German justice system would have access to enough expertise to cope with this kind of screwup in a rational way.

    Guess not. How do you spell "WTF" auf Deutsch?

    1. Anonymous Coward
      Anonymous Coward

      Re: This is why lots of people think "software engineer" and "wise judge" are oxymorons.

      That would be WDF.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is why lots of people think "software engineer" and "wise judge" are oxymorons.

        I knew a dyslexic carpenter once...oh fuck it, can't be arsed.

  17. david 12 Silver badge

    Who's prosecuting?

    It's all very well to blame the judges for bad decisions, but there is a prosecutor investigating the case, and somebody lodged the appeal.

  18. Anonymous Coward
    Anonymous Coward

    This...

    ...is why I don't do unsolicited cybersecurity disclosures. Ever.

    I've found a bug similar to this before in what was a widely used medical practice package. It was written in an archaic language (VB) and used MSSQL as a backend. I was at an event watching the software being demonstrated and the presenter showed the URL for the dashboard login and was banging on about security. So, since the talk was boring, I decided to test out the login...it was vulnerable to the old OR 1=1 and as a result, you could access the admin dash and view whatever you like, change any password etc etc...I stayed behind after the talk to make him aware of the bug (he was a sales guy not the lead techie or something)...he was grateful for the disclosure, I explained my background, 20 years in tech, self taught etc etc. I told him I could help fix it they wanted me to and I gave him my number if he wanted to contact me. I told him I wouldn't disclose the bug publically and I never have.

    Rock on a week and I had some angry douchebag on the phone who introduced himself as the lead developer and co-owner of the business. I sat through a 30 minute tirade including highlights such as "How dare you", "Do you know who I am?", "I should sue you" etc etc etc...turns out the guy had a PhD from somewhere and upon the sales guy explaining the bug to the other directors, this guy was made to look like a complete knob. I got a phone call about an hour later from the sales guy apologising for the dude being an asshole and he offered to pay me to come in and work with the other guy to fix the bug. Obviously, I turned down the offer due to the other bellend being a complete and utter one.

    I did eventually go for a meeting with these guys, at which point the PhD resigned and stormed out...because I think he was forced to sit in on that meeting and I was asked to disclose other bugs I may have found...and they were quite numerous...I could see from his demeanor that he was extremely uncomfortable and probably wanted to kick ten bells of shit out of me. He did wait in the car park for me just to call me a "fucking arsehole" and point out that he'd worked for "years on that solution, it was part of his thesis, I've been at this business for 10 years" and reiterating that "I have a PhD, it's impossible for those bugs to exist without you putting them there, I'd have known about them".

    After he'd left and the meeting was done, I didn't hear from these guys for ages...but they eventually called me up and told me that he'd officially quit but they had a problem. The only copy of the codebase that existed was on his PC and they didn't know his password...so my final act was to reset the guys Windows password and rescue the code for them...which resulted in another call from the guy when he heard about telling me to "fuck off, just fuck off".

    The business eventually sold up and the package was discontinued. It was absorbed into another software platform.

    It could have been worse than just insults and a maniac phoning me up at random, but still.

    Never again.

  19. FuzzyTheBear
    Holmes

    Security optional

    I worked in A/V and telecom all my life. I was in the boardroom of a very important corporation installing wireless mics etc .. all for the convenience of the client.

    Well .. This is a place where very important financial decisions are taken

    At some point they introduce me to the chief of security and i simply told him what was the truth

    You can take a small reciever and listen in from the other building what goes on in the boardroom.

    He was like , " huh ? "

    I took my laptop , my SDR dongle and an antenna and made the demonstration ..

    He was without words.

    My boss didn't like me one bit on the spot , but they did sell them wired replacement microphones. :D

    1. Anonymous Coward
      Anonymous Coward

      Re: Security optional

      I did something similar when patched Digital PBX systems were a thing (before VOIP), with nothing but a netbook and wireshark...it's even scarier when you show the brass that anyone internally can listen in on anything...never mind external threats.

      I didn't tell them the various security problems for ages...I had a lot of fun before I disclosed the problem. My favourite gag was interfering with my managers phone on cold, wet days...his default behaviour was to treat any phone call as earth shatteringly important...99% of his calls were not...anyway, his default fallback was taking his phone upstairs and outside (we were located in a basement office and therefore had no mobile signal)...so if his call quality was cack (crackling, dropping out etc etc) he'd put the call on hold, run upstairs then outside, dial in and take over the call from his mobile.

      My second favourite prank was injecting background audio into his audio so that he sounded like he was in a supermarket, a busy docks, tube station, people shouting at each other, dogs fighting, foxes shagging etc etc...he couldn't hear it, but everyone else could.

      When he went on holiday once, me and a colleague changed his voicemail message to instead of mentioning that he was on annual leave, it mentioned that he was taking two weeks off for gender reassignment surgery...for weeks customers would phone up and tell him how brave he is...he thought they were talking about the holiday he just had, he spent a week camping in a jungle somewhere.

      Customer: Hey, I just want to start by saying I think you're incredibly brave.

      Him: Brave? Oh yeah...my recent leave. It was tough to begin with, but after a few days you get used to it.

      Customer: How did your wife take it all?

      Him: Well, it was tough for her for a while...she wasn't sure it was for her, but she got into in the end, turns out she enjoys it.

      Customer: Good for her! And the kids?

      Him: Well they weren't keen on it, but they're grown up now! It was just me and the wife really.

      Customer: The kids weren't on board then?

      Him: It's not really their thing to be fair...maybe one day they'll come around to the idea.

      We were in stitches.

  20. xyz123 Silver badge

    Congratulations Modern Solutions on your "win".

    You now have ZERO researchers willing to tell you about vulnerabilities and as a bonus you made 10s of thousands of enemies, as well as alerting rogue actors in Russia/China/Iran etc that you DO NOT ABSOLUTELY EVER want anyone to tell you that you're vulnerable or even already under attack from a rogue state.

    You is gonna get Pwned.

    1. Anonymous Anti-ANC South African Coward Silver badge
      Trollface

      You is gonna get Pwned.

      You is gonna get Pwned.

      Any bets on how long this will take?

  21. Anonymous Coward
    Anonymous Coward

    Reading this brought to mind Rob Dyke and Apperta. Another dev sued for trying to do the right thing. https://www.theregister.com/2021/05/14/apperta_rob_dyke_disclosure_brouhaha/

  22. po

    Why?

    You have to wonder why Modern Solution GmbH would bring a suit that would inevitably draw wider attention to its sloppy security. There's no financial gain, a potential loss and the reputation damage is probably significant. The only explanation is pique, an attempt to silence critics in general, but that will also backfire if it puts a target on their back.

    1. doublelayer Silver badge

      Re: Why?

      Generally it's someone who doesn't understand technology trying to either prevent damage or sincerely being deluded. Some people really don't understand what is an attack and what is a bug report. I'd like them not to exist because it should be obvious, but unfortunately, some people just don't get it. The other category is trying to avoid having to do any expensive work to redesign the system. They think that the bug is so obscure that nobody else will find it, and surely nobody has used it yet, so if they can get this reporter to shut up, then they don't have to fix it and don't suffer any damage. As they see it, if they fix the problem, they'll have spent time and money they don't want to and the reporter will publish the report because it's safe, and if they do nothing then the reporter will publish and they'll get the reputational damage, but if they can muzzle the reporter then they can stop. A threat is their attempt to keep things quiet, often keeping them from having to fix their problem as well.

      When they try it and it doesn't work, they find themselves in a vindictive mood and follow through on their threats to make the reporter pay. It's happened that way numerous times and will continue to for a long time. There's a reason why I tend to be worried whenever I find a vulnerability, because I've experienced this before. I've never been sued or prosecuted, but I have gotten some unhappy notes with low-end threats on occasion. The one pattern I've identified is that, if they responded that way and I didn't push back, the bug is still there today.

  23. jonfr

    This is always the fault of the company

    This is always fault of the company. They didn't keep their security in order. Getting this in front of a court the do a lot of victim blaming is ridicules, but that is what happens when highly incompetent people run the show. I hope this man wins this case on appeal. Because he was working for them and troubleshooting their software systems. That includes security.

    I also promptly expect this company to bankrupt because of incompetence being shown there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like