lionkor 2 hours ago

Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)?

For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.

zelphirkalt 2 hours ago | parent | next [-]

In Germany we have the completely wrong mindset for such things. Instead of being grateful, all we care about is "whose fault is it" and CYA tactics. And no one wants to be "guilty" or have their incompetence revealed, so suits will do anything they can to avoid that. Something serious needs to go wrong first, so that loss of face already happens, before anyone will move. Maybe we need to get hacked by Russia a few more times.

CalRobert 2 hours ago | parent | next [-]

How is the home of the Chaos Computer Club so bad at this....

rf15 an hour ago | parent [-]

It is only this degree of malice and incompetence that can give rise to something like the CCC.

Kirth 3 minutes ago | parent [-]

Yeah it does feel like much tech competence that sprouts in Germany is either sequestered off and penned in, and/or leaves the country.

WesolyKubeczek 8 minutes ago | parent | prev [-]

You still have quite enough people in high places who are direct or indirect beneficiaries of companies that are either Russian or tied to Russia, so nothing will ever happen even then.

fossislife an hour ago | parent | prev | next [-]

As a German I fear the only way I can see one of our government agencies reacting to an external pentesting report is if you threatened to release data from it anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.

tetha an hour ago | parent | prev | next [-]

Yeah.

And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.

But we're at a point where a court had to decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to the lack of a security boundary like authorization.

That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.

sigmoid10 2 hours ago | parent | prev [-]

To be fair, most of this stuff could be found with any normal browser. You don't even need browser dev tools. But if you write a simple script to automate any of this... yeah. They can totally get you for doing that. Probably one of the best examples of why politicians should not be allowed to pass technical laws they fundamentally can't grasp.

lionkor 2 hours ago | parent [-]

Visiting an admin page is fine, yeah, but even just trying a default password, or having specific cookies set in the browser that look like an attempt to gain access, already clearly violates § 202a and you could be prosecuted, from how I read that law's text.

And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.