German programmer fined 24,000 yuan for reporting vulnerability

The Jülich District Court in Germany recently announced its verdict: a programmer was convicted under the so-called hacking clause, Section 202a of the German Criminal Code (StGB), for unauthorized access to third-party computer systems and spying on data. He was fined 3,000 euros (approximately 23,500 yuan) and must bear all legal costs.

In June 2021, the researcher, named Hendrik H., was troubleshooting software problems for a customer of the IT services company Modern Solution GmbH when he discovered that Modern Solution's code connected to a MariaDB database server through MySQL. The password for the remote server was stored in plain text in the program file MSConnect.exe: anyone could open the file in a simple text editor, view its contents and find the unencrypted, hardcoded password.

Because the password was so readily available, anyone could log in to the remote server and access not only the data of Modern Solution's customers but also the data of all of the vendor's customers stored on that database server. In total, the exposed database held nearly 700,000 customer records, including names, email addresses, phone numbers, banking information, passwords, and conversation and call logs.
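As an added illustration (not code from the case, from Modern Solution or from the researcher), the following Python check shows the class of defect described above and how a release pipeline can catch it before an executable ships: a constructed stand-in for a client binary with a connection string, password included, embedded as a plain-text literal, beside a hardened build that carries no secret at all. Every host, user name and password below is a placeholder.

```python
import re
from typing import List

# Constructed stand-in for a compiled client binary: a few opaque machine-code
# bytes with a database connection string embedded as a plain-text literal.
# Host, user and password are placeholders, not values from the case.
VULNERABLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"Server=db.example.invalid;Port=3306;Database=shop;"
    b"Uid=app_user;Pwd=Sup3rSecret!;\x00\x00\x00"
    b"\x55\x8b\xec\x83\xec\x40\x53\x56\x57\x00"
    b"mariadb://app_user:Sup3rSecret!@db.example.invalid:3306/shop\x00"
)

# Hardened build (constructed): the binary carries only the name of the setting
# it expects to receive at runtime from a secret store or environment, never
# the secret itself, so reading the file reveals nothing usable.
HARDENED_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"DB_CONNECTION_FROM_ENV\x00\x55\x8b\xec\x83\xec\x40\x53\x56\x57\x00"
)

# Runs of printable ASCII: exactly what a text editor or `strings` would show.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Credential shapes in connection strings (key=value) and database URIs.
CREDENTIAL_PATTERNS = [
    re.compile(rb"(?i)\b(pwd|password|passwd)\s*=\s*[^;\s]+"),
    re.compile(rb"(?i)\b(mysql|mariadb|postgres)://[^:/\s]+:[^@\s]+@"),
]

def extract_strings(blob: bytes) -> List[bytes]:
    """Return every printable run of at least 8 bytes found in the artifact."""
    return PRINTABLE_RUN.findall(blob)

def find_embedded_credentials(blob: bytes) -> List[str]:
    """Return the credential key names or URI schemes found in the artifact.

    Only the key ("pwd") or scheme ("mariadb") is reported, never the secret
    value, so the check's own output does not become another copy of it.
    """
    findings = []
    for run in extract_strings(blob):
        for pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(run):
                findings.append(match.group(1).decode("ascii").lower())
    return findings

def release_gate(blob: bytes) -> bool:
    """True when the artifact may ship: no credential embedded in plain text."""
    return not find_embedded_credentials(blob)
```

Run as a build step, the gate blocks the vulnerable artifact on the `Pwd=` literal and the `mariadb://user:password@` URI while letting the hardened build through.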

After discovering the vulnerability, the programmer, with the help of technology blogger Mark Steier, contacted the company, which fixed the security vulnerability and then called the police to hold the programmer accountable. In September 2021, German police seized Hendrik H.'s computer after Modern Solution accused him of having obtained the password through insider information and claimed that he was a competitor.

In June 2023, the Jülich District Court in Germany ruled in favor of Hendrik H. on the grounds that Modern Solution's software was poorly protected. However, the Aachen District Court overturned that ruling and ordered the Jülich District Court to hear the case again. On January 17, 2024, the Jülich District Court finally sentenced Hendrik H. to a fine and ordered him to pay the legal costs.

This judgment inevitably caused controversy among a large number of network security experts and researchers. Steier posted that the ruling was fundamentally wrong: "Passwords kept in almost plain text form do not constitute 'special security' as required by Section 202. It is understandable that a judge would not be able to judge this, but then one would have to listen to experts on the issue. Unfortunately, that didn't happen."

However, the judgment is not yet legally binding. The defendant's lawyer argued that, even if the court found him guilty, his client had acted in the public interest. The accused programmer announced on January 19 that he was appealing the verdict.

Source: www.oschina.net/news/276369/germany-programmer-fined-security