PU 5: The Modern Solution Case
The story of an IT consultant turned unwitting security researcher, who found a security vulnerability, reported it to the software vendor and instead of getting a reward got prosecuted for hacking.
Hendrik Heinle, a German IT consultant who got convicted of the crime of reporting a security vulnerability to a software vendor (Tagesthemen / ARD)
This week on PUNCHING UPWARDS: When a programmer found a security vulnerability in e-commerce software by the German company Modern Solution and reported it to them, they didn’t thank him. They reported him to the police. His house was raided, his electronics were seized and he was thrust into a multi-year legal battle that ended with him being convicted of malicious hacking. He narrowly avoided up to three years in prison and had to pay a hefty fine. Even an appeal to the Constitutional Court failed.
This story illustrates how abysmal Germany’s legal system treats people who want to help make software secure. When those who want to make society better get penalised, we all lose. What we will get is a very dangerous society. One that in its everyday processes depends on software that is fundamentally flawed. We can only hope that other countries will learn from this example and avoid passing stupid laws and having them enforced by uninformed judges.
Sources:
- Tagesthemen report featuring Hendrik Heinle
- heise online — Datenleck bei Modern Solution: Sicherheitslücke betrifft rund 700.000 Käufer
- heise online — Datenleck bei Modern Solution: Hausdurchsuchung statt Bug Bounty
- heise online — Kommentar zu Modern Solution: Der Staat darf kein Handlanger von Stümpern sein
- heise online — Datenleck: Anzeige gegen IT-Experte kam von Modern Solution
- heise online — Modern Solution: Staatsanwaltschaft scheitert mit Anklage gegen IT-Experten
- heise online — Modern Solution: Jetzt doch Strafverfahren gegen Sicherheitsforscher
- heise online — Gericht sieht Nutzung von Klartext-Passwörtern als Hacken an
- heise online — Kommentar zu Modern Solution: Der Hackerparagraf muss endlich weg!
- heise online — Modern Solution: Berufungsgericht bestätigt Schuld des Sicherheitsforschers
- heise online — Kommentar zu Modern Solution: Wer gemeinnützig handelt, wird bestraft
- heise online — Modern Solution: Verurteilter IT-Experte reicht Verfassungsbeschwerde ein
- heise online — Bundesverfassungsgericht lehnt Beschwerde im Fall Modern Solution ab
- Legal texts: § 202a, § 202b, § 202c StGB
The theme music for the podcast is a track called Fight or Fall by Def Lev. Find out more about the show at fab.industries/podcast — new media, new rules!