[MeImCounting]

Why? How is that relevant? Isnt it well established that open source security research is the number one way to have a secure app/ecosystem? Why should tooling be kept secret when another team can potentially find more exploits using these/similar techniques?

[radlad]

> The sole possession of hardware, software or other tools that can be used to commit cybercrime can constitute a criminal offence according to Sec. 202c of the German Criminal Code.

https://iclg.com/practice-areas/cybersecurity-laws-and-regul...

[mlinhares]

We'd all be arrested in Germany then as we all have computers with compilers installed on them.

[mschuster91]

Well that is kinda the point of these vague laws. Just like they eventually nailed Al Capone with taxes in the US - if you can't hit someone directly, you can hit them with the "three felonies a day".

I'm German... our politicians, at least most of them are a bunch of pathologically technologically incompetent buffoons. A lot of that was masked during the Merkel era because she herself was a literal nuclear physics doctorate, but now that she's gone, it's painfully obvious what's going on.

[yorwba]

Except §202c StGB https://www.gesetze-im-internet.de/englisch_stgb/englisch_st... isn't actually vague. The simple reason it doesn't outlaw compilers is that compilers aren't built for the purpose of giving unauthorized access to other people's data, even though they can help achieve that aim.

It's similar to how weapons designed to be used against people are regulated differently from tools that merely happen to be usable as weapons.

In the concrete case of sharing tools to explore the attack surface of KakaoTalk, this is not a crime under §202c StGB as long as you do not intend them to be used to hack accounts you do not own.

[mlinhares]

Good luck proving you have an exploit in your machine but you _do not intend_ to use it to hack accounts to a judge.

[yorwba]

The burden of proof is supposed to be the other way around, as presumption of innocence is a thing in Germany (Unschuldsvermutung).

Good luck to the prosecution trying to prove that you did intend to hack other people's accounts when you can point to this blog post where the author demonstrates hacking their own account and reports the vulnerability to get it fixed.

I think people who get convicted of one of the "preparation to commit a crime" crimes mostly:

1. fail to come up with any alternative explanation for their behavior

2. put their plans in writing or told someone about their intentions

[tptacek]

That is not in fact well-established at all, though as someone who came up through vuln research I expect we have similar takes on the public policy of vuln and exploit disclosure.