[lionkor]

Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)?

For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.

[zelphirkalt]

In Germany we have the completely wrong mindset for such things. Instead of being grateful, all we care about is "whose fault is it" and CYA tactics. And no one wants to be "guilty" or have their incompetence revealed, so suits will do anything they can to avoid that. Somethings serious needs to go wrong first, so that loss of face already happens, before anyone will move. Maybe we need to get hacked by Russia a few more times.

[CalRobert]

How is the home of chaos computer club so bad at this....

[rf15]

It is only this degree of malice and incompetence that can give rise to something like the CCC.

[Kirth]

Yeah it does feel like much tech competence that sprouts in Germany is either sequestered off and penned in, and/or leaves the country.

[dmichulke]

There is a kind of naiveté, also at EU level, where people think that once it's a law, bad actors will just fold.

They minds are somehow unable to comprehend that only the good actors will fold and only bad actors will be left.

Other examples are: Firearms possession, supply chain law regarding human rights and child labor.

[CalRobert]

I was really excited for GDPR until I realized Europe had no intention of actually enforcing it :-(

[abc123abc123]

Actually, southern europe seems to have understood that it can be quite a good business fining US megacorps billions and billions. Northern european countries do very little except symbolic wrist slapping.

[CalRobert]

Sure, but there were other provisions like machine-readability of exported data, etc. that could have been really helpful. I should be able to do a one-click export of my Spotify playlists and favourites (the music I like is personal info in my view) in to Qobuz, for instance.

"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided"

https://gdpr-library.com/article/20

[WesolyKubeczek]

You still have quite enough people in high places who are direct or indirect beneficiaries of companies that are either Russian or tied to Russia, so nothing will ever happen even then.

[tetha]

Yeah.

And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.

But we're at a point where a court had do decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.

That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.

[mapontosevenths]

The mere act of scanning for vulnerability often causes outages.

I once ran a vulnerability scan at an industrial company that completely disabled their employees ability to clock in and out. I didnt believe it had anything to do with my scanner at first, but it ran on a schedule and the scanners schedule matched their outages eaxctly.

Eventually it turned out the timecard system had these IOT badge readers with a poorly written tcp stack. It would ACK every SYN, and worse the half open connections never closed, so during a port scan every port was left open until it exhausted the memory on the little buggers.

My point is... you cant know in advance what damage you'll do with this sort of testing. That's kind of the entire reason we have to actually perform the real world tests instead of assuming or emulating them.

It's also the reason that real world scanning without authorization is probably already a crime in most jurisdictions, whether it's enforced or not.

[tetha]

But in a perfect world, the question would be: Is it reasonable to expect an outage by sending a few single TCP packet to a system? Or, were you flooding the system unreasonably?

It is a huge security risk to treat systems as ancient eggshells you must not touch ever. A certain amount of touching has to be reasonable, because that is what foreign actors will do if they need to cause trouble. Apparently you could cause this company major operational harm with a pi zero. Why is that protected by professional ruin and jail time?

[mapontosevenths]

> Is it reasonable to expect an outage by sending a few single TCP packet to a system?

Thats kind of the rub isn't it? If I'm authorized to do the scan its reasonable. If I'm unauthorized nothing I do is reasonable.

It' similar to drivers licenses. If you get in an accident that wasn't your fault, but your license was invalid, its still your fault legally because you weren't meant to be on the road at all.

[fossislife]

As a German I fear the only way I can see one of our government agencies to react upon an external pentesting report is if you threatened to release data from it, anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.

[breisa]

Thats far from reality. Just use the online form of BSI for disclosure. They contact the affected party for you. This way you optionally can stay anonymous and the vulnerabilities get fixed because BSI appears as the messenger.

[lionkor]

Thats great to know, thank you!

[voodooEntity]

Word.....

This laws, while i wanne say have a good intention, just do the opposite...

I myself, residing in germany, developed a recon/vuln/scanning tool that im legally forbidden to publish cuz of the laws you just mentioned.

[lionkor]

I heard from a friend that you can rent VPSs in pretty much any non-western country with some bitcoin (as long as you do nothing illegal, they don't care). I wouldn't suggest using it to circumvent any laws, but my friend used it for enhanced privacy

[voodooEntity]

Well i wouldnt recommend to use btc for the payment to be honest. But ye offshore servers have been a thing for a long time.

Tho i wanted to open source the tool (spend ~10 years developing it) and thats just not an option.

Don't wanne self advertise here , but for the sake of better understanding if you want to know the details you can read them here: https://blog.laughingman.dev/article/Ishikawa_10_years_of_bu...

[sigmoid10]

To be fair, most of this stuff could be found with any normal browser. You don't even need browser dev tools. But if you write a simple script to automate any of this... yeah. They can totally get you for doing that. Probably one or the best examples why politicians should not be allowed to pass technical laws they fundamentally can't grasp.

[lionkor]

Visiting an admin page is fine, yeah, but even just trying a default password, or having specific cookies set in the browser that look like an attempt to gain access, already clearly violate § 202a and you could be prosecuted, from how I read that law's text.

And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.

[jiehong]

It's a good way to ensure that people outside of Germany pentest German sites instead :D