Modern Solution: Appeals court confirms security researcher’s guilt

On Monday, the Aachen Regional Court rejected as unfounded the appeal of the programmer who had been reported by the software provider "Modern Solution". The lower court's decision therefore stands. The verdict is not yet final, however, and the defense has announced online that it intends to appeal (LG Aachen AZ 74 NB 34/24).

The programmer was sentenced to a fine of 3,000 euros by the Jülich District Court in January after being convicted of unauthorized access to third-party computer systems and spying on data while disclosing a security vulnerability (AG Jülich Az 17 CS 55/23). Rather than rewarding the expert for finding the vulnerability, Modern Solution reported him.

The accused, a freelance IT service provider, audited the software of the Gladbach company Modern Solution for a client in June 2021 because of a database error. He discovered a serious security flaw that allowed access to the personal data of approximately 700,000 online shop customers. After the company had fixed the flaw, the programmer disclosed its existence on a blog covering the e-commerce industry. A few months later, the police searched his business premises and confiscated his work equipment.

The Jülich District Court initially dismissed the case in 2023. On an appeal filed by the Cologne public prosecutor's office, the Aachen Regional Court ruled that the judges in Jülich would have to rehear the case. In the trial at the beginning of this year, the public prosecutor sought to prove that the defendant had extracted a password from Modern Solution's software using a decompiler.

The defendant had determined that his client's problems were caused by the software component that established the Internet connection to the database on Modern Solution's servers. He used a password stored in the software's source code to look at this database, because it was "cluttering the software with log messages."

The actual executable file, which according to the defendant contained the password in plain text, was not examined at the trial in Jülich. Apparently not even the investigating authorities had done so. In June 2021, heise online was able to confirm through its own investigation that the password was present in plain text in the file.

In the appeal hearing on Monday, the Aachen Regional Court adopted the Jülich District Court's assessment that accessing the protected database is a criminal offence. The court was also not concerned with how the defendant had obtained the password. Because the password was neither easy to guess nor publicly known, the access constituted a criminal offense.

At the hearing, the Small Criminal Chamber emphasized that the defendant could have avoided criminal liability had he terminated the access the moment he realized he could see customer data he was not supposed to see. The fact that he documented this data with screenshots, which was undisputed at trial, sealed his criminal liability.

According to several trial observers with whom heise online spoke after the hearing, and some of whose notes we have, these screenshots were the crux of the matter. From them the court concluded that the defendant had undoubtedly accessed the data and that he must also have known he was acting as a "hacker" within the meaning of Section 202a StGB. How the accused had obtained the password apparently did not matter.

The verdict is not yet final, and the defense has announced that it will appeal. The appeal was admitted by the Aachen Regional Court and will probably be heard by the Higher Regional Court in Cologne. In that appeal, however, the findings of fact made by the lower courts are examined only to a very limited extent, and no new evidence is taken. The main issue will be whether the decision was procedurally correct.


(vbr)
