"We also release our tooling so that fellow security researchers can dig into KakaoTalk’s broad attack surface to find more bugs." I think this would be illegal in Germany.
Why? How is that relevant? Isn't it well established that open source security research is the number one way to have a secure app/ecosystem? Why should tooling be kept secret when another team can potentially find more exploits using these/similar techniques?
> The sole possession of hardware, software or other tools that can be used to commit cybercrime can constitute a criminal offence according to Sec. 202c of the German Criminal Code.
Well that is kinda the point of these vague laws. Just like they eventually nailed Al Capone with taxes in the US - if you can't hit someone directly, you can hit them with the "three felonies a day".
I'm German... our politicians, at least most of them are a bunch of pathologically technologically incompetent buffoons. A lot of that was masked during the Merkel era because she herself was a literal nuclear physics doctorate, but now that she's gone, it's painfully obvious what's going on.
Except §202c StGB https://www.gesetze-im-internet.de/englisch_stgb/englisch_st... isn't actually vague. The simple reason it doesn't outlaw compilers is that compilers aren't built for the purpose of giving unauthorized access to other people's data, even though they can help achieve that aim.
It's similar to how weapons designed to be used against people are regulated differently from tools that merely happen to be usable as weapons.
In the concrete case of sharing tools to explore the attack surface of KakaoTalk, this is not a crime under §202c StGB as long as you do not intend them to be used to hack accounts you do not own.
The burden of proof is supposed to be the other way around, as presumption of innocence is a thing in Germany (Unschuldsvermutung).
Good luck to the prosecution trying to prove that you did intend to hack other people's accounts when you can point to this blog post where the author demonstrates hacking their own account and reports the vulnerability to get it fixed.
I think people who get convicted of one of the "preparation to commit a crime" crimes mostly:
1. fail to come up with any alternative explanation for their behavior
2. put their plans in writing or tell someone about their intentions
> The burden of proof is supposed to be the other way around, as presumption of innocence is a thing in Germany (Unschuldsvermutung).
Theoretically.
Unfortunately, judges who are actually fit in IT topics are rare, especially in the criminal courts. They tend to rather believe what the prosecutor tells them. I'm just happy we don't have US-style juries because that would be even worse given our collective love as a society for faxes and writing information on highly processed dead trees (i.e. paper).
That is not in fact well-established at all, though as someone who came up through vuln research I expect we have similar takes on the public policy of vuln and exploit disclosure.
Good. Since KakaoTalk refuse to issue bug bounties to non-Koreans, hopefully they'll change their mind when a bunch of hackers destroy their infrastructure.