Please notice: This article is more than 3 years old
Content, Source code or links may no longer be correct in the meantime.

In the previous webinar on IT risk assessment and information security, participants questioned me during the 15-minute live hacking session: Is this not illegal?

We took a closer peek at the servers of an ambulant care unit and two other businesses. I found them by chance from a total of 28 million hosts¹ across Germany using specific search terms. The search lasted just a few seconds and after that we browsed through the numerous directories with patient data and medical prescriptions.

In the second example, we had the accounting data of a company in the form of data backups of the last 5 years straight in front of us. In addition, we were able to see private .PFX certificates for the Elster software and also recent invoices with the recipient’s company names in the filenames. And in between we saw the written correspondence with the employees of the company. With best regards to the GDPR! Let’s take a look to the so-called hacking-paragraph² “Spying out data” in detail:

Anyone who gains unauthorised access to data which is not intended for him or herself or to another person and which is specially protected against unauthorised access, while overcoming the access protection, will be sentenced to up to three years of imprisonment or a fine.

Well from a formal point of view, I have not even been close to hacking. The servers have been freely accessible to everyone without any authentication. In the analogue world we stood in the opened front door and took a peek inside the house, carefully keeping our feets outside.

Interestingly, the attempt to spy on data itself is not a criminal offence. Even an unsuccessful attempt at virtual intrusion remains without consequences, even if it is practised on a large scale. But only as long no server is affected in its function³.

Why do you not inform the owner of the hosts?

Actually I count more than 64,000 computers in Germany having an open SMB port. More than 7,000 of them are without authentication⁴. If the owner is not detectable by servername or WHOIS-record, he remains unknown. I would have to figure him or her out from the data. But this is neither my job nor being paid. Simultaneously I would make myself liable and could be prosecuted as the messenger of the bad news. Kill the Messenger!

Even if the owner does not do this, his service provider, who caused the disaster, will eventually do. He is the one in need of an explanation and before he loses any customer he rather blames a hacker for everything. Best served with a thick layer of snakeoil security solutions, which also generate revenue.

Besides that, my personal experience is that it is rather a stroke of luck to meet someone on the other end of the line who understands the consequences of an open SMB port. I’d like to quote Carlo Cipolla’s 2nd essay⁵.

That’s why I prefer to trust in the regulative power of the Internet and use my limited time to help everybody who wants to run his or her IT really safely and would rather invest in information security management.

Disclaimer: Everything without claim of correctness or completeness. I explicitly emphasize that I am not a lawyer and that this blog is only my personal opinion and understanding of the current legal situation in Germany.