Hello, and welcome back to the xHain stage. I have a weird double role here, because the following talk is also done by me, so let's do the organisational stuff first. You can ask questions for the following talk on Twitter with the hashtag rc3xhain or in the corresponding IRC channel. So now I'm switching to my role as Karl from Zerforschung.

So what is Zerforschung? Zerforschung is a collective of a couple of young people, fewer than 10 right now. It's a bit hard to define. In the past year we found each other, from all over Germany, communicated with other people, and started, out of interest, to have a look at tech. And since we started this, we found vulnerabilities, and vulnerabilities, and vulnerabilities. In this talk today we want to talk about what we would have liked to know one year ago about all of that. So, now should I say something?

Hi, I'm Linus from the Chaos Computer Club. The Chaos Computer Club is a society of hackers, one of the largest, if not the largest, in Europe. Maybe some of you have heard of it. We have been looking for vulnerabilities and reporting vulnerabilities for quite a while, quite a bit more than one year actually. And so we helped Zerforschung, supported them, and talked to them. In this talk we not only want to talk about what Zerforschung reports and how to report vulnerabilities, but also how to react to a vulnerability report. Because one thing I noticed is that I got the impression that certain companies improved their reaction over time, but this year some of them really reacted in a really, really bad way. So that is what I wanted to talk about in this talk.

Throughout the talk we will refer to several papers and other information of interest, so we created a link list, which you find at rc3.zerforschung.org. After the talk we will have a complete script on that page. So let's start right now. The following movie was created by cringe placement.
Wow, this is all data from the ChaosCat community. And Linus is in there as well. Hey, Karl, should I tweet this? I don't know. Okay, I'll just do it. Hey, Linus, have a look at your data here. Let's tweet vulnerabilities. That's what he said. Open the door, please. Stop. Not like that.

What we've just seen was full disclosure. This means that someone found a vulnerability and just published it completely, right away. This can create really, really bad trouble for you. And it's really dangerous for the people whose data gets published, and also not cool. I mean, the hacker ethics says: use public data, protect private data. That's what we're talking about today, because we are looking at responsible disclosure, which is the process of telling a software company that you found a vulnerability. So nothing speaks against publishing about the vulnerability afterwards, but only once the company has closed the vulnerability.

Not everything that's broken on the internet is really a data leak. Nevertheless, we really want to have a look at data leaks, which are a special class of vulnerability where data leaks out. Also, we are looking at apps and websites only from one company, like Moogle. So if you have, for example, an educational app where people could download the personal data of other people, then this is exactly that. So if you have any questions or any kind of reports, just talk with Linus. Just write to disclosure at ccc.de. All right, I just said that.

All right, back to our subject, the data. Before you run off in any direction, you should first think about how bad this security vulnerability is, because what you should do and how quickly you should do it will depend on this. Of course, every security vulnerability should be reported, but not every vulnerability is equally bad.
So we will look into how you can estimate how bad it really is. We will look at what kind of vulnerability it is, how many people are affected, and what kind of data is affected.

So first, what kind of vulnerability is it? Can you read the data? Can you change data? Can you even delete the data? In our example from the beginning, only the first one was possible, which is bad enough, because we can get a list of all the names, addresses, and I don't know what other kind of data is in there. We can download all this, but we cannot change the list. We can't give everyone the first name Kao. Also, we can't delete the list, and that is important, because it's part of security that data doesn't just vanish. If it's about personal data, then the last two points, changing and deleting data, are really unfortunate, but it is bad enough if the confidentiality of data is lost and people are able to read data who are not supposed to be able to.

And we had enough of these data leaks this year. We noticed this in many Corona test centers and even in some educational platforms, and in every case we could access the data of many, many thousands of people. An example: some time ago we found a security vulnerability in a Corona test center in Berlin. They had this nice system where you could register online for a test and then get the result online as well. So we did a test ourselves and then looked at the results in the system. And we found an API where you could get a list of all the people registered in the system and, through another interface, even the test results. These were almost 700,000 tests with all the data: name, address, email address, telephone number, personal identification card number and the test result. 400,000 people were affected, but in this case it was even worse, because we could not only read all the tests in the system, but we could also create new ones and save the results of those new tests.
So we could create, for arbitrary people, the result that they had had a negative PCR test, despite them never having entered a test center. So we tried this for Robert Koch, born 1843. And the test was fortunately negative, because at 180 years a corona infection would be very dangerous. So like this we could read foreign data and also write new data into the system. And you might imagine we could also delete data from the system, which is a catastrophe from the IT security and also the public health standpoint.

And after you know this, you have to continue estimating how many people are affected and what kind of data of these people is going around. Because the reality with many affected people is worse than with few people. If a lot of people are affected, then we're at the worst alarm level already. But it's not that simple, because if it's about very, very personal data, then even few affected people are a big security leak. And there are some examples of especially sensitive data in the General Data Protection Regulation: corona test results would fall under health data, sexual orientation, union membership, some other things. So if it's about especially sensitive data, then we're at the dark, dark, dark red emergency level. And this is the point where we should start writing down everything that we found out.

All right. Once upon a time in a software... Wait, Karl, a report is not supposed to be a novel. All right, let's go back a step. Let's imagine we have found a relevant security leak, and we know, according to the criteria just now, how bad it is. And now we want to tackle this responsible disclosure procedure and report the vulnerability. And to be honest, we've done this a few times now, but it still triggers some adrenaline, which is natural. You have probably just seen the data of other people which you're not supposed to have been able to see. And so the heart rate will go up a bit, of course.
And the most important thing in this situation is to stay calm and to check again. Have I really just found this security vulnerability? Have I really seen the data of other people that I'm not supposed to be able to see? I know, "just check again" sounds easier than it is. And it's very important, that's already in the hacker ethics, to never look at the data of other people. So if possible, create a second account or ask friends if you can use their accounts. If you think you might be able to delete or change data that you shouldn't be able to, then of course don't do this with the data of other people.

If it's really the way that you suspected, then start writing. You start documenting the vulnerability for several different target groups, because this document will pass through several hands. It will first of all go to a group of people who will just read the first two sentences but are then responsible for forwarding the document to everyone who will understand the rest of what you wrote. So that is why the first sentences should be understandable for everyone, and the most important facts should be in there already, which includes how many people are affected by the vulnerability and what kind of data of these people is affected. And try to avoid using technical details here. Those can go later in the report. And if you are going to send the report to official places such as the CERT, then it also makes a lot of sense to describe what kind of service or product it is, because then those places can decide how important the vulnerability is.

So in our example: I have found that the API of the ChaosCat community is insecure at a certain endpoint. In the membership app of the ChaosCat community, the data of all members can be found. The data is name, address, payment status and vaccination status.

And the rest you're writing for a technical target group. So they know what an API is.
Be precise. Don't write a master thesis, a bachelor thesis, a novel, just good documentation. Screenshots can help to really describe the problem. Describe what the vulnerability is. In our example: So folks, I found the API of the ChaosCat community member app and found that via the API endpoint /member/ID, by enumerating the membership ID, I could access the personal data of all members. A profile could look as follows.

Second: the impact. Using this vulnerability, I have access to the complete membership database of the ChaosCat community: the name, address, birth date, payment status and the fact that they are a member. And this is important so that the other side can quickly comprehend how bad this vulnerability is. And then the official bodies can try to decide if they need to impose sanctions or something.

The next point is how to reproduce the vulnerability. If you have a short script, then you can insert it there. Otherwise describe in clear steps what you need to do. For instance: number one, become a member of the ChaosCat community. Cats are always great. Number two, register in the app and then memorize the login code. Number three, open this URL. Number four, you can see the profile of Catsy McCatface. And sometimes you can also give good tips on how to fix the vulnerability. If you have these, then you can add them to the report as well. But you don't have to, because that's the job of the company and not yours.

And once you have all the information for your report, then the company has to learn about it. And there are again several options for this.

Phone rings. Hack, hack, hack and hack. Running here. We build the banks for your data. How can I help you? Hi, here's Karl von Zerforschung. Do you know why I'm calling? Do you want to place an order? Or is it a new term? So in your CRM, I found something with missing authentication, full access to the PII of your users. We have MDF, HDF, plywood and solid wood. We don't have anything else.
Okay, so you got me wrong here. I found a vulnerability at your company through which I can access the data of all your customers. Do you have five minutes for me? That's bad. What do we do now? Yes, so I want to chat with you. Who do I report this to, or how can I report this? We can fix this quickly. Somebody built this for us. So if you can stay on the line, I can try to find the contact for you to call. Ah, that's perfect. Hey, thank you.

In many situations it's probably simplest to go via the vulnerability report form of the BSI. It's possible to do this anonymously. You find this under this URL here. If you fill this in, you're sending the vulnerability report directly to CERT-Bund. This is a team at the Federal Office for Information Security, the BSI. Their main job is making sure that the infrastructure of the federal administration is secure. That's why they are the point of contact if you find any security problems in the infrastructure of the state of Germany. But they also connect security researchers and companies. They take your report, check it within a few hours and then talk to the corresponding companies. This makes it easier for us, because you don't have to contact the company yourself directly, unless you want to do that. And if the BSI writes to a company, they are typically pretty quick to fix the hole, because otherwise they're getting a letter with a very, very important letterhead. And they also don't want the BSI to publish a public warning about the software of this company.

But what you always should keep in mind: the BSI is a security agency, like police and intelligence agencies, and reports to the Ministry of the Interior. CERT-Bund works slightly differently than police or security agencies and is, from our perspective, pretty independent. But always think clearly about what you tell them and what you don't.
So, for example, if you report a vulnerability that's suitable for a state trojan, we wouldn't tell them. So what we want is to make the BSI a really independent agency and cancel the hacker law.

So there are a couple of things you should also keep in mind in your report. Report everything. Do not hold any knowledge back, and also do not make any demands. Don't ask for money, don't ask for t-shirts, chocolates or presents. Nothing. You don't demand anything, and you report everything. And the other way round, you need to be careful that no demands are made towards you. For example, NDAs or anything else you need to sign. This happens quite often with bug bounties, for example. Whether you understand it or not, you're entering into a contract that prevents you from talking about this vulnerability or having another look at these systems again. So no demands from you, and don't accept any demands. And definitely no NDAs.

We made this kind of mistake before, and we are pretty unhappy about that. We didn't have much experience back then, and we reported a vulnerability via the official bug bounty program of the company. What we didn't think about is that there was an NDA there. So we are still not allowed to talk about this at all. And this is exactly what the companies want to achieve with these kinds of NDAs: control the narrative, make sure you don't talk about these vulnerabilities. And this is a problem, because as a society we need to be able to talk about security problems in software, because this is the only way that we, as a society, can find new regulations, find new measures to avoid them.

Also, never try to sell any consulting to these companies. And if they offer to pay you as a consultant, just tell them no. The risk is way too high that they use this against you later on. So if you're not sure whether your report is fine, then better talk with someone who has more experience there.
So, for example, Linus can do this. Hey, I can do this, just write to disclosure at ccc.de. Yes, Linus can do that. And this is nothing to be ashamed of. We did this very often with Linus. And instead of Linus, you can also ask hello at zerforschung.org. We are also happy to help you out there. Hey, that's what I said as well. Hey Linus, that's what I just said.

You should also be very quick in reporting a security gap. So don't hesitate so much. For example: you find some vulnerability, try out whether it works, and then for weeks don't write any report. Because if the company finds this vulnerability on their own, looks at their logs and sees that you exploited that vulnerability and didn't tell them, then they will consider you to be malicious, and getting out of that and proving your good intentions can be pretty complicated. So please send the report as soon as you have thought about everything and written it down. This also means: write everything you know into the report, because if you keep some information back, it may look like you're doing this on purpose.

What's a really, really bad idea is to ask for money in order to report everything, because this looks like blackmail, and this can have bad results. So please do not do that. What also may happen with companies and with agencies is that you generate automated reports with a vulnerability scanner and then directly send them to them. Don't get this wrong: these scanners can be very helpful to get some hints or clues about a hole, but then you're back at the beginning. So jump back to the beginning of the talk and have a look at the rules.

So this sounds like a lot of fun, and it is, but be very careful and think a lot about each step, because there's a lot that can go wrong. Because if you report a hole, a security gap, you are implicitly saying that you exploited it. I mean, there's no way around that.
But in Germany this can be a felony, according to the hacker paragraph, § 202 of the penal code, which makes it illegal to get access to especially protected data. It sounds reasonable, but the corresponding paragraph is not very clear, and dangerous. Even the CDU, who wrote this law, doesn't really understand this paragraph. So they tried to sue after a security hole was reported to the CDU. The prosecutors said the data were protected so badly that this wasn't even prosecutable. So it's a really bad idea for a company to sue security researchers. Only very difficult people try to do this. We haven't met many of those, but they are out there. So we really hope that this paragraph gets abandoned. Many security researchers have written this down in an open letter.

So really think about whether you report under your identity, because reporting can be done pseudonymously or anonymously. Remember, on the internet you are not anonymous. Protect yourself from the very beginning, because if you found something, then your IP address was already logged and it's too late to look for anonymity. Linus and Thorsten made a very good talk with the title "You can hack everything, just don't get caught." Oh yeah, with Thorsten I recently had a talk with the title "You can hack everything, it's just not allowed, so try not to get caught."

So if you communicate with the company, be very, very careful, don't hold any relevant information back. Also be careful not to put yourself in a bad light, and do not expect that the company is thankful to you. Right at the beginning companies are very much in shock and don't really know what's happening. They're not allowed to threaten or sue, but right at the beginning they might be very unfriendly. And as I said, be extremely careful, never do anything that could look like or could be taken as a threat or blackmail. In general, we recommend keeping your flat or your house in a way that is ready for a police search.
It's really bad that this is necessary, but then again, police may have a look for other reasons as well. There was a talk, "You have the right to remain silent", from Udo Vetter, on media, for example, with a lot of explanations.

Since we are talking about taking care of yourself, not about your own IT: be careful. Because if you've found a vulnerability, it can be really, really stressful. This report can cost a lot of nerves, a lot of sleep. So check your health, do self-care, try to find allies, friends, people you can talk with, people you trust, who can tell you if you're going too deep, tell you to stop, tell you to go for a walk. Zerforschung is exactly this. We managed to achieve a lot this year, more than any one of us alone. And we had a lot of fun. And so during this pandemic, until now at least, it was easier to bear. Without this collective, we wouldn't have been able to manage all of that, not even in that time. More heads think better than just one. The collective gave us a lot of different perspectives. This is really, really helpful and really, really nice. Of course it can happen that we are not in the right mood. For instance, if on Tuesday evening at quarter to midnight we're sitting together and we notice, hey, this text has to be done by tomorrow, and the threads for social media have to be there, and someone has to create the title image for the blog post. And in the end someone manages to create everything, and then it's nice to see the result. So find your friends, create a pack, and then report these security vulnerabilities together.

All right, let's assume you've done everything correctly. And let's check what happens afterwards. 22, 24, HKH, we build the banks for your data. How can I help you? No, we don't have a data pipe. We have a normal pipe and a sink pipe. Data pipe? Is that some kind of disease?
What do you mean, customer data? Oh yeah, what? No, I'll call the police. You can't do that. Hello, police. There's an emergency. Do you have cyber police or something? I've just got a call. Someone said something with data, data leak. And they had all my customers' data. No, I don't know who it was. They said a name. I don't remember what it was. Something with "von", some kind of noble name. All right, I'll hold.

All right, dear companies, let's look at you. Your tasks are very simple to explain: be kind and open to the reporter, close the leak, and don't even think about suing us. All right, we can maybe say a bit more. First of all, you are communicating in a responsible disclosure process, usually with a person or a team who do this in their free time. So really treat them well. But of course your task begins a lot earlier, before you have the hackers on the phone. Your first step is to be reachable as a company, because mistakes can always happen. But if someone outside of your organization finds them, they should be able to report them. And the first thing that researchers will ask themselves is: how can we even reach you? The conventional solution here is that you have a special email address such as security at your domain. And it is also useful if this address is read and regularly checked by multiple people, because it's not useful if you get an email and then the responsible person is on vacation or just checks it once a month anyway. And these emails should be read directly by technically competent personnel so that everything can go smoothly. And you should also look into the spam folder, because sometimes hackers use their own mail servers and those emails might not end up in your inbox, especially with Google and Apple. And this reachability might sound trivial, but we often notice that we are not able to reach the right person for these vulnerability reports.
And that means we will write to everyone we can find anywhere on the website. And this is not ideal for you as a company, because then this report is usually going to reach a lot of different people. They might not be specialized in security reports and can't really estimate how bad it is. And then there will be a lot of panic, nobody knows what to do, and anything might happen. The message might be ignored or, in the worst case, it might be read by the wrong people in the C-suite and then be escalated to the wrong people. So that's why a separate address makes a lot of sense. And if there's a report there, you should react quickly and send an acknowledgement of receipt very quickly. Then we know that you have received the message and we don't need to keep trying to reach you, because if we at Zerforschung don't reach you by email, then we will keep trying through other means. We might write you on WhatsApp, we might slide into your DMs, we might write you a fax, we might call your investors or even your parents, if that's not the same thing. So this might sound a bit weird, but we have done all of these things, because we want to make 100% sure that you know about the issue and it will be resolved as quickly as possible. And this is why the security mail address should be easy to find, such as in the legal information of your website or even in the security.txt, which is a standard on how to publish the security information for your website. This can contain the ways to reach you, the preferred language for communication, crypto keys, anything, and you make our work a lot easier this way.
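The security.txt standard mentioned here is RFC 9116. As an added example (not code from the talk, from Zerforschung or from the CCC), here is a small Python checker a company could run against its own /.well-known/security.txt to confirm that the mandatory Contact and Expires fields are present, that Contact values are URIs, and that the file has not expired. The two sample files are constructed for this example.

```python
"""Validator for a security.txt file (RFC 9116), added as an example.

Takes the text of a /.well-known/security.txt and reports whether the
mandatory fields are present and whether the file has expired.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample: what a well-formed security.txt could look like.
GOOD_SECURITY_TXT = """\
# Constructed example, not a real company's file
Contact: mailto:security@example.com
Contact: tel:+49-30-0000000
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: de, en
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
"""

# Constructed sample with typical mistakes: a bare address instead of a
# mailto: URI, and no Expires field at all.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: de
"""

# Constructed sample whose Expires date is already in the past.
EXPIRED_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into field name (lower-cased) -> list of values.

    Comment lines starting with '#' and blank lines are skipped, as RFC 9116
    allows. A field may appear more than once (e.g. several Contact lines).
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    # Contact is mandatory and every value must be a URI (mailto:, tel:, https://).
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a URI: {contact}")

    # Expires is mandatory, must appear exactly once, and must lie in the future.
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear only once")
    else:
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT),
                          ("bad", BAD_SECURITY_TXT),
                          ("expired", EXPIRED_SECURITY_TXT)):
        print(label, check_security_txt(sample) or "OK")
```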
All right, now you've received a report. The next step is to check if you can follow the description in the report, and if you can, then you should confirm this to the researchers. This is important, because otherwise we will just keep annoying you, and this costs time for us and for you. You should also directly explain what will happen next until the vulnerability is closed. It will be interesting for us what you're doing immediately as well as what consequences you're drawing, such as: "We have been able to reproduce the vulnerability that you described and directly took the affected service offline. We have now closed the leak and are checking the service thoroughly again. Thank you for the responsible disclosure." If you could not reproduce the issue, then check back if you understood everything correctly, and don't just directly claim that the leak doesn't exist.

You want to keep the person you're talking with up to date and don't want any misunderstandings in the communication, so prefer sending too many updates rather than too few. So regularly write back, for instance every week, and check back: how far are you with fixing the leak? Communicate clearly here if there's a move in the timeline. If there's a delay, then you should name that explicitly as well. You want the security researchers to be honest and transparent, so you should also be honest and transparent: put everything on the table and don't hold anything back. It is also important because security researchers will want to write something about the leaks. We write blog posts, for instance, describing how we found the leak and what the effects were, which means that everyone can learn something from these cases, and these leaks will hopefully get less common.

If you're talking to security researchers, be honest, be friendly, be thankful to the reporters. Keep in mind that people are helping you in their free time to keep your software safe, and this is great. And of course it's not
nice if a big security vulnerability in your software is found, but that's not the fault of the researchers. They found the vulnerability, they didn't create it. So don't shoot the messengers. Imagine how bad it feels for the other side: they looked at your software in their free time, they found a problem, they even told you about it, and you're just sending back abuse, insults, or even threatening to sue. That is how you scare away potential security researchers, which is the worst case for your security, because the vulnerabilities aren't gone now, they just will not be reported to you. They might be fully disclosed immediately or even sold to criminals. The CDU, the German party, had to learn this the hard way after they threatened to sue. There was a huge outcry and they were told that nobody would report vulnerabilities to them anymore. This is of course a tragic case. We cannot recommend anyone to report vulnerabilities in CDU apps again, and we will not do this again. We wish the CDU good luck and hope that they will be able to find all the vulnerabilities themselves and nobody else. Instead, some further vulnerabilities were found in CDU software and immediately published.

So watch out that you don't write anything that could be taken as a threat, and it is obvious that you should not force people to sign anything: no NDA, no consulting contracts, don't even try it. Of course security researchers are often happy if you are giving something back in some friendly way, but always agree on this first. Don't just send money or presents, always ask if it's actually desired. And especially important: do it to be honestly thankful, it is not an opportunity for a cool press release, and don't put conditions on it. This also means don't just be thankful publicly. Not every person wants to be named on your social media channels, such as we don't want to be named on the Armed Forces website, or someone doesn't want to deal with the vulnerability anymore. It could be
stress at work, people just maybe don't want it, and you have to accept it. It's important, not only directly in the communication with security researchers but also in the communication with everyone else, to be open about it. So don't keep anything back, be transparent about what happened and what you're doing. It can happen that journalists want to report about this incident with you. Don't try to lie to them, and don't try to discredit the security researchers. Usually this backfires. Also, it's never a good idea to make a press release without talking to the researchers. We also want to encourage you to always inform your users about the incident. This is part of a transparent way of handling any vulnerabilities.

What we have explained in the last couple of minutes are just the basics. If you really want a good process for your security incidents, there's a lot else you can do. There's a lot of literature, much more than fits into this talk. Some links to further information are in the show notes under rc3.zerforschung.org. So, happy hacking to everyone, and see you.

The worst are the orders by these weird people from Berlin. Is the camera running? They're really, really annoying, those people from Berlin. Special colours here, smart bangs, gloom, bad stuff. The good thing is, you just take your old pallets and sell them, and they are so stupid, they even put this in their old loft, it's the latest thing. You can just sell every piece of garbage to them.

And with these words we are back live on the xHain stage. First of all something organizational: we'll have a short Q&A, so you can ask any questions with the hashtag rc3xhain or in the IRC channel rc3-xhain. And again, there are going to be show notes and the script of the whole movie we just showed under rc3.zerforschung.org. And if you want to watch more cringe from us, just follow us on Twitter or TikTok or Instagram. So I
have to move to the Q&A part, and there's the first question: do we make a difference between real security vulnerabilities, like a lack of authentication, and open barn doors, like an API with no barn door? First of all, these barn doors are more annoying, but we have a certain process, and it doesn't make any difference at all. What I need to add here is that certain kinds of information disclosure happen quite often, where someone says, oh, we switched debugging on, and this usually allows further vulnerabilities. So we usually don't really report this tiny stuff if it doesn't pose any immediate danger. Our main intention is finding data leaks, data leaking out. This doesn't mean that there aren't many, many other kinds of vulnerabilities, but the ones we are looking for are data leaks, data leaking to the outside, data being available outside. That's our main focus for our own reports, less about how this happened but more about the actual impact, whether it's an enumeration of an API or something more complex.

Also attached to that: we have seen companies defending themselves by saying, well, it was only open for two weeks or one month. I mean, it's nice that it's only so short, but once the data has leaked, which might only take a few seconds, the bad thing has already happened.

The other question: what is a good time span between a report and the publication? The general rule is 90 days, that's kind of an industry standard by now. But in this particular case, if personal data is involved, we don't say it has to come in three months. That's not what we do. I think it depends on each case, on the urgency. And the general answer is: we want to get things fixed faster than we'll be able to report that. So we don't really say it needs to be done in a few minutes, but we can really only publish if it's fixed, because otherwise the publication would allow other people to
get access to that data illegal access to the data so this is why PII private data is some special case here so the most important thing for us is once we have done the report we want to get feedback answer from the company within 48 hours typically it's faster and then it depends on the actual case and the company but the first feedback should be very very quick but also you should give the companies the chance to react in a meaningful way so 12 hours is typically a very way too short time so if you're talking to a company next question what happens if try to play everything down especially when they talk to journalists so you have a lot of experience with journalists so this always happens I've never actually seen once that the company didn't try to play this down it was just a short moment just two months the API was open or there was some access to only a small part of our customer base so everything was able but the only downloaded 23 data sets of them so we don't have to report that we're taking things down and in that form we always see this I mean it's understandable because they want to come their customer base in that kind of okay but what's really a bad thing is if people negate that companies negate that or if they attack the researchers so that's understandable you shouldn't tell this to them but if they getting personal if they try to attack you if they say that the the timeline was way too short that's a bad thing so for us it it was important to find a professional media partner for the report about the security because we want to make sure that our side of the story would be reported in a good way so even in the worst case if the company suits you you have some allies but we don't really have a good way for our thing we just want to find a good way for us here so since you're talking since you're talking about partners you were already talking about the data protection agencies and what are your experiences with data protection agencies if you're 
reporting something there are they competent do they do enough they have limited possibilities in Germany so the data protection agency can't do everything they can't just say with the very first foundation we are doing going to do a huge fee they are limited and there's a lot of pressure on them from politics and from the economy so they have limited opportunities but on the professional level the work together with them is always working great we have a great relationship with them they're always nice they're happy to hear from us sometimes we help them to follow along and then the process is starting there legally the data protection agency cannot always inform you there so you might just report something and then later there comes a press report very rarely it helps it happens that the company will get a fee but it's unfortunately fairly rare to add something there I think I hear a lot of misunderstanding from the question there's IT security and data protection and data protection is just a legal concept just because you have a vulnerability it doesn't mean necessarily that you have a violation of data protection this would happen if you report it too late if you don't inform people or if it becomes clear that you have data on the server which isn't supposed to be there after a certain period of time there's a concept of data protection and then they can do something immediately but with a security vulnerability it happens a lot so I think it also makes sense that not every company that has a vulnerability immediately has a data protection problems but from a legal perspective but I think it still makes a lot of sense because then it's already on the books or on file then the data protection legal perspective can take a close look at it as well and at the end of the day the most important thing is that the vulnerability is closed and as long as there aren't any indications that the data was actually stolen or that there was anything done especially poorly then 
the data protection agencies don't do all that much with the first incident and I would say that's okay that way we as the Valsion would like for them to be a bit more proactive for the agencies and we sometimes hear this from the data protection people as well that the agencies want to do more and they want to go to the companies directly and a lot of the things that we found aren't as old type vulnerabilities that are totally incomprehensible it's often fairly easy to find stuff but they don't have enough resources so if there's less than a handful of people responsible for health data and burden then they can't check all the corona test centers which is why we also demand that they are better equipped with the possibilities that legally they already have and I think also in them with this CDU connect app the person isn't going to say that there isn't I think this app wasn't actually a data protection problem right yes because it collected political orientation of people and this is especially protected data according to the general data protection regulation and so this is relevant to data protection laws so this is the kind of data I would say any data under article 9 should be protected especially and then the data protection agencies should be able to check especially all right and then I think before we start talking more about data protected agencies but don't be sad if there's a million dollar fee or million euro fee all right and what we've noticed is we start talking to the companies and then they might learn something and especially if it's larger problems then the data protection agency might go to the company and then have the effect that they close down so data protection can be a good tool but don't expect that you will immediately see the consequences the next question is a legal question which I think we cannot answer on the legal level but I think it's still an interesting question if you have found the problem can you forward it to more 
competent people is it okay I would take it away from the legal and more to the moral level is it okay to go to the CCC and say okay there's this problem here I have found it how can we solve this probably and I was forget there's this if there's some kind of data there there's this paragraph so all of us aren't lawyers but there's this paragraph where the first person who learns about something is free of any penalty each other person might be penalized but we're not talking about being liable juristically but maybe to answer the question a bit carefully that's not the most important thing we can't say that it's always wrong to tell another person but if talking to another person in this case means twitter tweeted to a lot of thousands of people then that's a problem of course if we're saying so if you're this closure at CCC we see this very often there someone says I've just found this and my answer is okay you have to describe it completely so we can follow along and we can judge the impact if you're just writing this then I can't do anything about it and I won't report it either so this means of course that I have to be told the complete vulnerability and I will check it and if I were to do any mischief with it then it would be bad for me of course and for the person who told me as well so I think that the question is answered by asking do you trust the person to work based on the same ethical standards as you and then if you're a unit more or less then I wouldn't see this as juristically very risky. 
One more note here it's a we've found when working with the data protection agencies that we've reported a vulnerability and then told the agency that there was or they say that no data was taken away because it is trust worthy which is of course funny because we've found this vulnerability and nobody knows if the data was taken off before we found the vulnerability or anything but in the practice of data protection if we are not talking about legal perspective we've already seen that security researchers are trusted already to such an extent that people don't consider this very problematic but you have to be very careful there I think this amount of trust not everyone gets that much trust with their first report so as we said try to get help and find more competent or more experienced people and ask them such as Linus or us if you want to and I think this is a legal question so we can just add our legal disclaimer which means this hacker paragraph has to be abolished at least in its current form it has to be formally in such a way that security research is possible legally and you don't have to be afraid that the police is in front of the door of the suit and I'll maybe add I'm not aware of any case where someone was actually sentenced who shouldn't have been sentenced to something in court but about these being sued is annoying because they take away your computers a lot of troubles you have to pay lawyers pay all these legal stuff and this is a totally annoying when they come into your apartment if you haven't invited them and that is why even if it doesn't lead to sentence against you it is just terribly annoying and that is why it makes sense to work with the CCC together or as the CCC because I think that it has support has spread that sending the police to the CCC is difficult okay so I think we answered this question so here's the question on whether we know of any cases where the data data protection agencies put any penalties on the companies so as a 
portion we don't know of any case but there are also many other cases where we don't know the result of that because if you put a result in so if you are an affected individual of that one so you have a way to get information about that but if we do this as collective as a juristic person we do not have the right to get this information and so they are not the agency are not even allowed to send this about so the best way is to create IFG requests here and so we did this previously so in the case where the company we didn't do that we published the phone number in a plot so people tried to call that in fact the users tried to call this company there and they reached the CEO while he was washing his cow so I think these were all questions that we had in the pad so let's wrap this up here thank you very much Linus that you are over here and did this with us so I really enjoyed that one here so thank you so much I would love to to having you in AC3 and it was really great how he did this