Now follows the talk, more badly than well: Grey Area Security Researchers, with Dominik and Fabian. This is the story that Dominik and Fabian tell. A big round of applause for the two of them. Thank you. Fabian and I are speaking here. Why are we here? It has to do with legal matters. We are not attorneys. We are not lawyers. I also have to say that it was not only the two of us who were affected. There was another one from TU Eindhoven. He simply ignored it. But it's okay. He didn't make much of it. The only commonality here is that we don't really trust a solution that promises absolute security. Whoever does that, here it is the claimant. Who says: we give you the software and make it secure, even if your systems are infected with malware. Why are we two groups? That is because the claimant here in Germany is fairly widely spread. We looked at it last year. We had some press coverage, here in the Süddeutsche; on the left side the timeline can be seen. Blue is FAU and green is TUM. We reported it. And no further details. Here we have an article. One month later we gave the talk at the conference. Here we have a paper, a scientific paper, that we presented this year at DIMVA. There we looked not only at the claimant, but also at the application, and also at other companies on the market. And that was our part, and then it was done. Thank you, Dominik. There are two timelines that meet at a few points. There are two timelines here, and some parts of them happen at the same time. A friend of mine looked at the Elster app. He noticed what we had already said at 34C3. And when the paper was at DIMVA, it was conditionally accepted. And so we also looked at our analysis with regard to the paper.
What we also found was white-box cryptography, which was an additional component in the software. And we wanted to look at the white-box crypto. We wanted to analyze it in an academic context. And then we tried a paper at the USENIX workshop. We submitted it to the USENIX Workshop on Offensive Technologies '18. And it was conditionally accepted, over a year later. Were we really going to leave it at that? And then we were a bit surprised. We were surprised for the first time. A few weeks after the conditional acceptance, we received an e-mail from the CTO of the claimant. With the subject "Responsible Disclosure Violation". And we were a bit surprised, because in our reverse engineering we hadn't found any security leak or vulnerability. The results we had, we had communicated to them about various aspects of the paper. Yes, surprise. As I said earlier, we thought this was done. We didn't want to do anything more. And then we received the official-looking thing. First by e-mail and then by snail mail. Please respond. We received what is usually called a warning letter. That was an e-mail from a lawyer who opened the proceedings against us. It was a cease-and-desist declaration they sent us. We had only two poor days to respond. It was about hacking tests, like the ones in the paper. And we also, they also made it a competition matter, and they basically wanted us not to analyze the claimant's software any more, and not to circumvent any protection measure any more. We were no longer allowed to do anything more, because of course they have perfect protection. And if it's binding, then the protection is perfect, of course. And no publication about it, and no own software that does what we do.
So, and never do what we do, for life. And you pay up to 10,000 euros if you violate the conditions. And legal consequences would follow too. Even if you sign it, they can still do that. And you can still face legal consequences. And luckily I was at the university. And I am a researcher. And I contacted our legal department. And the legal department said it is no problem that we do that. And with that I did it. And I'm also done with my part of the talk, because I have nothing more to do with it. And back to Fabian. That would have been nice. In Munich we also got this letter by e-mail, a preliminary version, on the Friday evening. We were still in a meeting with my professor, my PhD advisor. And they simply called the legal department. And the university, maybe ... You know what happens when you try to reach someone on a Friday evening. And actually someone was still there. And I also got through. And they said, oh, Mr so-and-so isn't there anymore. I'll tell him on Monday, first thing in the morning. And here is a small calendar to show how close it was. The 24th was the deadline. By then we had to send it. And then we could contact the legal department. Maybe there are several legal departments. Nothing happens on the weekend. And we had to wait out the weekend without doing anything. And then we contacted the legal department several times and tried to explain to them what had happened. And they didn't know what had happened. And what was wrong. We told them the story. We had a few discussions with them. And we told them about the paper. We gave them the paper, a preliminary version of the paper.
And we also had to see whether we might have to pay damages or something. Or maybe to sign, or something like that; what the legal department did then was ask for an extension of the deadline. And that was the wording for the claimant's lawyer, and we asked for an extension of the deadline until July. And that would have been one more week. And we got an extension of one day. Yes, thank you. Okay, so ... We somehow had to deal with this legal department ... So, we had to clarify this with our legal department. We had to talk to them. And they really looked at legal articles. And a few days later there was another interesting thing. We can only prepare the letter. And we cannot answer it. Your name is on the letter. And you have to answer it. And the university is not a party to the proceedings. So you have to answer it personally. We couldn't really understand that. And we really did answer it. That's the cease-and-desist declaration. And we sent it back to the claimant. Once, simply answered. I had completely forgotten. It wasn't exactly like that. They said, it's your name. And you have to answer it. And you really have to talk to a lawyer. And we have nothing to do with it. And that was really wonderful. That was really great. So, the legal part. Fabian, please. What follows now? We didn't know this back then. This is simply what we found out afterwards. And everything that comes in this talk: we are not lawyers. And we didn't know what the problem was, as far as we understand it. For our analysis of the software we used different methods from the reverse-engineering toolkit. That's green. That's, for example, decompiling. Dynamic analysis methods. You can, for example, run it in an emulator. Not directly on the hardware.
You can run it in an emulator and then see what it does. You can run it in a debugger. You can change the register values. A debugger can do that. Legal analysis: you must never decompile. It is forbidden. There are various articles in copyright law. It depends which lawyer you ask. Maybe it's also a matter of competition law. You can't come from a competitor's side and say that testing is permitted. And all that's in the middle, between testing and decompiling, we don't really know, depending on which legal articles you read. We asked and nobody was really able to tell us; we really talked to lawyers ourselves and they also said, we don't really know, it hasn't been clarified. And regarding decompiling, there's one exception: if you have to create interoperability, then you can do that. There's an API and you want to connect to that. And there's one interface, and for reasons of remaining competitive, you may perhaps do that under certain conditions. And executing in an emulator: we asked our lawyers and it's probably rather forbidden. So you really have to look at that. So the idea is maybe, yeah well, then the program isn't executed in its natural environment anymore. So yeah, it's difficult. In static analysis we also sometimes, some are of the opinion that disassembly is already forbidden. And if you really just use the hex codes and then have the opcodes in your mind, that's allowed. But if you use a tool for that, for disassembling, that's perhaps forbidden. And our goal was really, we really wanted, we had no, we really weren't looking for a struggle. We weren't looking for a fight. But what can we do, without compromising our scientific integrity, to really make it more acceptable to the claimant? And we just, we talked to them, and some formulations, some sentences we took out maybe.
And we couldn't really say, we struck out something that we couldn't, well, in the end we really retracted the paper. So that's a consequence of our acceptance of the cease-and-desist declaration, really. And then we went on holiday and hoped that the storm was over. So we had a weekend of calm and quiet. Here we have an unboxing video of what came in the next week. So yeah, it's not really reusable, but a lot of content. And you can see here a large volume, a large amount of paper. That was the letter from the court. And they wanted a preliminary injunction here, but the court said this is a very complex topic. So, yeah, and there's a large sum of money involved here. And the court can just accept the injunction. Or the court says, yeah, we want to have a real proceeding here with lawyers. And people need to be there personally. So after a lot of communication, we wanted to go there and see what happens. But there was a lot of writing to the court to show that the opposing side was kind of talking out of their behinds. And then we met in the courtroom, and it was pretty full. And they had never had such a full civil proceeding. It was very interesting. It was a very interesting and long proceeding. Our lawyers thought it would be two hours, and in the end it was seven. And yes, there were very interesting little moments there. For example, the lawyers of the claimant said things like: the security of the software of our client cannot really be guaranteed if we discuss this security in public. So, that was interesting. The court did their job pretty well. So, they actually looked into the whole topic. And the court clerk went home at some point because she was done with her shift. And seven hours later, the third person in the court, they wrote down that we had a responsible disclosure here. A process, and that was what we told them. And in return, we were able to actually publish our findings, with this responsible disclosure procedure.
We would tell them: oh, we want to publish something and we give you X amount of days, and then they could answer and say, ah, yes, we have some comments here, maybe wait a little bit and we will patch something. But yeah, we were able to actually keep the right to publish, and they would actually pay for any court costs. And yeah, afterwards we also had some press echo here. So, yeah, did we get to our end goal? So, yeah, we had a lot of stress for eight researchers. With a lot of things that we could never really have dreamt of. We never really could answer these legal grey area issues. So, yeah, about decompilation, for example. And the paper of the Technical University of Munich is still not published. So, lessons learned. So, don't panic. So, just a standard thing. I didn't panic enough: it's the weekend, and on Monday the university will take care of it. No, not really. And don't sign something blindly without knowing what it is. If we had just signed it, we could just have stopped doing our job, right? University lawyers, legal experts, are not IT experts. So, it wasn't easy to explain to them what the problem was. And the FAU was a lot better, their legal department. Yeah, whatever. Don't overdo it, don't exaggerate in publications. Maybe we sometimes tend to exaggerate, and if we put in things that may be legally not quite correct, then if you put the name of the company in it or something like that, that may be a problem. And of course, never ever use a decompiler, not at all, not ever. You just can't do that here in Germany. But the burden of proof is on the claimant in that case. If someone accidentally uses it, never ever write it in the paper. And of course, there can be demands by the claimant or something, but never ever decompile. So, there are some questions that have come up and we would like to answer those.
So, before we come to the end, of course, during the process, we had our own questions and got questions from other people, and we are going through the best of the questions right now. So, the judges during the hearing, they really let us look into how they saw it. So: please tell the claimant, you cannot be successful with your claims here with this court. So, why did we settle in the end? So, what we got was a preliminary injunction, and we got this warning letter and we rejected it. And because there is a preliminary injunction that goes to the state court and into revision in the upper state court, and there is a decision, but then there is another proceeding about the injunction proper. And in Bavaria, you have to do that within one month after you know about it, and then you can't get a preliminary injunction because it is no longer urgent, but you can also try to get the same things done in the proper injunction proceedings. So, where were we? There was this five-step thing here; we ignited that and we were at the state court, and maybe a judgment would have ended in our favor. And the lawyers of the Technical University of Munich, who were in our team, they already knew that most companies don't really want to discuss the security of their software in court proceedings, in a court of law. But in our case, that wasn't the case. And with the settlement, there's a compensation clause and they can't ever do anything with that; they can't go into revision. And those four additional stages, they can't go through the other instances, and it doesn't work, and we don't have to do it, and the claimant also doesn't have to do it. And maybe we wouldn't have been able to go the long way. And so maybe for us the settlement was the better way, and we really wanted to do responsible disclosure.
In this case maybe it wasn't so good and we are sorry for that, perhaps a mistake, but we could also have asked experts in the court, and there are deadlines to be observed and we didn't want to be sitting on a ticking bomb. And the next question is: can an IT researcher be silenced by legal means? That's hard to say, maybe, maybe not. So it didn't work in our case. We fought for our right to continue our research, especially at the Technical University of Munich. So we can still publish it. We have no non-disclosure agreement. We can talk to you about it, and we do that, and raise awareness for this problem. So that hopefully you don't have to suffer the same thing. On the other hand, we have a feeling that nothing has really been clarified, nor the nuances of the analysis. That maybe you can always construct a legally reasonable reason. That maybe they have a point with this claim. And maybe, if you don't want to go through all the courts, then they can still effectively silence the researchers, and the pressure is really enormous. And that was really maybe the most stressful summer that I've ever had. So, who represents university security researchers? People asked me: you are dependent researchers from the university. Why doesn't the university take care of that? And why that works the way it does, I can't really tell you from a legal perspective. There's a Bavarian state employee law and some paragraphs. I don't exactly know what that is for Bavarian civil servants. And I don't really know what it is. And we have no final answer. And maybe the Bavarian Ministry for Science has to work on that. In the case of our university, that hasn't been finally clarified. So, how do you deal with your side jobs, if you do other jobs besides your university employment, pentesting or something like that? How do you deal with that? In this warning letter, it could happen that they say, oh, they have a company, it's a competitor, and much stricter rules apply for them.
And that is quite a critical point. And luckily the judges didn't bring that up and didn't say that. Do they make a competing product? No, they don't, but maybe the danger is still there. So, what would we have liked to have? It would have been very cool if we could cover this risk of being sued by a company. So, if the worst case actually comes to pass, if there is no settlement, or if we have to go through all these five instances, that we don't have to pay for that ourselves. Maybe, yeah, you can get some money back again if you actually win in the proceedings. And, yeah, you can also lose. So, it would be cool if there were some sort of insurance for that. And then, yeah, this is a copyright thing. So, copyright is usually not included, because of all the file sharing that has happened. And if you get sued for infringing on competition, then, yeah, that's also not really included. So, yeah, those are the two things that aren't really covered. So, yeah, it would be cool if there were some kind of insurance policy for that. Then the research institutes, if we could get some support there. Because we didn't quite ... There were a lot of people there who actually made an effort and they really tried. But in the end, yeah, there was some kind of restriction and they couldn't quite go the whole way. And, yeah, there's this feeling that, yeah, there was some kind of resistance here in the system, that they didn't quite want to stand by us. For example, external people, also researchers, students. And also, yeah, some kind of legal protection here. And whether they can also be sued for your research or not. But, yeah, so we thought about that, but we didn't quite want to pursue that avenue. Then it would be cool to have a legal basis for security research, which would ideally allow all kinds of analyses, including decompiling. Because, yeah, we had this copyright issue. In the DMCA, the Digital Millennium Copyright Act, since 2016 there is an exception for security research.
And if we had such an exception, then maybe many legal questions here could be quenched. And we would have more security concerning this issue. Because, yeah, legal people can't really judge all of these technical issues. And that was our talk. Now it's time for questions. First of all, thank you very much for this presentation. Yes, thank you very much for this presentation of your suffering. It's really scary. And now we have a Q&A. Whoever has a question, please come forward to one of the microphones. And I really mean questions 1.0: one sentence with a question mark at the end. So, get close to the microphone. Don't touch it, but get close to it. Whoever has to leave now, please keep quiet, so you don't disturb the rest. Please, microphone number 2. Thank you for this exciting story. Talking about the costs: it is not normal that one side bears all the costs. Could you please give an indication how high the costs were, the costs of the court? So, there is a lawyer cost table here, which is probably not called like that. And that's just how the costs are calculated. And it was like 200,000 euros in the end. And that's just the initial cost estimate. But that's not necessarily what is actually due in the end. And then in the end it's just the costs for the court and the lawyers. Yes, mic number 1. One question that you could answer with yes or no. Were there consequences for one of you with your employment? Yes. Yeah, we are two different teams, and for one of the eight, definitely. There were consequences, but not for us two from a professional perspective. But psychologically, yes, also definitely some consequences. I personally am glad that I actually did that, and I'm also quite happy. Mic three. Did your lawyers ever answer the question whether what was there in the legal text as decompiling was really the same thing that we think of as technicians when we use decompiling?
Is it just pressing F5, or is it just changing the compiled program into another form? Yeah, this is why it's a grey area in security research. That's why we had this figure, because many things might actually fall under decompilation. There is this decompiling paragraph in the law. It actually says yes, it's decompiling, and there are no further details on what is actually understood as decompilation. So I cannot really answer what a lawyer would call decompiling. So disassembly could also be interpreted as that. And that's why a court needs to decide that. So we could only say, yeah, we don't really know if there are any pre-existing decisions here. So that's something that really needs to be cleared up, legally speaking. All we can say is, yeah, opinions, and every judge can decide differently here. There's a question from the Internet. The question is whether students and researchers have a right to an insurance, and it's not really a clear question. So, does everyone have the right to an insurance if they use their own software for looking for security problems? Yeah, it would be really nice if there were an insurance company that could actually insure against these risks. So we had this legal protection insurance. They wouldn't have paid for that exact case, because we took it out afterwards. And we informed ourselves. But yeah, we discovered that even if we had had that legal protection insurance, maybe we would have had the same problem, because those issues are not covered by the policy. And yeah, you should really be able to look at it yourself. But yeah, that law should maybe be changed. The CCC also does something like that: if someone finds data or obtains data one way or another, they also support them. Did you contact the CCC, and how did that work? Yeah, we have different experiences here. I had close contact with the CCC. We also got our lawyers recommended by the CCC. And yeah, two thumbs up for that, if you have something like that.
But from our side: I don't want to denigrate the CCC here. Maybe we had some miscommunication. But yeah, we didn't quite get as much support as we maybe would have liked. The Nuremberg research group was represented by one lawyer, but that lawyer didn't want to represent us. And although these were maybe completely detached experiences here, with another, the exact same case, the lawyer didn't want to do it because of conflicts of interest. So yeah, there was that. Number 1, please. Yes, thank you very much for the presentation. And the question with the unclarified parts: wouldn't it have been nice to really get a precedent and not just settle, in my opinion? In the end, we could only have proven that it's not provable that we didn't decompile. So that is probably the only thing that would have resulted from that process. And maybe we could have lost, and that would have sucked. So yeah. Did you actually mean that the other side, do you think the other side intended to see it through to the end in court? And it was about the technologies, the techniques you can use in security research, so that we would have had a decision on whether they are legal or not. Yes, the problem with this is that we are eight researchers who are also busy with other things. And we also still have some things open with the Technical University. And then you have this long process, two or three years. And we just wanted to get it over with. And I was actually the switchboard, just to communicate everything, and to keep that up over several years would have been a nightmare. And also a big psychological pressure. And with court proceedings, you just want to get the low-hanging fruit. And you go after the small technical things, like a missing paragraph in a document. The document is formally not coherent. And so you don't start with: what is decompilation?
And how is it assessed? We start with: your letters are not correct. So in the end, if we had actually got to decompilation, it is completely open. Okay, time is up. If you still have questions, maybe the two speakers are still around, so please come to the front to talk. Yes, and that was Legally Bad: Grey Areas in Security Research. Your translators were choppy.