Makes you wonder if the investigators discovered this independently, or decided to maybe ask the hackers already involved in defending against them for help...
I'm not deep into the topic, but AFAIK there generally isn't a warm connection between the CCC and the BND in Germany (in recent years mostly due to the BND's involvement in spying on German citizens, but I think there is also deeper history there). If a hacker collaborates with the BND they do run a risk of many of their peers not wanting to collaborate with them anymore.
It also has something to do with the so-called "Hackerparagraph" [1] under which whitehat hacking is basically impossible in Germany. Even writing a program that could potentially be used for hacking is a crime. If you followed the law word for word the authors of e.g. curl could be charged under this law.
> If you followed the law word for word the authors of e.g. curl could be charged under this law.
They really couldn't. BVerfG (Germany's constitutional court) has clearly said that dual use tools have a presumption of not being tools to break the law. It's been very clear that mens rea matters. And that a narrow reading of the law is the only constitutional reading.
The problem here is taking "word for word" as "by dictionary meaning", which is never how laws are read.
It's still a problematic law (together with §202a/b) because it doesn't clearly carve out space for grey-hat activities (white-hat attacks with authorization really don't fall under it even with creative reading).
On the upside, Germany is considering fixing that. On the downside, it moves with the speed of classic German bureaucracy and has been "discussed" since 2024.
> The problem here is taking "word for word" as "by dictionary meaning", which is never how laws are read.
Back in the days of "smart contracts" and "DAOs" this was something many well-meaning technical people struggled with. Humans and their societies are flexible and therefore laws must be flexible as well (to a certain degree before it becomes damaging).
It's also why a lawyer/expert is usually recommended when engaged with legal matters: We as laymen lack all the context around seemingly "simple" concepts, procedures and definitions. You can learn all of that or hire a professional.
Isn’t that by design so governments can prosecute citizens they don’t like? For example, curl is probably ok but that one annoying Kim Dotcom guy is probably going to catch a case under some dubious law.
In the Pirate Bay case, one of the laws cited by the judges was a law written to target biker bars and their owners. It only takes a bit of creative work to bend laws and prior cases to match an already made conclusion, if that conclusion has enough political support.
In that way, I don't really think the government needs to design laws to have loopholes in them. With enough political pressure they can get the judges to make any decision they like.
Some countries find such creative ways to stifle innovation while they look to be caring about safety or whatnot.
I'm not sure white-hat hacking is broadly compatible with German culture. Keep in mind that going bankrupt in Germany permanently closes off lots of avenues, from future lending to whether you can be in senior management at a public company.
Bankruptcy does not usually permanently bar you from loans or holding senior management positions; there are temporary restrictions, unless grossly negligent. But your point still stands I guess, when compared to the US.
> There (...) isn't a warm connection between the CCC and the BND in Germany
Fun fact: In the 1990s, the CCC e.V. was declared a terrorist organization by the BND. Also, a lot of members have been sued for Landesverrat (high treason) for disclosing found vulnerabilities and/or doing journalistic work.
For example, the netzpolitik guys have been sued for high treason twice.
Just as a side note on how competent the German state is to use their existing talent to work on issues in cyber security.
> If a hacker collaborates with the BND they do run a risk of many of their peers not wanting to collaborate with them anymore.
Another fun fact: There is no effective witness protection program in Germany. You have to have been attacked almost murdered twice (with legal cases leading to prosecution) before you can apply for the witness protection program.
And they're asking themselves why all the witnesses in high profile cases from Europol/Interpol keep disappearing ...
Well, at least the German state can collaborate with Russian agents in projects like Wirecard and not violate any laws when threatening journalists reporting on its collaborations.
It's very difficult to stop them doing this. The extent to which it happens varies a lot, and some countries and places have a much worse problem than others, but fundamentally if you "cause trouble" to "respectable people and companies" you're going to get hassled by law enforcement. Yes, the sarcasm quotes are important.
Sadly, there is a rift now since quite a few hackers are left leaning and therefore are by definition activists.
The 80s and 90s were the last time when hacking was a means to an end. The C64 and Amiga scene had skinheads showing up at copy parties but no one cared really.
Some were a bit unsure but the moment they talked about their craft there was no divide but hacker spirit.
In recent years this would be unimaginable. And guess what? Talking to each other made the skins disappear.
It was more of a niche expression without doing harm. Poppers, Goths, Teds, Rockers - in comparison to today there was more unity than today.
Hooligans were the same. Many local groups that fought each other due to political stances befriended each other later because it was more of a ritual than ideology.
It is a bit sad because politics doesn’t belong to hacking, and never did.
Hacking is Boolean only in the sense of it either works or it doesn’t. Or does a computer care about left or right?
And BTW that’s why I find local attempts in Europe for “Go EU” pathetic. It is about ideology, not improvement.
Computers don't care whether they are used for good or for evil. I would rather have a culture that encourages using computers for good, and there is nothing sad about such a culture existing. Computers are already used for evil on a much larger scale by Meta, Palantir, etc.
Putting someone on a (most) wanted list is "doxing"?
[Edit] "An international search is underway for Daniil Maksimovich SHCHUKIN on suspicion of numerous counts of gang-related and commercial extortion using ransomware to the detriment of commercial enterprises, public facilities, and institutions."
Yeah, I’m not okay with this. Doxxing is a term with an extremely negative connotation and is often done to people who, bluntly, weren’t hiding or doing anything wrong. The correct term for the same act here is either “accuse” or “unmask”.
> Putting someone on a (most) wanted list is "doxing"?
No, if they just put UNKN on the most wanted list, then it wouldn't be doxing. But then they also tie UNKN together with "Daniil Maksimovich Shchukin", and that's the doxxing, regardless of whether or not it's on a most wanted list.
How is "this is the name of the formerly anonymous extortionist" doxxing?
Unless there's something not covered in the article, his current address, family members, phone, etc. were not listed. That's not doxxing; that's "here's a guy we want to arrest."
I think people are getting stuck on the concept of the word doxing here. In anonymous online hacking circles, the idea that you're exposing anyone's OPSEC at all is considered basically doxing. People do it regularly, but it's seen as a clear indication of being an enemy.
Some take a "full disclosure" style and expose all OPSEC failures instantly and transparently, because otherwise people seem to collect OPSEC failures and make it seem to be extortion itself, like saying "hey remember that time you signed off with your real name?" or "I know your clearnet address"
Since when does putting criminals on official wanted lists count as doxxing?!? If they want their information taken down they just have to show up in court.
Some of the comments here (and lately on HN in general) are very concerning to me. Are we really going to pretend that people accused of real crimes shouldn’t be arrested, charged and, if found guilty, have an appropriate sentence? It doesn’t take many more than 2 brain cells rubbing together to see that that won’t end well. Whataboutism, political differences, and even real injustices in my opinion do not make this a reasonable position.
These groups typically exploit unpatched vulnerabilities and exposed credentials. Most companies don't discover they're vulnerable until after a breach. Regular security audits are the only real defense.
1: https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hen... [de]
https://ansuz.sooke.bc.ca/entry/23
> but AFAIK there generally isn't a warm connection between the CCC and the BND
nor should there be.
Similar to how us American hackers have a huge dislike and distrust of the FBI.
Your own law enforcement agency will lie to you, manipulate you, raid you, extort you, and imprison you over bullshit.
But this is not how it should be. And not all law enforcement agencies are like this.
Apparently they had not been contacted.
Also talk about a headline that would mean absolute gibberish just a couple decades ago.
Identifying a criminal is ethical.