Modern Solution created a software platform that is so ass-backwards and treats customer data so casually, it’s almost criminally negligent. Instead of fessing up to how bad they are as a company, they now want to get a security researcher in jail.
I originally had another topic planned, but then I got assigned this story and I think it might actually be interesting for privacy-conscious international audiences, too. So this time, on The Private Citizen, we will be talking about the company here in Germany that is trying to get a security researcher in jail, instead of admitting that they did something very bad with the user data of 700,000 people.
This podcast was recorded with a live audience on my Twitch channel. Details on the time of future recordings can usually be found on my personal website. Recordings of these streams get saved to a YouTube playlist for easy watching on demand after the fact.
The Coding Debacle
Earlier this week, I had the questionable distinction of having to research a story that a colleague had broken a few days earlier. I talked to some sources and wrote this piece and followed it up with an op-ed. But first let’s get into the background of what happened in June:
An independent programmer who was working for a retailer was tasked with debugging software by a German company from Gelsenkirchen called Modern Solution. This company provides a solution that ties independent resellers into the marketplaces of big German online stores like Otto, Kaufland and Check24. These companies run online shopping platforms, but much like international companies like Amazon do, they also allow independent retailers to offer their wares on the platform to diversify their inventory and take a cut of the sale. The big platforms have APIs that independent retailers must talk to if they want to list their wares and get the shipping information for the resultant sales.
Companies like Modern Solution are essentially middle men. They offer to connect the inventory management systems of retailers to all of these stores in one fell swoop, no additional programming necessary. Sounds worth some money, doesn’t it? More customers, more sales, less hassle. Well, the problem is, as our programmer discovered, that the system Modern Solution set up was crap. Instead of using APIs, they set up something that’s so dumb, it’s almost unbelievable.
The software Modern Solution installed at their customers did not talk to the company’s servers using HTTP or another modern protocol like that. It sent SQL commands directly over the wire to a remote server. Unencrypted SQL commands. To a remote server.
But it gets worse. All customers used the same login credentials for the SQL database they were connecting to. Credentials that were unencrypted and hard-coded into the software. In other words: Any of the retailers had access to anything another retailer (and their customers) did. Customer addresses, mail addresses, payment data, what they ordered, where they ordered it, inventory … the works. It is a minor miracle that this never got abused.
When the programmer in question found out about this, he contacted a relatively well-known blogger in the German ecommerce community. The blogger told the inadvertent security researcher to contact Modern Solution about this security vulnerability and the potential data leak. The data leak turned out to affect at least 700,000 customers. The data was available publicly for several years, protected only by a very thin layer of obscurity. Nobody knows if it was ever accessed by spies or criminals, or who has copied it.
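To make the architectural problem concrete, here is an added illustration (not Modern Solution’s code, and not from the original article) of why a client that sends raw SQL with a shared, hard-coded login cannot keep retailers apart, next to the usual fix: an API layer that holds the only database connection and scopes every query to the caller’s tenant. The table layout, retailer names, tokens and order rows are all constructed sample data.

```python
import sqlite3

# Constructed sample data: two independent retailers' orders sharing one table,
# which is the multi-tenant situation the article describes.
SAMPLE_ORDERS = [
    ("retailer_a", "Alice Example", "alice@example.test", "Widget"),
    ("retailer_b", "Bob Example", "bob@example.test", "Gadget"),
]

def build_db() -> sqlite3.Connection:
    """Create an in-memory database standing in for the remote server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (retailer TEXT, customer TEXT, email TEXT, item TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn

def direct_sql_client(conn: sqlite3.Connection, sql: str) -> list:
    """The pattern from the article: every installed client holds the same
    database login and ships SQL text to the server, which executes it as-is.
    Nothing here knows which retailer is asking, so no per-tenant filter is
    possible; the database login is the only access control, and it is shared."""
    return conn.execute(sql).fetchall()

# Hardened alternative (an assumed design, not the vendor's): clients never hold
# a database credential at all. Each retailer gets its own API token, and the
# mapping from token to tenant lives on the server side only.
API_TOKENS = {"token-a-constructed": "retailer_a", "token-b-constructed": "retailer_b"}

def api_list_orders(conn: sqlite3.Connection, token: str) -> list:
    """API endpoint: authenticate the caller, then add the tenant filter
    server-side with a bound parameter so the client cannot widen the query."""
    retailer = API_TOKENS.get(token)
    if retailer is None:
        raise PermissionError("unknown API token")
    return conn.execute(
        "SELECT customer, email, item FROM orders WHERE retailer = ?", (retailer,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("direct SQL, shared login:", direct_sql_client(db, "SELECT * FROM orders"))
    print("API, retailer A token:   ", api_list_orders(db, "token-a-constructed"))
```

With the shared login, the first call returns both retailers’ customer records; through the API, retailer A only ever sees its own rows, and the credential that reaches the database never leaves the server.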
The PR Debacle
When the programmer told Modern Solution, they claimed the vulnerability did not exist. The blogger contacted them as well, providing proof. The company still denied there was a data leak. Then the programmer and the blogger noticed that the server in question had suddenly been turned off. The vulnerability was thus banished. The blogger and programmer decided to go public.
Disclosing the vulnerability a few hours after reporting it – albeit after the vulnerable server had gone offline, which removed the danger – was a questionable move, it can be argued. Usually, responsible security researchers and press give companies more time. But it can also be argued that it was laudable to inform the public, especially after the company’s response made it pretty clear that no constructive interaction was forthcoming from them for the foreseeable future. Technically, this was an ethical disclosure. The problem was fixed by the time the researcher went public. It was also, ethically and morally, in good faith.
The vulnerability was publicly reported by the blogger on 23 June. On 15 September, police raided the home and office of the programmer and seized a desktop computer, five laptops, a smartphone and five external storage devices – leaving the programmer without any equipment to do his job with. The equipment is still being analysed by police.
The programmer was raided after a complaint by an unknown party under the amendments to § 202 StGB, collectively known as the Hackerparagraf. They make it illegal to access a computer system you’re not allowed to access, especially if you circumvent any kind of access control to do so. This complaint was clearly meant to punish the inadvertent security researcher – his gear was seized, whether an indictment will be forthcoming or not (which is questionable).
The original Golem story was about this raid and I followed it up with my take after having thoroughly researched it. What made me so mad that I wrote an op-ed about the topic is the way in which someone, and it looks very much like someone from the Modern Solution corner to me, is trying to use the state and its power of seizure to do their dirty work here and to punish a well-meaning individual. If the police are raiding that guy (essentially a whistleblower), the next thing will be raids on journalists reporting on the story. And all just because the guys running this company can’t eat humble pie and fess up to fucking up big time.
Funnily enough, there was a guy in the forums at Heise, who sounded very much like an insider at Modern Solution to me, who tried to turn the discussion onto the disclosure timeline and how much time I gave the company to respond, instead of onto how this company was borderline criminally negligent in protecting user data. I’ve summarised my replies to his bullshit on my blog. All of this just makes me angry. These people would rather put an innocent person in jail, or at least possibly fatally disrupt his business, instead of apologising to hundreds of thousands of people whom they hurt by being total assclowns, writing code that any high school student would get a fail on in their assignment. They shoot at this guy who was a bit eager in his disclosure and at the press, instead of considering the consequences of their actions like adults. I fucking hate people like this. And I don’t use that term lightly.
The police and state attorney would do well to fold this whole investigation as soon as possible. Instead, Modern Solution should be investigated. And possibly shut down. For being criminally incompetent. Fucking SQL queries unprotected over the wire, hardcoded, with one login. Fucking hell.
Producer Feedback
An anonymous listener writes:
Every couple of years, I tighten up my privacy and security. It’s an ever-evolving battle. Today I have a custom uBlock Origin ruleset that exceeds 700 lines and hardened Firefox. I keep up with privacy-specific news that give countermeasures to the new ways it is infringed. I also have a backup strategy where nearly everything is end to end encrypted, though it doesn’t beat a $5 wrench.
And yet, I nearly wrote this from GMail on Windows. I don’t have controversial political opinions and I have never been to a protest. In the Khmer Rouge state or the Third Reich, I would probably have been a quiet bystander. This is difficult to admit, but it’s the truth that I, and my opinions, are unremarkable and would never get me persecuted. I believe this applies to most people. My interest in privacy was triggered by insane people on the internet doxing and harassing me, not from state persecution. With that in mind, I have been making some compromises. I’ve started playing games again. I know that you do too! And I wanted to ask what compromises you accept in your own life, especially as someone who’s more likely to be targeted by police and the state.
The obvious example is using Microsoft Windows, and I say this because I know you were a full-time Linux user in the past. You also use social media, but of course you need that to publish your content and I imagine you log out of Google after uploading things to YouTube.
So my question is, how do you perceive your “compromises”, and have you seen your stance change with time? I used to watch a guy called Bryan Lunduke, in the Linux space. Lunduke steadily became more of a Free Software and privacy fanatic, being offline for most of the time. He eventually put his money where his mouth is, and even erased his highly successful YouTube Channel! He credits most of this to becoming a dad and having serious problems with the promotion of Google Docs at his kids’ school. So along those lines, how do you think your personal stance toward privacy could evolve in the future?
One additional question: I was personally a Linux user too but left it because I enjoyed games too much, and upgrading from Mint became impossible at one point in 2015.
A new handheld called the Steam Deck has been announced. Valve has promised that Proton (which runs Windows games on Linux) will be compatible with EVERY Windows game before the end of this year, including the anti-cheat components which have historically been a problem. This could actually bring us the “Year of the Linux Desktop”! Will 2022 be the year you return to Linux – for privacy but without giving up cool proprietary games?
If you have any thoughts on the things discussed in this or previous episodes, please feel free to contact me. In addition to the information listed there, we also have an experimental Matrix room for feedback. Try it out if you have an account on a Matrix server. Any Matrix server will do.
Toss a Coin to Your Podcaster
I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.
You can also support the show by sending money via PayPal, if you prefer.
This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.
Thanks and Credits
I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show. This is why I am thankful to the following people, who have supported this episode through Patreon and PayPal and thus keep this show on the air:
Georges, Steve Hoos, Butterbeans, Jonathan M. Hethey, Michael Mullan-Jensen, Dave, Michael Small, 1i11g, Jaroslav Lichtblau, Jackie Plage, Philip Klostermann, Vlad, ikn, Bennett Piater, Kai Siers, tobias, Fadi Mansour, Rhodane the Insane, Joe Poser, Dirk Dede, m0dese7en, Sandman616, David Potter, Mika, Rizele, Martin, avis, MrAmish, Dave Umrysh, drivezero, RikyM, Cam, Barry Williams, Jonathan, Captain Egghead, RJ Tracey, Rick Bragg, D, Robert Forster, Superuser, Noreply and astralc.
Many thanks to my Twitch subscribers: Mike_TheDane, jonathanmh_com, Sandman616, centurioapertus, BaconThePork, m0dese7en_is_unavailable, l_terrestris_jim, Galteran and redeemerf.
I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.
Podcast Music
The show’s theme song is Acoustic Routes by Raúl Cabezalí. It is licensed via Jamendo Music. Other music and some sound effects are licensed via Epidemic Sound. This episode’s ending song is Don’t Wanna Be Dead Anymore by Coma Svensson and Van Psyke.