Slashdot Mirror


Dutch MP Fined For Ethical Hacking

An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined 750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch)."

122 comments

  1. Showoff Gets Off Easy by Anonymous Coward · · Score: 5, Insightful

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to show off his "1337" skillz.

    1. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 1

      As an MP from the 50plus party we're just happy he knows that technology exists and can be used for evil. That puts him head and shoulders above where we thought they were.

    2. Re:Showoff Gets Off Easy by sabri · · Score: 4, Informative

      That is an excellent summary of the judge's decision. The judge argues that by not contacting the systems administrator upon logging in, but instead making copies of confidential data, they went from white hat to black hat.

      At the same time, the judge argues, the defendant may not have had criminal intentions. So while the "hackers" crossed the line in their efforts to "expose" the bad security, they were not sent to prison as they are not criminals.

      --
      I'm not a complete idiot... Some parts are missing.
    3. Re:Showoff Gets Off Easy by Teun · · Score: 4, Insightful

      No, the worry is how far he could get with just one user ID.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    4. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 3, Insightful

      No, the worry is how far he could get with just one user ID.

      No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.

      But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported the compromised login to the system administrator (or security, etc.) and gone on his way, not used it to see how far he could go.

    5. Re:Showoff Gets Off Easy by plalonde2 · · Score: 5, Insightful

      And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.

    6. Re:Showoff Gets Off Easy by greenbird · · Score: 1

      He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to show off his "1337" skillz.

      Hmmm...he used one patient's password to access and download a number of different patients' confidential information. Yeah, I'd say he exposed a pretty damn severe weakness in the system. It would almost certainly result in fines for whoever was keeping the records under HIPAA/HITECH here in the USA.

      But also, here in the USA he would have probably gotten 50 years at hard labor after being persecuted by some obscenely overzealous prosecutor and being added to whatever secret terrorist lists the government keeps and likely the sex offenders list if there happen to be any medical pictures like chest x-rays.

      --
      Who is John Galt?
    7. Re:Showoff Gets Off Easy by X0563511 · · Score: 5, Funny

      I like this judge. Seems like sound reasoning to me all around, and the sentencing seems entirely fair.

      Can we get this judge to come work in the US? Pretty please?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    8. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      I see several Americans posting along the lines of "he used the credentials that were revealed to him, so he should be punished." Remember that under HIPAA the laboratory would stand to get a lot more severe punishment.

      If he'd picked up the phone and called the lab, they'd have changed their password, and not the procedures that had someone discuss the password in front of a patient that simply had to not go "LALALLALALLA" while overhearing the conversation.

      This is why he is denoted an "ethical hacker". To have any claim whatsoever in trying to show how crap the security is, he needed to extract some data to illustrate the fact. He never revealed this data to the public at all.

      So in effect, while he compromised the integrity of the data storage, he did not compromise the people whose data was stored. I think he did very well. He was punished which may be fair enough since he did compromise personal health data, however there is no story about the lab being punished at all. This is very sad.

      Before assessing whether this guy was right or wrong, please consider the full picture.

      I am replying to a post because I am AC ( I do not have a login for this site, but have been reading it for a decade), my reply does not bear any direct relation to the parent post.

    9. Re:Showoff Gets Off Easy by tompaulco · · Score: 1

      the "hackers" crossed the line in their efforts to "expose" the bad security,

      Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

      --
      If you are not allowed to question your government then the government has answered your question.
    10. Re:Showoff Gets Off Easy by Kaenneth · · Score: 4, Insightful

      Three words:

      Two Factor Authentication.

      A little bit of eavesdropping should not allow unlimited remote access to others medical records.

    11. Re:Showoff Gets Off Easy by tompaulco · · Score: 1

      If he'd picked up the phone and called the lab, they'd have changed their password, and not the procedures that had someone discuss the password in front of a patient that simply had to not go "LALALLALALLA" while overhearing the conversation.

      Of course they would not have changed the procedure, because the procedure undoubtedly already forbids it. The only thing they can do is punish the employee, if they know who it is, and change the password.

      --
      If you are not allowed to question your government then the government has answered your question.
    12. Re:Showoff Gets Off Easy by westlake · · Score: 1, Insightful

      At the same time, the judge argues, the defendant may not have had criminal intentions.

      That argument feels off.

      Traditionally, a jury had to decide whether the defendant was of sound enough mind to understand that he was committing a crime.

      The defendant's ethical standards were not the jury's problem.

      His actions were the jury's problem.

      Ethics are flexible. The law rarely bends. No means no.

    13. Re:Showoff Gets Off Easy by interval1066 · · Score: 3, Insightful

      Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

      Thus we have bad security. It needs to be better. I don't know what the solution is, but a user name/pw is inherently insecure.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    14. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      It is bad security. Good security would be requiring two-factor to log in to the secure system (and I mean real two factor, as in something you know and something you have, not that "what's your mother's maiden name" crap the banks like to use). At the very least, it makes it obvious when there's a potential breach.
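Comments 10 and 14 above argue for a real second factor, "something you have" rather than a second memorised answer. The following is an added example (not code from the thread, the laboratory or anyone in the discussion) of how a server verifies a time-based one-time code as described in RFC 6238 and RFC 4226, including two details that matter in practice: tolerating a small amount of clock drift, and remembering the last accepted step per account so that a code someone overheard or captured cannot be replayed within its validity window. The secret is the RFC 4226 test key so the outputs can be checked against the RFC; the class and function names are illustrative.

```python
"""Server-side verification of a time-based one-time password (TOTP).

Added example, not code from the original thread or from the laboratory.
SECRET is the RFC 4226 test key; names such as TotpVerifier are illustrative.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 test key (ASCII "12345678901234567890"); a real deployment
# generates a random per-account secret and stores it like a password hash.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password, RFC 4226 section 5.3 (dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Holds the per-account state a server needs: the last step it accepted.

    Accepting only steps newer than the last accepted one stops replay of a
    captured code and makes a reused code show up as a failed attempt.
    """

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step, self.window, self.digits = step, window, digits
        self._last_step: dict = {}

    def check(self, account: str, secret: bytes, submitted: str,
              unix_time: int = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        # Reject malformed input before doing any crypto.
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        base = unix_time // self.step
        last = self._last_step.get(account, -1)
        # Allow +/- window steps of clock drift between client and server.
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= last:
                continue  # already consumed (or older than a consumed step)
            expected = hotp(secret, step, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self._last_step[account] = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(SECRET, 59)            # RFC 6238 vector for T=59 -> "287082"
    print("first use:", v.check("drbob", SECRET, code, 59))    # True
    print("replayed:", v.check("drbob", SECRET, code, 59))     # False
```

The password alone, overheard in the lab, would no longer be enough: the second step needs the current code from a device the attacker does not hold, and a code that is used once is dead on arrival the second time. Repeated failed `check` calls for one account are also the natural place to attach rate limiting and alerting.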

    15. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      No, it isn't inherently secure; you can time out repeated guesses and do other things to stop people from just guessing at it with a robot.
      Even with better security...what do you propose that would defeat someone with access accidentally handing access out?

    16. Re:Showoff Gets Off Easy by tsa · · Score: 4, Informative

      We don't have juries in the Netherlands.

      --

      -- Cheers!

    17. Re:Showoff Gets Off Easy by mwvdlee · · Score: 1

      He's not exposing some inherent weakness in the system

      Yes he is; it's users.
      It's not hacking in the modern, limited sense, it's hacking in the traditional sense.
      There aren't some hacking rules that say "you can't use a password if somebody gives it to you".
      If the users can't be trusted with passwords (why were they sharing a password with a colleague in the first place?), provide some other (combination of) methods of identification.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    18. Re:Showoff Gets Off Easy by dshk · · Score: 1

      AFAIK, in Europe the role of the jury is much smaller. If there is a jury at all, it is only a few people, and they alone do not decide about anything; they work together with the judge.

    19. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      I don't know, there's a pretty ugly part here:

      "they were not sent to prison as they are not criminals."

      Why do we assume that a criminal is necessarily so dangerous that they must be locked away? It's pretty clear to me that criminal law in all countries covers a much broader range of activities than really must be met with prison.

    20. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 1

      This "putz" used one user account to access a document which should not have been available to that user account.
      By changing the URL.

      I don't consider this hacking for a completely different reason: this is not hacking in the same way that driving up a one-way street the wrong way is not hacking.
      It's obviously possible, and if the security of your private customer data relies on the fact that no one happens to disregard your street signs, then you're the putz.

      If you prefer an analogy with more wheels: this is like you taking the shopping cart from the supermarket home (e.g., to improvise a BBQ), while the supermarket claims that the fact they have painted tracks for the carts on the pavement should've been adequate to prevent you from doing such a thing. And the supermarket then wants to charge you for the cost of installing measures to prevent the taking of carts.
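Comment 20 above describes the access as one valid login reaching a document that account should never have seen, simply by changing the identifier in the URL. As an added illustration from the defender's side (example code, not from the thread or from the laboratory's system; the users, roles and records are constructed sample data and the function names are illustrative), here is a record lookup that trusts the identifier alone, beside one that checks on every request whether the logged-in account may read that patient's data and writes the decision to an audit log. The audit log also gives the detection hook: one account denied on many distinct record ids is what identifier enumeration looks like from the server.

```python
"""Per-record authorization for a medical-records lookup.

Added example, not code from the original thread or the laboratory.
RECORDS, USERS and the role model are constructed; names are illustrative.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    role: str                                   # "patient" or "clinician"
    patient_ids: frozenset = field(default_factory=frozenset)  # patients this account may read


# Constructed sample data: record id -> (patient id, content).
RECORDS = {
    101: ("P-1", "lab result A"),
    102: ("P-2", "lab result B"),
    103: ("P-3", "lab result C"),
}

# Constructed accounts: a patient who may read only her own data, and a
# clinician whose caseload is P-1 and P-2 (not P-3).
USERS = {
    "alice": User("alice", "patient", frozenset({"P-1"})),
    "drbob": User("drbob", "clinician", frozenset({"P-1", "P-2"})),
}

# (username, record_id, outcome) for every lookup through the hardened path.
AUDIT_LOG = []


def fetch_record_insecure(user, record_id):
    """Weak pattern: a valid session plus a guessable id is enough.

    Nothing ties the record to the caller, so /records/101 and /records/102
    are both served to whoever is logged in. Returns the stored tuple.
    """
    if user is None:
        return None
    return RECORDS.get(record_id)


def fetch_record(user, record_id):
    """Hardened pattern: authorize this user for this patient, every time.

    Denied and missing records return the same value so the response does
    not confirm which ids exist; the audit log keeps the distinction.
    """
    who = user.username if user else None
    record = RECORDS.get(record_id)
    if record is None:
        AUDIT_LOG.append((who, record_id, "not_found"))
        return None
    patient_id, content = record
    allowed = user is not None and patient_id in user.patient_ids
    AUDIT_LOG.append((who, record_id, "allow" if allowed else "deny"))
    return content if allowed else None


def denial_burst(username, threshold=3):
    """Detection hook: one account denied on >= threshold distinct record ids
    is the signature of someone walking through identifiers."""
    denied_ids = {rid for who, rid, outcome in AUDIT_LOG
                  if who == username and outcome == "deny"}
    return len(denied_ids) >= threshold


def count_by_outcome(outcome):
    """Number of audit entries with the given outcome."""
    return sum(1 for _, _, o in AUDIT_LOG if o == outcome)


if __name__ == "__main__":
    alice = USERS["alice"]
    print("insecure path, other patient's record:", fetch_record_insecure(alice, 102))
    print("hardened path, own record:", fetch_record(alice, 101))
    print("hardened path, other patient's record:", fetch_record(alice, 102))
```

The check belongs on the server, per object, independent of what the URL says; hiding the id or making it hard to guess is not a substitute. Whether the clinician's caseload is the right boundary is a policy decision, but whatever the boundary is, the code has to enforce it on each request.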

    21. Re:Showoff Gets Off Easy by mcvos · · Score: 2

      So all in all this is good news? The old-people's party is tech savvy, and the punishment is reasonable and proportional.

    22. Re:Showoff Gets Off Easy by mcvos · · Score: 1

      If one idiot can ruin it, it's not the best security in the world.

      Though of course the idiot needs to lose access for telling others his password.

    23. Re:Showoff Gets Off Easy by mcvos · · Score: 1

      This case wasn't in the US. You're confusing judicial systems.

    24. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      You've made a little logic error there. Nowhere does the statement you've quoted imply that all criminals go to prison, only that all non-criminals don't go to prison. They're not equivalent statements and no one has assumed what you seem to think they have.

      Obligatory car analogy: if someone says "No safe driver drives a white van", that doesn't mean that "All dangerous drivers drive white vans".

    25. Re:Showoff Gets Off Easy by menno_h · · Score: 3, Informative

      For the non-Dutch: the 50plus party defends the interests of people above 50 years of age. I was quite surprised when I saw him on the Dutch news last year, showing off his "1337 h4x0r sk1llz".

      --
      AccountKiller
    26. Re:Showoff Gets Off Easy by turbidostato · · Score: 1

      "So this putz uses a stolen password (...) He claims that this is ethical hacking?"

      Of course yes. "Ethical" in "ethical hacking" is, well, an ethical statement, so all about intention. Are you claiming against his declaration that he did it in bad faith? It doesn't seem so.

      "He's not exposing some inherent weakness in the system,"

      Yes, he is. It's only too common to think that "the system" ends where the computer ends. That's as wrong as it can be: "the system" certainly includes the human factor and the way people use the computer part of the system so, yes, he exposed a flaw in the system and he did it in the least harmful way he could so, again yes, the "ethical hacking" definition can be sustained here.

      All that being said, I think both the representative and the judge did their duty properly: the former showed a flaw in the system, the latter penalized a punishable act in a proportionate way. Civil disobedience is not meant to go without consequences, even if it is the ethical thing to be done.

    27. Re:Showoff Gets Off Easy by EMN13 · · Score: 2

      The username/password in question supposedly were "admin". And it sounds like it was probably overheard because the sharing was routine and the authentication a farce. So perhaps they didn't have a technical problem, but they certainly don't sound blameless.

      I think these kinds of issues are harmful to everyone because they encourage black-hat hacking (which is trivial), and they discourage whistleblowing. It's perhaps not honorable, but obviously many whistleblowers like the attention. But if that's the currency that needs to be paid for better security, it sounds like a pretty reasonable tradeoff. In short: typically the hackee should be fined and shamed, not the hacker, even if the hacker's a jerk. It's not about the hacker after all - he's probably not the person you've entrusted your data to - it's about the responsible party taking responsibility.

    28. Re:Showoff Gets Off Easy by interval1066 · · Score: 1

      You didn't really read my post, did you...?

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    29. Re:Showoff Gets Off Easy by sumdumass · · Score: 1

      I might have missed something, but the alarming part to me was that the MP accessed the patient information by accessing the company's website from outside the building. I agree that the tech in the lab needs access, but would the lab tech at home or the corner coffee shop need access? And if there is a case where someone outside the building needs that kind of access, wouldn't it be better to VPN into the network with a preshared key before allowing that kind of access?

    30. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 0

      Can we get this judge to come work in the US? Pretty please?

      You seem to be under the faulty impression that judges in the US are appointed because they are competent.

      No, he can't come work in the US, he didn't donate anything to the president's re-election campaign.

  2. Krol! by Anonymous Coward · · Score: 0, Funny

    He is Krol, ruler of the planet Omicron Persei 8 and member of the Dutch Parliament!

    1. Re:Krol! by Anonymous Coward · · Score: 0

      Er, no. The ruler of Omicron Persei 8 is Lrrr.

      Please turn in your geek card and nerd badge at the door, thank you.

      PS: Captcha is 'failure'.

  3. Permission is important by Anonymous Coward · · Score: 0

    Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients.

    He didn't have the company's permission. Did he have the patients' permission?
    It doesn't matter what point you're trying to make; you are not allowed to do things you're not allowed to do.

  4. Civil Disobedience by Anonymous Coward · · Score: 1

    is still disobedience. Accepting the punishment is something to think about before you decide to break the law for your cause.

    1. Re:Civil Disobedience by Anonymous Coward · · Score: 0

      That's a catch-all excuse for authoritarianism.

    2. Re:Civil Disobedience by TapeCutter · · Score: 1

      Bullshit. If you don't respect the rule of law as a pillar of civilization you're not even in the same game.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    3. Re:Civil Disobedience by Anonymous Coward · · Score: 0

      Bullshit. If you don't respect the rule of law as a pillar of civilization you're not even in the same game.

      So Rosa Parks deserved to be punished?

    4. Re:Civil Disobedience by Anonymous Coward · · Score: 0

      Deserve is a strong word.
      It was definitely the correct decision (at the time) that she was punished. If she hadn't been, we might as well never convict anyone ever again, for whatever they did, for it might become legal one day.

    5. Re:Civil Disobedience by Anonymous Coward · · Score: 0

      Why is it illegal? Because it's bad!
      Why is it bad? Because it's illegal!

    6. Re:Civil Disobedience by tompaulco · · Score: 3, Informative

      So Rosa Parks deserved to be punished?

      Breaking an unjust law to call attention to it doesn't alleviate the consequences of it. Despite what the history textbooks say, Ms. Parks was not just a random black woman who decided to make a stand. She was carefully groomed, the act was carefully planned and timed, and she was more than aware of what the consequences could be. She was likely prepared to end up a martyr. As luck would have it, she didn't have to.

      --
      If you are not allowed to question your government then the government has answered your question.
    7. Re:Civil Disobedience by LordLimecat · · Score: 1

      Breaking the law is always "bad". The only question is whether not breaking it would be a worse evil.

    8. Re:Civil Disobedience by History's+Coming+To · · Score: 3, Insightful

      Rosa Parks did what she did knowing she would be punished, that's the whole point of civil disobedience. You do what you believe to be right and in the process force the judicial system to punish you in public, exposing a flaw in the system. If Rosa Parks hadn't kicked up the legal fuss she did then she wouldn't have had an impact that would still be discussed on internet fora decades later.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    9. Re:Civil Disobedience by sumdumass · · Score: 1

      Rosa Parks is actually an example of someone who did think it through beforehand. She clerked for a lawyer and previously secured the support of him as well as a/some civil rights groups. Her decision to act might have been entirely her own, but she was comforted in knowing she wasn't alone in making it.

  5. Where did he get the password? by Anonymous Coward · · Score: 1

    I got the password from your father's brother's nephew's cousin's former roommate. What does that make the laboratory's security system? Absolutely nothing.

    1. Re:Where did he get the password? by Anonymous Coward · · Score: 0

      What's the password?
      12345
      That's amazing. I've got the same combination on my luggage!

  6. Slap on the wrist by Anonymous Coward · · Score: 0

    And all he got was a slap on the wrist for still breaking the law.

    Seems fair.

  7. Personally I like... by Anonymous Coward · · Score: 0

    the slap on the wrist fine.

    Wonder if a politician in the US did that, would they get a fine, jail time, or have it swept under the rug?

    And what if some non-political schmuck did it?

    15-50 years?

  8. He had other options. by jklovanc · · Score: 1

    He could have sent the user id and password to the company stating how he had obtained it and the company would have been made aware of the situation. Instead he decided to be flashy and break the law.

    1. Re:He had other options. by Anonymous Coward · · Score: 0

      Ehm, he did that and was ignored by the company; he was fined for going to the press directly instead of waiting 6 weeks.

    2. Re:He had other options. by Anonymous Coward · · Score: 0

      I doubt that would have had the same result...

      1) Receive email/letter with login details
      2) Change password
      3) Deny lax security
      End of story or...
      4) Discredit the politician
      5) Call in law enforcement for attempting to gain unauthorized access or illegally obtaining confidential data.

      Either way it ends with the politician looking bad at worst, useless at best and the people responsible for security holes absolving themselves.

    3. Re:He had other options. by Anonymous Coward · · Score: 0

      Ehm, he did that and was ignored by the company; he was fined for going to the press directly instead of waiting 6 weeks.

      He was fined for using the login credentials to gain access to the system.

    4. Re:He had other options. by jklovanc · · Score: 1

      Reference please. I don't see anything in the article about him informing the company he had the credentials before he used them. According to the article he used the credentials and reported the results to a media outlet.

  9. Any right way to do this? by Nukenbar · · Score: 2

    If you ask permission from the site to pen test, they are probably going to say no.

    If you are a "so called" ethical hacker, whatever that means, and do it anyway, who is to say you don't find something valuable and keep it? Maybe you are only "ethical" when you don't find something valuable and then use the experience as free advertising.

    The nominal fine seems reasonable.

    1. Re:Any right way to do this? by VortexCortex · · Score: 1

      If you ask permission from the site to pen test, they are probably going to say no.

      If you are a "so called" ethical hacker, whatever that means, and do it anyway, who is to say you don't find something valuable and keep it? Maybe you are only "ethical" when you don't find something valuable and then use the experience as free advertising.

      The nominal fine seems reasonable.

      Perhaps the right way to do it would be to mandate sites that deal in medical information be pen tested by reputable hackers who offer such services.

  10. That's how civilized countries do it! by Anonymous Coward · · Score: 5, Insightful

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

    1. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      Yeah, I'm sure if a Congressman in the 'States did it he'd be slapped with all those things.

    2. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      there's no 10 million euro claims for damages in the US either, so we must be at least as civilized as you think you are.

    3. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      The average congressman would struggle to write his own e-mail.

    4. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      The congressman in the 'States wouldn't know how to do such thing. Instead, he would pay for the son of his illegal immigrant house cleaner to do the hacking, then when they get busted run through harsher penalties for illegal immigrants.

    5. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      Yeah, it would be 13 325 000 dollars because your currency is going downhill every day.

    6. Re:That's how civilized countries do it! by steelfood · · Score: 2

      First of all, he's an MP, so the fines are going to be much less than say, a poor nameless student. Second, this may cost him the re-election (or it may not, who knows), in which case the punishment would be much more than simply ~$1000.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    7. Re:That's how civilized countries do it! by tompaulco · · Score: 1

      Yeah, it would be 13 325 000 dollars because your currency is going downhill every day.

      Ah, yes. Disinformation is so funny. What's even funnier is how the Euro was the strongest against the dollar 5 years ago, and ever since that time, the Euro has been losing ground against the dollar.

      --
      If you are not allowed to question your government then the government has answered your question.
    8. Re:That's how civilized countries do it! by tsa · · Score: 3, Informative

      No and no. All people are equal before the law here, and the guy is quite popular so this will not cost him many votes.

      --

      -- Cheers!

    9. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      Yes, we in the EU are *EXTREMELY* amused about the aftershock of the 2008 USA Credit Default Swap/Subprime Mortgage circus. Thanks a lot for that entertainment.

    10. Re:That's how civilized countries do it! by Anonymous Coward · · Score: 0

      Talk about disinformation. Check your facts!

    11. Re:That's how civilized countries do it! by tompaulco · · Score: 1

      Thank you for the chart. It does indeed prove my point that the Euro was strongest against the dollar 5 years ago, and the USD has been trending up ever since.

      --
      If you are not allowed to question your government then the government has answered your question.
  11. The smart thing to do would be to publish the info by Anonymous Coward · · Score: 0

    Then you're not actually doing it.

    Though the smart thing to do would be to post it anonymously, or in some venue where you can't be held accountable, or redact the dangerous parts.

    For example, if I were a US Congressperson, I'd say it there, and then the only people who can speak on it would be other Congress people.

  12. Not ethical hacking by Anonymous Coward · · Score: 1

    He downloaded, viewed and printed medical data from several people. That was more than needed to prove his point. Besides that, he made very little effort to contact the company to get the problem fixed and published almost right away.

    The judge explicitly explained that the "hacking" itself was good, but it was the way he handled it that was not ethical, and that is why he was fined.

  13. Re:Ah. by cgimusic · · Score: 2

    I asked if they could put me through to Anonymous Coward but they didn't seem to know who you were. xD

  14. 750 (US$1,000)? by Anonymous Coward · · Score: 0

    Wow $750,000 seems a little steep...

    1. Re:750 (US$1,000)? by corychristison · · Score: 1

      Wow $750,000 seems a little steep...

      I see what you did there.

  15. Hacking by BradleyUffner · · Score: 0

    Using someone else's username and password is NOT hacking.

    1. Re:Hacking by Shinobi · · Score: 1

      Yes it is.

      Hell, one of the primary goals of hacking, from the start of computer/network related hacking, was to get hold of someone's username and password, which included keylogging, dumpster diving, conning people to reveal their usernames and passwords etc.

    2. Re:Hacking by Anonymous Coward · · Score: 0

      NO IT ISN’T!

      By your non-logic, asking my company's network admin for my own password is "hacking".
      You're confusing so many things, phreaking, phishing, cracking, hacking, etc, etc, etc, it's not even funny.

      And I didn't even mention the whole hacker vs. cracker confusion, that you probably never knew of.
      Here is the fucking original definition of a hacker: http://catb.org/jargon/html/H/hacker.html
      And here is the fucking original definition of a cracker: http://catb.org/jargon/html/C/cracker.html
      Which is what you meant in your confusion.

      He didn't break shit! He opened a door with a key somebody gave to him.
      Saying he broke something is like saying somebody broke a window by opening it.

      But I bet you never even heard of the Jargon File, did you?

      Kids these days...

    3. Re:Hacking by DarwinSurvivor · · Score: 2

      He was able to access multiple patients' records using one patient's username & password. That should NOT be allowed by the system in any way.

    4. Re:Hacking by Slippery_Hank · · Score: 1

      He used a psychiatrist's password, which was overheard by a patient. Still not a good system, but not as bad as if any patient's username/password could be used.

  16. WTF HAX! by Anonymous Coward · · Score: 0

    Nobody is hacking n00b! It's called skills.lol. Learn2play. drool drool duhhhh.

  17. This isn't "Hacking" by Anonymous Coward · · Score: 0

    How did he "hack" anything? He used a username and password that someone gave him after overhearing it from someone else. It's not like he identified an SQL injection vulnerability that allowed him to dump a db or an XSS vuln that compromised an admin account. He just logged in.... wow, that's some real high profile hacking there! sheesh!

  18. Head in sand by gmuslera · · Score: 3, Insightful

    Make it illegal to get warned that you are insecure and you will deserve to be raped by unethical hackers. It's pretty much like suing the ones that could predict quakes, making sure that no one, ever, will warn you till it's too late.

    1. Re:Head in sand by Solandri · · Score: 4, Informative

      If you read TFA, the judge's decision is quite a bit more nuanced than the summary makes it out to be:

      The court, however, agreed with Krol that the detection of defects in the protection of confidential, medical data can serve a substantial public interest. Krol said he acted as a journalist and ethical hacker at the time of the breach.

      The fact that he logged into the website and consulted some files was not unlawful, the court said. Similarly, downloading and printing the files to demonstrate the failures and scale of the security risk are defensible, it added. Krol also handled the information carefully because he redacted the printed files, the court noted.

      It was however disproportional that Krol proceeded to view and print more files than necessary to prove his point, the court said. In addition, he should have given the laboratory more time to fix the problem and should have tried to contact them more than once before he informed the media, the court said.

      Krol only knew of one employee that acted carelessly with login information. "Therefore, the problem was not so acute that immediate use of media was necessary," the court said.

      Sounds like the Dutch have some good judges exercising common sense on this issue.

    2. Re:Head in sand by jklovanc · · Score: 1

      If you look into the earthquake issue it was not for failing to predict the earthquake, as the headline says, but was for not correcting a spokesman who stated that, since there had been a number of minor earthquakes in the region, the stress in the fault had been relieved and there was no chance of a large earthquake. They were convicted because a number of other scientists confirmed that such a statement was patently false. That caused many people to not take precautions and many people died because of it. Had the statement been "There is a decreased risk in a large earthquake occurring", a true statement, they would have been in the clear.

    3. Re:Head in sand by Anonymous Coward · · Score: 0

      There is a second organisation in Holland which has power when dealing with privacy data, CBP. It can deal with you when inappropriate security measures are taken in an organisation.

    4. Re:Head in sand by Anonymous Coward · · Score: 0

      We do. It's only when our branch office of the RIAA/MPAA gets into it that judges get confused.

    5. Re:Head in sand by 1s44c · · Score: 1

      Sounds like the Dutch have some good judges exercising common sense on this issue.

      Not at all, they just have the polar opposite of the US legal system.

      US: Looked funny at a policeman you say? Lock him up and throw away the key.
      Netherlands: Killed 8 people in cold blood you say? Well, he said he was sorry, so put him in a minimum security prison for a week. Make sure he has a widescreen TV and a PlayStation so he isn't sad.

    6. Re:Head in sand by Anonymous Coward · · Score: 0

      Even though some may find his point to be funny, I'm from the Netherlands myself and have to agree with the point he makes.

      As always, it is much more complex than that. It is not the time and place to go into a full discussion about (relative/absolute) (non)ethics and the need(?) of laws and such, but I do want to add some Dutch-specific examples for U.S. persons (citizens? Citizens?). This set of examples is not exhaustive by any means and is in itself not an argument for the claim "The Netherlands has weak/soft laws [compared to some other set of laws]".

      The sites are in Dutch, but /. would know how to use Google Translate and know it won't be perfect, I suppose.

      1. Case of "Pascal Keijzer" (name)
      Summary in English (mine): "Pascal (16) sells cocaine to Emile (36) and Michel (40). Emile and Michel are not satisfied with the quality of the cocaine. The three men exchange words, when Emile stabs Pascal in his neck. Pascal falls to the ground. After letting Pascal bleed, Emile drives over the body of Pascal with his car. Talking it over with Michel, they decide to drive over Pascal again".

      http://www.moordzaken.com/Uitspraak_Pascal_Keijzer (full Dutch judge text)

      Point relating to parent post: The court found that Emile and Michel decided to kill Pascal and planned it. It also found that they were not mentally ill (and yes, I know...). In the end, Emile is jailed for 15 years, Michel is jailed for 8 years (accomplice). After that, they are free men again. In many cases, they get out after only completing half their time. Common knowledge for Dutch people.

      Some other links to cases like that, but you will have to do the reading/translating :)

      Called the Facebook-murders here; a man stabbed a girl and her father to death because of gossip. He got 1 year detention, 3 years in clinic.
      http://gelrenieuws.nl/2012/09/dader-facebook-moord-krijgt-maximale-straf.html

      Man who had alcohol, narcotics and other drugs in his system while driving kills a girl with his car; gets 4 years
      http://pasteurella.blogspot.nl/2009/08/belachelijk-lage-straf-voor-tommy-p.html

      They robbed and shot someone to death and got 5-15 years.
      http://www.nu.nl/binnenland/3203622/in-beroep-te-lage-straffen-overvallers-juwelier.html
      http://www.telegraaf.nl/binnenland/21276586/__Tot_13_jaar_voor_overval__.html

      If you plan to kill someone and then kill him, the maximum sentence is 30 years.
      That's why I think the parent post is correct in some way.

      Compare the murders to some simple tax fraud cases, for example:

      4 years in jail for small tax fraud of some thousand euro (Belastingdienst ~= IRS)
      http://www.ad.nl/ad/nl/1012/Nederland/article/detail/3311586/2012/09/05/Celstraffen-voor-oplichting-Belastingdienst.dhtml

  19. Lucky it's only $1,000 by pele_smk · · Score: 2

    Under HIPAA, he would be fined at least $100 per document he took, hacker or not.

  20. "No it's not!" by Anonymous Coward · · Score: 0

    Your system is easy to hack! People are at risk!
    No it's not
    Yes it is
    No it's not
    Yes it is, look: see? Got proof!
    Yawn... oh, mr. policeman?
    {sound of handcuffs clicking}
    No it's not.

    The end.

  21. Guy should be punished by Anonymous Coward · · Score: 0

    It's not ethical if you don't have permission. If he were ethical, he would have reported the password breach, not tried to be some "hero".

  22. It's not Ethical at all... by EmagGeek · · Score: 2

    If the owner of the system did not hire him to do pen testing, then it is not ethical. Sorry.

    1. Re:It's not Ethical at all... by Fuzzums · · Score: 4, Insightful

      In my opinion, if you report that a system holding confidential information is insecure, that would be ethical.
      If the owner of the system had hired him, then it would have been his job. That's something different.

      --
      Privacy is terrorism.
    2. Re:It's not Ethical at all... by EmagGeek · · Score: 1

      It is not ethical to access a computer system that you are not authorized to access. Period.

      Sorry.

    3. Re:It's not Ethical at all... by EmagGeek · · Score: 0, Troll

      It is not ethical to access a computer system you are not authorized to access. Period. End of story.

      It is no different than breaking into a house to point out the fact that the door can be broken down with enough force.

    4. Re:It's not Ethical at all... by Fuzzums · · Score: 1

      An example: Watergate.
      Stealing and leaking documents: illegal, but definitely ethical.

      --
      Privacy is terrorism.
    5. Re:It's not Ethical at all... by Anonymous Coward · · Score: 0

      Sorry.

      As you should be. Go play with your emags, AsshOLe.

    6. Re:It's not Ethical at all... by EmagGeek · · Score: 1

      It's a poor example, because it was not ethical.

    7. Re:It's not Ethical at all... by Fuzzums · · Score: 1

      Since you disagree with my examples, I'm curious what you would consider ethical.

      --
      Privacy is terrorism.
    8. Re:It's not Ethical at all... by 1s44c · · Score: 1

      It is not ethical to access a computer system that you are not authorized to access. Period.

      Sorry.

      It's ethical if you don't have authorization in the form of a valid login but you have the owner's permission to test security.

      That wasn't what happened here though. This man's actions were the criminal, unethical actions of a jerk. He should have been jailed.

    9. Re:It's not Ethical at all... by Fuzzums · · Score: 1

      Iraq. Didn't even have the owner's permission to test security. Criminal. Unethical. Should be jailed. Both.
      I wouldn't call them jerks. I'd rather stick to the facts.

      --
      Privacy is terrorism.
  23. Here, it'd be 10 years by Myria · · Score: 1

    In the US, he'd probably get 10 years in Club Fed. Mike Tyson went upstate for only 3 years for rape, so we know the priorities of our justice system.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  24. For who, now? by snerdy · · Score: 1

    breaking and entering the system of the Dutch medical laboratory Diagnostics for You

    Hey, I never asked him to do anything!

  25. He's an MP. by Anonymous Coward · · Score: 3, Insightful

    If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.

    1. Re:He's an MP. by Anonymous Coward · · Score: 4, Insightful

      I don't think anyone capable of pulling this off could become a senator or congressman in the US.

    2. Re:He's an MP. by russotto · · Score: 4, Insightful

      Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

      We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.

  26. Ethical? by Fuzzums · · Score: 0

    Exactly what part of using an overheard user name and password to access patient information is ethical?
    I nominate him for the Captain Obvious award for showing a valid user name and password combination gives access to a server.

    --
    Privacy is terrorism.
  27. To add a little gory detail... by thrill12 · · Score: 3, Insightful

    ...the justice department (yes, you read that right) actually had a login to the same database, as was discovered following the news on this particular case. One has to wonder if the official story (needed because of certain convicts that have their records in the same medical DB) is even a valid reason, and why they would even be allowed within 10 meters of such a sensitive and secret (medically speaking) collection of data.
    While Henk Krol is perhaps not a 'true hacker', this does raise a lot of questions with regard to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or, more popular, "Chewbacca") tactic is followed...

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  28. ignant cunts by Anonymous Coward · · Score: 0

    med lab and the judge deserve fucked with jackhammers. dutchbag is shit cream.

  29. Get the details!! by Aethedor · · Score: 4, Informative

    Many of you are probably missing interesting details. The login consisted of a 5-digit number, with a password that was exactly the same! Another fact is that Henk Krol DID try to warn 'Diagnostiek voor U', twice! But they sent him away because 'that was not the way to report it'. He had to do it in writing. He also contacted two other governmental organisations responsible for organisations like 'Diagnostiek voor U', but they also sent him away saying it was not their problem. Henk Krol was not fined for the actual hacking, but for going to the press too soon. Come again...?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:Get the details!! by Anonymous Coward · · Score: 0

      According to the judge, he only contacted the lab once, and the second point was that he downloaded and printed way too much just to prove he had access. So in the opinion of the judge he acted disproportionately: he was quick to contact the press (within a week) while, as far as he knew, only one employee was making mistakes. So the judge didn't make it a criminal offence and gave a tiny fine to bring the point home that yes, you are allowed to download and print some stuff to prove your case, but downloading large amounts of privacy data is pointless and going too far.

    2. Re:Get the details!! by 1s44c · · Score: 1

      If I happen to be behind you in the ATM queue and warn you that your PIN is 1234, and you tell me to get lost, am I then justified in stealing your card and withdrawing money?

      This man committed criminal actions and should at least be given a short jail term or a reasonable fine.

    3. Re:Get the details!! by Aethedor · · Score: 1

      An ATM is not the same as a system holding medical records. Making a comparison doesn't prove anything.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  30. Not ethical by Anonymous Coward · · Score: 0

    You aren't "ethical" just because you say you are. If you do not have permission and you are breaking into computer systems, you are not an "ethical" hacker.

  31. Re:He had other options - Not really by scsirob · · Score: 2

    He was in a radio interview for Dutch Radio 2 this morning. He claims that he did contact the company and they replied that they were not interested, and if he had a complaint that he should write them a letter. That will take weeks, meanwhile leaving the door wide open for others to get unauthorized access to confidential patient records.

    He was fined because the judge thought he retrieved more records than necessary to show the issue. During the interview he claimed that he did this to show that with this single user account he could get records from patients who were not with this doctor. During discovery it turned out that anyone with access to the system had access to pretty much all records. Even support people from the company that maintains the system had access to patient records. That's a pretty big f*ckup.

    We have discussions here about a national health record system. It is this kind of lame 'security' that makes a lot of people not want to participate, including myself. A country-wide central health record is a goldmine for insurance companies, at the expense of the people. Also, the system is supposedly developed by a company with roots in the USA, and US law would allow the US government to snoop in our database. Let's just say I pass...

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  32. What's with the small fine? by 1s44c · · Score: 0

    Man commits a computer crime, man happens to be an MP, man gets a tiny fine.

    The only news here is that this criminal only got a tiny fine.

  33. Re:He had other options - Not really by jklovanc · · Score: 1

    During the interview he claimed that he did this to show that with this single user account he could get records from patients who were not with this doctor.

    When someone dies because a patient's physician is not available and the records cannot be accessed, I bet you will have a different opinion about this issue. I would rather have all doctors have access to my records, but I would also like to have my doctor informed when another doctor looks at them. That way my doctor, or more likely his staff, can monitor and question who has been accessing my records.

    Even support people from the company who maintains the system had access to patient records. That's a pretty big f*ckup.

    When an issue is reported and/or a bug needs to be fixed it has to be replicated. How can someone replicate a bug if they do not have the same access as the user reporting the bug?

    It is this kind of lame 'security' that make a lot of people not want to participate, including myself

    Any system that uses user id/password credentials is only as secure as the people who hold the credentials. When users do not keep their credentials secure, it is the user's fault, not the system's. What alternative is there other than educating the people who hold the credentials?

    A country-wide central health record is a goldmine for insurance companies, at the expense of the people.

    It is a gold mine, but to get that gold there would have to be a great deal of data accessed, which would be very obvious and easily prosecuted. I would love a national database that contained my health records. That way, when I am in another province, the attending physician will have access to all my records, which may save my life. The small chance that an insurance company may use my records in a marketing campaign is worth the risk.

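The access-control failure scsirob describes above (one valid login reads every patient's file, support staff included) and the "tell my doctor who looked" audit trail jklovanc asks for, as an added example that is not code from the thread or from the laboratory's system. The patients, clinicians, care-team policy and break-glass rule are constructed assumptions.

```python
"""Added illustration, not code from the thread or from any real records system.

Compares a store where a valid login is the only check with one that requires
a treating relationship (or an audited 'break-glass' override) and keeps an
access log that a patient's own doctor can review.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data: patient -> clinicians who treat that patient.
CARE_TEAM = {"P001": {"dr_ahmed"}, "P002": {"dr_bakker"}, "P003": {"dr_bakker"}}
RECORDS = {"P001": "lab result A", "P002": "lab result B", "P003": "lab result C"}

def weak_read(user: str, patient_id: str) -> str:
    """Weak design from the thread: being logged in is the only check, so one
    leaked account exposes every patient and nobody is notified."""
    return RECORDS[patient_id]

@dataclass
class AuditedStore:
    # Each entry: (user, patient, break_glass_reason, allowed)
    log: List[Tuple[str, str, Optional[str], bool]] = field(default_factory=list)

    def read(self, user: str, patient_id: str,
             break_glass_reason: Optional[str] = None) -> str:
        treating = user in CARE_TEAM.get(patient_id, set())
        # Constructed policy: non-treating staff may read only with a stated
        # emergency reason, and every attempt (refusals too) is logged first.
        allowed = treating or break_glass_reason is not None
        self.log.append((user, patient_id, break_glass_reason, allowed))
        if not allowed:
            raise PermissionError(f"{user} is not treating {patient_id}")
        return RECORDS[patient_id]

    def foreign_accesses(self, doctor: str) -> list:
        """What a patient's own doctor is shown: every successful read of
        their patients' files by someone outside the care team."""
        mine = {p for p, team in CARE_TEAM.items() if doctor in team}
        return [e for e in self.log
                if e[1] in mine and e[3] and e[0] not in CARE_TEAM[e[1]]]

def demo() -> tuple:
    """Runs three reads and returns (log length, what dr_bakker would see)."""
    store = AuditedStore()
    store.read("dr_ahmed", "P001")                 # treating: allowed, logged
    try:
        store.read("dr_ahmed", "P002")             # not treating: refused, logged
    except PermissionError:
        pass
    store.read("dr_ahmed", "P003", break_glass_reason="ER admission")  # flagged
    return len(store.log), store.foreign_accesses("dr_bakker")

if __name__ == "__main__":
    print(demo())
```
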
  34. Ob by Hognoxious · · Score: 1

    If he'd murdered someone for not thinking Allah is the best thing EVAR he'd have been sentenced to 30 seconds picking up litter.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."