Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dutch MP Fined For Ethical Hacking

Posted by Soulskill on from the dutch-politicians-apparently-have-skills dept.

An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined 750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch).'"

15 of 122 comments (clear)

  1. Showoff Gets Off Easy by Anonymous Coward · · Score: 5, Insightful

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to showoff his "1337" skillz.

    1. Re:Showoff Gets Off Easy by Teun · · Score: 4, Insightful

      No, the worry is how far he could get with just one user ID.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 3, Insightful

      No, the worry is how far he could get with just one user ID.

      No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.

      But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported the compromised login to the system administrator (or security, etc.) and gone on his way, not used it to see how far he could go.

    3. Re:Showoff Gets Off Easy by plalonde2 · · Score: 5, Insightful

      And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.

    4. Re:Showoff Gets Off Easy by Kaenneth · · Score: 4, Insightful

      Three words:

      Two Factor Authentication.

      A little bit of eavesdropping should not allow unlimited remote access to others medical records.

    5. Re:Showoff Gets Off Easy by westlake · · Score: 1, Insightful

      At the same time, the judge argues, the defendant may not have had criminal intentions.

      That argument feels off.

      Traditionally, a jury had to decide whether the defendant was of sound enough mind to understand that he was committing a crime.

      The defendant's ethical standards were not the jury's problem.

      His actions were the jury's problem.

      Ethics are flexible. The law rarely bends. No means no.

    6. Re:Showoff Gets Off Easy by interval1066 · · Score: 3, Insightful

      Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

      Thus we have bad security. It needs to be better. I don't know what the solution is, but a user name/pw is inherently insecure.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  2. Thats how civilized countries do it! by Anonymous Coward · · Score: 5, Insightful

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

  3. Head in sand by gmuslera · · Score: 3, Insightful

    Make illegal to get warned that you are insecure and you will deserve being raped by unethical hackers. Is pretty much like suing the ones that could predict quakes, making sure that noone, ever, will warn you till is too late.

  4. He's an MP. by Anonymous Coward · · Score: 3, Insightful

    If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.

    1. Re:He's an MP. by Anonymous Coward · · Score: 4, Insightful

      I don't think anyone capable of pulling this off could become a senator or congressman in the US.

    2. Re:He's an MP. by russotto · · Score: 4, Insightful

      Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

      We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.

  5. Re:It's not Ethical at all... by Fuzzums · · Score: 4, Insightful

    In my opinion if you report a system with confidential information to be insecure that would be ethical.
    If the owner of the system hired him, then it would have been his job. That's something different.

    --
    Privacy is terrorism.
  6. To add a little gory detail... by thrill12 · · Score: 3, Insightful

    ..the justice department (yes, you read that right) actually had a login to the same database as it was found following the news on this particular case. One has to wonder if the official story (needed because of certain convicts that have their records in the same medical DB) is even a valid reason, and why they would even be allowed within 10 meters of such a sensitive and secret (medical wise) collection of data.
    While Henk Krol is not a 'true hacker' perhaps, this does raise a lot of questions with regards to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or more popular "Chewbecca") tactic is followed...

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  7. Re:Civil Disobedience by History's+Coming+To · · Score: 3, Insightful

    Rosa Parks did what she did knowing she would be punished, that's the whole point of civil disobedience. You do what you believe to be right and in the process force the judicial system to punish you in public, exposing a flaw in the system. If Rosa Parks hadn't kicked up the legal fuss she did then she wouldn't have had an impact that would still be discussed on internet fora decades later.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.