Slashdot Mirror


Dutch MP Fined For Ethical Hacking

An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined €750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist who worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch)."

31 of 122 comments

  1. Showoff Gets Off Easy by Anonymous Coward · · Score: 5, Insightful

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to show off his "1337" skillz.

    1. Re:Showoff Gets Off Easy by sabri · · Score: 4, Informative

      That is an excellent summary of the judge's decision. The judge argues that by not contacting the systems administrator upon logging in, but instead making copies of confidential data, they went from white hat to black hat.

      At the same time, the judge argues, the defendant may not have had criminal intentions. So while the "hackers" crossed the line in their efforts to "expose" the bad security, they were not sent to prison as they are not criminals.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:Showoff Gets Off Easy by Teun · · Score: 4, Insightful

      No, the worry is how far he could get with just one user ID.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    3. Re:Showoff Gets Off Easy by Anonymous Coward · · Score: 3, Insightful

      No, the worry is how far he could get with just one user ID.

      No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.

      But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported the compromised login to the system administrator (or security, etc.) and gone on his way, not used it to see how far he could go.

    4. Re:Showoff Gets Off Easy by plalonde2 · · Score: 5, Insightful

      And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.

    5. Re:Showoff Gets Off Easy by X0563511 · · Score: 5, Funny

      I like this judge. Seems like sound reasoning to me all around, and the sentencing seems entirely fair.

      Can we get this judge to come work in the US? Pretty please?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Showoff Gets Off Easy by Kaenneth · · Score: 4, Insightful

      Three words:

      Two Factor Authentication.

      A little bit of eavesdropping should not allow unlimited remote access to others' medical records.

    7. Re:Showoff Gets Off Easy by interval1066 · · Score: 3, Insightful

      Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

      Thus we have bad security. It needs to be better. I don't know what the solution is, but a username/password is inherently insecure.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    8. Re:Showoff Gets Off Easy by tsa · · Score: 4, Informative

      We don't have juries in the Netherlands.

      --
      -- Cheers!

    9. Re:Showoff Gets Off Easy by mcvos · · Score: 2

      So all in all this is good news? The old-people's party is tech savvy, and the punishment is reasonable and proportional.

    10. Re:Showoff Gets Off Easy by menno_h · · Score: 3, Informative

      For the non-Dutch: the 50plus party defends the interests of people above 50 years of age. I was quite surprised when I saw him on the Dutch news last year, showing off his "1337 h4x0r sk1llz".

      --
      AccountKiller
    11. Re:Showoff Gets Off Easy by EMN13 · · Score: 2

      The username/password in question supposedly were "admin". And it sounds like it was probably overheard because the sharing was routine and the authentication a farce. So perhaps they didn't have a technical problem, but they certainly don't sound blameless.

      I think these kinds of issues are harmful to everyone because they encourage black-hat hacking (which is trivial), and they discourage whistleblowing. It's perhaps not honorable, but obviously many whistleblowers like the attention. But if that's the currency that needs to be paid for better security, it sounds like a pretty reasonable tradeoff. In short: typically the hackee should be fined and shamed, not the hacker, even if the hacker's a jerk. It's not about the hacker after all - he's probably not the person you've entrusted your data to - it's about the responsible party taking responsibility.

  2. Any right way to do this? by Nukenbar · · Score: 2

    If you ask permission from the site to pen test, they are probably going to say no.

    If you are a "so called" ethical hacker, whatever that means, and do it anyway, who is to say you don't find something valuable and keep it? Maybe you are only "ethical" when you don't find something valuable and then use the experience as free advertising.

    The nominal fine seems reasonable.

  3. That's how civilized countries do it! by Anonymous Coward · · Score: 5, Insightful

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

    1. Re:That's how civilized countries do it! by steelfood · · Score: 2

      First of all, he's an MP, so the fines are going to be much less than, say, for a poor nameless student. Second, this may cost him the re-election (or it may not, who knows), in which case the punishment would be much more than simply ~$1000.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    2. Re:That's how civilized countries do it! by tsa · · Score: 3, Informative

      No and no. All people are equal for the law here, and the guy is quite popular so this will not cost him many votes.

      --
      -- Cheers!

  4. Re:Ah. by cgimusic · · Score: 2

    I asked if they could put me through to Anonymous Coward but they didn't seem to know who you were. xD

  5. Head in sand by gmuslera · · Score: 3, Insightful

    Make it illegal to be warned that you are insecure and you will deserve being raped by unethical hackers. It is pretty much like suing the ones that could predict quakes, making sure that no one, ever, will warn you till it is too late.

    1. Re:Head in sand by Solandri · · Score: 4, Informative

      If you read TFA, the judge's decision is quite a bit more nuanced than the summary makes it out to be:

      The court, however, agreed with Krol that the detection of defects in the protection of confidential, medical data can serve a substantial public interest. Krol said he acted as a journalist and ethical hacker at the time of the breach.

      The fact that he logged into the website and consulted some files was not unlawful, the court said. Similarly, downloading and printing the files to demonstrate the failures and scale of the security risk are defensible, it added. Krol also handled the information carefully because he redacted the printed files, the court noted.

      It was however disproportional that Krol proceeded to view and print more files than necessary to prove his point, the court said. In addition, he should have given the laboratory more time to fix the problem and should have tried to contact them more than once before he informed the media, the court said.

      Krol only knew of one employee that acted carelessly with login information. "Therefore, the problem was not so acute that immediate use of media was necessary," the court said.

      Sounds like the Dutch have some good judges exercising common sense on this issue.

  6. Lucky it's only $1,000 by pele_smk · · Score: 2

    Based on HIPAA he would be fined at least $100 per document he took, hacker or not.

  7. It's not Ethical at all... by EmagGeek · · Score: 2

    If the owner of the system did not hire him to do pen testing, then it is not ethical. Sorry.

    1. Re:It's not Ethical at all... by Fuzzums · · Score: 4, Insightful

      In my opinion if you report a system with confidential information to be insecure that would be ethical.
      If the owner of the system hired him, then it would have been his job. That's something different.

      --
      Privacy is terrorism.
  8. Re:Civil Disobedience by tompaulco · · Score: 3, Informative

    So Rosa Parks deserved to be punished?
    Breaking an unjust law to call attention to it doesn't alleviate the consequences of it. Despite what the history textbooks say, Ms. Parks was not just a random black woman who decided to make a stand. She was carefully groomed, the act was carefully planned and timed, and she was more than aware of what the consequences could be. She was likely prepared to end up a martyr. As luck would have it, she didn't have to.

    --
    If you are not allowed to question your government then the government has answered your question.
  9. He's an MP. by Anonymous Coward · · Score: 3, Insightful

    If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.

    1. Re:He's an MP. by Anonymous Coward · · Score: 4, Insightful

      I don't think anyone capable of pulling this off could become a senator or congressman in the US.

    2. Re:He's an MP. by russotto · · Score: 4, Insightful

      Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

      We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.

  10. To add a little gory detail... by thrill12 · · Score: 3, Insightful

    ...the justice department (yes, you read that right) actually had a login to the same database, as was found following the news on this particular case. One has to wonder if the official story (needed because of certain convicts that have their records in the same medical DB) is even a valid reason, and why they would even be allowed within 10 meters of such a sensitive and secret (medical-wise) collection of data.
    While Henk Krol is not a 'true hacker' perhaps, this does raise a lot of questions with regards to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or more popular "Chewbacca") tactic is followed...

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  11. Re:Hacking by DarwinSurvivor · · Score: 2

    He was able to access multiple patients' records using one patient's username & password. That should NOT be allowed by the system in any way.

  12. Get the details!! by Aethedor · · Score: 4, Informative

    Many of you are probably missing interesting details. The login consisted of a 5-digit number, with a password that was exactly the same! Another fact is that Henk Krol DID try to warn 'Diagnostiek voor U', twice! But they sent him away because 'that was not the way to report it'. He had to do it in writing. He also contacted two other governmental organisations responsible for organisations like 'Diagnostiek voor U', but they also sent him away saying it was not their problem. Henk Krol was not fined for the actual hacking, but for going to the press too soon. Come again...?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  13. Re:Civil Disobedience by History's+Coming+To · · Score: 3, Insightful

    Rosa Parks did what she did knowing she would be punished, that's the whole point of civil disobedience. You do what you believe to be right and in the process force the judicial system to punish you in public, exposing a flaw in the system. If Rosa Parks hadn't kicked up the legal fuss she did then she wouldn't have had an impact that would still be discussed on internet fora decades later.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  14. Re:He had other options - Not really by scsirob · · Score: 2

    He was in a radio interview for Dutch Radio 2 this morning. He claims that he did contact the company and they replied that they were not interested, and if he had a complaint that he should write them a letter. That will take weeks, meanwhile leaving the door wide open for others to get unauthorized access to confidential patient records.

    He was fined because the judge thought he retrieved more records than necessary to show the issue. During the interview he claimed that he did this to show that with this single user account he could get records from patients who were not with this doctor. During discovery it turned out that anyone with access to the system had access to pretty much all records. Even support people from the company who maintains the system had access to patient records. That's a pretty big f*ckup.

    We have discussions here about a national health record system. It is this kind of lame 'security' that makes a lot of people not want to participate, including myself. A country-wide central health record is a goldmine for insurance companies, at the expense of the people. Also, the system is supposedly developed by a company with roots in the USA, and US law would allow the US government to snoop in our database. Let's just say I pass..

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB