Slashdot Mirror


Dutch MP Fined For Ethical Hacking

An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined 750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist who worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch)."

13 of 122 comments

  1. Showoff Gets Off Easy by Anonymous Coward · · Score: 5, Insightful

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to show off his "1337" skillz.

    1. Re:Showoff Gets Off Easy by sabri · · Score: 4, Informative

      That is an excellent summary of the judge's decision. The judge argues that by not contacting the systems administrator upon logging in, but instead making copies of confidential data, they went from white hat to black hat.

      At the same time, the judge argues, the defendant may not have had criminal intentions. So while the "hackers" crossed the line in their efforts to "expose" the bad security, they were not sent to prison as they are not criminals.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:Showoff Gets Off Easy by Teun · · Score: 4, Insightful

      No, the worry is how far he could get with just one user ID.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    3. Re:Showoff Gets Off Easy by plalonde2 · · Score: 5, Insightful

      And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.

    4. Re:Showoff Gets Off Easy by X0563511 · · Score: 5, Funny

      I like this judge. Seems like sound reasoning to me all around, and the sentencing seems entirely fair.

      Can we get this judge to come work in the US? Pretty please?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Showoff Gets Off Easy by Kaenneth · · Score: 4, Insightful

      Three words:

      Two Factor Authentication.

      A little bit of eavesdropping should not allow unlimited remote access to others' medical records.

    6. Re:Showoff Gets Off Easy by tsa · · Score: 4, Informative

      We don't have juries in the Netherlands.

      --
      Cheers!

  2. That's how civilized countries do it! by Anonymous Coward · · Score: 5, Insightful

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

  3. Re:Head in sand by Solandri · · Score: 4, Informative

    If you read TFA, the judge's decision is quite a bit more nuanced than the summary makes it out to be:

    The court, however, agreed with Krol that the detection of defects in the protection of confidential, medical data can serve a substantial public interest. Krol said he acted as a journalist and ethical hacker at the time of the breach.

    The fact that he logged into the website and consulted some files was not unlawful, the court said. Similarly, downloading and printing the files to demonstrate the failures and scale of the security risk are defensible, it added. Krol also handled the information carefully because he redacted the printed files, the court noted.

    It was however disproportional that Krol proceeded to view and print more files than necessary to prove his point, the court said. In addition, he should have given the laboratory more time to fix the problem and should have tried to contact them more than once before he informed the media, the court said.

    Krol only knew of one employee that acted carelessly with login information. "Therefore, the problem was not so acute that immediate use of media was necessary," the court said.

    Sounds like the Dutch have some good judges exercising common sense on this issue.

  4. Re:It's not Ethical at all... by Fuzzums · · Score: 4, Insightful

    In my opinion, if you report a system with confidential information to be insecure, that would be ethical.
    If the owner of the system hired him, then it would have been his job. That's something different.

    --
    Privacy is terrorism.
  5. Re:He's an MP. by Anonymous Coward · · Score: 4, Insightful

    I don't think anyone capable of pulling this off could become a senator or congressman in the US.

  6. Re:He's an MP. by russotto · · Score: 4, Insightful

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.

  7. Get the details!! by Aethedor · · Score: 4, Informative

    Many of you are probably missing interesting details. The login consisted of a 5-digit number with a password that was exactly the same! Another fact is that Henk Krol DID try to warn 'Diagnostiek voor U', twice! But they sent him away because 'that was not the way to report it'. He had to do it in writing. He also contacted two other governmental organisations responsible for organisations like 'Diagnostiek voor U', but they also sent him away saying it was not their problem. Henk Krol was not fined for the actual hacking, but for going to the press too soon. Come again...?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.