Slashdot Mirror


Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting for more than two years for a reaction from police or Ministry of Interior, and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of Interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.

On May 11th Ornig received a prison sentence of 15 months suspended for a duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.

172 comments

  1. Hm... by Anonymous Coward · · Score: 5, Insightful

    Is it my imagination or is this student's real crime making public figures look bad?

    1. Re: Hm... by Anonymous Coward · · Score: 1

      No, because all the common public will read is that he had a fake police badge and hacked Murica.

    2. Re: Hm... by __aaclcg7560 · · Score: 2

      Nothing screams "wannabe cop" like possessing a fake badge. If that wasn't found, the case may have turned out differently.

    3. Re: Hm... by Calydor · · Score: 2, Insightful

      Do we know this isn't one of those plastic badges that come with various Halloween outfits and it may have belonged to his kid brother or something like that?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re: Hm... by __aaclcg7560 · · Score: 2

      Do we know this isn't one of those plastic badges that come with various Halloween outfits and it may have belonged to his kid brother or something like that?

      According to the article, possession of an imitation police badge was the basis for the criminal charge. A badge from a Halloween costume or cereal box wouldn't warrant a charge by itself unless the person used it while pretending to be a cop, which would be a charge of "under color of authority" in the US.

    5. Re: Hm... by Anonymous Coward · · Score: 0

      Since when is Slovenia Murica?

    6. Re: Hm... by Threni · · Score: 3, Insightful

      So why wasn't he told not to possess a police badge as part of his sentence? Why mention his study if it had nothing to do with it?

      Really, it's laughable to suggest it's anything other than that.

    7. Re: Hm... by bryanp · · Score: 1

      Slovenia, not America. I know nobody reads the articles, but at least read the summary.

      --
      "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    8. Re: Hm... by __aaclcg7560 · · Score: 3, Interesting

      Really, it's laughable to suggest it's anything other than that.

      Try reading the article. (Yes, the Google translation is worse than most Slashdot summaries). Not only did he have an imitation badge, he also used the badge to pretend to be a police officer in 2010 and 2014. If he was a hacker without a "wannabe cop" mentality, things would have turned out differently.

    9. Re: Hm... by tsqr · · Score: 1

      "Murica"? Is that code for "Slovenia"?

    10. Re: Hm... by K. S. Kyosuke · · Score: 1

      Uh...Murica! :-p

      --
      Ezekiel 23:20
    11. Re:Hm... by K. S. Kyosuke · · Score: 1

      Since when is TETRA a computer system? (Beyond the fact that transceivers typically include computers these days...)

      --
      Ezekiel 23:20
    12. Re: Hm... by Anonymous Coward · · Score: 0

      Especially when it's "found" using advanced searching techniques.

    13. Re: Hm... by __aaclcg7560 · · Score: 1

      Especially when it's "found" using advanced searching techniques.

      A search warrant is an "advanced searching technique" these days?

    14. Re:Hm... by Anonymous Coward · · Score: 0

      Yes, that is his offense, his only offense.

      On the other hand, all he has to do to comply with his release is not tell the authorities when he listens to their "conversations".

      Way to go Government Asshats – you made an honest and reliable citizen into a criminal who will never help you again.
      Hopefully, that will bite you in your Asshats some day.

      Oh well, "Stupid is as Stupid does. That's what my Mama says."

    15. Re: Hm... by Anonymous Coward · · Score: 0

      Assuming he possessed a fake badge, and one wasn't planted by the police, the same force who also goes taking bribe money from hookers on the streets in plain view without giving a fuck...

    16. Re: Hm... by __aaclcg7560 · · Score: 1

      Assuming he possessed a fake badge, and one wasn't planted by the police, the same force who also goes taking bribe money from hookers on the streets in plain view without giving a fuck.

      According to the article, he got in trouble for impersonating a police officer in 2010 and 2014. Let me guess... the police planted the badge on him in both incidents?

    17. Re:Hm... by Holi · · Score: 1

      "an honest and reliable citizen" My ass, in 2010 and 2014 he was charged with impersonating a police officer. He has already proved he is neither honest nor reliable.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    18. Re: Hm... by Anonymous Coward · · Score: 0

      Nothing screams "planted evidence" like a counterfeit police badge either.

      After drugs and guns, police badges have to be the most common thing that cops have lying around that they can incriminate someone just by tossing in a plastic evidence baggy.

    19. Re: Hm... by Culture20 · · Score: 1

      Maybe the second one since they would have known his criminal history. Although I bet he really did have it.

    20. Re: Hm... by A Friendly Troll · · Score: 1

      According to the article, possession of an imitation police badge was the basis for the criminal charge.

      No idea about the translated article, but the Slovenian says the following:

      1) IT system breach

      2) Forgery (fake badge), pretending to be policeman multiple times in 2010 and 2014 (not between, in)

      3) Unlawful audio recording

      All those are criminal charges.

    21. Re: Hm... by HappyPsycho · · Score: 1

      #1 can be argued under the guise of penetration testing / security research, #3 is a side effect of that (I don't know how much he recorded but he would have needed some proof that he managed to tap into the system).

      #2 makes me cautious about this person's character and I agree is a prosecutable offence, but if 1 & 3 are charges he got hit with and they stuck, the message that got sent is: don't alert the authorities, sell the hack as a zero day.

    22. Re: Hm... by beastofburdon · · Score: 1

      "Advanced searching techniques" == "planting evidence"

    23. Re: Hm... by A Friendly Troll · · Score: 1

      Yeah, I'm not arguing any of that, just saying that there's 3 criminal charges against him, and I wouldn't be so quick to say that it's The Man stepping on a poor white hacker.

    24. Re: Hm... by Coren22 · · Score: 1

      It sounds like he became a masked vigilante...I am Batman!

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  2. Good by Anonymous Coward · · Score: 0

    Punish those who tell you about your vulnerabilities. That way you know that you're not vulnerable.

  3. May I talk to the manager? by Anonymous Coward · · Score: 0

    The security researcher forgot the age-old wisdom of wanting to talk to the manager.

  4. Here's how! by Bent_MG · · Score: 2

    Sounds like this is what he did: http://www.rtl-sdr.com/rtl-sdr...

    Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.

    --
    All your bays are belong to us!
    1. Re:Here's how! by superwiz · · Score: 1

      Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.

      I am not sure you can even buy a switch which will send it unencrypted anymore. Which makes ROIP as secure as any https communication.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  5. What did he expect? by Anonymous Coward · · Score: 0

    For him to discover bad police encryption, it means he was illegally messing with it in the first place.

  6. Let this be a lesson to you do-gooders! by Anonymous Coward · · Score: 1

    He tried to help them and got a suspended sentence of 15 months in prison (won't that be fun). He was subject to a house search and all of his computers and equipment were seized. He tried to help them all along, and they punished him for it. Now it would have been much more profitable (and no police raid, no prison and no threats and intimidation) if only he had simply sold the information and equipment (for a profit) on the black market to an organized crime ring. He could have made $100,000 or more, gained street cred, and would be sitting on a beach right now sipping something cool and rum flavored, oh, and he wouldn't have to be looking for new computer equipment (more money out of pocket, and there is no guarantee that they won't come along and just take all his new equipment, still new-in-box "on suspicion").

    1. Re:Let this be a lesson to you do-gooders! by Anonymous Coward · · Score: 0

      100k USD in Slovenia for this? Yeah, right.

  7. Student? Security Analyst? by Anonymous Coward · · Score: 0

    The title says he's a student and the summary says he's a security analyst while the article doesn't mention either. I would imagine that his sentence would depend greatly on who he is and neither the article nor summary give any indication, so there's not enough information to conclude if I agree with the result or not.

  8. Re:Only programmers by Sarten-X · · Score: 2, Insightful

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  9. Perhaps he should have tried... by NEDHead · · Score: 1

    Hey, I heard some guys talking in a bar and they said......................so maybe someone should look into this.

  10. Re:Only programmers by Anonymous Coward · · Score: 1

    How would you propose to find leaks otherwise if the agencies trust the system and therefore never initiate a security audit?
    The guy apparently was trying to get the attention to warn them, nobody reacted.

  11. Re:Only programmers by Anonymous Coward · · Score: 1

    If you don't RTFA, you'll say: It sends the wrong message. Far easier for us to post stuff like this online anonymously and ruin everyone's day.

    After RTFA: Looks like he got off lightly on the false identification charges, he seems to have had a history. The courts were _very_ lenient.

  12. Do not admit that you did something illegal! by Anonymous Coward · · Score: 5, Insightful

    If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.

  13. Re:Only programmers by Anonymous Coward · · Score: 3, Informative

    This is a terrible analogy. He didn't "break into" anything. They broadcasted poorly encrypted information to whoever was listening, and assumed that nobody listening could decrypt it. Now they're mad because they were proven wrong.

  14. Re:Only programmers by Anonymous Coward · · Score: 0

    The leaks will be found when bad guys break in and shit happens. If you feel bad about the costs when shit happens, then just remember the savings the agencies made by skipping the security audit.

  15. Slovenia doesn't have an IRS by Anonymous Coward · · Score: 0

    That's a US agency. Slovenia may have an equivalent agency, but it's not called the IRS. My god the editors here are stupid.

  16. Lesson: by Opportunist · · Score: 5, Insightful

    Do not inform police about their crappy encryption, that's illegal.

    Sell that information to some criminals. That is only potentially illegal, but at least profitable.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re: Lesson: by misnohmer · · Score: 1

      ...and after criminals use the exploit and show off the police, there will be an investigation and configuration fixed. So, the same outcome except the researcher got some money instead of a sentence. And worst case is he gets money AND a sentence, but that's still better than just a sentence.

    2. Re:Lesson: by delt0r · · Score: 1

      What about option 3. Ignore it and get the fuck on with your life.

      --
      If information wants to be free, why does my internet connection cost so much?
  17. Re:Only programmers by Opportunist · · Score: 2

    Next time he will hopefully not be so dumb and inform the cops but sell that info to some criminals. There's money to be made with a device that lets them know when the sting's gonna fall.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Black Market?! by Anonymous Coward · · Score: 0

    No black market because that still could land him in jail.

    What you do is find the person whose ass will be grass high enough on the food chain so that they can hire you for big bucks as a consultant. And for a job like that, $250,000 US would not be unreasonable.

    And THAT will give him some legitimate business cred that would land him more lucrative work - all legal.

  19. Re:Only programmers by Opportunist · · Score: 2

    The same kind of police badge I have? That came in the cereal box?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. So the lesson is... by Anonymous Coward · · Score: 5, Insightful

    Kids, the lesson is simple : never ever under any circumstance "help" authority figures. You'll end up getting fucked.
    You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.

    1. Re:So the lesson is... by Anonymous Coward · · Score: 0

      Ethical hacking 101 dude... Don't break into other people's shit.

      It's not hard. He's entirely in the wrong despite the spin being put onto this story.

    2. Re:So the lesson is... by Type44Q · · Score: 3, Insightful

      Are you bright enough to understand the difference between hacking into a system and analysing RF transmissions? No? You should fit in quite well here.

    3. Re:So the lesson is... by Agripa · · Score: 1

      To put it another way, law enforcement and the courts are not paid to not fuck you.

    4. Re:So the lesson is... by Anonymous Coward · · Score: 0

      From the article.

      "Ornig should also allegedly in complicity with the person Mr. G., whom the court has earmarked three months' imprisonment conditionally with a year ago, the probation period, in February, March and December 2014, repeatedly invaded or tried to hack into the system Tetra. This would also hamper the operation of radio stations."

  21. Moral of the story by Lead Butthead · · Score: 5, Insightful

    Don't report the vulnerability to the authority; they'll just punish you for it.
    Quietly pass the vulnerability to local crime syndicate to carry favor instead.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Moral of the story by Anonymous Coward · · Score: 0

      It's "curry", and equally a bad idea to attract such attention to oneself no matter what.

    2. Re:Moral of the story by HappyPsycho · · Score: 1

      One problem with that theory, they know who he is now anyway.

      In this scenario said syndicate might actually be pissed that the flaw is now fixed. He isn't in the police's good books so what do you expect will be the police reaction if he gets approached from such a syndicate now and tries to report it. Sadly my money is on "Oh he was in with the criminals all along".

    3. Re:Moral of the story by beastofburdon · · Score: 1

      Come on now, giving them the vulnerability will not get you the favor you want or get you money.

      Build multiple devices to intercept the communications and sell them to the local crime syndicate. You will get a significant amount of money and the syndicate will respect you much more since they know you are a proper businessman.

  22. Re:Only programmers by Calydor · · Score: 5, Insightful

    See, in this house everyone assumes the lock on the front door works. No one ever tests if it does, they just trust it.

    One day, this guy decides to try opening the door without turning the key in the lock first. Whaddya know, the door opens without a problem.

    Realizing this he writes a note and drops it in their mailbox to warn them.

    Then he gets arrested for breaking and entering.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  23. Re:Only programmers by fustakrakich · · Score: 1

    Regardless, he still intentionally broke the law by accessing a system without authorization.

    And that is why you never give your name out when doing this stuff.

    --
    “He’s not deformed, he’s just drunk!”
  24. Re:Only programmers by Blue Stone · · Score: 5, Interesting

    This site depresses me sometimes. Look at this comment getting voted up. I mean, aside from the dodgy analogy housebreaking vs penetration testing (which may be similar or not, depending on the specifics) look at this: "Regardless of his objective, he broke the law." --- as if your intentions can not be an absolute defence - punching someone is illegal; punching someone in self-defence is **not** - but "regardless of his objective" is somehow a valid statement? C'mon.

    Score:4, Interesting (at time of writing). Seriously.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  25. Re: Only programmers by johnsmithperson123 · · Score: 1

    It's more like saying "hey, your house door doesn't latch properly, I checked it."

  26. Re:Only programmers by roman_mir · · Score: 0

    Because useless locks and doors and windows and walls and gates and electric security systems have been around forever (some longer than others) and so many fewer youngsters actually care to learn about those 'uninteresting' things. Computers are still interesting to many even in the newer generations. Since they just learned many of these (fairly complex by Norman standard) things, they are still in the mode of showing off, like they used to show off to their parents or siblings or friends. They actually don't understand the egos and the politics of the real world yet. This will surely teach them quickly.

    This kid didn't deserve any sentence if the people charging him didn't behave like the robots of the establishment that they are. But what this shows me is that the future is still brighter than many would believe. The anti government movement will strengthen if only through the young people learning not to trust governments and learning the lesson the hard way is the quickest and most durable way.

    Eventually the anti government movement will reach a certain size and power and life on this planet will evolve beyond the oppression of the past.

  27. Re: Only programmers by Anonymous Coward · · Score: 0

    He didn't break into the police's house. He demonstrated that the letters sent via the secure UPS service were open for anyone to read. Choose better analogies, intercepting secure communications is not breaking into anyone's house.

  28. Re:Only programmers by Anonymous Coward · · Score: 1

    Why is it that when people project their information into my house in the form of electromagnetic interference they expect me to just ignore it?

  29. Re:Only programmers by Anonymous Coward · · Score: 1

    Bad analogy. It's more like you give the bank some stuff to put into a safety deposit box. You "trust" that the bank is only going to allow you to access your own stuff. Just to test their security, you use a different person's name and they let you into different person's lock box. You let them know that their teller allowed you to access something you didn't own without actually checking your identity. They call the cops and you get arrested for impersonation. And then your stuff gets stolen via the same exploit while you're in jail.

    If a third party is handling my stuff, I should be able to do my due diligence that this third party is actually doing its job. This is especially important when it's something that I don't get a choice in the matter, like the police, military, IRS, or a plane I'm flying on whatever. If they get compromised, it could seriously fuck me over (especially in the plane scenario), so I have a vested interest in ensuring that they don't get compromised.

  30. Dear kiddies... by Lumpy · · Score: 4, Insightful

    DONT FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.

    The police are nothing more than a very well financed street gang.

    --
    Do not look at laser with remaining good eye.
    1. Re:Dear kiddies... by Anonymous Coward · · Score: 0

      And yet he's voted as insightful, and you're downmodded below zero. Seems like the only idiot is the one that thinks police are there to help them...

    2. Re:Dear kiddies... by Anonymous Coward · · Score: 0

      Even if you're breaking the law, you can trust them... to arrest you.

      He could've demonstrated this without breaking it. That's why he got this instead of no sentence at all.

      If you want to live without threat of the police arresting you for committing crimes, there's always Somalia...

    3. Re:Dear kiddies... by Anonymous Coward · · Score: 0

      Says the no IQ loser modded to -1.

    4. Re:Dear kiddies... by Anonymous Coward · · Score: 0

      consider that had this happened in the free and democratic u.s.a., the outcome for the whistle blower would have been much worse than what happened in the more civilized countries carved out of former eastern bloc communist yugoslavia.

  31. not lenient by jopsen · · Score: 1

    The courts were very lenient on him, so no harm was done.

    3 years suspended sentence is not lenient... This is a European country... Where unlike the US, doing a crime is not a life ending event.

    On topic, "counterfeit police badge" is very bad... That said, I don't see how they got a search warrant in the first place, so he could probably go after them on the fact that such search warrant shouldn't have been issued.

  32. Re:Only programmers by Skinkie · · Score: 1

    If he is doing exactly what I am doing, receiving unencrypted Tetra communications, and notified the police that that is possible because of badly configured systems, and did not rebroadcast this tetra information, how can this possibly violate the Geneva convention and ECHR for receiving broadcast signals?

    --
    Support Eachother, Copy Dutch Property!
  33. Isn't the TETRA encryption insecure anyways? by Anonymous Coward · · Score: 0

    I remember reading the TETRA encryption was insecure anyways and because of that the Germans added an additional encryption to their TETRA network.

  34. Re:Only programmers by PvtVoid · · Score: 1

    punching someone is illegal; punching someone in self-defence is **not** - but "regardless of his objective" is somehow a valid statement? C'mon.

    Punching someone in the face, unsolicited, to show them how weak their guard is, is not just assault, it's aggravated assault.

  35. More to the story by Anonymous Coward · · Score: 0

    Once again with these types of stories, there's more to it than the summary reveals - which is usually all that /. reads before launching into pearl-clutching hysterics in the comment section.

    Ornig judgment is charged attack on the information system, falsification of documents and undue audio recording.

    The bit about wiretapping was conveniently left out of the summary.

    Ornig should also allegedly in complicity with the person Mr. G., whom the court has earmarked three months' imprisonment conditionally with a year ago, the probation period, in February, March and December 2014, repeatedly invaded or tried to hack into the system Tetra. This would also hamper the operation of radio stations.

    Not exactly clear, but I get the impression Ornig was working with someone who was already in trouble for hacking Tetra repeatedly.

    Ornig should be according to the judgment of imitation badge in 2010 and 2014 repeatedly falsely pretending to be a police officer.

    Impersonating a police officer for 4 years? That's a felony in the US.

    Third offense unduly sound recording, should Ornig guilty March I and II 2014, with the recording of the conversation of their former colleagues and superior, while he was still working for the security service G4S. On seized during a house search your hard disk Ornig are in fact police officers find copies of that conversation, which is Ornig wanted to prove mobbing

    Illegally recording people who work for a former employer. I don't know what "prove mobbing" means, but I guess it had something to do with making the company look bad on the website and media site that printed information from the transcripts he made. Sounds like he's a disgruntled employee motivated by payback.

    So basically, like that Tor developer who's hiding from the FBI, this criminal is fronting himself as some kind of innocent security researcher who the police overreacted to when he broke into a system that they and the military use.

  36. Re:Only programmers by StormReaver · · Score: 1

    See, in this house everyone assumes the lock on the front door works.

    Finally, some common sense in this thread. All he did was jiggle some "locked" doors, and inform the residents of the doors that didn't lock. It's a community service, as long as he doesn't take anything.

  37. Re:Only programmers by vux984 · · Score: 1

    I should be able to do my due diligence that this third party is actually doing its job.

    Your due diligence doesn't entitle you to break the law, or attempt to break in, or gain fraudulent access to the safety deposit boxes.

    Instead get them to produce reports by a security audit services company they pay to audit their security.

    If the reports do not satisfy you, and you are a big enough fish, you can insist they hire the auditor of your choice, at your expense, or perhaps you're a big enough fish to demand they even do it at their expense. Being a big fish opens a lot of options.

    If you aren't a big enough fish, you can go find another bank that has something in place you are satisfied with.

  38. Re:Only programmers by Anonymous Coward · · Score: 3, Insightful

    So capturing signals broadcasted over the public airspace and decrypting them is breaking and entering? Gee, then whenever the police use a Stingray device to intercept encrypted data between my cellphone and the cell tower, they are really violating my constitutional rights by entering my home and I am therefore obliged to sue them personally and directly for that violation of my civil rights. Also Castle law, because hey they are breaking and entering. Let's get a party together, go find the stingray van, and kill everyone and everything inside. It's all 100% legal, after all. They picked the digital locks to my digital house and broke down the doors!

    Smugly painting the entire situation with a brush may feel good, but in the long run, you're better off just shutting the hell up. The public will think, after reading that post, that anything a hacker does is breaking and entering. Even in bona fide hacking cases where information was stolen, it isn't breaking and entering, it's something else entirely.

    Why do government employees feel the need to crucify security researchers whenever they discover and disclose security weaknesses? Because when they publicly disclose the information, it not only puts the good guys' lives at stake, but it also makes them look weak and incompetent to the public.

    The cops had 3 years to do something; They didn't even take him out for a cup of coffee and explain to him or give him the BS excuse of "we've got a pretty substantial investment in equipment, it's going to take time to change it". Nothing was done until he publicly embarrassed them.

    Nobody is right here, but government employees are expected to act in good faith. At this point they should let the kid go, give him and the public an apology, and fix the broke systems. That won't happen, of course, because heaven forbid we ever fire government employees for incompetence.

  39. I was like "slovenian? How hard can it be?" by Anonymous Coward · · Score: 0

    Opened the original and using my working knowledge of Russian tried to decipher the headline " something weakness something, 3 months, something was executed".
    So Slovenian is just like reading Ruby code, you know some of the words and think you got it but then you are executed for missing the meaning.

  40. Re:Only programmers by thegarbz · · Score: 1

    Realizing this he writes a note and drops it in their mailbox to warn them

    Actually no, he put a billboard on the front lawn which said "This house is unlocked! You can get into it like *blah blah*."

  41. Re:Only programmers by thegarbz · · Score: 1

    What about punching someone without their consent to test the strength of their bone structure, and then publicly humiliating the target?

    As if self defence can be compared to uninvited pen testing followed by public disclosure of a vulnerability.

  42. Slashdot has gone to the right wing... by Anonymous Coward · · Score: 0

    They'll never understand nor care for your analogy.

  43. Re:Only programmers by Feral Nerd · · Score: 5, Insightful

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    Spoken like a true apparatchik: Why, he should have known better than to try and contribute to the defence of his country by revealing security flaws in police/military communications systems and instead just kept his mouth shut and allowed these vulnerabilities to go unfixed thus ensuring that the fucking FSB and the Russian army could pwn his country's military in the event of a war. If the people in charge of the Slovenian police/military weren't the bunch of incompetent morons they apparently are, and it sounds like the problem lies with politicos in the defence ministry (DUH! incompetent political appointees screwing up, surprise, surprise...), they'd have hired this guy and others like him long ago and put them in charge of police/military signals security. Speaking for myself, my first reaction would have been to consider recruiting this guy if only to ensure somebody else didn't snatch him up first. I'll also bet that this is what Slovenian military intelligence wanted to do (if they have a single spark of competence among them).

  44. That's government for you... by mi · · Score: 1, Insightful

    This is another illustration of how clumsy, inefficient, and occasionally evil the government is — even in otherwise decent countries. At least, the guy's sentence is "suspended"...

    And everyone seems to agree with the Libertarians in these cases, but, when the topic is something else, a solid chunk of the audience suddenly switches into believing, that the government is not only an acceptable, but the best solution available.

    Why, for example, would the same people be outraged at the government's goons in some discussions (this one, or anything about Snowden, or the CIA), but turn immediately around defending same in discussions of public schools and roads, health service, or municipal WiFi?

    --
    In Soviet Washington the swamp drains you.
    1. Re:That's government for you... by djinn6 · · Score: 1

      Because the government does more than just one thing, and the world is not simply black and white. Public services that the government provides is necessary for a well-functioning society. Even the police department itself is both good and bad in different ways. On one hand, they prevent robbers from taking your money. On the other hand, they sometimes beat up innocent people for no reason. People rightly criticize the beating, and at the same time fund the police department.

    2. Re:That's government for you... by mi · · Score: 1

      Because the government does more than just one thing, and the world is not simply black and white.

      The government sucks at everything... A few things — such as law-enforcement — can not be done by competing enterprises and must be a monopoly. But everything else can — and therefore should — be done by competing establishments.

      Public services that the government provides is necessary for a well-functioning society.

      They may (or may not) be necessary, but the government is not the only possible source of these services. For example, even if most people would like the pharmaceuticals carefully reviewed and examined before they buy them, it does not necessarily have to be done by a government agency. Various Consumer Reports — themselves competing with each other for both your trust and the manufacturers' business — can do the job, while still allowing the careless among us to exercise their freedom to be stupid and buy unreviewed.

      fund the police department.

      Police are a bad example, because no one objects to having them in principle...

      --
      In Soviet Washington the swamp drains you.
    3. Re:That's government for you... by Anonymous Coward · · Score: 0

      Planting a "fake" police badge as "evidence" can hardly qualify as "occasionally" evil.

    4. Re:That's government for you... by Anonymous Coward · · Score: 0

      Because in a discussion in the role of Government people like to go to the extremes which is rarely where the right answer lies.

    5. Re:That's government for you... by currently_awake · · Score: 1

      1-Jobs that must be done, but can't be done profitably, must be done by the government. Verifying the safety of prescription drugs is a good example. Yes a private company might be able to do a better job, but they won't because it's expensive and there is no way to make money on this. 2-Jobs that are important but easy to price gouge, should be done by the government. Healthcare insurance is a good example, as private companies will always drive up the cost as high as possible. This is why the USA has the most expensive healthcare system on earth, but not even close to having the best healthcare on earth.

    6. Re:That's government for you... by mi · · Score: 1

      1-Jobs that must be done, but can't be done profitably, must be done by the government

      Other than law-enforcement (including military), I can not think of any examples... Incidentally, military and police are the government's explicit prerogatives by the US Constitution — nothing else...

      Yes a private company might be able to do a better job, but they won't

      Ever heard of Consumer Reports? "Good Housekeeping" approval label? UL certifications? All of these exist already — they are voluntary and compete with each other.

      because it's expensive and there is no way to make money on this

      That's wrong pretty much by definition... When free, people pay money for things they want. If you can not find enough people to buy whatever it is you are selling, that means nobody wants it — or not enough to pay what it costs.

      By paying for something with taxes (which are collected at gun-point by definition), you force people to pay for things they do not want. A free country should avoid that — I hope, you agree.

      but not even close to having the best healthcare on earth.

      Your attempt to bait me off-topic with an unsubstantiated bombastic claim noted and ignored.

      --
      In Soviet Washington the swamp drains you.
    7. Re:That's government for you... by Anonymous Coward · · Score: 0

      I object to having police on principle. I think there are other NAP anarchists who agree with me as well.

    8. Re:That's government for you... by djinn6 · · Score: 1

      And how would those various consumer reports make money? Unless you have the government there to uphold copyright, anybody who can throw up a website can "steal" the hard work of the consumer report agencies. But then again, is product safety information a "creative" work under copyright law? Or is it an uncopyrightable collection of facts?

    9. Re:That's government for you... by mi · · Score: 1

      And how would those various consumer reports make money?

      That's entirely up to them. If they are providing something people want, they will get paid — by manufacturers eager to have their wares certified, and/or by consumers wanting to read up on the stuff they are choosing.

      A completely different model may be product reviews — such as offered by Amazon, which has a deeply vested interest in the reviews' helpfulness and objectivity.

      Unless you have the government there to uphold copyright

      Yes, the government is supposed to uphold copyright — as well as other rights. Like I said several times, law-enforcement (including military) is in the government's purview. Nothing else...

      is product safety information a "creative" work under copyright law?

      Irrelevant...

      --
      In Soviet Washington the swamp drains you.
  45. Re:Only programmers by djinn6 · · Score: 1

    So what you're saying is that he should have anonymously sold the vulnerability to the KGB for money rather than trying to be a patriotic idiot.

    Personally, I'd be grateful if some random stranger told me my door lock is busted (or more likely, that I forgot to lock it).

  46. Such Brilliance by wjcofkc · · Score: 1

    I will remember never to engage in a hire-able offence.

    --
    Brought to you by Carl's Junior.
  47. Bad Student! The Emperor has lovely clothes! by Cyberpunk+Reality · · Score: 1

    And be grateful that you're getting away with your sedition so easily!

    --
    Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
  48. Re: Only programmers by WarJolt · · Score: 2

    I'm not condoning his actions, but I do believe as a computer scientist I have some authority to call someone out on their actions. I have a duty to inform people that you can formally prove that a system is secure. For some reason most people don't even consider that a thing.

    The house analogy breaks down because it would be impractical to build a house that no one can break into, but many systems have been designed with formal proofs of security and are secure given certain constraints.

    The sad thing is that the systems with formal proofs can take less time to design and engineer, so sometimes it's just pure laziness that it isn't done correctly.

    With that said it doesn't give anyone the right to break into a computer system.

  49. Re:Only programmers by Anonymous Coward · · Score: 0

    The parent didn't compare self-defense to pen testing. He just gave a self-contained proof that ignoring the objective of an action is not a valid step when determining the legality of the action.

  50. I keep saying this by Anonymous Coward · · Score: 0

    Don't go to the authorities with these kinds of things.
    Just don't do it.
    There is absolutely 0 benefit for the person reporting the problem and it only increases your chances of getting in trouble.
    If you find some security problem just leak it anonymously.
    Fuck responsible disclosure.
    Responsible disclosure is nice for the company, but not for the person disclosing anything.

  51. Re:Only programmers by Anonymous Coward · · Score: 0

    As if self defence can be compared to uninvited pen testing followed by public disclosure of a vulnerability.

    Last I checked, both the police and military (supposedly) exist for the defense of the populace. To the extent that they're engaging in encrypting their own communication to prevent unsolicited access because apparently it wasn't enough to make it illegal to listen to the communications, it's clearly a failed system incapable (in their eyes) of providing defense and hence in one's own self-defense, it'd seem necessary to inform others so that people don't blindly rely upon it.

    The real issue, I'd say, is we don't really know exactly what Dejan Ornig precisely did. Analogies of trying to open doors or punching people in faces may or may not be a good analogy to what was done. If the action was to merely listen to communications, it's unclear what should really be illegal or wrong even if it involved exposing weak encryption. If it involved pretending to be an officer (the police badge) to get documents to understand the encryption, that should be illegal but then at the same time those documents should already be public as a basis for any good encryption should be withstanding public scrutiny*. If it involved exchanging keys to engage in the system to listen to communication, that's more iffy but as long as the act itself wasn't some sort of DoS I don't see it any different than pinging an IP address and really should be no more illegal than using a flashlight to look at a public building in the dark.

    * And just to the point that the possibility that Tetra was a closed, private system, that itself should not be acceptable precisely because it's insane to trust a third party company, possibly in the hands or to be in the hands of another country, for your communication security or to leave it to limited, authorized scrutiny by government officials. This is the same sort of bullshit that has resulted in Windows STILL being a clusterfuck of an insecure OS. And no, that doesn't mean the converse is true. But there's no sane reason to make it more difficult to discover vulnerabilities.

  52. Worked the other way for me by wjcofkc · · Score: 2

    Okay so it's not exactly the same.

    Some years ago while on the job I got so caught up on my projects I found myself with an hour or two to kill every day for a couple weeks. (Disclaimer: I hid the fact I was caught up early.) Now I am the curious type, especially when it comes to networks and security. Needless to say, I started poking around. Poking around quickly led to hacking around. It was an internal LAN, but still. I followed the bread crumbs and uncovered, let's just say, "stuff that was not intended to be uncovered." Much more followed from that. It reached a point where it was downright concerning. So finally I crossed my fingers and called my boss over, who of course was not a tech. He was concerned bordering on unhappy about what I was doing. The next day I got a call from the CIO, which is highly unusual. We had a very long talk about what I had been up to. The talk extended into a discussion of my knowledge and abilities which up till then no one in the company knew I had. I don't remember which hacker topic it was, but at one point the CIO said "fuck me"; he did not mean it literally. The result? The CIO gave me permission to keep on hacking our systems as long as I documented everything and reported directly to him. Up to that point, my initial finding resulted in ten or so pages of documentation. It was pretty cool.

    A bit off topic. Although I liked my job I found myself in a situation where I had to pick up and move. The details of that are unimportant, but I made sure I had a job waiting for me. Before I left the company, the CIO installed a keystroke logger on my computer. Since I was the only one running Linux, it was my personal computer. The CIO was one of the single best hackers I have had the pleasure of meeting. Next thing I know I was signed up for a bazillion newsletters and I noticed a Sony Ericsson had accessed my Google account. It took me all of one second to figure out what had happened. Fortunately it was all fun and games, nothing malicious. Although I did proceed to reformat the drives in all of my computers and proceeded to change every password I used (a lot) to random alphanumerics every week for a couple of months. Fun stuff.

    --
    Brought to you by Carl's Junior.
  53. Re:Only programmers by sjames · · Score: 2

    At the same time, they didn't seem all that interested in the false identification until he reported the weakness. The last instance of the false ID was 2014.

  54. Re:Only programmers by aralin · · Score: 5, Insightful

    You discover a door to a bank door open:
    Option #1: You tell the bank and the police. They do nothing. You let journalists know the bank and police did nothing for 2 years, you get jail sentence in retribution.
    Option #2: You tell some criminals for a cut of the profits, retire in Bahamas. No jail sentence.

    Clearly the system wants us to take option #2. Lesson learned.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  55. Re:Only programmers by Anonymous Coward · · Score: 0

    These scenarios seem like the perfect opportunity for guerilla groups everywhere to recruit valuable players. If your group has the kind of insight to take advantage of these weakness it'll give you more of a fighting chance against large oppressive adversaries.

  56. Re:Only programmers by Anonymous Coward · · Score: 0

    His intentions were taken into account: why do you think he got a _SUSPENDED_ sentence?

  57. Re:Only programmers by Anonymous Coward · · Score: 0

    vux984: spoken like a true bureaucrat.

    definition: an official in a government department, in particular one perceived as being concerned with procedural correctness at the expense of people's needs.

  58. Re:Only programmers by l0n3s0m3phr34k · · Score: 1

    Really, this is more akin to knocking on someone's door, and the door just falls inward because the hinges, doorknob, and deadbolt are missing and there are several gang members watching you from across the street (ie, FSU / KGB). What these people are really advocating is they would rather that person just walk away at that point, and not even bother to stick their head inside and yell "HEY YOUR FRONT DOOR JUST FELL IN! HELLO? ANYONE HOME?"!

    And they're also taking the Slovenian Defense Ministry's word that he even HAD a badge. Why did they wait SIX years to arrest him if he really tried to be a "fake cop"? It's been voted the most corrupt country in the EU rated at 96% in 2013 by "3,459 company board members in 36 countries worldwide, including 22 EU member states." But yeah, go ahead and take their Ministry's version of this hook, line, and sinker. While you're at it, you should install the new app "Please spy on me NSA" on all your electronic devices too.

  59. Re:Only programmers by l0n3s0m3phr34k · · Score: 3, Interesting

    Thus why no law enforcement will actually admit in court to using Stingrays. They would rather withdraw the evidence and have the case fail instead.

  60. Re:Only programmers by Sarten-X · · Score: 1

    That depends... was yours used repeatedly in the past to claim to be an officer?

    --
    You do not have a moral or legal right to do absolutely anything you want.
  61. Re:Only programmers by Anonymous Coward · · Score: 0

    I call BULLSHIT!!!

    LEOs break the laws every freaking day in the USA.
    And they receive Promotions, Commendations, Raises and Accolades.
    Why can't a civilian?
    Because the Authorities are Sociopaths and Psychopaths who protect only themselves.

  62. IRS and Department of Corrections? by Anonymous Coward · · Score: 0

    I guess these should be the Slovenian counterparts, or are they also called IRS and Department of Corrections in Slovenia?

  63. Re:Only programmers by rastos1 · · Score: 1

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    Are you suggesting to replace cryptography with law?

  64. That's not the whole story by Anonymous Coward · · Score: 0

    I'm not familiar with the details, but it's a bit more complicated. While conducting the house search, the police have found a counterfeit police badge, voice recordings and transcriptions of conversations between his former co-worker and their boss. Dejan was trying to prove he was being harassed in the workplace, he also sent these transcriptions to the media. He was also accused of disrupting TETRA service, which was a consequence of his failed attempts to break into the system. Although some actions of the police might be questionable, I think 3 years of probation is not that bad of a punishment all things considered.

  65. Similar problem, better outcome. by dweller_below · · Score: 3, Insightful
    We had a similar problem. Fortunately we had a better outcome.

    One of our university's IT groups noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified, when we presented the problem to them.

    I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.

    Still, it took months before the vendor deployed fixed code.

    1. Re:Similar problem, better outcome. by Anonymous Coward · · Score: 0

      The difference is that your mall cops were scared stiff enough to give you the time to try to help them.

      Meanwhile, actual police have been trained for situations such as these, and immediately respond with a scream of "stop resisting" and proceed to swiftly sweep you under the carpet.

    2. Re:Similar problem, better outcome. by MitchDev · · Score: 2

      Be lucky if you don't get shot "resisting"....

  66. Re: Only programmers by Anonymous Coward · · Score: 0

    People like you have probably never been inside a system, or discovered a vulnerability and watched pride ignore it.

  67. Re:Only programmers by Feral+Nerd · · Score: 1

    These scenarios seem like the perfect opportunity for guerilla groups everywhere to recruit valuable players. If your group has the kind of insight to take advantage of these weakness it'll give you more of a fighting chance against large oppressive adversaries.

    Thing is that you don't have to be a major power like the USA, China or Russia to achieve a monster intelligence coup like cracking your opponent's signals traffic. Small countries have achieved major military victories by letting a small group of very talented people loose on the encrypted signals traffic of a much bigger and better equipped opponent. Cracking your opponent's encrypted comms is probably the biggest force multiplier there is. Conversely, small players cannot afford incompetent politically appointed pencil gnawers opening up their security.

  68. Re:Only programmers by Opportunist · · Score: 1

    Sure! I have to admit though that was a long time ago, when I was younger. It did impress the other kids, though.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  69. Re:Only programmers by Opportunist · · Score: 2

    I do have to admit, though, that it got me into trouble, too. My mom explained to me in no uncertain terms that it does not give me authority to do a strip search with Jessica...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  70. Re:Only programmers by UnknownSoldier · · Score: 1

    > Why is it programmers are the only people who feel breaking into your house to show you how bad your locks are is a reason for congratulations and adoration?

    As opposed to the crooks who will just make off with everything because of your shitty security???

    To be informed is to be forewarned

  71. Re:Only programmers by rocqua · · Score: 1

    Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    That is a legal point, not an ethical one though. Breaking unjust laws is nigh the definition of civil disobedience.

  72. Re:Only programmers by Sarten-X · · Score: 1

    Spoken like a true apparatchik

    Ah, yes. I oppose your particular flavor of freedom, so I must be a Communist!

    Why, he should have known better than...

    First, he should have not been screwing around with anybody else's system without finding out exactly what the boundaries are. For instance, it might be perfectly legal to receive TETRA signals passively, but any transmission (even announcing that you're only listening) might be illegal. Seeking a lawyer's advice is recommended.

    After determining exactly what is and is not legal, then he has to make a conscious choice as to whether he will break the law or not. I won't advocate either approach, but if the outlaw's path is chosen, everything else must be done under an assumed identity, completely dissociated from one's real identity. It is not easy to establish such an identity, but that's the price for flouting laws.

    After that, investigation of the vulnerability may proceed. Every step should be documented, including the ones that don't lead to any desired outcome. If it's legal, you're building evidence to strengthen your upcoming presentation of your case. If it's illegal, you're building a procedure that authorized personnel can use to harden the system.

    Then you go to the authorities. An outlaw would only be able to dump information to the applicable agencies, and hope they care enough to fix it on their own. With less concern for ethics, the outlaw can also disclose his research publicly, opening up the vulnerability to others' use, including the FSB and Russian army, as you mentioned. A lawful researcher, on the other hand, can have an active dialog with the agencies, including presenting the detailed description of how he did not commit any crimes. Again, a lawyer's involvement is recommended.

    After that initial disclosure, one can offer to help fix the problem. The outlaw can try appearing as just an innocent bystander who read the disclosure, but it's risky. The lawful researcher can openly offer his past work as a reference. Once authorization has been obtained, the improvement process can begin. It's possible, of course, that the agency will reject the offer to help. Perhaps they like having broken systems, or perhaps it's an issue they'd rather handle internally. Regardless of why, that ends the research.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  73. Re: Only programmers by Anonymous Coward · · Score: 0

    When you throw your trash on my front lawn each day as you go to work, you can't claim I'm stealing your stuff when I decide to keep something I feel is treasure instead of trash.

    Additionally, claiming I broke into your home to steal the trash you keep tossing on my lawn only serves to make you look foolish and ignorant.

    That is how "radio waves" and "criminally accessing" works in the real world

  74. Re:Only programmers by Anonymous Coward · · Score: 0

    This notion that listening to police communications is some magic "get out of jail free" card is such a pile of caca.

    1) You must be familiar with police jargon local to the area in question; this requires dedication of time that criminals rarely devote
    1a) Certain cops are not above using their own private code words amongst a select few of their buddies specifically to avoid *ANYBODY* knowing what they're saying, including their colleagues and superiors. Good luck with that!

    2) You must listen to the channel carrying the communications concerning the place or criminal act in question; what if there's a stake out coincidentally in that same area that you plan to hit, but you're not listening to them?

    3) This assumes the communications in question are carried on the radio system that you are monitoring. Police often send undercover agents with wireless mics/transceivers on their own discrete frequencies.

    These are but a few snowflakes on the iceberg of considerations when monitoring public safety communications, encryption, monitoring apps, and related crap. Decrypting the communications is merely step 1 of many other steps. This is not SVU nor 24 nor any other prime time fantasy, this is real life and it is substantially different and fraught with all kinds of pitfalls and curve balls for the uninitiated listener.

  75. Re:Only programmers by Feral+Nerd · · Score: 1, Interesting

    Spoken like a true apparatchik

    Ah, yes. I oppose your particular flavor of freedom, so I must be a Communist!

    ** snipped long winded speech **

    Communist? I didn't mean to accuse you of being a communist by calling you an apparatchik, any number of other similarly themed descriptors would fit you as well. You seem like the kind of dusty stiff-necked bureaucrat who would rather follow the letter of the law even if it resulted in your country's military getting steamrolled by its enemies than bend the rules a bit and reap the benefits of discovering a gaping security flaw in your country's most secret and sensitive communications system.

  76. Re:Only programmers by vux984 · · Score: 1

    And what do you call conflating red-tape procedure with criminal law?

    You can't try to assault a woman wearing a rape whistle, just to find out if it works or not. Claiming after the fact that you weren't really going to actually rape her even if nobody came to her rescue isn't going to fly.

    You want to test the efficacy of rape whistles, or bank security, or anything else that's fine, but the methodology needs to be legal. That's not bureaucratic red tape; that's just common sense.

  77. Re: Hm...Leftist Bullshit by __aaclcg7560 · · Score: 1

    What land of Reality do you live in?
    Certainly, not the one where the news story took place.
    Certainly, not the one that I live in.

    America, early 21st century. You should try reading the news more often. Reality in America might shock you.

    http://listverse.com/2013/08/30/10-disturbing-cases-of-police-impersonation/

    The wonderful thing about American Liberals is that they think that everywhere is just like America! How provincial. How bourgeois.

    If you bothered to read my comment, I pointed out what would happen in the US. Short history lesson: most legal systems around the world are based on Roman law. Whatever can happen legally in the US, can also happen elsewhere in the world.

    https://en.wikipedia.org/wiki/Roman_law

    You suck Lefty.

    I'm a moderate conservative.

  78. Re:Only programmers by Darinbob · · Score: 1

    Sorry to wake you but you should really get a proper lock for your doggie door.

  79. Re:Only programmers by Sarten-X · · Score: 1

    I am suggesting that we be wary of replacing rule of law with rule of man, regardless of how noble that man claims to be.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  80. Re: Only programmers by Darinbob · · Score: 2

    But what if you can't know it's insecure unless you break into it first? If you're not a security expert and you have not been called in to assist, then don't go breaking into anything. If it's for something important and not just for police (like say voting machines) then do it secretly.

    Anyone smart enough to understand security (ie, not a script kiddie) should also presumably be smart enough to understand personal security.

  81. Re:Only programmers by Darinbob · · Score: 2

    You should have just called your mom a soft-on-crime bleeding heart liberal SJW.

  82. Do you want black hats? by Anonymous Coward · · Score: 0

    Because this is how you get black hats.

  83. Re:Only programmers by Anonymous Coward · · Score: 0

    Eventually the anti government movement will reach a certain size and power and life on this planet will evolve beyond the oppression of the past.

    You seem to wax poetically about an anti government movement. So why are you not part of one? You come here to tell us how your lord and savior is the answer to every question ever asked by man, and so deserves to be the eternal leader of all of mankind. Yet that is very much not an anti-government stance. What you advocate for instead is merely a stance against the current American government, in favor of a different system.

  84. Re:Only programmers by delt0r · · Score: 1

    Punching someone in the face even in self defense is illegal in many countries. Hacking government systems or even publishing breaks is illegal in many as well. It would have taken a 3 sec Google search to work that out.

    If you think ./ is bad you're free to go over to digg, reddit and 4chan whenever you please. I hear the crowd of anonymous cowards are much better over there.

    --
    If information wants to be free, why does my internet connection cost so much?
  85. No good deed... by flargleblarg · · Score: 1

    ...goes unpunished.

  86. So widens the gap by Anonymous Coward · · Score: 0

    of us vs them

  87. Re: Only programmers by presciouscheeks · · Score: 1

    I'm a programmer. My yard is completely insecure. You can walk right up and take my mailbox, a yard gnome, a lawn chair, even a potted plant. If I don't know you and you do it to prove a point, I'm going to think you are some naive little shit hallway monitor. People that are so stupid to believe the police are the good guys get what they deserve when they go trying to "help" the pigs. Maybe now he knows the truth and won't be so naive stupid boyscout gungho about helping the people that just ransacked his house, punched him in the gut, and threw him in a holding cell.

  88. So the lesson is, as always by Anonymous Coward · · Score: 1

    If you discover a security vulnerability, exploit it, profit from it and don't get caught or tell anyone about it, otherwise... if you take the white hat route they will persecute you. It is clear the black hat route is more profitable and is what the authorities would want. The way they treat people trying to help them is stupid. The authorities in this case should be fired and replaced with people who are a bit more tech savvy and much less assholes.

  89. Re:Only programmers by Anonymous Coward · · Score: 0

    Thus why no law enforcement will actually admit in court to using Stingrays. They would rather withdraw the evidence and have the case fail instead.

    So if ever the police are in a case against you and you are winning.. accuse them of falsely obtaining evidence with a stingray device until the bailiff tasers you and hauls you into solitary confinement?

  90. Next time just make profit by Anonymous Coward · · Score: 0

    Next time just sell it to real criminals or foreign intelligence services.

    Don't bother to help your country, they will put you in jail for exposing them as incompetent idiots who don't even listen to people who want to help them.

  91. Re:Only programmers by Anonymous Coward · · Score: 0

    That won't happen, of course, because heaven forbid we ever fire government employees for incompetence.

    Actually they will abuse their authority, mistakenly thinking that by being assholes they somehow will look less incompetent, despite nothing being further from the truth.

    FTFY

  92. Chop or Cut down the RainBowForests! by Anonymous Coward · · Score: 0

    hmm $25 dollars. I am betting he didn't get Hamitup! with his rtlsdr, mostly cause he didn't give a fuck about the lower ham freq's.

  93. ANd by MitchDev · · Score: 1

    The lesson learned from this?

    Fuck the pigs, sell the vulnerability to the bad guys....?

    Great lesson to teach the young hackers...

  94. Standard Thank You by TheCarp · · Score: 1

    On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.

    A pretty standard sort of thank you from people who run a government. He is lucky, a lot of them end up in body bags or crippled and homeless for helping politicians and their machinations.

    You know the real truth is, they are more afraid he will expose corruption than they are of their communications not being secure. It's probably a valid concern for them.

    --
    "I opened my eyes, and everything went dark again"
  95. Re: Hm...Leftist Bullshit by dave420 · · Score: 1

    That link says quite clearly that English common law system (which formed the basis of US laws upon independence) evolved out of the old Anglo-Saxon laws, which had evolved from the German tradition, which was influenced (but not based on) Roman law. So yes, while most of the world's legal systems are based on Roman law, the one you picked was only very tenuously so, and well over a thousand years ago.

  96. Stupid, backward, insular laws... by hattig · · Score: 2

    Quite clearly he should have sold the information, even though it's merely Slovenian police and security services, I'm sure a few grand would have been preferable to a (suspended) prison sentence.

    Modern Commercial Security: HACK US AND WIN PRIZES.

    Modern Government Security: If you just look at us and try to help, we'll put you down. We'd rather have holes being actively exploited by enemies of the state than have the shock horror of a public servant being made to look slightly inept, even if the hole isn't their fault and is a pure accident.

  97. Re:Only programmers by Opportunist · · Score: 1

    Indeed. If you really think there is a lot of sophisticated code going on, think again. I've heard more stringent radio discipline in milsim clans than on police radio. Might be different in the US, don't know, but police 'round here isn't shy to call shit shit.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  98. Re:Only programmers by Anonymous Coward · · Score: 0

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    Spoken like a true apparatchik: Why, he should have known better than to try and contribute to the defence of his country by revealing security flaws in police/military communications systems and instead just kept his mouth shut and allowed these vulnerabilities to go unfixed thus ensuring that the fucking FSB and the Russian army could pwn his country's military in the event of a war...

    You did read that part where he tried to inform them for years before finally going public, right?

  99. Re:Only programmers by Shortguy881 · · Score: 2

    I don't think you understand software, nor does the government. No one gets hurt with white hat hacking. Comparing it to rape is like comparing a snow cone to a blizzard. External security audits are the best way to find vulnerabilities, and when the results are given to you for free, it's even better. The law hasn't caught up with technology in this case yet. Jailing good people who are trying to help is a bad idea, period. That's why there are things like the Good Samaritan law and stand your ground laws that protect people who are trying to do the right thing.

    --
    Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
  100. Two mistakes by FrozenGeek · · Score: 2

    First mistake: telling the authorities about their problem.

    Second mistake: making the problem public.

    Do be a good citizen and notify the relevant authorities of computer security problems. But be a SMART citizen, and do it anonymously.

    Do not be a jerk and make the security problems public. But if you absolutely feel you must do so, do it anonymously.

    In a more ideal world than this, anonymity would not be needed. However there are far too many authorities who prefer to blame the messenger than to fix things properly. Your idealism is NOT shared universally.

    --
    linquendum tondere
  101. Re:Only programmers by MitchDev · · Score: 1

    Laws are written by mankind, there are no others.

  102. Re:Only programmers by EndlessNameless · · Score: 1

    Not sure how your comment got so highly ranked. It seems to stem from ignorance.

    The laws dealing with assault and homicide have exemptions for certain situations. Self-defense is one of those, so harm committed in a reasonable act of self-defense is not punishable. The context and intent are important because the law takes them into consideration.

    I cannot speak to Slovenian law, but his intent would be irrelevant in the US. The primary hacking law here, the Computer Fraud and Abuse Act, does not take motivation into account. If a willful act violates the law, there is no motivation or intent which might legally justify it.

    Now, you could argue that the law should be amended and say what needs to be changed. But you didn't do that. You just sobbed about how this site makes you sad. Boo hoo.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  103. Re:Only programmers by currently_awake · · Score: 1

    He told them, then years later put up the billboard.

  104. Re:Only programmers by thegarbz · · Score: 1

    Yeah, and did he get in trouble those first 2 years?

  105. Re:Only programmers by Sarten-X · · Score: 1

    Uh... there actually are.

    We'll disregard the ancient rules supposedly written by deities, mostly because they're not sufficient to cover the needs of any society within the past two thousand years.

    In more recent ancient history, there has been the divine right of kings. Under such a system, kings are exempt from laws because their authority is absolute, generally held to be originally granted by a deity and passed down through a bloodline (unless the ruling family fell out of favor and a new military victor gained the deity's favor, which was obvious due to that victor's victory).

    There have also previously been separate rule sets for peasants and nobles, and to an extent those are still in effect in places where a society's caste system has entered its legal structure.

    The term I use, "rule of man", is a more general term for a system where an individual (or group) uses their sense of justice to override written rules, effectively turning every case into a battle of celebrity. That's effectively the case in rural India now, where old village councils hand out arbitrary judgments based on their whims and local politics, often resulting in harsh sexism. The core problem with any "rule of man" system is that a human lifespan is usually too short and too narrow a perspective to apply a widespread fair justice. There are a few exceptions, but it is not a reliable system.

    In contrast, "rule of law" means that the law is written to be the rule. Before someone acts (as in this case, before accessing a system without authorization), they can go read the laws and find out what's legal. They can ask a lawyer for advice if needed. At no point is their fate ever left up to whether someone else thinks they're guilty or not. They can decide their own fate.

    The downside to rule of law is that most laws aren't written perfectly. They don't cover every situation perfectly, and society's values change. To resolve that, the court has the ability to interpret the laws to a certain degree of freedom, but the vast majority of the law is still already written specifically, and case histories are usually public, so a judge does not need to rely on his own narrow perspective unless the dispute is an entirely new situation. Even then, parallels are drawn to previous similar situations, so we are relying as little as possible on the judgement of one person.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  106. Re:Only programmers by Anonymous Coward · · Score: 0

    Yes they ignored him, (or passed the fix to someone lower, etc.). But news flash here:
    We do not have to go public every time we find someone's weakness. Just notify a little higher than the last guy, then eventually the president or something to that effect.

    The trick is to "keep it in house", that is tell others in gov't not the public press. Does it get fixed any faster? It's not the point - if bureaucrats delay the fix, well at least nothing negative has happened yet. Tell the press? Yeah every hacker that hears about it will try. See?
    Just keep informing higher. thanks.

  107. Re: Hm...Leftist Bullshit by __aaclcg7560 · · Score: 1

    So yes, while most of the world's legal systems are based on Roman law, the one you picked was only very tenuously so, and well over a thousand years ago.

    It's even more tenuous that our calendar system is based upon a hippie carpenter getting hammered on a telephone pole 2,000+ years ago.

  108. Re:Only programmers by vux984 · · Score: 1

    I don't think you understand software, nor does the government. No one gets hurt with white hat hacking.

    No one got hurt in my rape whistle scenario either. That was part of my point. It was just a "white-hat" test to see if the rape whistle was going to work.

    Everyone doing white-hat external security audits knows that you need permission to do it up front. That consent is what transforms it from a 'an illegal criminal activity' to a 'legitimate service'.

    Comparing it to rape is like comparing a snow cone to a blizzard.

    Except nobody got raped, or was ever at risk of being raped. Don't you see my hat! It's WHITE! I'm here to help! I'm not going to actually hurt you.

    External security audits are the best way to find vulnerabilities, and when the results are given to you for free, it's even better.

    That's what I tried to explain to the women I was accosting after they called the police on me. This is for your own good! Don't you want to know how well your rape whistle works? This is the best way to find out. I'm doing you a favor... you should be grateful I'm doing this for free. I wasn't going to hurt you or anything... it was just a test. Nobody got hurt! Why am I going to jail?

    Hacking systems, even with good intent, can lead to service outages, system downtime, etc. And by its very nature is a form of trespass and break in. I don't care what your intentions are whether you are electronically slinking around in my networks, or physically slinking around my home looking for ways in. And you are doing it without my permission... you shouldn't be doing it, and it should be (and is) illegal.

  109. Re:Only programmers by Shortguy881 · · Score: 1

    Assault is defined as the threat of bodily harm that reasonably causes fear of harm in the victim. That is a crime. You are hurting a person. You can even kill someone with a weak heart. The day you can teach a computer to feel fear, I'll change my tune.

    --
    Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
  110. Re:Only programmers by vux984 · · Score: 1

    That is a crime.

    Hacking into computers that aren't yours is also a crime.

    You can even kill someone with a weak heart.

    You can inadvertently corrupt a critical database that wasn't being properly backed up and destroy a company.

    You are hurting a person

    You are causing harm.

    The day you can teach a computer to feel fear, I'll change my tune.

    Why does the computer itself need to feel fear for you to realize causing harm to it causes harm to the company and the people who own it?

  111. Re:Only programmers by Shortguy881 · · Score: 1

    I am saying in this case the law is wrong. Hacking into a system and letting the company know about it is good. Hacking into a system and destroying their database is bad. Blindly applying a law without hearing the circumstances of the case is moronic and does not constitute justice.

    --
    Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
  112. Re:Only programmers by vux984 · · Score: 1

    Hacking into a system and letting the company know about it is good. Hacking into a system and destroying their database is bad

    Intending to do the former, still risks doing the latter.

    Blindly applying a law without hearing the circumstances of the case is moronic and does not constitute justice.

    Agreed. Consideration of Intent absolutely matters for justice. But that still doesn't make it ok.

    Bottom line, this is basic property law. It's NOT your property, so if you want to fuck around with it, get permission from the owner first.

    What exactly do you disagree with about that statement?

  113. Re:Only programmers by A+Friendly+Troll · · Score: 1

    That isn't true.

    Tetra was used by military, police, etc.

    Military communications did NOT have any encryption.

    Police communications DID have encryption, although a weak one.

    He wasn't charged for intercepting plaintext military communications, but for breaking the encryption, eavesdropping on police communications *and* obstructing/jamming several police radio stations.

  114. Re:Only programmers by Shortguy881 · · Score: 1

    It's digital content. It's not tangible. If you hack in and do no harm and alert me of the vulnerability, who gives a crap, legally speaking. If you hack in and accidentally wipe my server, then you are liable. We shouldn't punish risky behavior, we should punish consequences of those actions. Additionally, you compared hacking a server with rape which I wholeheartedly disagree with. It's one of the worst analogies I have ever heard. Seriously, not even close.

    --
    Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
  115. Re:Only programmers by Anonymous Coward · · Score: 0

    The anti government movement will strengthen if only through the young people learning not to trust governments and learning the lesson the hard way is the quickest and most durable way.

    Nonsense. The Boomers tried that. They failed miserably. They (well, the ones who didn't OD on drugs or got shot at Vietnam or Kent State) end up as lawyers and bankers and union bosses, becoming part of the establishment. They became teachers and indoctrinated the next generation to love government.

    And before that, the brave men and women who fought against the evil collectivist governments of Germany and Japan, upon returning home, embraced enlarging their own government to pay for their college (GI Bills) and infrastructure projects.

    And even before THAT, the supposed anti-government-enslaving-blacks Republicans, after they won the Civil War, became the big government themselves, ramming Reconstruction and the Trans Continental Railroad down people's throats.

    Eventually the anti government movement will reach a certain size and power and life on this planet will evolve beyond the oppression of the past.

    Wrong. Eventually every anti-government movement BECOMES the government.

    Every anti-government starts by saying "we'll take over government then leave you alone". Then they proceed to do only the first part.

  116. Re:Only programmers by vux984 · · Score: 1

    If you hack in and do no harm

    If I find a way into your house, get in and walk around and don't damage anything, that's no harm either right? If I pick your lock because it wasn't very good, what's wrong with leaving you a note on your fridge? What's wrong with trespassing?

    And what if you do harm? What if your 'hack' does damage the data, whether you intended to or not? You can't know for certain you won't crash the system or corrupt data.

    If you hack in and accidentally wipe my server, then you are liable.

    I don't tolerate good Samaritans wandering around in my kitchen either, whether they wreck the place or not is beside the point. They don't belong in my kitchen, and they aren't welcome.

    You seem hung up on this notion that a 'hack' can't or won't do damage unless you intend it to, and that's plainly wrong. Sooner or later you are going to crash a system, corrupt some data, or worse whether you intend to or not. And that's real actual harm you are causing to stuff that simply doesn't belong to you.

    Meanwhile, like the stranger in my kitchen, you are simply unwelcome. You shouldn't be there. Legally you are not allowed to be.

    I agree that 'harmless' trespassing is a lesser crime than breaking and entering followed by arson. And the electronic equivalents should be similarly structured. But I don't agree that it should be legal.

    Additionally, you compared hacking a server with rape

    Not exactly. I compared pen testing a server with testing the security of a rape whistle; where in either case the target wasn't notified. However, nobody was going to actually get raped. So at worst it was a rape threat, which I agree is still pretty bad -- but remember, it was for a good cause, for their own good even. I was just making sure their rape whistle worked. But if picking a lock and rummaging around in my kitchen is a better analogy, I'm fine with that too.

  117. sigh by Anonymous Coward · · Score: 0

    Same bullshit different country.