Slashdot Mirror


Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result, lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting for more than two years for a reaction from the police or the Ministry of the Interior, and getting in touch with security researchers at the prestigious Jozef Stefan Institute, he eventually decided to go public with his story... The police and Ministry of the Interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and the equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along, Ornig was offering his help with securing the system.

On May 11th Ornig received a prison sentence of 15 months, suspended for a duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access to the communications system). He can appeal this judgment.

16 of 172 comments

  1. Hm... by Anonymous Coward · · Score: 5, Insightful

    Is it my imagination or is this student's real crime making public figures look bad?

    1. Re: Hm... by Calydor · · Score: 2, Insightful

      Do we know this isn't one of those plastic badges that come with various Halloween outfits and it may have belonged to his kid brother or something like that?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re: Hm... by Threni · · Score: 3, Insightful

      So why wasn't he told not to possess a police badge as part of his sentence? Why mention his study if it had nothing to do with it?

      Really, it's laughable to suggest it's anything other than that.

  2. Re:Only programmers by Sarten-X · · Score: 2, Insightful

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  3. Do not admit that you did something illegal! by Anonymous Coward · · Score: 5, Insightful

    If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.

  4. Lesson: by Opportunist · · Score: 5, Insightful

    Do not inform police about their crappy encryption, that's illegal.

    Sell that information to some criminals. That is only potentially illegal, but at least profitable.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. So the lesson is... by Anonymous Coward · · Score: 5, Insightful

    Kids, the lesson is simple : never ever under any circumstance "help" authority figures. You'll end up getting fucked.
    You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.

    1. Re:So the lesson is... by Type44Q · · Score: 3, Insightful

      Are you bright enough to understand the difference between hacking into a system and analysing RF transmissions? No? You should fit in quite well here.

  6. Moral of the story by Lead+Butthead · · Score: 5, Insightful

    Don't report the vulnerability to the authority; they'll just punish you for it.
    Quietly pass the vulnerability to the local crime syndicate to curry favor instead.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  7. Re:Only programmers by Calydor · · Score: 5, Insightful

    See, in this house everyone assumes the lock on the front door works. No one ever tests if it does, they just trust it.

    One day, this guy decides to try opening the door without turning the key in the lock first. Whaddya know, the door opens without a problem.

    Realizing this he writes a note and drops it in their mailbox to warn them.

    Then he gets arrested for breaking and entering.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  8. Dear kiddies... by Lumpy · · Score: 4, Insightful

    DONT FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.

    The police are nothing more than a very well financed street gang.

    --
    Do not look at laser with remaining good eye.
  9. Re:Only programmers by Anonymous Coward · · Score: 3, Insightful

    So capturing signals broadcast over the public airspace and decrypting them is breaking and entering? Gee, then whenever the police use a Stingray device to intercept encrypted data between my cellphone and the cell tower, they are really violating my constitutional rights by entering my home, and I am therefore obliged to sue them personally and directly for that violation of my civil rights. Also Castle law, because hey, they are breaking and entering. Let's get a party together, go find the Stingray van, and kill everyone and everything inside. It's all 100% legal, after all. They picked the digital locks to my digital house and broke down the doors!

    Smugly painting the entire situation with a brush may feel good, but in the long run, you're better off just shutting the hell up. The public will think, after reading that post, that anything a hacker does is breaking and entering. Even in bona fide hacking cases where information was stolen, it isn't breaking and entering, it's something else entirely.

    Why do government employees feel the need to crucify security researchers whenever they discover and disclose security weaknesses? Because when they publicly disclose the information, it not only puts the good guys' lives at stake, but it also makes them look weak and incompetent to the public.

    The cops had 3 years to do something; they didn't even take him out for a cup of coffee and explain to him, or give him the BS excuse of "we've got a pretty substantial investment in equipment, it's going to take time to change it". Nothing was done until he publicly embarrassed them.

    Nobody is right here, but government employees are expected to act in good faith. At this point they should let the kid go, give him and the public an apology, and fix the broken systems. That won't happen, of course, because heaven forbid we ever fire government employees for incompetence.

  10. Re:Only programmers by Feral+Nerd · · Score: 5, Insightful

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    Spoken like a true apparatchik: Why, he should have known better than to try and contribute to the defence of his country by revealing security flaws in police/military communications systems, and should instead just have kept his mouth shut and allowed these vulnerabilities to go unfixed, thus ensuring that the fucking FSB and the Russian army could pwn his country's military in the event of a war. If the people in charge of the Slovenian police/military weren't the bunch of incompetent morons they apparently are, and it sounds like the problem lies with politicos in the defence ministry (DUH! incompetent political appointees screwing up, surprise, surprise...), they'd have hired this guy and others like him long ago and put them in charge of police/military signals security. Speaking for myself, my first reaction would have been to consider recruiting this guy, if only to ensure somebody else didn't snatch him up first. I'll also bet that this is what Slovenian military intelligence wanted to do (if they have a single spark of competence among them).

  11. That's government for you... by mi · · Score: 1, Insightful

    This is another illustration of how clumsy, inefficient, and occasionally evil the government is — even in otherwise decent countries. At least, the guy's sentence is "suspended"...

    And everyone seems to agree with the Libertarians in these cases, but, when the topic is something else, a solid chunk of the audience suddenly switches into believing that the government is not only an acceptable, but the best solution available.

    Why, for example, would the same people be outraged at the government's goons in some discussions (this one, or anything about Snowden, or the CIA), but turn immediately around defending same in discussions of public schools and roads, health service, or municipal WiFi?

    --
    In Soviet Washington the swamp drains you.
  12. Re:Only programmers by aralin · · Score: 5, Insightful

    You discover a door to a bank open:
    Option #1: You tell the bank and the police. They do nothing. You let journalists know the bank and police did nothing for 2 years; you get a jail sentence in retribution.
    Option #2: You tell some criminals for a cut of the profits, retire in the Bahamas. No jail sentence.

    Clearly the system wants us to take option #2. Lesson learned.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  13. Similar problem, better outcome. by dweller_below · · Score: 3, Insightful

    We had a similar problem. Fortunately we had a better outcome.

    One of our university's IT group noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified when we presented the problem to them.

    I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.

    Still, it took months before the vendor deployed fixed code.