Slashdot Mirror
Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)
An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.)
He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.
After waiting for more than two years for a reaction, from police or Ministry of Interior and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.
On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.
After waiting for more than two years for a reaction, from police or Ministry of Interior and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.
On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.
Is it my imagination or is this student's real crime making public figures look bad?
Why is it programmers are the only people who feel breaking into your house to show you how bad your locks are is a reason for congratulations and adoration?
Regardless of his objective, he broke the law. The courts were very lenient on him, so no harm was done.
Punish those who tell you about your vulnerabilities. That way you know that you're not vulnerable.
The security researcher forgot the age-old wisdom of wanting to talk to the manager.
Sounds like this is what he did: http://www.rtl-sdr.com/rtl-sdr...
Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.
All your bays are belong to us!
For him to discover bad police encryption, it means he was illegally messing with it in the first place.
He tried to help them and got a suspended sentence of 15 months in prison (won't that be fun). He was subject to a house search and all of his computers and equipment were seized. He tried to help them all along, and they punished him for it. Now it would have been much more profitable (and no police raid, no prison and no threats and intimidation) if only he had simply sold the information and equipment (for a profit) on the black market to an organized crime ring. He could have made $100,000 or more, gained street cred, and would be sitting on a beach right now sipping something cool and rum flavored, oh, and he wouldn't have to be looking for new computer equipment (more money out of pocket, and there is no guarantee that they won't come along and just take all his new equipment, still new-in-box "on suspicion").
The title says he's a student and the summary says he's a security analyst while the article doesn't mention either. I would imagine that his sentence would depend greatly on who he is and neither the article nor summary give any indication, so there's not enough information to conclude if I agree with the result or not.
Hey, I heard some guys talking in a bar and they said......................so maybe someone should look into this.
If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.
That's a US agency. Slovenia may have an equivalent agency, but it's not called the IRS. My god the editors here are stupid.
Do not inform police about their crappy encryption, that's illegal.
Sell that information to some criminals. That is only potentially illegal, but at least profitable.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
No black market because that still could land him jail.
What you do is find the person who ass will be grass high enough on the food chain so that they can hire you for big bucks as a consultant. And for a job like that, $250,000 US would not be unreasonable.
And THAT will give him some legitimate business cred that would land him more lucrative work - all legal.
Kids, the lesson is simple : never ever under any circumstance "help" authority figures. You'll end up getting fucked.
You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.
Don't report the vulnerability to the authority; they'll just punish you for it.
Quietly pass the vulnerability to local crime syndicate to carry favor instead.
ELOI, ELOI, LAMA SABACHTHANI!?
DONT FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.
The police are nothing more than a very well financed street gang.
Do not look at laser with remaining good eye.
The courts were very lenient on him, so no harm was done.
3 years suspended sentence is not lenient... This is a European country... Where unlike the US, doing a crime is not a life ending event.
On topic, "counterfeit police badge" is very bad... That said, I don't see how they got a search warrant in the first place, so he could probably go after them on the fact that such search warrant shouldn't have been issued.
I remember reading the TETRA encryption was insecure anyways and because of that the Germans added an additional encryption to their TETRA network.
Once again with these types of stories, there's more to it than the summary reveals - which is usually all that /. reads before launching into pearl-clutching hysterics in the comment section.
Ornig judgment is charged attack on the information system, falsification of documents and undue audio recording.
The bit about wiretapping was conveniently left out of the summary.
Ornig should also allegedly in complicity with the person Mr. G., whom the court has earmarked three months' imprisonment conditionally with a year ago, the probation period, in February, March and December 2014, repeatedly invaded or tried to hack into the system Tetra. This would also hamper the operation of radio stations.
Not exactly clear, but I get the impression Ornig was working with someone who was already in trouble for hacking Tetra repeatedly.
Ornig should be according to the judgment of imitation badge in 2010 and 2014 repeatedly falsely pretending to be a police officer.
Impersonating a police officer for 4 years? That's felony in the US.
Third offense unduly sound recording, should Ornig guilty March I and II 2014, with the recording of the conversation of their former colleagues and superior, while he was still working for the security service G4S. On seized during a house search your hard disk Ornig are in fact police officers find copies of that conversation, which is Ornig wanted to prove mobbing
Illegally recording people who work for a former employer. I don't know what "prove mobbing" means, but I guess it had something to do with making the company look bad on the website and media site that printed information from the transcripts he made. Sounds like he's a disgruntled employee motivated by payback.
So basically, like that Tor developer who's hiding from the FBI, this criminal is fronting himself as some kind of innocent security researcher who the police overreacted to when he broke into a system that they and the military use.
Opened the original and using my working knowledge of russian tried to decypher the headline " something weakness something, 3 months, something was executed".
So Slovenian is Just like reading ruby code, you know some of the words and think you got it but then you are executed for missing the meaning.
They'll never understand nor care for your analogy.
This is another illustration of how clumsy, inefficient, and occasionally evil the government is — even in otherwise decent countries. At least, the guy's sentence is "suspended"...
And everyone seems to agree with the Libertarians in these cases, but, when the topic is something else, a solid chunk of the audience suddenly switches into believing, that the government is not only an acceptable, but the best solution available.
Why, for example, would the same people be outraged at the government's goons in some discussions (this one, or anything about Snowden, or the CIA), but turn immediately around defending same in discussions of public schools and roads, health service, or municipal WiFi?
In Soviet Washington the swamp drains you.
I will remember never to engage in a hire-able offence.
Brought to you by Carl's Junior.
And be grateful that you're getting away with your sedition so easily!
Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
Don't go to the authorities with these kinds of things.
Just don't do it.
There is absolutely 0 benefit for the person reporting the problem and it only increases your chances of getting in trouble.
If you find some security problem just leak it anonymously.
Fuck responsible disclosure.
Responsible disclosure is nice for the company, but not for the person disclosing anything.
Okay so it's not exactly the same.
Some years ago while on the job I got so caught up on my projects I found myself with an hour or two to kill everyday for a couple weeks. (Disclaimer: I hid the fact I was caught up early.) Now I am the curious type, especially when it comes to networks and security. Needless to say, I started poking around. Poking around quickly led to hacking around. It was an internal LAN, but still. I followed the bread crumbs and uncovered, lets just say "stuff that was not intended to be uncovered. Much more followed from that. It reached a point where it was down right concerning. So finally I crossed my fingers and called my boss over, who of course was not a tech. He was concerned bordering on unhappy about what I was doing. The next day I got a call from the CIO, which is highly unusual. We had a very long talk about what I had been up to. The talk extended into a discussion of my knowledge and abilities which up till then no one in the company knew I had. I don't remember which hacker topic it was, but at one point the CIO said "fuck me" he did not mean it literally. The result? The CIO gave me permission to keep on hacking our systems as long as I documented everything and reported directly to him. Up to that point, my initial finding resulted in ten or so pages of documentation. It was pretty cool.
A bit off topic. Although I liked my job I found myself in a situation where I had to pick up and move. The details of that are unimportant, but I made sure I had a job waiting for me. Before I left the company, the CIO installed a keystroke logger on my computer. Since I was the only one running Linux, it was my personal computer. The CIO, was one of the single best hackers I have had the pleasure of meeting. Next thing I know I was signed up for a bazillion newsletters and I noticed a Sony Erickson had accessed my Google account. It took me all of one second to figure out what had happened. Fortunately it was all fun and games, nothing malicious. Although I did proceed to reformat the drives in all of my computers and proceeded to change every password I used (a lot) to random alphanumerics every week for a couple of months. Fun stuff.
Brought to you by Carl's Junior.
This why black hats are so abundant. For all instinsive purposes it's pointless to help the "supposed" good guys. Let them fall and learn cyber security the hard way. They look down on the people they are "suppose" to serve anyways.
"A badge from a Halloween costume or cereal box wouldn't warrant a charge by itself "
What land of Reality do you live in?
Certainly, not the one where the news story took place.
Certainly, not the one that I live in.
The wonderful thing about American Liberals is that think that everywhere is just like America! How provincial. How bourgeois. You suck Lefty.
I guess these should be the Slovenian counterparts, or are they also called IRS and Department of Corrections in Slovenia?
I'm not familiar with the details, but it's a bit more complicated. While conducting the house search, the police have found a counterfeit police badge, voice recordings and transcriptions of conversations between his former co-worker and their boss. Dejan was trying to prove he was being harassed in the workplace, he also sent these transcriptions to the media. He was also accused of disrupting TETRA service, which was a consequence of his failed attempts to break into the system. Although some actions of the police might be questionable, I think 3 years of probation is not that bad of a punishment all things considered.
On of our university's IT group noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified, when we presented the problem to them.
I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.
Still, it took months before the vendor deployed fixed code.
What land of Reality do you live in?
Certainly, not the one where the news story took place.
Certainly, not the one that I live in.
America, early 21st century. You should try reading the news more often. Reality in America might shock you.
http://listverse.com/2013/08/30/10-disturbing-cases-of-police-impersonation/
The wonderful thing about American Liberals is that think that everywhere is just like America! How provincial. How bourgeois.
If you bothered to read my comment, I pointed out what would happen in the US. Short history lesson: most legal systems around the world are based on Roman law. Whatever can happen legally in the US, can also happen elsewhere in the world.
https://en.wikipedia.org/wiki/Roman_law
You suck Lefty.
I'm a moderate conservative.
Because this is how you get black hats.
...goes unpunished.
of us vs them
If you discover a security vulnerability, exploit it , profit from it and don't get caught or tell anyone about it, otherwise... if you take the white hat route they will persecute you. It is clear the black hat route is more profitable and is what the authorities would want. The way they treat people trying to help them is stupid.. The authorities in this case should be fired and replaced with people who are a bit more tech savvy and much less assholes.
Next time just sell it to real criminals or foreign intelligence services.
Don't bother to help your country, they will put you in jail for exposing them as incompetent idiots who don't even lsiten to people who want to help them.
hmm $25 dollars. I am betting he didn't get Hamitup! with his rtlsdr, mostly cause he didn't give a fuck about the lower ham freq's.
The lesson learned from this?
Fuck the pigs, sell the vulnerability to the bad guys....?
Great lesson to teach the young hackers...
A pretty standard sort of thank you from people who run a government. He is lucky, a lot of them end up in body bags or crippled and homeless for helping politicians and their machinations.
You know the real truth is, they are more afraid he will expose corruption than they are of their communications not being secure. Its probably a valid concern for them.
"I opened my eyes, and everything went dark again"
That link says quite clearly that English common law system (which formed the basis of US laws upon independence) evolved out of the old Anglo-Saxon laws, which had evolved from the German tradition, which was influenced (but not based on) Roman law. So yes, while most of the world's legal systems are based on Roman law, the one you picked was only very tenuously so, and well over a thousand years ago.
Quite clearly he should have sold the information, even though it's merely Slovenian police and security services, I'm sure a few grand would have been preferable to a (suspended) prison sentence.
Modern Commercial Security: HACK US AND WIN PRIZES.
Modern Government Security: If you just look at us and try to help, we'll put you down. We'd rather have holes being actively exploited by enemies of the state than have the shock horror of a public servant being made to look slightly inept, even if the hole isn't their fault and is a pure accident.
First mistake: telling the authorities about their problem.
Second mistake: making the problem public.
Do be a good citizen and notify the relevant authorities of computer security problems. But be a SMART citizen, and do it anonymously.
Do not be a jerk and make the security problems public. But if you absolutely feel you must do so, do it anonymously.
In a more ideal world that this, anonymity would not be needed. However there are far too many authorities who prefer to blame the messenger than to fix things properly. Your idealism is NOT shared universally.
linquendum tondere
So yes, while most of the world's legal systems are based on Roman law, the one you picked was only very tenuously so, and well over a thousand years ago.
It's even more tenuous that our calendar system is based upon a hippie carpenter getting hammered on a telephone pole 2,000+ years ago.
Same bullshit different country.