Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)
An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.)
He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.
After waiting for more than two years for a reaction from police or the Ministry of Interior, and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of Interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.
On May 11th Ornig received a prison sentence of 15 months, suspended for a duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.
Is it my imagination or is this student's real crime making public figures look bad?
Sounds like this is what he did: http://www.rtl-sdr.com/rtl-sdr...
Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.
All your bays are belong to us!
computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.
There are the key details of the story.
Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.
You do not have a moral or legal right to do absolutely anything you want.
If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.
This is a terrible analogy. He didn't "break into" anything. They broadcasted poorly encrypted information to whoever was listening, and assumed that nobody listening could decrypt it. Now they're mad because they were proven wrong.
Do not inform police about their crappy encryption, that's illegal.
Sell that information to some criminals. That is only potentially illegal, but at least profitable.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Next time he will hopefully not be so dumb and inform the cops but sell that info to some criminals. There's money to be made with a device that lets them know when the sting's gonna fall.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The same kind of police badge I have? That came in the cereal box?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Kids, the lesson is simple : never ever under any circumstance "help" authority figures. You'll end up getting fucked.
You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.
Don't report the vulnerability to the authority; they'll just punish you for it.
Quietly pass the vulnerability to the local crime syndicate to curry favor instead.
ELOI, ELOI, LAMA SABACHTHANI!?
See, in this house everyone assumes the lock on the front door works. No one ever tests if it does, they just trust it.
One day, this guy decides to try opening the door without turning the key in the lock first. Whaddya know, the door opens without a problem.
Realizing this he writes a note and drops it in their mailbox to warn them.
Then he gets arrested for breaking and entering.
-=This sig has nothing to do with my comment. Move along now=-
This site depresses me sometimes. Look at this comment getting voted up. I mean, aside from the dodgy analogy housebreaking vs penetration testing (which may be similar or not, depending on the specifics) look at this: "Regardless of his objective, he broke the law." --- as if your intentions can not be an absolute defence - punching someone is illegal; punching someone in self-defence is **not** - but "regardless of his objective" is somehow a valid statement? C'mon.
Score:4, Interesting (at time of writing). Seriously.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
DON'T FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.
The police are nothing more than a very well financed street gang.
Do not look at laser with remaining good eye.
So capturing signals broadcasted over the public airspace and decrypting them is breaking and entering? Gee, then whenever the police use a Stingray device to intercept encrypted data between my cellphone and the cell tower, they are really violating my constitutional rights by entering my home and I am therefore obliged to sue them personally and directly for that violation of my civil rights. Also Castle law, because hey they are breaking and entering. Let's get a party together, go find the stingray van, and kill everyone and everything inside. It's all 100% legal, after all. They picked the digital locks to my digital house and broke down the doors!
Smugly painting the entire situation with a brush may feel good, but in the long run, you're better off just shutting the hell up. The public will think, after reading that post, that anything a hacker does is breaking and entering. Even in bona fide hacking cases where information was stolen, it isn't breaking and entering, it's something else entirely.
Why do government employees feel the need to crucify security researchers whenever they discover and disclose security weaknesses? Because when they publicly disclose the information, it not only puts the good guys' lives at stake, but it also makes them look weak and incompetent to the public.
The cops had 3 years to do something; they didn't even take him out for a cup of coffee and explain to him or give him the BS excuse of "we've got a pretty substantial investment in equipment, it's going to take time to change it". Nothing was done until he publicly embarrassed them.
Nobody is right here, but government employees are expected to act in good faith. At this point they should let the kid go, give him and the public an apology, and fix the broke systems. That won't happen, of course, because heaven forbid we ever fire government employees for incompetence.
computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.
There are the key details of the story.
Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.
Spoken like a true apparatchik: Why, he should have known better than to try and contribute to the defence of his country by revealing security flaws in police/military communications systems and instead just kept his mouth shut and allowed these vulnerabilities to go unfixed thus ensuring that the fucking FSB and the Russian army could pwn his country's military in the event of a war. If the people in charge of the Slovenian police/military weren't the bunch of incompetent morons they apparently are, and it sounds like the problem lies with politicos in the defence ministry (DUH! incompetent political appointees screwing up, surprise, surprise...), they'd have hired this guy and others like him long ago and put them in charge of police/military signals security. Speaking for myself, my first reaction would have been to consider recruiting this guy if only to ensure somebody else didn't snatch him up first. I'll also bet that this is what Slovenian military intelligence wanted to do (if they have a single spark of competence among them).
I'm not condoning his actions, but I do believe as a computer scientist I have some authority to call someone out on their actions. I have a duty to inform people that you can formally prove that a system is secure. For some reason most people don't even consider that a thing.
The house analogy breaks down because it would be impractical to build a house that no one can break into, but many systems have been designed with formal proofs of security and are secure given certain constraints.
The sad thing is that the systems with formal proofs can take less time to design and engineer, so sometimes it's just pure laziness that it isn't done correctly.
With that said it doesn't give anyone the right to break into a computer system.
Okay so it's not exactly the same.
Some years ago while on the job I got so caught up on my projects I found myself with an hour or two to kill every day for a couple weeks. (Disclaimer: I hid the fact I was caught up early.) Now I am the curious type, especially when it comes to networks and security. Needless to say, I started poking around. Poking around quickly led to hacking around. It was an internal LAN, but still. I followed the bread crumbs and uncovered, let's just say, "stuff that was not intended to be uncovered." Much more followed from that. It reached a point where it was downright concerning. So finally I crossed my fingers and called my boss over, who of course was not a tech. He was concerned bordering on unhappy about what I was doing. The next day I got a call from the CIO, which is highly unusual. We had a very long talk about what I had been up to. The talk extended into a discussion of my knowledge and abilities which up till then no one in the company knew I had. I don't remember which hacker topic it was, but at one point the CIO said "fuck me"; he did not mean it literally. The result? The CIO gave me permission to keep on hacking our systems as long as I documented everything and reported directly to him. Up to that point, my initial finding resulted in ten or so pages of documentation. It was pretty cool.
A bit off topic. Although I liked my job I found myself in a situation where I had to pick up and move. The details of that are unimportant, but I made sure I had a job waiting for me. Before I left the company, the CIO installed a keystroke logger on my computer. Since I was the only one running Linux, it was my personal computer. The CIO was one of the single best hackers I have had the pleasure of meeting. Next thing I know I was signed up for a bazillion newsletters and I noticed a Sony Ericsson had accessed my Google account. It took me all of one second to figure out what had happened. Fortunately it was all fun and games, nothing malicious. Although I did proceed to reformat the drives in all of my computers and proceeded to change every password I used (a lot) to random alphanumerics every week for a couple of months. Fun stuff.
Brought to you by Carl's Junior.
At the same time, they didn't seem all that interested in the false identification until he reported the weakness. The last instance of the false ID was 2014.
You discover a bank door open:
Option #1: You tell the bank and the police. They do nothing. You let journalists know the bank and police did nothing for 2 years, you get jail sentence in retribution.
Option #2: You tell some criminals for a cut of the profits, retire in Bahamas. No jail sentence.
Clearly the system wants us to take option #2. Lesson learned.
If programs would be read like poetry, most programmers would be Vogons.
Thus why no law enforcement will actually admit in court to using Stingrays. They would rather withdraw the evidence and have the case fail instead.
One of our university's IT groups noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified when we presented the problem to them.
I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.
Still, it took months before the vendor deployed fixed code.
I do have to admit, though, that it got me into trouble, too. My mom explained to me in no uncertain terms that it does not give me authority to do a strip search with Jessica...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
But what if you can't know it's insecure unless you break into it first? If you're not a security expert and you have not been called in to assist, then don't go breaking into anything. If it's for something important and not just for police (like say voting machines) then do it secretly.
Anyone smart enough to understand security (ie, not a script kiddie) should also presumably be smart enough to understand personal security.
You should have just called your mom a soft-on-crime bleeding heart liberal SJW.
Quite clearly he should have sold the information, even though it's merely Slovenian police and security services, I'm sure a few grand would have been preferable to a (suspended) prison sentence.
Modern Commercial Security: HACK US AND WIN PRIZES.
Modern Government Security: If you just look at us and try to help, we'll put you down. We'd rather have holes being actively exploited by enemies of the state than have the shock horror of a public servant being made to look slightly inept, even if the hole isn't their fault and is a pure accident.
I don't think you understand software, nor does the government. No one gets hurt with white hat hacking. Comparing it to rape is like comparing a snow cone to a blizzard. External security audits are the best way to find vulnerabilities, and when the results are given to you for free, it's even better. The law hasn't caught up with technology in this case yet. Jailing good people who are trying to help is a bad idea, period. That's why there are things like the Good Samaritan law and stand your ground laws that protect people who are trying to do the right thing.
Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
First mistake: telling the authorities about their problem.
Second mistake: making the problem public.
Do be a good citizen and notify the relevant authorities of computer security problems. But be a SMART citizen, and do it anonymously.
Do not be a jerk and make the security problems public. But if you absolutely feel you must do so, do it anonymously.
In a more ideal world than this, anonymity would not be needed. However there are far too many authorities who prefer to blame the messenger than to fix things properly. Your idealism is NOT shared universally.
linquendum tondere