Slashdot Mirror


Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting more than two years for a reaction from the police or the Ministry of the Interior, and after getting in touch with security researchers at the prestigious Jozef Stefan Institute, he eventually decided to go public with his story... The police and the Ministry of the Interior then launched an internal investigation, which confirmed Ornig's findings and revealed internal communication problems between the departments... Ornig was subjected to a house search by the police, during which his computers and the equipment he had used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along, Ornig was offering his help with securing the system.

On May 11th Ornig received a prison sentence of 15 months, suspended for a period of three years, provided that he does not repeat any of the offenses for which he was found guilty (illegal access to the communications system). He can appeal this judgment.

10 of 172 comments

  1. Hm... by Anonymous Coward · Score: 5, Insightful

    Is it my imagination or is this student's real crime making public figures look bad?

  2. Do not admit that you did something illegal! by Anonymous Coward · Score: 5, Insightful

    If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.

  3. Lesson: by Opportunist · Score: 5, Insightful

    Do not inform police about their crappy encryption, that's illegal.

    Sell that information to some criminals. That is only potentially illegal, but at least profitable.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. So the lesson is... by Anonymous Coward · Score: 5, Insightful

    Kids, the lesson is simple: never ever under any circumstance "help" authority figures. You'll end up getting fucked.
    You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.

  5. Moral of the story by Lead Butthead · Score: 5, Insightful

    Don't report the vulnerability to the authority; they'll just punish you for it.
    Quietly pass the vulnerability to the local crime syndicate to curry favor instead.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  6. Re:Only programmers by Calydor · Score: 5, Insightful

    See, in this house everyone assumes the lock on the front door works. No one ever tests if it does, they just trust it.

    One day, this guy decides to try opening the door without turning the key in the lock first. Whaddya know, the door opens without a problem.

    Realizing this he writes a note and drops it in their mailbox to warn them.

    Then he gets arrested for breaking and entering.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  7. Re:Only programmers by Blue Stone · Score: 5, Interesting

    This site depresses me sometimes. Look at this comment getting voted up. I mean, aside from the dodgy analogy housebreaking vs penetration testing (which may be similar or not, depending on the specifics) look at this: "Regardless of his objective, he broke the law." --- as if your intentions can not be an absolute defence - punching someone is illegal; punching someone in self-defence is **not** - but "regardless of his objective" is somehow a valid statement? C'mon.

    Score:4, Interesting (at time of writing). Seriously.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  8. Dear kiddies... by Lumpy · Score: 4, Insightful

    DONT FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.

    The police are nothing more than a very well financed street gang.

    --
    Do not look at laser with remaining good eye.
  9. Re:Only programmers by Feral Nerd · Score: 5, Insightful

    computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation.

    There are the key details of the story.

    Yes, I understand that he offered to help. Yes, I understand that he had the noblest intentions. Regardless, he still intentionally broke the law by accessing a system without authorization. That it was easy to do doesn't make it any less of a crime.

    Spoken like a true apparatchik: Why, he should have known better than to try and contribute to the defence of his country by revealing security flaws in police/military communications systems, and instead just kept his mouth shut and allowed these vulnerabilities to go unfixed, thus ensuring that the fucking FSB and the Russian army could pwn his country's military in the event of a war. If the people in charge of the Slovenian police/military weren't the bunch of incompetent morons they apparently are, and it sounds like the problem lies with politicos in the defence ministry (DUH! incompetent political appointees screwing up, surprise, surprise...), they'd have hired this guy and others like him long ago and put them in charge of police/military signals security. Speaking for myself, my first reaction would have been to consider recruiting this guy, if only to ensure somebody else didn't snatch him up first. I'll also bet that this is what Slovenian military intelligence wanted to do (if they have a single spark of competence among them).

  10. Re:Only programmers by aralin · Score: 5, Insightful

    You discover a bank door open:
    Option #1: You tell the bank and the police. They do nothing. You let journalists know the bank and police did nothing for 2 years, you get a jail sentence in retribution.
    Option #2: You tell some criminals for a cut of the profits, retire in the Bahamas. No jail sentence.

    Clearly the system wants us to take option #2. Lesson learned.

    --
    If programs would be read like poetry, most programmers would be Vogons.