Slashdot Mirror


Dutch Developer Added Backdoor To Websites He Built, Phished Over 20,000 Users (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built. According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions. The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek. According to Dutch police, the 35-year-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer also left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site's users. Police say that it's impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts. Authorities say the hacker used his access to these accounts to read people's private email conversations, access their social media profiles, sign up for gambling sites with the victim's credentials, and access online shopping sites to make purchases for himself using the victim's funds.

123 comments

  1. So by Anonymous Coward · · Score: 0

    What

    1. Re:So by tattood · · Score: 1

      This proves the importance of using different passwords for every online service you use.

      --
      WTB [sig], PST!!!
  2. I knew it! by Anonymous Coward · · Score: 4, Funny

    There are two kinds of people in this world I hate.

    Those that are intolerant of other people's cultures and the Dutch.

    1. Re:I knew it! by Mr D from 63 · · Score: 1

      There are two kinds of people in this world I hate.

      Those that are intolerant of other people's cultures and the Dutch.

      How about people who don't know what "phishing" means?

    2. Re:I knew it! by gnick · · Score: 1

      Obviously, phishing means hacking and hacking means "stealing with a computer." What other definitions could there possibly be? Duh.

      --
      He's getting rather old, but he's a good mouse.
    3. Re: I knew it! by Anonymous Coward · · Score: 0

      You are either kidding or don't know either...hard to tell.

    4. Re: I knew it! by Anonymous Coward · · Score: 0

      You are either kidding or the whoosh was deafening...hard to tell.

    5. Re: I knew it! by Anonymous Coward · · Score: 0

      I think I just got double whoooooshed

    6. Re:I knew it! by gweihir · · Score: 1

      I get it! You mean to say in a circumspect way that you are Dutch! Nice!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:I knew it! by TechyImmigrant · · Score: 1

      There are two kinds of people in this world I hate.

      Those that are intolerant of other people's cultures and the Dutch.

      I met a drunk Dutch guy in Seattle last week. He was quite the bore.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. all that talent... by Anonymous Coward · · Score: 0

    ...yet no strong encryption on his laptop. And the word of the day is hubris.

    (It's not criminals in general that are dumb - just most of the ones that get caught.)

  4. Useless account creation by Anonymous Coward · · Score: 0

    People think I am weird if I don't like to create an account if I can help it and often don't use a service if it forces the issue for some nebulous reason.

    Then stuff like this happens. Again. And even more services force account creation.

    1. Re:Useless account creation by Anonymous Coward · · Score: 0

      His name was Hugh G. Rection.

    2. Re:Useless account creation by Oswald McWeany · · Score: 1

      I think he's my doppelganger because a lot of women say his name when they meet me.

      --
      "That's the way to do it" - Punch
    3. Re:Useless account creation by tattood · · Score: 1

      People think I am weird if I don't like to create an account if I can help it and often don't use a service if it forces the issue for some nebulous reason.

      Then stuff like this happens. Again. And even more services force account creation.

      Even if you don't create an account, the company still has your name, email and mailing address, and credit card info if you actually bought anything. That is why I only use virtual credit cards on websites, or PayPal.

      --
      WTB [sig], PST!!!
  5. Why not name him? by haruchai · · Score: 3, Interesting

    He's been in custody for over 6 months and is not a minor so why keep his name a secret?

    --
    Pain is merely failure leaving the body
    1. Re:Why not name him? by Anonymous Coward · · Score: 5, Informative

      The Dutch never reveal the names of the accused, even after they are found guilty after trial, has to do with the privacy laws.

    2. Re: Why not name him? by Anonymous Coward · · Score: 2, Interesting

      Because he's not yet been found guilty, and some cultures take a more enlightened approach than others when it comes to destroying potentially innocent lives via the judicial system.

      Think he'd ever find work again, if found not guilty, but named all over Google anyway?

    3. Re:Why not name him? by Anonymous Coward · · Score: 0

      His name is Hugh G. Rection.

    4. Re:Why not name him? by Anonymous Coward · · Score: 0

      Innocent until convicted

    5. Re:Why not name him? by Anonymous Coward · · Score: 0

      He's been in custody for over 6 months and is not a minor so why keep his name a secret?

      Possibly they're still investigating some details?
      Possibly the local legal system protects identity until you're proven guilty (his trial is only just starting)?
      Or maybe they just haven't got round to naming him because it's only just hit the media.

      Or any number of other possible reasons. The article simply doesn't give enough detail to really make anything more than guesses, and frankly I don't care enough to approach the Dutch police to ask them directly. But if you do care enough, please feel free to do so.

    6. Re: Why not name him? by Anonymous Coward · · Score: 1

      I also like keeping guilty people anonymous simply because it seems like in today's celebrity driven culture there's some portion of the population who will do anything to become famous, including doing some quite heinous crimes. Let's not turn criminals into minor celebrities and make them look as cool as possible. I remember looking at the front page of CNN thinking "is it really appropriate to be using the ISIS glamour shots on the front page? Are you trying to make them look as cool and bad ass as possible?"

    7. Re:Why not name him? by Anonymous Coward · · Score: 0

      The Dutch never reveal the names of the accused, even after they are found guilty after trial, has to do with the privacy laws.

      That's where they go wrong. (seriously)

    8. Re:Why not name him? by Holi · · Score: 5, Insightful

      Wow, what's the recidivism rate in Europe compared to America? Yet you seem to think their system is worse than our lock up everyone we don't like policy.

      Sorry but an American critiquing anyone else's prison system is the height of hypocrisy.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    9. Re:Why not name him? by Desler · · Score: 1

      Weak trolling is weak.

    10. Re: Why not name him? by Anonymous Coward · · Score: 0

      Genetic fallacy.

    11. Re:Why not name him? by Desler · · Score: 4, Informative

      Considering the US has the highest recidivism rate, around 76%, in the world, the EU countries by definition are doing better. Norway, as an example, has the lowest recidivism rate, around 20%, in the world.

      http://www.businessinsider.com...

    12. Re: Why not name him? by Anonymous Coward · · Score: 0

      And yet their statement is true. Someone from a country with one of the highest murder rates of first world countries and highest imprisonment rate and the highest recidivism rate in the world critiquing other countries' justice systems is quite rich.

    13. Re:Why not name him? by hcs_$reboot · · Score: 2

      Because nobody here can pronounce it.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    14. Re:Why not name him? by Anonymous Coward · · Score: 1

      Well of course the US has the highest recidivism. We lock people up - often for minor crimes - and then we allow employers to ask if they have ever been convicted of a crime. With a checkbox on an employment application. Duh! Nearly nobody will hire a person who checks the box. And if they don't check the box, a background check finds that they are lying and they still won't be hired. So of course you are going to do more crime if you cannot work to make a living. You aren't just going to say, "well, I screwed up and now I should be homeless, have no food, and die". You will steal things. We make minor criminals into major ones this way. This is obvious. Only apparently not obvious to lawmakers in the US...

    15. Re:Why not name him? by ctilsie242 · · Score: 5, Informative

      As a devil's advocate, it can be argued that other than a direct victim or people who are affected by the criminal's actions, keeping the names of people arrested private isn't such a bad thing. It is a better system than here in the US where as soon as someone is booked, that info goes into hundreds of databases, and even if charges are dropped or the person is found innocent, the arrest record is still public, and can affect finding work in the future. It just might be that the public humiliation of having some peccadillo be forever branded into a person's virtual hide is far greater a punishment than the offense requires.

    16. Re:Why not name him? by Opportunist · · Score: 2

      Not really. Unless you want to detain him forever.

      Else you're one day going to release someone whose only possible career is one as a criminal. Is that what you want?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    17. Re:Why not name him? by Ol Olsoc · · Score: 4, Interesting

      Considering the US has the highest recidivism rate, around 76%, in the world, the EU countries by definition are doing better. Norway, as an example, has the lowest recidivism rate, around 20%, in the world.

      Hey! We pour the most money into our prison system, so it must be the best.

      Sad to say, the get tough on crime crowd in conjunction with the war on drugs, has turned the US Prison system into insanity. Then there is the aspect of money, which in some cases gets you three months for sexual assault rape, http://www.cnn.com/2016/09/02/... versus getting 50 years for stealing a rack of ribs. http://www.huffingtonpost.com/...

      And yet, the people who think that what amounts to a life sentence for stealing food is a fine idea, almost universally don't want to pay for that incarceration.

      We're Kookoo for Cocoa-Puffs some times.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    18. Re:Why not name him? by Ol Olsoc · · Score: 1

      Because nobody here can pronounce it.

      Hmmm, not sure if +1 funny, or +1 insightful........

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re:Why not name him? by Opportunist · · Score: 2

      That's what you get when you base your justice system on the idea of revenge.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    20. Re: Why not name him? by ctilsie242 · · Score: 1

      I remember back in the 1980s, as soon as the press stopped naming people in public who committed suicide, the amount of public suicide pacts and other items went down. What bothered me about the press wasn't the fact that a mass murderer was named. A few years ago, there was a mass shooting at UCSB. The shooter was not just named, but his writings and his YouTube videos were published, and the press spent most of the holiday going through his life like a biography of a hero. What the press should have done is give the guy an emasculating nickname, and from that point on, if the incident comes up, it will be "Happy Bunny" or "Lollipop Licker" who is named for that event, with all his/her writings not readily available, so the person never gets any press after the action. Definitely no monuments with the shooter's name on it. Just the victims.

    21. Re:Why not name him? by Anonymous Coward · · Score: 0

      A potential victim can't stay-away from a perp not already identified. Branding a large *A* on the forehead and breaking the knuckles of maleficent byteboiz and perv progressives would surely do great good. Float them off on an ice-berg heading south? Who sez global warming doesn't have its benefits?

    22. Re:Why not name him? by mwvdlee · · Score: 5, Insightful

      Because you want to be able to punish ex-criminals after he has received his punishment according to the law?
      If a criminal is released from prison, it should be assumed he won't commit crimes again.
      If you assume an ex-prisoner will commit crimes again, your prison system isn't working.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    23. Re:Why not name him? by mwvdlee · · Score: 2

      You're asking the wrong question.
      Why ever release his name at all?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    24. Re:Why not name him? by Anonymous Coward · · Score: 0

      Considering the US has the highest recidivism rate, around 76%, in the world, the EU countries by definition are doing better. Norway, as an example, has the lowest recidivism rate, around 20%, in the world.

      http://www.businessinsider.com...

      For a meaningful comparison, it should be broken down by types of crime.

    25. Re:Why not name him? by mwvdlee · · Score: 1

      Hey! We pour the most money into our prison system, so it must be the best.

      Your prison companies will be happy to make your prison system even better by increasing their profit margins.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    26. Re:Why not name him? by Anonymous Coward · · Score: 0

      That would jeopardise the criminal case against him.

    27. Re: Why not name him? by Anonymous Coward · · Score: 0

      Welcome to America. Please stamp your passport on the way out.

    28. Re:Why not name him? by slashrio · · Score: 1

      Well, we all know whom the US prison system in reality is for.
      Hint: it has to do with financial gain.

      --
      "Trump!!", the new Godwin.
    29. Re:Why not name him? by houghi · · Score: 1

      Innocent until proven guilty. Also the way Europe thinks about privacy is different from how the US thinks about it.
      In Europe everything is private unless it is public.
      In the US everything is public unless it is private.

      And this is for all people, not just for a selected group. This thus includes people who are in prison. It is not that they suddenly are perceived as sub-human. They are still part of our society.

      --
      Don't fight for your country, if your country does not fight for you.
    30. Re:Why not name him? by thegarbz · · Score: 2

      That's where they go wrong. (seriously)

      With crime, criminality, and incarceration rates at a fraction of the USA, to borrow some popular culture references: if this is wrong I don't want to be right.

    31. Re:Why not name him? by Anonymous Coward · · Score: 0

      If the courts and justice system are set up to work for the people, why shouldn't the people get to know? Keep everything quiet and just hope the justice system is doing its job?

    32. Re:Why not name him? by Ol Olsoc · · Score: 2

      Hey! We pour the most money into our prison system, so it must be the best.

      Your prison companies will be happy to make your prison system even better by increasing their profit margins.

      Hard to imagine that people could not figure out that in a corporatocracy, that applying the profit motive to incarcerating humans would not lead to demands and baksheesh to incarcerate more humans. If you have to make more profit every quarter, you need more prisoners, for longer periods of time. The most contradictory thing about that, is that you need to take care of the prisoners so that they live as long as possible, maximizing the profit per prisoner, while the get tough on crime crowd wants them all dead as soon as possible, so they pay as little as possible. Guess who wins?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    33. Re:Why not name him? by houghi · · Score: 1

      In Belgium the employer can ask if you have a clean slate. What they will get is a yes or no. After a while these will be removed depending on the type of crime. You also see the time it happened.
      It is only in very specific places where I was responsible for customers' money that this was actually asked. If you are a desk jockey, most likely nobody will ask.

      --
      Don't fight for your country, if your country does not fight for you.
    34. Re:Why not name him? by Desler · · Score: 1

      What if the person was wrongfully convicted and later determined to be innocent?

    35. Re:Why not name him? by Desler · · Score: 1

      #1 in the world! USA! USA! USA! /sarcasm

    36. Re:Why not name him? by Desler · · Score: 1

      Trying to shift the goalposts. How cute...

    37. Re:Why not name him? by Desler · · Score: 1

      We're #1! We're #1! /sarcasm

    38. Re:Why not name him? by Oswald McWeany · · Score: 1

      I thought I read the US was abolishing all private prisons.

      (because what you said, was correct).

      --
      "That's the way to do it" - Punch
    39. Re:Why not name him? by Oswald McWeany · · Score: 2

      Dutch is easy- it's just German looking words pronounced as if they were English words. Dutch to me always sounded like "fake German" being spoken by an English speaker.

      --
      "That's the way to do it" - Punch
    40. Re:Why not name him? by gweihir · · Score: 1

      Because it is not the US and civilized countries have laws that protect the identities of people that are not yet convicted?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    41. Re:Why not name him? by gweihir · · Score: 3

      They don't. They just have realized, like any civilized country, that punishment is the task of the state and _nobody_ else. Hence they do not release names. This is actually pretty standard in Europe.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    42. Re:Why not name him? by gnick · · Score: 1

      If you assume an ex-prisoner will commit crimes again, your prison system isn't working.

      At least in the U.S., it's a good bet that a criminal will re-commit. This may be a sign that the prison system isn't working, but it doesn't change the fact that we have a recidivism rate of over 50% in the first year after release alone.

      That said, if we don't give "rehabilitated" convicts the benefit of the doubt after "paying their debt," we're pretty much guaranteeing that they'll have to return to crime. Convicts do need the ability to escape their criminal past.

      --
      He's getting rather old, but he's a good mouse.
    43. Re:Why not name him? by Ravaldy · · Score: 1

      Why would we want to give any wiggle room to those who, of their own will opted to be malicious? Isn't trust earned? Why should they get a free pass after screwing up royally?

      IMO going to prison is just part 1 of a 2 phase process. Re-integration is probably the hardest part because now you need to earn people's trust again.

    44. Re:Why not name him? by Anonymous Coward · · Score: 1

      Uh huh. Which is why the recidivism rate in the Netherlands is more than 20% lower than in the US?

    45. Re:Why not name him? by ctilsie242 · · Score: 3

      What wiggle room? The justice system here in the US is a meat grinder that destroys lives, even people who were innocent. Take NYC, for example. Someone gets arrested for jaywalking. Unless they bond out, they are going to be staying at Riker's for over a year until trial. Even after trial, if they are found lily-white innocent, their lives are ruined. They are most likely evicted, their job is long gone, and any vehicle they had is either repossessed or impounded and sold.

      What do we want in the US, a -justice- system, or a -revenge- system? A -justice- system is designed to ensure crimes are not repeated, and rehabilitation is part of that. What we have now is a -revenge- system. It is great if one likes watching people suffer, and great if you have private prison stock, but not if you have any ethics or a conscience. Yes, we need to lock up some people well away from society to keep the streets safe, but why should someone who was caught with a bag of marijuana be locked up for life, and even if they get released, will never be able to hold a meaningful job.

      I'd rather have my taxpayer dollars go for vocational rehab in prisons, so someone getting out has a chance of a job. This way, they can work, or even just cruise on welfare... both are cheaper on the taxpayer than locking them up in a private, for-profit prison for the rest of their life.

    46. Re:Why not name him? by Anonymous Coward · · Score: 0

      ... who, of their own will opted to be malicious ...

      Yes, every time you went 7 MPH over the speed limit, you were committing a malicious act. Yes, paying a woman for sex is a malicious act; ditto with begging on a street corner or smoking a joint of cannabis. Corporations practice the right to speech by taking other people's money (investors) and using it to tell other people's politicians what to do, because such legal behaviour has no destructive consequences at all. That's why the same corporation is not allowed to practice the same behaviour in any other country.

      You are conflating illegal with destructive to society and by implication, legal is beneficial. Most Americans would agree "the law is an ass" and yet demand the hypocrisy of "tough on crime" policies. Punishment provides a fixed benefit to society so providing more punishment does not make a society better. It's why most countries eliminated the death sentence; as the monetary and social cost became unjustifiable. The USA with the highest incarceration, the most expensive health and legal systems, failing education system and shrinking middle class; is not getting safer and happier because they wage wars on the criminals committing terrorism/drug-running/pedophilia/piracy.

      ... after screwing up royally.

      Because, like slavery, witchcraft or communism, once you declare such people to be 'non-people', they lose all rights and deserve whatever suffering they get. It is a socially-supported "fuck you, I got mine" class warfare.

      ... you need to earn people's trust again.

      And do it without welfare services, a housing lease, a job, a car loan, or a voice in the laws forced upon me. That's perpetual punishment, it's not asking me to support a law-abiding society. It's fascinating that so many Americans can't see the double-think in that attitude.

    47. Re:Why not name him? by haruchai · · Score: 1

      I thought I read the US was abolishing all private prisons.

      (because what you said, was correct).

      That may not be as big a deal as it sounds ..... http://www.mockingbirdpaper.com/content/abolishing-private-prisons-biggest-lie-economic-recovery

      --
      Pain is merely failure leaving the body
    48. Re:Why not name him? by Anonymous Coward · · Score: 0

      Dutch is easy- it's just German looking words pronounced as if they were English words. Dutch to me always sounded like "fake German" being spoken by an English speaker.

      "Nein droppen ze haut kaffe oont ze knackkers"

    49. Re:Why not name him? by Anonymous Coward · · Score: 0

      How bad do things have to get for America to get their shit together?

    50. Re:Why not name him? by david_thornley · · Score: 1

      As an employer, why would I want to hire someone with a criminal record? If that person does hurt someone else while working for me, I'm likely to be sued for providing an unsafe work environment by deliberately hiring someone with a criminal record. It's safer to reject the applicant and hope none of the crimes we're forcing him to commit just to survive have an impact on me.

      If I couldn't know if there's a criminal record when making the hiring decision, or if I were confident of not being liable if something goes wrong with such a hire, I'd be much more interested in hiring someone with a record.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    51. Re:Why not name him? by Ol Olsoc · · Score: 1

      How bad do things have to get for America to get their shit together?

      I think we've had a really bad memory leak, and regardless, have voided our warranty.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    52. Re:Why not name him? by Anonymous Coward · · Score: 0

      Calling him a "crook" rather than a suspect also implies guilt and opens this site to a claim of libel should the person in custody be exonerated.

  6. You get what you pay for... by Anonymous Coward · · Score: 0

    When software developers are registered to regulating bodies, have insurance and are paid like doctors, lawyers, accountants, engineers and other trusted professionals this type of behaviour will become more prolific. But of course nobody wants to pay for that, so they get what they pay for.

    1. Re:You get what you pay for... by Anonymous Coward · · Score: 0

      When soft.. == Until soft.. (doh)

    2. Re:You get what you pay for... by Anonymous Coward · · Score: 0

      Not a new idea

    3. Re:You get what you pay for... by worf_mo · · Score: 1

      Because doctors, lawyers, accountants, engineers and other trusted professionals are less prone than software developers to do shady or outright illegal things when exercising their profession? I don't have any specific data about that, but members of any of the above categories pop up in the relevant sections on the news now and then. If you are a crook you're a crook, and no regulating body nor an insurance will change that.

      But of course nobody wants to pay for that, so they get what they pay for.

      As far as TFS goes, none of his customers have paid him to siphon their customers' data. If he wasn't happy with what his customers were willing to pay he could simply have not accepted the jobs.

      OTOH there are many examples of software projects - some of them are mentioned on this site now and then - that were badly handled although absurdly high amounts of money have been paid.

    4. Re:You get what you pay for... by Anonymous Coward · · Score: 0

      When software developers are registered to regulating bodies, have insurance and are paid like doctors, lawyers, accountants, engineers and other trusted professionals this type of behaviour will become more prolific. But of course nobody wants to pay for that, so they get what they pay for.

      So you want to regulate programming. What a fascist approach. Let programming be free.

      My company develops websites and apps, among other services, and we are the superadmins for the clients [hundreds]. In our case, commercial ethics is enough.

    5. Re:You get what you pay for... by volodymyrbiryuk · · Score: 1

      There is an interesting talk by Robert C. Martin on a similar topic: http://developeronfire.com/pod...! The registration will probably lead to more bureaucracy to the point where we will have "regulation bodies" who exist for their own sake.

      --
      sudo rm -r -f --no-preserve-root /
    6. Re:You get what you pay for... by The-Ixian · · Score: 1

      What I don't understand is why he needed "back doors".

      During the course of work (obviously depending on scope) you may need access to sensitive information: admin passwords, internet utility bills, access to admin e-mail accounts (postmaster, webmaster), employee rosters, internal topology information, router passwords, the list goes on. All of this stuff is usually handed over without a second thought.

      I have known these details and more for many local companies in my course of work. I have never abused that trust (I actually go out of my way to try to not remember passwords and other sensitive information), but I can certainly see how it could be abused without ever having to install any malware.

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re: You get what you pay for... by Anonymous Coward · · Score: 0

      Are you hiring? My buddy from the Netherlands sent me this cool backdo...erm I mean CMS system that I heard works wonders. I am eager to test it out.

    8. Re:You get what you pay for... by IRGlover · · Score: 1

      He was using the accounts of the USERS of the websites, not the OWNERS. Putting in a backdoor would mean that even when the admin passwords are changed, he would still have access to the data. Also, a backdoor likely also gives a level of plausible deniability to deflect suspicion should a 'hack' ever be spotted internally - "it can't have been me. I never had access to the live server. I just gave you the code to deploy yourself".

    9. Re:You get what you pay for... by Anonymous Coward · · Score: 0

      I have work as a software developer in the Netherlands, and having seen several companies from the inside and having met quite a number of corporate customers and service providers, I think I can safely say that all Dutch software shops are run by crooks and mostly staffed by crooks. This guy was just unlucky or stupid enough so the police could pin something on him, is all.

    10. Re:You get what you pay for... by Anonymous Coward · · Score: 0

      The IEEE is also considering licensing software developers (http://theinstitute.ieee.org/career-and-education/career-guidance/licensing-software-engineers-is-in-the-works), for critical stuff where harm can be done it makes sense. It is not about freedom or fascism. You just have to prove that you have the qualifications and integrity to do the job, if you mess up severely (malpractice) the industry has the right to stop you from practicing. When the consequences to people's lives are at stake I think this is absolutely ok. I would feel better if the guy writing control software for passenger transport is both registered and accredited. Building informational websites no license required, dealing with personal/financial data of third parties then you need to be held personally accountable.

  7. Things that make you go Hmmmmm. by Anonymous Coward · · Score: 0

    This makes me wonder about how many more websites have been developed by folks with nefarious intent. Are there hundreds, thousands, or even worse, somewhere in the millions? How many developers are like this guy, and not only collect credentials, but install some sort of virus? I'm afraid that the answer is that we will never know. Kudos to whoever discovered this, and tracked it right back to the developer.

    1. Re:Things that make you go Hmmmmm. by Oswald McWeany · · Score: 1

      You can probably add Slashdot to that list. They are collecting all our opinions about Trump, AI being real, and the slashvertisement of the day and are going to use that information against us.

      --
      "That's the way to do it" - Punch
  8. Hmm by Anonymous Coward · · Score: 0

    Why do they continue to call these people hackers?
    Coding a backdoor doesn't make you a hacker.
    Finding a bug in somebody else's program and gaining access makes you a hacker.
    Well...at least that's how I feel about it.
    "Hackathons" and other programming events with the word "hack" don't change this one bit.

    1. Re:Hmm by Anonymous Coward · · Score: 0

      Probably because he hacked into people's private email accounts... their social media profiles.... online shop accounts... you know... stuff like that... you know... "illegally"

    2. Re:Hmm by Anonymous Coward · · Score: 0

      He didn't hack into anything. He logged in to services with valid credentials that he gained by installing a backdoor while in a position of trust.

      The word hack has been subverted a lot over the years. So much that it now means "illegally accessing something by whatever means".

      It initially did not have any illegal connotations and a lot of hackers in the original sense would like to return it to its original meaning.
      Just for reference, the old definition that makes the naming of things like Hackathons make sense:
      http://www.catb.org/jargon/html/H/hack.html

    3. Re:Hmm by Ol+Olsoc · · Score: 1

      Why do they continue to call these people hackers?

      I hear Xanax is now being prescribed for Pedantic Anxiety Syndrome. Ask your Doctor if Xanax is right for you!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re: Hmm by Anonymous Coward · · Score: 0

      My doctor prescribed me Xanax and I feel great.!..!.!;$:)/);&;@:):63$;@/@/);),6$3@/@dhshxhfkkchehdud

      Whoa, sorry I just blacked out and fell asleep with my head on the keyboard. What was I saying? I can't remember.

    5. Re: Hmm by Ol+Olsoc · · Score: 1

      My doctor prescribed me Xanax and I feel great.!..!.!;$:)/);&;@:):63$;@/@/);),6$3@/@dhshxhfkkchehdud

      Whoa, sorry I just blacked out and fell asleep with my head on the keyboard. What was I saying? I can't remember.

      You were saying "Life is damn good!" 8^)

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Hmm by Megol · · Score: 1

      The original meaning? Which of them? That some people are hacks?

      Words can have multiple meanings and commonly do. Words also change meaning (or accumulate more meanings). There is no problem accepting people can be hacks, that there are many elegant hardware hacks, that some people are excellent hackers and that some people are hacking into other people's computers. Not for me anyway, YMMV.

  9. Love the town names by Anonymous Coward · · Score: 0

    I really hope Zwolle, Sneek, and Leeuwarden look as magical and fantastic as their names imply.

    1. Re:Love the town names by Anonymous Coward · · Score: 0

      Nah, just typical looking European cities. Maybe they will look "magical" to you if all you have seen are the sterile, cookie-cutter style American cities, but to the more worldly they are quite dull.

  10. Oh that is just textbook xkcd... by teslar · · Score: 4, Funny
    1. Re:Oh that is just textbook xkcd... by Holi · · Score: 1

      Comic from 2010, gotta wonder if that is where the idea originated.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    2. Re:Oh that is just textbook xkcd... by chihowa · · Score: 1

      Why is xkcd (through fastly) still using a cert signed by a revoked intermediate CA? Isn't three months long enough to sort that out?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:Oh that is just textbook xkcd... by chihowa · · Score: 1

      OK, it looks like the fix for them accidentally revoking their certificate was just to un-revoke it and pretend that it never happened. Clearing my OCSP cache "resolved" the issue. That whole affair really reinforces my faith in the CA system.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    4. Re:Oh that is just textbook xkcd... by Quirkz · · Score: 1

      "Since March of 1997 I don't really believe in anything." That's oddly specific. Curious if he's referencing a specific thing/event, or if that's a callback to a personal moment of truth, or just a weirdly detailed joke?

    5. Re:Oh that is just textbook xkcd... by ChoGGi · · Score: 2

      However, he reveals that "since March of 1997" he doesn't really believe in anything. This could possibly refer to the March 26, 1997 incident in San Diego, California, where 39 Heaven's Gate cultists committed mass suicide at their compound. It is a plausible explanation, since one of them was the brother of Nichelle Nichols (a Star Trek actress), so the event got a big resonance in nerd circles (and Randall often refers to Star Trek in xkcd). However, given Black Hat's strange behavior, it could be anything, even Bill Clinton banning federal funding for human cloning research.

      https://www.explainxkcd.com/wi...

  11. EULA by wardrich86 · · Score: 1

    Should have just added a line to the EULA that he would be able to gain access to your account(s) if you register. Nobody reads the EULA, and there'd be no case against him because it would be in the EULA.

    This should also set the precedent that the government can be arrested if they put backdoors into things... of course, that will never happen. Nothing is illegal if the Government is doing it.

    1. Re:EULA by Anonymous Coward · · Score: 0

      EULAs are not legally binding in the Netherlands.

  12. Maybe they'll let him go by Anonymous Coward · · Score: 0

    If he starts dressing like a woman.

    1. Re:Maybe they'll let him go by Opportunist · · Score: 1

      Dude, if you start dressing as a woman in a male prison, you better be serious about it...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Maybe they'll let him go by Anonymous Coward · · Score: 0

      AYYYYOOO AC, hold my pocket.

      The squirrel master won't be there to protect you forever.

    3. Re:Maybe they'll let him go by Oswald+McWeany · · Score: 1

      I'm not even sure how one would go about "dressing up" as a woman in prison. It's not like prison uniforms come in a wide variety of fashion styles that prisoners get to pick.

      "Oh, like, this orange jumpsuit is so, tacky. I'll try the black and white stripes, it is so slimming and fabulous, like, oh, I can add this red belt as an accessory, that would be like, so rad."

      --
      "That's the way to do it" - Punch
  13. Dangerous words by Anonymous Coward · · Score: 0

    He's called a crook and then a suspect in the blurb. So which is it? You do know, don't you, that calling him a crook can make you the subject of a lawsuit?

  14. The town name just was too funny. by MensaMoron · · Score: 1

    He is a Sneak Thief from Sneek.

    1. Re:The town name just was too funny. by Anonymous Coward · · Score: 0

      In Dutch, "Sneek" is pronounced as the English "snake".

    2. Re:The town name just was too funny. by Anonymous Coward · · Score: 0

      In Dutch you pronounce Sneek as the English 'snake' - which is still fitting.

  15. What Backdoor? by coofercat · · Score: 1

    Anyone know how he got the information out of the sites he'd created? How did he 'install some scripts'? And even then, how did he get the data out?

    I realise that if you're hiring someone like this you might not be so-inclined to watch logs and whatnot, but there must be some sort of trail left by his accesses.

    1. Re:What Backdoor? by The-Ixian · · Score: 1

      My guess is that he had the credentials to legitimately log in to the web hosts and make whatever changes he wanted.

      In the tradition of: "you touched it last, it's yours", many professional web dev outfits will also just take the role of web server maintainers (even if they typically suck at that job) or, at the very least, hang on to the web host credentials in case the client comes back to them with problems or changes.

      If you are the web dev, you could very easily, for example, e-mail yourself in addition to the legitimate recipient for every submitted web form. Really, anything you can do on a web site, a copy could be sent to the web dev. I would assume this could include everything from names and e-mail addresses to passwords and credit card information. It just depends on what the site does.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:What Backdoor? by Anonymous Coward · · Score: 0

      Webdev here, when clients give you access to their servers so you can make their site, there's all kinds of crazy shit you can do. Install monitor scripts, modify existing code that will capture and send data to anywhere you want, etc. If you did it right, you could even clean up any trail you left behind, but the real reason is, the client doesn't care or never, ever logs in to the server to check for that kind of thing.

    3. Re:What Backdoor? by LordWabbit2 · · Score: 1

      Clearly you are not a developer. All you would have to do is create a webpage which, when you pass it a certain variable, pops up a form to upload something and run it on the server. The webpage does a legitimate task (registration for instance) but if you access it with webpage.php?action=registers instead of webpage.php?action=register it jumps to a separate section and allows you to upload a file etc. Even if someone were to give the site a once over it would be hard to pick up. To make it even more secure you can have it check for a cookie or originating IP address so that if someone else tries it, it will ignore it.

      Developers have access to very sensitive stuff, there is a very high level of trust that the developer is not going to do what this guy did. Firstly they are expensive to hire, what they produce can only be understood by another developer, so just having the code double checked (properly, not just a quick look) will almost double your costs, so it's rarely going to happen.

      I'm not sure about other countries, although I imagine it's pretty much the same everywhere, but any financial institution here does a full background check before they will hire you. Any criminal record and you won't even get an interview. Bad debt is almost as bad, if you are black listed don't even bother applying. Sometimes they will make an exception for black listing, depends on the situation, but in all my years I have only heard of one.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    4. Re:What Backdoor? by coofercat · · Score: 1

      You're right - I'm a devops, so I know a lot about sysadmin, and a bit about dev. I know he *could* do all those things, but I was looking to find out what he did do, and how he covered his tracks (if at all). I doubt most of the site owners would be checking /var/log/audit logs or /var/log/nginx/access.log or whatever, but if they had been, would they have been able to see something going on?

      It's my impression that most criminals aren't nearly clever enough. He *could* have written scripts to snaffle the data and delete the logs that showed it happening, but I guess I'm wondering if he did all of that and if in fact, there's a clear trail of evidence on the systems he delivered.
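Added example, not part of any comment in this thread and not code from the case: a defender's check for the hidden-parameter pattern described above (`action=registers` next to `action=register`), run over access logs of the kind mentioned in the question. The allowlist, the `login` and `reset` actions, the log lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the action values the site's own links and forms use.
KNOWN_ACTIONS = {"/webpage.php": {"register", "login", "reset"}}

# Leading fields of the nginx/Apache "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2017:09:12:01 +0100] "GET /webpage.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Jan/2017:23:41:10 +0100] "GET /webpage.php?action=registers HTTP/1.1" 200 812 "-" "curl/7.50"
203.0.113.50 - - [10/Jan/2017:23:41:32 +0100] "POST /webpage.php?action=registers HTTP/1.1" 200 64 "-" "curl/7.50"
198.51.100.23 - - [11/Jan/2017:08:02:19 +0100] "GET /webpage.php?action=logni HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

def edit_distance(a, b):
    """Levenshtein distance, to spot near-misses of a legitimate value."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_unlisted_actions(log_text, known=KNOWN_ACTIONS, param="action"):
    """Group requests whose action value is off the allowlist, with triage hints."""
    hits = defaultdict(lambda: {"ips": set(), "methods": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if url.path in known and value not in known[url.path]:
                h = hits[(url.path, value)]
                h["ips"].add(m["ip"])
                h["methods"].add(m["method"])
                h["statuses"].add(int(m["status"]))
    findings = []
    for (path, value), h in hits.items():
        nearest = min(sorted(known[path]), key=lambda k: edit_distance(value, k))
        findings.append({
            "path": path, "value": value, "nearest": nearest,
            "distance": edit_distance(value, nearest),
            "served_ok": 200 in h["statuses"],   # server answered 200 to an unlisted value
            "has_post": "POST" in h["methods"],  # a request body was sent to it
            "sources": sorted(h["ips"]),
        })
    # Heuristic: unlisted values answered with 200 sort first, then closest near-misses.
    return sorted(findings, key=lambda f: (not f["served_ok"], f["distance"]))

if __name__ == "__main__":
    print(*find_unlisted_actions(SAMPLE_LOG), sep="\n")
```

This only works if the logs live somewhere the developer cannot edit, and a branch gated on a cookie or source address leaves no trace until it is actually used, so it complements a source review rather than replacing one.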

    5. Re:What Backdoor? by Anonymous Coward · · Score: 0

      You're right - I'm a devops, so I know a lot about sysadmin, and a bit about dev. I know he *could* do all those things, but I was looking to find out what he did do, and how he covered his tracks (if at all). I doubt most of the site owners would be checking /var/log/audit logs or /var/log/nginx/access.log or whatever, but if they had been, would they have been able to see something going on?

      It's my impression that most criminals aren't nearly clever enough. He *could* have written scripts to snaffle the data and delete the logs that showed it happening, but I guess I'm wondering if he did all of that and if in fact, there's a clear trail of evidence on the systems he delivered.

      You can't do that with major FOSS CMS's. Your script would stand out very conspicuously to the trained eye.

    6. Re:What Backdoor? by swb · · Score: 1

      It's my impression that most criminals aren't nearly clever enough.

      Maybe small-time criminals like home burglars or armed robbery people aren't clever enough, but someone capable of delivering a working e-commerce site? I'm assuming there that all the cleverness required to pull it off is built-in.

      My question is -- they caught THIS guy, but how many have done the same thing and not gotten caught? There's possibly millions of e-commerce sites out there written by people with nobody looking over their shoulder and not enough resources for someone to check for something like this.

      Surely this isn't the only person to give in to a moral hazard like this.

    7. Re:What Backdoor? by coofercat · · Score: 1

      Right - so back to my original question... what *did* he do?

    8. Re:What Backdoor? by Anonymous Coward · · Score: 0

      If you weren't a complete moron you would improperly sanitize user input in some out of the way place and then compromise it from behind tor some months after the end of the engagement with a "realistic" scan. The only thing pointing back to you would be that a bunch of sites developed by the same guy had a similar vulnerability, which isn't very compelling.
      OTOH, the system I'm working on now has a huge "security hole" that is needed so that certain IoT devices can make API calls without user credentials. It's not great, but it's also not fixable for another 5+ years when old hardware finally dies. If some rando did a code review it may look like a backdoor, but it isn't.

      The "cyber" guys I met while doing some consulting for my (large) local pd were all semi-morons that couldn't do more than just barely use the tools that were purchased for them.

      The point of all of this is that I would also like more details before thinking this guy actually did something inappropriate.

    9. Re:What Backdoor? by LordWabbit2 · · Score: 1

      I doubt he did any of this on a major FOSS project's main trunk, it would definitely have been picked up there. He could have modified a WordPress site to add the functionality / backdoor and deployed that directly onto the server. No one would think to check that the code was not standard. I doubt he did that though, since they have an update function which would have wiped out his backdoor. I suspect this was all custom code, probably some cookie cutter website he used with a lot of his clients.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    10. Re:What Backdoor? by LordWabbit2 · · Score: 1

      The clever ones are not criminals, they get away with it. There are some scary smart people working on the trojans etc. out there. Some of the stuff is hand coded in assembler, which they structure in such a way that the usual debuggers get confused and either crash or start following the wrong path, all just to make it more difficult for the white hats to figure out how to shut down the botnet.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  16. Hello Mr. victim by SpaghettiPattern · · Score: 1, Funny

    Hello Mr. victim. It is me, Steffen van der Hast-Gracht of the Amsterdam police. Wiz my partner and also I am very happy to say my lover Ronald. I am terribly sorry to inform you zat you haf bin vukked ofer ze Internet by some ferry dubious person stemming from Ze Nezerlands. Vee haf already prepared ze forms for you to fill in so zat you can claim insurance, psychological help and absent time from yor wurk. Vee also made petition on ze Internet for you to arrange a silent march over ze canals. You ken bye flowers from my nephew but if you don't want or you don't like also from any other shop. Yes. End may I infite you for a romantic evening with you, your partners, our dogs and a few convicted drug dealers zat reely reely promise to take ze right path very soon.

    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  17. Re: guilty people? by slashrio · · Score: 1

    He's a suspect. He will only become guilty when the judge has ruled so.

    --
    "Trump!!", the new Godwin.
  18. Back door unneeded by CODiNE · · Score: 1

    Could have just left a couple vulnerabilities sprinkled in odd places and used poor hashing practices. He'd have complete deniability as it looks just like 90% of websites out there.

    --
    Cwm, fjord-bank glyphs vext quiz
  19. Re: not obvious to law makers by slashrio · · Score: 1

    It is obvious to them, but on the other hand there are the re-election contributions from lobbying prison-organisations that stand to gain from more prisoners.

    --
    "Trump!!", the new Godwin.
  20. Just like roaches. If by pjv936 · · Score: 1

    you see one there must be hundreds. There have to be other developers who have installed a backdoor into the web sites they built. You should have your web site source code checked for a backdoor.