Dutch MP Fined For Ethical Hacking 122
An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined 750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch).'"
Showoff Gets Off Easy (Score:5, Insightful)
So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?
He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to showoff his "1337" skillz.
Thats how civilized countries do it! (Score:5, Insightful)
No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.
Re:Showoff Gets Off Easy (Score:5, Insightful)
Re:Showoff Gets Off Easy (Score:3, Insightful)
No, the worry is how far he could get with just one user ID.
No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.
But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported the compromised login to the system administrator (or security, etc.) and gone on his way, not used it to see how far he could go.
Re:Showoff Gets Off Easy (Score:5, Insightful)
Head in sand (Score:4, Insightful)
Re:Showoff Gets Off Easy (Score:5, Insightful)
Three words:
Two Factor Authentication.
A little bit of eavesdropping should not allow unlimited remote access to others medical records.
He's an MP. (Score:3, Insightful)
If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.
Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.
I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.
Re:It's not Ethical at all... (Score:5, Insightful)
In my opinion if you report a system with confidential information to be insecure that would be ethical.
If the owner of the system hired him, then it would have been his job. That's something different.
Re:Showoff Gets Off Easy (Score:2, Insightful)
At the same time, the judge argues, the defendant may not have had criminal intentions.
That argument feels off.
Traditionally, a jury had to decide whether the defendant was of sound enough mind to understand that he was committing a crime.
The defendant's ethical standards were not the jury's problem.
His actions were the jury's problem.
Ethics are flexible. The law rarely bends. No means no.
To add a little gory detail... (Score:4, Insightful)
While Henk Krol is not a 'true hacker' perhaps, this does raise a lot of questions with regards to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or more popular "Chewbecca") tactic is followed...
Re:Showoff Gets Off Easy (Score:4, Insightful)
Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.
Thus we have bad security. It needs to be better. I don't know what the solution is, but a user name/pw is inherently insecure.
Re:He's an MP. (Score:4, Insightful)
Re:He's an MP. (Score:5, Insightful)
We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.
Re:Civil Disobedience (Score:4, Insightful)