
Dutch MP Fined For Ethical Hacking

Posted by Soulskill
from the dutch-politicians-apparently-have-skills dept.
An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined €750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch)."
  • by Anonymous Coward on Friday February 15, 2013 @06:20PM (#42917375)

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to show off his "1337" skillz.

  • by Anonymous Coward on Friday February 15, 2013 @06:29PM (#42917489)

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

  • by Teun (17872) on Friday February 15, 2013 @06:32PM (#42917525) Homepage
    No, the worry is how far he could get with just one user ID.
  • by Anonymous Coward on Friday February 15, 2013 @06:54PM (#42917721)

    No, the worry is how far he could get with just one user ID.

    No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.

    But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported the compromised login to the system administrator (or security, etc.) and gone on his way, not used it to see how far he could go.

  • by plalonde2 (527372) on Friday February 15, 2013 @07:01PM (#42917815)
    And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.
  • Head in sand (Score:4, Insightful)

    by gmuslera (3436) on Friday February 15, 2013 @07:14PM (#42917937) Homepage Journal
    Make it illegal to get warned that you are insecure and you will deserve being raped by unethical hackers. It is pretty much like suing the ones that could predict quakes [go.com], making sure that no one, ever, will warn you till it is too late.
  • by Kaenneth (82978) on Friday February 15, 2013 @08:10PM (#42918489) Homepage Journal

    Three words:

    Two Factor Authentication.

    A little bit of eavesdropping should not allow unlimited remote access to others' medical records.

  • He's an MP. (Score:3, Insightful)

    by Anonymous Coward on Friday February 15, 2013 @08:39PM (#42918695)

    If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.

  • by Fuzzums (250400) on Friday February 15, 2013 @09:00PM (#42918809) Homepage

    In my opinion if you report a system with confidential information to be insecure that would be ethical.
    If the owner of the system hired him, then it would have been his job. That's something different.

  • by westlake (615356) on Friday February 15, 2013 @09:17PM (#42918901)

    At the same time, the judge argues, the defendant may not have had criminal intentions.

    That argument feels off.

    Traditionally, a jury had to decide whether the defendant was of sound enough mind to understand that he was committing a crime.

    The defendant's ethical standards were not the jury's problem.

    His actions were the jury's problem.

    Ethics are flexible. The law rarely bends. No means no.

  • by thrill12 (711899) on Friday February 15, 2013 @10:15PM (#42919147) Journal
    ..the justice department (yes, you read that right) actually had a login to the same database as it was found following the news on this particular case. One has to wonder if the official story (needed because of certain convicts that have their records in the same medical DB) is even a valid reason, and why they would even be allowed within 10 meters of such a sensitive and secret (medical wise) collection of data.
    While Henk Krol is not a 'true hacker' perhaps, this does raise a lot of questions with regards to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or more popular "Chewbacca") tactic is followed...
  • by interval1066 (668936) on Friday February 15, 2013 @10:19PM (#42919167) Homepage Journal

    Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

    Thus we have bad security. It needs to be better. I don't know what the solution is, but a user name/pw is inherently insecure.

  • Re:He's an MP. (Score:4, Insightful)

    by Anonymous Coward on Friday February 15, 2013 @10:42PM (#42919287)
    I don't think anyone capable of pulling this off could become a senator or congressman in the US.
  • Re:He's an MP. (Score:5, Insightful)

    by russotto (537200) on Friday February 15, 2013 @11:26PM (#42919507) Journal

    Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

    We don't have to guess. We know what happens. He'd have been driven to suicide, or if he didn't, branded a felon and thrown in federal prison.

  • by History's Coming To (1059484) on Saturday February 16, 2013 @09:35AM (#42921579) Journal
    Rosa Parks did what she did knowing she would be punished, that's the whole point of civil disobedience. You do what you believe to be right and in the process force the judicial system to punish you in public, exposing a flaw in the system. If Rosa Parks hadn't kicked up the legal fuss she did then she wouldn't have had an impact that would still be discussed on internet fora decades later.
