Forgot your password?
typodupeerror
The Courts Privacy Security Your Rights Online

Dutch MP Fined For Ethical Hacking 122

Posted by Soulskill
from the dutch-politicians-apparently-have-skills dept.
An anonymous reader writes "Dutch Member of Parliament (MP) Henk Krol was fined 750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information. Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there ... In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling (PDF in Dutch).'"
This discussion has been archived. No new comments can be posted.

Dutch MP Fined For Ethical Hacking

Comments Filter:
  • by Anonymous Coward on Friday February 15, 2013 @07:20PM (#42917375)

    So this putz uses a stolen password to steal confidential documents. He claims that this is ethical hacking?

    He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to showoff his "1337" skillz.

    • by Anonymous Coward

      As an MP from the 50plus party we're just happy he knows that technology exists and can be used for evil. That puts him head and shoulders above where we thought they were.

    • by sabri (584428) * on Friday February 15, 2013 @07:32PM (#42917521)
      That is an excellent summary of the judge's decision. The judge argues that by not contacting the systems administrator upon logging in, but instead making copies of confidential data, they went from white hat to black hat.

      At the same time, the judge argues, the defendant may not have had criminal intentions. So while the "hackers" crossed the line in their efforts to "expose" the bad security, they were not sent to prison as they are not criminals.
      • by plalonde2 (527372) on Friday February 15, 2013 @08:01PM (#42917815)
        And on top of it, the fine is reasonable for what amounts to civil disobedience. It might or might not have been the way to protest, but the fine isn't insane, either way.
      • by tompaulco (629533)
        the "hackers" crossed the line in their efforts to "expose" the bad security,
        Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.
        • by interval1066 (668936) on Friday February 15, 2013 @11:19PM (#42919167) Homepage Journal

          Bad Security? An employee of the lab was overheard speaking the information. They could have the best security in the world, and all it takes is one idiot employee to ruin it.

          Thus we have bad security. It needs to be better. I don't know what the solution is, but a user name/pw is inherently insecure.

        • by mcvos (645701)

          If one idiot can ruin it, it's not the best security in the world.

          Though of course the idiot needs to lose access for telling others his password.

      • In the US, he'd probably get 10 years in Club Fed. Mike Tyson went upstate for only 3 years for rape, so we know the priorities of our justice system.

        • He's an MP. (Score:3, Insightful)

          by Anonymous Coward

          If we're being hypothetical, if he were in the US, he'd be a Senator or Congressman, and as a result nothing would happen - hell, he'd probably be applauded.

          Now, if you want to strip the political power away, sure - in the US, he'd probably be prosecuted to the fullest extent the law could be twisted in abuse to.

          I suspect he'd be a lot worse off in his home country, for that matter, if he wasn't an MP.

      • Re: (Score:2, Insightful)

        by westlake (615356)

        At the same time, the judge argues, the defendant may not have had criminal intentions.

        That argument feels off.

        Traditionally, a jury had to decide whether the defendant was of sound enough mind to understand that he was committing a crime.

        The defendant's ethical standards were not the jury's problem.

        His actions were the jury's problem.

        Ethics are flexible. The law rarely bends. No means no.

    • by Teun (17872) on Friday February 15, 2013 @07:32PM (#42917525) Homepage
      No, the worry is how far he could get with just one user ID.
      • Re: (Score:3, Insightful)

        by Anonymous Coward

        No, the worry is how far he could get with just one user ID.

        No it's not. The worry is how a patient was close enough to the people working in the lab that they could so easily get hold of a password. A technician in a lab has a direct need to access the patient records, he got exactly as far as he was supposed to with that level of login. If he'd gained access to systems unrelated to that tech's job duties, you'd have been correct.

        But as has already been noted, and ruled by the judge, there was nothing ethical about what he did. He should have immediately reported t

        • by sumdumass (711423)

          I might have missed something, but the alarming part to me was that the MP accessed the patient information by accessing the company's website from outside the building. I agree that the tech in the lab needs access, but would the lab tech at home or the corner coffee shop need access? And if there is a case where someone outside the building needs that kind of access, wouldn't be better to VPN into the network with a preshared key before allowing that kind of access?

    • by greenbird (859670)

      He's not exposing some inherent weakness in the system, he's using a stolen password to steal documents to showoff his "1337" skillz.

      Hmmm...he used one patient's password to access and download a number of different patients confidential information. Yeah, I'd say he exposed a pretty damn severe weakness in the system. It would almost certainly result in fines for whoever was keeping the records under HIPPA/HITECH here in the USA.

      But also, here in the USA he would have probably gotten 50 years at hard labor after being persecuted by some obscenely overzealous prosecutor and being added to whatever secret terrorist lists the government ke

    • by Kaenneth (82978) on Friday February 15, 2013 @09:10PM (#42918489) Homepage Journal

      Three words:

      Two Factor Authentication.

      A little bit of eavesdropping should not allow unlimited remote access to others medical records.

    • by mwvdlee (775178)

      He's not exposing some inherent weakness in the system

      Yes he is; it's users.
      It's not hacking in the modern, limited sense, it's hacking in the traditional sense.
      There aren't some hacking rules that say "you can't use a password if somebody gives it to you".
      If the users can't be trusted with passwords (why were they sharing a password with a collegue in the first place?), provide some other (combination of) methods of identification.

    • by Anonymous Coward

      This "putz" used one user account to access document which should not have been available to that user account.
      By changing the URL.

      I don't consider this hacking for a completely different reason: this is not hacking in the same way that driving up a one-way street the wrong way is not hacking.
      It's obviously possible, and if the security of your private customer data relies on the fact that no one happens to disregard your street signs, then you're the putz.

      If you prefer an analogy with more wheels: this is

    • "So this putz uses a stolen password (...) He claims that this is ethical hacking?"

      Of course yes. "Ethical" in "ethical hacking" is, well, an ethical statement, so all about intention. Are you claiming against his declaration that he did it in bad faith? It doesn't seem so.

      "He's not exposing some inherent weakness in the system,"

      Yes, he is. It's only too common to think that "the system" ends where the computer ends. That's as wrong as it can be: "the system" certainly includes the human factor and the way

  • by Anonymous Coward
    is still disobedience. Accepting the punishment is something to think about before you decide to break the law for your cause.
  • by Anonymous Coward

    I got the password from your father's brother's nephew's cousin's former roommate. What does that make the labratory's security system? Absolutely nothing.

  • He could have sent the user id and password to the company stating how he had obtained it and the company would have been made aware of the situation. Instead he decided to be flashy and break the law.

  • by Nukenbar (215420) on Friday February 15, 2013 @07:29PM (#42917483)

    If you ask permission from the site to pen test, they are probably going to say no.

    If you are a "so called" ethical hacker, whatever that means, and do it anyway, who is to say you don't find something valuable and keep it? May be you are only "ethical" when you don't find something valuable and then use the experience as free advertising.

    The nominal fine seems reasonable.

    • If you ask permission from the site to pen test, they are probably going to say no.

      If you are a "so called" ethical hacker, whatever that means, and do it anyway, who is to say you don't find something valuable and keep it? May be you are only "ethical" when you don't find something valuable and then use the experience as free advertising.

      The nominal fine seems reasonable.

      Perhaps the right way to do it would be to mandate sites that deal in medical information be pen tested by reputable hackers who offer such services.

  • by Anonymous Coward on Friday February 15, 2013 @07:29PM (#42917489)

    No 10 million euro claims for damages, no 15 year sentences for terrorism and definitely no FOX news fear-mongering the ignorant masses.

    • by steelfood (895457)

      First of all, he's an MP, so the fines are going to be much less than say, a poor nameless student. Second, this may cost him the re-election (or it may not, who knows), in which case the punishment would be much more than simply ~$1000.

  • by Anonymous Coward

    He downloaded, viewed and printed medical data from several people. That was more than needed to prove his point. Next to that he made very little effort to contact the company to get the problem fixed and published almost right away.

    The judge explicitly explained that the "hacking" itself was good, but it was the way he handled it that was not ethical and that is why is was fined.

  • Head in sand (Score:4, Insightful)

    by gmuslera (3436) on Friday February 15, 2013 @08:14PM (#42917937) Homepage Journal
    Make illegal to get warned that you are insecure and you will deserve being raped by unethical hackers. Is pretty much like suing the ones that could predict quakes [go.com], making sure that noone, ever, will warn you till is too late.
    • Re:Head in sand (Score:5, Informative)

      by Solandri (704621) on Friday February 15, 2013 @08:50PM (#42918345)
      If you read TFA, the judge's decision is quite a bit more nuanced than the summary makes it out to be:

      The court, however, agreed with Krol that the detection of defects in the protection of confidential, medical data can serve a substantial public interest. Krol said he acted as a journalist and ethical hacker at the time of the breach.

      The fact that he logged into the website and consulted some files was not unlawful, the court said. Similarly, downloading and printing the files to demonstrate the failures and scale of the security risk are defensible, it added. Krol also handled the information carefully because he redacted the printed files, the court noted.

      It was however disproportional that Krol proceeded to view and print more files than necessary to prove his point, the court said. In addition, he should have given the laboratory more time to fix the problem and should have tried to contact them more than once before he informed the media, the court said.

      Krol only knew of one employee that acted carelessly with login information. "Therefore, the problem was not so acute that immediate use of media was necessary," the court said.

      Sounds like the Dutch have some good judges exercising common sense on this issue.

      • by 1s44c (552956)

        Sounds like the Dutch have some good judges exercising common sense on this issue.

        Not at all, they just have the polar opposite to the US legal system.

        US: Looked funny at a policeman you say? Lock him up and throw away the key.
        Netherlands: Killed 8 people in cold blood you say? Well he said he was sorry so put him in a minimum security prison for a week. Make sure he has a widescreen TV and a playstation so he isn't sad.

    • by jklovanc (1603149)

      If you look into the earthquake issue it was not for failing to predict the earthquake, as the headline says, but was for not correcting a spokesman who stated that, since there had been a number of minor earthquakes in the region, the stress in the fault had been relieved and there was no chance of a large earthquake. They were convicted because a number of other scientists confirmed that such a statement was patently false. That caused many people to not take precautions and many people died because of it

  • Based on HIPAA he would be fined at least $100 per document he took, hacker or not.
  • If the owner of the system did not hire him to do pen testing, then it is not ethical. Sorry.

    • by Fuzzums (250400) on Friday February 15, 2013 @10:00PM (#42918809) Homepage

      In my opinion if you report a system with confidential information to be insecure that would be ethical.
      If the owner of the system hired him, then it would have been his job. That's something different.

      • by EmagGeek (574360)

        It is not ethical to access a computer system that you are not authorized to access. Period.

        Sorry.

        • by Fuzzums (250400)

          An example: Watergate.
          Stealing and leaking documents: illegal, but definitely ethical.

        • by 1s44c (552956)

          It is not ethical to access a computer system that you are not authorized to access. Period.

          Sorry.

          It's ethical if you don't have authorization in the form of a valid login but you have the owners permission to test security.

          That wasn't what happened here though. This man's actions were the criminal, non-ethical, actions of a jerk. He should have been jailed.

          • by Fuzzums (250400)

            Iraq. Didn't even have owners permission to test security. Criminal, Unethical. Should be jailed. Both.
            I wouldn't call them jerks. I'd rather stick to the facts.

  • breaking and entering the system of the Dutch medical laboratory Diagnostics for You

    Hey, I never asked him to do anything!

  • Exactly what part of using an overheard user name and password to access patient information is ethical?
    I nominate him for the Captain Obvious award for showing a valid user name and password combination gives access to a server.

  • by thrill12 (711899) on Friday February 15, 2013 @11:15PM (#42919147) Journal
    ..the justice department (yes, you read that right) actually had a login to the same database as it was found following the news on this particular case. One has to wonder if the official story (needed because of certain convicts that have their records in the same medical DB) is even a valid reason, and why they would even be allowed within 10 meters of such a sensitive and secret (medical wise) collection of data.
    While Henk Krol is not a 'true hacker' perhaps, this does raise a lot of questions with regards to the security of any person's data in such a medical database; questions that "Diagnostiek voor U" may want to keep secret, so a "wag the dog" (or more popular "Chewbecca") tactic is followed...
  • Get the details!! (Score:4, Informative)

    by Aethedor (973725) on Saturday February 16, 2013 @03:05AM (#42920145)
    Many of you are probably missing interesting details. The login consisted of a 5 number digit with a password that was exactly the same! Another fact is that Henk Krol DID try to warn 'Diagnostiek voor U', twice! But they sent him away because 'that was not the way to report it'. He had to do it in writing. He also contacted two other governmental organisations responsible for organisations like 'Diagnostiek voor U', but they also sent him away saying it was not their problem. Henk Krol was not fined for the actual hacking, but for going to the press too soon. Come again...?
    • by 1s44c (552956)

      If I happen to be behind you at the ATM queue and warn you that your pin number is 1234 and you tell me to get lost am I then justified in stealing your card and withdrawing money?

      This man committed criminal actions and should at least be given a short jail term or a reasonable fine.

      • by Aethedor (973725)
        An ATM is not the same as a system holding medical records. Making a comparison doesn't prove anything.
  • Man commits a computer crime, man happens to be an MP, man gets a tiny fine.

    The only news here is that this criminal only got a tiny fine.

  • by Hognoxious (631665)

    If he'd murdered someone for not thinking Allah is the best thing EVAR he'd have been sentenced to 30 seconds picking up litter.

I'd rather just believe that it's done by little elves running around.

Working...