Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Government EU Encryption Security

Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si) 172

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting for more than two years for a reaction, from police or Ministry of Interior and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.

On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.

This discussion has been archived. No new comments can be posted.

Student Exposes Bad Police Encryption, Gets Suspended Sentence

Comments Filter:
  • Hm... (Score:5, Insightful)

    by Anonymous Coward on Sunday May 22, 2016 @11:36AM (#52160043)

    Is it my imagination or is this student's real crime making public figures look bad?

  • Sounds like this is what he did: http://www.rtl-sdr.com/rtl-sdr... [rtl-sdr.com]

    Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.

    • Keep in mind there is no Tetra in the US, but there is plenty of DMR & P25, which is significantly easier to listen in on.

      I am not sure you can even buy a switch which will send it unencrypted anymore. Which makes ROIP as secure as any https communication.

  • by Anonymous Coward

    He tried to help them and got a suspended sentence of 15 months in prison (won't that be fun). He was subject to a house search and all of his computers and equipment were seized. He tried to help them all along, and they punished him for it. Now it would have been much more profitable (and no police raid, no prison and no threats and intimidation) if only he had simply sold the information and equipment (for a profit) on the black market to an organized crime ring. He could have made $100,000 or more,

  • Hey, I heard some guys talking in a bar and they said......................so maybe someone should look into this.

  • by Anonymous Coward on Sunday May 22, 2016 @12:00PM (#52160159)

    If you did something illegal in the process of uncovering a vulnerability, do not put your name to the information. Publish anonymously. Not just nation states, but also corporations of any size are known to show no leniency. You will not receive thanks for being a pain in the ass. Your sins will not be forgiven. Even if you did not do anything illegal, be prepared to be hassled relentlessly. Publish, but publish anonymously.

  • Lesson: (Score:5, Insightful)

    by Opportunist ( 166417 ) on Sunday May 22, 2016 @12:07PM (#52160185)

    Do not inform police about their crappy encryption, that's illegal.

    Sell that information to some criminals. That is only potentially illegal, but at least profitable.

    • ...and after criminals use the exploit and show off the police, there will be an investigation and configuration fixed. So, the same outcome except the researcher got some money instead of a sentence. And worst case is he gets money AND a sentence, but that's still better than just a sentence.

    • by delt0r ( 999393 )
      What about option 3. Ignore it and get the fuck on with your life.
  • by Anonymous Coward on Sunday May 22, 2016 @12:11PM (#52160197)

    Kids, the lesson is simple : never ever under any circumstance "help" authority figures. You'll end up getting fucked.
    You try to help and you end up getting fucked. You steal by the millions/billions and you're heralded as a saint.

  • Dear kiddies... (Score:5, Insightful)

    by Lumpy ( 12016 ) on Sunday May 22, 2016 @12:47PM (#52160339) Homepage

    DONT FUCKING TRUST THE POLICE. If you go public with something that shows they are idiots they will absolutely punish you.

    The police are nothing more than a very well financed street gang.

  • This is another illustration of how clumsy, inefficient, and occasionally evil the government is — even in otherwise decent countries. At least, the guy's sentence is "suspended"...

    And everyone seems to agree with the Libertarians in these cases, but, when the topic is something else, a solid chunk of the audience suddenly switches into believing, that the government is not only an acceptable, but the best solution available.

    Why, for example, would the same people be outraged at the government's goo

  • I will remember never to engage in a hire-able offence.
  • by wjcofkc ( 964165 ) on Sunday May 22, 2016 @02:31PM (#52160669)
    Okay so it's not exactly the same.

    Some years ago while on the job I got so caught up on my projects I found myself with an hour or two to kill everyday for a couple weeks. (Disclaimer: I hid the fact I was caught up early.) Now I am the curious type, especially when it comes to networks and security. Needless to say, I started poking around. Poking around quickly led to hacking around. It was an internal LAN, but still. I followed the bread crumbs and uncovered, lets just say "stuff that was not intended to be uncovered. Much more followed from that. It reached a point where it was down right concerning. So finally I crossed my fingers and called my boss over, who of course was not a tech. He was concerned bordering on unhappy about what I was doing. The next day I got a call from the CIO, which is highly unusual. We had a very long talk about what I had been up to. The talk extended into a discussion of my knowledge and abilities which up till then no one in the company knew I had. I don't remember which hacker topic it was, but at one point the CIO said "fuck me" he did not mean it literally. The result? The CIO gave me permission to keep on hacking our systems as long as I documented everything and reported directly to him. Up to that point, my initial finding resulted in ten or so pages of documentation. It was pretty cool.

    A bit off topic. Although I liked my job I found myself in a situation where I had to pick up and move. The details of that are unimportant, but I made sure I had a job waiting for me. Before I left the company, the CIO installed a keystroke logger on my computer. Since I was the only one running Linux, it was my personal computer. The CIO, was one of the single best hackers I have had the pleasure of meeting. Next thing I know I was signed up for a bazillion newsletters and I noticed a Sony Erickson had accessed my Google account. It took me all of one second to figure out what had happened. Fortunately it was all fun and games, nothing malicious. Although I did proceed to reformat the drives in all of my computers and proceeded to change every password I used (a lot) to random alphanumerics every week for a couple of months. Fun stuff.
  • by dweller_below ( 136040 ) on Sunday May 22, 2016 @05:05PM (#52161399)
    We had a similar problem. Fortunately we had a better outcome.

    On of our university's IT group noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified, when we presented the problem to them.

    I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.

    Still, it took months before the vendor deployed fixed code.

  • ...goes unpunished.
  • The lesson learned from this?

    Fuck the pigs, sell the vulnerability to the bad guys....?

    Great lesson to teach the young hackers...

  • On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.

    A pretty standard sort of thank you from people who run a government. He is lucky, a lot of them end up in body bags or crippled and homeless for helping politicians and their machinations.

    You know the real truth is, they are more afraid he will expose corru

  • Quite clearly he should have sold the information, even though it's merely Slovenian police and security services, I'm sure a few grand would have been preferable to a (suspended) prison sentence.

    Modern Commercial Security: HACK US AND WIN PRIZES.

    Modern Government Security: If you just look at us and try to help, we'll put you down. We'd rather have holes being actively exploited by enemies of the state than have the shock horror of a public servant being made to look slightly inept, even if the hole isn't

  • by FrozenGeek ( 1219968 ) on Monday May 23, 2016 @08:38AM (#52164081)

    First mistake: telling the authorities about their problem.

    Second mistake: making the problem public.

    Do be a good citizen and notify the relevant authorities of computer security problems. But be a SMART citizen, and do it anonymously.

    Do not be a jerk and make the security problems public. But if you absolutely feel you must do so, do it anonymously.

    In a more ideal world that this, anonymity would not be needed. However there are far too many authorities who prefer to blame the messenger than to fix things properly. Your idealism is NOT shared universally.

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors

Working...