Dutch Parliament Member Fined For Hacking; He Says He Was Just Exposing Security Flaw

from the ethical-hacking-or-not dept

A few folks sent over this story of Dutch Member of Parliament (MP) Henk Krol being fined about $1,000 for "hacking." He claims that he was just exposing poor security on the part of a Dutch medical laboratory called "Diagnostics for You," which he felt was especially important since there are stricter privacy rules for medical info. Of course, "hacking" is used loosely here: basically, a patient overheard an employee at Diagnostics for You reveal the system password while he was in the lobby, and that patient passed the password along to Krol. So, the "flaw" could be as simple as a stupid employee revealing their password out loud (though, you could argue that a system like that should require two-factor authentication or some other more advanced security than a simple password).

Either way, the court recognized that Krol's intentions may have been in the right place, but faulted him for viewing and printing "more files than necessary" to make his point -- and also for going to the press with his findings at around the same time he notified the laboratory. The court said simply finding the flaw and even downloading some records to prove it to the lab would have been fine, but that he went too far (even if he carefully redacted personal info). And then going to the press immediately when the problem seemed to be more a case of a bad employee revealing their password, just seemed like too much. As the court noted: "the problem was not so acute that immediate use of media was necessary."

Of course, this kind of thing is often a struggle when it comes to security hacking. Different people have different opinions on whether or not it's appropriate to go to the press, and also how much information to access. But it seems to be handled on a case by case basis, rather than with clear rules. There are some norms among security researchers -- and that tends to include giving a company some period of time to fix things -- but this remains an area of the law that is sometimes a bit fuzzy. You want companies to respond quickly to security flaws, and sometimes going to the press ensures getting a real response faster. But, it also seems less likely to cause significant damage if you contact them first.

Perhaps MP Krol can now try to pass some legislation with standards on how to handle security breaches found without having them turn into legal cases against the researchers.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    arcan, Feb 18th, 2013 @ 1:23pm

    some activist does this, and they face 55 years in jail. a politician does it, 1000 fine. double standards indeed.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 1:37pm

    two points here

    a) had this have happened in the USA, the poor sap would have had DoJ and others crawling up his arse with accusations of god knows what, then jailed for the rest of his life

    b) i wonder what sort of attitude would have been taken there, had this have been an ordinary worker that did the same thing, resulting in what sort of punishment? a damn sight more severe than Henk Krol got, i'll bet

    c) i also wonder what sort of attitude will be taken against TPB member Svartholm, who has been accused of tax site 'hacking' (just to please the USA entertainment industries) based on supposedly trumped up charges. i doubt he wont get a $1,000 fine. more likely banged up for years for doing the opposite of what Hollywood demanded, with only bribery to aid them to carry out what they wanted because no jurisdiction existed. just as corrupted as the charges in the Mega case!!

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Ninja (profile), Feb 19th, 2013 @ 5:59am

      Re:

      a) nop, he's a politician. They'd probably praise him for his patriotism. The ordinary citizenry can go screw themselves and just keep quiet.

      b) he'd be harassed till he suicided with absurd fines and jail time.

      c) see 'b'.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 1:40pm

    Doesn't pass the smell test

    Doesn't pass the smell test. Overheard password? Passed on to an MP? Who checked it out and then downloaded more than needed? Yeah right.

    This smells to me like the good 'ol pre-emptive "but I was fixing it!"

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 1:45pm

    This...actually makes sense. He isn't a security professional and snooped around as if he was, when he should have gone to the personnel in the company responsible for fixing the problem. Further, he also went to the media for no real reason. If the problem hadn't been fixed, or they had gone after him when he reported it, then he should have gone to the media, but it was irresponsible behavior on his fault. A $1,000 fine is reasonable.

    The problem is that the general public is not held to the same standard and are prosecuted for life imprisonment for reporting security breaches. If everyone else was held to this exact standard, there would be no issue.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      PRMan, Feb 18th, 2013 @ 2:20pm

      Re:

      Ah, but if you don't go to the media first, THEY go to the media with their side of the story which is that you are a stone-cold hacker.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 1:45pm

    Don't tell anyone but passwords are dead.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 2:04pm

    The security was a joke. You only needed a username and password to get access to very confidential information. In this case the system even allowed a user to use his username as password.

    Do you think a company like that will take any action if somebody tells them that basically, their security is a joke?

    The IT company even had the medical organization mobilize the 'victims' to testify against Krol. In some cases using pressure on their own patients that borders the unethical.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Zakida Paul (profile), Feb 18th, 2013 @ 2:50pm

    It goes like this

    Activist is a hacker - unethical and illegal

    Member of law enforcement/intelligence community is a hacker - ethical and legal

    Hypocrisy? I think so.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 2:58pm

    The password must have been it. Otherwise, how would he have known there was a security flaw if he hadn't been hacking?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    btrussell (profile), Feb 18th, 2013 @ 5:55pm

    1) Overhear/obtain password.

    2) Download a ton of info.

    3) When caught, claim to be exposing security flaw.

    4) ?e?x?t?o?r?t?i?o?n?i?s?t?

    5) PROFIT!!!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 18th, 2013 @ 6:20pm

    Dutch Parliament Member Fined For Hacking; He Says He Was Just Exposing Security Flaw

    Sounds like all of those "journalists" who explain that the kiddie porn on their computers was just "research" for an "article" they were writing.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    EJ, Feb 19th, 2013 @ 3:45am

    Needs a bit of context

    Judging by the kneejerk comments this post need a bit of context. Dutch government and helath isurers have for years now tried to introduce mandatory electronic medical dossiers for all dutch citizens. The idea is that a health professional can always check a patient medical record even if he has never seen this patient before. The first attempt went nowhere because of privacy issues and fears over misuse of data by powerfull interest groups, particularly health insurers. Pariament rejected the proposed laws and that should have been the end of it. But, now governent departments in collusion with healt insurers are trying to introduce these electronic dossier again by making it into a "pseudo voluntary scheme" that will eventually force everybody to use this system.
    The system that provides for acces to these electronic medical records is not a central database. It is a kind of central access control, where you are authorized by the central hub and then referred to the keeper of the record. You then connect to the hospital or provider that keeps the record and they will provide you with the requested information. Obviously there are numerous security issues with a system like this. And the health care providers generally have a bad reputation for security issues and for not fixing them. In this context this hack bij knol is just another example of the disastrous quality of IT security provided by the healt care industry. And another reason not to implement mandatory electronic patient records. basically, the hack was politically motivated, merely another move in a rather dirty fight over the the introduction of another "big brother" like system.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 19th, 2013 @ 8:38pm

    What does going you the press have to do with it? It's not as if he revealed a recipe for breaking in to the medical laboratory's computer. It doesn't even sound like there was any kind of systematic flaw that anyone could exploit -- just sloppiness about a password, not the kind of thing you can count on even if it does shoe a certain laxness toward security.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This