48 comments

[ 3.1 ms ] story [ 107 ms ] thread
No good deed goes unpunished.

Kid should have just sold his hack to the highest bidder and skipped the country. Denounce me as unethical as all you want but his situation would be objectively better if he hadn't cooperated with the authorities.

I can't downvote but this is a terrible attitude.
To be fair, I can sympathize with OP's sentiment; why offer help to someone who not only doesn't want but will actively prosecute you for it?

I don't agree, but I could imagine feeling this way in another universe.

Not offering help is one thing. Selling a hack against someone is actively hurting them.
It's also a reprehensible response from the authorities, too. IMO they're in the wrong much more so than the one who discovered the vulnerability.
Both sides can be wrong. I was simply pointing out that harming them by selling the hack because they would react poorly if you told them about it is a terrible plan.
> I can't downvote but this is a terrible attitude.

While I'm not down with selling the hack, not interacting with police is always good advice.

It's shown over and over again that official contact with the police rarely has good results, at best has neutral results, and sometimes has VERY bad results.

I was referring to the 'the kid who did a good thing should have made himself explicitly a criminal' part.
Why is this being criticized (by downvoting)? This absolutely is a wrong attitude.

The path of least resistance is mutely accepting that it's a bad idea to talk to police, or otherwise engage with authorities.

Those who hold so much power over our lives must be held to much higher standards: of responsibility, ethics, and behavior. If you want change, take the path of maximum resistance.

It's not unethical. One has to be very naive to cooperate with the authorities.
I'm hoping you're saying that parent's statement was not unethical (which of course it's not), rather than saying that the course of action he mentioned is ethical.

Your second statement roughly mirrors the parent comment in saying that the guy would have been served better by selling the vulnerability, but surely you don't believe that that's the only criterion for determining if something is ethical, right?

Do you have in mind a buyer who would make such a sale ethical? I would imagine intelligence agencies of major European powers, as well as the US and Russia, as the nation-state buyers, plus organized crime as another possible buyer. Among that field of upstanding people, who do you imagine this exploit could be sold to without clearly and knowingly contributing to massively unethical operations? Perhaps the NSA wouldn't be too terrible a result, because they would just use it to watch everyone rather than cause instability and threaten officials, but for that extra potential it seems like organized crime would be the bigger buyers. Or do you excuse everyone so long as they're not the final link in the chain, the one firing the gun?

I hope that I've just written all of this out of a misunderstanding of your comment, because in no world is selling this vulnerability ethical. If Slovenia were a huge liability, likely to start World War III at any time, maybe, but that's just not the case.

Selling vulnerability is not ethical. Opening yourself to police is just stupid.

It would be ethical to report about vulnerability but without disclosing your name. And if it won't fixed, disclose it at public.

> Among that field of upstanding people, who do you imagine this exploit could be sold to without clearly and knowingly contributing to massively unethical operations?

I imagine state actors as the most likely buyers and way worse offenders, than organized crime. In the world, you believe in, it might be unethical to sell to them. In the world, where the state actors are the enemies of the people and the enemies of each other, it might not, but passively not doing anything might be.

> Kid should have just sold his hack to the highest bidder

Really? If the thing is used for anything important, just sell the intercepted data on darknet :) And it seems this was passive reception of radio traffic - it'd take them a while to find him.

The whole story just illustrates the danger of doing security research in the open. If he tipped them anonymously, he could simply pass the news to the media after a month and they'd have to shut up and fix their shit.

I once refrained from reporting a web vuln for similar reason - I didn't trust the owner to handle this professionally and, unfortunately, I didn't use tor because I attempted the hack just for fun wanting to see how they are protected from that - turns out, they weren't at all.

Slovakian found the encryption protocol only worked for about 30% of the communications. He notified the proper authorities and the did nothing for 2 years so he went public. To be fair he did not go to 15 months of prison, he only got parole. Catch-22 situation kind alike always having a roll of money in your pocket when you are trying to save.

Still, running from the police because they won't fix their insecure communications is ridiculous. Regardless of whether or not you made any money.

> To be fair

That's not fair at all.

Slovenian, not Slovakian.

(yeah, I know. But they're two entirely different countries)

Correction, he started intercepting the data as well as playing cop. Still that better than running away. If it were the USA, he would have been in jail for sure.
playing cop

Is there any evidence of this? Simply owning a fake badge doesn't even prove intent, let alone being actual evidence that it happened.

Simply owning a fake badge doesn't even prove intent, let alone being actual evidence that it happened

Well, not in the US. Many other countries take a dim view towards citizens owning anything that even remotely resembles the accruements of official power and authority.

He may have broken the law by possessing it, but that's not the same as "playing cop". What he actually did doesn't change according to the jurisdiction, only its legal status.
This strikes me as one of the most poorly understood aspects of software/computing.

Breaking into a computer system is like criticizing someone's ideas, not breaking into a house. Since anyone can trivially break into a house, we judge people by their intent, and thus authorities are trained to wonder "why was he doing that at all?" Whereas with computers malice is taken for granted and security has to be by design.

Most people understand that criticism does you a favor. Maybe we should explain that security systems are like public debates, and that successful hackers just happened to say something first.

I feel like a better analogy, especially in this case, would be "it's not breaking into the house, it's looking in the window". Non-technical people would generally understand the equivalent of, say, a business leaving a stack of personal files next to a sidewalk window and someone calling up the news to say "this could lead to identity theft!".
From what little is described of this "hack", it does sound akin to looking in a window that nobody noticed was open. In general, uninvited pentesting is more like going around and checking doorknobs to see if they're locked. Not sure if that's illegal (in Slovenia no less), but I can't blame someone for feeling really uptight about it.
How does this analogy make sense? It's totally possible for someone to steal valuable data from a computer system, even personal information. There may not have been any sensitive information in this case, but to suggest that breaking a security system is a "public debate" seems wrong.
I mean the underlying conceptual security system, not the data it protects. Crowdsourced security audits are similar to everyone telling you in public debates why you're wrong.
Ah ok, sure. Thanks for clarifying.
Maybe now that he has been sentenced and everything seems settled, he should talk to some lawyers or NGOs and have them sued for negligence. Two years of not giving a damn is unacceptable.
Part of the problem is the over-reliance on metaphor. They're flawed, and often confuse people. The suggestion of people walking into houses, or sticking their hands through open windows (or even just peering through them), tends to unsettle people. It brings to mind trespassing and countless episodes of Law & Order that start off with rape and murder. So why are we willingly choosing to discuss encryption, networking, and security research/disclosure through analogies that set people on edge from the very beginning? We lose the listener immediately. And probably poison the well, too.
I think it might be more like breaking into a house than you think. The reason is that there's no way to verify your intent. This leaves 'em free to make up one of their choosing.

"Security by design" seems to imply "oh, this is just a game." Nope. If you now require all people to be part of an electronics security arms race, this is a problem.

It may well be that there should be a mechanism for the police to refer such a kid to others in e. security to enculturate him or get him a network to be part of.

no, its not like breaking into anything.

Its more like walking past your neighbors house and finding the person who is supposed to be looking after it has left all the windows and doors open and a shopping list of things to steal pinned to the wall.

Then when your friend doesn't do anything about it.

Telling your other friends what an idiot he is.

The reason telling people they are insecure has been criminalised is the security agencies are the ones doing all the stealing.

That last part, what?
It's a simple posit. The security agencies (generally) don't breach systems to protect you from physical harm. They breach systems to steal the intellectual property of anyone and everyone for use by the elites that provide their funding.

So we've had three decades of systems security being cast as a dirty word only criminals care about.

Thanks for trying to explain it. Are you familiar with "window peeping"? It's sort of a tort.
This is yet another example of how one who practices "responsible disclosure" eventually changes their beliefs and begins to practice "full, anonymous, public disclosure".
I think the issue is more that he took this knowledge and tried to listen into encrypted stuff

>Officials also conducted a search of his house a month later, in April 2015. Besides seizing his computer and a $25 custom equipment with which Ornig was able to intercept TETRA communications, officers also found a fake police badge, and also accused him of impersonating a police officer.

Proof of concept? The existence of the device demonstrates even to the most ignorant layperson the insecurity of TETRA communications.

As for the fake police badge, I bet this was unrelated —Costume party, BDSM, an old toy…

It wouldn't seem like any kind of hacking went on if some of the communications were actually un-encrypted (reading plain-text is not the same as decrypting something with a weak-key)? The article makes it sound like something you can check just by grabbing packets via. wire-shark. Some details are missing here...
If you're going to release this kind of thing publicly you want to do your damndest to do it anonymously.
That's what you get for breaking the law, idiot. He's up there with the thief who posted a selfie on facebook while robbing a store.
(comment deleted)
My sympathies for the guy, and I'm not blaming the victim, but there is a basic safety rule that every aspiring hacker needs to understand, right now, right up there with 'fasten your seatbelt' and 'don't feed the bears':

DON'T DISCLOSE SECURITY FLAWS TO UNWILLING OWNERS.

If you stumble across a security flaw in a proprietary system, check whether they have a bug bounty. If so, great. If not, keep your mouth shut and get on with your life. (Unless, of course, you've decided to sell it on the black market; if you're okay with the ethics of that, so be it. But my advice, that needs to become the standard advice to everyone, is to just keep your mouth shut.)

Don't bite the hand that feeds you - and don't feed the mouth that's going to bite you.

I'll add to disclose it anonymously tied to a pseudonym and/or public key. You can give them data and time to fix it with assurances it will be more public after a reasonable period of time. Thanks to anonymity, they're not going to do shit like in the article.
Key is "unwilling". Hackers must also remember some companies willingly pay for this info.

Based on the numbers I've seen doing contract work for a big blue chip in the UK, you could see it as an opportunity to sell penetration testing services. If this one is unwilling, there could be 5 more willing to pay a good sum to have these sorts of flaws identified and fixed.

I get the feeling a lot of pen. testing companies run a standard set of checks for vulnerabilities. The report I saw was simply a bunch of metasploit results. They were charging some many thousands for this. Offering above and beyond could be a good opportunity.

I think the problem here is that the hacker's "responsible disclosure practice" never filtered down to a part of the organization that was in a position to care, understand and respond.

Merely sending a emails and awaiting a response (if that's what happened) is an ineffectual tactic as it depends on a chain of unaccountable people within the org making the right decision about who to forward the email to.

So let's suppose I'm a clever computer guy and I enjoy finding out how systems work and don't work, and I uncover lots of security problems.

But I'm also lazy and/or not very good at dealing with large corporations to find the right person to report these things to, even if they have a bug bounty.

Are there any organizations -- uhh, non-criminal organizations -- that will take a security report, find the right person at the company to report it to, see that it is addressed, and maintain my anonymity, so that I can wash my hands of it and go back to what I prefer to do with my time?

that sounds like a nice idea! but just imagine such a thing to exist...

they'd need to document these security holes so that the same bug isn't reported several times simultaniously. so, they'll have a database of security holes a documented way to break into them...

this would be more than just a honeypot for every black-hat hacker out there. they'd be swarming them

Journalists are the first that come to mind. Use Secure Drop to maintain anonymity.