You can read more here[0], unfortunately it is in Swedish, and not that much. More or less, the editor in chief of the journal denies to comment. The charges are suspected data breaches, suspected instigation of data breaches and unauthorized disclosure of personal data.
It's good to see that we Danes have exported something to Sweden.
The same thing happened after someone "hacked" some school webapp-thingy, I can't remember the exact details, by changing the URL to get access to another students data. He was promptly reported to the police for hacking after he reported it to the company.
I guess not. But he was still in prison for 2 years. And anyone else can be put in prison for 2 years without actually comitting a crime too. The CFAA is just that vague. And they likely won't have the legal support that weev did.
That's the real precedent here. The feds can and will throw you in prison for years for not comitting a crime.
From Wikipedia: "On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that the venue in New Jersey was improper.[48][49] While the judges did not address the substantive question on the legality of the site access, they were skeptical of the original conviction, noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained.[50] He was released from prison on April 11, 2014.[51]"
My (foreign layman's) take on it is that the lower court precedent still stands, as it was not formally overturned.
I just looked it up again, and he actually did hack them:
"Forælderen, Henrik Høyer havde blandt andet opdaget, at den infoskærm, som hver enkelt børnehave havde i systemet, var befængt med et sikkerhedshul, der tillod cross-site scripting. Ganske enkelt blev de beskeder, som man skrev til den fælles infoskærm, ikke renset for tegn, der gør det muligt at indsende Javascript-kode.
Det udnyttede Henrik Høyer til at skrive en simpel Javascript alertbox, der poppede frem med beskeden 'Ring til Infoba og sig at jeres nye intranet løsning er blevet hacket', hvorefter brugeren skulle trykke ‘OK’.
Det var der flere af pædagogerne, som så, og som undrede sig over, ifølge Infobas produktchef.
»Jeg skrev til Infoba og hørte aldrig fra dem. Så lavede jeg den her løsning, som måske var lige på grænsen for, hvad man må,« siger Henrik Høyer og fortsætter:
»Jeg lavede et harmløst javascript, men kunne have gjort det meget værre.«"[0]
My porridge-language is limited, but if I understand correctly he used an XSS vulnerability to place an alert box on the page telling the users of the system they should contact the provider and tell them the system had been hacked. It could of course has been much worse. He was later found not guilty:
Yeah totally benign, the only ones guilty of anything is that awful contractor. I just wanted to point out that there was more to the story than a police report over emails.
The crappy thing is that the psycho CEO that filed charges is 100% right. The journalist willfully and knowingly committed a data breach. There are no provisions in the law for "I did it for a good cause" or "I only demonstrated that it was possible."
Of course if he hadn't, he wouldn't have been able to write a story about it and the security holes would not have become public knowledge.
The laws in these areas are insanely antiquated and this is not the first time investigated people in power have tried to use them to silence or smear journalists. Freedom of speech is threatened.
I think in this case the argument actually applies. There is no action on the user's part that signifies bad intent. Maybe if they downloaded too many of the files, but otherwise I wouldn't expect the accusation to stick.
There must have been some intent for it to be a crime. It is not illegal to click on a public link on the web. Accessing sensitive data is not a crime in itself.
These accusations seem completely baseless. The data was public and could probably be found using one of several public search engines.
Apart from that, the journalists could also claim they were given the link by someone, in which case it would even be illegal to investigate the source. This lawsuit was not filed to win.
Yes, it is strange the way news like this gets buried so quickly. At least the lawsuit will make sure it will pop up every now and then, even if only in alternative media and possibly in ComputerSweden - although they might keep quiet about it while the lawsuit progresses.
The 10 talking points from the guy who spoke to the press are so terrible I burst out laughing. Government IT incompetence is so terrible all around I find it hard to imagine a way out. Either they do terrible things themselves or outsource it to the lowest bidder who might be slightly less clueless.
By experience, and this is a good example, subcontractors are waaaaay more clueless than government employees. There are actually very competent tech peopme in government, although not at decision levels. For subcontractors you often have cheap labour with a high turnover and no worries about consequences of bad actions.
They are even funnier in Swedish. Translated they sound much more reasonable but in Swedish it's complete mumbo-jumbo and have sprouted endless of memes in programming groups/forums.
Yes! I can't put my finger on exactly why that is, but something about how it's said in Swedish makes the soundbites even more batshit insane. This is some new level, I've never seen this level of incompetence with these high level stakes.
Let me see if I got that right. When the government does something bad, it is (obviously) at fault. When a private company is hired instead, and fails spectacularly breaking along the way not just contract but both national and European law, then that is also sign of terrible government incompetence. There's just no winning for public officials, is there?
More like there's no winning for society when we put incompetent people in power. I don't have any crocodile tears for public officials, my concern is the long-term consequences of the actions of our government(s) and how that affects both us and future generations as societies and people.
The public officials could just do a good job of either finding good contractors or doing the work themselves? Or is that so far fetched we are not even considering that possibility?
An official hand picking contractors out of good judgement is called "corruption", at least around the EU. The contract must be awarded the one who makes the best promises, if the controversial wording is excused. Public agencies may do work themselves, of course, but that tends to attract a more common type of criticism.
I know nothing about this particular case however. It may very well be a royal fubar every step along the way. It was just interesting how some thought the government responsible even for private companies found breaking the law.
What's sad is that the CEO seems to be doing his best to provide an accessible explanation to people who understand the technology even less than he does, as if those are the people he needs to answer to. It's a real "series of tubes" moment in that it feels unfair to nit-pick what he's saying on the level he's saying it, but it's obvious he doesn't understand it on any deeper level, and he doesn't understand that the issue needs to be in the hands of someone who does.
> “That someone probably, when updating at some point, seen that there was a free networking cable slot, and I guess they thought, some technician: ‘Aha, there should probably be a cable here, but it fell out [sic]’, and then they have connected a networking cable, so that it’s become connected to the Internet. That is just, like, how you do these things.”
Not only is this statement extremely funny in its own right, it completely ignores the fact that there was a public dns name too with a clear service name. Maybe that same poor technician also fell over the keyboard too. How extremely unfortunate!
> I sincerely hope that we fill see massive fines, people lose their jobs, and perhaps some more severe criminal charges brought against those whose negligence caused this.
TBH I find this “off with their head” mentality to be counter productive. Sure, if someone broke the law then administer justice. But it’s not addressing the root cause. What systemic weaknesses led to this scenario, and what systemic changes can we make to prevent it from happening again? That’s a much more productive discussion to have, although doesn’t appeal to our baser instincts and so won’t score easy political points.
I agree with your point. It is complicated since everytime humans become outraged about something, their emotional side tends to take over and they tend to look for someone(s) to blame and a head(s) to roll without taking all aspects into consideration, for example:
* How to pin-point one or a group of individuals to blame within the company? What if it is someone that has long moved to another company?
*Does finding a scapegoat and forcing someone out of their jobs resolve the matter? Whats the impact in that person's lives? Was it just for the masses to feel better?
To be honest, I think society is rewarding the wrong attitude in some cases. Someone in the reporter's position should have raised the issue to the relevant authorities and after the issue was resolved (at least partially), he should have made a request to publish an article talking about what happened, how many people could have been impacted, the actions he took. The outcome could have been that the reporter receives an award for his work and appreciation from society for raising awareness in the area, the government talking about concrete actions they have/will take, other companies and society works towards improving said issue.
Deterrence is important. It is unacceptable for any company to be this negligent about highly sensitive personal data. What leads to these kinds of situations is that the company didn't care about security at all. Even now the company reported the journalist to the police.
Thanks for the feedback. I wrote this post and I would like to clarify:
I did not intend to say that we should go outside of the confines of the law here and lynch anyone. But I sincerely hope that our legal system has the power to punish gross negligence (I mean that in an everyday sense, not as a legal term) and that officials and CEO's can't get away with anything by just burying it under several levels of procurement. The company in question was obviously not competent enough to handle the data that they received, and it is gross negligence to take on this kind of project without doing a proper audit of their systems and methods. At the very least, their handling was against GDPR, which should result in fines.
Yet somehow, they ended up with the project. That is negligence on someone else's part. If you're hiring contractors to build a highway bridge, you should be held liable if you pick the local carpenter to do the job, just because they say they definitely know how to make it out of wood. I hope that the legal system can punish governmental officials and government contractors for handing off sensitive data to a party that isn't even aware of how incompetent they are, and that merely the procurement can be considered illegal.
If my hopes are not fulfilled, and one can indeed hand off all responsibility in a procurement process, then I instead hope we will see the law change in this regard.
As for people losing their jobs, I think that warrants no explanation.
Still, I agree: the issue isn't bad actors, the issue is the process, and it needs to be addressed. But part of a good system is not letting contractors getting away with bullshit, and making sure something is at stake when you take on a contract. If you can walk away from this wreckage without consequences, what's to stop you or anyone else from continuing to play fast-and-loose (which is usually the cheapest way to do things) with the public's data, raking in the payments and shrugging it off when things blow to pieces?
I understand I could have made that clearer, and I'll think about how to change my wording, or adding a footnote or something.
I was working on a project for a client in 2002. Our genius project leader, told us to set up a public ftp server... without password. We told him that it was a no solution and super dangerous. As junior devs, in a service company, we were told to simply shut our mouth and do what was ordered. The server was instantly found but they only started to use it during the week-end as a porn server. The hosting company was on fire. This leader is now a director. hehe
48 comments
[ 2.6 ms ] story [ 108 ms ] threadIt was discussed
[0] https://omni.se/medhelp-polisanmaler-tidning-efter-avslojand...
https://en.wikipedia.org/wiki/Weev#AT&T_data_breach
A very objectionable fellow, but I'm sure they'll move on to more sympathetic ones now that the precedent is set.
That's the real precedent here. The feds can and will throw you in prison for years for not comitting a crime.
My (foreign layman's) take on it is that the lower court precedent still stands, as it was not formally overturned.
"Forælderen, Henrik Høyer havde blandt andet opdaget, at den infoskærm, som hver enkelt børnehave havde i systemet, var befængt med et sikkerhedshul, der tillod cross-site scripting. Ganske enkelt blev de beskeder, som man skrev til den fælles infoskærm, ikke renset for tegn, der gør det muligt at indsende Javascript-kode.
Det udnyttede Henrik Høyer til at skrive en simpel Javascript alertbox, der poppede frem med beskeden 'Ring til Infoba og sig at jeres nye intranet løsning er blevet hacket', hvorefter brugeren skulle trykke ‘OK’.
Det var der flere af pædagogerne, som så, og som undrede sig over, ifølge Infobas produktchef.
»Jeg skrev til Infoba og hørte aldrig fra dem. Så lavede jeg den her løsning, som måske var lige på grænsen for, hvad man må,« siger Henrik Høyer og fortsætter:
»Jeg lavede et harmløst javascript, men kunne have gjort det meget værre.«"[0]
(Sorry for the danish ya'll)
[0] https://www.version2.dk/artikel/foraeldre-finder-banale-sikk...
https://www.version2.dk/artikel/derfor-blev-henrik-hoeyer-fr...
https://omni.se/medhelp-polisanmaler-tidning-efter-avslojand...
Of course if he hadn't, he wouldn't have been able to write a story about it and the security holes would not have become public knowledge.
The laws in these areas are insanely antiquated and this is not the first time investigated people in power have tried to use them to silence or smear journalists. Freedom of speech is threatened.
The case should be dismissed.
These accusations seem completely baseless. The data was public and could probably be found using one of several public search engines.
Apart from that, the journalists could also claim they were given the link by someone, in which case it would even be illegal to investigate the source. This lawsuit was not filed to win.
As an individual I wouldn't want to publish info on a security breach though.
[1] https://en.wikipedia.org/wiki/Streisand_effect
I know nothing about this particular case however. It may very well be a royal fubar every step along the way. It was just interesting how some thought the government responsible even for private companies found breaking the law.
Yeah, no, that's not how you do these things...
TBH I find this “off with their head” mentality to be counter productive. Sure, if someone broke the law then administer justice. But it’s not addressing the root cause. What systemic weaknesses led to this scenario, and what systemic changes can we make to prevent it from happening again? That’s a much more productive discussion to have, although doesn’t appeal to our baser instincts and so won’t score easy political points.
And still there are people wanting more government control. Mind boggling
* How to pin-point one or a group of individuals to blame within the company? What if it is someone that has long moved to another company?
*Does finding a scapegoat and forcing someone out of their jobs resolve the matter? Whats the impact in that person's lives? Was it just for the masses to feel better?
To be honest, I think society is rewarding the wrong attitude in some cases. Someone in the reporter's position should have raised the issue to the relevant authorities and after the issue was resolved (at least partially), he should have made a request to publish an article talking about what happened, how many people could have been impacted, the actions he took. The outcome could have been that the reporter receives an award for his work and appreciation from society for raising awareness in the area, the government talking about concrete actions they have/will take, other companies and society works towards improving said issue.
I did not intend to say that we should go outside of the confines of the law here and lynch anyone. But I sincerely hope that our legal system has the power to punish gross negligence (I mean that in an everyday sense, not as a legal term) and that officials and CEO's can't get away with anything by just burying it under several levels of procurement. The company in question was obviously not competent enough to handle the data that they received, and it is gross negligence to take on this kind of project without doing a proper audit of their systems and methods. At the very least, their handling was against GDPR, which should result in fines.
Yet somehow, they ended up with the project. That is negligence on someone else's part. If you're hiring contractors to build a highway bridge, you should be held liable if you pick the local carpenter to do the job, just because they say they definitely know how to make it out of wood. I hope that the legal system can punish governmental officials and government contractors for handing off sensitive data to a party that isn't even aware of how incompetent they are, and that merely the procurement can be considered illegal.
If my hopes are not fulfilled, and one can indeed hand off all responsibility in a procurement process, then I instead hope we will see the law change in this regard.
As for people losing their jobs, I think that warrants no explanation.
Still, I agree: the issue isn't bad actors, the issue is the process, and it needs to be addressed. But part of a good system is not letting contractors getting away with bullshit, and making sure something is at stake when you take on a contract. If you can walk away from this wreckage without consequences, what's to stop you or anyone else from continuing to play fast-and-loose (which is usually the cheapest way to do things) with the public's data, raking in the payments and shrugging it off when things blow to pieces?
I understand I could have made that clearer, and I'll think about how to change my wording, or adding a footnote or something.
on the other hand one could analyse all the calls and provide a helpful medical bot.