
Hacker facing an 8-year jail term for exposing vulnerabilities in Magyar Telekom - DyslexicAtheist
https://cyware.com/news/hacker-uncovers-vulnerabilities-in-magyar-telekoms-network-gets-a-jail-term-of-8-years-56c4d478
======
hiperlink
Some details as they appeared (in Hungarian) on the Civil Liberties Union
blog (jelenti.blog.hu/2019/01/25/igy_kert_bortont_etikus_hacker_vedencunkre_az_ugyesz):

(it was translated to English by me, sorry for any mistakes):

\- he was invited to visit Telekom's office (the expenses were on him), and
wanted to give them the details

\- he was not convinced by the meeting that they'll solve it (close the
doors): tried again, successfully (yep, that's a bit grey hat).

There are several issues not with the hacking, according to the Hungarian
Civil Liberties Union:

\- the prosecutors used a way too generic accusation which missed several
important details, like [regarding the crime] when, how, etc.

\- the accusation claimed that the hack was done by using the Internet
(seriously).

\- they (the prosecutors) offered a deal of "admit the crime == free to leave",
but when the guy denied it they asked for more prison.

\- the prosecutor stated: "we are not IT people but we know from the media (!)
that with Internet and certain competence he could have hidden more of his
digital footprints". And the prosecutors didn't ask for expert advice for
more than one and a half years.

\- they asked for 8 years because the hacker should have been able to disturb
a public interest service, though the company claimed that this server/service
did not affect any of their customers.

------
friendly_chap
Hungarian here (Magyar means Hungarian in our language).

The guy was not sentenced yet, likely won't be, but given how incompetent
everyone involved is, one cannot be sure.

Telekom does not want to press charges as far as I know, so despite their
gross technical incompetence, at least they have that going for them.

Hungary recently had a bunch of ethical hackers getting into trouble, but
fortunately the people are so outraged at the powers that be trying to jail
them that they don't get harmed.

~~~
doktrin
> The guy was not sentenced yet, likely won't be, but given how incompetent
> everyone involved one can not be sure.

Does the public prosecutor in Hungary have a poor conviction rate? I know
nothing about your country, but if I were facing a similar charge in the US I
would be _very_ concerned.

~~~
htamas
The public prosecutor actually has an unusually high conviction rate (can't
cite a source right now for this), but there was a very similar scandal last
year where a similarly young security enthusiast figured out he could buy
public transport tickets for any price in the then recently launched web
interface of the Budapest public transport company (BKK). He did this simply
by editing the form post URL on the order page.

BKK then tried to prosecute him but quickly dropped the case since there was a
huge public outrage. The website and the related services have been down ever
since the incident.

So this is why people suspect they will drop the case soon again, but as
another commenter already said, they are incompetent and corrupt to the bones,
so who knows?

------
amingilani
> gets a jail term of 8 years

The article says the prosecutor's recommending an 8-year jail term, but since
the court hasn't decided on the case — how did the hacker "get" a jail term?

Is the article wrong, or is the Hungarian legal system different from what I'm
used to?

~~~
gota
I think the threat of prosecution in this case is already some form of damage.
Even if he is ultimately not convicted, future whitehats will think twice
about coming forward because this one was _threatened_ with prosecution,
thinking "what if I don't get so lucky?"

~~~
chii
The smart thing to do, if a company has no public vulnerability bounty
program, is to sell the information on the blackmarket instead. This will
incentivize all companies to start their bounty program, whilst still getting
some cash reward.

~~~
mirimir
I don't know about the "sell the information on the blackmarket" part. But
uninvited pen-testing seems pretty risky. Maybe it'd be prudent to have an
~anonymous pseudonym for this stuff.

And if you really care about reputation building, you could use an ~anonymous
pseudonym plus the sha256 or sha512 hash of some string. If it all works out,
you just share the string, and reap the credit.
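The commit-and-reveal idea in the comment above, worked through as an added example that is not part of the thread: a random nonce is hashed together with the claim so that the published digest cannot be brute-forced from a short, guessable string, and the reveal is checked against it later. The pseudonym and claim text are constructed placeholders.

```python
import hashlib
import secrets
from typing import Iterable, Optional, Tuple


def make_commitment(claim: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, nonce). Publish only the hex digest now and
    keep claim and nonce private until you want the credit. A fresh 32-byte
    random nonce keeps the commitment hiding even for a short claim."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + claim.encode("utf-8")).hexdigest()
    return digest, nonce


def verify_reveal(commitment_hex: str, claim: str, nonce: bytes) -> bool:
    """Anyone holding the earlier-published digest can check the reveal."""
    expected = hashlib.sha256(nonce + claim.encode("utf-8")).hexdigest()
    return secrets.compare_digest(expected, commitment_hex)


def guess_bare_hash(commitment_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the nonce matters: a bare sha256(string) of a predictable string is
    recovered by hashing likely candidates. Returns the matching candidate,
    or None if the commitment resisted guessing."""
    for cand in candidates:
        if hashlib.sha256(cand.encode("utf-8")).hexdigest() == commitment_hex:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample claim; pseudonym, vendor and finding are placeholders.
    claim = "pseudonym 'nightjar' reported finding <F> to vendor <V> on <date>"
    commitment, nonce = make_commitment(claim)
    print("publish now:", commitment)
    print("honest reveal verifies:", verify_reveal(commitment, claim, nonce))
    print("altered claim verifies:", verify_reveal(commitment, claim + "!", nonce))
    # Without a nonce, a guessable claim is recoverable from the digest alone.
    bare, _ = make_commitment("I found the bug", nonce=b"")
    print("bare hash guessed as:", guess_bare_hash(bare, ["hello", "I found the bug"]))
```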

~~~
giancarlostoro
I agree. No need to get way too unethical to make a buck.... Ask for Monero or
something if they want the full disclosure before you publicly and anonymously
do a full disclosure.

------
LeonM
This reminds me of the Vtech hacker story. Darknet diaries did an excellent
podcast on it [0].

As someone having worked in pentesting, I have mixed feelings about this
situation. Whitehat or not, the hacker knew that what he was doing was
illegal. Of course this gives the hacker a dilemma, as not disclosing might
result in a blackhat exploiting the same vuln.

[0]
[https://darknetdiaries.com/episode/2/](https://darknetdiaries.com/episode/2/)

~~~
Cthulhu_
The hacker in this case, if they want to do the Right Thing but without any
reward, should report it anonymously - they of all people should know how to
hide their tracks. Creating a throwaway e-mail address through half a dozen
proxies and/or TOR is relatively easy.

~~~
Timpy
The hacker did report it anonymously, there's no evidence that the hacker was
caught from the email they reported the vulnerabilities from. They of all
people should know how hard it is to remain completely untraceable.

------
pjc50
\- Never do unsolicited pentesting

\- If you do, be very careful about how you report it; must be to a recognised
bug bounty program

\- Especially don't do this in a repressive state

~~~
miga
Since it is a major public company serving many Hungarians, it can be argued
that the hacker did a public service.

I understand that he did not want to admit _wrongdoing_, since he believed it
should be considered an extenuating circumstance where public interest
requires such action.

------
hd4
Whenever I hear another case like this, I'm once again reminded of how the
mainland Chinese deal with being witnesses to accidents or crimes taking place
(as long as they aren't the victim), they simply walk on by as the "reward"
for them is often not good, and in many cases they end up getting implicated.

Maybe it's time for solo security researchers to stop being the nice guys. I'm
not saying they should start behaving like blackhats, simply that
self-preservation must come first and when you are faced with an industry that
treats what I'd consider acts of generosity with contempt and legal action,
then fuck them.

------
aboutruby
Article with sources: [https://www.zdnet.com/article/white-hat-hacker-discloses-mag...](https://www.zdnet.com/article/white-hat-hacker-discloses-magyar-telekom-vulnerability-faces-jail/)

> the first vulnerability allowed the hacker to obtain an administrator
> password through a public-facing service. The second bug allowed him to
> "create a test user with administrative privileges."

Translated source article with much more information:
[https://translate.google.com/translate?sl=auto&tl=en&u=https...](https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Findex.hu%2Fbelfold%2F2017%2F07%2F26%2Ftelekom_t-systems_biztonsagi_res_nni_etikus_hekker_rendorseg_nni_orizetbe_vetel%2F)

> She browsed and found a user guide in a PDF file on the Telekom website that
> contained the IP address of a DNS server. Performed a routine scan for this
> IP address and then surprised to find that it was relatively easy to get an
> administrator password from here.

------
jacquesm
This is a better article with a better headline:

[https://portswigger.net/daily-swig/hungarian-ethical-hacker-...](https://portswigger.net/daily-swig/hungarian-ethical-hacker-faces-eight-year-prison-sentence)

------
kome
When in a country you reward unethical behavior and punish ethical behavior,
you are heading for a fall.

This is outrageous and ridiculous. Magyar Telekom is a bunch of crooks anyway;
why are phone plans so much cheaper in western Europe?

~~~
friendly_chap
Because Hungary is just a free for all market for every corrupt big corp and
organisation that wants easy profits.

Everything costs more than in Western Europe (except rents and services), yet
people make 1/6th of the money. Hence why a third of the working population
left the country.

~~~
kome
I know, I wrote a couple of articles about Hungary for Jacobin, for those
interested:

\- [https://www.jacobinmag.com/2018/03/viktor-orban-hungary-fide...](https://www.jacobinmag.com/2018/03/viktor-orban-hungary-fidesz-authoritarian-opposition)

\- [https://www.jacobinmag.com/2018/04/fidesz-viktor-orban-hunga...](https://www.jacobinmag.com/2018/04/fidesz-viktor-orban-hungarian-elections)

------
thecleaner
Why would you set a precedent for not reporting vulnerabilities? Are they
stupid? This just means "next time you find something, exploit it or just
sell it to someone".

