
2.7M Medical Calls Breached in Sweden - phigcch
https://www.hjorthjort.xyz/2019/02/20/2.7_million_medical_calls_breached_in_sweden_-_it%27s_pure_commedy.html
======
cle
> I sincerely hope that we will see massive fines, people lose their jobs, and
> perhaps some more severe criminal charges brought against those whose
> negligence caused this.

TBH I find this “off with their head” mentality to be counterproductive.
Sure, if someone broke the law then administer justice. But it’s not
addressing the root cause. What systemic weaknesses led to this scenario, and
what systemic changes can we make to prevent it from happening again? That’s a
much more productive discussion to have, although it doesn’t appeal to our baser
instincts and so won’t score easy political points.

~~~
Gpetrium
I agree with your point. It is complicated since every time humans become
outraged about something, their emotional side tends to take over and they
tend to look for someone(s) to blame and a head(s) to roll without taking all
aspects into consideration, for example:

* How to pin-point one or a group of individuals to blame within the company? What if it is someone that has long moved to another company?

* Does finding a scapegoat and forcing someone out of their job resolve the matter? What's the impact on that person's life? Was it just for the masses to feel better?

To be honest, I think society is rewarding the wrong attitude in some cases.
Someone in the reporter's position should have raised the issue to the
relevant authorities and after the issue was resolved (at least partially), he
should have made a request to publish an article talking about what happened,
how many people could have been impacted, and the actions he took. The outcome
could have been that the reporter receives an award for his work and
appreciation from society for raising awareness in the area, the government
talks about concrete actions they have taken or will take, and other companies
and society work towards improving said issue.

------
tapland
Medhelp has filed a police report against the reporting paper ComputerSweden
late last night:

[https://omni.se/medhelp-polisanmaler-tidning-efter-avslojande/a/8wy6GW](https://omni.se/medhelp-polisanmaler-tidning-efter-avslojande/a/8wy6GW)

~~~
bjourne
The crappy thing is that the psycho CEO that filed charges is 100% right. The
journalist willfully and knowingly committed a data breach. There are no
provisions in the law for "I did it for a good cause" or "I only demonstrated
that it was possible."

Of course if he hadn't, he wouldn't have been able to write a story about it
and the security holes would not have become public knowledge.

The laws in these areas are insanely antiquated and this is not the first time
investigated people in power have tried to use them to silence or smear
journalists. Freedom of speech is threatened.

~~~
m-s
If I understand correctly, the journalist did nothing more than accessing an
entirely unsecured, public website.

~~~
emerongi
I think in this case the argument actually applies. There is no action on the
user's part that signifies bad intent. Maybe if they downloaded too many of
the files, but otherwise I wouldn't expect the accusation to stick.

------
dkarl
What's sad is that the CEO seems to be doing his best to provide an accessible
explanation to people who understand the technology even less than he does, as
if those are the people he needs to answer to. It's a real "series of tubes"
moment in that it feels unfair to nit-pick what he's saying on the level he's
saying it, but it's obvious he doesn't understand it on any deeper level, and
he doesn't understand that the issue needs to be in the hands of someone who
does.

------
Kiro
> “That someone probably, when updating at some point, seen that there was a
> free networking cable slot, and I guess they thought, some technician: ‘Aha,
> there should probably be a cable here, but it fell out [sic]’, and then they
> have connected a networking cable, so that it’s become connected to the
> Internet. That is just, like, how you do these things.”

Yeah, no, that's not how you do these things...

~~~
xorcist
Not only is this statement extremely funny in its own right, it completely
ignores the fact that there was a public DNS name too with a clear service
name. Maybe that same poor technician also fell over the keyboard too. How
extremely unfortunate!

------
wil421
The 10 talking points from the guy who spoke to the press are so terrible I
burst out laughing. Government IT incompetence is so terrible all around I
find it hard to imagine a way out. Either they do terrible things themselves
or outsource it to the lowest bidder who might be slightly less clueless.

~~~
xorcist
Let me see if I got that right. When the government does something bad, it is
(obviously) at fault. When a private company is hired instead, and fails
spectacularly, breaking along the way not just the contract but both national and
European law, then that is also a sign of terrible government incompetence.
There's just no winning for public officials, is there?

~~~
opportune
The public officials could just do a good job of either finding good
contractors or doing the work themselves? Or is that so far fetched we are not
even considering that possibility?

~~~
xorcist
An official hand picking contractors out of good judgement is called
"corruption", at least around the EU. The contract must be awarded to the one who
makes the best promises, if the controversial wording is excused. Public
agencies may do work themselves, of course, but that tends to attract a more
common type of criticism.

I know nothing about this particular case however. It may very well be a royal
fubar every step along the way. It was just interesting how some thought the
government responsible even for private companies found breaking the law.

------
IdontRememberIt
I was working on a project for a client in 2002. Our genius project leader
told us to set up a public FTP server... without a password. We told him that it
was no solution and super dangerous. As junior devs in a service company,
we were told to simply shut our mouths and do what was ordered. The server was
instantly found, but they only started to use it during the weekend as a porn
server. The hosting company was on fire. This leader is now a director. hehe

------
ypolito
I had to call the emergency number due to intense toothache in the middle of the
night two years ago. Am I affected and was my call leaked?!

------
jackconnor
"55 files have been downloaded from the drive, “many of them duplicates”" - I
laughed pretty hard at "duplicates"

------
HNLurker2
[https://news.ycombinator.com/item?id=19191241](https://news.ycombinator.com/item?id=19191241)

It was discussed

~~~
bjoli
Oh, but it is the gift that keeps on giving. The sheer incompetence behind
this is enormous.

~~~
JoachimS
Indeed. The company has now gone to the police to report the newspaper and its
journalist for hacking.

~~~
ambentzen
It's good to see that we Danes have exported something to Sweden. The same
thing happened after someone "hacked" some school webapp-thingy, I can't
remember the exact details, by changing the URL to get access to another
student's data. He was promptly reported to the police for hacking after he
reported it to the company.

~~~
tokai
I just looked it up again, and he actually did hack them:

"The parent, Henrik Høyer, had among other things discovered that the info
screen which each individual kindergarten had in the system was afflicted with
a security hole that allowed cross-site scripting. Quite simply, the messages
one wrote to the shared info screen were not sanitized of characters that make
it possible to submit JavaScript code.

Henrik Høyer exploited this to write a simple JavaScript alert box that popped
up with the message 'Call Infoba and tell them that your new intranet solution
has been hacked', after which the user had to press 'OK'.

Several of the preschool teachers saw it and wondered about it, according to
Infoba's product manager.

»I wrote to Infoba and never heard from them. Then I made this solution, which
was perhaps right on the edge of what is allowed,« says Henrik Høyer and
continues:

»I made a harmless JavaScript, but could have done much worse.«"[0]

(Sorry for the Danish, y'all)

[0] [https://www.version2.dk/artikel/foraeldre-finder-banale-sikkerhedshuller-i-udbredt-it-system-til-boernehaver-247985](https://www.version2.dk/artikel/foraeldre-finder-banale-sikkerhedshuller-i-udbredt-it-system-til-boernehaver-247985)
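As an added illustration of the flaw tokai describes, here is the unsanitized rendering of shared info-screen messages beside the escaped version. This is example code, not from the article or from Infoba's product; the message shape, the function names and the sample messages are assumed.

```javascript
// Added example (not from the article or Infoba's system): rendering shared
// "info screen" messages with and without output encoding. Names are assumed.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. This is the fix the article says was missing.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: message fields are concatenated straight into markup,
// so a message carrying a script tag runs in every viewer's browser.
function renderUnsafe(messages) {
  const items = messages.map((m) => `<li>${m.author}: ${m.text}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Hardened rendering: every user-supplied field is escaped before it touches
// the markup, so the same message is displayed as literal text instead.
function renderSafe(messages) {
  const items = messages.map((m) => `<li>${escapeHtml(m.author)}: ${escapeHtml(m.text)}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Detection helper for a test suite or a log check: rendered output must
// never contain a raw script tag opening.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample messages; the second one is the classic probe string.
const sampleMessages = [
  { author: 'Staff', text: 'Closed Friday for planning day' },
  { author: 'Parent', text: "<script>alert('xss')</script>" },
];
```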

~~~
bjoli
My porridge-language is limited, but if I understand correctly he used an XSS
vulnerability to place an alert box on the page telling the users of the
system they should contact the provider and tell them the system had been
hacked. It could of course have been much worse. He was later found not guilty:

[https://www.version2.dk/artikel/derfor-blev-henrik-hoeyer-frifundet-1074649](https://www.version2.dk/artikel/derfor-blev-henrik-hoeyer-frifundet-1074649)

~~~
tokai
Yeah, totally benign; the only one guilty of anything is that awful
contractor. I just wanted to point out that there was more to the story than a
police report over emails.

------
kmlx
on one hand, pretty terrible.

on the other hand one could analyse all the calls and provide a helpful
medical bot.

