
Student Who Found Security Flaws in Police Protocol Gets Suspended Sentence - campuscodi
http://news.softpedia.com/news/student-who-found-flaws-in-police-communication-protocol-gets-prison-sentence-504333.shtml
======
rwallace
My sympathies for the guy, and I'm not blaming the victim, but there is a
basic safety rule that every aspiring hacker needs to understand, right now,
right up there with 'fasten your seatbelt' and 'don't feed the bears':

DON'T DISCLOSE SECURITY FLAWS TO UNWILLING OWNERS.

If you stumble across a security flaw in a proprietary system, check whether
they have a bug bounty. If so, great. If not, _keep your mouth shut and get on
with your life_. (Unless, of course, you've decided to sell it on the black
market; if you're okay with the ethics of that, so be it. But my advice, that
needs to become the standard advice to everyone, is to just keep your mouth
shut.)

Don't bite the hand that feeds you - and don't feed the mouth that's going to
bite you.

~~~
saalweachter
So let's suppose I'm a clever computer guy and I enjoy finding out how systems
work and don't work, and I uncover lots of security problems.

But I'm also lazy and/or not very good at dealing with large corporations to
find the right person to report these things to, even if they have a bug
bounty.

Are there any organizations -- uhh, _non-criminal_ organizations -- that will
take a security report, find the right person at the company to report it to,
see that it is addressed, and maintain my anonymity, so that I can wash my
hands of it and go back to what I prefer to do with my time?

~~~
wlonkly
Journalists are the first that come to mind. Use SecureDrop to maintain
anonymity.

------
brhsiao
This strikes me as one of the most poorly understood aspects of
software/computing.

Breaking into a computer system is like criticizing someone's ideas, not
breaking into a house. Since anyone can trivially break into a house, we judge
people by their intent, and thus authorities are trained to wonder "why was he
doing that at all?" Whereas with computers malice is taken for granted and
security has to be by design.

Most people understand that criticism does you a favor. Maybe we should
explain that security systems are like public debates, and that successful
hackers just happened to say something first.

~~~
zyxley
I feel like a better analogy, especially in this case, would be "it's not
breaking into the house, it's looking in the window". Non-technical people
would generally understand the equivalent of, say, a business leaving a stack
of personal files next to a sidewalk window and someone calling up the news to
say "this could lead to identity theft!".

~~~
mcbits
From what little is described of this "hack", it does sound akin to looking in
a window that nobody noticed was open. In general, uninvited pentesting is
more like going around and checking doorknobs to see if they're locked. Not
sure if that's illegal (in Slovenia no less), but I can't blame someone for
feeling really uptight about it.

------
IIAOPSW
No good deed goes unpunished.

Kid should have just sold his hack to the highest bidder and skipped the
country. Denounce me as unethical all you want, but his situation would be
objectively better if he hadn't cooperated with the authorities.

~~~
eximius
I can't downvote but this is a terrible attitude.

~~~
bsder
> I can't downvote but this is a terrible attitude.

While I'm not down with selling the hack, not interacting with police is
always good advice.

It's shown over and over again that official contact with the police rarely
has good results, at best has neutral results, and sometimes has _VERY_ bad
results.

~~~
eximius
I was referring to the 'the kid who did a good thing should have made himself
explicitly a criminal' part.

------
jlgaddis
This is yet another example of how one who practices "responsible disclosure"
eventually changes their beliefs and begins to practice "full, anonymous,
public disclosure".

~~~
rtpg
I think the issue is more that he took this knowledge and tried to listen in on
encrypted stuff.

>Officials also conducted a search of his house a month later, in April 2015.
Besides seizing his computer and a $25 custom equipment with which Ornig was
able to intercept TETRA communications, officers also found a fake police
badge, and also accused him of impersonating a police officer.

~~~
loup-vaillant
Proof of concept? The existence of the device demonstrates even to the most
ignorant layperson the insecurity of TETRA communications.

As for the fake police badge, I bet this was unrelated: a costume party, BDSM,
an old toy…

------
hackney
The Slovakian found the encryption protocol only worked for about 30% of the
communications. He notified the proper authorities and they did nothing for 2
years, so he went public. To be fair, he did not go to prison for 15 months; he
only got parole. It's a Catch-22 situation, kind of like always having a roll of
money in your pocket when you are trying to save.

Still, running from the police because they won't fix their insecure
communications is ridiculous. Regardless of whether or not you made any money.

~~~
soneil
Slovenian, not Slovakian.

(yeah, I know. But they're two entirely different countries)

------
forgotpwtomain
It wouldn't seem like any kind of hacking went on if some of the
communications were actually unencrypted (reading plaintext is not the same
as decrypting something with a weak key)? The article makes it sound like
something you can check just by grabbing packets via Wireshark. Some details
are missing here...

------
donatj
If you're going to release this kind of thing publicly, you want to do your
damnedest to do it anonymously.

------
hackney
Correction: he started intercepting the data as well as playing cop. Still,
that's better than running away. If it were the USA, he would have been in jail
for sure.

~~~
icebraining
_playing cop_

Is there any evidence of this? Simply owning a fake badge doesn't even prove
intent, let alone being actual evidence that it happened.

~~~
TheCartographer
_Simply owning a fake badge doesn't even prove intent, let alone being actual
evidence that it happened_

Well, not in the US. Many other countries take a dim view of citizens
owning anything that even remotely resembles the accoutrements of official power
and authority.

~~~
icebraining
He may have broken the law by possessing it, but that's not the same as
"playing cop". What he actually did doesn't change according to the
jurisdiction, only its legal status.

