Hacker facing an 8-year jail term for exposing vulnerabilities in Magyar Telekom (cyware.com)
167 points by DyslexicAtheist 12 days ago | 82 comments

Some details as they appeared (in Hungarian) on the Civil Liberties Union blog ( jelenti.blog.hu/2019/01/25/igy_kert_bortont_etikus_hacker_vedencunkre_az_ugyesz ):

(it was translated to English by me, sorry for any mistakes):

- he was invited to visit Telekom's office (the expenses were on him), and wanted to give them the details

- he was not convinced by the meeting that they'll solve it (close the doors): tried again, successfully (yep, that's a bit grey hat).

There are several issues not with the hacking, according to the Hungarian Civil Liberties Union:

- the prosecutors used a way too generic accusation which missed several important details, like [regarding the crime] when, how, etc.

- the accusation claimed that the hack was done by using the Internet (seriously).

- they (the prosecutors) offered a deal of "admit the crime == free to leave" but when the guy denied they asked for more prison.

- the prosecutor stated: "we are not IT people but we know from the media (!) that with Internet and certain competence he could have hidden more of his digital footprints". And the prosecutors didn't ask for expert advice for more than one and a half years.

- they asked for 8 years because the hacker should have been able to disturb a public interest service, though the company claimed that this server/service did not affect any of their customers.

Hungarian here (Magyar means Hungarian in our language).

The guy was not sentenced yet, likely won't be, but given how incompetent everyone involved is, one cannot be sure.

Telekom does not want to press charges as far as I know, so despite their gross technical incompetence, at least they have that going for them.

Hungary recently had a bunch of ethical hackers getting into trouble, but fortunately the people are so outraged at the powers that be trying to jail them that they don't get harmed.

> The guy was not sentenced yet, likely won't be, but given how incompetent everyone involved is, one cannot be sure.

Does the public prosecutor in Hungary have a poor conviction rate? I know nothing about your country, but if I were facing a similar charge in the US I would be very concerned.

The public prosecutor actually has an unusually high conviction rate (can't cite a source right now for this), but there was a very similar scandal last year where a similarly young security enthusiast figured out he could buy public transport tickets for any price in the then recently launched web interface of the Budapest public transport company (BKK). He did this simply by editing the form post URL on the order page.

BKK then tried to prosecute him but quickly dropped the case since there was a huge public outrage. The website and the related services have been down ever since the incident.

So this is why people suspect they will drop the case soon again, but as another commenter already said, they are incompetent and corrupt to the bones, so who knows?

I don't know about that, but I think we don't have such a culture of prosecutors having conviction rates (might be wrong on this one I admit).

But Hungary is a very tense country, it only needs a spark to blow up (last time internet tax triggered a massive massive protest), so I don't think the political elite wants to risk protests and outrage.

> Does the public prosecutor in Hungary have a poor conviction rate?

Not if you are a politician. In the last two terms of Fidesz 1 low figure guy was convicted. I find that ridiculous since we are the poster child of corruption in the EU.

It is because the Chief Prosecutor[1] is a good old friend of Orban.

[1] https://en.wikipedia.org/wiki/P%C3%A9ter_Polt

> gets a jail term of 8 years

The article says the prosecutor's recommending an 8-year jail term, but since the court hasn't decided on the case — how did the hacker "get" a jail term?

Is the article wrong, or is the Hungarian legal system different from what I'm used to?

I think the threat of prosecution in this case is already some form of damage. Even if he is ultimately not convicted, future whitehats will think twice about coming forward because this one was _threatened_ with prosecution, thinking "what if I don't get so lucky?"

The smart thing to do, if a company has no public vulnerability bounty program, is to sell the information on the blackmarket instead. This will incentivize all companies to start their bounty program, whilst still getting some cash reward.

I don't know about the "sell the information on the blackmarket" part. But uninvited pen-testing seems pretty risky. Maybe it'd be prudent to have an ~anonymous pseudonym for this stuff.

And if you really care about reputation building, you could use an ~anonymous pseudonym plus the sha256 or sha512 hash of some string. If it all works out, you just share the string, and reap the credit.
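The hash commitment described in the comment above, as an added example that is not part of the thread. The pseudonym, claim text and function names are constructed for illustration; the random nonce is an addition the comment does not mention, included because a bare hash of a short, guessable string can be matched by anyone who guesses the string.

```python
import hashlib
import hmac
import json
import secrets


def _digest(pseudonym: str, claim: str, nonce_hex: str) -> str:
    # Canonical JSON keeps field boundaries unambiguous, so
    # ("ab", "c") and ("a", "bc") can never hash to the same value.
    payload = json.dumps(
        {"claim": claim, "nonce": nonce_hex, "pseudonym": pseudonym},
        sort_keys=True, separators=(",", ":"), ensure_ascii=False,
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def commit(pseudonym: str, claim: str, nonce_hex: str = None):
    """Return (commitment, opening).

    The commitment is published next to the pseudonym; the opening is
    kept private and revealed later to prove authorship.
    """
    if nonce_hex is None:
        nonce_hex = secrets.token_hex(32)  # 256 bits of randomness
    opening = {"pseudonym": pseudonym, "claim": claim, "nonce": nonce_hex}
    return _digest(pseudonym, claim, nonce_hex), opening


def verify(commitment: str, opening: dict) -> bool:
    """Check a revealed opening against a previously published commitment."""
    try:
        nonce = opening["nonce"]
        bytes.fromhex(nonce)            # must be valid hex
        if len(nonce) < 32:             # require at least 128 bits
            return False
        expected = _digest(opening["pseudonym"], opening["claim"], nonce)
        return hmac.compare_digest(expected, commitment.lower())
    except (KeyError, TypeError, ValueError, AttributeError):
        return False


def naive_commit(text: str) -> str:
    """The scheme exactly as the comment states it: sha256 of a string."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def guess_unsalted(commitment: str, candidates):
    """Show the weakness of naive_commit: a guessable string can be
    recovered (and claimed) by anyone who tries likely candidates."""
    for text in candidates:
        if hmac.compare_digest(naive_commit(text), commitment):
            return text
    return None


if __name__ == "__main__":
    # Constructed sample values.
    c, opening = commit("anon-researcher-01",
                        "I reported the issue to the vendor")
    print("publish :", c)
    print("verify  :", verify(c, opening))
    forged = dict(opening, pseudonym="someone-else")
    print("forged  :", verify(c, forged))
    weak = naive_commit("alice found it")
    print("guessed :", guess_unsalted(weak, ["bob found it", "alice found it"]))
```
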

I agree. No need to get way too unethical to make a buck.... Ask for Monero or something if they want the full disclosure before you publicly and anonymously do a full disclosure.

It might incentivize the companies to change, but it might not. Especially if you end up selling it to an entity who uses Meanwhile you are doing real damage.

Why not publish the leak online to force the company to fix it asap?

Sounds like the same thing that happened to Aaron Swartz...

Cyware is a garbage site that copies articles from actual news outlets. If you read coverage on other sites, they all say he faces up to 8 years in jail. He's been barely charged.

Source: https://hungarytoday.hu/ethical-hacker-faces-8-years-in-pris...

It is just simply wrong.

This reminds me of the Vtech hacker story. Darknet diaries did an excellent podcast on it [0].

As someone having worked in pentesting, I have mixed feelings about this situation. Whitehat or not, the hacker knew that what he was doing was illegal. Of course this gives the hacker a dilemma, as not disclosing might result in a blackhat exploiting the same vuln.

[0] https://darknetdiaries.com/episode/2/

Don’t give other people power over you would have to be the first rule.

Oh gee, a “blackhat” exploits it. Moral dilemma! Who cares? You can’t control what other people will do on the internet and if it’s a target worth more than pennies of crypto cpu someone else has most likely done it already. 9/10 there’s like a dozen webshells on that box if there’s a good bug to be had.

I srsly don’t get the hand wringing folks do. Shells are shells and you know what you be doing.

But every year there are more summer children and I suppose we should look after them.

The hacker in this case, if they want to do the Right Thing but without any reward, is to report it anonymously - they of all people should know how to hide their tracks. Creating a throwaway e-mail address through half a dozen proxies and/or TOR is relatively easy.

The hacker did report it anonymously, there's no evidence that the hacker was caught from the email they reported the vulnerabilities from. They of all people should know how hard it is to remain completely untraceable.

- Never do unsolicited pentesting

- If you do, be very careful about how you report it; must be to a recognised bug bounty program

- Especially don't do this in a repressive state

Since it is a major public company serving many Hungarians, it can be argued that the hacker did a public service.

I understand that he did not want to admit wrongdoing, since he believed it should be considered an extenuating circumstance where public interest requires such action.


The European parliament certainly believes (with a two-thirds majority) that the current government in Hungary poses a "systematic threat" to democracy and the rule of law: https://www.theguardian.com/world/2018/sep/12/eu-meps-vote-t...


"The European Court said the conviction was correct"

First of all, I think the argument that can be drawn from one Court decision is not very strong.

Second and possibly more important: this was a decision by the European Court of Human Rights (which is completely unrelated to the European Court of Justice and the EU) and the decision was not an appeal but the question was whether Austria had violated the European Convention on Human Rights which is a specific international treaty with specific Rights, mainly crafted in the late 1940s. It doesn't aim to be an all around Constitution for Europe but protects certain things for example in this case possibly free speech under Art. 10.

The fact that the HR Court interpreted the Convention in a way that allowed Austrian Authorities to fine a certain statement does in no way imply that freedom of speech is not protected in the European Union or in the Council of Europe Member States. Instead it is a fundamental idea of the European Convention on HR that states get a certain margin of appreciation to make decisions such as these. In other cases (for example concerning whistleblowing or Lingens v Austria) the Court has upheld free speech.

Quoting tabloids is not going to win you any arguments


The publication doesn't matter because you're directly contradicting yourself. You just wrote in another comment:

> Having a corrupt public servant (if this is the case here) does not make a country a "repressive state".

And now you seem to argue that other countries look repressive as well by quoting a single conviction that was invalidated by the ECJ.

The ECHR, not the ECJ (the latter of which is related to trade agreements). The ECHR did the opposite of invalidate her conviction -- they upheld the decision of the Austrian court[1]. In other words, they rejected the claim that Austria's anti-blasphemy laws are a violation of human rights (which I disagree with -- though I'm definitely not anti-EU like others in this chain).

[1]: https://www.theatlantic.com/ideas/archive/2018/10/its-not-fr...

That's the opposite of what happened.

You should understand the framework around this whole thing, since it involves religion (ancient, fictitious or otherwise very hard to prove, very little actionable evidence, mostly based on belief), but also current laws and crimes (well documented, easy to provide evidence).

First of all when you make an accusation you have to prove it, bring actual evidence, otherwise it's slander (or blasphemy, in a religious case). Second, we're talking about religion, so take every detail (the "evidence") with a grain of salt. Third, even assuming you can use a holy book to prove your case, the accusation is not valid because the law you're using wasn't in place back then when the "crime" was committed. On the other hand a blasphemy law is in place when your crime was committed.

So although I'm as far from a religious person as it gets, I still believe people are entitled to their own religious beliefs without someone uselessly dragging them through the mud. Every religion mentions some details that could prove insulting for many people, why bring one up in particular? And if a law is in place don't break it arguing that it's unfair. Maybe fight for changing it before you break it.

Then again, it's not like the European parliament is a proper democracy, or that the European people really go for the bureaucracy in Brussels...

The European parliament is a proper democracy (and unfortunately not powerful enough). It's the European commission that kind of lacks democratic legitimacy.

Nitpick: A parliament can't be a democracy. It's a necessary ingredient to a democracy, but a parliament itself is just a room full of politicians. It's perfectly possible (and common) for a parliament to be structured democratically. But if it has no teeth, it's not part of a proper democracy.

Eg China has a parliament too but it's just for show. The EU parliament is somewhere in the middle. Norway's parliament is probably the gold standard.

It's called a parliamentary democracy.

Yeah, which means "a democracy that has a parliament", not "a democracy that is a parliament".

> It's the European commission that kind of lacks democratic legitimacy.

The Council of the European Union as well. Many (but not all) of the government representatives sitting on the Council are elected as MPs in their own countries, but that shouldn't make them a powerful part of the legislature at the EU level.

I wish we had a real bicameral European Parliament instead of this historically grown mess.

A proper democracy is governed by corrupt "politicians" and lobby? Well, if that's the definition, then yes : )

Only if you squint really hard. It's about as undemocratic as an appointed cabinet.

EU MPs are elected.

Yes, but the council isn’t - each member is appointed by the governments. So, my point is, that if you claim it’s undemocratic then you also have to call national cabinets undemocratic, or ambassadorships undemocratic.

You do realise that every single EU citizen can vote for the EU parliament, right? It doesn't get any more democratic than this.

I think you’ve thoroughly misread my post and its context. Please tell me where any citizen can vote for the European Commission - not parliament - which you can’t, because you do realize they are appointed by the heads of government in each country directly, which is why it’s wrongly targeted as “undemocratic”.

My point is that if you call that undemocratic then there are lots of things probably much closer to home that you should also criticize - like appointed cabinets forming the government - at least in the UK, you elect a local representative - nobody anywhere voted for e.g. Jeremy Hunt to be foreign secretary, so wouldn’t you have to argue that that is undemocratic also?

You do realize that citizens were allowed to vote in all number of dictatorships, right?

Being able to vote is the bare minimum for a democracy, not its ultimate realization.

The accountability of elected officials, the procedures, who and when voted for those procedures, the processes used, etc., are more important than merely being able to vote.

In fact the mere decline in participation and lack of voter engagement is also indicative of the disconnect between Brussels and the national EU-voters.

I'm more left-of-center myself, but even the right-of-center Economist put it somewhat well (if mildly):


"Proper" just in that its members are voted for (and often, the national regional populace can't even vote them directly, they are appointed by party leaders and the vote is wholesale).

Not proper in that it's wanted, established by popular demand, accountable, has checks and balances, and moves according to the voters will.


Hungary has become to some degree, and is moving towards being, a repressive state.[0]

> Since Orbán returned to power in 2010 his government has introduced measures to curb judicial independence and increase control over the media, and imposed restrictions that could lead to the closure of the Central European University (CEU).

Crackdown on the media, compromising judicial independence, and measures leading to increased obscurantism. Net effect is indeed leading Hungary towards being a repressive state.

0. https://www.theguardian.com/world/2018/sep/12/eu-meps-vote-t...

> restrictions that could lead to the closure of the Central European University (CEU)

The rest of what you mention certainly is repressive, but one of the stated aims of the foreign-funded CEU is, by its own admission, open-society propaganda. When the US tries to limit foreign political ads, is that also repressive? If not, why would putting a university behind those ads change things?

tomp 12 days ago [flagged]

> Crackdown on the media, compromising judicial independence, and measures leading to increased obscurantism

That's one interpretation. The alternative is that the media used to be owned/controlled by the (former) communists, and so was the judiciary.

Media. The fourth estate.

Currently in Hungary it's simply controlled by the governing party.

* Via the Media Authority and the public service broadcasters

* Also financially (the public service broadcasters have a budget that dwarfs independent media outlets' budgets, 300M EUR vs a few million EUR at best; plus the government subsidizes gov-friendly outlets through advertisement and public communications contracts - and they advertise their own propaganda [you know, the usual George Soros, fight Brussels, immigrants are raping everybody] )

* Through buyouts (TV2, local newspapers, etc.), consolidation ( https://www.voanews.com/a/huge-pro-government-media-conglome... ) and strict central command ( https://budapestbeacon.com/wp-content/uploads/2017/11/megyei... https://kep.cdn.indexvas.hu/1/0/1981/19814/198141/19814191_0... )

There are a few independent sites that try to serve the classic democratic role of oversight.


That's even easier. The current government and the governing party is full of members with ties to the old Socialist/Communist era.

Oh, and don't forget, how since 1990 everyone conveniently forgot to finally grant access to the old secret police archives, or at least set up a process that can clean people holding and/or running for seats and various positions.

Wouldn't make it less of crackdown on independence even if all the owners were who you say they were.

You can't say it's really independent if it's all owned by (proponents of) one political party.

I understand now: the communists are actually the illuminati.

I'll explain:

50 years of communism in the Eastern European countries left most of the people with no wealth, as it was forbidden to own a company unless you were co-operating with the secret police and signed a deal with them. This caused the issue that after the collapse of communism and the Soviet Union, people with wealth were communist collaborators (they were informing about non-safe people and helping throw them into jails and sharing money with police officers). Then after communism collapsed they created TV, media, and obviously there was still TV, radio and press which was government owned, where the same people were working. So as you can see, everything in post-Soviet countries is still mostly owned by communists and police informants.

Not so simple. The GDP and the country's wealth grew very significantly since 1990, and don't forget the enormous amount of foreign capital that entered Hungary. (For example "RTL Klub" is owned by the German RTL Group. And it is the last TV channel that airs segments critical of the government.)

Also, don't forget the privatization boom during the early 90s, when every government sold whatever they could find to fund the country. Early on this of course benefited friends of the old guard.

Furthermore, police informants liked to remain hidden. Secret police officers on the other hand liked to make the deals with the informants, especially those with some kind of business ambition.

But these deals produced a very pathological market state. As soon as the old regime fell, new businesses sprang up, and they soon eclipsed these old protected inefficient ones.

1) true, so they bought and created big supermarkets, factories and kept the salaries low, this did not help people on building wealth anywhere...

2) Privatisation is true - so you agree with me.

3) And?

4) New business? You mean old police informants with capital, investing in what was interesting for them...

Where do you think that GDP per capita growth came from? The economy benefited immensely from those factories and access to cheap stuff on international markets.

Salaries are low because there are not enough high paying jobs, because there are not enough high-skilled workers to attract/fund businesses that would employ them.

Furthermore, the Hungarian economy and demography suffers from the same problems as other developed economies. Technological improvements made a lot of mid-value jobs so efficient (via automation and of course through global institutions and multinational organizations), that the demand for them disappeared. See David Autor's seminal paper: https://economics.mit.edu/files/11563 (for example page 13, figure 2 is very telling. middle class jobs "disappeared").

Hungary, just as the US suffers from the problem of transforming labor markets (middle class jobs are hard to find, plus typical worker class male dominated fields are shrinking, whereas female dominated service oriented sectors are rising). And whereas in case of the US a lot of people are simply caught in a vicious cycle of poverty and incarceration, about two hundred thousand Hungarians left the country since 2010. (That of course did not help the active population ratio, though people working abroad send a lot of money back.)

The education system is also regressing in the last 5-10 years, now the research institutions are in upheaval too, due to centralization and inefficient restructuring by the government.

This will slowly swing back one way or another. The recent "overtime work hours" law is a good example, because it doesn't make much difference, as the labor market for low-skilled workers is in a gridlock. (A friend of mine works as a HR manager and they can't find enough local workers, so they recruit Ukrainian foreign workers, for a simple, but big warehouse, 1000+ workers.)

And don't forget, wages will rise when labor share of profits increases, but that means more competition, less government protected oligarchs.

Privatization resulted in a lot of foreign companies owning stuff, not commies and informants.

Secret police driven businesses were not particularly successful even back then, they haven't accumulated much capital. There are bound to be some folks living off that, but investors in the early 90s were usually high income individuals. (Doctors, company directors, etc.) They got there during the 80s, which of course required the right party signals, but these people then sold stuff (real estate, companies, etc.) after its value appreciated to foreigners or the new guard.

It's very unlikely that "everything [in Hungary] is still mostly owned by communists and police informants."

Not enough high skilled workers? That is simply not true, highly skilled workers earn good money (programmers, engineers, doctors), the problem is with low skilled ones, who earn 4-5 times less than in Western Europe. In every country you have a lot more low skilled than high skilled workers, hence this is where the problem lies.

There is absolutely no difference in how a shop assistant deals with clients in Hungary or Czech Rep. as in UK or US. So why the disparity? It is definitely not caused by skills, the prices of goods are the same (for sure not 4/5 times cheaper), so what is the problem? The foreign companies? Not enough powerful unions? Governments allowing that?

> That is simply not true,

You haven't disproved my claim, you introduced a different one (that high skilled workers earn good money).

Hungary has fewer people that speak foreign languages (as percentage of working age population: https://scontent-vie1-1.xx.fbcdn.net/v/t31.0-8/18155924_8861... ) than any of the other EU member states. Hungary is the country where the ratio of graduates decreased among the 25-34 year olds between 2014 and 2017 (which might seem like a statistical fluke, but the problem is EU average is increasing monotonically since 2008, whereas Hungary had a peak in 2015 and declined since back to 30% vs 39% of EU average(!), see also: https://ec.europa.eu/eurostat/statistics-explained/index.php... 2017 )

This pretty much means Hungary has too few high-skilled workers.

> In every country you have lot more of low skilled than high skilled workers hence this is where the problem lies. There is absolutely no difference in how a shop assistant deals with clients in Hungary or Czech Rep. as in UK or US. So why the disparity?

And that's because economics works in the aggregate. Skills matter, because in Hungary you have too many people competing for those low skilled jobs.

Think about what the emptying of the middle class means. Of what the Autor paper that I linked means. A lot of people move down. The low skilled jobs are threatened not by automation, but by having more people suddenly becoming "low skilled" (because if they are not high skilled enough to count as high-skilled, and middle-skill stuff is disappearing, then more people are now forced to try to find low-skilled jobs).

https://qz.com/1010831/the-middle-skill-job-is-disappearing-... Hungary lost both low and middle skilled jobs, high-skilled jobs grew. Yet Hungary has comparatively few high skilled workers.

Hence those who are forced to work at "low skilled jobs" are now simply competing with each other more.

jopsen 12 days ago [flagged]

Is this much worse than what is happening in America under Trump?

Personally, I'm less worried, if the Eastern European countries go repressive they'll be leaving the EU one way or another..

Whataboutism. No, it's not "much worse", but what's happening in the US isn't exactly great either. It's also different… The US issues are more impactful on the rest of the world than Hungary's issues are.

Did you read the article?

> Hungary’s Prosecutor Office has indicted the white hat hacker

> 'the Prosecutor’s Office is asking for a prison sentence' despite the fact that in the indictment files 'it is not clear what exactly has he done.' The files lack the place, time, and means of the committed crimes he is accused of, 'and in general, nothing that would be necessary to present the lawful accusation in detail',"

The Prosecutor's Office is a state body, is it not?

Regardless of this specific episode, it seems it's becoming a pattern in Hungary.


ygkkojr6 12 days ago [flagged]

Having a corrupt public servant (if this is the case here) does not make a country a "repressive state".

It's highly unlikely this guy will actually go to prison. weev, on the other hand, did go to prison. Is the US a "repressive state"?


coldtea 12 days ago [flagged]

>Is the US a "repressive state"?

Well, it has the biggest incarceration rates per capita, and the biggest death penalty rates, of the whole world, and a horrible legal system (three strikes, for example, or the tons of people that went to jail for BS like marijuana). It has the top incidents of cops killing people in the western world. Heck, until the 70s it even had segregation laws.

Then there's the circus that are internal politics (the same two parties alternating in power for a century, following a bizarro multi-step process as remote from the actual people's vote as possible, with gerrymandering on top, and fat pockets with millions in promotion needed to have any chance as a candidate). Oh, and legal lobbying.

That said, they do have a decent rule of law, a legacy of respect for freedom of speech, and quite good representation at the state level.

[Edit: added some counter-items for balance]

It ranks only slightly above Hungary on this freedom index:


> the biggest death penalty rates, of the whole world,

Aren't they beaten by Singapore on the execution per citizen ratio? They certainly were, a few years ago.

When I last read about it it wasn't mentioned, but could have happened meanwhile. In general the competition was places like China (and even then, the numbers were unfavorable).

gtirloni 12 days ago [flagged]

Respect for the law is paramount and it's taken very seriously in death penalty cases in the US.

You can't say the same for all the people that die anonymously in certain countries that don't respect (or even have) laws that much.

I can see how that seems laughable, but Hungary is turning into a dictatorship extremely fast.

The scariest thing is that Hungary joined the EU in 2004 but has since a few years turned into a very scary place.

There's a number of countries across the world that are headed in that direction at an alarming rate, and the worst part is, it's happening via democratic processes - a lot of people WANT a dictatorship.

And we "imported" that from the US:



It feels like we are a petri-dish for political experimentation to test what could be scaled up.

Well, it's not exactly a paragon of democracy.

Yeah it is. Sliding to the way things were under Mother USSR...in fact a lot of East Europe are having the same problem. Strong leaders /parties try to choke free speech and opponents.

tomp 12 days ago [flagged]

Geert Wilders is a leader of the largest opposition party. He's a big problem for sure, but can't be compared with places like Poland, Hungary, Serbia, and others that already have autocratic leaders for years.

Western Europe saw oppressive candidates losing the fight and becoming a fierce opposition. Eastern Europe already got fucked and is now facing consequences. It was enough for the autocratic leaders to win fair elections once and there were no fair elections since.

No, what I want was, he is a political opponent who was being “choked”.

should have been: what I meant

Whenever I hear another case like this, I'm once again reminded of how the mainland Chinese deal with being witnesses to accidents or crimes taking place (as long as they aren't the victim), they simply walk on by as the "reward" for them is often not good, and in many cases they end up getting implicated.

Maybe it's time for solo security researchers to stop being the nice guys. I'm not saying they should start behaving like blackhats, simply that self-preservation must come first and when you are faced with an industry who treats what I'd consider acts of generosity with contempt and legal action, then fuck them.

Article with sources: https://www.zdnet.com/article/white-hat-hacker-discloses-mag...

> the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."

Translated source article with much more information: https://translate.google.com/translate?sl=auto&tl=en&u=https...

> She browsed and found a user guide in a PDF file on the Telekom website that contained the IP address of a DNS server. Performed a routine scan for this IP address and then surprised to find that it was relatively easy to get an administrator password from here.

This is a better article with a better headline:


When in a country you reward unethical behavior and you punish ethical behavior you are going to the fall.

This is outrageous and ridiculous. Magyar Telekom is a bunch of crooks anyway, why are phone plans so much cheaper in western Europe?

Because Hungary is just a free for all market for every corrupt big corp and organisation that wants easy profits.

Everything costs more than in Western Europe (except rents and services), yet people make 1/6th of the money. Hence why a third of the working population left the country.

I know, I wrote a couple of articles about Hungary for Jacobin, for those interested:

- https://www.jacobinmag.com/2018/03/viktor-orban-hungary-fide...

- https://www.jacobinmag.com/2018/04/fidesz-viktor-orban-hunga...

Sad but true, just came back from skiing and the food is in general cheaper in France. Also the quality is better.

Why would you set a precedent for not reporting vulnerabilities? Are they stupid? This just means "next time you find something, exploit it or just sell it to someone".
