Was expecting to see claims that he'd deleted files or something, but if they've pretty much confirmed all he did was view the passwords then frankly they should be paying to secure it properly themselves (as they should have done in the first place). If it was really as easy to access as he's making it out to be then the only safe assumption is that the system was already compromised by others too. Sounds like they're trying to get someone else to foot the bill for what they should have done themselves.
Swedish city demands £40,000 to repair teenage hacking spree
A Swedish local authority is seeking almost £40,000 in damages from a 17-year-old who hacked its IT system. Umeå, in northern Sweden, is demanding half a million Swedish kroner from Erik Sundqvist as compensation for damages incurred after the then-16-year-old hacked into the municipal system. Sundqvist, who says he only …
COMMENTS
Monday 23rd March 2015 11:29 GMT Anonymous Coward
Re: £40k to change 600 passwords
Where do I apply? I'll do it for £30K in my lunch break.
:). I think this is a massive own goal. Not only did they publish that they couldn't run a safe system if they wanted to, they also made it clear that they will fail to do so in the future because they don't seem to have the right idea of what it takes.
Unauthorised testing for vulnerabilities is in many countries a crime, for fairly logical reasons - but you can choose how to react when someone at least tells you what they found. Others will not.
It can indeed take a good €40k because you need to audit the system, and I suspect they will probably get in some big name consultancy so they can show that they have thrown money at the problem to offset any liabilities. Where they went completely wrong was managing the media impact - by seeking to kill the messenger they have created adverse publicity, wasted goodwill and probably set themselves up for a more thorough probing from all and sundry who don't like the idea of taking a friendly to court.
*Not* the brightest response IMHO.
Monday 23rd March 2015 20:02 GMT I. Aproveofitspendingonspecificprojects
> makes me think they got a consultancy firm to do it.
It made me think they still hadn't done it at the time of writing, which means that some generous soul still has time to nip in and round up a few passwords with the idea of selling them off for the 40,000 to pay for the lad's seek and ye shall fined.
Monday 23rd March 2015 12:41 GMT NoneSuch
Obviously a radical
"He said it was ridiculous that a public IT system that stores personal data on so many people should be so unsafe."
My lord. Actually asking government to use more than a tab + slot cardboard flap to protect their users' data? What a revolutionary! Then forcing them to change passwords, but not fix the underlying vulnerability that got him in there in the first place. There's a sensible and thorough solution to correct things. (Not.)
Let's not fix the problem, let's just charge the person who highlighted the problem to the public. They should go work for the American government with that attitude.
Monday 23rd March 2015 09:47 GMT LucreLout
Surely they should be sacking whomever is in charge of their system security and hiring this guy as a consultant to his replacement, assuming he doesn't want the job himself?
Passing on the bill for proper security to the guy that pointed out what you had wasn't worth shit seems unfair. People have very little choice about allowing the state to hold whatever data they please about us. The minimum we're entitled to expect is that it'll be kept securely, and that there will be consequences when it's not (lessons are only learned once heads have rolled).
Monday 23rd March 2015 09:55 GMT Jimmy2Cows
@LucreLout
That should happen, of course, but that means they'd have to admit they screwed up. Which is never gonna happen.
Far better to say "we were hacked" because Joe Public believes hackers are scary evil monsters. Saying "someone found our unsecured, unencrypted password database and showed us what a bunch of morons we are" doesn't have the same ring.
Heads have rolled. Sadly, as ever, the wrong ones.
Monday 23rd March 2015 10:05 GMT Anonymous Coward
Still fair compared to other countries...
35 hours community service and a 5-digit bill for breaking into local authority websites isn't that harsh at all. Let's not forget that what he did is still illegal.
In other countries, especially on the other side of the big pond, he would have been locked away for a long time, paying compensation in the millions, and possibly be branded a terrorist for good measure...
Monday 23rd March 2015 10:18 GMT Anonymous Coward
Re: Still fair compared to other countries...
done for deterrent value?
Same principle as shops taking civil action against a shoplifter for costs incurred as a result of the theft. Even if the magistrate tells them they've been a bit naughty and they shouldn't do it again and imposes a minimum fine, they get stung for a bit more.
Monday 23rd March 2015 10:50 GMT gnasher729
Re: Still fair compared to other countries...
According to what I have been reading, there was no or very little cost caused by his hacking. The cost is due to them having insecure systems. If they had hired a security consultant to check the security of their passwords, and the security consultant had told them that they were so badly protected that a 17 year old without any special knowledge could read their passwords, then they'd have to pay the same bill.
Monday 23rd March 2015 11:29 GMT MonkeyCee
Re: Still fair compared to other countries...
"Same principle as shops taking civil action against a shoplifter for costs incurred as a result of the theft."
There are very strict rules on what they can charge for that, mainly based on the value of the items they nicked. You can't charge a shoplifter for the costs of a CCTV system installation, or claim that they have to pay $40k for the security firm to do its fcking job properly.
Also seems to fail the deterrent value test. If you white hat it, point out the insecurity you get fined and prosecuted. If you steal the information, use it to cause harm or gain profit, you get fined and prosecuted.
Should have made his community service to toughen up their infosec. Well, except that it probably boils down to "is very inconvenient being secure. Please give everybody all the access to all the passwords". Or perhaps it's the "we haz autosaved passwords everywhere, we iz super secure".
If people treated physical security like infosec they would get laughed out of court.
Monday 23rd March 2015 10:43 GMT Danny 14
Re: Still fair compared to other countries...
He probably saved them more than 40k in identity theft by forcing them to shore up their defences. Other companies tend to offer BOUNTIES to point out issues like this. He didn't sell the passwords on, they "caught" him because he tried to tell them.
Monday 23rd March 2015 10:51 GMT NorthernCoder
Re: How do you say...
"För att avskräcka de andra" if you want to discourage or "För att uppmuntra de andra" if you want to encourage.
It should be noted that there is a difference of opinion between the young man and the city council as to whether he actually cooperated when the breach and malware were discovered.
Oh, and it should be "kronor", not "kroner" for the plural of the currency.
Tuesday 24th March 2015 10:57 GMT Glenturret Single Malt
Re: How do you say...
The point is that "pour encourager les autres" isn't about encouraging or discouraging at all. The verb is being used ironically. The phrase is often associated with another much-argued word, decimate. If the occupying Romans had to put down a local uprising, then they might kill a tenth of the subdued male population "pour encourager les autres".
Monday 23rd March 2015 12:01 GMT Ashton Black
My 2p on this...
If the kid told them, before the hack, that "x" exploit was open, but they ignored him and did nothing, with a reasonable fix time, then they have been negligent and in my opinion, should be liable for their own security costs. (Bearing in mind, the kid does now have a criminal conviction over and above their sueball. You can't sue a burglar for the cost of a security system, after leaving your windows open.)
If however, this was a straight black hat hack, then yes, he should be liable.
It doesn't state if this was the case or not.
Monday 23rd March 2015 13:25 GMT Sarah Balfour
He's probably thinking the exact same thing in hindsight…
…it's either teenage naïveté - or greed (in that he thought that, by not hiding his identity, he'd be hailed a hero and a massive reward would be his).
Although I will concede that not ALL teenagers are money-grabbing shits, just most… ;OD I have to say my image of Sweden is changing rapidly.
Monday 23rd March 2015 13:47 GMT Anonymous Coward
This is precisely the problem...
...failure to impose a deterrent to hacking. 35 hours community service is an insult when this person could have just told the appropriate people why he believed the system was insecure instead of actually hacking it. Proof of concept could be done by the authorities. The kid should at least pay the damages and be held accountable for hacking - which 35 hours community service is not.
Monday 23rd March 2015 13:48 GMT ascii bandit
The original article states that it is not the first time he has been charged with hacking, and that he has repeatedly tried to make the IT department aware of the lack of security.
Furthermore, there is a quote from the judge that the documented warnings will have no impact on the verdict.
Nice work, there is a bloke who will never warn anybody of anything again.
:(
Monday 23rd March 2015 16:13 GMT Mad Chaz
Here is what this sounds like to me, by telling a story that I think equates to what happened.
You are walking down the street and pass by a local police building. It's got a nice architecture so you go to take a closer look. You see, via a window, highly sensitive investigation files, right in view of anyone who could walk up to the window, like you just did.
You walk in the front door and tell the officer on duty "Hey, I was passing by and noticed someone doing an investigation is leaving the files in plain view of the third window on the right from the door, you guys should be more careful."
Then the cops reply "Sir, you're under arrest for breaking into police property and damaging the building security. Pay up a huge fine so we can install automatic curtains that stay closed at all times on the windows so it doesn't happen again".
Yea ... the public is no longer allowed to point out incompetence in the gouv. That will never go wrong ...
Tuesday 24th March 2015 02:54 GMT Bob Dole (tm)
Fine for the firm?
What fine does the firm have to pay for storing passwords in a non-encrypted format?
What fine does the firm have to pay for not bothering with any type of security on personal data?
If this kid has to pay 40k, then I'd think the firm ought to be hit with about a 4m one. Seems fair to me.
Tuesday 24th March 2015 10:17 GMT cduance
40k
They should get fined by the ICO for a breach and potential loss of data, perhaps 200k, just to make the point that security is their problem and that suing a white hat hacker is just going to give every black hat hacker the green light to hack them because they don't take security seriously.