
Ethical Hacking – A Crime

In January 2013 the National Cyber Security Center in Holland came out with a “Guideline” on ethical hacking and responsible disclosure. It is meant to set out steps (rules) that a hacker must adhere to strictly; if these rules are met, the organization will not take legal steps. However, it is not a law, so the hacker can be prosecuted anyway.

Working in IT I’ve found many leaks; some were so bad I had to find a way to report them. Does this mean I’m a hacker?

The correct answer would be NO, but the guideline makes no difference in this. I do not search for leaks, I do not hack for open ports, nor do I crack passwords of e-mail accounts. I simply do my job. But, according to the so-called Guideline, even when I do my job and find a hole in someone’s network I can be prosecuted. In my case, I’ll stop reporting.

But then came “HackersMeldpunt.NL”, a new website organized by a bunch of hackers in The Hague (Netherlands), so that must be good! I would assume that hackers could show me the way to anonymous reporting and staying out of trouble, but sadly – no. Reading the website I get the feeling they just *really* needed publicity and found this to be the way, since they offer no protection at all. And, really.. These guys pretend to be hackers?!

Before you do any type of reporting, upload any type of file or even send them an e-mail, please *be aware* of the following:

On their website it says very clearly:
“… and is not affiliated with (government) organizations. …”

They’re dead wrong on this one. Maybe they do not work together with the local government, but since they are a Foundation based in The Hague they are bound by Dutch law. There is absolutely no protection here, AT ALL. Actually they already knew this, since they put this so obviously on their website too:

“… We have no statutory duty of confidentiality and in theory our connection can be tapped, and our archives can be searched. …”

Right? Can you believe this? Here I thought these hackers would provide me anonymity and secure my safety! That’s what these guys do all day, right? Stay anonymous?! So actually they have no confidence that they can keep information a secret from the government?

And to make it even worse, they just want me to send an e-mail with all my dirty laundry to “meldanoniem @@@ revspace.nl” .. Like, where is the protection here? I’m anonymous by using my GMail or what?

This news report is disappointing, to say the least. There should be a hotline for leaks like this, but it should be set up professionally, by people that actually know what they’re doing. This hotline could be of great value for companies, our country and security as we know it now! And in regards to the new Guideline, there should be a big difference between people (employees!) working in IT discovering a leak by accident and a ‘real hacker’ (whatever that means after reading that horrible website).

  1. So, instead of azijnpissing on someone else’s initiative, where is your initiative?


  2. If you bothered to read the site, or maybe talk to one of the people running it, you might have something more insightful to write. The quotes you pasted above are on our site, as we can’t guarantee any anonymity, or can’t guarantee that we aren’t wiretapped. We do however try to provide as much anonymity as possible.
    – Our mailservers strip all headers from emails
    – Our logs are kept only for 24 hours
    – We fall under Dutch law, but we can’t provide the authorities with logs / information we don’t have. We try to minimize the information we have, so we can’t give anything away.
    – We don’t publish leaks or go to the press with them
    – The quoted nu.nl article was written without our request, nu.nl contacted us.


    1. Besides those things we recommend anyone posting something to our site / mail to use TOR or an equivalent anonymity system.


  3. Dear All,

    Thank you all for sending me comments on this blogpost; obviously I rejected most of them since they were no addition to the topic and/or discussion.

    There was one visitor who actually typed a very long story about his history in hacking, about what he did in the past (‘projects’) and what he had discovered. I just did some small checks and he used his own e-mail address and what looks to be his normal home IP address (since his FTP service gave me a nice banner with last name).

    Thank you for that, but please – if you want to go to jail, don’t do that through my blog. I’d like to keep my followers *out* of jail by posting this previous message.

    But now, back to the comments that I did approve and found noteworthy to reply to.

    @rbt:
    As I said in the above blogpost, I am not a hacker nor do I intend to become one. Since I also own a company in the Netherlands it would be completely useless for me to set up such a website, for the same reasons I don’t believe in this one.

    @Mark Janssen:
    Since you type most sentences with ‘WE’ I will just assume you are one of the founders? Well, anyway.

    As you already say in your first message: you cannot be completely sure the government gets its hands on the information. Also you can’t guarantee that you are not wiretapped. How would this reflect on the ‘Ethical hacker’ that has sent you its (very secret, very important and sometimes extremely valuable) information? Basically, since everybody read the article on NU.nl the government is already aware of your existence. All they have to do is go to court at the right time to seize all information that falls under your foundation and voila, all information is in the hands of the government. This means everybody that leaked information to you could be prosecuted.

    You advise everybody to use TOR but how is that safer? The way of sending information to you might be a ‘safe’ way but eventually you will need to open the documents/read the documents or you are forced by law to give the information.

    You mention the fact that you keep log files for only 24 hours but forget that you host a website through a provider; providers are bound by law to keep log files for 12 months…

    “We fall under dutch law, but we can’t provide the authorities with logs / information we don’t have.”

    So you are under Dutch law but just ignoring it; also you just put this online on a public blog website..

    I really support the idea of such a website, but only if it’s 100% bulletproof. The one reporting an incident should never be identified.

