[Chaos CD]
[Datenschleuder] [38]    DUTCH POLICE ARRESTS HACKERS
[Gescannte Version] [ -- ] [ ++ ] [Suchen]  

 

DUTCH POLICE ARRESTS HACKERS

    The facts
At 10.30 in the morning of monday the 27th of January 1992 Dutch police searched the homes of two hackers, in the city of Roermond, the parental. home of the 21-year old student H.W. was searched and in Nuenen the same happened to the parental home of R.N., a Computer Science engineer, age 26. Both were arrested and taken into custody. At both sites, members of the Amsterdam Police Pilot Team Computer Crime were present, alongside local police officers and representatives of the national organisation CRI (Criminal Investigations Agency). Both suspects were transported to Amsterdam. The brother of one of the suspects was told the suspects could receive no visits or mail. All of this has happened more than one week ago and the two are still in jail as we write this.

The charges
A break-in supposedly occured at the bronto.geo.vu.nl site at the VU University in Amsterdam. This UNIX system running on a SUN station (IP 130.37.64.3) has been taken off the net at least for the duration of the investigation. What happened to the actual hardware is unknown at this time. The formal charges are: forgery, racketeering and vandalism. The police justifies the forgery part by claiming that files on the system have been changed. The vandalism charge is valid because the system had to be taken off the net for a period of time to investigate the extent of the damage. By pretending to be regular users or even system management the hackers committed racketeering, the police says.
Both suspects, according to the Dutch police, have made a full statement. According to a police spokesman the motive was "fanatical hobbyism". Spokesperson Slort for the CRI speakes of the "kick of seeing how far you can get"

"Damages"
According to J. Renkerna, head of the geophysics faculty at the VU, the university is considering filing a civil lawsuit against the suspects. "The system was contaminated because of their doing and had to be cleaned out. This cost months of labour and 50.000 guilders (about US$ 30,000). Reigistered users pay for access to the system and these hackers did not. Result: tens of thousands of guilders in damages." Renkema also speaks of a "moral disadvantage": The university lost trust from other sites on the network. Renkema claims the university runs the risk of being expelled from some networks. Renkema also claims the hackers were discovered almost immediately after the breakin and were monitored at all times. This means all the damages had occured under the watchful eyes of the supervisors. All this time, no action was taken to kick the hackers off the system. According to Renkema all systems at the VU were protected according to guidelines as laid down by CERT and SurfNet BV (SurfNet is the company that runs most of the inter- university datatraffic in The Netherlands).

What really happened?
The charge of "adapting system-software" could mean that the hackers installed backdoors to secure access to the system or to the root level, even if passwords were changed. New versions of telnet, ftp, rlogin and other programs could have been compiled to log access to the networks.
What really happened is anybody's guess. One point is that even the CRI acknowledges. that there were no "bad" intentions on the part of the hackers. They were there to look around and play with the networks.

About hacking in general
In the past we have warned that new laws against computer crime can only be used against hackers which are harmless. Against the real computer criminals a law is useless because they will probably remain untraceable. The CRI regularly goes on the record to say that hackers are not the top priority in computer crime investigation. It seems that hackers are an easy target when 'something has to be done'.
And "something had to be done": The pressure from especially the U.S. to do something about the "hacking problem" was so huge that it would have been almost humiliating for the Dutch not to respond. It seems as if the arrests are mainly meant to ease the American fear of the overseas hacker-paradise.

A closer look at the charges and damages
The VU has launched the idea that system security on their system was only needed because of these two hackers. All costs made in relation to system security are billed to the two people that just happened to get in. For people that like to see hacking in terms of analogies: It is like walking into a building full of students, fooling around and then getting the bill for the new alarm-system that they had to install just for you.
Systems security is a normal part of the daily task of every system-adminstrator. Not just because the system has to be protected from break-ins from the outside, but also because the users themselves need to be protected from each other. The 'bronto' management has neglected some of their duties, and now they still have to secure their system. This is not damages done, it's work long overdue.

If restoring back-ups costs tens of thousand of guilders, something is terribly wrong at the VU. Every system manager that uses a legal copy of the operating system has a distribution version within easy reach.
"Month of tedious labour following the hackers around in the system". It would have been much easier and cheaper to deny the hackers access to the system directly after they bad been discovered. "Moral damages" by break-ins in other systems would have been small. The VU chose to call the police and trace the hackers. The costs of such an operation cannot be billed to the hackers. Using forgery and racketeering makes one wonder if the OvJ (the District Attorney here) can come up with a better motive than "they did it for kicks". If there is no monetary or material gain involved, it is questionable at best if these allegations will stand up in court.

As far as the vandalism goes: there have been numerous cases of system management overreacting in a case like this. A well trained system-manager can protect a system without making it inaccesible to normal users. Again: the hackers have to pay for the apparent incompetence of system management.

This does not mean that having hackers on your system can not be a pain. The Internet is a public network and if you cannot protect a system, you should not be on it. This is not just our statement, it is the written policy of many networking organisations. One more metaphore. It's like installing a new phone-switch that allows direct dial to all employees. If you get such a system, you will need to tell your employees not to be overly loose-lipped to strangers. It is not the callers fault if some people can be "hacked". If you tie a cord to the lock and hang it out the mail-slot, people will pull it. If these people, do damages, you should prosecute them, but not for the costs of walking after them and doing your security right.

Consequences of a conviction
If these suspects are convicted, the VU makes a good chance of winning the civil case. Furthermore, this case is of interest to all other hackers in Holland. Their hobby is suddenly a crime and many hackers will cease to hack. Others will go "underground", which is riot beneficial to the positive interaction between backers and system management or the relative openness in the Dutch computer security world.
"Our system is perfectly secure!" (and if you prove it's not, we'll have you put in jail)
übernommen von der HACKTIC

 

  [Chaos CD]
[Datenschleuder] [38]    DUTCH POLICE ARRESTS HACKERS
[Gescannte Version] [ -- ] [ ++ ] [Suchen]