DUTCH POLICE ARRESTS HACKERS
At 10.30 in the morning of monday the 27th of January 1992 Dutch police searched the homes of two
hackers, in the city of Roermond, the parental. home of the 21-year old student H.W. was searched and
in Nuenen the same happened to the parental home of R.N., a Computer Science engineer, age 26. Both were
arrested and taken into custody. At both sites, members of the Amsterdam Police Pilot Team Computer
Crime were present, alongside local police officers and representatives of the national organisation CRI
(Criminal Investigations Agency). Both suspects were transported to Amsterdam. The brother of one of the
suspects was told the suspects could receive no visits or mail. All of this has happened more than one
week ago and the two are still in jail as we write this.
The charges
A break-in supposedly occured at the bronto.geo.vu.nl site at the VU University in Amsterdam. This UNIX
system running on a SUN station (IP 130.37.64.3) has been taken off the net at least for the duration of
the investigation. What happened to the actual hardware is unknown at this time. The formal charges are:
forgery, racketeering and vandalism. The police justifies the forgery part by claiming that files on
the system have been changed. The vandalism charge is valid because the system had to be taken off the
net for a period of time to investigate the extent of the damage. By pretending to be regular users or
even system management the hackers committed racketeering, the police says.
Both suspects, according to the Dutch police, have made a full statement. According to a police
spokesman the motive was "fanatical hobbyism". Spokesperson Slort for the CRI speakes of the "kick of
seeing how far you can get"
"Damages"
According to J. Renkerna, head of the geophysics faculty at the VU, the university is considering filing
a civil lawsuit against the suspects. "The system was contaminated because of their doing and had to be
cleaned out. This cost months of labour and 50.000 guilders (about US$ 30,000). Reigistered users pay
for access to the system and these hackers did not. Result: tens of thousands of guilders in damages."
Renkema also speaks of a "moral disadvantage": The university lost trust from other sites on the
network. Renkema claims the university runs the risk of being expelled from some networks.
Renkema also claims the hackers were discovered almost immediately after the breakin and were monitored
at all times. This means all the damages had occured under the watchful eyes of the supervisors. All
this time, no action was taken to kick the hackers off the system. According to Renkema all systems at
the VU were protected according to guidelines as laid down by CERT and SurfNet BV (SurfNet is the
company that runs most of the inter- university datatraffic in The Netherlands).
What really happened?
The charge of "adapting system-software" could mean that the hackers installed backdoors to secure
access to the system or to the root level, even if passwords were changed.
New versions of telnet, ftp, rlogin and other programs could have been compiled to log access to the
networks.
What really happened is anybody's guess. One point is that even the CRI acknowledges. that there were no
"bad" intentions on the part of the hackers. They were there to look around and play with the networks.
About hacking in general
In the past we have warned that new laws against computer crime can only be used against hackers which
are harmless. Against the real computer criminals a law is useless because they will probably remain
untraceable. The CRI regularly goes on the record to say that hackers are not the top priority in
computer crime investigation. It seems that hackers are an easy target when 'something has to be done'.
And "something had to be done": The pressure from especially the U.S. to do something about the
"hacking problem" was so huge that it would have been almost humiliating for the Dutch not to respond.
It seems as if the arrests are mainly meant to ease the American fear of the overseas hacker-paradise.
A closer look at the charges and damages
The VU has launched the idea that system security on their system was only needed because of these two
hackers. All costs made in relation to system security are billed to the two people that just happened
to get in. For people that like to see hacking in terms of analogies: It is like walking into a building
full of students, fooling around and then getting the bill for the new alarm-system that they had to
install just for you.
Systems security is a normal part of the daily task of every system-adminstrator. Not just because the
system has to be protected from break-ins from the outside, but also because the users themselves need
to be protected from each other. The 'bronto' management has neglected some of their duties, and now
they still have to secure their system. This is not damages done, it's work long overdue.
If restoring back-ups costs tens of thousand of guilders, something is terribly wrong at the VU. Every
system manager that uses a legal copy of the operating system has a distribution version within easy
reach.
"Month of tedious labour following the hackers around in the system". It would have been much
easier and cheaper to deny the hackers access to the system directly after they bad been discovered.
"Moral damages" by break-ins in other systems would have been small. The VU chose to call the police and
trace the hackers. The costs of such an operation cannot be billed to the hackers. Using forgery and
racketeering makes one wonder if the OvJ (the District Attorney here) can come up with a better motive
than "they did it for kicks". If there is no monetary or material gain involved, it is questionable at
best if these allegations will stand up in court.
As far as the vandalism goes: there have been numerous cases of system management overreacting in a case
like this. A well trained system-manager can protect a system without making it inaccesible to normal
users. Again: the hackers have to pay for the apparent incompetence of system management.
This does not mean that having hackers on your system can not be a pain. The Internet is a public
network and if you cannot protect a system, you should not be on it. This is not just our statement, it
is the written policy of many networking organisations. One more metaphore. It's like installing a new
phone-switch that allows direct dial to all employees. If you get such a system, you will need to tell
your employees not to be overly loose-lipped to strangers. It is not the callers fault if some people
can be "hacked". If you tie a cord to the lock and hang it out the mail-slot, people will pull it. If
these people, do damages, you should prosecute them, but not for the costs of walking after them and
doing your security right.
Consequences of a conviction
If these suspects are convicted, the VU makes a good chance of winning the civil case. Furthermore, this
case is of interest to all other hackers in Holland. Their hobby is suddenly a crime and many hackers
will cease to hack. Others will go "underground", which is riot beneficial to the positive interaction
between backers and system management or the relative openness in the Dutch computer security world.
"Our system is perfectly secure!"
(and if you prove it's not, we'll have you put in jail)
übernommen von der HACKTIC
|
![[Chaos CD]](/file/6530/Chaos_CD_Blue__[1999].iso/images/chaoscd.jpg)
![[Gescannte Version]](/file/6530/Chaos_CD_Blue__[1999].iso/images/scan.jpg)
![[ -- ]](/file/6530/Chaos_CD_Blue__[1999].iso/images/prev.jpg)
![[ ++ ]](/file/6530/Chaos_CD_Blue__[1999].iso/images/next.jpg)
![[Suchen]](/file/6530/Chaos_CD_Blue__[1999].iso/images/search.jpg)