Hacker thrown in jail for reporting police system security flaws
A hacker has been awarded a suspended sentence for disclosing security vulnerabilities in a Slovenian police system.
The student, 26-year-old Dejan Ornig, studied the Tetra police communication system and through his study found that the system contained security vulnerabilities due to incorrect configuration settings, among other issues.
Between 2012 and 2014, Ornig, alongside colleagues, discovered that Tetra did not always encrypt communication sent through the protocol. As Tetra is used by the military, the Slovenian Intelligence and Security Service and other agencies, a lack of encryption could have serious ramifications for intelligence and the country as a whole.
As noted by Security Affairs, the student then disclosed these security issues to law enforcement, but after waiting at least a year, there was no action taken to remedy the flaws.
As a result, Ornig decided to publicly disclose the issues in March this year — something the Slovenian authorities were not happy with.
The public disclosure did result in the rapid patching of the security vulnerabilities. However, once the problems were fixed, law enforcement turned its gaze on the student and accused Ornig of attempting to hack into government networks on three separate occasions in 2014.
The issue was made more complicated when law enforcement raided his home and found a fake police badge and recorded conversations related to Ornig’s former employer.
According to local publication Pod Crto, Ornig was charged with attacks on information systems, the falsification of documents and “undue” audio recording.
A Slovenian court handed down a suspended sentence of one year and three months in prison on 11 May.
In the past decade, ethical and “white hat” hacking has become more regulated through the use of bug bounty programs and financial incentives. However, it appears that despite dragging their feet to patch problems, some agencies do not take kindly to public disclosures forcing them to do so.
Source | ZDNET