Finland’s most-wanted hacker nabbed in France (krebsonsecurity.com)
258 points by impish9208 on Feb 5, 2023 | 171 comments



This was one nefarious operation by the hacker:

- He hacked the patient files of a psychotherapy center Vastaamo. This included therapy notes for more than 22.000 patients.

- First the hacker blackmailed the therapy center.

- Next he started blackmailing individual patients.

- Finally he released the files online revealing very private information on thousands of patients.

I can only imagine the horror felt by the people whose therapy notes were made public.


I wish we would stop calling these types of people hackers and just call them extortionists. The fact a computer was used to commit the crime really changes nothing about the crime.

If he physically broke in we wouldn't call him a notorious lockpicker.


For real, someone with OpSec of his level (packing his home directory off to the dark web) does not deserve to be named a hacker.


The two are not mutually exclusive: A hacker that steals people's banking info and drains their funds is a hacker and a financial fraudster. Hackers conducting ransomware attacks are hackers and extortionists. The fact that a computer was used to commit the crime is just a detail of how the extortion was carried out.


Right but I agree with the above poster in the sense that the most relevant crime here is the extortion. Hacking can vary in severity from the totally harmless all the way to threatening the lives of millions. Leading off by calling this Hacking fundamentally fails to convey the severity of the crime in this case. "Finland's most notorious hacker" has a much better connotation than say "mass extorter of the mentally ill", don't you think?

The problem is that people are numb to news about "hackers" because often it's some sort of dumb story about some teenager messing around in somebody else's network and a netsec or government bureaucracy overreacting rather than properly securing their network, whereas this case is basically an instance of terrorism. It should not be possible for me to be confused about which kind of hacking story this is from the headline. If I had come across that headline in the wild I would almost certainly have ignored it due to the above.

Other folks in the comments have brought up the term "cyber-criminal", which I think also fails this same test for exactly the same reasons.


Hacking can often simply refer to someone who writes code fast and loose, without care towards readability or reuse. The result usually looks like they were trying to be clever, but really it's just obtuse.


as in "he is a hack"


No, they are mutually exclusive. The word "hacker" originally meant someone enthusiastic about technology, someone who liked to tinker. The media distorted the word to mean "computer-related criminal", but that's a distortion.

The terms "hacker" and "criminal" are as mutually exclusive as "engineer" and "robber". Yes, maybe the robber knows how locks work so she can pick them, but "engineer" implies some level of ethics.


I think "cyber-criminal" is the term in common usage


Yeah, but “cyber” is such a cringe prefix.


It has impeccable pedigree, though: https://en.wikipedia.org/wiki/Cybernetics


Fun fact, the words "cybernetics" and "kubernetes" are different transliterations of basically the same word.


More on this: in French the letter y is written "i grec", or "Greek 'i'".

In the IPA, the sound of the French 'u' or German 'ü' is written as 'y'. E.g. French "tu" -> [ty].

To speakers of languages without that sound, it often gets mapped to the vowel sound in the English word "loose".

So you can see what's happened here, "cybernetics" with the "Greek 'y'" pronounced as French "u" becomes "kubernetes".

I don't know if modern Greek still has that sound.

I love little realisations like this. Sometimes I wish I'd done linguistics instead of computer science.


Modern Greek doesn't have the French "u" sound, I don't know if ancient Greek did. The "υ" in "κυβερνήτης" (cybernetes/kubernetes = helmsman, governor) is pronounced "i", as in "miss".

Incidentally, the word "governor" comes from "kubernetes" as well.


The French "u" sound is just "i" pronounced with your lips rounded, so the two sounds are very similar.

https://en.wikipedia.org/wiki/Ancient_Greek_phonology#Vowel_...

It seems some varieties of Ancient Greek did have that sound


As far as I know/can see, it was more of an "oo" sound, rather than a ü, but I'm not an expert and you may be entirely correct.


Wasn’t cybernetics a borderline pseudoscience?

I mean read Stanley Milgram’s “Obedience to Authority” (with the actors who pretended to be shocked).

It was fascinating until he got to the theoretical implications. All cybernetic gobbledegook.

I prefer thinking of the “helmsman” of Ancient Greece when I hear Cyber/Kuber.


I prefer ecriminals


Annie are you OK? You've been hit by.. a smooth ecriminal.


Either way, it is still emphasizing the computer aspect, which to me seems incidental to his crimes.


Hacker turned extortionist sounds like a better description of this guy.


But then, if you only criminalised the crime, you wouldn't be able to justify all the intrusion and tracking of people's online lives!

If you want to pass legislation to eliminate people's privacy and justify the fascist governance structure (government + corporations working together) in deanonymising individuals, you have to show that it is special. This is what is really going on - it's not actually some special new type of crime that the law hadn't catered for - that's just what it's sold as.

So, because 'online is the problem' is actually a sales job, the more one heightens the risk of 'online', 'hackers', etc. the easier it is to take everyone's privacy away on account of the perceived threat and the purported fix. People will be happy someone is doing something, given a terrible event (crime) occurred!

The reality is that crimes will always occur; the threats to safety are overblown and already covered by the law; the fix does not materialise as indicated. But if you were sold on the idea (as most are) and thought it would make a difference you will sign up (to less online freedom). It doesn't even matter that this happened in Finland, or whether it even happened at all - as long as people think handing over more control to the governance structure is the solution.

The truth is that you bought into the ostensible excuses. No need to keep making that mistake though!


Yeah, to quote: "Don't Panic! A 'hacker' is different from a 'cracker'"

It's important to keep hammering it.


But on the other hand he is suspect, until convicted (probabilities, who cares, system does not work by probabilities).


Right he is a suspect regardless if it’s for hacking or extortion.

We don’t call him a hacker because he hasn’t been convicted. Your statement seems to miss the point of the parent comment.


What point? That we should not call a convicted extortionist a hacker? I sure agree with you, but we (outsiders) should not call unconvicted (regardless of their previous history) people a hacker or extortionist either.


> we (outsiders) should not call unconvicted…people a hacker or extortionist

Beyond reasonable doubt to take someone’s freedom. Not to privately judge them.


If he ends up not guilty, your not-so-private judgement is defamation.


In the US, defamation requires either knowledge of falsehood or reckless disregard for the truth. It's not reckless disregard for the truth to say someone who's been arrested for a crime did that crime, even if it may be premature.


"alleged extortionist"


Well, it would make people think about spending money on better locks.


That was truly horrible, despicable.

But I personally relate more to the horror the hacker put himself through:

> security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder

> “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,”

What a huge flop! I can recall the feeling myself of publishing things I shouldn't, but the entire home directory, including private keys and everything? I'd die of shame.

Still, really terrible behavior from him, he deserves whatever punishment is coming for him.


Thought the same. Ransom Man aka Incompetence Man.


He doesn't even know how to make his Reddit comments private.


Not the worst superpower to have, but it's up there.


Chapter from my book, about Case Vastaamo: https://ifitssmartitsvulnerable.com/s/vastaamo_excerpt.pdf


So, you get to add another set of paragraphs. Excellent writing by the way.


Actually it was 33000 patients. 22000 have so far made statements to the police:

https://yle.fi/a/3-12543823

The owner of the company tried to sell it a few months later without declaring the data breach to the new owners and has been forced to pay €8M compensation: https://yle.fi/a/3-12479562


22,000 police statements were made?!


Yes - these were probably done online, rather than involving a police station visit, the police have been soliciting for victims:

https://poliisi.fi/en/instructions-to-victims-of-hacking


I thought the problem with Vastaamo was that the CEO was in charge of the mysql database and he was basically a hobbyist that didn't care much for security. (yeah, zero proper sources for that... my level of Finnish is terrible) And then Murphy's law kicked in. A villain nabs the data for free and does his thing.


MySQL server was without any kind of firewall protection for about 1.5 years, and the root account had no password.

https://www.iltalehti.fi/digiuutiset/a/69314f2e-bb1c-4ea0-8a...
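The two weaknesses named in the comment above (a MySQL server reachable from the internet with no firewall, and a root account with no password) are both visible in the server's own configuration and account table. The following audit script is an added example, not code from the thread or from Vastaamo: it parses a `my.cnf` fragment and rows shaped like `SELECT user, host, authentication_string, plugin FROM mysql.user` and flags both conditions. All configuration text, account rows and password hashes below are constructed sample data; the exposed and the hardened variants are shown side by side.

```python
"""Audit MySQL exposure and passwordless accounts (added example, constructed data)."""

# Constructed sample my.cnf fragment: listens on every interface.
EXPOSED_CNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
skip-networking = 0
"""

# Constructed sample my.cnf fragment: loopback only.
HARDENED_CNF = """\
[mysqld]
bind-address = 127.0.0.1   # pair this with a host firewall rule on 3306
port = 3306
"""

# Constructed rows: (user, host, authentication_string, plugin).
# A constructed placeholder hash stands in for a real one.
FAKE_HASH = "*0123456789ABCDEF0123456789ABCDEF01234567"
EXPOSED_USERS = [
    ("root", "%", "", "mysql_native_password"),          # no password, any host
    ("app", "10.0.0.5", FAKE_HASH, "mysql_native_password"),
]
HARDENED_USERS = [
    ("root", "localhost", "", "auth_socket"),            # empty string, but socket auth
    ("admin", "localhost", FAKE_HASH, "caching_sha2_password"),
    ("app", "10.0.0.5", FAKE_HASH, "mysql_native_password"),
]

ALL_INTERFACES = {"0.0.0.0", "::", "*"}
# Only these plugins store a password; auth_socket etc. legitimately have an empty string.
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password", "sha256_password"}


def parse_mysqld_section(cnf_text):
    """Return the [mysqld] options as a dict; '-' and '_' in keys are unified."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, "ON"                    # bare option such as skip-networking
        opts[key.lower().replace("-", "_")] = value
    return opts


def audit_config(cnf_text):
    """Flag a TCP listener that is reachable from every interface."""
    opts = parse_mysqld_section(cnf_text)
    if opts.get("skip_networking", "OFF").upper() in ("ON", "1"):
        return []                                      # no TCP listener at all
    bind = opts.get("bind_address")                    # MySQL defaults to '*' when unset
    if bind is None or bind in ALL_INTERFACES:
        return ["mysqld listens on all interfaces (bind-address=%s); "
                "restrict bind-address and firewall port 3306" % (bind or "<default>")]
    return []


def audit_accounts(rows):
    """Flag passwordless password-plugin accounts and accounts valid from any host."""
    findings = []
    for user, host, auth_string, plugin in rows:
        if plugin in PASSWORD_PLUGINS and auth_string == "":
            findings.append("%s@%s: empty password" % (user, host))
        if host == "%":
            findings.append("%s@%s: may connect from any host" % (user, host))
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("exposed", EXPOSED_CNF, EXPOSED_USERS),
                              ("hardened", HARDENED_CNF, HARDENED_USERS)):
        print(label, audit_config(cnf) + audit_accounts(users) or ["no findings"])
```

The account check deliberately keys on the plugin column: on MySQL 8 a `root@localhost` row using `auth_socket` has an empty `authentication_string` but is not passwordless, so a naive "empty string means no password" rule would produce a false positive there. A missing `bind-address` is treated as exposed because the server default is to listen on all addresses.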


The guy should be in jail with the hacker. That's crazy.


He is getting charged in relation to the case https://yle.fi/a/3-12641083


Jails would not be large enough if everybody that exposed customer data would end up in jail with the hacker.


I think if it did start happening, CEOs and management types would start caring about IT security to avoid being put there.


Liability for the whole software industry needs to be re-thought.

The problem with jailing CEOs is that even if it would work the first couple of times the other possible effect would be that people would do even more to brush their fuckups under the carpet...

The EU has got this right I think: massive fines in case of a breach to the point that the CEOs are starting to pay attention. That certainly isn't perfect but it is a step in the right direction.

Healthcare is particularly vulnerable and I'm always surprised that people in HC seem to think that they aren't a target. This is a huge mistake imo, there is massive blackmail potential in healthcare data.


The problem with the classic "burn the CEO" knee-jerk is that it only leads to security theater.

CEO hires CISO. CISO makes a big splash, and spends a ton of time getting the business certified in various ways, to prove to CEO stuff is being done.

In reality, security remains atrocious at the tactical level, and the company hemorrhages security talent because no one wants to work for clueless assholes.

Ultimately, eventually, breach still happens, CISO falls on their sword, but is fine because they and CEO always knew this is what they were really being hired to do and compensation was engineered around that expectation.

--

What actually works is a gentle, gradual pressure to move to a better security posture (e.g. vaulted credentials, separate security domains, etc.), implemented over time as opportunity allows, preventing new vulnerabilities from being introduced by targeting development processes, and financially incentivizing developers throughout the company to report issues when they find them.


And the audience of hackernews would drop by half.


And anyone not closing their car doors too.


If someone left a car door open with the car full of confidential documents and someone stole them, the person who left the door open would definitely be held responsible.


I don't care what encryption we are using. Therapy notes should always be on paper and locked in the therapist's office. Medical info should have NEVER been digitized.


Vehemently disagree. Stifling progress because of the risks involved isn't worth it, the risks need to be assessed, acknowledged and accounted for.

Digitising medical info is brilliant and extremely useful for anyone involved. Handoff between practitioners is seamless, and no more of the redundant "are you allergic to anything? any priors? are you taking any meds?", because the practitioner knows everything they need to (e.g. your dentist doesn't need to have access to your therapy notes, but should probably know all meds you're taking and all previous dentistry work done on you, whenever and wherever that happened). It would also allow for country-wide anonymous statistical analysis. Oh, everyone taking pill X is also having Y? Is there a problem there? A lot of people getting operated on for A used to do Z, C, so maybe we need a better educational campaign so people know the risks? The possibilities - life saving, medical system improving, etc. - are enormous.

It just needs to be handled with extreme care, because the risks are enormous. Security should be top notch, with strict access controls, anonymisation where needed, etc.


Your parent made a much narrower point than you’re debating: you argue in favor of digitizing general medical info and your parent made the point that therapy notes should be paper-only and locked. The risk/reward tradeoff is different for those than allergies, general medication etc. The information contained is much more sensitive and at the same time they’re much less likely to be passed off between therapists unfiltered and unredacted.

Both digitizing general medical info and keeping specific bits in analog form for safety and security reasons are possible; they are not mutually exclusive.


Parent said:

> Medical info should have NEVER been digitized.

Which I assumed to be talking about all medical info.

> The information contained is much more sensitive and at the same time they’re much less likely to be passed off between therapists unfiltered and unredacted.

Why not?


That ship has sailed years ago.


Yes indeed it has. However, since incidents like this, we can ask practitioners to not do this, or at least not force doctors to digitize records. There are certain things that are just NOT meant to be digitized.


I agree in principle, but at the same time note that patients expect their records to be shared between practitioners, for instance when their regular therapist isn't available they would like the person that takes their place to be immediately up to speed.

The question of whether or not these records will be digitized is no longer germane, it will happen, like it or not. But what can be done is that the systems that are used to store this information pass an external review to ensure that at least the basics required for keeping such critical information safe are met.


Does Finland have a legal doctrine that makes evidence inadmissible in court if it was illegally obtained? I wonder whether law enforcement could use admissions of criminal activity in the released notes as evidence against patients?


There is no blanket provision to make unlawfully obtained evidence inadmissible but the judge must still forbid using any document that was i.a. obtained through a "gross" violation of the person's legal rights. So in this specific case the evidence would probably be inadmissible.


But a violation by the police, not necessarily a violation by a third party.

There was a case in France where the suspect of a murder case fled to Germany which refused to extradite him. The father of the victim organised a kidnapping and left the guy attached in front of a French police station. The father was prosecuted for kidnapping, but that didn't help the alleged murderer who was then arrested and charged.

I don't know what the law is in Finland, but usually medical secrecy only covers specific stuff, and likely not the admission of a crime, unlike attorney-client privilege (which is specifically designed to cover crimes committed).


> But a violation by the police, not necessarily a violation by a third party.

Incorrect. If you are really interested, the rules of evidence are outlined in the Code of Judicial Procedure, Chapter 17. Translation to English is available here: https://finlex.fi/en/laki/kaannokset/1734/en17340004_2019081...

The relevant part here is probably the last paragraph of section 25. It concerns the rules for admitting evidence that has not been given by the person themselves in an official investigation, and which has been obtained unlawfully. It is on page 97 in the linked PDF:

> [...] the court may use also evidence that has been obtained unlawfully unless such use would:

> * endanger the conduct of fair proceedings

> * taking into consideration the nature of the matter, the seriousness of the violation of law in obtaining the evidence

> * the significance of the method of obtaining the evidence in relation to its credibility

> * the significance of the evidence for deciding the matter

> * and the other circumstances.

Namely, considering that these documents were obtained in probably the most heinous possible violation of the person's privacy, it would not be possible for the court to admit them as evidence. That's anyway completely moot, as if it ever became publicly known that a prosecutor or police officer had read any of these documents it would be very scandalous in and of itself.


Indeed as far as Finnish law enforcement is concerned those documents are radioactive except as proof in the current case.


Most likely these documents are protected from prosecutors in the same way they would be without the breach, because the breach does not alter the type of document.


It's not all black & white. In the ANOM case the FBI, through a Swiss cover company, sold criminals "super encrypted" mobile phones.[1] In reality, the phones were backdoored and all their messaging leaked to the FBI. This uncovered several criminal operations in Finland such as drug trafficking rings. The FBI shared this correspondence with the Finnish police.

When the case came to court, the defendants' first action was of course asking the court to suppress all evidence from the FBI because it was obtained illegally, as the criminals obviously had an expectation of privacy in their correspondence, which was illegally violated. The court actually ruled that the messages are only admissible if they pertain to crimes that carry a maximum penalty of at least four years in prison, which is the same threshold that allows Finnish law enforcement to use wiretapping.[2]

[1]: https://en.wikipedia.org/wiki/ANOM

[2]: https://www.hs.fi/kotimaa/art-2000008761772.html (paywalled & encrypted in Finnish)


Communications between a client and a professional (physician, lawyer etc.) generally have specific protections carved out in the criminal procedure of most countries and can't be compared to a random chat app.


In the US, the govt can't use illegal means to obtain documents, but if a criminal's information is exposed by another criminal, it's available to be used.


> I can only imagine the horror felt by the people whose therapy notes were made public.

I might be in the minority here, but frankly I'd be -happy- to actually be able to see a therapist's notes on me. At least in my region, one of the first things you sign before any therapy begins usually contains a paragraph that such notes are 'IP' of the therapist/provider and thus something you as a patient are never allowed to see.


In the EU, at least, you have a right to all information that a healthcare provider holds about you, so either an administrative request or data subject access request will get you that data for free, and without the possibility of it being used against you by third parties.


There is such a right where I live too, but there is an exception: when the release of that information is thought to be harmful to that individual. I can certainly imagine how allowing a paranoid person suffering from delusions to read the unfiltered medical notes of their psychiatrist could be quite harmful. I don't know how often this actually comes up; I read the report of the last psychiatrist I saw in its entirety. They always suggest you shouldn't. Probably right about that. "Subdued affect"? Ouch.


Why is “subdued affect” ouch? Just about anyone who’s depressed or just melancholic has a “subdued affect”.


In what universe would any client agree to this predatory arrangement?


Apparently, America.


There appears to be an excluded middle scenario that you are in fact describing, wherein a patient would be happy to peer behind the curtain at the doctor’s notepad for their own session (but not everyone else’s).

Fewer patients would be happy to see the doctor’s notes for all other patients including themselves.

Fewer still would appreciate having everyone, including non-patients, see not only their notes but all of the other patients in that practice.


Where I’m from we don’t even have to sign anything before therapy begins… much less some weird IP clause. And as another commenter said, such a clause would be invalid anyway.


Sounds like something that would break GDPR


Absolutely heinous


And exactly why a paranoid person like me might abstain from ever seeking counsel from a therapist.

Not worth it


This depends on where you live and what the facility is like, no? At least in Germany, patient records like therapy notes are only hard copy. I don't see why they should ever be digitalized and I'd never go to a therapist or a facility that did have notes in digital form. I'm not particularly paranoid either, I'm just aware of how common it is for companies to be hacked and how rarely they face any consequences for not sufficiently investing in IT security.


Even if something only exists as hard copy today, who knows if it will stay that way. Some new regulation might come along requiring practices to digitise all their records.


>why a paranoid person like me might abstain from ever seeking counsel from a therapist

One of the benefits of therapy that you are missing out on is learning that what you are ashamed of is much less important than the fact that you feel all that shame toward yourself. Everybody else has much they are ashamed of; it's not a big deal.


I don’t know if it would work but you might ask the therapist to have in writing that they will never take records of your sessions except for the bare minimum required by accounting.


A much larger threat than any hacker is a future government using that data to go after people deemed unwanted. Or the current.


So were these files somehow scrubbed from the Internet? Or is people's private info still out there?

It seems the Internet does have a delete button. Has it been used again?


No, you can't get rid of those files, they were uploaded in their entirety to anonymous file sharing services. It's absolutely horrible, and the damage to these people's lives is huge. The degree of lack of empathy that you'd need to have to blackmail the customers of an institution like that is one I have trouble comprehending.


Sometimes I understand hackers from developing countries (not Finland!) in bad circumstances who have a chip on their shoulder against corporations... but this is just as scummy as it gets. This is worse than getting into people's bank accounts IMO. Taking advantage of people who shared their deepest darkest secrets and vulnerabilities with a trusted authority is beyond cruel; it could trigger someone into self-harm or worse. These same hundreds of people will be afraid to open up to their psychologists again. I hope this psychopath is never allowed near a computer again.


That's one of the lowest target crowds I could ever think of... really rotten creativity from this dude.


Thank you for stating the obvious that anyone in this thread would've known had they read the linked article for even just a minute.


Such a summary can be very helpful to disambiguate the subject matter and save me (and I’m guessing many other folks too) the time of reading every article to find out whether it’s interesting/relevant to me.


And you seriously think the State hasn't done this for years, in plain sight, starting the day you were born? You have a lot to learn.


So, how concerned are you with government use, either directly or indirectly, of machine learning?


Context on his most notorious hack: https://en.wikipedia.org/wiki/Vastaamo_data_breach

IMHO Zeekill represents the very worst kind of hacker: a greedy troll script kiddie who knows just enough to cause damage, and doesn't give a shit about the very real human cost.


I’m out of the loop but can you explain how he was able to get documents to therapy patients just by being a script kiddie?

Like, script kiddie to me is trying to DDOS somebody with ping.


Unsecured DB on internet facing server with default password/uid combo.


That is the lowest skill level. The next one up, which still qualifies as script kiddie, is one that uses ready-made attacks and libraries and so on in spray-and-pray style: trying them in every possible place and finding those set up with utter incompetence.


> the very worst kind of hacker: a greedy troll script kiddie who knows just enough

I know it feels good to make fun of and denigrate him, but frankly a worse kind of hacker is one who really knows what he is doing


At least we'd have a possibility of learning something new then.


> Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement.

The bane of every criminal. You only have to make one mistake to get caught and there are many chances to make that mistake.

Many criminals on the run assume they’re smart, but luck plays a big role in getting caught or not…I mean, this guy got caught because of an unrelated case of domestic violence.


Indeed, a lot of criminals think they're smart and that they'll never get caught while they do stupid shit.

An acquaintance of mine tried to dodge his mandatory military service by moving to the neighboring country and would (foolishly) drive to his family across the border every now and then thinking that because Schengen has no borders he would never get caught.

And it worked for a couple of years, until one day when a police car stopped him for a busted tail light and handed him over to the military police.

If you're gonna break the law, you at least gotta be smart and careful about it.


> And it worked for a couple of years, until one day when a police car stopped him for a busted tail light and handed him over to the military police.

Hence the always-true adage: If you're gonna break the law, only break one law at a time, not multiple.


Some variation of not breaking ties with (supposed) friends and family generally is a pretty common theme in people getting their cover blown.


Some Schengen borders have cameras that scan license plates...


Some don't. Almost all do.


> The bane of every criminal. You only have to make one mistake to get caught and there are many chances to make that mistake.

There's a great scene from The Wire where this is discussed: https://www.youtube.com/watch?v=E2Fv-nJCfrk


You only hear about criminals that get caught...


Even if criminals do not get caught, we know they exist when a crime has been committed and we don't know who did it. In fact, there are famous criminals who never got caught. Like the Zodiac killer.

Now, if you manage to hide your crime too...


> "Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary”"

There used to be a user on HN, going by the nickname "ryanlol" [0] who seemed to have (had) good hacking knowledge. Could be the same person, could be not. But they had good comments here and there, was fun to read back then.

[0] : https://news.ycombinator.com/user?id=ryanlol


He got warned by his buddy nachash (loldoxbin) that he should unplug his internet connection if he didn't want to spend time in jail again.

https://news.ycombinator.com/threads?id=nachash

He didn't take that advice.

He's been on HN under a large number of accounts, in particular giving people advice on obtaining alternate identification papers (Romania was mentioned in particular).

https://news.ycombinator.com/item?id=34156119

So much for that I guess.


I assumed that was the "real" Ryan Cleary (LulzSec), not the Finland guy who was impersonating him.


https://stylometry.net/user?username=ryanlol

The first 10 are afaik accurate, the last stopped posting 3 days ago so that's a point of evidence.


The "real" Ryan Cleary hasn't really been online in any capacity as "himself" since his arrest over ten years ago.


That was him: https://news.ycombinator.com/item?id=10846051. He's been posting under various alts since, see the stylometry.net link below. Reading his comment history, unless he was just lying for HN e-cred it seems he was very wealthy. Probably an early BTC user?


> Kivimäki, a 25 year-old... involvement in cybercrime dates back to at least 2008

Whoa. He started at just 11 years old.

Got busted after a domestic violence call, after a night out. Just, a pathetic life.


I don't know if this is ridiculous or sad...

The guy obviously needs psychiatric advice, and "hacked" and then blackmailed a psychiatric institute.

But good job by the Courbevoie police. If it was any city north of Asniere I would have been more than impressed by the changes in our police force, but still, responding quickly to domestic violence even in a rich city is an improvement compared to five years ago. Still nowhere close to Spain, but baby steps.


Fitting that the criminal blackmailing people with their own personal information accidentally uploaded his home folder, including his SSH keys and known_hosts file.


Sounds like karma caught up with him swiftly.


I don't get the logic here. If I had the ability to pull off a sophisticated hack, why wouldn't I sell my skills to, say, a corporation or intelligence agency, instead of trying to grab quick dough and getting caught? Am I stupid enough to believe that I can stay off the radar of state power?


Nothing about this was sophisticated.


I mean the fact it got carried out successfully might say something. I don't know about the tech details though...


Internet exposed DB on a server with default credentials... not much of a hack, no less damaging for that though.


It was not a sophisticated hack. He just happened to find a MySQL server which was left on a DMZ/the public internet with root and no password. Then he just dumped the database to his computer. Basically a script kiddie who thought he was lucky.


People have varying motivations for committing crimes. Highly skilled (or just simply lucky) black hat hackers can potentially make millions, which is far more than governments and corporations will hand over for equivalent activities.


They don't 'make millions' they steal millions. Just like a bankrobber can get their hands on more money than a typical bank will pay to their tellers.


He managed to put his entire /home folder in the leak, which led to his identification. I am not sure I would like someone like him to work for my intelligence agency.


[flagged]


I don't think that's fair to autists.


Definition of a script kiddie with too much time on their hands... I hate people like him. Could've done something good with his life (like getting into info/cybersec!).


Tbf the average infosec job is writing lots of policies, checking to see if people follow them, writing reports, nagging teams to update their outdated dependencies, etc. Of course there are many types of infosec professionals and not all infosec jobs are like this, but I kind of doubt someone like this would be all that happy in an entry-level infosec job.


That's why, despite having some knowledge about infosec, I don't want to make it my job. Pentesting looks like fun, but the real job seems to be about writing reports, applying policies you know don't make sense and not applying policies you know make sense, and if you block something, you get yelled at because you blocked it; allow it and you get yelled at because you allowed it. This is the kind of job where you are given a list of a thousand pieces of software and dependencies, get asked about vulnerabilities, find thousands of them, look at how relevant each one of them is, write a report about what needs to be fixed/updated, get told it is too expensive and that you should find a cheaper solution, and half-ass something that you know is both too little and too much just to fit the allocated budget.


> Could've done something good with his life (like getting into info/cybersec!).

Very likely no, he could not. Being able to harm people does not imply the ability to secure systems. Nor the ability to learn advanced tech, while we are at it. Nor the ability to obey contractual limits if you are on a red team.

And it would be a pretty bad idea to employ a person with such bad judgement in any of those positions anyway.


> like getting into info/cybersec!

I'd argue that's exactly what he did. He's just gone for the Mitnick method.


Mitnick was (is) great at social engineering. This dude is just an a-hole.


Mitnick was an asshole too.


I have some sympathy for Mitnick. My understanding is that most of the damage he caused was due to opportunity cost and direct costs of catching him, at a time when a direct path into a security career was less obvious.


Shame their talent couldn't be used to do good indeed.

Although posts about relatively young hackers who went the rogue black hat route always intrigue me.

I used to be a super curious script kiddie but fortunately found my solace in programming (relatively harmless) scripts for games and private servers that'd only affect virtual economies.

But I also used to stroll gray/black hat forums out of curiosity and always wonder where I would've eventually ended up if I had gone down that path.

Fortunately, I'm in FANG now and make good bucks to never have to consider black hat again.

It's just in the back of my mind: what if ...?


There wasn't much talent involved in this hack. The CEO and solo self-taught developer of the psychotherapy place left a test server running on the public internet with the username and password root / root.


You would probably make more money if you were any good at gray/black hat stuff. Further, if you were less blatantly evil than this individual, you'd probably be able to finagle a slap on the wrist followed by a stable career in civilian street if/when you got busted.

One of the things that you learn as you grow older is that you can't be successful and have a conscience at the same time in this world. Software developers are fortunate enough to be able to scrape out a comfortable existence without stooping too far, but don't kid yourself: the large TechCos that sign our paychecks and buy our startups are not paragons of virtue.


Slight problem though: a slap on the wrist is still a criminal record, and if you're unlucky your 'slap on the wrist' may end up being a much harsher sentence, and if you piss off the wrong person, other kinds of retribution.

Large TechCos can - for now - not be jailed but you can and you will, see TFA.

Less blatantly evil doesn't mean you're going to walk away free, besides, you'll be a blackmail target for life.

Oh, and it is quite possible to both be successful and to have a working conscience.


He's got a real-name reddit account, that's an interesting choice.


He could’ve used that as a decoy while posting bad stuff with a different account.


These are his from a long time ago:

https://camas.unddit.com/#{%22author%22:%22uhx%22,%22resultS...

https://camas.unddit.com/#{%22author%22:%22uhxuhxuhx%22,%22r...

A bunch of IRC logs too:

https://google.com/?q=%22zeekill%22+site%3Apastebin.com

Including one where he basically extorts one of the founders of ImageShack.

He has left quite the trail.


"Kivimäki’s apparent indifference to hiding his tracks" - how come?


He was a literal child/teenager for most of his criminal career.


Why would the records be in a database in the first place? That seems like such a sensitive type of info; at least don't attach real names to them, geez.


where else should they put them


On paper I imagine but I wouldn't know.


Where do you think records were stored before computers were invented?


filing cabinet


I was wondering too what’s the need for over-digitizing everything in psychiatry. Sure, stuff becomes searchable and is easy to archive, but the risks don’t compare with locked-down file cabinets.


Therapists exist in a society where everything is digitized so they don't even think twice about digitizing these records. They aren't tech workers, much less security experts, so they really do this without a second thought.


I don’t think so. Many if not most therapists would likely much prefer only having notes on paper.


> Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

When crimes perpetrated online can affect so many people, can we stop treating them like regular crimes? That's ridiculous.

I might as well defraud as many people as possible before I'm 18 and basically get away with it.


Well, he got away with it so far. But note the 'suspended' bit. That may well come back to bite him now.


Blackhats are notorious for bad opsec.


Blackhats that get caught get notorious...


It’s a losing proposition eventually, even for the ones that don’t. They are competing against significantly more people with significantly greater resources and access. It’s like those hackers that held up the energy company a few years ago and woke up one day to find their anonymous crypto wallets empty. Was supposed to be impossible, but that doesn’t account for America literally owning the internet backbone. Cause enough trouble and they’ll show up at your door. The only protection is state sponsorship (i.e., Russian and Chinese hackers on government payroll).


Limiting scope of activity is opsec


Came here to ask why he is called a hacker when he is clearly lacking in the responsibility and do no harm side. Cracker, Blackhat or script kid...


[dupe]


>hacked the patient files

By accessing a publicly available database server with default authentication details.


did not know Scandinavia could have such trash.


That's racist. Scandinavia (and the Baltic countries, which is where this guy is from btw) has plenty of trash.


It could be nationalist/originist instead of racist, depending on whether they literally thought Scandinavia didn't have such people, or whether they intended to convey that they didn't think ethnic Scandinavians could act in such a way.


Not even ethnic: "culture", the Scandinavian _CULTURE_.

People seeing race/ethnic stuff here are severely mistaken.


Sure let's pretend now it's not about the ugly thing now that I shine a light on it. Thankfully, enough reasonable doubt was left in the wording. I'm sure OP meant geographically for some reason. Maybe they thought you need more sun to become trashy.


There are really terrible people everywhere, luckily in low percentages.


We should stop arresting hackers. We should pay them instead. Not just in officially declared bounty programs with specific conditions but anytime they break something and tell us what and how. This is the only way we can build a reasonably secure digital ecosystem. If we don't, most of us will have their sensitive data leaked sooner or later.


A lot of talented people get paid for white hatting. This guy just really really wanted to earn money as a criminal.

You can also argue that he could have gone the bug bounty route if he could, but didn't have the skills.


The largest problem with this is that when you pay someone for blackmail, there's nothing stopping them from blackmailing you again. Same with extortion, and frankly, same with this guy right in this case. Governments also don't negotiate with terrorists, you might have heard that before. https://en.wikipedia.org/wiki/Government_negotiation_with_te...

except when they do of course.


> We should stop arresting hackers. We should pay them instead.

This is like advocating, "We should stop arresting people for gun violence. We should pay them instead."

The vast majority of these "hackers" just happen to be more handy with the digital equivalent of a gun and have more propensity for crime than your average Joe. Their "tell us what and how" would hardly be worth your time, never mind paying.


>>> “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, ..."

no shit sherlock


Can you please stop posting unsubstantive and/or flamebait comments? You've been doing it repeatedly, unfortunately, and we eventually have to ban such accounts.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

