While publishing the data, he also published part of his home folder (containing his personal files). Although he cancelled the torrent before anyone could download the full version, the partial torrent could still have data extracted.
There was a TV show I watched 30 years ago already, NYPD Blue. When a criminal clearly abused children, Detective Andy Sipowicz, "a drunken, angry, racist goon with a heart of gold", would smack the perp around a bit, while his partners looked the other way. Somebody committed suicide because of this hack and extortion. That is a tragedy. How the tens of thousands of people on whom extortion was attempted felt, how can you even measure that? Don't you think that there is a bit of grey area in a case like this?
He made a crontab task to create a vastaamo.tar file from all of the files that had been randomly published so far. The mistake was that the command for creating the tarball was the wrong command and only worked accidentally in his tests because he was running the command from a specific directory.
tar cvf /var/www/html/vastaamo/vastaamo.tar . -C /var/www/html/vastaamo --exclude vastaamo.tar
Once he added the command to crontab, the command was executed from the root user's home directory and it created a 7.5 GB tarball before running out of space on the server two minutes later. The server didn't crash but started malfunctioning, as for example no logs could be written on disk. The police found that the maximum time that anyone was able to download the tarball was 1 hour and 41 minutes before the Tor service had stopped responding.
The admin of the server logged back in about 10 hours after the tarball was created and tried to figure out how many downloads of the tarball had been made, but because the server had no space left, there was really no way to get a realistic picture of the situation.
The previous sentence seems to be saying that the mistake was he dumped all of the therapy notes to the dark web anyway - likely linking him to some user profile or IP/crypto address in there that he was already known to assume. No need to jump to nefarious conclusions here. This guy seems arrogant and was already well known to law enforcement it appears.
edit: saw the sibling comment explaining what happened. even dumber than I had imagined.
"But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence."
“The boss of Vastaamo, Ville Tapio, was also convicted of failing to protect his customers' sensitive data.
Investigations found that the databases were vulnerable and open to the internet without proper protections.
He was given a suspended three-month prison sentence last year.
The company which was once a highly regarded and successful business in Finland collapsed after the hack.”
And in my city an IT worker left a laptop with the encrypted health records of approximately a quarter million people in an unlocked car where it was promptly stolen.
That's a quarter of a million people who never explicitly consented to their records being digitized in the first place given to someone who they've never met for them to just leave it somewhere to be stolen.
That's the difference in scale and consent of a digital record system and a non-digital one.
While unauthorized access to therapy notes is bad, I think there's a difference in scale.
You probably don't bring all of your notes from your whole practice with you on the train to lose. If you do bring some of your notes with you and leave them on the train, there's a good chance they will be returned without being accessed by the returner, or be collected as trash, again with no access. Even if there is some access, it's less likely that they'll be widely distributed, because they'd need to be digitized or otherwise copied first, and that's a lot of effort.
If the person who picks up your notes on the train is nefarious or even maybe just curious and happens to know the people in your notes, there's potential for negative outcomes for your patients, but IMHO, the probability of a negative outcome for patients given an incident of unauthorized access is lower with paper records than digital records. I don't know if I can really opine on the probability of unauthorized access --- digital records open up the possibility of more effective controls on access than a filing cabinet; you can't audit which records were read when an authorized person opens a cabinet to get some records and looks around at others.
The likelihood of patient files being found on a train and mass exploited are really low. Most people would either try to do the right thing or just trash them. The average train rider isn’t looking to ruin someone’s day.
The same cannot be said for the average unprotected database scanner.
I asked a potential MD, politely, to "please remove your iWatch and iPhone, at least during our initial consultation..." and was met with an immediate retort of "being paranoid."
The recent controversies about online (and even genAI) psychotherapy have largely left many to suffer unaided, out of fear of hacking or selling of their most secret of secrets.
I don't know that it's going to matter too much, in the end? There's a plethora of other "metadata" surrounding a patient's encounter with the therapist that isn't therapy notes, enough such that you can probably infer a good deal of what might be in the notes from the metadata. E.g., things like their reason for even engaging the therapist in the first place is probably basically the thesis for most of the session & notes. Enough to extort the person, I think.
Sure, then pedantry - Digitized therapy notes are a bad idea, while "digitized" generally continues to mean some bucket-of-stomach-fluid EMR vendor's obtuse SaaS (Software Augmented with Arbitrary Surveillance) webapp running on SaaS Google Ads Chrome on top of SaaS Microsoft OG-negligence Windows.
It's like if "automobiles" all had cell modems in them, ran some minimum viable functionality Swiss cheese security embedded software, could be remotely controlled from the Internet, and the only things keeping mass destruction at bay is the lack of documentation and the fact that individual humans generally don't want to hurt one another. uh, maybe I need a different example.
> It's like if "automobiles" all had cell modems in them, ran some minimum viable functionality Swiss cheese security embedded software, could be remotely controlled from the Internet, and the only things keeping mass destruction at bay is the lack of documentation and the fact that individual humans generally don't want to hurt one another. uh, maybe I need a different example.
And nobody outside of Hacker News cares about any of that. All they care about is getting from point A to point B, never mind that ~1,300,000 people are killed by crashes every year and that we're poisoning our planet with them[1].
It's possible that I chose them as an example deliberately and cynically, as opposed to pedantically.
---
[1] Both of which are far more pressing concerns than some Martian super-hacker pwning my car, but it's all worth the convenience of not having to get into a bus, or on a train.
You have a therapist? That must be nice, there's a shortage of them, none of them are taking new patients, and they can charge whatever they want, and use whatever tools they want.
Anyone aware if there are any provisions under Finnish law for the detention of the defendant to be extended past half the sentence duration? For instance, bad behavior while inside has been cited as justification in other regions.
Went bankrupt. CEO got three months of suspended sentence and had to return the millions he made selling shares of the company after the data breach but before it was known publicly.
> a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats
> Kivimäki has been sentenced to six years and three months in prison
Well I guess see you in six years and three months for the next round of crimes.
Not to mention that Finnish prisons are relatively livable. They get TVs, access to lots of reading and education materials, and proper assistance with reintegration.
Someone who blackmails 33,000 people should receive 33,000 consecutive sentences for blackmail. Why even consider letting someone who uses technology to amplify how much damage they can do to society to such an extent back out?
The police report had three screenshots of Hacker News discussions where he had participated. His nickname was redacted (as were all others), but the screenshots are for:
Not sure how legal it is to share it around, but you can find it online if you can do some web sleuthing in Finnish. Or if you're Finnish, you can just order the docs directly from the police for a fee.
Yet, as far as I can see, no facts have been posted. Just 1 random person saying "it's this guy", and 2 other random people saying "believe me, it is lol".
>> Zee/"ryanc" has indeed been involved in things like these for many years. HTP (Linode + much more) is just a small part of it.
>> I'm also very surprised it's taken this long for him to be arrested. He's completely brazen and has committed countless crimes despite knowing full well the general public and law enforcement know exactly who he is.
ryanlol responded:
> Just because someone knows who I am does not mean that'll matter when it comes to proving things in court, which in real life isn't as easy as one might imagine.
> PS: Want to read some of his Hacker News comments? Usernames are ryanlol, FDSGSG, rosnd, rosndo, prvit, lfodofod, ryanl0l, bbbbb5, gggggg5 (which stopped posting right after his arrest).
While Krebs has more weight than a random HN person, he has a poor record in this department and has doxxed innocent people before [1], and people he doesn't agree with out of spite [2]. So, yeah... Not holding much weight with me.
“After his attempt to extort the company failed, he emailed patients directly, threatening to reveal what they had told their therapists.
At least one suicide has been linked to the case, which has shocked the country.“
I don't know the Finnish equivalent of this but this is in the neighborhood of negligent homicide in the US. An enterprising prosecutor could probably make a decent case for 2nd degree murder.
This is very clearly in "spend somewhere between 1 and 2 decades turning big rocks into little rocks" territory to my punishment-focused American lizard brain.
This definitely sounds more like it and I am happy to be this week's example of why non-lawyers shouldn't speculate about what a particular crime is or is not :)
What he did is reprehensible. But comments like this are emotively loaded and provoke the ongoing debate around the purpose of jail term. In my opinion, even this length of sentence has a high chance of producing a hardened, bitter criminal with hacking skills.
> even this length of sentence has a high chance of producing a hardened, bitter criminal with hacking skills.
You present this as an argument for a shorter sentence. But from another perspective, it's an argument for never letting him out.
Prison isn't primarily meant to rehabilitate; you are almost certainly right that it will do the exact opposite in this case. Its power to deter is also limited. But what it can do, if we are simply willing to use it for that purpose, is contain dangerous people and prevent them from harming others again by simply not giving them the opportunity to do so.
> Prison isn't primarily meant to rehabilitate; you are almost certainly right that it will do the exact opposite in this case.
Prisons are meant for rehabilitation in Finland, where the case was decided. And the system maintains a lower recidivism rate than the US with a lower incarceration rate + less crime.
It is an argument, although that might count as unusually cruel or disproportionate for a crime like this. Even murderers in Finland are typically pardoned and released after 12-15 years.
> Even murderers in Finland are typically pardoned and released after 12-15 years
What about serial murderers? The damning part—to me—isn’t the crime per se but the repeat offenses.
The Finnish system is famously good at rehabilitating criminals. But what do you do with the edge cases? (I guess our system, which excels at incapacitation and retribution, has its edge cases in the unjustly imprisoned. Put that way, having the edge default to letting out a few incurable criminals from time to time might be the fairer solution.)
> While the maximum prison sentence in Norway is 21 years, the law was amended in 2002 so that, in rare cases, sentences can be extended indefinitely in five-year increments if someone is still considered a danger to the public.
> Put that way, having the edge default to letting out a few incurable criminals from time to time might be the fairer solution.
Blackstone's ratio[0]
He's a scumbag, but the folks that didn't secure that data were also complicit (although unintentionally). I know that the company went belly-up, but I'd suggest the company that wrote and sold the software also shares culpability, as they likely sold it as some kind of magic beans.
There's really no substitute for not collecting the information in the first place, but in this community, that's heresy.
Not looking to argue directly about the punishment, but I think it's quite clear that this individual is ALREADY a hardened, bitter criminal with hacking skills and needs no assistance on that score.
Under Finnish law he isn’t - his prior crimes were a long time ago (caught anyway), and largely afaict while he was a kid. Most countries don’t treat children as adults, and in many - as here - crimes committed as a child get cleared.
I get that if you’re used to the US criminal justice system you believe the goal is to punish people as long as possible - with a side order of slave labor and electoral disenfranchisement - but all of the statistics show that that policy has worse outcomes across the board. It has higher costs, higher rates of recidivism, and lower trust in the judicial system - which encourages an us vs them mentality that further increases crime rates. Not to mention that if a child spends a decade in prison they’re coming out the other end with little to no ability to earn a non-crime living afterwards.
Other criminals can teach him how to not get caught or recruit him into larger organizations. Prison is like a startup incubator for gangs. When you put a bunch of people with similar interests in one place it's a great networking opportunity.
> From a post war crime boom and relatively high incarceration rates, Finnish prisons have emerged to be counted among the most humane correctional facilities in the world and yet, recidivism is very low compared to international standards.
Sounds similar to that of Norway which is known for its kind/compassionate treatment of prisoners.
Removing people from society is what we do when they do these kinds of terrible things to others. 6 years of removal isn't enough. The debate you refer to is a separate thing.
This sounds a little like an appeal to tradition, unless I'm misunderstanding you. Removal from society is absolutely one of the intended purposes of prison, but as with all traditions it must be open to challenge and debate.
Rehabilitation is all the rage around these parts, but there are other reasons for prisons. One of the purposes of prison is to protect the public from dangerous people. Another aspect is the instructive element; you send a message to the rest of society about what kind of behavior will or won't be tolerated.
This man should be executed. It would be a fitting punishment for both of those reasons and more. He caused at least one suicide and victimized tens of thousands. This is a crime that calls for the death penalty.
> Asked about it today, Kivimäki denies posting as ryanlol, though that contradicts his admission in a police interrogation submitted at his trial—and is hard to square with a 2017 post in which ryanlol detailed a personal rap sheet including “50,700 counts of aggravated unauthorized access to computer systems.”
> We modern first world nations have regressed as a civilization to only be able to offer fines and jail time to people for their crimes, and can only speak in the language of rehabilitation and restitution
The alternative is what, state sanctioned torture? Or are you suggesting that we need way more capital crimes?
But it was a mistake that the hacker made himself that led police to a treasure trove of information found on a server that Kivimäki owned.
Unprecedented digital forensics and cryptocurrency tracking also helped secure the conviction.
What mistake did he make?
Was incriminating evidence found on that server?
Is there any direct evidence Kivimäki did it?
The use of "unprecedented" is worrying, and extremely vague.