I wish we would stop calling these types of people hackers and just call them extortionists. The fact a computer was used to commit the crime really changes nothing about the crime.
If he physically broke in we wouldn't call him a nortorious lockpicker.
But I personally relate more to the horror the hacker put himself through:
> security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder
> “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,”
What a huge flop! I can recall feelings myself publishing things I shouldn't, but the entire home directory, including private keys and everything? I'd die of shame.
Still, really terrible behavior from him, he deserves whatever punishment is coming for him.
The owner of the company tried to sell it a few months later without declaring the data breach to the new owners and has been forced to pay €8M compensation:
https://yle.fi/a/3-12479562
I thought the problem with Vastaamo was that the CEO was in charge of the mysql database and he was basically a hobbyist that didn't care much for security. (yeah zero proper sources for that... my level of Finnish is terrible)
And then Murphy's law kicked it. A vilain nabs the data for free and does his thing.
I don't care what encryption we are using. Therapy notes should always be in paper and locked in therapist office. Medical info should have NEVER being digitized.
Does Finland have a legal doctrine that makes evidence inadmissible in court if it was illegally obtained? I wonder could law enforcement use admissions of criminal activity in the released notes as evidence against patients?
> I can only imagine the horror felt by the people whose therapy notes were made public.
I might be in the minority here, but frankly I'd be -happy- to actually be able to see a therapist's notes on me. At least in my region, one of the first things you sign before any therapy begins usually contains a paragraph that such notes are 'IP' of the therapist/provider and thus something you as a patient are never allowed to see.
Sometimes I understand hackers from developing countries(not Finland!) in bad circumstances who have a chip on their shoulder against corporations... but this is just as scummy as it gets. This is worse than getting into people's bank account IMO. Taking advantage of people who shared their deepest darkest secrets and vulnerabilities with a trusted authority is beyond cruel, it could trigger someone into self-harm or worse. These same hundreds of people will be afraid to open up to their psychologists again. I hope this psychopath is never allowed near a computer again.
IMHO Zeekill represents the very worst kind of hacker: a greedy troll script kiddie who knows just enough to cause damage, and doesn't give a shit about the very real human cost.
> Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement.
The bane of every criminal. You only have to make one mistake to get caught and there are many chances to make that mistake.
Many criminals on the run assume they’re smart, but luck plays a big role in getting caught or not…I mean, this guy got caught because of an unrelated case of domestic violence.
Indeed, a lot of criminals think they're smart and that they'll never get caught while they do stupid shit.
An acquaintance of mine tried to dodge his mandatory military service by moving to the neighboring country and would (foolishly) drive to his family across the border every now and then thinking that because Schengen has no borders he would never get caught.
And it worked for a couple of years, until one day when a police car stopped him for a busted tail light and handed him over to the military police.
If you're gonna break the law, you at least gotta be smart and careful about it.
> "Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary”"
There used to be a user on HN, going by the nickname "ryanlol" [0] who seemed to have (had) good hacking knowledge.
Could be the same person, could be not. But they had good comments here and there, was fun to read back then.
He's been on HN under a large number of accounts, in particular giving people advice on obtaining alternate identification papers (Romania was mentioned in particular).
That was him: https://news.ycombinator.com/item?id=10846051. He's been posting under various alts since, see the stylometry.net link below. Reading his comment history, unless he was just lying for HN e-cred it seems he was very wealthy. Probably an early BTC user?
The guy obviously need psychiatric advice and "hacked" then blackmail a psychiatric institute.
But good job by the Courbevoie police. If it was any city north of Asniere i would have been more than impressed by the changes of our police force, but still, responding quickly to domestic violence even in a rich city is an improvement compared to five years ago. Still nowhere close to Spain, but baby steps.
Fitting that the criminal blackmailing people with their own personal information accidentally uploaded his home folder, including his SSH keys and known_hosts file.
I don't get the logic here. If I had the ability to pull off a sophisticated hack, why shouldn't I sell my skill to say a corporation or intelligence agency but instead tried to grab quick dough and got caught? Am I stupid enough to believe that I can be out of the radar of state power?
It was not a sophisticated hack. He just happened to find MySQL server which was left on DMZ/public internet with root and no password. Then he just dumped the database to his computer. Basically script kiddie who thought he was lucky.
People have varying motivations for committing crimes. Highly skilled (or just simply lucky) black hat hackers can potentially make millions, which is far more than governments and corporations will hand over for equivalent activities.
He managed to put his entire /home folder in the leak, which lead to his identification. I am not sure I would like someone like him to work for my intelligence agency.
Definition of a script kiddie with too much time on their hands... I hate people like him. Could've done something good with his life (like getting into info/cybersec!).
Tbf the average infosec job is writing lots of policies, checking to see if people follow them, writing reports, nagging teams to update their outdated dependencies, etc. Of course there are many types of infosec professionals and not all infosec jobs are like this, but i kind of doubt someone like this would be all that happy in an entry level infosec job.
Shame their talent couldn't be used to do good indeed.
Although posts about relatively young hackers who went the rogue black hat route always intrigue me.
I used to be a super curious script kiddy but fortunately found my solace in programming (relatively unharmful) scripts for games and private servers that'd only affect virtual economies.
But I also used to stroll gray/black hat forums out of curiosity and always wonder where I would've eventually end up if I did go down that path.
Fortunately, I'm in FANG now and make good bucks to never have to consider black hat again.
Why would the records be in a database in the first place? That seems like such a sensitive type of info, at least don't attach real names to them geeZ.
> Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.
When crimes perpetuated online can effect so many people, can we stop treating them like regular crimes. That's ridiculous.
I might aswel defraud as many people as possible before 18 years and basically get away with it.
We should stop arresting hackers. We should pay them instead. Not just in officially declared bounty programs with specific conditions but anytime they break something and tell us what and how. This is the only way we can build a reasonably secure digital ecosystem. If we don't, most of us will have their sensitive data leaked sooner or later.
Can you please stop posting unsubstantive and/or flamebait comments? You've been doing it repeatedly, unfortunately, and we eventually have to ban such accounts.
[+] [-] pasiaj|3 years ago|reply
- He hacked the patient files of a psychotherapy center Vastaamo. This included therapy notes for more than 22.000 patients.
- First the hacker blackmailed the therapy center.
- Next he started blackmailing individual patients.
- Finally he released the files online revealing very private information on thousands of patients.
I can only imagine the horror felt by the people whose therapy notes were made public.
[+] [-] bawolff|3 years ago|reply
If he physically broke in we wouldn't call him a nortorious lockpicker.
[+] [-] capableweb|3 years ago|reply
But I personally relate more to the horror the hacker put himself through:
> security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder
> “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,”
What a huge flop! I can recall feelings myself publishing things I shouldn't, but the entire home directory, including private keys and everything? I'd die of shame.
Still, really terrible behavior from him, he deserves whatever punishment is coming for him.
[+] [-] mikkohypponen|3 years ago|reply
[+] [-] helsinkiandrew|3 years ago|reply
https://yle.fi/a/3-12543823
The owner of the company tried to sell it a few months later without declaring the data breach to the new owners and has been forced to pay €8M compensation: https://yle.fi/a/3-12479562
[+] [-] momeunier|3 years ago|reply
[+] [-] x98asfd|3 years ago|reply
[+] [-] closewith|3 years ago|reply
[+] [-] to11mtm|3 years ago|reply
I might be in the minority here, but frankly I'd be -happy- to actually be able to see a therapist's notes on me. At least in my region, one of the first things you sign before any therapy begins usually contains a paragraph that such notes are 'IP' of the therapist/provider and thus something you as a patient are never allowed to see.
[+] [-] jnsie|3 years ago|reply
[+] [-] pyuser583|3 years ago|reply
It seems the Internet does have a delete button. Has it been used again?
[+] [-] neither_color|3 years ago|reply
[+] [-] agumonkey|3 years ago|reply
[+] [-] Slighted|3 years ago|reply
[+] [-] moremetadata|3 years ago|reply
[+] [-] rippercushions|3 years ago|reply
IMHO Zeekill represents the very worst kind of hacker: a greedy troll script kiddie who knows just enough to cause damage, and doesn't give a shit about the very real human cost.
[+] [-] boeingUH60|3 years ago|reply
The bane of every criminal. You only have to make one mistake to get caught and there are many chances to make that mistake.
Many criminals on the run assume they’re smart, but luck plays a big role in getting caught or not…I mean, this guy got caught because of an unrelated case of domestic violence.
[+] [-] ChuckNorris89|3 years ago|reply
An acquaintance of mine tried to dodge his mandatory military service by moving to the neighboring country and would (foolishly) drive to his family across the border every now and then thinking that because Schengen has no borders he would never get caught.
And it worked for a couple of years, until one day when a police car stopped him for a busted tail light and handed him over to the military police.
If you're gonna break the law, you at least gotta be smart and careful about it.
[+] [-] ilovecurl|3 years ago|reply
There's a great scene from The Wire where this is discussed: https://www.youtube.com/watch?v=E2Fv-nJCfrk
[+] [-] namaria|3 years ago|reply
[+] [-] potrebitel|3 years ago|reply
There used to be a user on HN, going by the nickname "ryanlol" [0] who seemed to have (had) good hacking knowledge. Could be the same person, could be not. But they had good comments here and there, was fun to read back then.
[0] : https://news.ycombinator.com/user?id=ryanlol
[+] [-] jacquesm|3 years ago|reply
https://news.ycombinator.com/threads?id=nachash
He didn't take that advice.
He's been on HN under a large number of accounts, in particular giving people advice on obtaining alternate identification papers (Romania was mentioned in particular).
https://news.ycombinator.com/item?id=34156119
So much for that I guess.
[+] [-] rdl|3 years ago|reply
[+] [-] costco|3 years ago|reply
[+] [-] rendall|3 years ago|reply
Whoa. Just 11 years old he started.
Got busted after a domestic violence call, after a night out. Just, a pathetic life.
[+] [-] orwin|3 years ago|reply
The guy obviously need psychiatric advice and "hacked" then blackmail a psychiatric institute.
But good job by the Courbevoie police. If it was any city north of Asniere i would have been more than impressed by the changes of our police force, but still, responding quickly to domestic violence even in a rich city is an improvement compared to five years ago. Still nowhere close to Spain, but baby steps.
[+] [-] ed25519FUUU|3 years ago|reply
[+] [-] hnthrowaway0315|3 years ago|reply
[+] [-] Hamuko|3 years ago|reply
[+] [-] Anonasty|3 years ago|reply
[+] [-] Slighted|3 years ago|reply
[+] [-] maeln|3 years ago|reply
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] xwolfi|3 years ago|reply
[deleted]
[+] [-] spyremeown|3 years ago|reply
[+] [-] bawolff|3 years ago|reply
[+] [-] zoover2020|3 years ago|reply
Although posts about relatively young hackers who went the rogue black hat route always intrigue me.
I used to be a super curious script kiddy but fortunately found my solace in programming (relatively unharmful) scripts for games and private servers that'd only affect virtual economies.
But I also used to stroll gray/black hat forums out of curiosity and always wonder where I would've eventually end up if I did go down that path.
Fortunately, I'm in FANG now and make good bucks to never have to consider black hat again.
It's just in the back of my mind: what if ...?
[+] [-] kzrdude|3 years ago|reply
[+] [-] grugagag|3 years ago|reply
[+] [-] jcq3|3 years ago|reply
[+] [-] sourcecodeplz|3 years ago|reply
[+] [-] bilekas|3 years ago|reply
When crimes perpetuated online can effect so many people, can we stop treating them like regular crimes. That's ridiculous.
I might aswel defraud as many people as possible before 18 years and basically get away with it.
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] joemazerino|3 years ago|reply
[+] [-] pasiaj|3 years ago|reply
[deleted]
[+] [-] Hamuko|3 years ago|reply
By accessing a publicly available database server with default authentication details.
[+] [-] sylware|3 years ago|reply
[+] [-] qwerty456127|3 years ago|reply
[+] [-] m00dy|3 years ago|reply
no shit sherlock
[+] [-] dang|3 years ago|reply
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.