
This was one nefarious operation by the hacker:

- He hacked the patient files of a psychotherapy center Vastaamo. This included therapy notes for more than 22.000 patients.

- First the hacker blackmailed the therapy center.

- Next he started blackmailing individual patients.

- Finally he released the files online revealing very private information on thousands of patients.

I can only imagine the horror felt by the people whose therapy notes were made public.




I wish we would stop calling these types of people hackers and just call them extortionists. The fact a computer was used to commit the crime really changes nothing about the crime.

If he physically broke in we wouldn't call him a notorious lockpicker.


For real, someone with OpSec at his level (packing his home directory off to the dark web) does not deserve to be called a hacker.


The two are not mutually exclusive: A hacker that steals people's banking info and drains their funds is a hacker and a financial fraudster. Hackers conducting ransomware attacks are hackers and extortionists. The fact that a computer was used to commit the crime is just a detail of how the extortion was carried out.


Right but I agree with the above poster in the sense that the most relevant crime here is the extortion. Hacking can vary in severity from the totally harmless all the way to threatening the lives of millions. Leading off by calling this Hacking fundamentally fails to convey the severity of the crime in this case. "Finland's most notorious hacker" has a much better connotation than say "mass extorter of the mentally ill", don't you think?

The problem is that people are numb to news about "hackers" because often it's some sort of dumb story about some teenager messing around in somebody else's network and a netsec or government bureaucracy overreacting rather than properly securing their network, whereas this case is basically an instance of terrorism. It should not be possible for me to be confused about which kind of hacking story this is from the headline. If I had come across that headline in the wild I would almost certainly have ignored it due to the above.

Other folks in the comments have brought up the term "cyber-criminal", which I think also fails this same test for exactly the same reasons.


Hacking can often simply refer to someone who writes code fast and loose, without care towards readability or reuse. The result usually looks like they were trying to be clever, but really it's just obtuse.


as in "he is a hack"


No, they are mutually exclusive. The word "hacker" originally meant someone enthusiastic about technology, someone who liked to tinker. The media distorted the word to mean "computer-related criminal", but that's a distortion.

The terms "hacker" and "criminal" are as mutually exclusive as "engineer" and "robber". Yes, maybe the robber knows how locks work so she can pick them, but "engineer" implies some level of ethics.


I think "cyber-criminal" is the term in common usage


Yeah, but “cyber” is such a cringe prefix.


It has impeccable pedigree, though: https://en.wikipedia.org/wiki/Cybernetics


Fun fact, the words "cybernetics" and "kubernetes" are different transliterations of basically the same word.


More on this: in French the letter y is written "i grec", or "Greek 'i'".

In the IPA, the sound of the French 'u' or German 'ü' is written as 'y'. E.g. French "tu" -> [ty].

To speakers of languages without that sound, it often gets mapped to the vowel sound in the English word "loose".

So you can see what's happened here, "cybernetics" with the "Greek 'y'" pronounced as French "u" becomes "kubernetes".

I don't know if modern Greek still has that sound.

I love little realisations like this. Sometimes I wish I'd done linguistics instead of computer science.


Modern Greek doesn't have the French "u" sound, I don't know if ancient Greek did. The "υ" in "κυβερνήτης" (cybernetes/kubernetes = helmsman, governor) is pronounced "i", as in "miss".

Incidentally, the word "governor" comes from "kubernetes" as well.


The French "u" sound is just "i" pronounced with your lips rounded, so the two sounds are very similar.

https://en.wikipedia.org/wiki/Ancient_Greek_phonology#Vowel_...

It seems some varieties of Ancient Greek did have that sound


As far as I know/can see, it was more of an "oo" sound, rather than a ü, but I'm not an expert and you may be entirely correct.


Wasn’t cybernetics a borderline pseudoscience?

I mean read Stanley Milgram’s “Obedience to Authority” (with the actors who pretended to be shocked).

It was fascinating until he got to the theoretical implications. All cybernetic gobbledegook.

I prefer thinking of the “helmsman” of Ancient Greece when I hear Cyber/Kuber.


I prefer ecriminals


Annie, are you OK? You've been hit by... a smooth ecriminal.


Either way, it is still emphasizing the computer aspect, which to me seems incidental to his crimes.


Hacker turned extortionist sounds like a better description of this guy.


But then, if you only criminalised the crime, you wouldn't be able to justify all the intrusion and tracking of people's online lives!

If you want to pass legislation to eliminate people's privacy and justify the fascist governance structure (government + corporations working together) in deanonymising individuals, you have to show that it is special. This is what is really going on - it's not actually some special new type of crime that the law hadn't catered for - that's just what it's sold as.

So, because 'online is the problem' is actually a sales job, the more one heightens the risk of 'online', 'hackers', etc. the easier it is to take everyone's privacy away on account of the perceived threat and the purported fix. People will be happy someone is doing something, given that a terrible event (crime) occurred!

The reality is that crimes will always occur; the threats to safety are overblown and already covered by the law; the fix does not materialise as indicated. But if you were sold on the idea (as most are) and thought it would make a difference you will sign up (to less online freedom). It doesn't even matter that this happened in Finland, or whether it even happened at all - as long as people think handing over more control to the governance structure is the solution.

The truth is that you bought into the ostensible excuses. No need to keep making that mistake though!


Yeah, to quote: "Don't Panic! A 'hacker' is different from a 'cracker'"

It's important to keep hammering it.


But on the other hand he is a suspect, until convicted (probabilities, who cares, the system does not work by probabilities).


Right he is a suspect regardless if it’s for hacking or extortion.

We don’t call him a hacker because he hasn’t been convicted. Your statement seems to miss the point of the parent comment.


What point? That we should not call a convicted extortionist a hacker? I sure agree with you, but we (outsiders) should not call unconvicted (regardless of their previous history) people a hacker or extortionist either.


> we (outsiders) should not call unconvicted…people a hacker or extortionist

Beyond reasonable doubt to take someone’s freedom. Not to privately judge them.


If he ends up not guilty, your not-so-private judgement is a defamation.


In the US, defamation requires either knowledge of falsehood or reckless disregard for the truth. It's not reckless disregard for the truth to say someone who's been arrested for a crime did that crime, even if it may be premature.


"alleged extortionist"


Well, it would make people think about spending money on better locks.


That was truly horrible, despicable.

But I personally relate more to the horror the hacker put himself through:

> security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder

> “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,”

What a huge flop! I can recall the feeling myself of publishing things I shouldn't, but the entire home directory, including private keys and everything? I'd die of shame.

Still, really terrible behavior from him, he deserves whatever punishment is coming for him.


Thought the same. Ransom Man aka Incompetence Man.


He doesn't even know how to make his Reddit comments private.


Not the worst superpower to have, but it's up there.


Chapter from my book, about Case Vastaamo: https://ifitssmartitsvulnerable.com/s/vastaamo_excerpt.pdf


So, you get to add another set of paragraphs. Excellent writing by the way.


Actually it was 33000 patients. 22000 have so far made statements to the police:

https://yle.fi/a/3-12543823

The owner of the company tried to sell it a few months later without declaring the data breach to the new owners and has been forced to pay €8M compensation: https://yle.fi/a/3-12479562


22,000 police statements were made?!


Yes - these were probably done online, rather than involving a police station visit, the police have been soliciting for victims:

https://poliisi.fi/en/instructions-to-victims-of-hacking


I thought the problem with Vastaamo was that the CEO was in charge of the MySQL database and he was basically a hobbyist that didn't care much for security. (yeah, zero proper sources for that... my level of Finnish is terrible) And then Murphy's law kicked in. A villain nabs the data for free and does his thing.


The MySQL server was without any kind of firewall protection for about 1.5 years, and the root account had no password.

https://www.iltalehti.fi/digiuutiset/a/69314f2e-bb1c-4ea0-8a...


The guy should be in jail with the hacker. That's crazy.


He is getting charged in relation to the case https://yle.fi/a/3-12641083


Jails would not be large enough if everybody who exposed customer data ended up in jail with the hacker.


I think if it did start happening, CEOs and management types would start caring about IT security to avoid being put there.


Liability for the whole software industry needs to be re-thought.

The problem with jailing CEOs is that even if it would work the first couple of times the other possible effect would be that people would do even more to brush their fuckups under the carpet...

The EU has got this right I think: massive fines in case of a breach to the point that the CEOs are starting to pay attention. That certainly isn't perfect but it is a step in the right direction.

Healthcare is particularly vulnerable and I'm always surprised that people in HC seem to think that they aren't a target. This is a huge mistake imo, there is massive blackmail potential in healthcare data.


The problem with the classic "burn the CEO" knee-jerk is that it only leads to security theater.

CEO hires CISO. CISO makes a big splash, and spends a ton of time getting the business certified in various ways, to prove to CEO stuff is being done.

In reality, security remains atrocious at the tactical level, and the company hemorrhages security talent because no one wants to work for clueless assholes.

Ultimately, eventually, breach still happens, CISO falls on their sword, but is fine because they and CEO always knew this is what they were really being hired to do and compensation was engineered around that expectation.

--

What actually works is a gentle, gradual pressure to move to a better security posture (e.g. vaulted credentials, separate security domains, etc.), implemented over time as opportunity allows, preventing new vulnerabilities from being introduced by targeting development processes, and financially incentivizing developers throughout the company to report issues when they find them.


And the audience of hackernews would drop by half.


And anyone not closing their car doors too.


If someone left a car door open with the car full of confidential documents and someone stole them, the person who left the door open would definitely be held responsible.


I don't care what encryption we are using. Therapy notes should always be on paper and locked in the therapist's office. Medical info should NEVER have been digitized.


Vehemently disagree. Stifling progress because of the risks involved isn't worth it, the risks need to be assessed, acknowledged and accounted for.

Digitising medical info is brilliant and extremely useful for anyone involved. Handoff between practitioners is seamless, and no more of the redundant "are you allergic to anything? any priors? are you taking any meds?", because the practitioner knows everything they need to (e.g. your dentist doesn't need to have access to your therapy notes, but should probably know all meds you're taking and all previous dentistry work done on you, whenever and wherever that happened). It would also allow for country-wide anonymous statistical analysis. Oh, everyone taking pill X is also having Y? Is there a problem there? A lot of people getting operated on for A used to do Z, C, so maybe we need a better educational campaign so people know the risks? The possibilities - life saving, medical system improving, etc. - are enormous.

It just needs to be handled with extreme care, because the risks are enormous. Security should be top notch, with strict access controls, anonymisation where needed, etc.


Your parent made a much narrower point than you’re debating: you argue in favor of digitizing general medical info and your parent made the point that therapy notes should be paper-only and locked. The risk/reward tradeoff is different for those than allergies, general medication etc. The information contained is much more sensitive and at the same time they’re much less likely to be passed off between therapists unfiltered and unredacted.

Both digitizing general medical info and keeping specific bits in analog form for safety and security reasons are not mutually exclusive.


Parent said:

> Medical info should NEVER have been digitized.

Which i assumed to be talking about all medical info.

> The information contained is much more sensitive and at the same time they’re much less likely to be passed off between therapists unfiltered and unredacted.

Why not?


That ship sailed years ago.


Yes, indeed it has. However, since incidents like this, we can ask practitioners not to do this, or at least not force doctors to digitize records. There are certain things that are just NOT meant to be digitized.


I agree in principle, but at the same time note that patients expect their records to be shared between practitioners, for instance when their regular therapist isn't available they would like the person that takes their place to be immediately up to speed.

The question of whether or not these records will be digitized is no longer germane, it will happen, like it or not. But what can be done is that the systems that are used to store this information pass an external review to ensure that at least the basics required for keeping such critical information safe are met.


Does Finland have a legal doctrine that makes evidence inadmissible in court if it was illegally obtained? I wonder whether law enforcement could use admissions of criminal activity in the released notes as evidence against patients?


There is no blanket provision to make unlawfully obtained evidence inadmissible but the judge must still forbid using any document that was i.a. obtained through a "gross" violation of the person's legal rights. So in this specific case the evidence would probably be inadmissible.


But a violation by the police, not necessarily a violation by a third party.

There was a case in France where the suspect of a murder case fled to Germany which refused to extradite him. The father of the victim organised a kidnapping and left the guy attached in front of a French police station. The father was prosecuted for kidnapping, but that didn't help the alleged murderer who was then arrested and charged.

I don't know what the law is in Finland, but usually medical secrecy only covers specific stuff, and likely not the admission of a crime, unlike attorney-client privilege (which is specifically designed to cover crimes committed).


> But a violation by the police, not necessarily a violation by a third party.

Incorrect. If you are really interested, the rules of evidence are outlined in the Code of Judicial Procedure, Chapter 17. Translation to English is available here: https://finlex.fi/en/laki/kaannokset/1734/en17340004_2019081...

The relevant part here is probably the last paragraph of section 25. It concerns the rules for admitting evidence that has not been given by the person themselves in an official investigation, and which has been obtained unlawfully. It is on page 97 in the linked PDF:

> [...] the court may use also evidence that has been obtained unlawfully unless such use would:

> * endanger the conduct of fair proceedings

> * taking into consideration the nature of the matter, the seriousness of the violation of law in obtaining the evidence

> * the significance of the method of obtaining the evidence in relation to its credibility

> * the significance of the evidence for deciding the matter

> * and the other circumstances.

Namely, considering that these documents were obtained in probably the most heinous possible violation of the person's privacy, it would not be possible for the court to admit them as evidence. That's anyway completely moot, as if it ever became publicly known that a prosecutor or police officer had read any of these documents it would be very scandalous in and of itself.


Indeed as far as Finnish law enforcement is concerned those documents are radioactive except as proof in the current case.


Most likely these documents are protected from prosecutors in the same way they would be without the breach, because the breach does not alter the type of document.


It's not all black & white. In the ANOM case the FBI, through a Swiss cover company, sold criminals "super encrypted" mobile phones.[1] In reality, the phones were backdoored and all their messaging leaked to the FBI. This uncovered several criminal operations in Finland such as drug trafficking rings. The FBI shared this correspondence with the Finnish police.

When the case came to court, the defendants' first action was of course asking the court to suppress all evidence from the FBI because it was obtained illegally, as the criminals obviously had an expectation to the privacy of their correspondence, which was illegally violated. The court actually ruled that the messages are only admissible if they pertain to crimes that carry a maximum penalty of at least four years in prison, which is the same threshold that allows the Finnish law enforcement to use wiretapping.[2]

[1]: https://en.wikipedia.org/wiki/ANOM

[2]: https://www.hs.fi/kotimaa/art-2000008761772.html (paywalled & encrypted in Finnish)


Communications between a client and a professional (physician, lawyer etc.) generally have specific protections carved out in the criminal procedure of most countries and can't be compared to a random chat app.


In the US, the govt can't use illegal means to obtain documents, but if a criminal's information is exposed by another criminal, it's available to be used.


> I can only imagine the horror felt by the people whose therapy notes were made public.

I might be in the minority here, but frankly I'd be -happy- to actually be able to see a therapist's notes on me. At least in my region, one of the first things you sign before any therapy begins usually contains a paragraph that such notes are 'IP' of the therapist/provider and thus something you as a patient are never allowed to see.


In the EU, at least, you have a right to all information that a healthcare provider holds about you, so either an administrative request or data subject access request will get you that data for free, and without the possibility of it being used against you by third parties.


There is such a right where I live too, but there is an exception: when the release of that information is thought to be harmful to that individual. I can certainly imagine how allowing a paranoid person suffering from delusions to read the unfiltered medical notes of their psychiatrist could be quite harmful. I don't know how often this actually comes up; I read the report of the last psychiatrist I saw in its entirety. They always suggest you shouldn't. Probably right about that. "Subdued affect"? Ouch.


Why is “subdued affect” ouch? Just about anyone who’s depressed or just melancholic has a “subdued affect”.


In what universe would any client agree to this predatory arrangement?


Apparently, America.


There appears to be an excluded middle scenario that you are in fact describing, wherein a patient would be happy to peer behind the curtain at the doctor’s notepad for their own session (but not everyone else’s).

Fewer patients would be happy to see the doctor’s notes for all other patients including themselves.

Fewer still would appreciate having everyone, including non-patients, see not only their notes but all of the other patients in that practice.


Where I’m from we don’t even have to sign anything before therapy begins… much less some weird IP clause. And as another commenter said, such a clause would be invalid anyway.


Sounds like something that would break GDPR


Absolutely heinous


and exactly why a paranoid person like me might abstain from ever seeking counsel from a therapist.

Not worth it


This depends on where you live and what the facility is like, no? At least in Germany, patient records like therapy notes are only hard copy. I don't see why they should ever be digitalized and I'd never go to a therapist or a facility that did have notes in digital form. I'm not particularly paranoid either, I'm just aware of how common it is for companies to be hacked and how rarely they face any consequences for not sufficiently investing in IT security.


Even if something only exists as hard copy today, who knows if it will stay that way. Some new regulation might come along requiring practices to digitise all their records.


>why a paranoid person like me might abstain from ever seeking counsel from a therapist

One of the benefits of therapy that you are missing out on is learning that what you are ashamed of is much less important than the fact that you feel all that shame toward yourself. Everybody else has much they are ashamed of; it's not a big deal.


I don’t know if it would work but you might ask the therapist to have in writing that they will never take records of your sessions except for the bare minimum required by accounting.


A much larger threat than any hacker is a future government using that data to go after people deemed unwanted. Or the current.


So were these files somehow scrubbed from the Internet? Or is people's private info still out there?

It seems the Internet does have a delete button. Has it been used again?


No, you can't get rid of those files, they were uploaded in their entirety to anonymous file sharing services. It's absolutely horrible, and the damage to these people's lives is huge. The degree of lack of empathy that you'd need to have to blackmail the customers of an institution like that is one I have trouble comprehending.


Sometimes I understand hackers from developing countries (not Finland!) in bad circumstances who have a chip on their shoulder against corporations... but this is just as scummy as it gets. This is worse than getting into people's bank accounts IMO. Taking advantage of people who shared their deepest, darkest secrets and vulnerabilities with a trusted authority is beyond cruel; it could trigger someone into self-harm or worse. These same hundreds of people will be afraid to open up to their psychologists again. I hope this psychopath is never allowed near a computer again.


That's one of the lowest target crowds I could ever think of... really rotten creativity from this dude.


Thank you for stating the obvious that anyone in this thread would've known had they read the linked article for even just a minute.


Such a summary can be very helpful to disambiguate the subject matter and save me (and I’m guessing many other folks too) the time of reading every article to find out whether it’s interesting/relevant to me.


And you seriously think the State hasn't done this for years, in plain sight, starting the day you were born? You have a lot to learn.


So, how concerned are you with government use, either directly or indirectly, of machine learning?



