Episode: 1424
Title: HPR1424: ohmroep hpr live mini, 03-08-2013, Censorship and Hacking in the Netherlands
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1424/hpr1424.mp3
Transcribed: 2025-10-18 02:08:37
---
NIDO has arrived. NIDO is going to be making this podcast even more interesting because NIDO is on the early morning radio show making a mini edition of Hacker Public Radio at 5 p.m. or maybe half past four. That would be even better. How many version of the HPR for your talk edition? Yes indeed. So that's a good plan. Yes, hello. Welcome here to the early morning edition. Hello and welcome here to the early morning edition to Hacker Public Radio live at OHM 2013. I'm here. I'm NIDO media and I'm here with Brenno de Winter. Hello. You are here on the event as a volunteer. You're also here on the event as one of the core organizers. You're even one of the press relations here just as I am with the Hacker Public Radio. But the reason why I wanted to talk to you for a moment is because you also are one of the speakers here. Yeah, it's just just pick a wristband and at the moment you're even the police force of four years ago and you're here for just one day. But let's forget that for a moment. Let's talk a bit about your talk which you had last Friday, right? Yes indeed. Last Friday I spoke about censorship in the Netherlands and things that the Dutch system will do to you at the moment when you are basically expressing yourself in a way that the Dutch government just doesn't like. If you're critical or if you showed shortcomings, they will come after you. Shortcomings? For instance, take a journalist like Alberto Stegeman. He is an investigative journalist and he got prosecuted for showing that the Dutch airport Schiphol is very unsafe and he could get access to the plane of the Queen instead of saying thank you or the way of saying thank you was he got prosecuted and there was an appeal. He was acquitted.
Then they took a tiny little detail of the case to the Supreme Court for more clarification and that tiny part of the case has to be redone now in appeal. Now this all happened in 2007. So just imagine how long he is down the road with this whole story and how much money it will cost you in lawyer fees etc. Basically for nothing more than showing that the international airport Schiphol is not a safe airport. It's very interesting. I've heard about this case from if I'm mistaken please correct me but from what I heard what he basically what he did was he walked up to the he found out through various means mostly the internet where the plane was located and then he basically just walked there put his hand on it, made a picture and walked away. Well he filmed there actually he had actually hidden a camera there and the thing he got onto the airport with a fake badge fake ID card belonging to the airport I believe to KLM and basically nothing was checked so when his colleague was driving with the fake KLM card which was not his he was in the back of the car in the trunk and they didn't bother to check and he found it out by consistent observation of the airport and how they didn't do their job with all the observations nobody bothered to to come to him so the airport here was at fault and and where we have to you know go through these draconian measures he just got into the airport and then he got prosecuted ultimately yes I got prosecuted myself for showing that the Dutch transportation card wasn't safe for four years I've been doing research writing many articles many articles also that the Dutch state was lied to by the company that built this card and they made all sorts of promises when it turned out that card could be hacked they made all sorts of promises and they were all lies they were simply not true and I showed that and when I did that at that point basically I was told to come to the police and was facing six years in prison for me as a journalist do all my
work so yes what did they charge you with if I may ask they charged me with hacking and they charged me with having tools to hack and they charged me with manipulating a value card ultimately to my aid came the European Court of Human Rights because they had early verdicts that forbid the state to prosecute a journalist under certain conditions and then and the certain conditions and then basically that that that was the end of the case so I never had had to go to court but Stegeman did. Henk Krol, a digitally illiterate person who is a member of parliament that is also a journalist showed that a medical system was failing and it was showing medical information and it was only protected with five numbers and the password was the same five numbers and then the the public prosecutor called that top-notch security so five number pin card is a top-notch security system in the Netherlands now for the this the public prosecutor's office apparently it is and they thought that that there was not a reason to hack the system and the court disagreed but he hacked the system twice to show to a television system and he was convicted for the second hack not the first hack but for for the second hack so the time when he went to the to the to the broadcasting stations and he said like I can do this and it works like that and then when they had a camera on it you should have gotten the camera in the first place so it it's a strange case and there was room for a bill definitely he was clumsy but my point is why would you bother to go after him why would you do that it's just not it is not just not relevant enough it's a good question I'm afraid I can't really give you an answer which which would satisfy which would satisfy you in that regard no and and it sends the signal that if you find a bug in a system and you go public or you approach somebody that the public prosecutor will say thank you by ruining your life if you are convicted in the Netherlands you will not be able to do a
lot of jobs you need a certain declaration of no obstruction and a criminal conviction would definitely be one of those assumptions so you ruin a lot of people's lives and especially if you look at hackers many of them are young people they make little mistakes they they are sometimes little bit too wild and when you go with the full force of the of the government and I I stopped calling government government but state then basically you you send out a wrong signal don't talk about this this is and it to me it freedom of speech showing something that is not correct is part of freedom of speech and I'm not the only one with this opinion also the international court of human or the the European Court of Human Rights sides with that vision so it's it's strange not not to not to let these youngsters do their thing and applaud it you know and even if they make small mistakes be a little bit more forgiving you know they they do it in good faith in good intentions don't be don't be too negative about it that that's one of the things that I said and the other thing is they did try to make a process called responsible disclosure and responsible responsible disclosure and I believe you have talked about this on other app sorry you thought about this talked about this in other episodes and yes yeah we there's probably an episode or it or I will make sure there will be one on the later time responsible disclosure basically means that you can go to a company or to an organization say like okay this and this is your problem this and this is how I found it out and they may agree not to press charges against you that's basically what the document states and then they give some guidelines where what you you should be looking at and one of the things is you cannot try something multiple times one of the other things you cannot do is social engineering or brute force attacking and the strange thing is that those technologies are really or techniques more are really needed
to to basically you know show that there's something wrong they are the basic forms of attack most of the times and brute force attack that's that's that is the reason why everybody's telling you don't use short passwords because hacker or a cracker somebody who wants to get into your account well he can just try it a million times it doesn't matter to him he has the resources and he just needs to wait until he has guessed right password and that's the way you can get it that's and that's one of the biggest problems within security of course there are systems which are which are hardened against such kinds of attacks there are techniques you can do to protect against those kinds of attack vectors but I must agree with you they're seldom in use. Now come to come to the worst part of this document it is totally voluntary so there's no guarantee that things in practice will work this way and even if a company says we'll stick to the responsible disclosure agreement the justice department may still come after you so you might still end up in prison even if you show a data leak and it's not me saying this the public prosecutor rushed to Twitter to announce that so it's been announced that that they will come after the good willing hacker and they need to do so because there are statistics on how they fight cybercrime and not really that good and in major cases you see them fail so that's my Facebook and hopefully it's a response of one of the speakers that we want to talk to later on but let's stick to the radio and like what that okay no no problem well to go back a bit what you mentioned earlier you yourself had hacked the OV chip card and you told me you had a conviction or not a conviction yeah they dropped a charge yes a charge but one of the charges was hacking can you tell me what a charge of hacking means in the Netherlands because we had a few weeks ago on the Hacker Public Radio we had a discussion about what actually is hacking and we were there for I believe two
hours and we agreed that we can't really give you a definition which counts for hacking in general but we can only could only get something which counted for the for the for the Hacker Public Radio group so we're not even we're not even we're not we're not even sure of what hacking means within the community at large what's the charge of hacking mean it's manipulating a system in the way it was not intended to basically and the system is anything that basically has a microcontroller in it at this point they want to make it even broader so that's that's the creepy part they want to even go further than this but so far it's it's basically anything so for instance let me give you an example please if you read the the the the text of the law well and you take a cell phone you're filming on the street policeman comes by and this happens sometimes in the Netherlands and policeman picks up your phone stops the filming and deletes the the the filming that would be hacking already because he's manipulating the device in a way that I didn't want him to do that so you would be the one who was hacking in that particular case the the policeman would be hacking okay okay since you brought in the policeman I was just making sure how extreme the Dutch law is it's it's people think of the Netherlands as a pretty liberal nation and I tend to disagree with them it's it's it's a very broad definition so basically with anything with a microprocessor if somebody showers I don't want that that would be hacking and I want times and one time had somebody who wanted to pick myself when they discovered I was filming something they shouldn't be doing and then when he he grabbed my phone that will be theft with violence that will be good up to 12 years in prison by the way but let's not talk about that and he his finger went to the camera and I said to him if you are going to touch this camera I will press charges because you're hacking then and the guy got so afraid that he left the camera
with a face up so every time when he was moving over it you could see his face and I had perfect evidence of what he did and he shouldn't have been though have been doing etc so that that that's pretty funny so it's a very broad definition so you're easily violating this what I did was basically manipulate the system where the card had the chip in it mm-hmm there's the OV chip card let's let's go a bit into the OV chip card what's what's what's the deal with the OV chip card we've done a bit about it but let's let's just go well let's let's do this this the fast version what can you do with the OV chip card it's a public transportation card similar to the one being used in London and basically the same as being used in Boston a couple of years ago and I believe Bart in San Francisco uses the same it's a MIFARE Classic chip that has been cracked already in 2008 politicians were as usual techno optimists so totally in denial of the problem but very very aggressive moving forward with the project and at a certain point there was this hearing in parliament where a professor of cybersecurity into sorry digital security said this is basically an open wallet and then the politicians that invited him called him overly negative so there you have it you know it's it's kind of strange and at that point I decided there will be a day that I will be traveling on this this hacked card and I did so in 2011 when there was already one criminal case of somebody who did it and there was also software available for Windows that made it very easy to do so so what I started to do I hacked a transportation card basically could you could you describe the process rather than say to I hacked because it's very simple what I did was I bought a card I put five euros on it legally and then basically you placed it on on an RFID reader sorry no I could I could already MIFARE no yeah no it is already I'm getting tired here at OHM I guess and then you try the thing is with the card you have to
authenticate against the card so the card will tell you if you had the correct one the correct code or not so not the card is authenticating again towards the system it is the other way around so you can try indefinitely all combinations in that's what what the system basically does and because of many flaws this process doesn't take more than 45 minutes and then you get all keys that are on this card it's a 4k card with I believe 20 keys and those are called A keys and 20 B keys and the B keys are for writing and the A keys are for reading and as every IT person knows that's a stupid difference because if you want to write you have to be able to read yes so I found that out and then I realized okay I only need half of the so the software was open source so with a small adjustment that worked for me as well and then then at the certain point I started basically traveling on it by changing the value on the card and then I realized when I was doing that I don't want to change the value if I'm in the train for instance I want the train conductor to believe that I checked in yes because you need to check in and then maintain to check out and then the system will calculate how much money you have to pay yes and of course half of the time the poles don't work so you need to check in except on so you need to go to the next station then you need to run out of the train go all the way to the entrance of the station leave your card and then go back and maybe if you're lucky then he says okay it's okay exactly it's it's a hassle and so how did you fix that problem well I altered the state of the card where I was not checked in to I am checked in and if you are checked in the train conductor won't look any further okay so it's basically a binary value I'm inside the system no no no it's more than a binary value because you also have to add the train station at the code and the time that you checked in well I made with friends I made a little program to do so put it on the
card and let the train conductor have his way he thought that I checked in I knew I didn't so basically that you have it and the whole system basically fell apart on that then I went public with the story and I did it in two ways first I told that I could change the value of money on the card and this was a big bang this was opening of all the news everybody was talking about it I was in Amsterdam got on a tram the tram conductor wouldn't let the tram drive before he could shake my hands to thank me this was people were crazy and there was this emergency debate in parliament that would take place two weeks later then the following morning I came like why would I check in if I can check myself in and I show that on television and now the debate was moved backwards to the day the day after so that was on Thursday and if when anything was a debate of about the war in Afghanistan was moved aside for this debate it they were dead nervous so they talked about it they decided not to introduce the card and then later on they decided okay we'll move ahead because the chance that people are abusing it is really low now the interesting thing to know is that the card readers within two days were sold out in the entire Western Europe hemisphere and parts of the US so and then the politicians were like well we don't know if people are abusing the flaws because the software was really out there you know I had more advanced software because because of little changes that you made for one part but in general you know if you were a little bit patient could wait for 45 minutes then basically you have a correct card and the correct card basically means you have control over how much much money is on the card and whether you are checked in where you checked in and at what time yes and one of the one of a friend of mine without telling me when he realized that the debate had moved moved to the day after he was with somebody in the pub and they said like okay they don't get the real
issue here this is the criminal business case where people can abuse it so what they did they made a website called over chipcard discounted.nl and they made a fake and phony web shop where you could order cards and then somebody tweeted me hey Brenno have you seen this during the debate so I was like what the fuck and I hadn't got the time and at some point I realized okay this is fake so I wanted to tell this to a member of parliament that was standing by me and he said like what what is this so I thought like okay it's a good joke so I said like well this is the first web shop abusing the and he went like I want to speak to the minister right now again and there was more debate and then the eight o'clock news opened with it and 24 hours earlier this whole website had never been thought of and now the joke was ready and it was opening of the eight o'clock news so you you on one hand that showed the tension on the other hand all of a sudden it made very explicit what the problem is at hand but and what I was fighting but then politicians do what politicians do so they start to belittle the issue so at some point the company behind the card said like yeah but it's a very complex hack to execute and I was at this television station and said like it bullshit you know even an old an old person can do it without any computer experience you know if you're digital a little bit you can do it so then the owner of this public and network said well you know take a reporter show it so we went to an old folks home find somebody who was very old didn't know jack shit about computers and he hacked one of the cards and traveled on it so we showed it the game and then we showed the bug in the in the tele machines that where you can charge the cards at the Dutch railway station and it would crash with a certain setting a buffer overflow so I phoned the Dutch railway and at first they wouldn't believe me again so I'm like okay I'll show you and then I just shut down the entire
train station of Utrecht Central so they had to restart it and as soon as they restarted the machines again I would shut them down again so sorry sorry we believe you now but of course it was very funny imagery on television where you see people like totally so that drove the point home and at that point an investigation was started it found out that the company had more too much power in the system things should have been done differently and basically it doesn't the project doesn't deliver what it should deliver and it still doesn't deliver if I'm correct because we're still using the same MIFARE cards which are still the hackable cards which are still not well they are they even fix the stellar problem no they they've introduced a new card now the the Infineon SLE 66 and that that chip is is a Java Java cards now let's not go into that this because they say they they basically now detect if somebody is brute forcing and they they basically make the chip stop responding I'm still in the process of finding out how they do it but they are now introducing an even newer chip the SLE 77 and that can do a different kind of encryption and over time they will switch over time so at the moment if I'm buying an OV chip card I will still have my post was that if they would have solved it let's say overnight or as soon as possible that would cost more than a hundred million euros and they are already somewhat over budget by 120 million euros so the project is more expensive than than thought of so it failed you could you could argue you could argue that this is a failed project yes but back to my lecture yes yes yes I'm sorry I just thought it was a good example to walk into and to see what actually happened yeah then the prosecutor comes after you I'm a freelance journalist so a lawyer is very expensive for me and then the threat the threatening way of the police coming after you it has a lot of impact so right now I understand very well how nasty it is if the government
is are is after you and this makes me very emotional angry upset about what what we are doing to young youngsters that are basically doing the right thing so and that that that's the whole that and that is the essence of censorship that that somebody comes to you and and basically makes you not write or do something even though you're doing it in a right mind and now even the company that is behind the OV chip card has said to me that they regretted filing charges against me but that's a little bit late and I mean apology accepted of course and and they they had a lesson but it's very late in the process and the thing with the government is it's a machine that is kind of uncontrollable so I rather talk about state because then people remember that the state also has a nasty face they can put people in prison they can hinder them in their endeavors they can take away your children and they can they can do really nasty things and sometimes it's very very complex beast to control let me give you an example there was this 15 year old boy Hans Röder he found a flaw in Habbo Hotel Habbo Hotel is a website where you can game a little bit and children come and they they for them it's fun I know I know the I know the I know the website there says it's a it's a popular target for another group of people who are doing stuff there which is not really that great but let's continue with your example please yeah and the 15 year old found a bug in the administrative module so you can get the addresses and information of little children very easily and these boys basically this boy basically helped this company the company thanked him and the next thing that the company did was like yeah we need a little bit of extra information so that we can find them in the log files so that's what they did that what he did he gave the information to the log file for to use in the log files and they searched the information and then they then they pressed charges against him so they were the
company was evil now the public prosecutor said okay I'm not going to prosecute this then the company took the public prosecutor to court to force them to prosecute when they realized that they might lose all of a sudden they retracted the case now this boy was it was 15 years old when this happened and now he's 18 and now he's off the hook so for three years this case has been a dark cloud over his head and basically for doing the right thing I don't want to live in a country where we treat youngsters like this for doing the right thing so again this is the the chilling effect of a state doing nasty things so that so that is very nasty nasty and and and full of misery yeah and you had you had a lot of the lot of examples of this happening do you have a light at the end of the tunnel because I'm getting really depressed here no I don't at this point that the thing is that that at this point we're on the road where unless we start to wake up nothing will change you can say like we have freedom of speech in the Netherlands but that's in the constitution and we can't enforce the constitution in the Netherlands there's no court to do so if you violate the constitution there is that's not a crime in the Netherlands if you make a law that is contradicting the constitution that is totally okay because as soon as a law comes into place it is deemed to be in accordance with the constitution so we would need to fix the constitution to have firm law or we need to have a public prosecutor that dares to say I'm not going to prosecute that not a good idea yes okay I have one other example of censorship that I really really want to talk about and when your show is over my show begins I will call this boy and bring him on the radio but there's this boy Ilya who stopped his study when he was at 24 because his brother and little sister had been taken away by the Dutch government child protection services took them I've read many documents out of the case and seems to me that there 
is a mistake made it's an honest mistake probably but the thing that the mother only speaks Russian seems to be the biggest issue at the hand here and the boy filmed when the police came and took the children out of house and went public with it and when you see the when you see the imagery it is shocking it is really really shocking and you hear children crying they you hear them say I want to go to mommy in Dutch yes very important because that apparently means that the children do speak Dutch and do you know I know yes indeed for showing this to the world he was not allowed to see his brother and sister sister for months and he started campaigning against what happened here he got a little bit of help of a couple of journalists I'm one of them and the thing is the Dutch government just doesn't say why this happened now this case has been ongoing for a year and they went to the European Parliament and testified now child protective services just recently has written a report in the report it says that the boys are the boy and girl cannot go home because of the campaigning the campaigning is not in the benefit of these children so the boy that stands for his little brother and sister now is punished for being public and being open about what happened there and the advice is not to send them home the second thing is he shouldn't have gone to the European Parliament so executing his constitutional rights is all of a sudden a reason for the Netherlands to basically keep your children away that is the sheer definition of censorship and any journalist should be very very angry the only fix I see for these type of issues is that we stand up against it and say this is not the country that we want to build this is not the country that I believe in I love my country dearly I really do and she should start beginning to see the consequences of what we are doing yes wow I'm like totally flabbergasted by the story it is it is shocking and the thing is we don't think about it
enough because you know if you hear child protective services there's always this feeling there must be something ongoing but it's a machine you start and cannot stop and I understand what happened here very well you know child protective services starts to panic they don't know what what is happening now and how to deal with it and then they start to make one mistake of not a mistake of the not a mistake of the not a mistake and at the end of the day everybody is in a position that they don't want to be in there are many good people working at child protective services I've spoken to many of them I've spoken to judges they explain to me that they do not dare to rule against child protective services so the family has lost every case and when they win an appeal which they have done twice child protective services basically starts a new case and find new reasons to keep the children away and it's such a mechanism lacks proper control yes another example and that is closer to hacking and why it's important that we hack system and test them over and over again is Indigo Indigo is a system in use at the Department of Security and Justice for people that are how do you call that immigrate immigrating to the Netherlands and if you if you seek asylum you'll be in this system so this is not the platform which is like Kickstarter this is totally different system exactly yeah it's a government system so failed project as usual and the thing is they have markers and one of the markers is you're ready to be removed now there was this activist from Russia that fled to the Netherlands after he was released from prison he lost his case and he appealed and were mistake after mistake was made and at a certain time he got the label ready to be removed so he was imprisoned they forgot to set the label that he was suicidal so he hung himself in the jail cell and basically nobody was to blame so everybody is to blame so nobody gets to blame and now because of a simple
computer glitch a person is dead an activist that was basically just coming to the Netherlands to be protected for his freedom of speech and be campaigning against Putin I think that's very sad very sad subsequently they started the investigation 300 people were also marked removable where they shouldn't have been marked at so the system is a massive fuck up and we don't realize that we haven't thought this properly through so this to me this is a big deal I agree and I mean and this is why I want to see there are 3000 people here who are happy to well there would be at least 2000 of the 3000 people here would be happy to look into such a secure system or rather such a system what is supposed to be secure yeah these very kinds of reasons the people here present would have said don't build a machine you cannot stop don't build you know if you even have to build such a system that's a different discussion but if you build such a system build a system where you have got many escapes where you check check check check and check you know and where you can't make these massive fuck ups but we've got these politicians running around that we need more systems and we need every time they have a problem there's a digital solution because they have no problems or something yes so it just doesn't you know it just doesn't work like that we should really stand up against these things and at certain points I like sometimes it's better not to have technology or sometimes it's better to build extra escapes and if you don't know how the system is working or can't oversee the consequences probably the best thing to do is to re-evaluate your opinion but the thing is with many managers and I consider politicians to be managers that they have a solution and then they basically work towards a common problem that we all should recognize that there's there and also the the fact that you there is no way back that bullshit there's always a way back there's always something you can do to show 
you know once politicians said to me it's not possible to fix computer systems it's basically not possible to have more secure systems because a lot of companies won't do it well I showed it to them for one month in 2011 I showed the data leak each and every day I called the month Leaktober yes and people later came up to me and said like we were so afraid you were coming to talk about our company because we have data leaks and we know it and we are not secure enough these were managers of the company so I was amazed that I wasn't a target of Leaktober I've had tens of those conversations when the month started I believe it was already four or five October all the all the security companies got massive amounts of phone calls they wanted security audits and it was I believe five October when several companies announced that they haven't hadn't any people left to do audits until June of the next year so all of a sudden apparently there were a lot of companies that realized that they should have been doing audits all the time and they never bothered to do so because else they would have been in the industry around it already so I single handedly created that industry so there is something you can do as one person you know make make stupid managers look stupid you know that's the best way you you you can deal with this all right before we close this up is there some last words you would like to speak to the hacker public radio audience yes I think that hackers and I consider most of them my friends they should stop bitching about trivial issues and start to be critical again especially towards states critical on how they are behaving and they need to be you know vigilant because this is the community that can make a difference now we are the people that that hold the key to the future because we understand technology and we understand the danger of technology so help each other you know and dare to campaign against really big mistakes forget about the trivial issues
start to be angry about the big issues life is all about yes well thank you for your time especially since this is in your show time so I'm really happy that you had gave me this opportunity we will cut this out later for the for the for the pop the question while we will we'll take care of that thank you thank you you have been listening to Hacker Public Radio at hackerpublicradio.org we are a community podcast network that releases shows every weekday Monday through Friday today's show like all our shows was contributed by a HPR listener like yourself if you ever consider recording a podcast then visit our website to find out how easy it really is Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club HPR is funded by the binary revolution at binrev.com all binrev projects are proudly sponsored by Lunarpages from shared hosting to custom private clouds go to lunarpages.com for all your hosting needs unless otherwise stated today's show is released under a Creative Commons Attribution Share-Alike