10/27/2008
Access to the secure website of the Belgian national police: did the newspaper do something illegal?
The login seems to be guest/guest, or nothing at all....
and then you can find all the addresses and other confidential information.
But the journalists who published the information about the police didn't find it by Google surfing. They logged in as guest/guest.
So did they do anything illegal?
Possibly yes. They were not policemen, they were not administrators of the website, they had no invitation, and they were not professional or paid security researchers with written consent to test the security of the website. Strictly speaking, under the Belgian cybercrime law they had no right to enter the site.
Of course you can say that it is a scandal that such information is so easy to get, but there is so much information on the Belgian internet that is so easy to find, without even entering the so-called secured parts of a website, that you wouldn't even need to enter this website to write an article about that. There are so many websites that are totally insecure that you wouldn't need to do any research to publish the listings as we do. And you shouldn't blame them: nobody in Belgium obliges them to secure their websites and there are no penalties if they don't, so why should they spend money on securing them? Even more so as the press hardly talks about it (except us, but we are very, very small fish).
But discovering that didn't give them the right to publish the information. If we published all the information we have, receive and know, those journalists wouldn't know where to begin. We don't and we won't. We say it just to make clear that discovering something does not give you the right to publish it if it endangers the safety of people, networks and industries. If after your warnings and contacts it appears that the networks or websites have no intention whatsoever of securing their sites and networks better, then you can publish - maybe not bluntly - to give an indication, or just contact people higher up, as we have done with the Electronic Identity Card of Belgium (more to come about that soon....).
If in Belgium - as we say over and over again - you want to stay strictly within the law (which is very strict itself), you are only allowed to republish information that has been published elsewhere or that you can discover with some Google surfing.
The only other possibility is that you first contact the owner of the website, explain that you have received information about a vulnerability in their website, that it is quite important and that they should do something about it; afterwards you can (sometimes) publish the information. This is responsible disclosure, and it is agreed upon between the two parties. In Belgian law it doesn't exist, but we hope that in the coming months we will see more clearly about that.
We have also looked at the conditions of use of the fedpol.be website. We think it would be better, if you have a more secured part of the website, to put in a rule that reads more or less like this:
"This part of the website is only accessible to legitimate users who have received a strictly personal and confidential login from the administrator. It is forbidden to use another login or to (try to) bypass this authentication."
The only things they have now are that the journalists harmed the image of the police, which is mentioned in their 'conditions of use' (even if, stupidly, it is not called that), and that images and content may not be used without prior agreement, which is also mentioned in their FAQ.
Of course you should have a password policy for such sites, and you should test it for ways to bypass the authentication process (XSS, for example).
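As an added illustration of the password policy mentioned above (example code written for this post, not code from fedpol.be or the police website), the following Python rejects shared or default logins such as guest/guest when an account is created, stores passwords salted and hashed, and audits existing accounts for default passwords even though only hashes are stored. All account names, passwords and word lists are constructed for the example.

```python
"""Password-policy and default-login audit for a restricted web area.

Added example, not the site's own code. Account data and word lists are constructed.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Constructed lists; a real deployment maintains its own, much longer ones.
FORBIDDEN_USERNAMES = {"guest", "admin", "test", "user", "demo"}
COMMON_PASSWORDS = {"guest", "password", "123456", "admin", "welcome", "letmein"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def check_password(username, password):
    """Return a list of policy violations; an empty list means the credential is acceptable."""
    problems = []
    if username.lower() in FORBIDDEN_USERNAMES:
        problems.append("shared or default account name")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    # Require at least three of: lower case, upper case, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) so only the hash is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes


def audit_default_logins(accounts, candidates=("guest", "password", "admin", "123456")):
    """Report accounts whose stored hash matches their own username or a default password.

    This is the check an administrator runs over the account table to catch a
    guest/guest style login before anyone else does.
    """
    findings = []
    for acct in accounts:
        for cand in (acct.username, *candidates):
            if verify_password(cand, acct.salt, acct.digest):
                findings.append((acct.username, cand))
                break
    return findings


def make_sample_accounts():
    """Constructed account table: one default guest/guest, one policy-compliant login."""
    accounts = []
    for name, pw in (("guest", "guest"), ("dupont", "Rue-des-Lilas-42!")):
        salt, digest = hash_password(pw)
        accounts.append(Account(name, salt, digest))
    return accounts


if __name__ == "__main__":
    print("guest/guest violations:", check_password("guest", "guest"))
    print("audit findings:", audit_default_logins(make_sample_accounts()))
```

The audit deliberately works on hashed accounts: storing hashes does not by itself remove a shared default login, so the check has to try the handful of defaults against each stored hash rather than inspect plaintext.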
10:01