The ministry (VWS) issued a sharp response after the findings were reported. On closer inspection, however, the ministry has not actually shown any weaknesses in my work, but instead confirmed all findings. The main argument of the ministry is that I could not prove that anyone can break into the LSP or any of the systems attached to it. Given that this concerns thousands of systems, I believe that the ministry's statement that 'regular hacker tests' and audits will protect us from a break-in is unfounded.
The ministry indicated in their letter that the reported issues were known to them, and that these were part of a conscious tradeoff between, effectively, practical usability and 'optimal' security. I am very surprised to learn that people in the ministry have consciously built in the security weaknesses that I discovered.
This page contains my reaction to the response of the ministry.
Download my reaction (Dutch).