Consultant Convicted For Non-Invasive Site Access
Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
I can't help but suspect there must be more to this story than is being put forth. Part of me wants to believe his defense, "he never tried to defraud", but my distaste for legal mumbo jumbo makes me wonder more about the specifics:
On its face, this looks like serious stuff with serious consequences for seemingly innocent activity and should give pause to any internet users, but I suspect there's more to it than meets the public eye.
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said."
The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."
Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.
John
UK lawlessness, nothing new?
The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.
This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.
TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.
Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it a malicious purpose (supposedly).
Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
While I sympathize with him, taking the law into your own hands on a whim, regardless of the crime or environment, should not be tolerated. If he was B&Eing into a biker hangout to see if they had his stolen TV, he'd be prosecuted in the exact same manner.
body massage!
I think by "couple of checks," you mean "a directory traversal attack."
http://www.theregister.co.uk/2005/10/05/dec_case/
I confine my donations to organizations with known track records like the Reed Cross and the Salivation Army.
Another interesting quote from the article:
"Some of the tests you might instinctively want to run to see if a site is valid may fall foul of a strict interpretation."
Well, I guess it will certainly change one's "instincts" when it comes to using penetration testing tools to determine a site's legitimacy.
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Though TFA tries to ring alarm bells over police cracking down on innocent activities, it also mentions that the guy initially lied to the police about his actions, leading the police down a time-consuming garden path.
So although the guys "hacking" was fairly innocent, his response to the police was not. Perhaps he should be convicted of public mischief instead.
Life is like a web application. Sometime you need cookies just to get by.
He should probably have known better since his job deals specifically with security. I'm even surprised that he would get hit with a phishing attack to begin with. Also if he got hit that hard over this, what would have happened to the owners of the site if he had been defrauded and had reported it to the authorities instead (it sounds like he and the site were based in the UK)?
By the way, the first thing that (superficially) struck me about the story was the guy's name:
D an i e l Cuth bert
Have you read my blog lately?
n/t
Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Perjury is a crime, you know.
"IT: Consultant Convicted For Non-Invasive Site Access"
No. The consultant was convicted of attempting to access a system which he knew he was not authorized to access. He never got access -- it was the attempts that nailed him.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
However, we still don't have any laws against trolling. Shame, really...
Now that he's beginning his new career as a black hat...
The NSA: The only part of the US government that actually listens.
Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
Or how about picking up a phone and CALLING them. If there is no number to call, donate elsewhere.
-Valiss
When you read a story like this you just wonder who paid that judge to make such an insane and wrong decision. Let's hope the poor guy will appeal.
It's interesting that, much like in Watergate, he got in trouble mostly because of the coverup, not the crime itself.
Have you read my blog lately?
Putting an innocent person to jail will make him want to get some retribution for his time spent UNFAILY in jail.
Will he trust in the government after? In trials? In the police? The guy feels betrayed by the same government he paid taxes to! What they're teaching him is to be much more careful the next time he tries to hack a site. Yeah, nice way to "reform" a "criminal".
The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.
After finding no cause to charge him, they instead convicted him of lying. So he was wrongfully accused, but during interrogation he lied.
Crazy world we live in. Why not arrest every tenth person for murder. See if they slip up some fact, then book them.
In my mind, if the original arrest is unfounded, take no action.
I don't see enough information here to determine if this sets dangerous precedent or not.. all it says is "accessed".
Does that mean he ping/trace routed them? Did a WHOIS? Or did he attempt to log in to their cpanel or equivalent? Did he brute force a login prompt for 3 days?
I'm "Accessing" this page right now, as are you.
The "security consultant" clicked on a banner ad.
Then he gave his credit card info to the site that banner linked to.
Then he wondered if it was a phishing site so he tried to crack it.
Then he lied to the cops when they investigated.
And now he was fired. I for one do not see a problem with that last step given the preceding 4 steps.
This reads to me something like "If anybody tells you can't do something with a computer, and you do it anyway, it's a crime.".
So, in the UK, to attach criminal liability to your violation of any of my own wishes, I just have to somehow involve a computer.
What, by the way, is a computer in the UK? Do embedded devices count? Don't leave through that automatic door; Mickey here hasn't sold his quota of cars this week, and we want a fair chance to convince you to buy. Whoops--you triggered the photoeye, causing the automatic door to open. I guess you can't get more egalitarian than this--every individual has the right to pass criminal laws.
OK, this seems a really silly example. It is. After all, we trust the authorities to selectively enforce overly broad laws--only prosecuting the real bad guys.
Hell, it works on this side of the pond; why not over there?
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
I think the point of the GP post was simple: the "law" he broke infringes on basic rights. Just like watching CSS-encrypted DVDs on a Linux box is illegal, certain laws make criminals out of honest citizens.
If I were arrested in Fairbanks, AK, for carrying an ice-cream cone in my pocket, I would hope for some public outrage. Yes, there's a law against it; but that law infringes on my basic right to carry an ice-cream cone in whatever manner I desire.
"Hey! It's also illegal to put squirrels down your pants for the purposes of gambling!" -- Chief Wiggum
Not that I agree with the GP. I'm still undecided.
Microsoft is to software what Budweiser is to beer.
I do security audits for a living.
Although I do them with a fully endorsed and NOTARIZED release!
Rule number one:
"Thou shalt not perform any invasive activity against IPs that you do not have defacto administrative control over or have legal release (in hard copy) to do so."
I have no sympathy for the guy.
The comment at the end of the article is crap IMHO: "I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help"
Outside of publicly available DNS and ARIN information there's not much more you can do to a remote host to find out whatever information you are looking for. At least if you want to stay out of hot water.
"If you scan the port you go to court"
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
http://www.theregister.co.uk/2005/10/05/dec_case/
'DEC hacking' trial opens
Accused gives evidence
By John Oates
Published Wednesday 5th October 2005 16:22 GMT
Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.
Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.
Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.
Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.
The case continues tomorrow. ®
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I meant to say "UNFAIRLY".
He has been convicted because he lied to the police about it and that made the judge suspicious about his innocence. The judge is quoted as saying that if he'd have told police the truth he'd have been acquitted.
Just like Martha...
Happy Posting.
Na - he could be right. Give guns to everybody - and when we're all dead the crime rate will drop for sure.
Police don't carry guns in the UK.
The police who shot the person in London are probably going to be tried for murder.
The synopsis states Daniel Cuthbert was "worried that he'd been stung by a phishing scam" as the motive for his unauthorized access to the site. The article never mentions motive. The one thing the article does make quite clear, which the synopsis doesn't, is the reason for his conviction was lying to the police. Seems as though he wasn't paying attention to the Martha Stewart case.
So, typing "/../" at the end of a URL is now considered a cybercrime?
I followed the link about prisons and it's quite amusing - ancient Israel didn't have prisons, because with whipping and execution as punishment, it didn't need them. And trolls got crucified.
He did basically break the law. But this is a similar situation to a Red Cross volunteer walking up to your door and asking for a donation, which you give out but then want to find out if it is valid. So you go to the local Red Cross and ask if the person you gave money to is legit. But in the online sense there isn't really a physical building you can go to, or people you can talk directly to. The distance that can be felt from websites, and sometimes their shoddiness, can leave a bad feeling that makes you wonder if it is legit or not.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
Don't get caught.
Guy should do time for posing as a security guru then getting busted.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
This reads to me something like "If anybody tells you can't do something with a computer, and you do it anyway, it's a crime." Change that to "If anybody tells you that you can't do something with THEIR computer, and you do it anyway, it's a crime" and you'll be on-target. That sounds fair to me.
good opportunity to scrutinize the DEC also....
Is it the job of a judge to convict someone of a crime they didn't commit as punishment for doing something else? This is a typical police state tactic, not something you expect in a civilized country. If he lied to cops, and that is a crime, that that is what he should have been convicted of. Convicting someone of the wrong crime (1) encourages judges to slap all kinds of convictions on people for no reason "maybe he didn't commit this crime but he's a shifty character so he deserves punishment anyway" and (2) reduces the ability of the justice system to deter crime by failing to deter the actual crime that was committed. It is crucial that the justice system doesn't just punish criminals but punishes criminals for the correct crime.
I hoped after all this he asked for his donation back.
Nyquil = Nectar of the devil
Moral of the story: Do not try to use the excuse of curiosity to break into another person's system? If he was concerned over the validity of the site in question he should have done web searches on it and/or other background checks. As a "security consultant" he should have known better and the judge IMO did the right thing. I don't see where this person's rights are being violated here as he was the one who acted as an attacker in this scenario.
If you think this is ok then would it be ok for me to use the excuse "I think Slashdot might be leaking personal information about me so let me try to gain privileged access to the site..." No it wouldn't.
News Reporters Make Tasty Polar Bear Treats!
Normal police don't carry guns but some specially trained ones do (anti-terrorism). Also major police stations have armed rapid response units.
Interesting theory, that you shouldn't be arrested for nonviolent actions.
So, if I steal your car (say I'm a locksmith, so I don't do any damage at all), I shouldn't be arrested? I haven't done anything violent---just opened the car door, started the engine, and driven off. (For the sake of argument, let's say that you're asleep, far, far away.)
That's gonna undercut the whole ``capitalist" part of ``anarchocapitalism," since people would then be free to commit nonviolent property crimes.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
What I want to know is, after all of that checking, was the site legit?!? Was he right? I think he deserves a little credit if it wasn't. :) Also, let's see the email that made him think he was scammed. In reality, either way this guy isn't too smart. I think after careful consideration, I would have to fire him also.
Think about it.
He couldn't tell that he was being phished. If he even suspected it, as a guy that works in security, you think that he would check it out FIRST before sending his money in. But alas, he probably did it, thought oops shouldn't have done that, tried to break into the database to erase his info, and failed. There is another reason I might fire the guy. He wasn't even successful at breaking in. Third reason... he wasn't careful enough to cover his tracks. Teenage script-kiddies could probably have done it and got away with it.
Oh well, he will probably write a book entitled "How The Phishermen Sent Me To Jail" and get rich. RIGHT ON MAN.
J Gjonola
The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.
Yeah, and it'd be an abuse to arrest someone for fraud, theft, blackmail - and hey, you could rape someone non-violently if you use the date rape drug.
I'm sorry, abuse?
Does this mean if, for example, your car was stolen with no violence involved, you would be happy if no action was taken? What if your house was burnt down by someone who doesn't like you, but again, no violence was involved. I'm sure this would be acceptable too, right?
Whether you like it or not, the Computer Misuse Act (1990) is here for a reason. It is not a basic human right to access computer systems you are not authorised to access. It is not a basic human right to "check for security".
You do have the right not to donate to certain websites, and not to use certain websites. You also have the right to search the web for opinions of others who have used a particular service.
Sadly, I suspect your original post is nothing short of trolling.
Backup not found: (A)bort (R)etry (P)anic
Every time I read a story like this I think of the guy who broke into our systems a few years back, using passwords he'd had on other systems before he quit the company, then installed a forward rule on some director's email accounts, deleted a bunch of files from CVS, then wiped the Linux logs. We caught him while he was downloading the copied emails over the next few days. Made a full analysis and report, placed a formal complaint with the police, and we're still waiting for something to be done about it...
Sometimes people make a big deal about electronic crimes, but the break in to our systems cost us an incredible amount of time and money, and was basically done for commercial gain - the CVS files were for a client that switched away from us the day after the break-in. Since the hacker was an ex-employee, who we trusted, it was very traumatic. I think we lost something like 50k over this break-in, much more if we count the lost customer.
Worst of all, the bugger - after admitting he did it - launched a lawsuit against us, trying to blackmail us into dropping charges.
If I'd gone to the police with an eye-witness statement of someone breaking into my car, the guy would have been arrested and charged. But when it comes to computers, it's still astrology to most law enforcement.
I'm posting this anonymously because the case is pending.
Anyhow, it's nice to see e-crooks get their come-uppance. This kind of case at least proves that crime by modem and ADSL is still crime.
When I "investigate" a website, I ALWAYS bounce through a proxy internationally. Duhhh. Some security expert.
If it is illegal to carry ice cream in your pocket then only criminals will have ice cream in their pocket!
Er... free Kevin Mitnick?
Fuck it
It sounds more like a red cross person asks you for money, but doesn't say thank you, so you try to pickpocket them to check their ID is valid, and then get caught with your hand in their pocket.
I am TheRaven on Soylent News
I completely agree with you, but be careful about how you fling about the term "right." Rights are things that all men possess as an incident of being human beings. They cannot be taken away or awarded, you always have them. Governments may only choose to recognize them or ignore them. This is the fundamental principle of American individual liberty, and our civil rights. We play fast and loose with what constitutes a "right" on Slashdot. Does this guy have the "right" to "[carry] out two tests to check the security of the site" and does a law preventing such a thing violate that right? I honestly don't know, and I suspect neither do most of the outraged posters on Slashdot. It's a comforting assumption that we have such a right, but do we really? That's really the question that an article like this should beg, and it might start an intellectual conversation, which is almost always a more edifying experience than the predictable Slashdot outrage whenever one of "our own" is brutalized by The Man for breaking laws that we find unpalatable.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
and you think not allowing access to guns (at least legally) is a bad thing because ???
For my own safety I think I'll configure my copy of bind to not resolve names in the bt.com zone. BT's IDS is famously overzealous--anyone remember that 'hacker' gaoled for using Lynx story from last year? That was BT's fault as well.
Perhaps there are places where one can legally lie to the cops, but I was charged and convicted for "providing false information to an officer" when I was a kid, because I told them I had car insurance when I didn't.
They also charged me with "not having insurance", and "not having proof of insurance" (separate charges in that state; not all states criminalize both, and a couple don't require insurance at all).
In any event, the cops just charged me with a whole bunch of shit so that some of it might stick. That's how our frail and clumsy "justice" system works: spew lots of charges so you can throw some out to "work out a deal."
First, I have not RTFA. (Who does?)
Second, what exactly was so illegal? I've done many ARIN queries and borrowed Symantec's geographic IP locator to find out about various sites. Nobody's come knocking on my door (yet).
At least she'll SAY she agrees.
Exam 4/C again. Maybe I'll do better this time.
It would be helpful to know exactly what he did.
Did he run an exploit, did he test for the vulnerability of the system against an exploit?
Was it SQL Injection, Java Injection or just plain login abuse?
Hard to determine whether he was truly attempting to gain "unauthorized access" without knowing more details, but what I can say is that this is a cut and dry text book case.
1). Attacker attempts to exploit vulnerability (regardless of how/why)
2). IDS Detects and Logs Attacker
3). Law Enforcement is contacted and provided with logs and asked to act
4). Law Enforcement acts, legal system convicts attacker
So if I went to the .gov site or some other site and keyed in 'MASTER' or 'ADMIN' for the login and password after seeing a NOVA program about how military computers often forget to remove the default passwords I could get into trouble just for trying?
What would happen if I got in on the first attempt?
Would it be the same if the guy went up to a house and tried the door to see if it was unlocked?
who gets caught red handed, then comes up with a (very weak) lie to cover.
I'm NOT saying this guy is lying (I'm just implying it)
After RTFA and then looking at the poll I am amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage"
It's time to wake up people. First point: Yes he did cause damage. Money was spent investigating the intrusion which is monetary damages. Second Point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.
How does this hurt the Penetration Testing career field as well lol (another piece of FUD in the article...) Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later on down the road. Documentation is kept during the process of testing so the testers can show that at point X when they were attempting attack Y they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal and he being a security consultant would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure people might sympathise with me if I was right, but that doesn't mean it makes it legal.
News Reporters Make Tasty Polar Bear Treats!
"This is a country that won't let their citizens bear arms (increasing crime [lewrockwell.com]), but will let security officers shoot first and never ask questions."
I didn't go to your assumedly gun nut link, but I really don't understand what you're saying here. Are you saying that the Brazilian guy, had he been carrying a gun, would have been less likely to get shot in the head? What would you have had him do? Shoot the advancing security personnel?
Repeat after me I DO NOT LIVE IN THE OLD WEST. I CANNOT SHOOT COPS BEFORE THEY SHOOT ME
I'll just use my special getting high powers one more time...
Somehow, I think Daniel Cuthbert, 28, east London, arrested on January 20th and the Solaris-using, Lynx-toting 28-year-old east Londoner arrested about the same time are one and the same.
So much for the "Lynx theory".
Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.
zdnet Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty"
It looks to me that if he hadn't changed his story, nothing serious would have happened. If he had not talked to the cops without a lawyer, I think there's a good chance he would have gotten away with maybe a slap on the wrist. Since he lied to the cops to confuse the issue, the judge got mad and used a guilty verdict as a punishment for a lie. That's just wrong, and it sets a horrible precedent for future cases that are pursued based on a horrible law.
I guess it's not just the US who has a fuggered up legal system that bases legal decision on petty "get even" routines... It's just sad.
--- "To ignore race and sex is racist and sexist!" -- Jesse Jackson
Do not try to use the excuse of curiosity to break into another person's system?
Directory traversing IMO isn't trying to break into a system. Neither is SQL Injection or anything else.
If you leave your blinds open when you shag your wife, and I look in your windows from the street, I'm not breaking any laws. Close your damn blinds.
Really, a web site is up for public consumption, and directory traversing is quite a common http request. Web developers use it all the time - to specify images or a css file or a js file or whatever.
He's just doing what a script is already allowed to do on the server.
If you don't want it happening on your server, lock it out. It's easy. IIS 6 blocks that by default, and using mod_security you can block that request easily enough.
Truth is, it's an idiot webmaster, and an idiot judge. I think it's making a mountain out of a mole hill.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
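The two technical threads above, the "textbook case" sequence (attacker attempts, IDS detects and logs, logs are handed over) and the reply arguing that a `../` in a request line is ordinary and should simply be locked out server-side, both come down to the same two operations: spotting a traversal attempt in an access log, and resolving a requested path under the document root so that it cannot escape. The following is an added example written for this discussion, not code from the original thread or from IIS or mod_security. The log lines are constructed (Common Log Format, RFC 5737 test addresses) and the document root `/var/www` is an assumed value; the point it makes that the thread does not is that a `..` segment which stays inside the root (common in sloppy relative links) is distinguishable from one that climbs above it, and that URL-encoded variants have to be decoded before either check is meaningful.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2004:15:02:11 +0000] "GET /donate/index.html HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2004:15:02:40 +0000] "GET /donate/../../etc/passwd HTTP/1.1" 403 212
203.0.113.5 - - [31/Dec/2004:15:03:02 +0000] "GET /donate/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 212
198.51.100.7 - - [31/Dec/2004:15:04:00 +0000] "GET /static/css/site.css HTTP/1.1" 200 811
198.51.100.7 - - [31/Dec/2004:15:04:01 +0000] "GET /static/img/..%2f..%2fsecret HTTP/1.1" 404 150
"""

# ip, method, path, status from a CLF request line
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_clf(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def fully_decode(path, rounds=3):
    """Percent-decode repeatedly (bounded) so %252e-style double encoding
    is unwrapped; also fold backslashes, which IIS treats as separators."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_info(raw_path):
    """Walk the decoded path segment by segment.
    Returns (decoded_path, has_dotdot, escapes_root): has_dotdot is True if any
    '..' segment is present at all, escapes_root if the walk ever climbs above '/'."""
    decoded = fully_decode(raw_path.split("?", 1)[0])
    depth, has_dotdot, escapes = 0, False, False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                escapes = True
        else:
            depth += 1
    return decoded, has_dotdot, escapes


def scan_log(text):
    """Detection side: return one finding per request containing a '..' segment."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        decoded, has_dotdot, escapes = traversal_info(rec["path"])
        if has_dotdot:
            findings.append({"ip": rec["ip"], "raw": rec["path"],
                             "decoded": decoded, "status": rec["status"],
                             "escapes_root": escapes})
    return findings


def safe_resolve(doc_root, raw_path):
    """Mitigation side: map a request path onto the document root.
    Returns the resolved absolute path, or None if it would leave doc_root.
    Done purely on strings so it runs without touching the filesystem."""
    decoded, _, _ = traversal_info(raw_path)
    root = doc_root.rstrip("/")
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None          # climbing above the root: refuse
            parts.pop()
        else:
            parts.append(seg)
    return root + "/" + "/".join(parts) if parts else root


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "ESCAPES ROOT" if f["escapes_root"] else "stays inside root"
        print(f"{f['ip']:14} {f['status']} {f['raw']!r:45} -> {f['decoded']!r} ({verdict})")
    for p in ("/donate/index.html", "/donate/../../etc/passwd", "/static/img/..%2f..%2fsecret"):
        print(f"{p!r:40} resolves to {safe_resolve('/var/www', p)!r}")
```

In the sample, the third flagged request (`/static/img/..%2f..%2fsecret`) contains `..` but never climbs above `/`, so `safe_resolve` maps it harmlessly to `/var/www/secret`, while the two `/donate/../../` requests are refused outright; a log-triage rule would normally alert on the `escapes_root` findings and only count the rest. Note that the server's 403/404 status in the log is not the signal here: the decision is made on the decoded path, exactly as a WAF rule or an IIS-style canonicalization check would make it before the request reaches a handler.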
The Joy of Directory Traversal Attacks
In other words, if you're in the UK, don't type "../" in a URL or you go to jail.
Holy shit, people with mod points please get this up +5.
where there's fish, there's cats
I made similar points to the ZDNet op-ed piece linked above in an op-ed of my own from March:
http://news.com.com/Is+identity+theft+inevitable/2010-1029_3-5648740.html
of the Constitution, so when you refer to the Constitution you are referring to the amendments as well. Also, the Constitution does not grant rights to people, but guarantees them, or takes them away.
http://www.usconstitution.net/const.html#Am5
While it wasn't clear on what he did when accessing the system I think that this was a fair ruling. These computer security experts are invading others' systems which are running legitimately or not. I see this in the same way as an uninvited person entering your house and rummaging through your stuff. While this does hinder computer security experts from doing their job efficiently, it protects the right to privacy of the system's owner. What I feel should be done is for the government to create a system in which security experts can become government trained and certified to go into systems in a particular way (same way police gather evidence). After they are trained they should be allowed to use a service where they can apply for a warrant if enough evidence is gathered about the suspiciousness of the site. I see this as being a fair way to protect the rights of the system's owner. The only issues I find with this approach would be efficiency. Anyone agree with me?
I hope this gets thrown out on appeal. We're getting to the point where someone can claim a crime occurred where there isn't even any actual demonstration of harm. Yeah, I suppose I can see where it's not right to investigate a system, and that can cause harm, but that's not what this person apparently did.
And lying to the police? It's not an issue I care to criminalize. This sort of thing makes me want to lie to the police more, not less. Of course, I'd immediately say get out of my face till I get a lawyer to any policeman who approaches me. And if they persist, I'd feel no remorse at responding violently. At that point, they'd have broken the rules, and indicated to me they intended to violate my rights in a criminal manner.
Thus they were no longer operating under lawful authority, entitling me to any response I find reasonable and necessary to force them to desist.
They will have to put a new button that says "I agree that I'm not entering this website with ill intent"
To protect the consumer from badly secured websites.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
Well no shit! The people who were prosecuting him clearly couldn't handle the truth. These are not reasonable people. One who arrests another for a directory traversal (with no evidence of cracking) is not a reasonable person.
The very fact the investigators couldn't discern between a cracking attempt and a directory traversal is evidence that the they were not capable of handling this type of work. Being an intelligent person, he probably figured the best course of action (to end this as quickly as possible) was to give the information to them in a way they could understand.
For example, if I were arrested for the same "offense," I would probably state something like this:
"I wasn't hacking; I was just using standard web access techniques to validate the site's identity."
Which, depending on your level of ignorance, may be construed as "lying." The investigator may live under the impression that the only type of web access which is "standard" is logging on the site using the main form. The investigators probably felt he was being an arrogant prick and wanted to make an example of him. This is not the purpose of law.
This guy donates 30 pounds to a charity, for which he receives no verification. He practices due diligence (against a phishing attack) by validating the authenticity of the site. And they have the nerve not only to arrest him, but to prosecute him! And convict him!
I am repulsed, and I weep for the security community.
A government is a body of people notably ungoverned - AC
I find it laughable that you don't think SQL injection for the purposes of gaining access to information that you are not authorized to view is ok? So I can do a bit of SQL injection and have password files or credit card information brought forward... But that is alright since you think "Directory traversing IMO isn't trying to break into a system. Neither is SQL Injection or anything else."
Oh and BTW using the Window analogy is really off. The front page of the website is the Window and what this person did was try and get around that Window by using old exploits. Not everything is as straightforward as they want to make it.
News Reporters Make Tasty Polar Bear Treats!
I've been wondering if this is the same guy who (supposedly) was arrested for using Lynx to access a charity site. If that was his original story -- "I didn't hack the site, I just accessed it using Lynx!" -- and it turned out to be untrue (as in he tried a known exploit, though only to verify info) -- that would fit with the article about the conviction.
Does anyone know whether this is the same case?
So when I ../ a porn site to see if I can view the directories, is that illegal? What if I change the directory from /005/ to /004/? Is that going to put me in jail?
"Cuthbert's defence argued that any unauthorised access was entirely innocent. (...) The defence also pointed out that Cuthbert had not attempted to defraud the site."
Yeah! This conviction is a travesty of justice!
I mean, it's as if someone broke into your house and just kind of looked around, without raping your daughter, killing your wife, or stealing anything! Entirely innocent!
Wonder how good he is... Now that he's beginning his new career as a black hat...
This guy just lost his job, and will have more trouble getting another job in the security industry (depending on what they charge him with). Also, he will be very pissed off at the government and the law. Hence, the logical solution is to solve both problems by becoming a black hat -- or where else did you think he would apply his skills as a security expert if no one will hire him? (Not that I think he is a bad guy, donating to Tsunami relief and all)
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Repeat after me: I DO NOT LIVE IN THE OLD WEST. I WENT TO SCHOOL FOR 12 OR MORE YEARS. I SHOULD KNOW HOW TO SPELL.
Attempting to access a computer without permission may or may not be a criminal offence.
We don't know what he really did, or what his real intent was.
Cast in the light of a security expert checking to ensure the donation site is legitimate you might give them the benefit of the doubt and let them off.
Considering he lied and changed his story, you might be more inclined to think he is lying about the original intent behind the actions.
Say the URL was site.com/thanks.html. He changed it to site.com/../thanks.html.
Apparently some dynamic sites just grab whatever's after .com/ and use it as parameters with no sanity check. He tried it, they had a sanity check, they logged it as an attack. Stoopid. I don't see how it's an attack. Wikipedia says you could potentially change it to ../../../../etc/passwd and try to guess the number of levels you are away.
Thanks, buster! I repeated that and I am feeling very silly because of the numerous uncomfortable stares I am receiving right now. I hate this library anyway.
-Jam
Remember, without BT, there would be no WWW; after all, you do know that BT invented the hyperlink.
I'm not a network security person, but the few courses I did on the subject at uni drilled this into my head: don't test a computer's security without permission (preferably written), even if you work for the company that owns it. Surely any network security engineer would know not to do this? And wouldn't a person in the security field know enough to check out a site *before* giving them card details? And then going to a more trustworthy site, say, oh I don't know, redcross.org? To be honest, I think cyber-related crimes need a higher level of punishment because they are so hard to trace, and so prevalent. I do think though he would have gotten away with a slapped wrist or fine, but he did lie, which should definitely be factored in; how could they trust what he said about his motives after that? It'd be like getting caught trying to pick the lock on someone's house because they were out and had left their lights on. Just out of curiosity, what could doing a directory traversal (/../) possibly prove about the validity of a site? Oh, and do credit cards provide fraud protection for this kind of thing?
I had thought that lying to the police was against the law. Perjury isn't the only way to lie illegally.
Exam 4/C again. Maybe I'll do better this time.
Great! Digg! That's where the cool kids hang out. That will leave slashdots for the ... erm ... nerds?
You can have your say about Cuthbert's conviction by voting in this poll.
Man, if only Slashdot polls carried this much weight...
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
From a dumbass mac user?
Have a look at http://www.dec.org.uk. They are currently supporting a campaign to help the worthy cause of the situation in Niger. Click on the donate button and you will be taken to a shocking rendition of a 1997-esque payment page that looks awful. So I imagine our man Cuthbert looked again at the dec.org.uk site and it looks bona fide enough, and also the whois entry stacks up.
I remember at the time that BBC News carried a story at, or about, the time of Hogmanay (31st Dec 2004) regarding fake websites. I could only find this story on the BBC website 6 days after the alleged incident.
So our man Cuthbert panics. As you can see, the basic link and page go to securetrading.net (not even a .co.uk). Remember that 31-DEC-2004 is a Friday before a long holiday weekend. So there will be no one to phone. He looks at the certificate for the server-side SSL: "Secure Trading Ltd", a UK company. But the whois entry is privately registered and does not have any standard company details on it. It is also registered abroad (which isn't a big worry, but remember this is a UK gov't sponsored website).
My next port of call is Companies House, where all UK Ltd companies have to be, by law, registered. So using their WebCheck facility: it is company number 04591066 with an address in south east London. Not a government organisation, but it seems wholly owned by another unknown company, UC Media? securetrading.co.uk? No, they're someone else. Back to Companies House: searching for UC Media, can't find them, but there is an entry for UC Group Ltd at the same address. Bingo. Hang on. There are two insolvency notices on this company...
I'm sorry, but I would have also panicked.
It seems to me that its like a teen rattling a gate at the ball park to see if it is locked. While you might do so out of curiosity, or in an attempt to gain unauthorized access, it is still just checking to see if it is locked. If you have a valid ticket in your pocket, accessing through that gate would still be wrong, but checking that it is locked is not.
It does not matter if you have safe cracking tools in the garage at home, if you are simply standing outside the jewelry shop, and check to see if the door is locked or anyone is inside, this doesn't mean that you are attempting to steal diamonds. Sure, he may have had tools on his machine, but that is no different than saying a cop has a gun, and looked like he was trying to break into the store when the door was locked. Things are not always as they appear, and convicting on the basis of intention, especially when it is not overly easy to see the intention, is just wrong.
We have no need of, or room for, thought police in civilized society.
Of course, I may have missed a salient point here, but it just seems wrong to convict without evidence of harm.
In the case of where this seems to happen, like dangerous driving (intoxicated or not) it has been shown that this behavior does lead to accidents, and removing the driver from public roads is a safety measure that does not harm anyone. This is the reason for various lane markings, speed limits, etc.
In this case, there was no speed limits or lane markings, only a locked gate type of guidance. Convicting this man of attempting to steal when there is no blatant evidence is just wrong, and sets a bad precedent in my opinion. Banks don't keep their cash funds out on the sidewalk for a reason. If they did, and it went missing, what exactly would the courts say?
Additionally, it doesn't seem to ring true that a 'security expert' would leave such a trail as to be caught if he was truly trying to break into the system?
Support NYCountryLawyer RIAA vs People
Excuse the Star Trek quotation. :) But it's a good one.
"There can be no justice so long as laws are absolute."
The investigators and prosecutors should lose their jobs for wasting taxpayer money, prosecuting a professional for something clearly non-malicious. You don't charge someone for break and enter if they walk up your driveway to read your house number.
A government is a body of people notably ungoverned - AC
How is that fair?
Following the GP's example of the automatic door -- if I tell you not to open the door (which is done with my computer), I have effectively forced you to stay in the room unless you feel like breaking the law.
By the way, the site was donate.bt.com. I would have gotten much better information had he just picked up a phone and called BT and asked them if it was legit.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
a) It's not a private home. Don't use that analogy; it only associates a potential life-threatening issue with a non-life-threatening issue.
b) While it would be wrong of me to enter a store that was locked, it would be wrong of me to rattle the door to see if it's locked. It also wouldn't be wrong of me to enter a store that wasn't locked, even if they were closed.
Why should computers that are on a system designed to allow people to access them be any different?
The Kruger Dunning explains most post on
a computer on a system designed to let people access it is NOT the same as your HOUSE!
The Kruger Dunning explains most post on
It is a shame that no one has posted what the actual lie was. Or was it a changing story?
1st interview:
cops - what did you do?
guy - I looked around the site to see if it was legit
2nd interview:
cops - what did you do?
guy - Well I fired up my Ultra 60 running Solaris, not that it had ZFS, but I started her up anyway. I was going to use mozilla/mozilla, but I forgot that I had accidentally removed an X lib earlier that year when I was testing a buffer exploit. So I dug up an old copy of lynx that I had cobbled together with color-xterm support. I remembered that I had not compiled it with SSL, so I had to rebuild it with an OpenSSL library. I then typed "../" on the end of the URL.
Judge - you changed your story! Liar liar pants on fire.
Boss - you're fired!
Seriously...again...is that me reading between the lines or ...
On Thursday, Daniel Cuthbert [...] was found guilty of breaching Section One of the Act [...]. He admitted attempting to access the Web site, which was collecting donations for victims of last year's tsunami.
So I understand that he "admitted accessing the web site"...Oh my...I just clicked on my "Slashdot" bookmark and accessed the web site. Is this not allowed any more?
The article also states:
Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site. As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."
So basically, I have been testing my web application all morning. As it turns out, I was testing the ACEJI security configuration and got a lot of "access denied", which I was expecting since I wrote the system.
This scenario falls under the Act description. I should be jailed!
OK...I think that's not me...I think this world is getting dangerously ignorant and stupid.
Not really knowing is what got him into trouble, and what leads countless others (/. readers among them - among us?) into generously throwing our hard earned cash down ratholes. He didn't need to try to hack into their site to find out if it was legitimate, and how much of his money would actually help those in need.
There are independent organizations, governmental and NGO, that list and track legitimate charities and provide info on how much of what they collect actually goes to those they claim to help. If you can't find out about a charity from separate, independent sources, move on; there are lots of other charities that are effective. Don't let boring old names like "Red Cross," or "World Vision" keep you from finding out how much, or how little they deliver to those in need (World Vision delivers a surprisingly large percentage). Daniel Cuthbert's thoughtless act of charity led him into even stupider, and illegal acts. Be deliberate, and sober (serious, not just "not drunk," and I have no idea whatsoever what state he was in) in your giving, and perhaps even budget for it! You'll feel better if you do (hard to feel worse than Daniel Cuthbert about a generous act, right now).
Lemme get this straight -
slash - dot ------ mostly legal
dot - dot - slash ----- now illegal (if you are confused RTFA)
Are we next?
And of course, there can't be other reasons for rising crime can there? Oh no! That's why you read in papers about increased immigration, gypsies, the European Court of Human Rights... trying to link crime to them. Granted, most of those are just tabloid rants, but there are other factors.
More laws = more crimes = more criminals = more prisoners = more money for the State.
Where you got this bollocks, on the other hand, I have no idea! The prison population in the UK is about 77,000, but it's been rising since 1993, when there was a different government in charge! In fact it levelled off after 1997 for a short period. The average cost of keeping a prisoner was £38,753 (2002). Locking people up and providing full room and board, with none of them earning and able to contribute, is obviously another one of these:
Please don't drag up random crime statistics and figures without realising what they mean. The US has 726 prisoners per 100,000 people, the UK has 145. The US has 0.04 murders per 1000, the UK has 0.01 per 1000
He didn't even get into TFS!!!!
Now, let me get this straight, the guy donated money to a site, typed in a URL, and then got arrested! WTF!
Hundreds of people try, unsuccessfully, to log in to my SSH server with random usernames and passwords! I don't call the feds on all of them!
There's a huge difference between looking in someones window and smashing it with a rock!
Anything that takes away someone's life or property or harms their body (against their will) is violent.
House burning and car stealing are both violent activities.
or were they just too stupid to understand him?
If you tell the average person something technical that they dislike hearing, they usually will misrepresent the statement internally to something impossible, and accuse you of lying to them.
Sadly enough, the average police officer is no more intelligent than the average helpdesk caller; he's just better armed, more belligerent, and convinced that everyone talking to him is lying. This is largely because cops talk to liars, con artists, and criminals all day; he's just not used to dealing with honest citizens, and doesn't trust anything out of the ordinary. All too often, strange == dangerous for cops.
Did this guy really lie to the cops? Or did he tell the truth, and have them just confuse the facts that they found impossible to understand? The article doesn't say, but it's a distinct possibility these days.
FUD.
Murder rates are higher in the US but violent crimes are much higher in the UK.
http://panda.com/advocacy.html
Gun crimes in the UK have more than doubled since the current Labour government took control.
and
people in London are now 6 times more likely to be mugged than people in New York City
The prisoner percentage is FUD, too. The supermajority of US prisoners are non-violent drug users. The UK is far less likely to prosecute petty drug crimes (see US Rockefeller laws and on).
To quote Chumbawamba: 'It is a great thing we have an unarmed police force in this country. It is perhaps an even greater thing that a force that is unarmed is able to shoot so many people'.
If corporations are people, aren't stockholders guilty of slavery?
So he lied. What's wrong with that?
"WHERE DO I START?!" you're probably thinking.
Well, now let's turn the tables. I'll give you an example of the tides turning -
Last year, on my 18th birthday, I partied a little bit too hard. After hours of drinking, we went for a drive (YES, we DID have a sober driver.). Unfortunately, we ended up in a situation where the cops were called, and my 4 buddies and I had to spend the rest of my 18th birthday shackled to the walls in a PA State Police barracks. Now, at this point, I was too drunk to write, so they just made me sit there and did their rounds. After a few hours I see one... two... and then three... go up for their mugshot and then leave... and then they finally let me go.
So, I go outside to meet my friends and try to find them a way home, and I promptly get punched square in the face. "What the FUCK was that for?", I thought. Well, it turns out the state police, despite my inability to drive, write, or even talk without sounding like a raging alcoholic, had told my friends I had written a confession that said A - we had broken the windows (what got us there in the first place) and that B - everyone had been drinking. It would be in *their* best interest to do the same. So they did.
I could go into another example of the same thing happening to someone else, but I'm sure everyone's heard enough of them.
When my long-forgotten ancestors accepted this nation's founders' idea for government, they placed their trust in it for not only themselves, but everyone down the line, too. I've even heard cops say that "pig" stands for "Pride, Integrity, Guts". What's that middle word there?
If you would like your citizens to behave and be honest people of high moral standards, then you MUST do the same. With deceit comes dissension, and with dissension, revolution is born. Those that lead must do so by example, and soon enough, those that should be removed from society will become very evident.
To put it short, How can you trust a liar? You can't, no matter how truthful they are.
It worries me that a ruling like this would come down when there was no proof of criminal intent, and no real harm was done. The judge even acknowledged this in his comments from the bench, but said that the way the law was written necessitated this verdict. First, the law is very loose in its definitions of "unauthorised access".
It seems that there were three levels where hysteria over computer crimes worked against the defendant. First, British Telecom had very sensitive intrusion alarms which can give false positives. Second, the police seemed overzealous in prosecuting what was just a small matter. Third, I'm not sure the judge had the knowledge to understand the technology or the actions that precipitated the legal actions. Add a vague and very loose definition in the computer crimes laws, and you have a recipe where someone can be wrongly convicted.
It's good to use your head, but not as a battering ram.
I keep getting a 404 page.
Do you think some uberhacker might have gotten there first?
Hence my point of "Don't pull figures out realising what they mean". My main point was that crime statistics skyrocketing (Especially "violent crime") is likely due to the change in recording of crimes. As i said, if an attack on a group of people is now recorded as one per person and not one for the group, then of course it's skyrocketing.
Murder rates are higher in the US but violent crimes are much higher in the UK.
Bollocks again. As I showed earlier, US murder rates were 4x (.04 to .01) as much as UK ones; the site you quote says violent crime is just over 2x as high.
I'd like to see the sources for the "facts" on that page (You couldn't get a more biased site could you?). I've never seen those statistics anywhere else (Under the "Since the UK outlawed handguns" section). And the fact that British police are now routinely armed? If that's meant to mean with guns (Doesn't specify), then i think you'll find they're not. Anti-terrorist police (See No. 10) are, the standard copper doesn't carry a gun.
Anyway, we're off the topic by far now.
On Slashdot, why defend the hacker? Yes, I call him a hacker because I don't know what his intentions were; only he does.
Maybe he was a budding hacker trying out his leet skills and maybe it was an innocent mistake on his part; we will never know.
We do know that hopefully his troubles now will deter others from testing my server for traversal attacks or port scans or whatever.
Next time your logs show an attack attempt, will you just ignore it, thinking it's just someone testing for security?
I once worked for BT, only a few years ago.
Their network is (was?) so dangerously put together that it took their network admins (read: trained Cisco Engineers in the business from 5 - 10 years) around a day to work out whether adding a single new network-route was going to screw any part of the network, if not the entire thing.
Worse, there never seemed time (or inclination, or management-backing) to ask/pay someone to properly document it.
And if you say "OSPF": Yes, there should be OSPF or some other decent auto-routing protocol on a network as large as BT's, but apparently when they tried it, the people involved didn't really understand what they were doing, caused their entire net to flutter every time one router went down or a bit off -- which can cause hours of instability -- so were subsequently too scared to ever try it again.
Personally, I wouldn't touch BT's network with a flying brick.
I have observed that rulers behave as badly as they can get away with. If we are armed, then there is always a little bit of fear in the heart of our rulers. They always know that if they go too far they could end up making someone too angry and could end up dead.
Fear is the basis of respect. Where there is no fear, where rulers know that there will be no consequences no matter what they do, we end up with the worst possible rulers.
I've heard it said that the reason why England had a middle class earlier than the rest of Europe, and why feudalism was never as strong of an institution in England as in other European countries, was that all the peasants of England knew how to use longbows, and a longbow can kill a knight in armor from 100 yards. As long as peasants with longbows were around every aristocrat in England knew, deep down inside, that if he pushed things too far, he might get perforated.
I don't know how this connects with the current case, I just know that where there is no fear, there is no respect. Unless there's a big fat "another side to this story that we're not hearing", this is just a case of someone getting squished because, well, nothing bad will happen to those doing the squishing.
Adding /../ to a URL is not an attack. It is legitimate URL syntax.
http://example.com/ => default page of example.com
http://example.com/SomeFolder/../ => display folder contents of example.com so that user can peruse list of available pages.
The dangerous precedent that this case sets, is that typing a URL into the address bar is an attempt to gain unlawful access, rather than (as I think it *should* be interpreted) a polite request as to whether a particular page is available to the public.
Since I have automatic redirects disabled on my browser, in order to use some sites (including bt's), I need to type in the full path to the home page, and my usual method involves trial and error.
So far I have tried
http://www.bt.co.uk/
http://www.bt.co.uk/index.html
http://www.bt.co.uk/index.htm
Woah. I just made 3 unsuccessful attempts to "access" bt's site. They'll be coming to get me now.
Well, if they do, I think I have a perfectly legit counterclaim - they tried to hijack my computer by redirecting my browser to a URL that I did not type in directly.
Adelle.
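The two posts above that talk through "../" (the one about sites that grab whatever follows the host and use it with no sanity check, and the one arguing that /SomeFolder/../ is just legitimate URL syntax) are both describing the same mechanism from different ends. The following is an added example, not code from the original thread or from any of the sites mentioned, that shows the three places a dot-segment can be handled: a conforming client normalising the URL before sending it (RFC 3986 dot-segment removal, so a "../" that climbs above the root never reaches the server), a server that naively appends the raw request path to its document root, and a server that resolves the path and refuses anything landing outside that root. It finishes by running that check over a few constructed access-log lines, which is roughly what an intrusion alarm like the one in this story would be doing. The document root, the log lines and the site layout are assumptions made for illustration.

```python
# Added example, not from the original thread. Shows how a "../" in a URL is
# treated by a normalising client, by a naive server, and by a hardened one,
# then applies the hardened check to some constructed access-log lines.
import posixpath
import re
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/var/www/site"  # assumed document root; not a real site layout


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: the path a conforming client actually sends.
    "." is dropped, ".." pops the previous segment, and a leading ".." that
    would climb above the root is discarded rather than transmitted."""
    segments = path.split("/")
    if segments and segments[0] == "":
        segments = segments[1:]          # drop the empty segment from the leading "/"
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            pass
        elif seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
            continue
        if last:
            out.append("")               # a trailing "." or ".." leaves a trailing slash
    return "/" + "/".join(out)


def naive_resolve(url_path: str) -> str:
    """A server that simply glues the raw request path onto its root with no
    sanity check: every ".." in the raw path walks one level out of the root."""
    return posixpath.normpath(DOC_ROOT + unquote(url_path))


def safe_resolve(url_path: str):
    """Resolve the request path, then refuse anything outside DOC_ROOT.
    Returns the filesystem path, or None when the request must be rejected.
    A ".." that stays inside the root (e.g. /SomeFolder/../x) is harmless."""
    candidate = posixpath.normpath(
        posixpath.join(DOC_ROOT, unquote(url_path).lstrip("/"))
    )
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Constructed sample access-log lines (Common Log Format); not real BT logs.
LOG_LINES = [
    '203.0.113.5 - - [31/Dec/2004:18:02:11 +0000] "GET /thanks.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Dec/2004:18:02:40 +0000] "GET /../thanks.html HTTP/1.1" 403 0',
    '203.0.113.5 - - [31/Dec/2004:18:03:02 +0000] "GET /SomeFolder/../index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [31/Dec/2004:18:05:15 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 403 0',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def flag_traversal(lines):
    """Return (request_path, verdict) for each request found in the log.
    Percent-encoded dots are decoded first so %2e%2e is not missed."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw_path = urlsplit(match.group(1)).path
        if ".." not in unquote(raw_path).split("/"):
            verdict = "clean"
        elif safe_resolve(raw_path) is None:
            verdict = "escapes root"          # what an IDS reasonably logs as an attack
        else:
            verdict = "dot-segments inside root"
        results.append((raw_path, verdict))
    return results


if __name__ == "__main__":
    for p in ("/SomeFolder/../", "/../thanks.html"):
        print(f"client sends {remove_dot_segments(p)!r} for {p!r}")
    print("naive:", naive_resolve("/../../../etc/passwd"))
    print("safe: ", safe_resolve("/../../../etc/passwd"))
    for path, verdict in flag_traversal(LOG_LINES):
        print(f"{verdict:26} {path}")
```

Two things worth noticing when you run it. First, a browser that follows RFC 3986 turns /../thanks.html into /thanks.html before the request leaves the machine, so a raw ".." in a server log usually means a non-normalising client (an old text-mode browser, a hand-written request, or a tool) rather than someone clicking around; that is part of why such a log entry draws attention. Second, the safe check keys on where the path resolves to, not on the presence of "..", so /SomeFolder/../index.html is served while anything that climbs out of the root is refused.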
Isn't that enough to destroy any credibility he might have otherwise had? If the dumb jackass had simply been honest - assuming he truly was well-intentioned and meaning only to protect himself - he would likely have never even found himself charged or in court.
This is an example of a smart guy who first made a dumb choice further compounded by a REALLY bad one.
If you wanna be trusted, it helps to bloody tell the truth!
I think by "a directory traversal attack," you mean "a directory traversal examination."
:)
...by Jury.
I was fighting FUD with FUD. I don't trust statistics.
I definitely feel less safe in Chicago and London (where I can't carry my defense) than in other large towns where I can.
My lady and I went through a carjack attempt 2 years ago in Chicago after pumping gas. When I yelled to her to get my gun, the 2 thugs took off. She later replied that my defense was at home.
No one threatens my body or my person without answering me. I plead the 2nd.
Yes, the two thugs did run off, and yes I'd have shot them both illegally without warning.
I also scared off a robber at one of my retail stores with my defense. He was more scared by my calm demeanor than by a tiny .22. If it was loaded, I'd have shot him, too.
I believe in my basic human rights:
1. I can say anything, on my property. You can not.
2. I will defend my property with lethal force at the first sign of a threat.
3. I will never allow a soldier to use my house for shelter.
4. No agent of the State can enter my car or home without a warrant. Even at a traffic stop.
5. I have nothing to say to the police, ever. My property will not be taken from me without proper compensation.
6. If I am arrested, I expect a speedy trial...
7.
8. If arrested I will pay a reasonable bail and never be tortured.
Simple enough. If any of these rights are denied, see #2.
Stupid analogy, but I'll bite.
It's more like a Red Cross person asks you for money, but doesn't say thank you, so you try to turn over their badge to see if it's valid. Later on, you are arrested on charges of assault and battery, even though all you touched was the badge.
Then under questioning, you can't recall what hand you used, so you guess your right. Video footage shows you used your left. And then the judge says that even though you obviously didn't commit assault and battery, he's going to convict you of those crimes, because you lied to the police.
Send your comment to the Magistrates' Court at Horseferry and ask that it be forwarded to Judge Q. Purdy. (Probably in the form of printed paper, since I doubt this guy is trusted by Her Majesty's government with a computer.)
Tech Public Policy stuff
It wouldn't have sounded even remotely that way if you would have had any experience surfing around websites in lynx....
You've made a grave error of understanding, there are no citizens of the UK. We are subjects of Her Majesty, Queen Elizabeth the Second.
Who's with me?! I SAID... WHO'S WITH ME!!??