Consultant Convicted For Non-Invasive Site Access
Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said."
The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."
Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.
John
I think by "couple of checks," you mean "a directory traversal attack."
http://www.theregister.co.uk/2005/10/05/dec_case/
RTFA.
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it."
British Law says that if you know you are not allowed access, you cannot attempt to circumvent system security.
What makes this case so interesting is:
"This is thought to be the first time that a judge had indicated that -- despite the letter of the act -- knowingly accessing a system when unauthorised to do so is not necessarily a crime."
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Perjury is a crime, though lying to police is not. Never said he changed his story in court, only to the police.
I am Bennett Haselton! I am Bennett Haselton!
Perjury is a crime, you know.
Perjury is a crime committed in court, not in an interview room. To put this in context, in the USA and many other countries, it's perfectly acceptable to say nothing when questioned by the police. Indeed, I believe the Constitution or an amendment (I'm neither a US citizen nor resident) grants citizens the right not to incriminate themselves. I'm not aware of any such right in Britain, and in Britain when you're arrested you are advised that:
In other words, you're strongly "encouraged" not to remain silent.
I'm neither condoning nor condemning Mr. Cuthbert's statements to the police, merely suggesting that we don't know why Cuthbert chose to (allegedly) lie.
This is where the serious fun begins.
http://www.theregister.co.uk/2005/10/05/dec_case/
'DEC hacking' trial opens
Accused gives evidence
By John Oates
Published Wednesday 5th October 2005 16:22 GMT
Horseferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.
Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.
Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.
Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.
The case continues tomorrow. ®
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
Directory traversal, and using lynx.
He gave them £30 (at the time, ~ US$58). This is the opposite of defrauding them...
He clicked on a banner ad to donate to the UK's Disasters Emergency Committee's appeal for the December tsunami in Asia, and got no confirmation page. His first thought was that this was a phishing site and he'd been scammed. So he panicked and tried the directory traversal...
No. This was AFAIK his first offence of any sort at all - and now his career's in ruins.
The Computer Misuse Act (1990) is an appalling piece of shoddy law - speaking as an IT professional who's actually had to read it. The only thing it's good for is threatening users.
BT's IDS monitors must suck fat donkey's cock; I shall certainly be doing everything I can to avoid putting work in the way of these clowns, and making sure no company that asks me to interview an ex-BT Infosec person will ever hire them. The PHBs at BT (the ones responsible for seeing the sort of IDS false positives that fill our logs on a daily basis and calling the cops to boot in the door of this uber-haxx0r who was, uh, doing it from his own personal computer (rather than bouncing thru anonymous proxies or other hacked machines) and effectively destroy his career) need to be treated with utter contempt and derision for their appalling lack of clue, common sense, and for behaving like what we used to call "little Hitlers". Fuck them. I would not be AT ALL surprised if some of the *real* kiddies out there adopt this unfortunate victim and start defacing sites with calls for him to be exonerated - after all he's infinitely less guilty than Mitnick ever was.
Today I'm disgusted and depressed by the technical illiteracy not only of the police and justice system (which we expect) but of the people hired to host the site. Fuck BT, and may 'OpenRetch' signal the beginning of the end for this first, and most evil monopoly telco ever to blight the bright future of telecoms and technology in the country they battened on to. (Yes, they're supposedly not a monopoly any more, but despite being privatised in 1984(!!) they are only now finally allowing the local loop to be prised from their cold, morally-dead fingers.)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
The Joy of Directory Traversal Attacks
In other words, if you're in the UK, don't type "../" in a URL or you go to jail.
You have the right to remain silent. Use it, and talk to a lawyer.
In the UK you don't really have the right to remain silent anymore. They changed that in 94 I believe. What they basically say now upon arrest is
"You could harm your defense if you fail to mention when questioned something that you later rely on in court"
This is the same guy from the earlier story about Lynx. Read the article. The reason he got convicted wasn't so much about accessing the site, but because he made up the convoluted lynx story earlier.
>> Today I'm disgusted and depressed by the technical illiteracy not only of the police and justice system
Let's assume for a moment the judge didn't have _any_ technical knowledge.
What he did know was that the defendant had lied to police while making his initial statement . I'm pretty sure the judge felt he was on familiar ground at that point. That is what got him convicted, not the technical aspects.
Not only has this cost a man his job, but you lucky Brits now have a case to be used as precedent. Better not type any URLs in manually, you might accidentally "hack" a system...
http://request-header.info
It looks like he initially lied to the police and said the reason the IDS detected it as a hack was because he was using Lynx. That is the first story that went around the net. He was on Solaris, using Lynx, made a credit card payment, and the IDS picked it up as a hack.
Here's the original BoingBoing: http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html
and then: http://www.boingboing.net/2005/02/11/supposed_tsunami_cha.html
In the end, despite his initial lie, all he did was try a directory traversal 'attack' (the ../ trick to try and break out of the root web directory). Not so much as an attack, as a query.
Basically he was trying to answer: "Is this site vulnerable to this easily exploited flaw, and if so, I better call them or my credit card number is going to make its way around the Russian mafia sites in no time".
I don't doubt he was secretly hoping the flaw existed so he could get some fame saving a disaster relief web site.
I guess then technically, if you click the following link, their IDS should flag it as a 'hack' and if you live in jolly ol' England expect a boot at your door: Don't click me or you go to Jail!
If you try it out, let me know how fast their response time is.
-Malakai
A Dragon Lives in my Garage
Say the URL was site.com/thanks.html. He changed it to site.com/../thanks.html.
Apparently some dynamic sites just grab whatever's after .com/ and use it as parameters with no sanity check. He tried it, they had a sanity check, they logged it as an attack. Stoopid. I don't see how it's an attack. Wikipedia says you could potentially change it to ../../../../etc/passwd and try to guess the number of levels you are away.
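What the "sanity check" the comment above mentions looks like in practice, as an added example that is not from this thread or from BT: a path check that rejects any ".." segment (including percent-encoded ones) instead of silently normalizing it, and a small scan over constructed access-log lines that groups the rejected requests by client address so an analyst can tell two attempts from one home IP apart from a sustained probe. The web root, log lines and log format are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # constructed example root, not any real server layout


def check_request_path(request_path):
    """Classify a URL path from a request line. Returns ('ok', resolved file
    path) or ('rejected', reason). Rejecting rather than silently normalizing
    is what turns a stray "../" into a log entry an IDS can see."""
    decoded = unquote(request_path)  # expose "%2e%2e" as ".."
    if "\x00" in decoded:
        return "rejected", "null byte in path"
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return "rejected", "parent-directory segment"
    full = posixpath.normpath(posixpath.join(WEB_ROOT, *segments))
    # Belt and braces: the resolved path must still sit under WEB_ROOT.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return "rejected", "resolved outside web root"
    return "ok", full


# Common Log Format: client, ident, user, [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not real donate.bt.com logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Dec/2004:15:02:11 +0000] "GET /thanks.html HTTP/1.1" 200 1532',
    '203.0.113.7 - - [31/Dec/2004:15:02:40 +0000] "GET /../thanks.html HTTP/1.1" 400 301',
    '203.0.113.7 - - [31/Dec/2004:15:03:05 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 301',
    '198.51.100.2 - - [31/Dec/2004:15:03:09 +0000] "GET /images/./logo.gif HTTP/1.1" 200 8820',
]


def scan_access_log(lines):
    """Group rejected request paths by client IP so an analyst sees two
    attempts from one address as two attempts, not as a breach."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        status, _detail = check_request_path(path.split("?", 1)[0])
        if status == "rejected":
            hits.setdefault(ip, []).append(path)
    return hits
```

Running `scan_access_log(SAMPLE_LOG)` on the constructed lines reports only 203.0.113.7, with its two "../" requests; the "/./" request from the other address resolves cleanly under the web root and is not flagged.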
If you are smart, you will assume everything a policeman says is a lie.
Every time I have interacted with the police, they have told me a lie like "You were going so fast I didn't think I would be able to catch you!" (I was going 45 MPH on a small stretch of road where the limit dips from 50 to 35 for a brief period while it's technically "in a town". Yes, I was speeding, but to say that he couldn't have caught me was ridiculous hyperbole.)
Another lie: "No, there's no way we can ever catch the person who shot your house with paintballs". While the guy was telling me this, another officer radioed him to say they had pulled over a group of teens 2 blocks from my house who all had paintball guns and were shooting up the neighborhood.
Another police lie: "Your friend has already confessed that the two of you committed armed robbery." The circumstance was that I was in college and they pulled over me and my friend on suspicion of armed robbery. Apparently two guys in a van had robbed someplace the week before and my friend who I went to lunch with had a van. Since we hadn't committed armed robbery, I knew the policeman was lying. I was too scared to actually say that he was lying (i.e. I didn't say "You are a dirty liar."), but I did say that I did not rob anyone. Of course, in the next room they were telling him the same thing. Fortunately the victim came down and looked at us and said, "No, these were not the guys who robbed me."
Avoid Missing Ball for High Score