Slashdot Mirror

← Back to Stories (view on slashdot.org)

Consultant Convicted For Non-Invasive Site Access

Posted by Zonk on from the anyone-else-thinking-greyhawk dept.

Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.

7 of 377 comments (clear)

  1. Much ado about nothing. by plover · · Score: 5, Informative
    TFA quite clearly states that he was convicted because he lied to the police about his activities. Here's the quote:

    "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

    Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

    The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said. "

    The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."

    Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.

    --
    John
    1. Re:Much ado about nothing. by Scrameustache · · Score: 4, Informative

      Yes, geeks should ALWAYS lie to the police

      Fer christ sake, STFU and ask for a lawyer!
      Don't lie to the police, that pisses them off.

      --

      You can't take the sky from me...

  2. couple of checks? by cdn2k1 · · Score: 5, Informative

    I think by "couple of checks," you mean "a directory traversal attack."

    http://www.theregister.co.uk/2005/10/05/dec_case/

  3. Re:seems like there could be more to this story. by Red+Flayer · · Score: 4, Informative

    RTFA.

    "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it."

    British Law says that if you know you are not allowed access, you cannot attempt to circumvent system security.

    What makes this case so interesting is:
    "This is thought to be the first time that a judge had indicated that -- despite the letter of the act -- knowingly accessing a system when unauthorised to do so is not necessarily a crime. "

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  4. Better summary by DrSkwid · · Score: 4, Informative

    http://www.theregister.co.uk/2005/10/05/dec_case/

    'DEC hacking' trial opens
    Accused gives evidence
    By John Oates
    Published Wednesday 5th October 2005 16:22 GMT

    Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.

    Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.

    Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.

    Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.

    The case continues tomorrow. ®

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  5. Re:seems like there could be more to this story. by gormanly · · Score: 5, Informative
    He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?

    Directory traversal, and using lynx.

    He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)

    He gave them £30 (at the time, ~ US$58). This is the opposite of defrauding them...

    Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)

    He clicked on a banner add to donate to the UK's Disasters Emergency Committee's appeal for the December tsunami in Asia, and got no confirmation page. His first thought was that this was a phising site and he'd been scammed. So he panicked and tried the directory traversal...

    Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?

    No. This was AFAIK his first offence of any sort at all - and now his career's in ruins.

    The Computer Misuse Act (1990) is an apalling piece of shoddy law - speaking as an IT professional who's actually had to read it. The only thing it's good for is threatening users.

  6. Re:seems like there could be more to this story. by malakai · · Score: 4, Informative

    It looks like he initially lied to the police and said the the reason the IDS detected it as a hack, was because he was using Lynx. That is the first story that went around the net. He was on Solaris, using Lynx, made a credit card payment, and the IDS picked it up as a hack.

    Here's the original BoingBoig: http://www.boingboing.net/2005/01/27/jailed_for_us ing_a_n.html
    and then: http://www.boingboing.net/2005/02/11/supposed_tsun ami_cha.html

    In the end, despite his initial lie, all he did was try a directory traversal 'attack' (the ../ trick to try and break out of the root web directory). Not so much as an attack, as a query.
    Basically he was trying to answer: "Is this site vulnerable to this easily exploited flaw, and if so, I better call them or my Credit Card number is going to make it's waya round the russian mafia sites in no time".

    I don't doubt he was secretly hoping the flaw existed so he could get some fame saving a disaster relief web site.

    I guess then technically, if you click the following link, their IDS should flag it as a 'hack' and if you live in jolly ol'england expect a boot at your door: Don't click me or you go to Jail!

    If you try it out, let me know how fast their response time is.

    --
    -Malakai
    A Dragon Lives in my Garage