Slashdot Mirror


Consultant Convicted For Non-Invasive Site Access

Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.

3 of 377 comments

  1. Much ado about nothing. by plover · Score: 5, Informative
    TFA quite clearly states that he was convicted because he lied to the police about his activities. Here's the quote:

    "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

    Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

    The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said."

    The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."

    Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.

    --
    John
  2. couple of checks? by cdn2k1 · Score: 5, Informative

    I think by "couple of checks," you mean "a directory traversal attack."

    http://www.theregister.co.uk/2005/10/05/dec_case/

  3. Re:seems like there could be more to this story. by gormanly · Score: 5, Informative
    He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?

    Directory traversal, and using lynx.

    He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)

    He gave them £30 (at the time, ~ US$58). This is the opposite of defrauding them...

    Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)

    He clicked on a banner ad to donate to the UK's Disasters Emergency Committee's appeal for the December tsunami in Asia, and got no confirmation page. His first thought was that this was a phishing site and he'd been scammed. So he panicked and tried the directory traversal...

    Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?

    No. This was AFAIK his first offence of any sort at all - and now his career's in ruins.

    The Computer Misuse Act (1990) is an appalling piece of shoddy law - speaking as an IT professional who's actually had to read it. The only thing it's good for is threatening users.