Consultant Convicted For Non-Invasive Site Access
Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
UK lawlessness, nothing new?
The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.
This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.
TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.
Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it a malicious purpose (supposedly).
Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
Well, of course Slashdot left that out of the article summary. This needed to be a "Poor guy convicted for doing simple website checks, let's rally together fellow hackers and feel sorry for him" instead of "Guy lied to the police about what he did, a big no-no." The former gets more page hits from sympathetic Slashdotters, which means higher revenues for OSTG. Yes, kids, this site is owned by a corporation (a Linux corporation, in fact...suddenly all the anti-Microsoft, pro-GPL front page articles make sense for OSTG's bottom line). It amuses me how rarely people realize and acknowledge that.
This place is a big joke now. Go to Digg to see a site where users decide what gets posted. Digg readers knew about the iPod nano three days before its official announcement--Kevin Rose revealed it there.
"Sufferin' succotash."
He should probably have known better since his job deals specifically with security. I'm even surprised that he would get hit with a phishing attack to begin with. Also if he got hit that hard over this, what would have happened to the owners of the site if he had been defrauded and had reported it to the authorities instead (it sounds like he and the site were based in the UK)?
How many people get arrested for lying to the police? Martha Stewart, that runaway bride, this guy?
I'm not sure I understand the point of convicting someone of a crime unassociated to the lying part. For me, the fact that police are involved in all 3 of these nonviolent actions is the real crime.
The thing to note is to never talk to the cops. Ever. Let your lawyer say what needs to be said. Shut up, defend yourself at trial. You have no reason to talk, as you're innocent until they get facts to find you guilty.
This is how you know who to trust - if there is a possible MITM and hidden re-direct, etc.
If this is illegal, then it is illegal to automate these actions as well.
The conclusion from this is that web-spiders are a form of 'hacking', and Google is in violation.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
For my own safety I think I'll configure my copy of bind to not resolve names in the bt.com zone. BT's IDS is famously overzealous--anyone remember that 'hacker' gaoled for using Lynx story from last year? That was BT's fault as well.
After RTFA and then looking at the poll I'm amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage".
It's time to wake up people. First point: Yes he did cause damage. Money was spent investigating the intrusion which is monetary damages. Second point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.
How does this hurt the Penetration Testing career field as well lol (another piece of FUD in the article...) Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later on down the road. Documentation is kept during the process of testing so the testers can show that at point X when they were attempting attack Y they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal and he being a security consultant would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure people might sympathise with me if I was right, but that doesn't mean it makes it legal.
News Reporters Make Tasty Polar Bear Treats!
Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.
From ZDNet: Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty"
It looks to me that if he hadn't changed his story, nothing serious would have happened. If he had not talked to the cops without a lawyer, I think there's a good chance he would have gotten away with maybe a slap on the wrist. Since he lied to the cops to confuse the issue, the judge got mad and used a guilty verdict as a punishment for a lie. That's just wrong, and it sets a horrible precedent for future cases that are pursued based on a horrible law.
I guess it's not just the US who has a fuggered up legal system that bases legal decisions on petty "get even" routines... It's just sad.
--- "To ignore race and sex is racist and sexist!" -- Jesse Jackson
> I'm not sure I understand the point of convicting someone of a crime unassociated to the lying part. For me, the fact that police are involved in all 3 of these nonviolent actions is the real crime.
Yeah, that the police would make an effort to look for a missing person is a *real* crime. We don't want the people to be wasting their time doing that. I'm sorry, but many people disagree with you that police shouldn't get involved in missing persons cases.
> The thing to note is to never talk to the cops.

Actually there's another alternative. You could always tell the truth. That is more preferable than lying, or even not saying anything.
-Brent
Yup yup. It's not a good idea to lie to the investigators. Just ask Martha Stewart, and I'm sure she'll agree.
Agreed, but we can still assert that it was a silly thing for the police to have been questioning him about in the first place. Of course, the police, they were just doing their jobs and trying to enforce the law.
But it's either a bad law, or at least a misuse of the law on the part of those who called the police on this guy. WTF cares if someone hits a site using lynx? WTF cares if someone tries to access a directory and gets a 403 error? Now, if he tried to get a directory listing and IT WORKED, but then he didn't try to use the information he gleaned from it for his personal gain or to harm anyone, he still shouldn't be in trouble. (Somebody should probably get in trouble with their boss for not locking it down!)
Any law that says otherwise is idiotic. It sounds like TFA is saying that the judge in this case actually realizes that! In that case yay for the country that gave the world the Common Law, even if it's too little too late to help this guy.
where there's fish, there's cats
Interestingly enough, I've seen "../" in queries from search engines on my site while they were indexing it. Apparently looking for any and all content they could index. Does this make google and yahoo criminals also?
Need Free Juniper/NetScreen Support? JuniperForum
No, killed by being shot several times despite being unarmed. Don't you read the news?
You could've hired me.
It does seem strange that the judge effectively exonerated him of the crime of malicious intrusion, but convicted him of that very same crime solely because he lied to the police. Sounds like grounds for appeal, to me (IANAL).
I quite agree with you about not talking to the police, but remember in this wonderful country, the law says that it may affect your case if you later mention something in court, in your defence, that you didn't mention at the time you were questioned by police.
Personally, I'd like to see that nasty little assault on our right to silence thrown out, but there we are.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
> The thing to note is to never talk to the cops. Ever. Let your lawyer say what needs to be said.
Boy, if there's one thing I've learned from watching Law and Order, you _never_ volunteer anything to the cops, even if you didn't do anything. Being cooperative and answering their questions without a lawyer present only benefits the police and works against you.
You never see "Ok, thank you for coming down and clearing this up. Have a nice day".
I learned this a long time ago on a traffic stop. It was snowy and I had spun out trying to avoid someone who slid into my lane.
"How fast were you going?"
"I don't know. It was really coming down and I was going pretty slow. He was changing lanes and lost traction and started sliding towards me. I stepped on the brakes, and before I could do anything I started to slide too and spun out into the ditch here."
"How fast?"
"I really don't know... thirty, thirty-five?"
*scribble-rip*
"here you go"
"what's this?"
"citation -- travelling too fast for conditions"
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
If I'd gone to the police with an eye-witness statement of someone breaking into my car, the guy would have been arrested and charged. But when it comes to computers, it's still astrology to most law enforcement.
This is the mistake in your reasoning. The idea that the cops would care about the car theft is simply false. There may be a few police out there who would care, but none in my experience. A friend of mine once witnessed a few guys breaking into a corvette outside a nightclub in Houston (they weren't very good at it - clearly someone *thought* he knew how to hot-wire a car), walked a block to find a uniformed policeman, and spent 10 minutes trying to persuade the cop to go do something about it. Finally the corvette goes by with 2 of the thieves in it, and my friend just gives up. Realistically, he should be thankful *he* wasn't arrested for stealing the car!
I had a similar experience once when I was robbed/assaulted while delivering pizza. This particular thief wasn't very bright, and it was clear where he actually lived (he didn't quite rob me after ordering pizza to his own house, but it was about that stupid). I return to find a cop walking out of the pizza place with a couple of free pizzas, explain that I had just been robbed (like the still-flowing blood wasn't a clue), and that the guy was right down the road over there and "let's go arrest him". Couldn't get the cop to care. He did write me a ticket for expired tags the next day though, which was nice.
I could go on, but the theme is the same. You can guess how I feel about cops.
Socialism: a lie told by totalitarians and believed by fools.
The very fact the investigators couldn't discern between a cracking attempt and a directory traversal...
This article implies that it is against British law to edit urls. Crap, I do that all the time especially when googling for something and the page google finds is too specific. Quite often the more general answer I'm looking for is up one level. Do I now need to tell firefox and/or bind to never present me with uk urls for fear that some underclued admin will try to cause all sorts of legal problems?
There could be more to this story. But unfortunately, there really isn't.
The simple truth is that Dan is a top notch security guy, who had a prestigious position as lead penetration tester within an investment bank. He is also well known in the app-sec community, and his contributions to OWASP have been fundamental to the widespread success of that organization.
He was working overtime on New Year's Eve, alone in the office, during a time when most people were already well into their third or fourth pint.
During the course of a sanctioned pen-test he saw a banner ad for Tsunami relief and followed it. He then proceeded to make a donation for £30 which failed to return any confirmation of success. Those of you who read http://it.slashdot.org/comments.pl?sid=164612&cid=13741471 can see that the construction, legal organization, registration, and execution of the site are suspect.
Yes -- in the course of his work part of his regular duties were to identify phishing sites. So by this point something definitely appeared amiss. A quick ../ against a sloppily constructed phishing site could easily reveal a webroot of vhosts like ebay.com, paypal.com, hsbc.co.uk, etc. etc. And as a fellow penetration tester myself I can attest that in the days prior to his arrest, few in the security community would think twice before traversing directories. How could a valid URI that's RFC compliant be a violation of law?
Come on now. We all know what an attempt is at unauthorized access. Brute forcing an auth form overnight -- yes, that's certainly a (noisy and ridiculous) attempt at gaining unauthorized access. Checking for SQL injection (my name is John O'Callaghan, really!) ok sure. But "../" ?? Christ. What is this world coming to?
And now -- with respect to the judge coming down on Dan hard because he allegedly "lied" about his story, I would ask you to refrain from comment because it has not been established that Dan materially changed his story between the time of his initial police interview and when he took the stand to testify. At the time of his initial interview he may not even have remembered doing anything even remotely out of the ordinary (remember, ../ is something we all do from time to time, even if it's just to avoid hitting the *back* button on the browser!)
So before you all throw him under the bus I suggest you try and imagine what it would be like to be a professional, law abiding, upstanding member of the community, and then to have the cops bust into your workplace, cuff you, and then carry you out for questioning -- informing you that your residence is being searched, and your computers seized. I ask you if you would be cool and composed and have your facts recollected as perfectly as you would after 9+ months of time to think about it.
Anyway -- I think that this case represents a serious lack of understanding on the part of the legal system. An inability to understand the *technical* difference between a malicious attack (aimed at gaining unauthorized access), and the actions of a computer savvy philanthrope who wanted to verify that the donation he had just made wasn't on its way to a .ru bank account.
Only time (and perhaps an appeal) can heal the wounds that Britain's legal system, as well as its information technology security industry experienced yesterday.
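The distinction several posters draw above, between a `../` request the server refuses with a 403 and one that actually climbs out of the webroot and gets a 200, is the one an investigator or IDS should be making, and it can be read straight off the access log. This is an added example, not code from the article or from any poster; the log lines are constructed in Common Log Format and the verdict labels are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:23:41:02 +0000] "GET /donate/../ HTTP/1.1" 403 284
203.0.113.7 - - [31/Dec/2004:23:41:09 +0000] "GET /donate/%2e%2e/%2e%2e/ HTTP/1.1" 403 284
198.51.100.20 - - [31/Dec/2004:23:52:30 +0000] "GET /images/../images/logo.gif HTTP/1.1" 200 1182
192.0.2.99 - - [01/Jan/2005:00:03:11 +0000] "GET /donate/..%2f..%2f HTTP/1.1" 200 2310
192.0.2.99 - - [01/Jan/2005:00:03:14 +0000] "GET /donate/thanks.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

def normalize(path):
    """Decode percent-encoding (twice, to catch double encoding) and resolve
    '.' and '..' segments. Returns (canonical_path, escaped_root)."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    out, escaped = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True  # more '..' than directories: left the webroot
        else:
            out.append(seg)
    return "/" + "/".join(out), escaped

def classify(line):
    """Triage one log line. A '..' that stays inside the webroot (as search
    engine spiders send) is benign; a refused climb is a denied probe; a 2xx
    on a path that climbs above the webroot means the server served something
    it should have refused, which is a misconfiguration to fix, not just an
    attacker to chase."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, raw_path, status = m.groups()
    canon, escaped = normalize(raw_path)
    has_dotdot = ".." in unquote(unquote(raw_path))
    if escaped and status.startswith("2"):
        verdict = "escaped-root"
    elif has_dotdot and status in ("403", "404"):
        verdict = "denied-probe"
    else:
        verdict = "benign"
    return {"ip": ip, "raw": raw_path, "canonical": canon, "status": status, "verdict": verdict}

def triage(log_text):
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["ip"]:<14} {r["status"]} {r["verdict"]:<13} {r["raw"]} -> {r["canonical"]}')
```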
So he lied. What's wrong with that?
"WHERE DO I START?!" you're probably thinking.
Well, now let's turn the tables. I'll give you an example of the tides turning -
Last year, on my 18th birthday, I partied a little bit too hard. After hours of drinking, we went for a drive (YES, we DID have a sober driver.). Unfortunately, we ended up in a situation that the cops were called, and my 4 buddies and I had to spend the rest of my 18th birthday shackled to the walls in a PA State Police barracks. Now, at this point, I was too drunk to write, so they just made me sit there and did their rounds. After a few hours I see one... two... and then three... go up for their mugshot and then leave... and then they finally let me go.
So, I go outside to meet my friends and try to find them a way home, and I promptly get punched square in the face. "What the FUCK was that for?", I thought. Well, it turns out the state police, despite my inability to drive, write, or even talk without sounding like a raging alcoholic, had told my friends I had written a confession that said A - we had broken the windows (what got us there in the first place) and that B - everyone had been drinking. It would be in *their* best interest to do the same. So they did.
I could go into another example of the same thing happening to someone else, but I'm sure everyone's heard enough of them.
When my long-forgotten ancestors accepted this nation's founders' idea for government, they placed their trust in it for not only themselves, but everyone down the line, too. I've even heard cops say that "pig" stands for "Pride, Integrity, Guts". What's that middle word there?
If you would like your citizens to behave and be honest people of high moral standards, then you MUST do the same. With deceit comes dissension, and with dissension, revolution is born. Those that lead must do so by example, and soon enough, those that should be removed from society will become very evident.
To put it short, How can you trust a liar? You can't, no matter how truthful they are.