Slashdot Mirror


Consultant Convicted For Non-Invasive Site Access

Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.

5 of 377 comments

  1. Unintended consequence of regulation and control by dada21 · Score: 4, Interesting

    UK lawlessness, nothing new?

    The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.

    This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.

    TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.

    Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.

  2. Hmm. by sdirrim · Score: 3, Interesting

    On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it for a malicious purpose (supposedly).

    --
    Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
  3. Re:Much ado about nothing. by Overly+Critical+Guy · Score: 3, Interesting

    Well, of course Slashdot left that out of the article summary. This needed to be a "Poor guy convicted for doing simple website checks, let's rally together fellow hackers and feel sorry for him" instead of "Guy lied to the police about what he did, a big no-no." The former gets more page hits from sympathetic Slashdotters, which means higher revenues for OSTG. Yes, kids, this site is owned by a corporation (a Linux corporation, in fact...suddenly all the anti-Microsoft, pro-GPL front page articles make sense for OSTG's bottom line). It amuses me how rarely people realize and acknowledge that.

    This place is a big joke now. Go to Digg to see a site where users decide what gets posted. Digg readers knew about the iPod nano three days before its official announcement--Kevin Rose revealed it there.

    --
    "Sufferin' succotash."
  4. Re:Unintended consequence of regulation and control by cybergrunt69 · Score: 3, Interesting
    Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.

    Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.

    From ZDNet: Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.

    District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty".

    It looks to me that if he hadn't changed his story, nothing serious would have happened. If he had not talked to the cops without a lawyer, I think there's a good chance he would have gotten away with maybe a slap on the wrist. Since he lied to the cops to confuse the issue, the judge got mad and used a guilty verdict as a punishment for a lie. That's just wrong, and it sets a horrible precedent for future cases that are pursued based on a horrible law.

    I guess it's not just the US who has a fuggered up legal system that bases legal decision on petty "get even" routines... It's just sad.

    --
    --- "To ignore race and sex is racist and sexist!" -- Jesse Jackson
  5. Re:seems like there could be more to this story. by pariax · Score: 3, Interesting

    There could be more to this story. But unfortunately, there really isn't.

    The simple truth is that Dan is a top notch security guy, who had a prestigious position as lead penetration tester within an investment bank. He is also well known in the app-sec community, and his contributions to OWASP have been fundamental to the widespread success of that organization.

    He was working overtime on New Year's Eve, alone in the office, during a time when most people were already well into their third or fourth pint.

    During the course of a sanctioned pen-test he saw a banner ad for Tsunami relief and followed it. He then proceeded to make a donation for £30 which failed to return any confirmation of success. Those of you who read http://it.slashdot.org/comments.pl?sid=164612&cid=13741471 can see that the construction, legal organization, registration, and execution of the site are suspect.

    Yes -- in the course of his work part of his regular duties were to identify phishing sites. So by this point something definitely appeared amiss. A quick ../ against a sloppily constructed phishing site could easily reveal a webroot of vhosts like ebay.com, paypal.com, hsbc.co.uk, etc. etc. And as a fellow penetration tester myself I can attest that in the days prior to his arrest, few in the security community would think twice before traversing directories. How could a valid URI that's RFC compliant be a violation of law?

    Come on now. We all know what an attempt at unauthorized access is. Brute forcing an auth form overnight -- yes, that's certainly a (noisy and ridiculous) attempt at gaining unauthorized access. Checking for SQL injection (my name is John O'Callaghan, really!)? OK, sure. But "../"?? Christ. What is this world coming to?

    And now -- with respect to the judge coming down on Dan hard because he allegedly "lied" about his story, I would ask you to refrain from comment because it has not been established that Dan materially changed his story between the time of his initial police interview and when he took the stand to testify. At the time of his initial interview he may not even have remembered doing anything even remotely out of the ordinary (remember, ../ is something we all do from time to time, even if it's just to avoid hitting the *back* button on the browser!)

    So before you all throw him under the bus I suggest you try and imagine what it would be like to be a professional, law abiding, upstanding member of the community, and then to have the cops bust into your workplace, cuff you, and then carry you out for questioning -- informing you that your residence is being searched, and your computers seized. I ask you if you would be cool and composed and have your facts recollected as perfectly as you would after 9+ months of time to think about it.

    Anyway -- I think that this case represents a serious lack of understanding on the part of the legal system: an inability to understand the *technical* difference between a malicious attack (aimed at gaining unauthorized access) and the actions of a computer-savvy philanthropist who wanted to verify that the donation he had just made wasn't on its way to a .ru bank account.

    Only time (and perhaps an appeal) can heal the wounds that Britain's legal system, as well as its information technology security industry experienced yesterday.
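    An added example to go with pariax's post above (it is not code from the thread, from Cuthbert, or from the ZDNet article). It shows the two probes the post mentions, a "../" in the path and a stray apostrophe in a query string, as they would appear in a web server's access log, and why an RFC 3986-compliant server resolves the "../" to nothing more than its own web root. The log lines, IP addresses, paths and timestamps are constructed for illustration; the log format is assumed to be Apache "combined".

```python
"""Added example, not code from the Slashdot thread or the ZDNet article.

It runs over constructed Apache-style access-log lines (the IPs, paths and
timestamps are made up) and does two things the comment above touches on:
1. normalises each request path with RFC 3986 dot-segment removal, which is
   why a "../" against a compliant server cannot climb above the web root;
2. flags the two probes mentioned, a dot-segment traversal in the path and
   an apostrophe in the query string (the "O'Callaghan" SQL-injection tell),
   which is roughly what a site's "security system" keys on.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:22:14:03 +0000] "GET /donate/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2004:22:15:41 +0000] "GET /donate/../ HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2004:22:15:52 +0000] "GET /donate/..%2F..%2Fetc/passwd HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Dec/2004:22:16:10 +0000] "GET /donate/confirm?name=John%20O%27Callaghan HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Dec/2004:22:16:30 +0000] "GET /images/logo.png HTTP/1.1" 200 8813 "-" "Mozilla/5.0"
"""

# Apache "combined" format up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

TRAVERSAL = "dot-segment traversal"
APOSTROPHE = "apostrophe in query string"


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4, in its usual stack form.

    Each ".." pops one segment; popping an empty stack is a no-op, so the
    result never escapes "/". Only a server that skips this step (or decodes
    after resolving) can be made to serve files outside its web root.
    """
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def classify(target):
    """Return the probe labels present in one request-target string.

    The path is percent-decoded once before inspection so that "..%2F" is
    seen as "../"; a double-encoded "%252F" would need a second pass and is
    deliberately not handled here.
    """
    raw_path, _, raw_query = target.partition("?")
    labels = []
    if ".." in unquote(raw_path).split("/"):
        labels.append(TRAVERSAL)
    if "'" in unquote(raw_query):
        labels.append(APOSTROPHE)
    return labels


def scan(log_text):
    """Return (ip, target, normalised_path, status, labels) for flagged lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m["target"])
        if not labels:
            continue
        path = unquote(m["target"].partition("?")[0])
        hits.append((m["ip"], m["target"], remove_dot_segments(path),
                     int(m["status"]), labels))
    return hits


if __name__ == "__main__":
    for ip, target, norm, status, labels in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target!r} -> resolves to {norm!r}: {', '.join(labels)}")
```

    Run as-is, it flags three of the five constructed requests: the two traversals (whose normalised paths are "/" and "/etc/passwd", i.e. nothing above the root) and the apostrophe in the confirmation query. The normalised path is the useful column for a reviewer: it separates "asked for a path the server resolves harmlessly" from a server bug that would actually serve "/etc/passwd", which is the distinction the thread argues the court never drew.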