Consultant Convicted For Non-Invasive Site Access
Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
I can't help but suspect there must be more to this story than is being put forth. Part of me wants to believe his defense, "he never tried to defraud", but my distaste for legal mumbo jumbo makes me wonder more about the specifics:
On its face, this looks like serious stuff with serious consequences for seemingly innocent activity and should give pause to any internet users, but I suspect there's more to it than meets the public eye.
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said."
The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."
Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.
John
UK lawlessness, nothing new?
The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.
This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.
TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.
Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it for a malicious purpose (supposedly).
Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
While I sympathize with him, taking the law into your own hands on a whim, regardless of the crime or environment, should not be tolerated. If he was B&Eing into a biker hangout to see if they had his stolen TV, he'd be prosecuted in the exact same manner.
body massage!
I think by "couple of checks," you mean "a directory traversal attack."
http://www.theregister.co.uk/2005/10/05/dec_case/
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Though TFA tries to ring alarm bells over police cracking down on innocent activities, it also mentions that the guy initially lied to the police about his actions, leading the police down a time-consuming garden path.
So although the guy's "hacking" was fairly innocent, his response to the police was not. Perhaps he should be convicted of public mischief instead.
Life is like a web application. Sometime you need cookies just to get by.
He should probably have known better since his job deals specifically with security. I'm even surprised that he would get hit with a phishing attack to begin with. Also if he got hit that hard over this, what would have happened to the owners of the site if he had been defrauded and had reported it to the authorities instead (it sounds like he and the site were based in the UK)?
By the way, the first thing that (superficially) struck me about the story was the guy's name:
D an i e l Cuth bert
Have you read my blog lately?
Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Perjury is a crime, you know.
"IT: Consultant Convicted For Non-Invasive Site Access"
No. The consultant was convicted of attempting to access a system which he knew he was not authorized to access. He never got access -- it was the attempts that nailed him.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
However, we still don't have any laws against trolling. Shame, really...
Now that he's beginning his new career as a black hat...
The NSA: The only part of the US government that actually listens.
Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
Or how about picking up a phone and CALLING them. If there is no number to call, donate elsewhere.
-Valiss
It's interesting that, much like in Watergate, he got in trouble mostly because of the coverup, not the crime itself.
Have you read my blog lately?
Putting an innocent person to jail will make him want to get some retribution for his time spent UNFAILY in jail.
Will he trust in the government after? In trials? In the police? The guy feels betrayed by the same government he paid taxes to! What they're teaching him is to be much more careful the next time he tries to hack a site. Yeah, nice way to "reform" a "criminal".
The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.
After finding no cause to charge him, they instead convicted him of lying. So he was wrongfully accused, but during interrogation he lied.
Crazy world we live in. Why not arrest every tenth person for murder. See if they slip up some fact, then book them.
In my mind, if the original arrest is unfounded, take no action.
The "security consultant" clicked on a banner ad.
Then he gave his credit card info to the site that banner linked to.
Then he wondered if it was a phishing site so he tried to crack it.
Then he lied to the cops when they investigated.
And now he was fired. I for one do not see a problem with that last step given the preceding 4 steps.
This reads to me something like "If anybody tells you can't do something with a computer, and you do it anyway, it's a crime.".
So, in the UK, to attach criminal liability to your violation of any of my own wishes, I just have to somehow involve a computer.
What, by the way, is a computer in the UK? Do embedded devices count? Don't leave through that automatic door; Mickey here hasn't sold his quota of cars this week, and we want a fair chance to convince you to buy. Whoops--you triggered the photoeye, causing the automatic door to open. I guess you can't get more egalitarian than this--every individual has the right to pass criminal laws.
OK, this seems a really silly example. It is. After all, we trust the authorities to selectively enforce overly broad laws--only prosecuting the real bad guys.
Hell, it works on this side of the pond; why not over there?
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
I think the point of the GP post was simple: the "law" he broke infringes on basic rights. Just like watching CSS-encrypted DVDs on a Linux box is illegal, certain laws make criminals out of honest citizens.
If I were arrested in Fairbanks, AK, for carrying an ice-cream cone in my pocket, I would hope for some public outrage. Yes, there's a law against it; but that law infringes on my basic right to carry an ice-cream cone in whatever manner I desire.
"Hey! It's also illegal to put squirrels down your pants for the purposes of gambling!" -- Chief Wiggum
Not that I agree with the GP. I'm still undecided.
Microsoft is to software what Budweiser is to beer.
I do security audits for a living.
Although I do them with a fully endorsed and NOTARIZED release!
Rule number one:
"Thou shalt not perform any invasive activity against IPs that you do not have defacto administrative control over or have legal release (in hard copy) to do so."
I have no sympathy for the guy.
The comment at the end of the article is crap IMHO: "I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help"
Outside of publicly available DNS and ARIN information there's not much more you can do to a remote host to find out whatever information you are looking for. At least if you want to stay out of hot water.
"If you scan the port you go to court"
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
http://www.theregister.co.uk/2005/10/05/dec_case/
'DEC hacking' trial opens
Accused gives evidence
By John Oates
Published Wednesday 5th October 2005 16:22 GMT
Horseferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.
Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.
Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.
Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.
The case continues tomorrow. ®
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
I meant to say "UNFAIRLY".
He has been convicted because he lied to the police about it and that made the judge suspicious about his innocence. The judge is quoted as saying that if he'd have told police the truth he'd have been acquitted.
Just like Martha...
Happy Posting.
The synopsis states Daniel Cuthbert was "worried that he'd been stung by a phishing scam" as the motive for his unauthorized access to the site. The article never mentions motive. The one thing the article does make quite clear, which the synopsis doesn't, is the reason for his conviction was lying to the police. Seems as though he wasn't paying attention to the Martha Stewart case.
So, typing "/../" at the end of a URL is now considered a cybercrime?
He did basically break the law. But this is a similar situation to a Red Cross volunteer walking up to your door and asking for a donation, which you give out but then want to find out if it is valid. So you go to the local Red Cross and ask if the person you gave money to is legit. But in the online sense there isn't really a physical building you can go to, or people you can talk directly to. The distance that can be felt from websites, and sometimes their shoddiness, can leave a bad feeling that makes you wonder if it is legit or not.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
Don't get caught.
Guy should do time for posing as a security guru then getting busted.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
This reads to me something like "If anybody tells you can't do something with a computer, and you do it anyway, it's a crime." Change that to "If anybody tells you that you can't do something with THEIR computer, and you do it anyway, it's a crime" and you'll be on-target. That sounds fair to me.
Is it the job of a judge to convict someone of a crime they didn't commit as punishment for doing something else? This is a typical police state tactic, not something you expect in a civilized country. If he lied to cops, and that is a crime, that that is what he should have been convicted of. Convicting someone of the wrong crime (1) encourages judges to slap all kinds of convictions on people for no reason "maybe he didn't commit this crime but he's a shifty character so he deserves punishment anyway" and (2) reduces the ability of the justice system to deter crime by failing to deter the actual crime that was committed. It is crucial that the justice system doesn't just punish criminals but punishes criminals for the correct crime.
I hoped after all this he asked for his donation back.
Nyquil = Nectar of the devil
Moral of the story: Do not try to use the excuse of curiosity to break into another person's system? If he was concerned over the validity of the site in question he should have done web searches on it and/or other background checks. As a "security consultant" he should have known better and the judge IMO did the right thing. I don't see where this person's rights are being violated here as he was the one who acted as an attacker in this scenario.
If you think this is ok then would it be ok for me to use the excuse "I think Slashdot might be leaking personal information about me so let me try to gain privileged access to the site..." No it wouldn't.
News Reporters Make Tasty Polar Bear Treats!
Normal police don't carry guns but some specially trained ones do (anti-terrorism). Also major police stations have armed rapid response units.
Interesting theory, that you shouldn't be arrested for nonviolent actions.
So, if I steal your car (say I'm a locksmith, so I don't do any damage at all), I shouldn't be arrested? I haven't done anything violent---just opened the car door, started the engine, and driven off. (For the sake of argument, let's say that you're asleep, far, far away.)
That's gonna undercut the whole ``capitalist" part of ``anarchocapitalism," since people would then be free to commit nonviolent property crimes.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
I'm sorry, abuse?
Does this mean if, for example, your car was stolen with no violence involved, you would be happy if no action was taken? What if your house was burnt down by someone who doesn't like you, but again, no violence was involved. I'm sure this would be acceptable too, right?
Whether you like it or not, the Computer Misuse Act (1990) is here for a reason. It is not a basic human right to access computer systems you are not authorised to access. It is not a basic human right to "check for security".
You do have the right not to donate to certain websites, and not to use certain websites. You also have the right to search the web for opinions of others who have used a particular service.
Sadly, I suspect your original post is nothing short of trolling.
Backup not found: (A)bort (R)etry (P)anic
Er... free Kevin Mitnick?
Fuck it
It sounds more like a red cross person asks you for money, but doesn't say thank you, so you try to pickpocket them to check their ID is valid, and then get caught with your hand in their pocket.
I am TheRaven on Soylent News
I completely agree with you, but be careful about how you fling about the term "right." Rights are things that all men possess as an incident of being human beings. They cannot be taken away or awarded, you always have them. Governments may only choose to recognize them or ignore them. This is the fundamental principle of American individual liberty, and our civil rights. We play fast and loose with what constitutes a "right" on Slashdot. Does this guy have the "right" to "[carry] out two tests to check the security of the site" and does a law preventing such a thing violate that right? I honestly don't know, and I suspect neither do most of the outraged posters on Slashdot. It's a comforting assumption that we have such a right, but do we really? That's really the question that an article like this should beg, and it might start an intellectual conversation, which is almost always a more edifying experience than the predictable Slashdot outrage whenever one of "our own" is brutalized by The Man for breaking laws that we find unpalatable.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
For my own safety I think I'll configure my copy of bind to not resolve names in the bt.com zone. BT's IDS is famously overzealous--anyone remember that 'hacker' gaoled for using Lynx story from last year? That was BT's fault as well.
Perhaps there are places where one can legally lie to the cops, but I was charged and convicted for "providing false information to an officer" when I was a kid, because I told them I had car insurance when I didn't.
They also charged me with "not having insurance", and "not having proof of insurance" (separate charges in that state; not all states criminalize both, and a couple don't require insurance at all).
In any event, the cops just charged me with a whole bunch of shit so that some of it might stick. That's how our frail and clumsy "justice" system works: spew lots of charges so you can throw some out to "work out a deal."
First, I have not RTFA. (Who does?)
Second, what exactly was so illegal? I've done many ARIN queries and borrowed Symantec's geographic IP locator to find out about various sites. Nobody's come knocking on my door (yet).
At least she'll SAY she agrees.
Exam 4/C again. Maybe I'll do better this time.
It would be helpful to know exactly what he did.
Did he run an exploit, did he test for the vulnerability of the system against an exploit?
Was it SQL Injection, Java Injection or just plain login abuse?
Hard to determine whether he was truly attempting to gain "unauthorized access" without knowing more details, but what I can say is that this is a cut and dry text book case.
1). Attacker attempts to exploit vulnerability (regardless of how/why)
2). IDS Detects and Logs Attacker
3). Law Enforcement is contacted and provided with logs and asked to act
4). Law Enforcement acts, legal system convicts attacker
The US version of the Red Cross has a less than adequate reputation. I've heard that the International Red Cross is better, but they aren't supporting the Katrina victims. And much of the aid that was sent was denied entrance by FEMA.
I feel that the money I donated was probably shanghaied, but the goods that were donated probably got through.
I think we've pushed this "anyone can grow up to be president" thing too far.
who gets caught red handed, then comes up with a (very weak) lie to cover.
I'm NOT saying this guy is lying (I'm just implying it)
After RTFA and then looking at the poll I am amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage".
It's time to wake up people. First point: Yes he did cause damage. Money was spent investigating the intrusion which is monetary damages. Second Point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.
How does this hurt the Penetration Testing career field as well lol (another piece of FUD in the article...) Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later down the road. Documentation is kept during the process of testing so the testers can show that at point X when they were attempting attack Y they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal and he being a security consultant would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure people might sympathise with me if I was right, but that doesn't mean it makes it legal.
News Reporters Make Tasty Polar Bear Treats!
"This is a country that won't let their citizens bear arms (increasing crime [lewrockwell.com]), but will let security officers shoot first and never ask questions."
I didn't go to your presumably gun-nut link, but I really don't understand what you're saying here. Are you saying that the Brazilian guy, had he been carrying a gun, would have been less likely to get shot in the head? What would you have had him do? Shoot the advancing security personnel?
Repeat after me: I DO NOT LIVE IN THE OLD WEST. I CANNOT SHOOT COPS BEFORE THEY SHOOT ME.
I'll just use my special getting high powers one more time...
Somehow, I think Daniel Cuthbert, 28, east London, arrested on January 20th and the Solaris-using, Lynx-toting 28-year-old east Londoner arrested about the same time are one and the same.
So much for the "Lynx theory".
Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.
zdnet Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty"
It looks to me that if he hadn't changed his story, nothing serious would have happened. If he had not talked to the cops without a lawyer, I think there's a good chance he would have gotten away with maybe a slap on the wrist. Since he lied to the cops to confuse the issue, the judge got mad and used a guilty verdict as a punishment for a lie. That's just wrong, and it sets a horrible precedent for future cases that are pursued based on a horrible law.
I guess it's not just the US who has a fuggered up legal system that bases legal decision on petty "get even" routines... It's just sad.
--- "To ignore race and sex is racist and sexist!" -- Jesse Jackson
Do not try to use the excuse of curiosity to break into another person's system?
Directory traversing IMO isn't trying to break into a system. Neither is SQL Injection or anything else.
If you leave your blinds open when you shag your wife, and I look in your windows from the street, I'm not breaking any laws. Close your damn blinds.
Really, a web site is up for public consumption, and directory traversing is quite a common http request. Web developers use it all the time - to specify images or a css file or a js file or whatever.
He's just doing what a script is already allowed to do on the server.
If you don't want it happening on your server, lock it out. It's easy. IIS 6 blocks that by default, and using mod_security you can block that request easily enough.
Truth is, it's an idiot webmaster, and an idiot judge. I think it's making a mountain out of a mole hill.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
The Joy of Directory Traversal Attacks
In other words, if you're in the UK, don't type "../" in a URL or you go to jail.
I made similar points to the ZDNet op-ed piece linked above in an op-ed of my own from March:
http://news.com.com/Is+identity+theft+inevitable/2010-1029_3-5648740.html
of the Constitution, so when you refer to the Constitution you are referring to the amendments as well. Also, the Constitution does not grant rights to people, but guarantees them, or takes them away.
http://www.usconstitution.net/const.html#Am5
While it wasn't clear on what he did when accessing the system I think that this was a fair ruling. These computer security experts are invading others' systems which are running legitimately or not. I see this in the same way as an uninvited person entering your house and rummaging through your stuff. While this does hinder computer security experts from doing their job efficiently, it protects the right to privacy of the system's owner. What I feel should be done is for the government to create a system in which security experts can become government trained and certified to go into systems in a particular way (same way police gather evidence). After they are trained they should be allowed to use a service where they can apply for a warrant if enough evidence is gathered about the suspiciousness of the site. I see this as being a fair way to protect the rights of the system's owner. The only issues I find with this approach would be efficiency. Anyone agree with me?
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
Well no shit! The people who were prosecuting him clearly couldn't handle the truth. These are not reasonable people. One who arrests another for a directory traversal (with no evidence of cracking) is not a reasonable person.
The very fact the investigators couldn't discern between a cracking attempt and a directory traversal is evidence that the they were not capable of handling this type of work. Being an intelligent person, he probably figured the best course of action (to end this as quickly as possible) was to give the information to them in a way they could understand.
For example, if I were arrested for the same "offense," I would probably state something like this:
"I wasn't hacking; I was just using standard web access techniques to validate the site's identity."
Which, depending on your level of ignorance, may be construed as "lying." The investigator may live under the impression that the only type of web access which is "standard" is logging on the site using the main form. The investigators probably felt he was being an arrogant prick and wanted to make an example of him. This is not the purpose of law.
This guy donates 30 pounds to a charity, for which he receives no verification. He practices due diligence (against a phishing attack) by validating the authenticity of the site. And they have the nerve not only to arrest him, but to prosecute him! And convict him!
I am repulsed, and I weep for the security community.
A government is a body of people notably ungoverned - AC
I find it laughable that you don't think SQL injection for the purposes of gaining access to information that you are not authorized to view is ok? So I can do a bit of SQL injection and have password files or credit card information brought forward... But that is alright since you think "Directory traversing IMO isn't trying to break into a system. Neither is SQL Injection or anything else."
Oh and BTW using the Window analogy is really off. The front page of the website is the Window and what this person did was try and get around that Window by using old exploits. Not everything is as straightforward as they want to make it.
News Reporters Make Tasty Polar Bear Treats!
Your company used the police to deal with this?
I would have gone to the Cyber Crimes Division of the FBI. They'll get involved when there is more than $5000.00 in documentable damages.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
I've been wondering if this is the same guy who (supposedly) was arrested for using Lynx to access a charity site. If that was his original story -- "I didn't hack the site, I just accessed it using Lynx!" -- and it turned out to be untrue (as in he tried a known exploit, though only to verify info) -- that would fit with the article about the conviction.
Does anyone know whether this is the same case?
Wonder how good he is... Now that he's beginning his new career as a black hat...
This guy just lost his job, and will have more trouble getting another job in the security industry (depending on what they charge him with). Also, he will be very pissed off at the government and the law. Hence, the logical solution is to solve both problems by becoming a black hat -- or where else did you think he would apply his skills as a security expert if no one will hire him? (Not that I think he is a bad guy, donating to Tsunami relief and all)
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Attempting to access a computer without permission may or may not be a criminal offence.
We don't know what he really did, or what his real intent was.
Cast in the light of a security expert checking to ensure the donation site is legitimate you might give them the benefit of the doubt and let them off.
Considering he lied and changed his story you might be more inclined to think he is lying about the original intent behind the actions.
Say the url was site.com/thanks.html. He changed it to site.com/../thanks.html.
Apparently some dynamic sites just grab whatever's after .com/ and use it as parameters with no sanity check. He tried it, they had a sanity check, they logged it as an attack. Stoopid. I don't see how it's an attack. Wikipedia says you could potentially change it to ../../../../etc/passwd and try guess the number of levels you are away.
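The "sanity check" the two posts above argue about (the one at L162-L167 and this one), as an added example that is not code from the thread, from BT, or from any product mentioned: a path resolver that confines requests to a document root, and a detector that flags traversal attempts in constructed web-server log lines. WEBROOT, the log format and the sample lines are assumptions.

```python
"""Confine request paths to a web root and flag traversal attempts in logs.

Added example; WEBROOT and the Common-Log-Format sample lines are constructed.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed document root for the sample application.
WEBROOT = "/var/www/site"

# Constructed log lines (not from any real server). The second request is the
# "site.com/../thanks.html" case discussed above; the fourth is percent-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2005:10:00:01 +0000] "GET /thanks.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2005:10:00:09 +0000] "GET /../thanks.html HTTP/1.1" 403 210',
    '203.0.113.5 - - [01/Jan/2005:10:01:30 +0000] "GET /images/../style.css HTTP/1.1" 200 1800',
    '198.51.100.7 - - [01/Jan/2005:10:02:44 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 160',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Drop the query string, percent-decode twice (catches %252e%252e) and
    unify separators, so the checks below see what the filesystem would see."""
    path = raw.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if the path climbs above the web root at any point.

    A ".." that merely undoes an earlier segment ("/images/../style.css") is
    the ordinary relative reference web developers use; a ".." with nothing
    left to pop ("/../thanks.html") is the thing worth logging.
    """
    depth = 0
    for seg in decode_path(raw_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def resolve(raw_path: str) -> Optional[str]:
    """Map a request path to a filesystem path, or None if it escapes WEBROOT.

    posixpath.normpath collapses "a/../b" but happily yields "../x", so the
    containment check afterwards is the actual sanity check, kept even though
    is_traversal() already rejected the obvious cases.
    """
    if is_traversal(raw_path):
        return None
    relative = decode_path(raw_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(WEBROOT, relative))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return None
    return target


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client ip, raw path, status) for every logged request whose
    path tries to climb above the root, whether or not the server blocked it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a CLF line; skip rather than guess
        if is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip} requested {path!r} -> server returned {status}")
```

The detector reports the attempt regardless of the response code, which is what lets an operator separate a blocked probe from one that reached the filesystem.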
Thanks, buster! I repeated that and I am feeling very silly because of the numerous uncomfortable stares I am receiving right now. I hate this library anyway.
-Jam
Remember, without BT, there would be no WWW; after all, you do know that BT invented the hyperlink.
I'm not a network security person, but the few courses I did on the subject at uni drilled this into my head: don't test a computer's security without permission (preferably written) even if you work for the company that owns them. Surely any network security engineer would know not to do this? And wouldn't a person in the security field know enough to check out a site *before* giving them card details? And then going to a more trustworthy site, say oh I don't know redcross.org? To be honest, I think cyber-related crimes need a higher level of punishment for them because they are so hard to trace, and so prevalent. I do think though he would have gotten away with a slapped wrist or fine, but he did lie, which should definitely be factored in, how could they trust what he said about his motives after that? It'd be like getting caught trying to pick the lock on someone's house because they were out and had left their lights on. Just out of curiosity, what could doing a directory traversal (/../) possibly prove about the validity of a site? Oh, and do credit cards provide fraud protection for this kind of thing?
I had thought that lying to the police was against the law. perjury isn't the only way to lie illegally.
Exam 4/C again. Maybe I'll do better this time.
Great! Digg! That's where the cool kids hang out. That will leave slashdots for the ... erm ... nerds?
Have a look at http://www.dec.org.uk. They are currently supporting a campaign to help the worthy cause of the situation in the Niger. Click on the donate button and you will be taken to a shocking rendition of a 1997-esque payment page that looks awful. So I imagine our man Cuthbert looked again at the dec.org.uk site and it looks bona fide enough and also the whois entry stacks up.
I remember at the time that the BBC News carried a story at, or about the time of the Hogmanay (31st Dec 2004) regarding fake websites. I could only find this story on the BBC website 6 days after the alleged incident.
So our man Cuthbert panics. As you can see the basic link and page to securetrading.net (not even a .co.uk). Remember that 31-DEC-2004 is a Friday before a long holiday weekend. So there will be no one to phone. He looks at the certificate for the server-side SSL - "Secure trading Ltd" a UK company. But the whois entry is privately registered and does not have any standard company details on it - it is also registered abroad (which isn't a big worry, but remember this is a UK gov't sponsored website)
My next port of call is Companies House - where all UK Ltd companies have to be, by law, registered. So using their webcheck facility - it is company number 04591066 with an address in south east London. Not a government organisation, but seems wholly owned by another unknown company UC Media? securetrading.co.uk? No, they're someone else. Back to Companies House - searching for UC Media, can't find them, but there is an entry for UC Group Ltd at the same address. Bingo. Hang on. There are two insolvency notices on this company...
I'm sorry but I would have also panicked.
It seems to me that it's like a teen rattling a gate at the ball park to see if it is locked. While you might do so out of curiosity, or in an attempt to gain unauthorized access, it is still just checking to see if it is locked. If you have a valid ticket in your pocket, accessing through that gate would still be wrong, but checking that it is locked is not.
It does not matter if you have safe cracking tools in the garage at home, if you are simply standing outside the jewelry shop, and check to see if the door is locked or anyone is inside, this doesn't mean that you are attempting to steal diamonds. Sure, he may have had tools on his machine, but that is no different than saying a cop has a gun, and looked like he was trying to break into the store when the door was locked. Things are not always as they appear, and convicting on the basis of intention, especially when it is not overly easy to see the intention, is just wrong.
We have no need of, or room for, thought police in civilized society.
Of course, I may have missed a salient point here, but it just seems wrong to convict without evidence of harm.
In the case of where this seems to happen, like dangerous driving (intoxicated or not) it has been shown that this behavior does lead to accidents, and removing the driver from public roads is a safety measure that does not harm anyone. This is the reason for various lane markings, speed limits, etc.
In this case, there were no speed limits or lane markings, only a locked gate type of guidance. Convicting this man of attempting to steal when there is no blatant evidence is just wrong, and sets a bad precedent in my opinion. Banks don't keep their cash funds out on the sidewalk for a reason. If they did, and it went missing, what exactly would the courts say?
Additionally, it doesn't seem to ring true that a 'security expert' would leave such a trail as to be caught if he was truly trying to break into the system?
Support NYCountryLawyer RIAA vs People
Excuse the Star Trek quotation. :) But it's a good one.
"There can be no justice so long as laws are absolute."
The investigators and prosecutors should lose their jobs for wasting taxpayer money, prosecuting a professional for something clearly non-malicious. You don't charge someone for break and enter if they walk up your driveway to read your house number.
A government is a body of people notably ungoverned - AC
of course not but:
a) that doesn't mean he should get the same sentence as if he did.
b) your analogy sucks.
This is the equivalent of rattling the door on a store front.
The Kruger Dunning explains most post on
By the way, the site was donate.bt.com. I would have gotten much better information had he just picked up a phone and called BT and asked them if it was legit.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
a, it's not a private home, don't use that analogy, it only associates a potential life threatening issue with a non life threatening issue.
b, while it would be wrong of me to enter a store that was locked, it would be wrong of me to rattle the door to see if it's locked. It also wouldn't be wrong of me to enter a store that wasn't locked even if they were closed.
why should computers that are on a system designed to allow people to access them be any different?
Smithers, I thought I told you not to start drinking before noon! Hmmm, WTF did I actually post up there, anyway?
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
If I'd gone to the police with an eye-witness statement of someone breaking into my car, the guy would have been arrested and charged. But when it comes to computers, it's still astrology to most law enforcement.
This is the mistake in your reasoning. The idea that the cops would care about the car theft is simply false. There may be a few police out there who would care, but none in my experience. A friend of mine once witnessed a few guys breaking into a Corvette outside a nightclub in Houston (they weren't very good at it - clearly someone *thought* he knew how to hot-wire a car), walked a block to find a uniformed policeman, and spent 10 minutes trying to persuade the cop to go do something about it. Finally the Corvette goes by with 2 of the thieves in it, and my friend just gives up. Realistically, he should be thankful *he* wasn't arrested for stealing the car!
I had a similar experience once when I was robbed/assaulted while delivering pizza. This particular thief wasn't very bright, and it was clear where he actually lived (he didn't quite rob me after ordering pizza to his own house, but it was about that stupid). I return to find a cop walking out of the pizza place with a couple of free pizzas, explain that I had just been robbed (like the still-flowing blood wasn't a clue), and that the guy was right down the road over there and "let's go arrest him". Couldn't get the cop to care. He did write me a ticket for expired tags the next day though, which was nice.
I could go on, but the theme is the same. You can guess how I feel about cops.
Socialism: a lie told by totalitarians and believed by fools.
No, it was denied by the Louisiana governor's office. They didn't want to create an attractant at the Superdome. Search for it on Google.
FEMA didn't go in because the media was reporting gang rapes and murders in the Superdome (which didn't happen). FEMA are relief works and volunteer coordinators - not military, so they stayed out. And the military can't go in either:
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
a computer on a system designed to let people access it is NOT the same as your HOUSE!
It is a shame that no one has posted what the actual lie was. Or was it a changing story?
1st interview:
cops - what did you do?
guy - I looked around the site to see if it was legit
2nd interview:
cops - what did you do?
guy - Well I fired up my Ultra 60 running Solaris, not that it had ZFS, but I started her up anyway. I was going to use mozilla/mozilla, but I forgot that I had accidentally removed an X lib earlier that year when I was testing a buffer exploit. So I dug up an old copy of lynx that I had cobbled together with color-xterm support. I remembered that I had not compiled it with SSL, so I had to rebuild it with an OpenSSL library. I then typed "../" on the end of the URL.
Judge - you changed your story! Liar liar pants on fire.
Boss - you're fired!
Seriously...again...is that me reading between the lines or ...
On Thursday, Daniel Cuthbert [...] was found guilty of breaching Section One of the Act [...]. He admitted attempting to access the Web site, which was collecting donations for victims of last year's tsunami.
So I understand that he "admitted accessing the web site"...Oh my...I just clicked on my "Slashdot" bookmark and accessed the web site. Is this not allowed any more?
The article also states:
Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site. As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."
So basically, I have been testing my web application all morning. As it turns out, I was testing the ACEJI security configuration and got a lot of "access denied", which I was expecting since I wrote the system.
This scenario falls under the Act description. I should be jailed!
OK...I think that's not me...I think this world is getting dangerously ignorant and stupid.
And of course, there can't be other reasons for rising crime can there? Oh no! That's why you read in papers about increased immigration, gypsies, the European Court of Human Rights... trying to link crime to them. Granted, most of those are just tabloid rants, but there are other factors.
More laws = more crimes = more criminals = more prisoners = more money for the State.
Where you got this bollocks on the other hand I have no idea! The prison population in the UK is about 77,000, but it's been rising since 1993, when there was a different government in charge! In fact it levelled off after 1997 for a short period. The average cost of keeping a prisoner was £38,753 (2002). By locking people up and providing full room and board, with none of them earning and able to contribute, is obviously another one of these:
Please don't drag up random crime statistics and figures without realising what they mean. The US has 726 prisoners per 100,000 people, the UK has 145. The US has 0.04 murders per 1000, the UK has 0.01 per 1000
He didn't even get into TFS!!!!
Now, let me get this straight, the guy donated money to a site, typed in a URL, and then got arrested! WTF!
Hundreds of people try, unsuccessfully, to log in to my SSH server with random usernames and passwords! I don't call the feds on all of them!
There's a huge difference between looking in someone's window and smashing it with a rock!
Anything that takes away someone's life or property or harms their body (against their will) is violent.
House burning and car stealing are both violent activities.
FUD.
Murder rates are higher in the US but violent crimes are much higher in the UK.
http://panda.com/advocacy.html
Gun crimes in the UK have more than doubled since the current Labour government took control.
and
people in London are now 6 times more likely to be mugged than people in New York City
The prisoner percentage is FUD, too. The supermajority of US prisoners are non-violent drug users. The UK is far less likely to prosecute petty drug crimes (see US Rockefeller laws and on).
To quote Chumbawamba: 'It is a great thing we have an unarmed police force in this country. It is perhaps an even greater thing that a force that is unarmed is able to shoot so many people'.
If corporations are people, aren't stockholders guilty of slavery?
So he lied. What's wrong with that?
"WHERE DO I START?!" you're probably thinking.
Well, now let's turn the tables. I'll give you an example of the tides turning -
Last year, on my 18th birthday, I partied a little bit too hard. After hours of drinking, we went for a drive (YES, we DID have a sober driver.). Unfortunately, we ended up in a situation that the cops were called, and my 4 buddies and I had to spend the rest of my 18th birthday shackled to the walls in a PA State Police barracks. Now, at this point, I was too drunk to write, so they just made me sit there and did their rounds. After a few hours I see one... two... and then three... go up for their mugshot and then leave... and then they finally let me go.
So, I go outside to meet my friends and try to find them a way home, and I promptly get punched square in the face. "What the FUCK was that for?", I thought. Well, it turns out the state police, despite my inability to drive, write, or even talk without sounding like a raging alcoholic, had told my friends I had written a confession that said A - we had broken the windows (what got us there in the first place) and that B - everyone had been drinking. It would be in <i>their</i> best interest to do the same. So they did.
I could go into another example of the same thing happening to someone else, but I'm sure everyone's heard enough of them.
When my long-forgotten ancestors accepted this nation's founders' idea for government, they placed their trust in it for not only themselves, but everyone down the line, too. I've even heard cops say that "pig" stands for "Pride, Integrity, Guts". What's that middle word there?
If you would like your citizens to behave and be honest people of high moral standards, then you MUST do the same. With deceit comes dissension, and with dissension, revolution is born. Those that lead must do so by example, and soon enough, those that should be removed from society will become very evident.
To put it short, How can you trust a liar? You can't, no matter how truthful they are.
However, that law doesn't mean what people seem to think it means, either. That merely stops the president from using the military as law enforcement in the US, despite being commander in chief.
FEMA does, in fact, have Congressional authorization to call in the military.
And it doesn't matter anyway, because 'protecting FEMA personal' isn't 'law enforcement', anymore than protecting military bases is.
I don't know what you mean by 'the military'. The National Guard is supposed to be the people providing martial law in the US, and the posse comitatus law doesn't talk about them.
Right, but it's the governor of the state that deals with that state's Guards, unless they've actively handed control over to the feds. This, of course, did not happen when/how it needed to in New Orleans.
FEMA does, in fact, have Congressional authorization to call in the military.
But that doesn't mean doodly until the governor of the state acts correctly to let that happen. Separation of those powers and obligations is very, very clear (and a good thing, too!).
And it doesn't matter anyway, because 'protecting FEMA personal' isn't 'law enforcement', anymore than protecting military bases is.
Assume you mean "personnel." Regardless, if those FEMA employees are civilians working off of the federal turf, then it's exactly a law enforcement issue if those people are threatened within our borders. If, though, actual martial law has been declared (rare!), then it's still law enforcement, but it's the military enforcing the law. Force protection on a military base is an entirely different thing, and not relevant unless FEMA happens to be working out of one.
Don't disappoint your bird dog. Go to the range.
The idea that the cops would care about the car theft is simply false. There may be a few police out there who would care, but none in my experience.
Where do you live, New Orleans? It's a shame you can't get your fellow voters to hold your city/county responsible for hiring decent LEOs.
I have interacted with police on the most trivial of stuff (neighborhood vandalism, cars broken into, etc) and on serious stuff (assault, business burglaries, financial fraud, etc) and have never found a single person I dealt with to be less than courteous, engaged, and dedicated to solving the problem. I've seen the vandals arrested, the car B&E asses arrested, the fraudsters arrested (and pushed up to the feds) and so on. I've dealt with beat cops, motor cops, detectives, administrators, even clerical assistants - all at the city, county, and state levels, in jurisdictions across multiple states. I have never experienced anything like what you're describing. So, if you have shitty local law enforcement, that's a shame - but it's your local culture, not "police" as a class of public servants that you should be bitching about.
It worries me that a ruling like this would come down when there was no proof of criminal intent, and no real harm was done. The judge even acknowledged this in his comments from the bench, but said that the way the law was written necessitated this verdict. First, the law is very loose in its definitions of "unauthorised access".
It seems that there were three levels where hysteria over computer crimes worked against the defendant. First, British Telecom had very sensitive intrusion alarms which can give false positives. Second, the police seemed overzealous in prosecuting what was just a small matter. Third, I'm not sure the judge had the knowledge to understand the technology or the actions that precipitated the legal actions. Add a vague and very loose definition in the computer crimes laws, and you have a recipe where someone can be wrongly convicted.
It's good to use your head, but not as a battering ram.
Hence my point of "Don't pull figures out without realising what they mean". My main point was that crime statistics skyrocketing (Especially "violent crime") is likely due to the change in recording of crimes. As I said, if an attack on a group of people is now recorded as one per person and not one for the group, then of course it's skyrocketing.
Murder rates are higher in the US but violent crimes are much higher in the UK.
Bollocks again, as I showed earlier US murder rates were 4x (.04 to .01) as much as UK ones, the site you quote says violent crime is just over 2x as high.
I'd like to see the sources for the "facts" on that page (You couldn't get a more biased site could you?). I've never seen those statistics anywhere else (Under the "Since the UK outlawed handguns" section). And the fact that British police are now routinely armed? If that's meant to mean with guns (Doesn't specify), then i think you'll find they're not. Anti-terrorist police (See No. 10) are, the standard copper doesn't carry a gun.
Anyway, we're off the topic by far now.
On Slashdot why defend the hacker. Yes I call him a hacker because I don't know what his intentions were, only he does.
Maybe he was a budding hacker trying out his leet skills and maybe it was an innocent mistake on his part, we will never know.
We do know that hopefully his troubles now will deter others from testing my server for traversal attacks or port scans or whatever.
Next time your logs show an attack attempt will you just ignore it thinking it's just someone testing for security?
Adding /../ to a URL is not an attack. It is legitimate URL syntax.
http://example.com/ => default page of example.com
http://example.com/SomeFolder/../ => display folder contents of example.com so that user can peruse list of available pages.
The dangerous precedent that this case sets, is that typing a URL into the address bar is an attempt to gain unlawful access, rather than (as I think it *should* be interpreted) a polite request as to whether a particular page is available to the public.
Since I have automatic redirects disabled on my browser, in order to use some sites (including bt's), I need to type in the full path to the home page, and my usual method involves trial and error.
So far I have tried
http://www.bt.co.uk/
http://www.bt.co.uk/index.html
http://www.bt.co.uk/index.htm
Woah. I just made 3 unsuccessful attempts to "access" bt's site. They'll be coming to get me now.
Well, if they do, I think I have a perfectly legit counterclaim - they tried to hijack my computer by redirecting my browser to a URL that I did not type in directly.
Adelle.
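As an added example (not code from this thread, from BT's site, or from the case), the following Python shows what actually happens to a "/../" segment on each side of the connection, which bears on both the post above and the earlier question about what appending "/../" could prove. It implements RFC 3986 section 5.2.4 dot-segment removal, which a conforming browser applies before the request ever leaves the machine (so a literal "/SomeFolder/../" is sent as "/"), and then the document-root containment check a server must make before it touches the filesystem, including the ordering bug where a server normalises the still-percent-encoded path and only decodes afterwards. The document root and request paths are constructed for illustration.

```python
# Added example (not code from the thread): RFC 3986 section 5.2.4
# dot-segment removal, plus the document-root containment check a web
# server must apply before mapping a URL path onto the filesystem.
# The docroot and request paths used below are made up for illustration.
import posixpath
from typing import Optional
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments as RFC 3986 section 5.2.4 prescribes.

    A conforming client does this before sending the request, and a
    server does it when normalising the request-target. A '..' at the
    root is simply discarded: it cannot climb above '/'.
    """
    absolute = path.startswith("/")
    segments = path.split("/")[1:] if absolute else path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")          # '/a/.'    -> '/a/'
        elif seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")          # '/a/b/..' -> '/a/'
        else:
            out.append(seg)
    joined = "/".join(out)
    return "/" + joined if absolute else joined


def contained(root: str, target: str) -> bool:
    """True if target is root itself or lies strictly beneath it."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(target)
    return target == root or target.startswith(root + "/")


def map_request(docroot: str, raw_path: str,
                decode_first: bool = True) -> Optional[str]:
    """Map a request-target onto the filesystem under docroot.

    Returns the resolved path, or None if it would leave docroot.
    decode_first=False reproduces a classic ordering bug: the server
    normalises the still-encoded path and only then percent-decodes,
    so '%2e%2e' survives normalisation and turns into '..' afterwards.
    The containment check is what still catches that case.
    """
    if decode_first:
        clean = remove_dot_segments(unquote(raw_path))   # correct order
    else:
        clean = unquote(remove_dot_segments(raw_path))   # buggy order
    target = posixpath.normpath(posixpath.join(docroot, clean.lstrip("/")))
    return target if contained(docroot, target) else None


if __name__ == "__main__":
    DOCROOT = "/var/www/donate"        # hypothetical document root
    # What the browser itself sends if you append '../' in the URL bar:
    print(remove_dot_segments("/SomeFolder/../"))      # '/'
    print(remove_dot_segments("/../"))                 # '/'
    # A raw or encoded '..' that reaches the server from a non-browser
    # client, shown with the correct and the buggy decode ordering:
    for raw in ("/index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd"):
        print(raw, map_request(DOCROOT, raw),
              map_request(DOCROOT, raw, decode_first=False))
```

The two things worth taking from it: a bare "/../" typed into a browser reaches the server already normalised to "/", which is why it is indistinguishable from a request for the front page; and whether a "../" that does reach the server is dangerous is decided entirely by the server's own decode-then-normalise-then-contain sequence, not by the client that sent it.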
The reports that I have heard from people who claimed to have been on the scene were fairly clear that FEMA was blocking aid provided by others. Doctors who were on the scene reported ... well, this isn't FEMA, this is some people dressed up as police officers (of some sort...these people weren't Louisiana locals, so they don't know the local uniforms) and presumably acting under orders confiscated their medical equipment and supplies and threw them in the river. Perhaps that wasn't FEMA, I wasn't there. It was certainly some group that appeared to be acting as an official group.
Perhaps I can't tie a lot of the things that I heard any more closely than to "the government", but FEMA was claiming to be in charge, so I believe then, and attribute the evil to them. If you want to think of them of as merely malfeasant, that's ok. It's still a felony.
I wasn't talking about the SuperDome, as I have heard nothing from anyone who claimed to have been there. And I don't believe anything in the news reports without independent confirmation. (You have given a good example of why in your response.)
I think we've pushed this "anyone can grow up to be president" thing too far.
The reports that I have heard from people who claimed to have been on the scene were fairly clear that FEMA was blocking aid provided by others. ... Perhaps that wasn't FEMA, I wasn't there. It was certainly some group that appeared to be acting as an official group.
It was the Louisiana Department of Homeland Security. See here.
but FEMA was claiming to be in charge, so I believe then, and attribute the evil to them. If you want to think of them of as merely malfeasant, that's ok. It's still a felony.
Huh? FEMA wasn't there for a few days, they're not first responders. They don't have the authority or manpower to override the state and local agencies. LDHS was managing first response. What felony are you going on about?
A quick portscan of 139 and 445 is a good indication if the machine in question is a hacked windoze box. These ports have no business to be exposed on a production webserver.
When I want to enter an outhouse, better shake its construction a bit to see if it won't collapse on me. When I want to drink something from a bottle, I take a sniff if somebody did not alter the content for a chemical (accidents happen). When I want to cross a road, I look. When I want to donate money to a website, I look too. Anything wrong with that?
Isn't that enough to destroy any credibility he might have otherwise had? If the dumb jackass had simply been honest - assuming he truly was well-intentioned and meaning only to protect himself - he would likely have never even found himself charged or in court.
This is an example of a smart guy who first made a dumb choice further compounded by a REALLY bad one.
If you wanna be trusted, it helps to bloody tell the truth!
:)
...by Jury.
I was fighting FUD with FUD. I don't trust statistics.
I definitely feel less safe in Chicago and London (where I can't carry my defense) than in other large towns where I can.
My lady and I went through a carjack attempt 2 years ago in Chicago after pumping gas. When I yelled to her to get my gun, the 2 thugs took off. She later replied that my defense was at home.
No one threatens my body or my person without answering me. I plead the 2nd.
Yes, the two thugs did run off, and yes I'd have shot them both illegally without warning.
I also scared off a robber at one of my retail stores with my defense. He was more scared by my calm demeanor than by a tiny .22. If it was loaded, I'd have shot him, too.
I believe in my basic human rights:
1. I can say anything, on my property. You can not.
2. I will defend my property with lethal force at the first sign of a threat.
3. I will never allow a soldier to use my house for shelter.
4. No agent of the State can enter my car or home without a warrant. Even at a traffic stop.
5. I have nothing to say to the police, ever. My property will not be taken from me without proper compensation.
6. If I am arrested, I expect a speedy trial...
7.
8. If arrested I will pay a reasonable bail and never be tortured.
Simple enough. If any of these rights are denied, see #2.
Perhaps I believed too much of what they were saying... at this point in time I can't go back and verify precisely which arm of the feds did what. The malfeasance was denial of life saving materials to those in need...denial as in blocking, not merely as in not providing. Perhaps those who did it, and their superiors who ordered it, should be charged with murder rather than malfeasance...and perhaps I shouldn't have particularly laid it at FEMA's foot. I was apparently believing too strongly in their press releases (and here I thought I was cynical).
I followed the link, and it doesn't lead to the people that made the report I heard. The "police" could, of course, have been operating under the control of Louisiana Homeland Security...but threatening to shoot doctors attempting to supply medical treatment who were already on the spot (they'd been attending a convention) and destroying their supplies and equipment is, in my mind, murder. Murder, conspiracy to commit murder, and felonious assault under cloak of authority. Probably a few other charges should go in there too. Both the police who engaged in the acts and their superiors who ordered them should be charged with that. The superiors who merely didn't prevent it should get off with malfeasance (not merely misfeasance). And I should be less trusting of PR releases saying that "we have everything under control" (which is how FEMA became associated with these acts in my mind).
Not that I don't still believe that FEMA is guilty of misfeasance, and conspiracy to commit misfeasance (is that malfeasance?) in their negligent planning. (Proving intentional neglect would be difficult...but it does seem probable. Look how quickly the contracts for repair ended up with Halliburton.)
Do I believe that ANYONE responsible will be charged? It is to laugh.
The superiors who merely didn't prevent it should get off with malfeasance (not merely misfeasance). And I should be less trusting of PR releases saying that "we have everything under control" (which is how FEMA became associated with these acts in my mind).
This guy Michael Brown may have some responsibility there - he was apparently unqualified to run emergency operations. Maybe he was qualified to run the bureaucracy but a good bureaucrat would have delegated emergency responsibilities. FEMA didn't get to the aftermath of Hugo for 30 days - Lord knows what they were thinking trying to take control of Katrina so soon.
Not that I don't still believe that FEMA is guilty of misfeasance, and conspiracy to commit misfeasance (is that malfeasance?) in their negligent planning. (Proving intentional neglect would be difficult...but it does seem probable.
The planning was pretty good - New Orleans was to be evacuated 48 hours before Katrina hit. They have a plan for exactly this. They had the resources to do it. They had the buses to get people out. What happened is the Mayor and Governor decided it would be politically unpopular if they ordered evacuation and the storm diverted. Bush called the Governor on Saturday and 'pleaded' with her to order the evacuation. This is what happens when you have a political input into a plan like this - there's no place for it and it'll f^ck things up every time. Just to illustrate the cranial anal inversion down there, the Red Cross was in place for disaster relief and was denied entrance by LDHS. It's not hard to find the smoking gun, unless you listen too much to the friends of the Governor masquerading as on-the-scene reporters.
Look how quickly the contracts for repair ended up with Halliburton.)
Would you have rather the contracts go through the normal FEMA 90-day bid process? Which companies could have taken the contract and hit the ground running? Halliburton, Bechtel, Kellogg, Don't forget the Shaw Group - they got 1/3 of the contracts and their CEO is Chairman of the Louisiana Democratic Party. You're barking up an apolitical tree.
Do I believe that ANYONE responsible will be charged? It is to laugh.
Exactly, right. The contractor who built the major failed levee filed a lawsuit in 1994(5?) to get the Army Corps of Engineers to allocate an additional $800,000 for foundation because the contractor considered the base of the levee unstable and unsuitable for the specifications given to it. Do you think the ACoE is going to catch heat? Do you think Les Aspin or Bill Perry will catch heat? Clinton? If anyone's going to get unelected over this it's the Mayor of New Orleans who had final say on not evacuating. Or maybe Mary Landrieu if her voting base decides not to move back to NOLA.
Stupid analogy, but I'll bite.
It's more like a Red Cross person asks you for money, but doesn't say thank you, so you try to turn over their badge to see if it's valid. Later on, you are arrested on charges of assault and battery, even though all you touched was the badge.
Then under questioning, you can't recall what hand you used, so you guess your right. Video footage shows you used your left. And then the judge says that even though you obviously didn't commit assault and battery, he's going to convict you of those crimes, because you lied to the police.
Send your comment to the Magistrate Court at Horseferry and ask that it be forwarded to Judge Q. Purdy. (probably in the form of printed paper, since I doubt this guy is trusted by Her Majesty's government with a computer)
Tech Public Policy stuff
Well, I only present my experience. But in my experience, the cops have never solved a single crime against my person or property (except the one guy, who when the police showed up when he and his friends were stealing my car, actually tried to hide in my car - but they let him go the next day). No one has ever been held accountable. In my experience, the police function only as insurance company functionaries, providing the paperwork that allows insurance claims, and writing the tickets that drive up insurance rates. Not that I haven't met polite cops, just never a *useful* cop.
Maybe it's a big-city thing.
You've made a grave error of understanding, there are no citizens of the UK. We are subjects of Her Majesty, Queen Elizabeth the Second.
Who's with me?! I SAID... WHO'S WITH ME!!??