Consultant Convicted For Non-Invasive Site Access
Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
I can't help but suspect there must be more to this story than is being put forth. Part of me wants to believe his defense, "he never tried to defraud", but my distaste for legal mumbo jumbo makes me wonder more about the specifics:
On its face, this looks like serious stuff with serious consequences for seemingly innocent activity and should give pause to any internet users, but I suspect there's more to it than meets the public eye.
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said. "
The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."
Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.
John
UK lawlessness, nothing new?
The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.
This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.
TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.
Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it a malicious purpose (supposedly).
Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
While I sympathize with him, taking the law into your own hands on a whim, regardless of the crime or environment, should not be tolerated. If he was B&Eing into a biker hangout to see if they had his stolen TV, he'd be prosecuted in the exact same manner.
body massage!
I think by "couple of checks," you mean "a directory traversal attack."
http://www.theregister.co.uk/2005/10/05/dec_case/
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Though TFA tries to ring alarm bells over police cracking down on innocent activities, it also mentions that the guy initially lied to the police about his actions, leading the police down a time-consuming garden path.
So although the guy's "hacking" was fairly innocent, his response to the police was not. Perhaps he should be convicted of public mischief instead.
Life is like a web application. Sometime you need cookies just to get by.
He should probably have known better since his job deals specifically with security. I'm even surprised that he would get hit with a phishing attack to begin with. Also if he got hit that hard over this, what would have happened to the owners of the site if he had been defrauded and had reported it to the authorities instead (it sounds like he and the site were based in the UK)?
However, we still don't have any laws against trolling. Shame, really...
Now that he's beginning his new career as a black hat...
The NSA: The only part of the US government that actually listens.
Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
Or how about picking up a phone and CALLING them. If there is no number to call, donate elsewhere.
-Valiss
Perjury is a crime, though lying to police is not. Never said he changed his story in court, only to the police.
I am Bennett Haselton! I am Bennett Haselton!
Generally making a statement to the police isn't done under oath.
And really, if the crime was perjury, why wasn't he convicted for perjury and not something else?
Putting an innocent person in jail will make him want to get some retribution for his time spent UNFAIRLY in jail.
Will he trust in the government after? In trials? In the police? The guy feels betrayed by the same government he paid taxes to! What they're teaching him is to be much more careful the next time he tries to hack a site. Yeah, nice way to "reform" a "criminal".
The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.
After finding no cause to charge him, they instead convicted him of lying. So he was wrongfully accused, but during interrogation he lied.
Crazy world we live in. Why not arrest every tenth person for murder. See if they slip up some fact, then book them.
In my mind, if the original arrest is unfounded, take no action.
This reads to me something like "If anybody tells you you can't do something with a computer, and you do it anyway, it's a crime."
So, in the UK, to attach criminal liability to your violation of any of my own wishes, I just have to somehow involve a computer.
What, by the way, is a computer in the UK? Do embedded devices count? Don't leave through that automatic door; Mickey here hasn't sold his quota of cars this week, and we want a fair chance to convince you to buy. Whoops--you triggered the photoeye, causing the automatic door to open. I guess you can't get more egalitarian than this--every individual has the right to pass criminal laws.
OK, this seems a really silly example. It is. After all, we trust the authorities to selectively enforce overly broad laws--only prosecuting the real bad guys.
Hell, it works on this side of the pond; why not over there?
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.
I think the point of the GP post was simple: the "law" he broke infringes on basic rights. Just like watching CSS-encrypted DVDs on a Linux box is illegal, certain laws make criminals out of honest citizens.
If I were arrested in Fairbanks, AK, for carrying an ice-cream cone in my pocket, I would hope for some public outrage. Yes, there's a law against it; but that law infringes on my basic right to carry an ice-cream cone in whatever manner I desire.
"Hey! It's also illegal to put squirrels down your pants for the purposes of gambling!" -- Chief Wiggum
Not that I agree with the GP. I'm still undecided.
Microsoft is to software what Budweiser is to beer.
I do security audits for a living.
Although I do them with a fully endorsed and NOTARIZED release!
Rule number one:
"Thou shalt not perform any invasive activity against IPs that you do not have defacto administrative control over or have legal release (in hard copy) to do so."
I have no sympathy for the guy.
The comment at the end of the article is crap IMHO: "I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help"
Outside of publicly available DNS and ARIN information there's not much more you can do to a remote host to find out whatever information you are looking for. At least if you want to stay out of hot water.
"If you scan the port you go to court"
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
Perjury is a crime, you know.
Perjury is a crime committed in court, not in an interview room. To put this in context, in the USA and many other countries, it's perfectly acceptable to say nothing when questioned by the police. Indeed, I believe the Constitution or an amendment (I'm neither a US citizen nor resident) grants citizens the right not to incriminate themselves. I'm not aware of any such right in Britain, and in Britain when you're arrested you are advised that:
In other words, you're strongly "encouraged" not to remain silent.
I'm neither condoning nor condemning Mr. Cuthbert's statements to the police, merely suggesting that we don't know why Cuthbert chose to (allegedly) lie.
This is where the serious fun begins.
http://www.theregister.co.uk/2005/10/05/dec_case/
'DEC hacking' trial opens
Accused gives evidence
By John Oates
Published Wednesday 5th October 2005 16:22 GMT
Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.
Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.
Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.
Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.
The case continues tomorrow. ®
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
What's an aneCuth?
I hoped after all this he asked for his donation back.
Nyquil = Nectar of the devil
It sounds more like a red cross person asks you for money, but doesn't say thank you, so you try to pickpocket them to check their ID is valid, and then get caught with your hand in their pocket.
I am TheRaven on Soylent News
I completely agree with you, but be careful about how you fling about the term "right." Rights are things that all men possess as an incident of being human beings. They cannot be taken away or awarded, you always have them. Governments may only choose to recognize them or ignore them. This is the fundamental principle of American individual liberty, and our civil rights. We play fast and loose with what constitutes a "right" on Slashdot. Does this guy have the "right" to "[carry] out two tests to check the security of the site" and does a law preventing such a thing violate that right? I honestly don't know, and I suspect neither do most of the outraged posters on Slashdot. It's a comforting assumption that we have such a right, but do we really? That's really the question that an article like this should beg, and it might start an intellectual conversation, which is almost always a more edifying experience than the predictable Slashdot outrage whenever one of "our own" is brutalized by The Man for breaking laws that we find unpalatable.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
For my own safety I think I'll configure my copy of bind to not resolve names in the bt.com zone. BT's IDS is famously overzealous--anyone remember that 'hacker' gaoled for using Lynx story from last year? That was BT's fault as well.
After RTFA and then looking at the poll I am amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage".
It's time to wake up people. First point: Yes he did cause damage. Money was spent investigating the intrusion, which is monetary damages. Second point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.
How does this hurt the Penetration Testing career field as well, lol (another piece of FUD in the article...)? Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later on down the road. Documentation is kept during the process of testing so the testers can show that at point X when they were attempting attack Y they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal and he, being a security consultant, would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure people might sympathise with me if I was right, but that doesn't mean it makes it legal.
News Reporters Make Tasty Polar Bear Treats!
Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.
zdnet Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty"
It looks to me that if he hadn't changed his story, nothing serious would have happened. If he had not talked to the cops without a lawyer, I think there's a good chance he would have gotten away with maybe a slap on the wrist. Since he lied to the cops to confuse the issue, the judge got mad and used a guilty verdict as a punishment for a lie. That's just wrong, and it sets a horrible precedent for future cases that are pursued based on a horrible law.
I guess it's not just the US who has a fuggered up legal system that bases legal decision on petty "get even" routines... It's just sad.
--- "To ignore race and sex is racist and sexist!" -- Jesse Jackson
The Joy of Directory Traversal Attacks
In other words, if you're in the UK, don't type "../" in a URL or you go to jail.
You have the right to remain silent. Use it, and talk to a lawyer.
In the UK you don't really have the right to remain silent anymore. They changed that in 94 I believe. What they basically say now upon arrest is
"You could harm your defense if you fail to mention when questioned something that you later rely on in court"
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
Well no shit! The people who were prosecuting him clearly couldn't handle the truth. These are not reasonable people. One who arrests another for a directory traversal (with no evidence of cracking) is not a reasonable person.
The very fact the investigators couldn't discern between a cracking attempt and a directory traversal is evidence that the they were not capable of handling this type of work. Being an intelligent person, he probably figured the best course of action (to end this as quickly as possible) was to give the information to them in a way they could understand.
For example, if I were arrested for the same "offense," I would probably state something like this:
"I wasn't hacking; I was just using standard web access techniques to validate the site's identity."
Which, depending on your level of ignorance, may be construed as "lying." The investigator may live under the impression that the only type of web access which is "standard" is logging on the site using the main form. The investigators probably felt he was being an arrogant prick and wanted to make an example of him. This is not the purpose of law.
This guy donates 30 pounds to a charity, for which he receives no verification. He practices due diligence (against a phishing attack) by validating the authenticity of the site. And they have the nerve not only to arrest him, but to prosecute him! And convict him!
I am repulsed, and I weep for the security community.
A government is a body of people notably ungoverned - AC
Say the url was site.com/thanks.html. He changed it to site.com/../thanks.html.
Apparently some dynamic sites just grab whatever's after .com/ and use it as parameters with no sanity check. He tried it, they had a sanity check, they logged it as an attack. Stoopid. I don't see how it's an attack. Wikipedia says you could potentially change it to ../../../../etc/passwd and try to guess the number of levels you are away.
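The "sanity check" the post refers to is what a server does on its side: resolve the requested path and refuse anything that would climb above the document root, and log the attempt. The following is an added example written for this thread (not code from the post, the site, or the case), showing that check and a small detector run over constructed log lines; the web root, IP addresses and log lines are assumptions made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2004:15:10:02 +0000] "GET /thanks.html HTTP/1.1" 200 1532
203.0.113.5 - - [31/Dec/2004:15:10:09 +0000] "GET /../thanks.html HTTP/1.1" 403 0
203.0.113.5 - - [31/Dec/2004:15:10:15 +0000] "GET /../../../../etc/passwd HTTP/1.1" 403 0
198.51.100.7 - - [31/Dec/2004:15:11:01 +0000] "GET /static/../thanks.html HTTP/1.1" 200 1532
198.51.100.7 - - [31/Dec/2004:15:11:20 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0
"""

# Pulls method and request path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def resolve_components(raw_path):
    """Return the normalised path components, or None if the path escapes the root.

    The components are walked by hand instead of calling posixpath.normpath,
    because normpath silently collapses a leading '..'
    ("/../thanks.html" -> "/thanks.html") and would hide the attempt.
    Percent-decoding runs twice so double-encoded dots (%252e) are caught too,
    and backslashes are treated as separators like IIS does.
    """
    path = raw_path.split("?", 1)[0]                 # ignore the query string
    decoded = unquote(unquote(path)).replace("\\", "/")
    stack = []
    for part in decoded.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None                          # would climb above the root
            stack.pop()
        else:
            stack.append(part)
    return stack


def escapes_root(raw_path):
    """True when the request would resolve outside the document root."""
    return resolve_components(raw_path) is None


def safe_local_path(raw_path, web_root="/var/www/site"):
    """On-disk path to serve, or None when the request must be refused (web_root is assumed)."""
    parts = resolve_components(raw_path)
    if parts is None:
        return None
    return web_root + "/" + "/".join(parts)


def flag_traversal_requests(log_text):
    """Return (client_ip, raw_path) for every logged request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        if escapes_root(m.group("path")):
            hits.append((client_ip, m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

Note that "/static/../thanks.html" is allowed: it never leaves the root, which is exactly the distinction a blanket "reject anything containing ../" rule would miss.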
Have a look at http://www.dec.org.uk. They are currently supporting a campaign to help the worthy cause of the situation in the Niger. Click on the donate button and you will be taken to a shocking rendition of a 1997-esque payment page that looks awful. So I imagine our man Cuthbert looked again at the dec.org.uk site and it looks bona fide enough and also the whois entry stacks up.
I remember at the time that the BBC News carried a story at, or about the time of, Hogmanay (31st Dec 2004) regarding fake websites. I could only find this story on the BBC website 6 days after the alleged incident.
So our man Cuthbert panics. As you can see, the basic link and page go to securetrading.net (not even a .co.uk). Remember that 31-DEC-2004 is a Friday before a long holiday weekend. So there will be no-one to phone. He looks at the certificate for the server-side SSL - "Secure trading Ltd", a UK company. But the whois entry is privately registered and does not have any standard company details on it - it is also registered abroad (which isn't a big worry, but remember this is a UK gov't sponsored website).
My next port of call is Companies House - where all UK Ltd companies have to be, by law, registered. So using their webcheck facility - it is company number 04591066 with an address in south east London. Not a government organisation, but seems wholly owned by another unknown company, UC Media? securetrading.co.uk? No, they're someone else. Back to Companies House - searching for UC Media, can't find them, but there is an entry for UC Group Ltd at the same address. Bingo. Hang on. There are two insolvency notices on this company...
I'm sorry but I would have also panicked.
It seems to me that its like a teen rattling a gate at the ball park to see if it is locked. While you might do so out of curiosity, or in an attempt to gain unauthorized access, it is still just checking to see if it is locked. If you have a valid ticket in your pocket, accessing through that gate would still be wrong, but checking that it is locked is not.
It does not matter if you have safe cracking tools in the garage at home, if you are simply standing outside the jewelry shop, and check to see if the door is locked or anyone is inside, this doesn't mean that you are attempting to steal diamonds. Sure, he may have had tools on his machine, but that is no different than saying a cop has a gun, and looked like he was trying to break into the store when the door was locked. Things are not always as they appear, and convicting on the basis of intention, especially when it is not overly easy to see the intention, is just wrong.
We have no need of, or room for, thought police in civilized society.
Of course, I may have missed a salient point here, but it just seems wrong to convict without evidence of harm.
In the case of where this seems to happen, like dangerous driving (intoxicated or not) it has been shown that this behavior does lead to accidents, and removing the driver from public roads is a safety measure that does not harm anyone. This is the reason for various lane markings, speed limits, etc.
In this case, there were no speed limits or lane markings, only a locked gate type of guidance. Convicting this man of attempting to steal when there is no blatant evidence is just wrong, and sets a bad precedent in my opinion. Banks don't keep their cash funds out on the sidewalk for a reason. If they did, and it went missing, what exactly would the courts say?
Additionally, it doesn't seem to ring true that a 'security expert' would leave such a trail as to be caught if he was truly trying to break into the system?
Support NYCountryLawyer RIAA vs People
If I'd gone to the police with an eye-witness statement of someone breaking into my car, the guy would have been arrested and charged. But when it comes to computers, it's still astrology to most law enforcement.
This is the mistake in your reasoning. The idea that the cops would care about the car theft is simply false. There may be a few police out there who would care, but none in my experience. A friend of mine once witnessed a few guys breaking into a corvette outside a nightclub in Houston (they weren't very good at it - clearly someone *thought* he knew how to hot-wire a car), walked a block to find a uniformed policeman, and spent 10 minutes trying to persuade the cop to go do something about it. Finally the corvette goes by with 2 of the thieves in it, and my friend just gives up. Realistically, he should be thankful *he* wasn't arrested for stealing the car!
I had a similar experience once when I was robbed/assaulted while delivering pizza. This particular thief wasn't very bright, and it was clear where he actually lived (he didn't quite rob me after ordering pizza to his own house, but it was about that stupid). I return to find a cop walking out of the pizza place with a couple of free pizzas, explain that I had just been robbed (like the still-flowing blood wasn't a clue), and that the guy was right down the road over there and "let's go arrest him". Couldn't get the cop to care. He did write me a ticket for expired tags the next day though, which was nice.
I could go on, but the theme is the same. You can guess how I feel about cops.
Socialism: a lie told by totalitarians and believed by fools.
It is a shame that no one has posted what the actual lie was. Or was it a changing story?
1st interview:
cops - what did you do?
guy - I looked around the site to see if it was legit
2nd interview:
cops - what did you do?
guy - Well I fired up my Ultra 60 running Solaris, not that it had ZFS, but I started her up anyway. I was going to use mozilla/mozilla, but I forgot that I had accidentally removed an X lib earlier that year when I was testing a buffer exploit. So I dug up an old copy of lynx that I had cobbled together with color-xterm support. I remembered that I had not compiled it with SSL, so I had to rebuild it with an openSSL library. I then typed "../" on the end of the URL.
Judge - you changed your story! Liar liar pants on fire.
Boss - you're fired!
Seriously...again...is that me reading between the lines or ...
On Thursday, Daniel Cuthbert [...] was found guilty of breaching Section One of the Act [...]. He admitted attempting to access the Web site, which was collecting donations for victims of last year's tsunami.
So I understand that he "admitted accessing the web site"...Oh my...I just clicked on my "Slashdot" bookmark and accessed the web site. Is this not allowed any more?
The article also states:
Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site. As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."
So basically, I have been testing my web application all morning. As it turns out, I was testing the ACEJI security configuration and got a lot of "access denied", which I was expecting since I wrote the system.
This scenario falls under the Act description. I should be jailed!
OK...I think that's not me...I think this world is getting dangerously ignorant and stupid.
So he lied. What's wrong with that?
"WHERE DO I START?!" you're probably thinking.
Well, now let's turn the tables. I'll give you an example of the tides turning -
Last year, on my 18th birthday, I partied a little bit too hard. After hours of drinking, we went for a drive (YES, we DID have a sober driver.). Unfortunately, we ended up in a situation where the cops were called, and my 4 buddies and I had to spend the rest of my 18th birthday shackled to the walls in a PA State Police barracks. Now, at this point, I was too drunk to write, so they just made me sit there and did their rounds. After a few hours I see one... two... and then three... go up for their mugshot and then leave... and then they finally let me go.
So, I go outside to meet my friends and try to find them a way home, and I promptly get punched square in the face. "What the FUCK was that for?", I thought. Well, it turns out the state police, despite my inability to drive, write, or even talk without sounding like a raging alcoholic, had told my friends I had written a confession that said A - we had broken the windows (what got us there in the first place) and that B - everyone had been drinking. It would be in <i>their</i> best interest to do the same. So they did.
I could go into another example of the same thing happening to someone else, but I'm sure everyone's heard enough of them.
When my long-forgotten ancestors accepted this nation's founders' idea for government, they placed their trust in it for not only themselves, but everyone down the line, too. I've even heard cops say that "pig" stands for "Pride, Integrity, Guts". What's that middle word there?
If you would like your citizens to behave and be honest people of high moral standards, then you MUST do the same. With deceit comes dissension, and with dissension, revolution is born. Those that lead must do so by example, and soon enough, those that should be removed from society will become very evident.
To put it short, How can you trust a liar? You can't, no matter how truthful they are.