Consultant Convicted For Non-Invasive Site Access

← Back to Stories (view on slashdot.org)

Consultant Convicted For Non-Invasive Site Access

Posted by Zonk on Friday October 7, 2005 @04:20AM from the anyone-else-thinking-greyhawk dept.

Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.

22 of 377 comments (clear)

seems like there could be more to this story. by yagu · 2005-10-07 04:21 · Score: 4, Insightful
I can't help but suspect there must be more to this story than is being put forth. Part of me wants to believe his defense, "he never tried to defraud", but my distaste for legal mumbo jumbo makes me wonder more about the specifics:
- He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?
- He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)
- Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
- Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?
On its face, this looks like serious stuff with serious consequences for seemingly innocent activity and should give pause to any internet users, but I suspect there's more to it than meets the public eye.
1. Re:seems like there could be more to this story. by ArsonSmith · 2005-10-07 04:25 · Score: 4, Insightful
  
  yea, at one time I was clear you could either tell the truth or you could lie. After reading the news you learn of this entire huge gray area called spin. It's amazing and opens the door for all kinds of emotional out bursts.
  
  --
  Paying taxes to buy civilization is like paying a hooker to buy love.
2. Re:seems like there could be more to this story. by Red+Flayer · 2005-10-07 04:31 · Score: 4, Informative
  
  RTFA.
  
  "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it."
  
  British Law says that if you know you are not allowed access, you cannot attempt to circumvent system security.
  
  What makes this case so interesting is:
  "This is thought to be the first time that a judge had indicated that -- despite the letter of the act -- knowingly accessing a system when unauthorised to do so is not necessarily a crime. "
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
3. Re:seems like there could be more to this story. by gormanly · 2005-10-07 04:50 · Score: 5, Informative
  
  He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?
  
  Directory traversal, and using lynx.
  
  He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)
  
  He gave them £30 (at the time, ~ US$58). This is the opposite of defrauding them...
  
  Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
  
  He clicked on a banner add to donate to the UK's Disasters Emergency Committee's appeal for the December tsunami in Asia, and got no confirmation page. His first thought was that this was a phising site and he'd been scammed. So he panicked and tried the directory traversal...
  
  Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?
  
  No. This was AFAIK his first offence of any sort at all - and now his career's in ruins.
  
  The Computer Misuse Act (1990) is an apalling piece of shoddy law - speaking as an IT professional who's actually had to read it. The only thing it's good for is threatening users.
4. Re:seems like there could be more to this story. by malakai · 2005-10-07 05:51 · Score: 4, Informative
  
  It looks like he initially lied to the police and said the the reason the IDS detected it as a hack, was because he was using Lynx. That is the first story that went around the net. He was on Solaris, using Lynx, made a credit card payment, and the IDS picked it up as a hack.
  
  Here's the original BoingBoig: http://www.boingboing.net/2005/01/27/jailed_for_us ing_a_n.html
  and then: http://www.boingboing.net/2005/02/11/supposed_tsun ami_cha.html
  
  In the end, despite his initial lie, all he did was try a directory traversal 'attack' (the ../ trick to try and break out of the root web directory). Not so much as an attack, as a query.
  Basically he was trying to answer: "Is this site vulnerable to this easily exploited flaw, and if so, I better call them or my Credit Card number is going to make it's waya round the russian mafia sites in no time".
  
  I don't doubt he was secretly hoping the flaw existed so he could get some fame saving a disaster relief web site.
  
  I guess then technically, if you click the following link, their IDS should flag it as a 'hack' and if you live in jolly ol'england expect a boot at your door: Don't click me or you go to Jail!
  
  If you try it out, let me know how fast their response time is.
  
  --
  -Malakai
  A Dragon Lives in my Garage
Much ado about nothing. by plover · 2005-10-07 04:21 · Score: 5, Informative

TFA quite clearly states that he was convicted because he lied to the police about his activities. Here's the quote:
"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said. "
The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."
Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.

--
John
1. Re:Much ado about nothing. by pla · 2005-10-07 04:42 · Score: 4, Insightful
  
  Moral of the story: don't lie to the cops about security testing.
  
  We live in a world where posession of electronics and printouts on the subway gets you hauled away by a full riot squad under suspicion of terrorism.
  
  The average cop doesn't have the faintest clue about legitimate security testing as opposed to malicious hacking. Same tools, same methods, same general sort of people - Only the motivation differs, which the "target" can only discern after-the fact (and since the article mentions he failed to gain access, he can't even establish that much in his own defense). Even another IT security pro would most likely have to seriously consider the exact choice of attacks to discern intent (for example, did he obviously not use easier but more damaging tools for certain parts of the task?).
  
  Yes, geeks should ALWAYS lie to the police, whether in the right or not. Because the police have one job - Check off that last little box on their list. If they can do that by throwing away a "cybercriminal" by getting a jury full of people who can't even open email attachments to convict, they WILL. The error here involves changing his story.
2. Re:Much ado about nothing. by I+confirm+I'm+not+a · 2005-10-07 04:59 · Score: 4, Insightful
  
  We live in a world where posession of electronics and printouts on the subway gets you hauled away by a full riot squad under suspicion of terrorism.
  
  Dude, this is Britain we're talking about. Possession of a winter jacket and a Brazilian sun-tan gets you far, far worse than a hauling away.
  
  --
  This is where the serious fun begins.
3. Re:Much ado about nothing. by Scrameustache · 2005-10-07 05:08 · Score: 4, Informative
  
  Yes, geeks should ALWAYS lie to the police
  
  Fer christ sake, STFU and ask for a lawyer!
  Don't lie to the police, that pisses them off.
  
  --
  You can't take the sky from me...
4. Re:Much ado about nothing. by Anonymous Coward · 2005-10-07 05:26 · Score: 5, Insightful
  
  Yes, geeks should ALWAYS lie to the police, whether in the right or not. Because the police have one job - Check off that last little box on their list. If they can do that by throwing away a "cybercriminal" by getting a jury full of people who can't even open email attachments to convict, they WILL.
  
  Because, naturally, everybody else is a corrupt, money-grubbing idiot who have no interest in serving society, helping people out or any other noble enterprises, whereas all geeks are paragons of altruism who live in their parent's basement and work tech support so that they can write free software for the greater good.
  
  All the cops that I've met were just trying to do their job. They don't get paid by the conviction. They would much rather be stopping violent criminals and making people safer, but they have to deal with all crime because non-violent crime can damage society just as much as violent crime. I have certainly heard about corruption, bigotry, etc., but haven't seen it myself.
  
  On the other hand, I've known some technical people who have no interest in playing by the rules (on any level). Most people seem to think that cheating the law is some sort of game (although they don't want to play anymore when they lose). I've known geeks whose morals were just as low as any corrupt cop, and heard about those who did just as much damage.
  
  This case is a nice example. If the defendant was forthright and honest, the judge would likely have taken his word and let him go. Because the guy tried to cheat the system, the judge has no reason to believe anything else he says, including the part about how he didn't mean to defraud the site he was visiting, that it was an honest evaluation. As you said, it's hard to tell the difference, so the character of the defendant plays a big role in determining his goals.
5. Re:Much ado about nothing. by crazyphilman · 2005-10-07 07:14 · Score: 4, Insightful
  
  I would love to hear how, exactly, the British cops explain this.
  
  Question: "So, the suspect was dangerous?"
  
  Cop: "No, guv, we had him pinned down, he wasn't going anywhere."
  
  Q: "So... Did he have a weapon?"
  
  Cop: "No, just a rail ticket."
  
  Q: "And you had him pinned down?"
  
  Cop: "Yep!"
  
  Q: "At which point you shot him once in the shoulder and seven times in the head?"
  
  Cop: "We wasn't taking any chances, Gov!"
  
  Q: "What, exactly, did you think he might do? Use harsh language???"
  
  Cop: "..."
  
  --
  Farewell! It's been a fine buncha years!
Unintended consequence of regulation and control by dada21 · 2005-10-07 04:23 · Score: 4, Interesting

UK lawlessness, nothing new?

The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.

This is a country that won't let their citizens bear arms (increasing crime), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.

TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation? More laws = more crimes = more criminals = more prisoners = more money for the State.

Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
And quite rightly so... by gravyface · 2005-10-07 04:25 · Score: 5, Insightful

While I sympathize with him, taking the law into your own hands on a whim, regardless of the crime or environment, should not be tolerated. If he was B&Eing into a biker hangout to see if they had his stolen TV, he'd be prosecuted in the exact same manor.

--
body massage!
couple of checks? by cdn2k1 · 2005-10-07 04:27 · Score: 5, Informative

I think by "couple of checks," you mean "a directory traversal attack."

http://www.theregister.co.uk/2005/10/05/dec_case/
Re:Unintended consequence of regulation and contro by david.given · 2005-10-07 04:37 · Score: 4, Funny

The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.
However, we still don't have any laws against trolling. Shame, really...
Re:Well by dougmc · 2005-10-07 04:41 · Score: 4, Insightful

Perjury is a crime, you know.
Yes, but generally you have to be sworn in or otherwise lie under oath to be convicted of perjury. (At least in the US. I don't know what the laws look like on the other side of the pond.)
Generally making a statement to the police isn't done under oath.
And really, if the crime was perjury, why wasn't he convicted for perjury and not something else?
Wow. That's a pretty vague law... by karlandtanya · 2005-10-07 04:44 · Score: 4, Insightful

"a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

This reads to me something like "If anybody tells you can't do something with a computer, and you do it anyway, it's a crime.".

So, in the UK, to attach criminal liability to your violation of any of my own wishes, I just have to somehow involve a computer.

What, by the way, is a computer in the UK? Do embedded devices count? Don't leave through that automatic door; Mickey here hasn't sold his quota of cars this week, and we want a fair chance to convince you to buy. Whoops--you triggered the photoeye, causing the automatic door to open. I guess you can't get more egalitarian than this--every individual has the right to pass criminal laws.

OK, this seems a really silly example. It is. After all, we trust the authorities to selectively enforce overly broad laws--only prosecuting the real bad guys.

Hell, it works on this side of the pond; why not over there?

--
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Better summary by DrSkwid · 2005-10-07 04:46 · Score: 4, Informative

http://www.theregister.co.uk/2005/10/05/dec_case/

'DEC hacking' trial opens
Accused gives evidence
By John Oates
Published Wednesday 5th October 2005 16:22 GMT

Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.

Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.

Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.

Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.

The case continues tomorrow. ®

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:Unintended consequence of regulation and contro by TheRaven64 · 2005-10-07 05:02 · Score: 4, Insightful

It sounds more like a red cross person asks you for money, but doesn't say thank you, so you try to pickpocket them to check their ID is valid, and then get caught with your hand in their pocket.

--
I am TheRaven on Soylent News
These are dark times... by nightfire-unique · 2005-10-07 05:47 · Score: 5, Insightful

As a fellow security consultant, I cannot believe the comments I've read for this article so far. Have people lost their self respect so fully that they hand every last shred of individual right and responsibility over to the state?
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
Well no shit! The people who were prosecuting him clearly couldn't handle the truth. These are not reasonable people. One who arrests another for a directory traversal (with no evidence of cracking) is not a reasonable person.
The very fact the investigators couldn't discern between a cracking attempt and a directory traversal is evidence that the they were not capable of handling this type of work. Being an intelligent person, he probably figured the best course of action (to end this as quickly as possible) was to give the information to them in a way they could understand.
For example, if I were arrested for the same "offense," I would probably state something like this:
"I wasn't hacking; I was just using standard web access techniques to validate the site's identity."
Which, depending on your level of ignorance, may be construed as "lying." The investigator may live under the impression that the only type of web access which is "standard" is logging on the site using the main form. The investigators probably felt he was being an arrogant prick and wanted to make an example of him. This is not the purpose of law.
This guy donates 30 pounds to a charity, for which he receives no verification. He practices due diligence (against a phishing attack) by validating the authenticity of the site. And they have the nerve not only to arrest him, but to prosecute him! And convict him!
I am repulsed, and I weep for the security community.

--
A government is a body of people notably ungoverned - AC
DEC - I'd have panicked too. by rapiddescent · 2005-10-07 06:35 · Score: 5, Insightful

Whilst I think Cuthbert was daft for lying and that was his mistake, I would have also panicked...
have a look at http://www.dec.org.uk. They are currently supporting as campaign to help the worthy cause of the situation in the Niger. Click on the donate button and you will be taken to a shocking rendition of a 1997-esque payment page that looks awful. So I imagine our man Cuthbert looked again at the dec.org.uk site and it looks bonafide enough and also the whois entry stacks up.
I remember at the time that the BBC News carried a story at, or about the time of the Hogmany (31st Dec 2004) regarding fake websites. I could only find this story on BBC website 6 days after the alledged incident.
so our man cuthbert panics. As you can see the basic link and page to securetrading.net (not even a .co.uk). Remember that 31-DEC-2004 is a friday before a long holiday weekend. So there will no-one to phone. He looks at the certificate for the server-side SSL - "Secure trading Ltd" a UK company. But the whois entry is privately registered and does not have any standard company details on it - it is also registered abroad (which isn't a big worry, but remember this is a UK gov't sponsored website)
My next port of call is Companies House - where all UK Ltd companies have to be, by law, registered. So using their webcheck facility - it is company number 04591066 with an address in south east london. Not a government organisation, but seems wholly owned by another unknown company UC Media? securetrading.co.uk? no, they're someone else. back to companies house - searching for UC Media, can't find them, but there is an entry for UC Group Ltd at the same address. bingo. hang on. there are two insolvency notices on this company...
I'm sorry but I would have also panicked.
This is like... thought police by zappepcs · 2005-10-07 06:38 · Score: 5, Insightful

It seems to me that its like a teen rattling a gate at the ball park to see if it is locked. While you might do so out of curiosity, or in an attempt to gain unauthorized access, it is still just checking to see if it is locked. If you have a valid ticket in your pocket, accessing through that gate would still be wrong, but checking that it is locked is not.

It does not matter if you have safe cracking tools in the garage at home, if you are simply standing outside the jewelry shop, and check to see if the door is locked or anyone is inside, this doesn't mean that you are attempting to steal diamonds. Sure, he may have had tools on his machine, but that is no different than saying a cop has a gun, and looked like he was trying to break into the store when the door was locked. Things are not always as they appear, and convicting on the basis of intention, especially when it is not overly easy to see the intention, is just wrong.

We have no need of, or room for, thought police in civilized society.

Of course, I may have missed a salient point here, but it just seems wrong to convict without evidence of harm.

In the case of where this seems to happen, like dangerous driving (intoxicated or not) it has been shown that this behavior does lead to accidents, and removing the driver from public roads is a safety measure that does not harm anyone. This is the reason for various lane markings, speed limits, etc.

In this case, there was no speed limits or lane markings, only a locked gate type of guidance. Convicting this man of attempting to steal when there is no blatant evidence is just wrong, and sets a bad precedent in my opinion. Banks don't keep their cash funds out on the sidewalk for a reason. If they did, and it went missing, what exactly would the courts say?

Additionally, it doesn't seem to ring true that a 'security expert' would leave such a trail as to be caught if he was truly trying to break into the system?

--
Support NYCountryLawyer RIAA vs People