Judge Refuses To Convict Hacker
Jake96 writes "A judge in Wellington, New Zealand, declined to convict a man who ran an unrequested security audit on a bank's phone systems and was charged with 'intentionally accessing a computer system knowing he was not authorized to,' according to an article in the New Zealand Herald."
I hope so.
A judge who uses common sense. Wow!
Avoid Missing Ball for High Score
I see absolutely no problem with someone analyzing the security of a network and relaying the results to the owners of the network. According to the article, the "researcher", Macridis, checked the network and then tried to sell the results to the owners, _after_ already accessing the network. Seems a little bass ackward.
More than anything, this guy is a business dumbass for doing the work and providing the results before even a contract was drawn up. Because of this strange sequence of events (providing vulnerability information before being requested), all of a sudden his generous offer looks more like extortion than altruism.
His background with fraud (though 10 years prior) sullies his reputation even further.
It's not a crime to be a dumbass. At least not in NZ, apparently.
The precedent needs setting!
He sounds like a bit of a jerk.
In other words, I can break into your house and wander around, take notes then leave. When I come to the door later, I can bill you for the "Security Consultation" and not be charged for robbery.
...and they call Americans silly? This one's off the chart.
Great!
He should have been convicted. He was not under contract or authorized to probe that system. He demanded money before he would tell them what was wrong. In my book that is extortion.
While he didn't do anything illegal, I would be very surprised to receive a bill for a service I didn't request. His actions weren't illegal but his method of doing business definitely leaves something to be desired. Although his decision to not broadcast the bank's weaknesses to the public could be viewed as integrity, it could also be calculated business sense. It doesn't sound like someone I would choose to do business with.
Would you honestly pay for a service you weren't told you were receiving and didn't ask for if you were billed for it?
Score! I'm going to try that!
That's what you get when you ship off all your criminals to a newly discovered island (or is it a continent?) and come back a hundred years later to look at their justice system.
Jokes aside, the reason the bank would indeed have had the man arrested was probably a mix of pride and caution. Quite understandable, but I sure hope they pay the man after all this is out of the papers.
My captcha was condom
what is it over there, like some kind of geek paradise?
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Is that your anus? Are you propositioning me?
And wouldn't that make us "Linux fuck-anuses" and not "Linux fuckheads?"
Your troll is very confusing.
At least it shows efficient legal process.
Macridis had telephoned the Reserve Bank on May 30, introducing himself as a security consultant.
The Reserve Bank made a complaint to police, who searched Macridis' house on September 21 and seized his computer.
Ok, a bit slow there - four months - but maybe the bank did some research on the flaws first. And the wheels of Big Business turn pretty slow....
Gerasimos Macridis, 39, appeared in the Wellington District Court on Wednesday - the 27th - on one charge of intentionally accessing a computer system without authorisation.
A little over a week from when the police took his computer, to when he appeared in court.
They presumably searched it, did all the legal paperwork, had the weekend off, etc.
Not much crime in Wellington lately? Or are they normally this speedy?
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
New Zealand becomes the Script Kiddies capital of the world. After all, they're providing a valuable service by exposing faults in network security.
Lawyer 131236716723: Shit. This is not good.
Lawyer 216421934614: What?
Lawyer 131236716723: They didn't throw this guy in jail who broke some technicality against a major corporation.
Lawyer 216421934614: WHAT?
Lawyer 131236716723: I'm serious! New Zealand! That fucking judge forgot how hard it is to pay off an SL500 and those student loans on a measly $70,000 starting salary!
Lawyer 216421934614: Look, I know you're new here, but this is America. We've got the RIAA, MPAA, not to mention all the lobbying to be done in DC. I mean, those Native Americans don't rip themselves off, eh? Plus, we've got so many laws on the book that someone, somewhere isn't doing something right, and who gets to prosecute?
Lawyer 131236716723: Lawyers?
Lawyer 216421934614: And who gets to defend?
Lawyer 131236716723: Lawyers!
Lawyer 216421934614: And who gets to judge?
Lawyer 131236716723: Former lawyers elected by other lawyers!
Lawyer 216421934614: And who makes the law?
Lawyer 131236716723: Former lawyers who have even less ethical concerns than other lawyers, lobbied by lawyers! Thanks, Bill... I was starting to worry!
New Zealand was never a penal colony, so has never had criminals shipped to it, other than the state visits by royalty and presidents. You are obviously thinking of Australia, a completely separate country about 1800 km away. You could drop Texas into the gap in between. (and nobody would miss it either)
That's a good way to remember. Anytime you have a problem with the government, remember that it's a government of lawyers for lawyers. I thought it was supposed to be for the PEOPLE.
Cool! Amazing Toys.
err um I mean "hackers of New Zealand, unite!"
This is actually the second time this has happened in NZ this year...
0 / and all over ya google.
"Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week.
Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.
However two justices of the peace discharged Gupta saying there was no case to answer after a hearing in the Auckland District Court on Wednesday."
more @ http://www.crime-research.org/news/21.01.2006/177
When will people realize that public networks are totally unlike houses! It's a lot more like a 7-11 than a house. You are allowed to wander into the 7-11 any time of night or day, presumably to do business, but if you notice that there's a hole in the wall, or the security mirror is missing, well, it's not your fault.
Don't bother telling me why this network isn't really like a 7-11 either. (Actually it's a series of tubes... :-) All these analogies are weak. I'm just so tired of the house analogy I had to add a counterpoint.
$META_SIG_JOKE
While I think the trespass is morally wrong and the judge should have left it legally criminal, I can't follow your reasoning here. Suppose I constructively prove P=NP tomorrow, instantly threatening essentially all of modern cryptography. If I call up my bank and say "Hiya, you know that SSL encryption? You're going to want to change that, fast. Why? OK, we'll talk about that after I have you NDAed up and some money sitting in my account, because I have literally the most important advance in mathematics in the last 50 years sitting on my PC. That's worth some serious money to me -- if I'm the first to publish I get the Fields Medal for sure, and that's just for starters.", that's clearly not extortion. I haven't hurt or expressed a plan to hurt the bank yet.
Yep, granted, they'll only know the exact nature of the vulnerability if they either pay me or independently prove P=NP, but that has been true for every day of the last 50 years regardless of what I've done.
"Pay me $250 million dollars or I upload the n*log(n) factoring code to the file sharing networks. Imagine what the Russians could do with that. I'd hate to have a billion dollars an hour running over insecure wires, wouldn't you?", now THAT'S extortion.
I can't find the crime here which is divorced from the trespass.
Help poke pirates in the eyepatch, arr.
Regardless of whether his intent is malicious or not, or whether he is smart in doing business or not, he managed to show the bank has a big hole in its security. A salute to him.
Guys someone submit his new crock of rumors and fud.
Windows? Is that you?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
...did he wind up getting any payment from the RBNZ/Telecom?
The decision by the judge would about make sense if he didn't. Namely - you weren't bad enough to get hammered, but you were stupid enough that shouldn't be rewarded.
Perfecting the art of insanity since 1982
Just by reading the headline I knew it couldn't possibly be in the US. Most judges here are out of touch with society, or beholden to special interests. They'd never stand out of line. If you've ever been involved in the US legal system you learn this all too quickly. The judge and lawyers cut deals behind your back, and you sit there like an idiot to see how much pull your lawyer has, regardless of the law.
...CRACKER. Turn in your geek license.
Goten Xiao
It's a matter of the details and we don't know the details of the case. And the details are important.
After all, from what I see he could have told the bank something like the following:
"Hi, you've got security problems with your email server, the following webservers have serious problems and need to be patched (list of IPs), the following servers have easily guessable ssh username and passwords.
If you want more details my professional rates are XYZ."
While that's not the best way of going about doing things, I don't think that should be considered criminal.
The Bank is free to look for a different person/organisation to do the job, and give that info to them as a starting point.
After all providing a detailed and professional report and recommendation takes a fair bit of time and effort. You can't expect that bit for free.
So not knowing the details I don't think we should be so sure that he's been doing extortion or blackmail. Maybe the Bank has been nasty about the whole thing - after all when was the last time a Bank has behaved well?
Maybe someone had to cover up their ignorance and incompetence and thus treated it as extortion.
AND that's why I think the guy was dumb to do what he did - after all he's not dealing with a friendly organisation - he's dealing with a Bank. Lucky for him, he's in NZ and not some uncivilized country like the USA[1].
Many of the slashdotters seem to be used to the US "justice" system.
[1] If you win cases because you have more money or power, that's not really better than one of those corrupt African countries is it?
Excuse me? He compromised NOTHING, he only exposed problems already existing in the system that apparently they would rather keep than fix.
"Hey, he exposed our weaknesses! Put him in jail so no one else (like the PUBLIC we are supposed to serve) finds out we aren't smart enough to properly configure our stuff and are too cheap to have it done correctly for us!"
Good job!
At least the judges have some brains in NZ.
I wonder what their immigration laws are like?
We may not have *all* the details, but there's nothing there that could reasonably be construed as extortion.
Jay Jennings
Sorry, but this guy was asking for trouble. Firstly, it wasn't just any old bank, it was the Reserve Bank (http://en.wikipedia.org/wiki/Reserve_Bank_of_New_Zealand), secondly, when he discovered this flaw he didn't just tell them about it, he said basically "I found a flaw, now pay me money".
You don't mess with the systems controlling an entire country's economy, and then demand money for it. If you do, well, Darwin would like a word with you.
NZ Electronics Enthusiasts: Check out my Trade Me Listings
final porst!!!
only dumbarses say dumbass.
Only in america could bush ever get in.
Linux is for everybody. Got a problem with "fags"?
So you've got this bank which holds a large sum of money for you/lots of different entities. But instead of renting a building and doing their business there they figure it is cheaper to just conduct business on the street and save some money on rent, but to protect their security they set up in a deserted part of town, where normally no-one goes. Then some day this guy decides to take a look. So he takes the day off and buys a bus ticket and off he goes. Imagine his horror at the bank's security measures. So this guy thinks to himself: "I should do this for a living. I'm good at it and somebody had better make these banks understand. 't Might as well be me.", and sends the bank a bill for his security check.
Moral: you can't break in through an open door. Banks should keep their doors closed. Keep your money in a sock and let no bank near it.
...he's a Greek. We Greeks are notorious for covering our utter stupidity with the steadfast belief that we're smarter than anybody else out there.
Maybe what he is trying to tell us is that he's an arseface or something...
LOL.. the judge is just lazy..
Maybe he shouldn't have said he was an auditor, but instead a security systems checker. Then he could have charged more.
Can I bum a sig?
...is a telephone system considered an information system? I think I missed something.
I actually applaud the NZ courts. The man could have used the information to commit fraud, steal sensitive/valuable information and sell it to the highest bidder and make a whole lot of money but instead he chose to go directly to the bank and ASK for payment.
So he had a sure way to make money, but instead he ASKS for money AFTER revealing the security flaw. If you ask me, the bank suffered from bruised ego syndrome and wanted some sort of revenge. It's nice to see that the bank didn't get what it wanted.
It's not the destination that matters, but rather the journey.
The judge was an idiot - what this guy did was just a new twist on the old "send them a bill and hope they pay at" scam.
This is the same sort of scam that boiler-room ops do all the time - sending bills for unsolicited ad space in non-existent magazines, etc.
The guy is scum. The judge was out to lunch on this one.
Let's put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited "advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...
Or someone tries to break into your house, then sends you a description of all the "security weaknesses" they found, plus a bill for their time.
Just because it's a phone system doesn't make it any less an attempted con job.
UNTIE!!
It's not the destination that matters, but rather the journey.
Yeah I get something similar from charities sending me mailing labels every Christmas and then charging me for them. I also get mail in the form of a check only when you look at the small print it's a loan. Yeah it's all bullshit. Usually legal though.
It has been statistically shown that helmets increase the risk of head injury.
BANK != HOME
Do you live at a bank? Do you sleep there? Is that where you consider yourself safest at night?
Look, comment for what this story is, not what you think it's equivalent to.
He did an unauthorized security audit for a bank phone system, and tried to bill them for his actions in the audit. At most he is guilty of gaining unauthorized access, and being stupid.
Should he be locked up? Doubtful. Was what he did illegal and punishable? Yes. Should he be required to sort RJ-11/RJ-45 ends out of a landfill for 1 year as punishment?? Yes.
A terrorist, cracker, or whatever malcontent term people prefer, would have identified the security lapses, sold it to someone else with 'bad' or 'nefarious' intentions, for either profit, ideological reasons, or disagreement with the government. As best we can tell, he did none of these things. Merely tried to make himself a quick buck out of unwanted services rendered for the bank.
If I was the bank, I'd give him $50, make him sign a legally binding contract regarding information disclosure. If he refused, then sue him.
> Let's put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited "advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...
Tell him you aren't going to give him a penny, but thanks for the free security audit!
The judge's decision came from a correctional view of the justice system there rather than the punitive model used in the U.S. (despite the U.S. tendency to falsely call prisons correctional facilities). That is, the judge believed that the process of justice up to that point had already convinced the defendant not to do it again and the free security audit was adequate restitution.
... as a Math teacher who teaches the material, brings the students who are behind up to the level they need to be, and doesn't fail 85% of the class.
Alas, I fear this Judge will last about as long as "good" math teachers. To be liked by students is a death sentence for math teachers.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
How could someone that is so right on Linus etc, be so far off on this one. I have previously enjoyed many of your posts.
The poster was using an analogy to show his perspective, and you went off and started talking about sexual abuse and killing? Molestation causes permanent scars, and nuclear weapons the same... so while you might not like his "stupid" analogies, at least they were in the "same book". The "same book" as in, he was likely trying to find an analogy where there was no harm done by the actions, In your analogies - well...
Thanks in advance for your Christian Charity in trying to understand my perspective, and why I find talk of molestation more serious and offensive than all the bad analogies and benevolent hacking in the world. (ok, so I have a daughter)
I kind of agree with you, and at the same time I really don't want a situation where every time someone acts like a jackass, they get jailed.
I'd love it to be easier to be compensated by people acting like jackasses though. Some way of, without having to spend a lot of time and effort, "fine" people $10 every time they do something deliberately against me in bad faith. That would certainly cut down on the jackassery. The problem is finding a workable, no false positives, mechanism for doing it.
You are not alone. This is not normal. None of this is normal.
...than the guys who go walking down the street peering at houses looking for termite damage that the owner might have missed. Not only do they tell you about a problem that you might not know about, they offer their services to fix it. You're under no obligation to pay them for finding it, but a lot of people are grateful to the person and fork over some cash anyway (and maybe hire them to help more).
People are failing to realise that without that guy doing what he had done, the bank wouldn't have realized that there is a security problem with their system. We all think hacking is a dangerous thing. In some sense yes it is when it is done without you submitting that you have done something bad that will put someone into a loss, but in the reverse it is good. Would you thank your neighbor if he tells you that your wireless is open or would you care about how he knew that it was open? You will thank him or her and find a way to secure it.
> The judge's decision came from a correctional view of the justice system there rather than the punitive model used in the U.S. (despite the U.S. tendency to falsely call prisons correctional facilities).
Funny, in the U.S. we call that judicial activism. Sounds like this judge from New Zealand is more interested in conducting a social experiment than interpreting law.
> That is, the judge believed that the process of justice up to that point had already convinced the defendant not to do it again and the free security audit was adequate restitution.
First of all it wasn't a "free security audit", it was a crime. The hacker had no authorisation from the bank and violated the privacy of all customers holding accounts there. Second, the judge has no evidence that the hacker won't commit the crime again. The judge even went so far as to call the hacker's actions "honorable." Does anyone else see the irony here?
> Funny, in the U.S. we call that judicial activism
No we don't. The term "judicial activism" is used in reference to acts of judicial interpretation that critics consider to take on suspected political reasoning, rather than an evaluation of applicable law. It has nothing to do with correctional vs. punitive. You're a moron.
Parent tells the truth. Australia was a convict colony, NOT New Zealand. New Zealand != Australia.
Thanks, I'll admit that my framing was moronic, but that doesn't justify name calling. The New Zealand judge is clearly applying his own ideology to the ruling. The judge actually believes that the hacker's invasion of the privacy of thousands of the bank's customers was "honorable." Whether you call it correctional, political, or ideological it _is_ judicial activism, plain and simple. Mor... oh wait.
I think in another country, he may have faced the opposite judgement. So those who would like to be just like that man can come to New Zealand.
Maybe they had to come up with the hacker judge. That would be more secure and for sure a lot of people are interested too.
I think he'll plan to set up his own government.
I hope not so
Since the judge is giving a stupid result, what are the lawyers doing there?
> Funny, in the U.S. we call that judicial activism. Sounds like this judge from New Zealand is more interested in conducting a social experiment than interpreting law.
As others have pointed out, that's not judicial activism. Secondly, you assUme that New Zealand takes the same punitive approach to criminal behaviour that the U.S. does and that the judge has gone against that. Have you considered the possibility that the New Zealand judge in New Zealand presiding over a case of New Zealand criminal law might have acted entirely in accordance with the guiding principles of New Zealand legal philosophy? Different countries are different!
> First of all it wasn't a "free security audit", it was a crime. The hacker had no authorisation from the bank and violated the privacy of all customers holding accounts there.
The hacker accessed the phone system of a reserve bank. You and I have no evidence that any customer (which would be other banks, not actual people) data was accessed at all. Perhaps he dialed in and then made a long distance call for example. The judge, on the other hand, would have that evidence if there is any.
> Second, the judge has no evidence that the hacker won't commit the crime again.
Are you sure? He was there and we were not. He had the opportunity to observe the defendant's demeanor and statements and weigh them for himself. He might have found the defendant's statements as repentant and based on his demeanor, believable. Such JUDGEments DO have a place in criminal law.
> The judge even went so far as to call the hacker's actions "honorable." Does anyone else see the irony here?
The judge called the hacker's INTENTIONS honorable, not his actions. That is, he judged that the man intended to improve the bank's security and be paid for doing so. Those are the intentions of any security consultant. This is as opposed to intending to take advantage of the bank's security problems for undeserved gains. That would be a criminal intent.
Performing the service first without authorization then seeking payment was at least foolish. It may have been criminal in NZ law (I don't know either way). However, the judge determined that given the defendant's intentions, a conviction would be disproportionally punitive.
>> Funny, in the U.S. we call that judicial activism. Sounds like this judge from New Zealand is more interested in conducting a social experiment than interpreting law.
>> As others have pointed out, that's not judicial activism. Secondly, you assUme that New Zealand takes the same punitive approach to criminal behaviour that the U.S. does and that the judge has gone against that. Have you considered the possibility that the New Zealand judge in New Zealand presiding over a case of New Zealand criminal law might have acted entirely in accordance with the guiding principles of New Zealand legal philosophy? Different countries are different!
And as others have done, you are ignoring the fact that I said, "in the U.S.", it's a very important part of what I said. I never claimed that judicial activism applied to New Zealand in the literal sense. I was simply pointing out that the ruling would be more controversial here in the States. Others in the broader discussion have noted enthusiasm that this New Zealand ruling should set a precedent here in the States, but to me it seems that there's a fundamental difference between American standards and New Zealand's standards. I believe a little caution might be in order to those that would have us quickly adopt another country's standards.
Of course we don't know all of the details, that's why it's called speculation. What we do know is that the hacker was awarded for his foolishness and if I was a New Zealander I would hope that would be enough to give me pause.
I did see "In the U.S." but mis-interpreted the phrase to apply to the term rather than the action the judge took. Sorry about that :-)
In general though, I do advocate moving to a more corrective approach to criminal justice. I believe it would result in an overall reduction in crime and save money on prisons at the same time.
It's not something that can be done overnight, but we could transition that way gradually. For example we could start by repealing minimum sentencing for non-violent offenses.