Judge Refuses To Convict Hacker

Jake96 writes "A judge in Wellington, New Zealand, declined to convict a man who ran an unrequested security audit on a bank's phone systems and was charged with 'intentionally accessing a computer system knowing he was not authorized to,' according to an article in the New Zealand Herald."

Can this set a precedent here in the States?

[defile]

I hope so.

Re:Can this set a precedent here in the States?

Stupid court results?? I thought that was the norm in the US so why would it set a precedence?

Maybe you should read what this guy actually did. he intruded into a banks phone system (without permission), performed a security audit (again without permission), and then tried to get the bank to pay for his work. If I was the bank I would be taking this bastard to court too. how would you feel if someone turned up at your house did some work then sent you a bill all without you requesting anythign be done. The fact that the bank has a security issue is a side note here, they should be hiring a "reputable" security firm to look at there systems.

Re:Can this set a precedent here in the States?

[joe90]

Actually, it's a bit more serious than that. The bank http://www.rbnz.govt.nz/ who's phone system he compromised is an approximate functional equivilant of the US Federal Reserve http://www.federalreserve.gov/ (but quite a bit smaller).

He's very lucky he did it in NZ where it appears that the courts consider him stupid rather than malicious. In other countries he might get charged with terrorism related offenses or worse.

Re:Can this set a precedent here in the States?

[Fordiman]

He committed no intentional crime. He was identified a security flaw, and provided this info to the bank before asking for money. Sure, it's a little like the guy who washes your windshield at a sopt light asking for money, but it's far from dishonest.

If the bank were a computer company with the present mindset, the bank would get to work on fixing the problem, and he'd have been ignored when he asked for cash, rather than prosecuted.

Re:Can this set a precedent here in the States?

[Typhon100]

Except that instead of washing your windshield, he got into your car, pulled down your pants and gave you a rectal exam.

You don't "unintentionally" hack into a bank's phone system.

Re:Can this set a precedent here in the States?

[Fordiman]

You don't 'unintentionally' wash someone's windshield, either. But guess what: indications of a vulnerable system are about as easy to see as a dirty windscreen, if you're looking. No invasion necessary.

Now, quick question, when did I use the word 'unintentionally' in my post, as you seem to be implying?

Re:Can this set a precedent here in the States?

[Schraegstrichpunkt]

Except that instead of giving you a rectal exam, he molested your daughter, exploded your favourite hockey team's home town with NUCLEAR WEAPONS, and stole your glasses.

Care to provide any justification for why your analogy isn't just an arbitrary construction designed to suit your position?

These are information systems. Not cars, not windshields, and not the doctor's office. Discuss the actual question, not stupid analogies.

Re:Can this set a precedent here in the States?

[Zooka]

''He committed no intentional crime. He was identified a security flaw, and provided this info to the bank before asking for money. Sure, it's a little like the guy who washes your windshield at a sopt light asking for money, but it's far from dishonest.

If the bank were a computer company with the present mindset, the bank would get to work on fixing the problem, and he'd have been ignored when he asked for cash, rather than prosecuted.''

I don't want someone evaluating my security unless I ask them to, just as I don't want anyone ''washing'' my windshield unless I ask them to. Both are trespasses. That being said, I suppose that if there was a strong case that the hacker's intentions were purely honorable (if he was unlikely to be attempting extortion), then perhaps I wouldn't want to render punishment that could have a devastating impact on their life. But given this man's past criminal record, (even if his record has been clean for the past 10 years), I would not have been so lenient. The severity of the punishment I'd render would depend upon factors such as how aggressively he demanded payment. Anyhow, I don't think it's safe to say his intentions were ''far from dishonest'' after only reading the article (which is clearly light on details).

Re:Can this set a precedent here in the States?

[montyzooooma]

"He's very lucky he did it in NZ where it appears that the courts consider him stupid rather than malicious. In other countries he might get charged with terrorism related offenses or worse."

Can anyone point to an example where "other countries" doesn't just mean the US?

Re:Can this set a precedent here in the States?

[Fred_A]

I just remove my windshield. The look on their faces when they try to wipe it is worth it.

Re:Can this set a precedent here in the States?

[badfish99]

How about the UK: see for example here

Also, in the UK someone was fined £1000 and lost his job just for typing in a URL with "../../.." on the end of it. Story here.

Re:Can this set a precedent here in the States?

[infofc]

That case is so much BS. I know the UK law can be pretty fascist, but that judgement makes no sense at all. Im so tempted to start doing the same hack on my own sites until I get "caught".

Re:Can this set a precedent here in the States?

[matress]

The crime requires intention, his actions were intentional, therefore he commited an intentional crime. Whether he knew it was a crime or not is beside the point (in the eyes of the law, ignorantia juris non excusat).

Re:Can this set a precedent here in the States?

[russ1337]

What is funny is the court and judge didnt share your point of view.

Miracles!

[soft_guy]

A judge who uses common sense. Wow!

Re:Miracles!

[Who235]

He did not pass the information on to others and did not use it for personal gain. "In my view his intentions were honourable."

I know. Amazing isn't it.

Although there was the slight matter of calling the bank and presenting a bill for services that were never asked for, but I'm willing to chalk that up to creative marketing. . .

On a side note, my uncle (who is a lawyer) has a low opinion of judges and tells the following joke which you may tell your friends under the JPL (joke public license):

Q:What do you call a lawyer with an IQ of 50?
A:Your Honor. (Substitute M'Lud or other region appropriate judge appellation here if necessary.)

Re:Miracles!

[icepick72]

On a side note, my uncle (who is a lawyer) has a low opinion of judges and tells the following joke

Enlightening indeed. After all those lawyer jokes the lawyers finally made a joke about somebody else ... and it wasn't even funny! Nice try by the lawyers, but there's gotta' be another lawyer joke in there somewhere.

Re:Miracles!

[Cyberax]

It's the only joke about lawyers. The rest are true stories.

Re:Miracles!

[Chuck+Chunder]

Q:What do you call a lawyer with an IQ of 50? A:Your Honor. (Substitute M'Lud or other region appropriate judge appellation here if necessary.)

Or for even more entertainment, use both. F. E. Smith to witness: "So, you were as drunk as a judge?"
Judge (interjecting): "You mean as drunk as a lord?"
F. E. Smith: "Yes, My Lord."

"Researcher" was stupid

[Gemini_25_RB]

I see absolutely no problem with someone analyzing the security of a network and relaying the results to the owners of the network. According to the article, the "researcher", Macridis, checked the network and then tried to sell the results to the owners, _after_ already accessing the network. Seems a little bass ackward.

Re:"Researcher" was stupid

[ianejames]

Imagine this: A man walks up to your house while you're gone and tests each lock on every door and window. He finds a way to break in -- but claims that he hasn't. Then he sends you a letter saying he knows your security vulnerabilities and requests payment for that knowledge.

Is it better or worse that he actually walked around inside your house?

Re:"Researcher" was stupid

[StrongAxe]

I spent an hour walking around your house and found that you had some unlocked doors. Please pay me $5000 and I will tell you where they are, rather than your enemies.

is blackmail.

I spent an hour walking around your house and found that you had the following unlocked doors... Please pay me $50 for one hour's work.

is a bill for professional services rendered.

Re:"Researcher" was stupid

[Fred_A]

The problem is that this could set a precedent:
"Thank you for your prompt payment of my security bill. During your vacation, I took the liberty of redesigning your house by adding turrets in the corners, a moat and a drawbridge. I also painted it striped pink and orange. Your garden now sports a beautiful 35m marble fountain representing 'Mammals Overtaking Dinosaurs' (an allegory). I left your mail on the little table by the door. Please find my bill for $7 897 463 attached."

Re:"Researcher" was stupid

[benplaut]

And there's still another difference --
You either charge for the information, or you give the information and then request to be paid.
FTFA, it appears that he told them what the problems were before asking for money. More honerable, even.

Not a good way to do business

[BadAnalogyGuy]

More than anything, this guy is a business dumbass for doing the work and providing the results before even a contract was drawn up. Because of this strange sequence of events (providing vulnerability information before being requested), all of a sudden his generous offer looks more like extortion than altruism.

His background with fraud (though 10 years prior) sullies his reputation even further.

It's not a crime to be a dumbass. At least not in NZ, apparently.

Re:Not a good way to do business

[BadAnalogyGuy]

It still sounds dangerously close to extortion. What happens to the data if the bank decides not to hire him? The bank was right to have him arrested, IMO. The judge was right to acquit him.

Stupid.

[Kid+Zero]

In other words, I can break into your house and wander around, take notes then leave. When I come to the door later, I can bill you for the "Security Consultation" and not be charged for robbery.

Great! ...and they call Americans silly? This one's off the chart.

Re:Stupid.

[Firehed]

Breaking and entering != robbery. Still illegal, of course, but generally you have to actually steal something to have stolen something (probably not always the case with some of the idiots we have in black robes, but that's another matter). As simple as it would make things, crimes aren't generic and thus you must be charged with the correct one in order to be convicted of it (I would hope). The poster I originally replied to just used the wrong one in his example. Or translated it poorly or something. Dunno, but looking around without permission certainly isn't theft.

Borderline scam?

[Louis+A.+J.]

While he didn't do anything illegal, I would be very surprised to receive a bill for a service I didn't request. His actions weren't illegal but his method of doing business definitely leaves something to be desired. Although his decision to not broadcast the bank's weaknesses to the public could be viewed as integrity, it could also be calculated business sense. It doesn't sound like someone I would choose to do business with.

Would you honestly pay for a service you weren't told you were receiving and didn't ask for if you were billed for it?

Re:Borderline scam?

[xs650]

Right, who does he think he is , the government?

First Xena, then LoTR, now this

[bunions]

what is it over there, like some kind of geek paradise?

Re:First Xena, then LoTR, now this

[Introspective]

what is it over there, like some kind of geek paradise?

Yep, thats why they created the .geek.nz 2LD. Geeks are taken seriously in NZ, almost as important as the sheep.

Re:First Xena, then LoTR, now this

[Petrushka]

what is it over there, like some kind of geek paradise?

No way, hell you should see what passes for broadband here.

Re:Insert dick here

[Who235]

Is that your anus? Are you propositioning me?

And wouldn't that make us "Linux fuck-anuses" and not "Linux fuckheads?"

Your troll is very confusing.

Speedy Justice

[ColaMan]

At least it shows efficient legal process.

Macridis had telephoned the Reserve Bank on May 30, introducing himself as a security consultant.
The Reserve Bank made a complaint to police, who searched Macridis' house on September 21 and seized his computer.

Ok, a bit slow there - four months - but maybe the bank did some research on the flaws first. And the wheels of Big Business turn pretty slow....

Gerasimos Macridis, 39, appeared in the Wellington District Court on Wednesday - the 27th - on one charge of intentionally accessing a computer system without authorisation.

A little over a week from when the police took his computer, to when he appeared in court.
They presumably searched it, did all the legal paperwork, had the weekend off, etc.
Not much crime in Wellington lately? Or are they normally this speedy?

Re:Speedy Justice

[Snad]

The Reserve Bank of New Zealand is not a bank, as such. It's not like you waltz down to the Reserve Bank to make a deposit of your weekly wage cheque.

I believe it's more like the Federal Reserve in the States, though the RBNZ is 100% government owned.

So basically this guy decided to do some "security analysis" of a governmental body, not some penny-ante savings & loan branch in the backwoods. So yes, the police are going to be on to it pretty damn quick.

Re: Why does this supprise people?

[revolu7ion]

You can't expect to get paid for work you weren't asked to do. Sure he incurred expenses, that he wasn't asked to incur by anyone but himself. If he truly had integrity, he would tell the bank and leave it at that. Not try to get money from it. That doesn't help his case of having a pure motive.

Re: Why does this supprise people?

[mark-t]

It doesn't matter that he didn't threaten to make the vulnerabilities public, he disclosed that he knew of the vulnerabilities to the bank, which instantly creates the knowledge that there _ARE_ vulnerabilities that somebody else might potentially try to uncover and exploit. The bank's only recourse is to fix those vulnerabilities, and the only way they will discover what vulnerabilities were uncovered is if they pay the guy.

Whether or not it was his intention, this soooo looks like extortion.

MAYDAY MAYDAY

[copponex]

Lawyer 131236716723: Shit. This is not good.

Lawyer 216421934614: What?

Lawyer 131236716723: They didn't throw this guy in jail who broke some technicality against a major corporation.

Lawyer 216421934614: WHAT?

Lawyer 131236716723: I'm serious! New Zealand! That fucking judge forgot how hard it is to pay off an SL500 and those student loans on a measly $70,000 starting salary!

Lawyer 216421934614: Look, I know you're new here, but this is America. We've got the RIAA, MPAA, not to mention all the lobbying to be done in DC. I mean, those Native Americans don't rip themselves off, eh? Plus, we've got so many laws on the book that someone, somewhere isn't doing something right, and who gets to prosecute?

Lawyer 131236716723: Lawyers?

Lawyer 216421934614: And who gets to defend?

Lawyer 131236716723: Lawyers!

Lawyer 216421934614: And who gets to judge?

Lawyer 131236716723: Former lawyers elected by other lawyers!

Lawyer 216421934614: And who makes the law?

Lawyer 131236716723: Former lawyers who have even less ethical concerns than other lawyers, lobbied by lawyers! Thanks, Bill... I was starting to worry!

You must be American

New Zealand was never a penal colony, so has never had criminals shipped to it, other than the state visits by royalty and presidents. You are obviously thinking of Australia, a completely separate country about 1800 km away. You could drop Texas into the gap in between. (and nobody would miss it either)

Not just once

[shack420]

This is actually the second time this has happened in NZ this year...

"Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week.

Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.

However two justices of the peace discharged Gupta saying there was no case to answer after a hearing in the Auckland District Court on Wednesday."

more @ http://www.crime-research.org/news/21.01.2006/1770 / and all over ya google.

Re:No surprise

[spagetti_code]

As an inhabitant of NZ, I think you need some lessons in Geography.

Australia is where the convicts were sent.
Colonists chose to go to NZ.
Australia is 2.5 hours away from NZ by airplane - i.e. a *long* way.

And we've got the Bledisloe Cup
and Australia doesn't. :-)

You need to spend some time with Google Maps.

Re:No surprise

[ThePeices]

"Thats what you get when you ship off all your criminals to a newly discovered island (or is it a continent?) and come back a hundred years later to look at their justice system."

What the hell are you on about, read TFA, this happened in NZ, not Australia.

He was asking for it....

[Bitsy+Boffin]

sorry, but this guy was asking for trouble. Firstly, it wasn't just any old bank, it was the Reserve Bank (http://en.wikipedia.org/wiki/Reserve_Bank_of_New_ Zealand), secondly, when he discovered this flaw he didn't just tell them about it, he said basically "I found a flaw, now pay me money".

You don't mess with the systems controlling an entire countries economy, and then demand money for it, if you do, well, Darwin would like a word with you.

Since when...

[toonworld]

..is telephone system considered an information system? I think I missed something.

I actually applaud the NZ courts. The man could have used the information to commit fraud, steal sensitive/valuable information and sell it to the highest bidder and make a whole lot of money but instead he chose to go directly to the bank and ASK for payment.

So he had a sure way to make money, but instead he ASKS for money AFTER revealing the security flaw. If you ask me, the bank suffered from bruised ego syndrome and wanted some sort of revenge. It's nice to see that the bank didn't get what it wanted.

Re:Um, Exposing a problem is not CREATING a proble

[tomhudson]

The judge was an idiot - what this guy did was just a new twist on the old "send them a bill and hope they pay at" scam.

A man who accessed the Reserve Bank's telephone systems to find security weak spots then billed the bank for his unsolicited services told the Wellington District Court he was surprised when police questioned him about his actions.

Gerasimos Macridis, 39, a researcher, represented himself in court before Judge Ian Mill.

Macridis pleaded guilty to one charge of intentionally accessing a computer system knowing he was not authorised to do so.

Police prosecutor Colin McGilivray told the court Macridis had telephoned the Reserve Bank on May 30, introducing himself as a security consultant.

He outlined problems with the bank's telephone system, then requested payment for providing the information. He also contacted Telecom and asked for payment, outlining testing he had conducted, vulnerabilities he had found and ways these could be fixed.

This is the same sort of scam that boiler-room ops do all the time - sending bills for unsolicited ad space in non-existent magazines, etc.

The guy is scum. The judge was out to lunch on this one.

Lets put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited :advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...

Or someone tries to break into your house, then sends you a description of all the "security weaknesses" they found, plus a bill for their time.

Just because its a phone system doesn't make it any less an attempted con job.

Re:Um, Exposing a problem is not CREATING a proble

[lubricated]

Yeah I get something similar from charities sending me mailing labels every Christmass and then charging me for them. I also get mail in the form of a check only when you look at the small print it's a loan. Yeah it's all bullshit. Usually legal though.

Re:Um, Exposing a problem is not CREATING a proble

[sjames]

Lets put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited :advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...

Tell him you aren't going to give him a penny, but thanks for the free security audit!

The judge's decision came from a correctional view of the justice system there rather than the punitive model used in the U.S. (despite the U.S. tendancy to falsely call prisons correctional facillities). That is, the judge believed that the process of justice up to that point had already convinced the defendant not to do it again and the free security audit was adequate restitution.