Consultant Convicted For Non-Invasive Site Access

Phillip P Barnett writes "Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question." From the article: "During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access. The defence also pointed out that Cuthbert had not attempted to defraud the site." ZDNet also has a commentary piece on what this decision may mean for the future of cybercrime.
  • by yagu ( 721525 ) * <yayagu.gmail@com> on Friday October 07, 2005 @11:21AM (#13740342) Journal

    I can't help but suspect there must be more to this story than is being put forth. Part of me wants to believe his defense, "he never tried to defraud", but my distaste for legal mumbo jumbo makes me wonder more about the specifics:

    • He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?
    • He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)
    • Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)
    • Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?

    On its face, this looks like serious stuff with serious consequences for seemingly innocent activity and should give pause to any internet users, but I suspect there's more to it than meets the public eye.

    • by ArsonSmith ( 13997 ) on Friday October 07, 2005 @11:25AM (#13740372) Journal
      yea, at one time I was clear you could either tell the truth or you could lie. After reading the news you learn of this entire huge gray area called spin. It's amazing and opens the door for all kinds of emotional outbursts.
      • I access sites like this - with links, lynx, wget and curl ALL THE TIME!


        This is how you know who to trust - if there is a possible MITM and hidden re-direct, etc.


        If this is illegal, then it is illegal to automate these actions as well.


        The conclusion from this is that web-spiders are a form of 'hacking', and Google is in violation.

        • Ummm, the story says he was using lynx, and a paragraph further down, it says he clicked on a banner ad in order to get to the site.

          WTF? Is it just me, or does it seem really strange that he "clicked on a banner ad" while using lynx? He subsequently made a donation to them, and didn't see a confirmation page. Maybe I'm not up-to-date enough on lynx, but last time I used lynx, it didn't want to play very nice with a number of asp/js pages. And what kind of self-respecting geek (and a security expert no

          • Reading your comment, I have such a deja-vu feeling... I even checked if slashdot is not fucked up and it shows an old story.
            Wasn't some guy in UK under suspicion for hacking because he used lynx?

            Btw, I use very often elinks2 (links) and that has frames and mouse support (and with more effort even images), and I click stuff in it a lot of times. The banners are most of the times "accessible" with alt text, sometimes that text is more appealing than a graphic that we tend to ignore.
    • by Red Flayer ( 890720 ) on Friday October 07, 2005 @11:31AM (#13740436) Journal
      RTFA.

      "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it."

      British Law says that if you know you are not allowed access, you cannot attempt to circumvent system security.

      What makes this case so interesting is:
      "This is thought to be the first time that a judge had indicated that -- despite the letter of the act -- knowingly accessing a system when unauthorised to do so is not necessarily a crime. "

      • by malakai ( 136531 ) * on Friday October 07, 2005 @12:51PM (#13741140) Journal
        It looks like he initially lied to the police and said the reason the IDS detected it as a hack, was because he was using Lynx. That is the first story that went around the net. He was on Solaris, using Lynx, made a credit card payment, and the IDS picked it up as a hack.

        Here's the original BoingBoing: http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html [boingboing.net]
        and then: http://www.boingboing.net/2005/02/11/supposed_tsunami_cha.html [boingboing.net]

        In the end, despite his initial lie, all he did was try a directory traversal 'attack' (the ../ trick to try and break out of the root web directory). Not so much as an attack, as a query.
        Basically he was trying to answer: "Is this site vulnerable to this easily exploited flaw, and if so, I better call them or my Credit Card number is going to make its way around the Russian mafia sites in no time".

        I don't doubt he was secretly hoping the flaw existed so he could get some fame saving a disaster relief web site.

        I guess then technically, if you click the following link, their IDS should flag it as a 'hack' and if you live in jolly ol'england expect a boot at your door: Don't click me or you go to Jail! [bt.com]

        If you try it out, let me know how fast their response time is.
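
An added illustration, not part of the comment above and not BT's actual IDS logic: the Python below shows how a server-side log check can separate a request path that merely contains `../` (what a pattern-matching IDS alerts on) from one that would actually resolve outside the web root. The web root, log lines and addresses are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/donate"  # assumed document root (hypothetical)

# Constructed access-log lines in Common Log Format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:15:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2000:15:02:40 +0000] "GET /css/../index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2000:15:03:05 +0000] "GET /../../../ HTTP/1.1" 403 299
198.51.100.7 - - [01/Jan/2000:15:03:09 +0000] "GET /%2e%2e/%2e%2e/ HTTP/1.1" 403 299
198.51.100.7 - - [01/Jan/2000:15:03:11 +0000] "GET /%252e%252e/%252e%252e/ HTTP/1.1" 403 299
192.0.2.10 - - [01/Jan/2000:15:04:00 +0000] "GET /donate?ref=banner HTTP/1.1" 200 812
"""

# client, method, request target, status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def decode_path(raw_target, max_rounds=3):
    """Strip query/fragment and percent-decode the path a few times.

    Decoding more than once is a detection choice: it exposes
    double-encoded sequences such as %252e%252e to the checks below.
    """
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators, as some servers do.
    return path.replace("\\", "/")


def classify(raw_target, web_root=WEB_ROOT):
    """Return 'clean', 'dotdot-contained' or 'escapes-root'."""
    path = decode_path(raw_target)
    has_dotdot = ".." in path.split("/")
    # Resolve the path the way a file-serving handler would.
    resolved = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    inside = resolved == web_root or resolved.startswith(web_root + "/")
    if not inside:
        return "escapes-root"
    if has_dotdot:
        return "dotdot-contained"
    return "clean"


def scan_log(log_text, web_root=WEB_ROOT):
    """Return (client, target, status, verdict) for every non-clean request."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        verdict = classify(target, web_root)
        if verdict != "clean":
            findings.append((client, target, int(status), verdict))
    return findings


if __name__ == "__main__":
    for client, target, status, verdict in scan_log(SAMPLE_LOG):
        print(f"{client:15} {status} {verdict:17} {target}")
```

The status code matters to the reader of such an alert: a 403 on an `escapes-root` request means the server refused it, which is the situation described in the trial evidence quoted in the story summary.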

    • Or.....? (Score:3, Insightful)

      by Valiss ( 463641 )
      Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)


      Or how about picking up a phone and CALLING them. If there is no number to call, donate elsewhere.
    • Better summary (Score:5, Informative)

      by DrSkwid ( 118965 ) on Friday October 07, 2005 @11:46AM (#13740570) Journal
      http://www.theregister.co.uk/2005/10/05/dec_case/ [theregister.co.uk]

      'DEC hacking' trial opens
      Accused gives evidence
      By John Oates
      Published Wednesday 5th October 2005 16:22 GMT

      Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.

      Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.

      Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.

      Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.

      The case continues tomorrow. ®
    • by gormanly ( 134067 ) on Friday October 07, 2005 @11:50AM (#13740597)
      He tried to access the system twice and both times was denied access. What does that mean? Was he trying to gain access to a part of the system where access to sensitive information was stored? Was he trying to login, but not knowing how to?

      Directory traversal, and using lynx.

      He never tried to defraud: What does that mean? Is it because he never gained access? If so, was his intent to try and defraud had he gained access? (In my opinion, if that were the case, he certainly should be considered to have tried to defraud.)

      He gave them £30 (at the time, ~ US$58). This is the opposite of defrauding them...

      Another defense argument is this guy's actions were merely attempts to verify legitimacy of the fund raising site. So, what exactly was he doing to verify? (And why wouldn't he take more traditional avenues such as Googling, etc. What are the implications of every cynical user of a site attempting "access" to verify legitimacy?)

      He clicked on a banner ad to donate to the UK's Disasters Emergency Committee's appeal for the December tsunami in Asia, and got no confirmation page. His first thought was that this was a phishing site and he'd been scammed. So he panicked and tried the directory traversal...

      Has this guy done other things and now authorities, etc., are just using technicalities to shut him down?

      No. This was AFAIK his first offence of any sort at all - and now his career's in ruins.

      The Computer Misuse Act (1990) is an appalling piece of shoddy law - speaking as an IT professional who's actually had to read it. The only thing it's good for is threatening users.

    • As a UK-er concerned with "hacker rights" I've been following this case since it was first announced. Actually (tho' you are right to be cautious and sceptical of such stories), you're wrong: not only is it as bad as it seems, it's actually many times worse. Informed rumour in the UK scene / community has it that the "unauthorised access" of which he was accused consisted of adding " ../ " to the end of an URL. (Try checking boingboing.net's coverage, or that of NeedToKnow (ntk.net).)

      BT's IDS monitors m

      • >> Today I'm disgusted and depressed by the technical illiteracy not only of the police and justice system

        Let's assume for a moment the judge didn't have _any_ technical knowledge.

        What he did know was that the defendant had lied to police while making his initial statement. I'm pretty sure the judge felt he was on familiar ground at that point. That is what got him convicted, not the technical aspects.

        Not only has this cost a man his job, but you lucky Brits now have a case to be used as precede
      • Re: (Score:3, Interesting)

        Comment removed based on user account deletion
    • There could be more to this story. But unfortunately, there really isn't.

      The simple truth is that Dan is a top notch security guy, who had a prestigious position as lead penetration tester within an investment bank. He is also well known in the app-sec community, and his contributions to OWASP have been fundamental to the widespread success of that organization.

      He was working overtime on New Year's Eve, alone in the office, during a time when most people were already well into their third or fourth pint.

      D
  • by plover ( 150551 ) * on Friday October 07, 2005 @11:21AM (#13740347) Homepage Journal
    TFA quite clearly states that he was convicted because he lied to the police about his activities. Here's the quote:

    "Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

    Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

    The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said. "

    The article above also says "The defence also pointed out that Cuthbert had not attempted to defraud the site." What it should have said is that Cuthbert DID attempt to defraud the police. Very unprofessional behavior from a supposed "security professional."

    Moral of the story: don't lie to the cops about security testing. Take them seriously. Had he been honest, this wouldn't even have been prosecuted.

    • Well, of course Slashdot left that out of the article summary. This needed to be a "Poor guy convicted for doing simple website checks, let's rally together fellow hackers and feel sorry for him" instead of "Guy lied to the police about what he did, a big no-no." The former gets more page hits from sympathetic Slashdotters, which means higher revenues for OSTG. Yes, kids, this site is owned by a corporation (a Linux corporation, in fact...suddenly all the anti-Microsoft, pro-GPL front page articles make
    • How many people get arrested for lying to the police? Martha Stewart, that runaway bride, this guy?

      I'm not sure I understand the point of convicting someone of a crime unassociated to the lying part. For me, the fact that police are involved in all 3 of these nonviolent actions is the real crime.

      The thing to note is to never talk to the cops. Ever. Let your lawyer say what needs to be said. Shut up, defend yourself at trial. You have no reason to talk, as you're innocent until they get facts to find y
      • For me, the fact that police are involved in all 3 of these nonviolent actions is the real crime.
        In the case of that runaway bride, I think they got involved when she was reported missing and then things got even worse when she said she had been kidnapped.
      • It does seem strange that the judge effectively exonerated him of the crime of malicious intrusion, but convicted him of that very same crime solely because he lied to the police. Sounds like grounds for appeal, to me (IANAL).
        I quite agree with you about not talking to the police, but remember in this wonderful country, the law says that it may affect your case if you later mention something in court, in your defence, that you didn't mention at the time you were questioned by police.
        Personally, I'd li
    • by pla ( 258480 ) on Friday October 07, 2005 @11:42AM (#13740530) Journal
      Moral of the story: don't lie to the cops about security testing.

      We live in a world where possession of electronics and printouts on the subway gets you hauled away by a full riot squad under suspicion of terrorism.

      The average cop doesn't have the faintest clue about legitimate security testing as opposed to malicious hacking. Same tools, same methods, same general sort of people - Only the motivation differs, which the "target" can only discern after the fact (and since the article mentions he failed to gain access, he can't even establish that much in his own defense). Even another IT security pro would most likely have to seriously consider the exact choice of attacks to discern intent (for example, did he obviously not use easier but more damaging tools for certain parts of the task?).


      Yes, geeks should ALWAYS lie to the police, whether in the right or not. Because the police have one job - Check off that last little box on their list. If they can do that by throwing away a "cybercriminal" by getting a jury full of people who can't even open email attachments to convict, they WILL. The error here involves changing his story.
      • by I confirm I'm not a ( 720413 ) on Friday October 07, 2005 @11:59AM (#13740657) Journal

        We live in a world where possession of electronics and printouts on the subway gets you hauled away by a full riot squad under suspicion of terrorism.

        Dude, this is Britain we're talking about. Possession of a winter jacket and a Brazilian sun-tan gets you far, far worse than a hauling away.

        • by IIH ( 33751 )
          Possession of a winter jacket and a Brazilian sun-tan gets you far, far worse than a hauling away.

          It wasn't a winter jacket, it was a denim one. He didn't jump the barriers, he walked through them with his ticket, just like any other commuter. He was sitting down in the train when he was grabbed, pinned down, and shot eight times (with another three shots missing).

          BBC Article [bbc.co.uk]

          • by crazyphilman ( 609923 ) on Friday October 07, 2005 @02:14PM (#13741799) Journal
            I would love to hear how, exactly, the British cops explain this.

            Question: "So, the suspect was dangerous?"

            Cop: "No, guv, we had him pinned down, he wasn't going anywhere."

            Q: "So... Did he have a weapon?"

            Cop: "No, just a rail ticket."

            Q: "And you had him pinned down?"

            Cop: "Yep!"

            Q: "At which point you shot him once in the shoulder and seven times in the head?"

            Cop: "We wasn't taking any chances, Gov!"

            Q: "What, exactly, did you think he might do? Use harsh language???"

            Cop: "..."

      • The cops aren't all techno-idiots. Most major precincts have cybercrime divisions. The people they employ typically know how to investigate computer activity. Perhaps he could have come up with a BETTER lie that a cop computer geek couldn't have easily refuted, but chances are he denied being in there and they had obvious proof that he had been in there.
      • by Scrameustache ( 459504 ) on Friday October 07, 2005 @12:08PM (#13740732) Homepage Journal
        Yes, geeks should ALWAYS lie to the police

        Fer christ sake, STFU and ask for a lawyer!
        Don't lie to the police, that pisses them off.
      • by Anonymous Coward on Friday October 07, 2005 @12:26PM (#13740919)
        Yes, geeks should ALWAYS lie to the police, whether in the right or not. Because the police have one job - Check off that last little box on their list. If they can do that by throwing away a "cybercriminal" by getting a jury full of people who can't even open email attachments to convict, they WILL.

        Because, naturally, everybody else is a corrupt, money-grubbing idiot who has no interest in serving society, helping people out or any other noble enterprises, whereas all geeks are paragons of altruism who live in their parents' basement and work tech support so that they can write free software for the greater good.

        All the cops that I've met were just trying to do their job. They don't get paid by the conviction. They would much rather be stopping violent criminals and making people safer, but they have to deal with all crime because non-violent crime can damage society just as much as violent crime. I have certainly heard about corruption, bigotry, etc., but haven't seen it myself.

        On the other hand, I've known some technical people who have no interest in playing by the rules (on any level). Most people seem to think that cheating the law is some sort of game (although they don't want to play anymore when they lose). I've known geeks whose morals were just as low as any corrupt cop, and heard about those who did just as much damage.

        This case is a nice example. If the defendant was forthright and honest, the judge would likely have taken his word and let him go. Because the guy tried to cheat the system, the judge has no reason to believe anything else he says, including the part about how he didn't mean to defraud the site he was visiting, that it was an honest evaluation. As you said, it's hard to tell the difference, so the character of the defendant plays a big role in determining his goals.
      • The average cop doesn't have the faintest clue about legitimate security testing as opposed to malicious hacking.

        Well if you have no work relationship with the company then it is not "legitimate security testing".
    • Moral of the story: don't lie to the cops about security testing.

      Real Moral of the story: Don't tell police ANYTHING without your lawyer in the room. Ever. It has nothing to do with being helpful or honest. It is about covering your ass against all potential outcomes.

  • UK lawlessness, nothing new?

    The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.

    This is a country that won't let their citizens bear arms (increasing crime [lewrockwell.com]), but will let security officers shoot first and never ask questions. This is a country that continues to fight a war against secession for centuries.

    TFA doesn't surprise me at all. Citizens have no rights any more. Just let the State provide. Does it surprise you that they criminalize non-violent behavior after you realize that national prisons were a statist recreation [lewrockwell.com]? More laws = more crimes = more criminals = more prisoners = more money for the State.

    Again, nothing to see here, except it is a good preview of things to come in the US as we clamor for more regulation, more government control of the Internet, and more destruction of our basic rights to protect ourselves.
    • The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.

      Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.

      • The right to, um, test other people's security systems. Yeah, that's the ticket! It's in the UN's Charter of Human Rights, somewhere, I'm pretty sure...

        It's interesting that, much like in Watergate, he got in trouble mostly because of the coverup, not the crime itself.

      • The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.

        After finding no cause to charge him, they instead convicted him of lying. So he was wrongfully accused, but during interrogation he lied.

        Crazy world we live in. Why not arrest every tenth person for murder. See if they slip up some fact, then book them.

        In my mind, if the original arrest is unfounded, take no action.
        • The fact that he was arrested for performing a nonviolent act is the first abuse by authorities.

          I'm sorry, abuse?

          Does this mean if, for example, your car was stolen with no violence involved, you would be happy if no action was taken? What if your house was burnt down by someone who doesn't like you, but again, no violence was involved. I'm sure this would be acceptable too, right?

          Whether you like it or not, the Computer Misuse Act (1990) is here for a reason. It is not a basic human right to access comput

      • Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.

        I think the point of the GP post was simple: the "law" he broke infringes on basic rights. Just like watching CSS-encrypted DVDs on a Linux box is illegal, certain laws make criminals out of honest citizens.

        If I were arrested in Fairbanks, AK, for carrying an ice-cream cone in my pocket, I would hope for some public outrage. Yes, there's a law against it; but that law infringes on my bas
        • If I were arrested in Fairbanks, AK, for carrying an ice-cream cone in my pocket, I would hope for some public outrage. Yes, there's a law against it; but that law infringes on my basic right to carry an ice-cream cone in whatever manner I desire.

          I completely agree with you, but be careful about how you fling about the term "right." Rights are things that all men possess as an incident of being human beings. They cannot be taken away or awarded, you always have them. Governments may only choose to reco

      • He did basically break the law. But this is a similar situation to a Red Cross volunteer walking up to your door and asking for a donation, which you give out but then want to find out if it is valid. So you go to the local Red Cross and ask if the person you gave money to is legit. But in the online sense there isn't really a physical building you can go to, or people you can talk directly to. The distance that can be felt from websites, and sometimes their shoddiness, can leave a bad feeling that make
      • Which of Cuthbert's rights were violated when he broke the law and was convicted of doing so, again? I missed that part.

        Being convicted for the act of breaking the law is the way it's supposed to work. However, there's a difference - he was convicted because he lied to the cops.

        zdnet [zdnet.co.uk] Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.

        District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret

    • The UK has preceded the US in destroying the basic rights of its citizens, replacing laws against violence with laws against rights.

      However, we still don't have any laws against trolling. Shame, really...

    • Moral of the story: Do not try to use the excuse of curiosity to break into another person's system? If he was concerned over the validity of the site in question he should have done web searches on it and/or other background checks. As a "security consultant" he should have known better and the judge IMO did the right thing. I don't see where this person's rights are being violated here as he was the one who acted as an attacker in this scenario.

      If you think this is ok then would it be ok for me to use the
  • Hmm. (Score:3, Interesting)

    by sdirrim ( 909976 ) <sdirrim @ g m a i l . com> on Friday October 07, 2005 @11:24AM (#13740360) Journal
    On one hand, he could have used legitimate methods to verify the site. On the other hand, he didn't destroy any data, view private information, nor was it a malicious purpose (supposedly).
    • because he couldn't get in

      and then lied to the investigators about his entirely innocent activities

      In what way is trying to break into someone's system 'legitimate'?

      Can you tell me what legitimate reasons you could have for breaking into my house (presuming you are not an agent of the state).

  • by gravyface ( 592485 ) on Friday October 07, 2005 @11:25AM (#13740373)
    While I sympathize with him, taking the law into your own hands on a whim, regardless of the crime or environment, should not be tolerated. If he was B&Eing into a biker hangout to see if they had his stolen TV, he'd be prosecuted in the exact same manner.
  • couple of checks? (Score:5, Informative)

    by cdn2k1 ( 908657 ) on Friday October 07, 2005 @11:27AM (#13740403)
    I think by "couple of checks," you mean "a directory traversal attack."

    http://www.theregister.co.uk/2005/10/05/dec_case/ [theregister.co.uk]
  • by khendron ( 225184 ) on Friday October 07, 2005 @11:32AM (#13740442) Homepage
    Though TFA tries to ring alarm bells over police cracking down on innocent activities, it also mentions that the guy initially lied to the police about his actions, leading the police down a time-consuming garden path.

    So although the guy's "hacking" was fairly innocent, his response to the police was not. Perhaps he should be convicted of public mischief instead.
  • by Azarael ( 896715 ) on Friday October 07, 2005 @11:32AM (#13740446) Homepage
    He should probably have known better since his job deals specifically with security. I'm even surprised that he would get hit with a phishing attack to begin with. Also if he got hit that hard over this, what would have happened to the owners of the site if he had been defrauded and had reported it to the authorities instead (it sounds like he and the site were based in the UK)?
  • If there's anything to be learned from this, it's probably "don't lie to the authorities". I'm sure many will take offense at this, but basically he got convicted because he wasn't honest to the police investigating his intrusions.

    By the way, the first thing that (superficially) struck me about the story was the guy's name:

    D an i e l Cuth bert

  • Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

    Perjury is a crime, you know.
    • Re:Well (Score:3, Informative)

      by g0bshiTe ( 596213 )
      Perjury is a crime, though lying to police is not. Never said he changed his story in court, only to the police.
      • So you're saying lying to the police shouldn't be considered a crime? Also, how do we know he wasn't under some kind of affirmation or oath.
        • So you're saying lying to the police shouldn't be considered a crime?

          In general, no. Lying to the police should only be a crime in well-defined circumstances. It may however be considered evidence that someone knew their behavior was wrong.
    • Re:Well (Score:5, Insightful)

      by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Friday October 07, 2005 @11:41AM (#13740520) Homepage
      Perjury is a crime, you know.
      Yes, but generally you have to be sworn in or otherwise lie under oath to be convicted of perjury. (At least in the US. I don't know what the laws look like on the other side of the pond.)

      Generally making a statement to the police isn't done under oath.

      And really, if the crime was perjury, why wasn't he convicted for perjury and not something else?

      • Yup, perjury is lying in a court of law while sworn in.

        Lying to the police under questioning would probably count as "obstructing the police with their enquiries" if you wanted to push the point.

    • Re:Well (Score:4, Informative)

      by I confirm I'm not a ( 720413 ) on Friday October 07, 2005 @11:46AM (#13740569) Journal

      Perjury is a crime, you know.

      Perjury is a crime committed in court, not in an interview room. To put this in context, in the USA and many other countries, it's perfectly acceptable to say nothing when questioned by the police. Indeed, I believe the Constitution or an amendment (I'm neither a US citizen nor resident) grant citizens the right not to incriminate themselves. I'm not aware of any such right in Britain, and in Britain when you're arrested you are advised that:

      You have the right to remain silent, but if you do not mention, when questioned, something you later rely on in court, it may be held against you. [My emphasis]

      In other words, you're strongly "encouraged" not to remain silent.

      I'm neither condoning nor condemning Mr. Cuthbert's statements to the police, merely suggesting that we don't know why Cuthbert chose to (allegedly) lie.

      • It's OK to say _nothing_. It's NOT OK to give false statements. If Martha Stewart kept her trap shut, she wouldn't have ended up in jail.
        • It's OK to say _nothing_. It's NOT OK to give false statements. If Martha Stewart kept her trap shut, she wouldn't have ended up in jail.

          Martha Stewart was arrested and presumably "Miranda-ed" - in a country where it is, indeed, OK to say nothing.

          Daniel Cuthbert was arrested and advised that if he kept quiet his defense in court might be compromised - the UK "Miranda" is very different to the warning given in other countries.

          The best advice I can give if you're arrested in the UK is state that you will

      • Actually, I believe the portion in italics should read:

        ...but it may harm your defence if you do not mention, when questioned, something which you later rely on in court.

        The difference in meaning is subtle, but present. Of course, there is a world of difference between saying nothing and lying. Lying to the police could fall under wasting police time or attempting to pervert the cause of justice. I would much rather have seen him prosecuted under the former of these than the Computer Misuse Act.

        • Actually, I believe the portion in italics should read:...

          I suspect you're quite right. But that's really the point, isn't it, that the UK caution isn't clear, is intimidating, and does turn otherwise sane people into gibbering idiots. Yes, everyone should keep mum until they've spoken to a solicitor. No, very few people actually do this.

      • by Otter ( 3800 )
        Indeed, I believe the Constitution or an amendment (I'm neither a US citizen nor resident) grant citizens the right not to incriminate themselves. I'm not aware of any such right in Britain...

        Actually, beyond that, US law protects the "exculpatory 'no'" -- untruthfully saying "I didn't do it!" isn't punished as an additional offense the way a similar lie from a witness would be. That's not the case in most countries, although I don't know about Britain.

  • "IT: Consultant Convicted For Non-Invasive Site Access"

    No. The consultant was convicted of attempting to access a system which he knew he was not authorized to access. He never got access -- it was the attempts that nailed him.

  • by It doesn't come easy ( 695416 ) * on Friday October 07, 2005 @11:37AM (#13740486) Journal
    Now that he's beginning his new career as a black hat...
  • WARNING! (Score:3, Insightful)

    by Spy der Mann ( 805235 ) <spydermann.slash ... com minus distro> on Friday October 07, 2005 @11:43AM (#13740531) Homepage Journal
    Putting an innocent person to jail will make him want to get some retribution for his time spent UNFAIRLY in jail.

    Will he trust in the government after? In trials? In the police? The guy feels betrayed by the same government he paid taxes to! What they're teaching him is to be much more careful the next time he tries to hack a site. Yeah, nice way to "reform" a "criminal".
  • by karlandtanya ( 601084 ) on Friday October 07, 2005 @11:44AM (#13740547)
    "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."


    This reads to me something like "If anybody tells you you can't do something with a computer, and you do it anyway, it's a crime.".


    So, in the UK, to attach criminal liability to your violation of any of my own wishes, I just have to somehow involve a computer.


    What, by the way, is a computer in the UK? Do embedded devices count? Don't leave through that automatic door; Mickey here hasn't sold his quota of cars this week, and we want a fair chance to convince you to buy. Whoops--you triggered the photoeye, causing the automatic door to open. I guess you can't get more egalitarian than this--every individual has the right to pass criminal laws.


    OK, this seems a really silly example. It is. After all, we trust the authorities to selectively enforce overly broad laws--only prosecuting the real bad guys.


    Hell, it works on this side of the pond; why not over there?

  • I do security audits for a living.

    Although I do them with a fully endorsed and NOTARIZED release!

    Rule number one:

    "Thou shalt not perform any invasive activity against IPs that you do not have de facto administrative control over or have legal release (in hard copy) to do so."

    I have no sympathy for the guy.

    The comment at the end of the article is crap IMHO: "I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he meri
  • So, typing "/../" at the end of a URL is now considered a cybercrime?
    • Actually yes it is if they can prove that you are purposely trying to drill down into directories that you know you shouldn't have access to. It's all about proving intent which can be hard. But for certain ppl (like a computer security consultant) I think it would be hard for him to feign ignorance in the eyes of judge/jury...
  • He broke the 11th Commandment:

    Don't get caught.

    Guy should do time for posing as a security guru then getting busted.

  • Refund (Score:2, Funny)

    by mhandlon ( 464241 )
    I hoped after all this he asked for his donation back.
  • by cortana ( 588495 ) <sam@robots.orRASPg.uk minus berry> on Friday October 07, 2005 @12:17PM (#13740827) Homepage
    For my own safety I think I'll configure my copy of bind to not resolve names in the bt.com zone. BT's IDS is famously overzealous--anyone remember that 'hacker' gaoled for using Lynx [google.co.uk] story from last year? That was BT's fault as well.
  • by Evil W1zard ( 832703 ) on Friday October 07, 2005 @12:27PM (#13740931) Journal
    After RTFA and then looking at the poll I am amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage"

    It's time to wake up people. First point: Yes he did cause damage. Money was spent investigating the intrusion which is monetary damages. Second Point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.

    How does this hurt the Penetration Testing career field as well lol (another piece of FUD in the article...) Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later on the road. Documentation is kept during the process of testing so the testers can show that at point X when they were attempting attack Y they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal and he being a security consultant would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure people might sympathise with me if I was right, but that doesn't mean it makes it legal.

    • "First point: Yes he did cause damage. Money was spent investigating the intrusion which is monetary damages. Second Point: He very well could have caused damage had he successfully broken in."

      If he didn't break in, how could there be money spent investigating the intrusion?

      If you walk up to a store, and rattle the door to see if it is locked it is not a crime. If the company has a camera watching the door you're not held for any liability to pay them back for money spent on the guy reviewing the camera tapes.
      • I love it when the clueless talk like they know. Have you ever investigated an attempted intrusion or even a successful intrusion? You have to spend X amount of hours to go over the logs and see exactly what the offending IP did and then you go and try and correlate that with other traffic around the time to make sure that there weren't multiple sources involved. You also have to take the data collected and ensure it is protected as digital evidence.... Point is if you have ever investigated cyber crime the
  • by rapiddescent ( 572442 ) on Friday October 07, 2005 @01:35PM (#13741471)
    Whilst I think Cuthbert was daft for lying and that was his mistake, I would have also panicked...

    have a look at http://www.dec.org.uk [dec.org.uk]. They are currently supporting a campaign to help the worthy cause of the situation in the Niger. Click on the donate button and you will be taken to a shocking rendition of a 1997-esque payment page that looks awful. So I imagine our man Cuthbert looked again at the dec.org.uk site and it looks bona fide enough and also the whois entry stacks up.

    I remember at the time that the BBC News carried a story at, or about the time of the Hogmanay (31st Dec 2004) regarding fake websites. I could only find this story [bbc.co.uk] on BBC website 6 days after the alleged incident.

    so our man cuthbert panics. As you can see the basic link and page to securetrading.net (not even a .co.uk). Remember that 31-DEC-2004 is a friday before a long holiday weekend. So there will be no-one to phone. He looks at the certificate for the server-side SSL - "Secure trading Ltd" a UK company. But the whois entry is privately registered and does not have any standard company details on it - it is also registered abroad (which isn't a big worry, but remember this is a UK gov't sponsored website)

    My next port of call is Companies House - where all UK Ltd companies have to be, by law, registered. So using their webcheck facility - it is company number 04591066 with an address in south east london. Not a government organisation, but seems wholly owned by another unknown company UC Media? securetrading.co.uk? no, they're someone else. back to companies house - searching for UC Media, can't find them, but there is an entry for UC Group Ltd at the same address. bingo. hang on. there are two insolvency notices on this company...

    I'm sorry but I would have also panicked.

  • by zappepcs ( 820751 ) on Friday October 07, 2005 @01:38PM (#13741495) Journal
    It seems to me that it's like a teen rattling a gate at the ball park to see if it is locked. While you might do so out of curiosity, or in an attempt to gain unauthorized access, it is still just checking to see if it is locked. If you have a valid ticket in your pocket, accessing through that gate would still be wrong, but checking that it is locked is not.

    It does not matter if you have safe cracking tools in the garage at home, if you are simply standing outside the jewelry shop, and check to see if the door is locked or anyone is inside, this doesn't mean that you are attempting to steal diamonds. Sure, he may have had tools on his machine, but that is no different than saying a cop has a gun, and looked like he was trying to break into the store when the door was locked. Things are not always as they appear, and convicting on the basis of intention, especially when it is not overly easy to see the intention, is just wrong.

    We have no need of, or room for, thought police in civilized society.

    Of course, I may have missed a salient point here, but it just seems wrong to convict without evidence of harm.

    In the case of where this seems to happen, like dangerous driving (intoxicated or not) it has been shown that this behavior does lead to accidents, and removing the driver from public roads is a safety measure that does not harm anyone. This is the reason for various lane markings, speed limits, etc.

    In this case, there were no speed limits or lane markings, only a locked gate type of guidance. Convicting this man of attempting to steal when there is no blatant evidence is just wrong, and sets a bad precedent in my opinion. Banks don't keep their cash funds out on the sidewalk for a reason. If they did, and it went missing, what exactly would the courts say?

    Additionally, it doesn't seem to ring true that a 'security expert' would leave such a trail as to be caught if he was truly trying to break into the system?

  • by flibuste ( 523578 ) on Friday October 07, 2005 @02:49PM (#13742135)

    Seriously...again...is that me reading between the lines or ...

    On Thursday, Daniel Cuthbert [...] was found guilty of breaching Section One of the Act [...]. He admitted attempted to access the Web site, which was collecting donations for victims of last year's tsunami.

    So I understand that he "admitted accessing the web site"...Oh my...I just clicked on my "Slashdot" bookmark and accessed the web site. Is this not allowed any more?

    The article also states:

    Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site. As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

    So basically, I have been testing my web application all morning. As it turns out, I was testing the ACEJI security configuration and got a lot of "access denied", which I was expecting since I wrote the system.
    This scenario falls under the Act description. I should be jailed!

    OK...I think that's not me...I think this world is getting dangerously ignorant and stupid.

  • by Vegeta99 ( 219501 ) <rjlynn@gmai3.14l.com minus pi> on Friday October 07, 2005 @04:31PM (#13742882)
    So he lied. What's wrong with that?

    "WHERE DO I START?!" you're probably thinking.

    Well, now let's turn the tables. I'll give you an example of the tides turning -

    Last year, on my 18th birthday, I partied a little bit too hard. After hours of drinking, we went for a drive (YES, we DID have a sober driver.). Unfortunately, we ended up in a situation that the cops were called, and my 4 buddies and I had to spend the rest of my 18th birthday shackled to the walls in a PA State Police barracks. Now, at this point, I was too drunk to write, so they just made me sit there and did their rounds. After a few hours I see one... two... and then three... go up for their mugshot and then leave... and then they finally let me go.

    So, I go outside to meet my friends and try to find them a way home, and I promptly get punched square in the face. "What the FUCK was that for?", I thought. Well, it turns out the state police, despite my inability to drive, write, or even talk without sounding like a raging alcoholic, had told my friends I had written a confession that said A - we had broken the windows (what got us there in the first place) and that B - everyone had been drinking. It would be in _their_ best interest to do the same. So they did.

    I could go into another example of the same thing happening to someone else, but I'm sure everyone's heard enough of them.

    When my long-forgotten ancestors accepted this nation's founders' idea for government, they placed their trust in it for not only themselves, but everyone down the line, too. I've even heard cops say that "pig" stands for "Pride, Integrity, Guts". What's that middle word there?

    If you would like your citizens to behave and be honest people of high moral standards, then you MUST do the same. With deceit comes dissension, and with dissension, revolution is born. Those that lead must do so by example, and soon enough, those that should be removed from society will become very evident.

    To put it short, How can you trust a liar? You can't, no matter how truthful they are.
