In message <fob8an$p9t$1@[EMAIL PROTECTED]
>, Keith F. Lynch
<kfl@[EMAIL PROTECTED]
> writes
>netcat <netcat@[EMAIL PROTECTED]
> wrote:
>> Then again, maybe there are some extremely stupid British techies
>> after all. Wasn't it in Britain where a guy was arrested for making
>> a donation with Lynx?
>
>Yes. See http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html
>
>I never heard any followup. What happened next?
Finding this took a few minutes googleing.
It turned out that wasn't why he was arrested. He had actually committed
a criminal offence in attempting to gain access to non public
directories on the server.
<http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/>
Tsunami hacker convicted
Fine + costs for Daniel Cuthbert
By John Oates
Published Thursday 6th October 2005 16:24 GMT
Daniel James Cuthbert was convicted today of breaking Section 1
of the Computer Misuse Act of 1990 by hacking into a tsunami
appeal website last New Year's Eve.
District Judge Mr Quentin Purdy said: "For whatever reason Mr
Cuthbert intended to secure access, in an unauthorised way, to
that computer...it is with some considerable regret...I find the
case proved against Mr Cuthbert." He was fined £400 for the
offence and must pay a further £600 in costs.
Cuthbert, 28, of Whitechapel, London, told Horseferry Road
Magistrates Court yesterday that he had made a donation on the
site, but when he received no final thank-you or confirmation
page he became concerned it may have been a phi****ng site, so he
carried out two tests to check its security. This action set off
an Intruder Detection System in a BT server room and the telco
contacted the police.
The prosecution made an application for costs but declined to
seize Cuthbert's Apple notebook on which the offences were
committed. They made no further claim for compensation.
The defence asked for some sort of discharge because the case
came close to "strict liability" - it was his responsibility but
not his "fault". Mr Harding, for the defence, said: "His
reasoning was not reprehensible. He was convicted because of the
widely-drafted legislation that could catch so many."
Mr Purdy, speaking to Cuthbert in the dock, said: "I appreciate
the consequences of this conviction for you are considerably
graver than any I can impose. But you crossed an inappropriate
line, time and expense was expended and anxiety caused. That
aside, the price may be a heavy one for you to pay." Cuthbert
lost his job as security consultant at ABN Amro as a result of
his arrest and has only recently been able to find work.
DC Robert Burls of the Met's Computer Crime Unit said
afterwards: "We welcome today's verdict in a case which fully
tested the computer crime legislation and hope it sends a
reassuring message to the general public that in this particular
case the appropriate security measures were in place thus
enabling donations to be made securely to the Tsunami Appeal via
the DEC website."
Peter Sommer, who was an expert witness for the defence, said he
thought the judge had a good understanding of the issues
involved but "took a very strict view of the wording of the
legislation." Sommer added that he thought the policing of minor
offences should "not involve taking people to court but rather
talking, warning and slapping wrists."
Asked if he thought the verdict would make it harder for the
police to get help and cooperation from security professionals
Sommer said: "It will certainly make them more wary."
Speaking after the verdict an upset Daniel Cuthbert told the
Reg: "They've now set the bar so high that there should be
thousands of convictions for people doing things like these.
There will be lot of anger from security professionals and the
police will find it harder to get help in future."
Cuthbert is considering a career outside the IT industry.
<http://news.zdnet.co.uk/security/0,1000000189,39236752,00.htm>
Tsunami 'hacker' finds new job in security scene
Graeme Wearden, ZDNet UK and Dan Ilett, silicon.com ZDNet.co.uk
Published: 11 Nov 2005 13:45 GMT
When Daniel Cuthbert was convicted last month of gaining
unauthorised access to a Tsunami fund-raising Web site, many
people — including the trial judge — suspected his career in
the IT industry was over.
These fears were unfounded, though. Cuthbert is hard at work at
Corsaire, a UK security company.
Martin O'Neal, director at Corsaire, confirmed on Friday that
Cuthbert had actually joined the company before his trial.
O'Neal, though, isn't worried that one of his employees is a
high-profile breaker of the Computer Misuse Act (CMA).
"The reason being, we've known Daniel for a long time. He was
well-known in the security industry, even before the case. His
integrity has never been called into question," O'Neal told
ZDNet UK on Friday.
Cuthbert was found guilty under the CMA of gaining unauthorised
access to the Tsunami appeal Web site. He claimed in court that
he had made a donation and then became concerned that he'd
fallen victim to a phi****ng scam. To check, he added ../../../
to the URL in an attempt to access the site's higher directories
— an action that triggered an alarm.
Security experts and ZDNet readers have expressed concern about
the conviction. O'Neal shares this view.
"As for the conviction, it's frankly ridiculous. It highlighted
how untried and untested the CMA is. The main problem is how you
define unauthorised access and intent in the context of an open
Web server," O'Neal said.
As a full-time employee at Corsaire, Cuthbert is currently
working on internal training material. This may come as a
surprise to the judge in his case, who told Cuthbert that the
consequences of his actions were “more serious than anything I
can do".
The wider issue of the ethics of hiring known hackers or
convicted cybercriminals is one that splits the security
industry. Last year, German firewall vendor Securepoint was
criticised after hiring Sven Jaschan, a teenager who had been
charged – and was subsequently convicted – of writing the
Sasser worm.
Richard Starnes, UK president of the Information Systems
Security Association, acknowledged that the cir***stance of
Cuthbert's conviction should not automatically debar him from
the security industry.
"Life is rarely made of hard and fast rules, nor should it be.
You should look at the merits of each particular case. In
general, I do not hire former hackers. However, from a potential
employment standpoint, a situation such as Mr. Cuthbert's would
certainly warrant further investigation rather than a flat
refusal to consider for employment," said Starnes.
The CMA can be fairly draconian and creates some very broad offences
which covers some fairly innocuous activities. On the other hand this is
an act passed in 1990 which nearly 18 years later is still effective at
dealing with spammers, virus writers, script kiddies and other scammers
and vandals. There can't be many pieces of legislation covering the
Internet that are still effective after that amount of time without
major revision.
--
Great Internet Mersenne Prime Search http://www.mersenne.org/prime.htm
Livejournal http://brett-dunbar.livejournal.com/
Brett Paul Dunbar
To email me, use reply-to address
|
