Last Thursday's conviction of a computer security consultant for illegally accessing a Web site set up to aid victims of the Boxing Day Asian tsunami prompted a wide range of opinions from readers of ZDNet UK. While many sympathised with a man who, even the judge agreed, had done "no real harm", others argued that a computer professional who knowingly accessed a Web site he had no permission to enter should have been aware of the possible consequences.
Daniel Cuthbert from London was found guilty of breaching Section One of the Computer Misuse Act (1990), which makes it an offence for someone to secure unauthorised access to a computer when they know that they are not permitted to do so.
Cuthbert, who at the time of his arrest was employed by ABN Amro to carry out security testing, pleaded not guilty to the charge. He was fined £400 plus £600 costs. An application for damages from the plaintiffs was thrown out by the judge on the grounds that by being found guilty, and already having lost his employment, Cuthbert had suffered enough.
The vast majority of ZDNet UK readers believe that Cuthbert has been treated unfairly. We conducted an online poll and asked readers if they believe Cuthbert "should have been convicted of gaining unauthorised access" to a computer under the Act. Over 1,000 people took part, and 92 percent said the conviction handed out by district judge Mr Q. Purdy was wrong.
While the vast majority of readers reckoned that Cuthbert was not guilty of a crime, there was a wide variety of opinion on the issue in our TalkBack pages.
It's understood that Cuthbert appended ../../../ to the URL in an attempt to reach directories above the site's Web root, in order to confirm whether or not the Web site was genuine. He argued in court that when he triggered the site's intrusion detection system he was checking the site out because he feared that, rather than actually making a donation, he had been taken in by a phishing scam.
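The ../../../ technique described above is worth seeing from the server's side. The following is an added example written for this page; it is not code from the original report or from the appeal site's software. It contrasts the vulnerable pattern (gluing the request path onto the document root and letting the operating system interpret every "..") with a hardened resolver that decodes, normalises and confines the path to the Web root. The document root /var/www/appeal and the request paths are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/appeal"  # hypothetical document root for this example


def naive_resolve(docroot, url_path):
    """The vulnerable pattern: concatenate the request path onto the root.

    Nothing here interprets '..'; the kernel does that at open() time, so
    '/donate/../../../etc/passwd' is handed to the filesystem verbatim.
    """
    return docroot + url_path


def os_resolves_to(fs_path):
    """Show where a concatenated path really lands once '..' is applied.

    normpath() mirrors the kernel's lexical handling of '.' and '..'
    (it does not follow symlinks; use os.path.realpath for that).
    """
    return posixpath.normpath(fs_path)


def safe_resolve(docroot, url_path):
    """Decode, normalise and confine the request path to the document root.

    Returns (http_status, filesystem_path). A path that would escape the
    root gets 403 and no path, so the server can log it as a traversal
    attempt rather than quietly serving a file from outside the site.
    """
    decoded = unquote(url_path)  # '%2e%2e%2f' -> '../'
    if "\x00" in decoded or not decoded.startswith("/"):
        return 400, None
    root = posixpath.normpath(docroot)
    # Join under the root and collapse dot segments. Any '..' that climbs
    # above the root now shows up as a path outside it, which is the check.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return 403, None
    return 200, candidate


if __name__ == "__main__":
    probe = "/donate/../../../etc/passwd"
    print("naive :", os_resolves_to(naive_resolve(DOCROOT, probe)))
    print("safe  :", safe_resolve(DOCROOT, probe))
    print("legit :", safe_resolve(DOCROOT, "/donate/../index.html"))
```

Browsers and most HTTP libraries apply RFC 3986 dot-segment removal before sending a request, so a literal ../../../ only reaches the server from a client that transmits the path as typed (curl's --path-as-is, a raw socket, or a proxy tool); a server that fails the 403 branch above has no such protection from clients that do not normalise.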
"Breaking in is not a means of making that determination," argued an anonymous security consultant. "[Does that mean] if you cannot break in the site is legit, or is it legit if you CAN break in?"
But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"
But whether it is trying doorknobs or the front (or back) doors of systems, can computer professionals do their jobs if they are no longer allowed to test systems as they might like to?
"I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert] didn't seem to employ any brute-force attacks or elegant procedures to check security at this site."
A US security consultant also felt the case could have serious consequences. "Pretty scary to think that only a government-authorised security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks."
But that wasn't everybody's view, and at least one correspondent believed that Cuthbert was not acting particularly professionally when he tried to crack the appeal site. "Professional testers know better than to go out and attempt to crack Web sites out of curiosity," argued another anonymous security specialist. "They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do so without repercussion. The simple fact is that [Cuthbert] tried to gain unauthorised access into a system."
You can still have your say about Cuthbert's conviction by voting in our poll or using TalkBack below.

Talkback
What happens if someone put that URL up as a link on a web page? Is everyone who clicks on it a criminal?
He lied to the police - do him for wasting police time. But if the webserver was configured to give a response to his (valid) request, and he DID NO HARM, then that's their problem.
I often alter URLs to try to navigate badly designed websites. I'd taken it that if you send a URL to a website and it sends back a page then it's public, published information. If it comes back 'forbidden' then it's not and you don't get to see it.
This sort of thing counts as 'hacking' now?
I'm not allowed to 'ask' the website 'can I see this URL please' when I really don't know if I'm supposed to be able to or not?
Perhaps we should all get written permission to access every URL before attempting to do so.
What if you click on a link from one website to another but the link is out of date and points to a forbidden URL? Are you a criminal, or the linking website's owner or both?
How many web users have never hit a 'forbidden' page by accident? How the hell do you prove that it WAS an accident?
So how do you check if a website is genuine or not? And if it is so easy to "hack" a URL, how often is this happening?
The situation has arisen due to the wordings of the statute. Section 1 of the Computer Misuse Act, 1990, considers an unauthorised access to a computer site as a crime if the person accessing the system “knows” that he is not authorised to access the site. The mens rea aspect has been incorporated in the form of “knowledge” aspect and that makes the concerned provision a “strict liability offence” unless the same is justified by law. For example, if an organisation or person is “legally entitled” to adopt “penetration test” as a mode of ethical hacking, then there seems to be no problem. The problem arises only when the person penetrating is not entitled to do so. In that case the provisions of section 1 apply harshly and there seems to be no justification for cursing the same. If the security aspects have to be tested or if the veracity of a site has to be checked, let the authorised person handle the same. If the person performing the penetration test is authorised, then there is no problem. If he is not, then the prosecution is the natural outcome.
Now coming to the conviction aspect, if the offender is a “first time offender” with no malicious intention (as in the present case), then the court must be liberal in his release either on probation or after due admonition. The offending act in this case is due to the language of the statute and whether a different provision must be made is a matter of policy decision by the Government that has to be decided by it in public interest. Till then the provision does not deserve to be criticised as the consequences were foreseeable.
Having read this, it is even more Bolleux than I thought. The whole point of the web is to put web servers on it to be accessed. As previously mentioned, if part of the web server is private then it should return forbidden. This has been going on since the beginning. How many people accidentally post a URL which they do not realise is valid for them, but not for anyone else?
Hacking is a concerted attempt to breach security or alter information.
If the URL had been loaded with buffer overloading data etc. then fair enough, but not a plain and straightforward URL.
Apart from that I seem to read that he didn't actually gain access, the attempts were logged. IF he didn't gain access and it wasn't a concerted attack (I have had 4-500 attempts in 30 minutes from China) then he has not broken the law, but Magistrates are not qualified on most matters and so do as the court "advisor" tells them.
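The "logged attempts" and the run of hundreds of attempts from one address mentioned in the comment above are what the defender actually sees. The following is an added example written for this page, not part of the original discussion or of any real DEC logs: a small detector over constructed Apache-style access-log lines that flags dot-segment probes (including percent-encoded ones), records whether any of them were actually served, and separates an isolated request from a sustained scan. The addresses, timestamps, 30-minute window and threshold of ten probes are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache common log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log for this example (not real traffic). One visitor
# makes a single probe; a second address hammers the same path for 12 minutes.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [31/Dec/2004:22:14:03 +0000] "GET /donate/ HTTP/1.1" 200 5120',
        '203.0.113.7 - - [31/Dec/2004:22:14:41 +0000] "GET /donate/../../../ HTTP/1.1" 403 287',
        '192.0.2.44 - - [31/Dec/2004:22:30:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048',
    ]
    + [
        f'198.51.100.9 - - [31/Dec/2004:23:{i:02d}:00 +0000] '
        f'"GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 403 287'
        for i in range(12)
    ]
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_dot_segment_probe(path):
    """True if any path segment is '..' as sent, after one decode, or after two.

    The double decode catches '%252e%252e' style evasion; backslashes are
    treated as separators so '..\\' is caught as well. A segment such as
    '..hidden' is not a traversal and is left alone.
    """
    path = path.split("?", 1)[0]
    once = unquote(path)
    for candidate in (path, once, unquote(once)):
        if any(seg == ".." for seg in candidate.replace("\\", "/").split("/")):
            return True
    return False


def classify_sources(log_text, window=timedelta(minutes=30), threshold=10):
    """Group probes by source address and judge isolated probe vs sustained scan.

    'served' counts probes answered with 200, i.e. where the server actually
    handed something back rather than refusing; that is the number that
    matters when deciding whether access was gained, not merely attempted.
    """
    probes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dot_segment_probe(rec["path"]):
            probes.setdefault(rec["ip"], []).append((rec["time"], rec["status"]))

    report = {}
    for ip, events in probes.items():
        events.sort()
        times = [t for t, _ in events]
        peak, start = 0, 0  # densest run of probes inside any sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            "verdict": "sustained scan" if peak >= threshold else "isolated probe",
            "probes": len(events),
            "served": sum(1 for _, status in events if status == 200),
        }
    return report


if __name__ == "__main__":
    for ip, summary in classify_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The verdict is a triage label, not a legal one: an intrusion detection system fires on the first probe either way, and the status codes in the log, not the alarm, are what show whether anything outside the site was actually served.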
How ludicrous that an act as simple as trying an amended URL can result in a fine and loss of employment. So now we must check and double check when entering a URL in case we set off an IDS alarm with our mis-spelling.
This is a stupid ruling, flies in the face of public opinion and just makes no sense at all.
Does that mean people think I can test their house security by entering their homes? Surely I can test my own home but not someone else's, and the same must be true for websites.
Was this hacking or just 'acking? If you go for a walk and wander onto somebody's land without causing or intending any damage then that's just trespass, but if you did intend damage then that's criminal trespass.
What about when you stand in someone's doorway when it rains? What about the strangers who walk up my garden path and knock on my door - despite the signs that say Private and No callers?
Point is; if there is no sign, or no fence and no damage then it's just a trespass. Why don't squatters and travellers get fined?
If he was just roaming - Why doesn't he get himself a decent lawyer and advice about an appeal?
It is unclear to me and, no doubt, most other folk what the laws are in respect to browsing, hacking (intentional or otherwise), DRM, etc. There is a blizzard of reports from around the World on these and other related topics and each cites a particular statute and details the hapless or malicious offender's offence. There are also lengthy articles about the philosophical nuances of wider policies, such as DRM and fair use. No wonder we're confused. It would be very helpful if a publication like ZDNet would publish a reference guide to 'digital law', detailing for example whether someone in the UK can be prosecuted under UK law, in the UK, for adding ../../.. to a site based in the US or China or Iraq or ... wherever! Also which countries allow/disallow/tolerate 'fair use' of bought copyright materials. There's lots more and a good pragmatic reference for the common user would be great!
If, as reported, he tried the ol' /../../ trick, then he was obviously testing to see if the web server was vulnerable to this well documented flaw of allowing root access via a specific URL sent to it.
This type of "attack" can reveal pertinent info on the security of the web server, but is generally used to gather info for further attacks. Was this his motive or not?
That said, only he really knows his motives for doing this, and hopefully did not lie in court or to the police. Everyone else's comments on this are irrelevant anyway. Are we now re-trying him via public opinion?
The ruling is unfair and I will go with the majority of the views. It's not as if he deliberately wanted to cause damage. I presume DEC has a log of his £30 donation, so why did they allow it to go so far.
Is ping-ing the web server technically illegal? It's akin to pushing a door open to an organisation to see if they are open for business (but not entering).
A port scan could reveal any opening so we have to be careful, but even that is like a criminal walking around a building to see how to potentially break in and this is not a crime. I don't know what application he used, but it may be that he trespassed onto the site, fully armed, but providing that no damage is done shouldn't have to lose his job, but be severely slapped on his wrist.
I mean how far up the OSI stack and what applications can be run before it is considered an offence?
Posting a website is an invitation to enter. It is like opening a store on a high street. The store may have several departments accessed via different doors. If a door is signed "Staff Only" then the consequences of opening the door are clear. If there is no sign then one may assume that one is entitled to enter.
If the website Terms & Conditions stated: "Access to this website is only permitted via the links provided", then guilty is the correct verdict. If not, and no damage was caused, and there was no intent to cause damage, then either the verdict or the act is wrong.
I'm not a security specialist, or a judge. However you need to consider the whole facts. He said he was testing to see if the site was real or fake, however no one has mentioned the fact that he changed his story, or alibi.
But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"
Or should that in fact be, "going down the shops for a packet of tea", no, sorry, I was "walking around trying everyone's front doors and car doors to see which ones are locked".
The judge even mentioned that the lie was why he was taking the action.
This is like a house breaker accidentally setting off an alarm then stopping what he was doing and providing a lame excuse when the police arrived.
Cuthbert changed his story during the proceedings. Presumably on the advice of his lawyers.
This is clearly the online equivalent of all the real world criminals who get off lightly due to technicalities.
We all know they're lying scumbags and we all know their intentions are dishonourable but unfortunately if they are pre-emptively caught there's nothing we can do but rap their knuckles.