Tsunami 'hacker' is innocent, say readers


Last Thursday's conviction of a computer security consultant for illegally accessing a Web site set up to aid victims of the Boxing Day Asian tsunami prompted a wide range of opinions from readers of ZDNet UK.

While many sympathised with a man who, even the judge agreed, had done "no real harm", others argued that a computer professional who knowingly accessed a Web site he had no permission to enter should have been aware of the possible consequences.

Daniel Cuthbert from London was found guilty of breaching Section One of the Computer Misuse Act (1990), which makes it an offence for someone to secure unauthorised access to a computer when they know that they are not permitted to do so.

Cuthbert, who at the time of his arrest was employed by ABN Amro to carry out security testing, pleaded not guilty to the charge. He was fined £400 plus £600 costs. An application for damages from the plaintiffs was thrown out by the judge on the grounds that by being found guilty, and already having lost his employment, Cuthbert had suffered enough.

The vast majority of ZDNet UK readers believe that Cuthbert has been treated unfairly. We conducted an online poll and asked readers if they believe Cuthbert "should have been convicted of gaining unauthorised access" to a computer under the Act. Over 1,000 people took part, and 92 percent said the conviction handed out by district judge Mr Q. Purdy was wrong.

While a vast majority of readers reckoned that Cuthbert was not guilty of a crime, there was a wide variety of opinion on the issue in our TalkBack pages.

It's understood that Cuthbert added ../../../ to the URL, hoping to reach higher directories in order to confirm whether or not the Web site was genuine. He argued in his case that when he set off an intruder alarm he was checking the site out because he feared that, rather than actually donating, he had been taken in by a phishing scam.

"Breaking in is not a means of making that determination," argued an anonymous security consultant. "[Does that mean] if you cannot break in the site is legit, or is it legit if you CAN break in?"

But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"

But whether it is trying doorknobs or the front (or back) doors of systems, can computer professionals do their jobs if they are no longer allowed to test systems as they might like to?

"I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert] didn't seem to employ any brute-force attacks or elegant procedures to check security at this site."

A US security consultant also felt the case could have serious consequences. "Pretty scary to think that only a government-authorised security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks."

But that wasn't everybody's view, and at least one correspondent believed that Cuthbert was not acting particularly professionally when he tried to crack the appeal site. "Professional testers know better than to go out and attempt to crack Web sites out of curiosity," argued another anonymous security specialist. "They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do so without repercussion. The simple fact is that [Cuthbert] tried to gain unauthorised access into a system."

You can still have your say about Cuthbert's conviction by voting in our poll or using TalkBack below.

Talkback

What happens if someone put that URL up as a link on a web page? Is everyone who clicks on it a criminal?

He lied to the police - do him for wasting police time. But if the webserver was configured to give a response to his (valid) request, and he DID NO HARM, then that's their problem.

via Facebook 10 October, 2005 16:33

I often alter URLs to try to navigate badly designed websites. I'd taken it that if you send a URL to a website and it sends back a page then it's public, published information. If it comes back 'forbidden' then it's not and you don't get to see it.
This sort of thing counts as 'hacking' now?
I'm not allowed to 'ask' the website 'can I see this URL please' when I really don't know if I'm supposed to be able to or not?

Perhaps we should all get written permission to access every URL before attempting to do so.

What if you click on a link from one website to another but the link is out of date and points to a forbidden URL? Are you a criminal, or the linking website's owner or both?

How many web users have never hit a 'forbidden' page by accident? How the hell do you prove that it WAS an accident?

via Facebook 10 October, 2005 17:14

So how do you check if a website is genuine or not? And if it is so easy to "hack" a URL, how often is this happening?

via Facebook 10 October, 2005 22:21

The situation has arisen due to the wordings of the statute. Section 1 of the Computer Misuse Act, 1990, considers an unauthorised access to a computer site as a crime if the person accessing the system “knows” that he is not authorised to access the site. The mens rea aspect has been incorporated in the form of “knowledge” aspect and that makes the concerned provision a “strict liability offence” unless the same is justified by law. For example, if an organisation or person is “legally entitled” to adopt “penetration test” as a mode of ethical hacking, then there seems to be no problem. The problem arises only when the person penetrating is not entitled to do so. In that case the provisions of section 1 apply harshly and there seems to be no justification for cursing the same. If the security aspects have to be tested or if the veracity of a site has to be checked, let the authorised person handle the same. If the person performing the penetration test is authorised, then there is no problem. If he is not, then the prosecution is the natural outcome.

Now coming to the conviction aspect, if the offender is a "first time offender" with no malicious intention (as in the present case), then the court must be liberal in his release either on probation or after due admonition. The offending act in this case is due to the language of the statute and whether a different provision must be made is a matter of policy decision by the Government that has to be decided by it in public interest. Till then the provision does not deserve to be criticised as the consequences were foreseeable.

via Facebook 11 October, 2005 06:05

Having read this, it is even more Bolleux than I thought. The whole point of the web is to put web servers on it to be accessed. As previously mentioned, if part of the web server is private then it should return forbidden. This has been going on since the beginning. How many people accidentally post a URL which they do not realise is valid for them, but not for anyone else?

Hacking is a concerted attempt to breach security or alter information.
If the url had been loaded with buffer overloading data etc then fair enough but not a plain and straightforward url.
Apart from that I seem to read that he didn't actually gain access, the attempts were logged. IF he didn't gain access and it wasn't a concerted attack (I have had 4-500 attempts in 30 minutes from China) then he has not broken the law, but Magistrates are not qualified on most matters and so do as the court "advisor" tells them.

via Facebook 11 October, 2005 13:25

How ludicrous that an act as simple as trying an amended URL can result in a fine and loss of employment. So now we must check and double check when entering a URL in case we set off an IDS alarm with our mis-spelling.

This is a stupid ruling, flies in the face of public opinion and just makes no sense at all.

via Facebook 11 October, 2005 13:38

Does that mean people think I can test their house security by entering their homes? Surely I can test my own home but not someone else's, and the same must be true for websites.

via Facebook 11 October, 2005 15:23

Was this hacking or just 'acking? If you go for a walk and wander onto somebody's land without causing or intending any damage then that's just trespass, but if you did intend damage then that's criminal trespass.

What about when you stand in someone's doorway when it rains? What about the strangers who walk up my garden path and knock on my door - despite the signs that say Private and No callers?

Point is; if there is no sign, or no fence and no damage then it's just a trespass. Why don't squatters and travellers get fined?

If he was just roaming - Why doesn't he get himself a decent lawyer and advice about an appeal?

via Facebook 11 October, 2005 22:57

It is unclear to me and, no doubt, most other folk what the laws are in respect to browsing, hacking (intentional or otherwise), DRM, etc. There is a blizzard of reports from around the World on these and other related topics and each cites a particular statute and details the hapless or malicious offender's offence. There are also lengthy articles about the philosophical nuances of wider policies, such as DRM and fair use. No wonder we're confused. It would be very helpful if a publication like ZDNet would publish a reference guide to 'digital law', detailing for example whether someone in the UK can be prosecuted under UK law, in the UK, for adding ../../.. to a site based in the US or China or Iraq or ... wherever! Also which countries allow/disallow/tolerate 'fair use' of bought copyright materials. There's lots more and a good pragmatic reference for the common user would be great!

via Facebook 12 October, 2005 08:50

If, as reported he tried the ol' /../../ trick, then he was obviously testing to see if the web server was vulnerable to this well documented flaw of allowing root access via a specific url sent to it.

This type of "attack" can reveal pertinent info on the security of the web server, but is generally used to gather info for further attacks. Was this his motive or not?

That said, only he really knows his motives for doing this, and hopefully did not lie in court or to the police. Everyone else's comments on this are irrelevant anyway. Are we now re-trying him via public opinion?

via Facebook 12 October, 2005 20:13
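The "../../../" URL manipulation described in the article and in the comment above is directory traversal. The following is an added example, not code from the article or from any commenter, showing the two things the discussion turns on from the server's side: a path resolver that answers 403 'forbidden' rather than serving anything outside the document root, and a log check of the kind that raised the site's 'intruder alarm'. The document root, the log lines and the client addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

WEB_ROOT = "/var/www/appeal"  # hypothetical document root for this example

# '../' in plain, URL-encoded and double-encoded form, with either slash style.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c)", re.I)
# Combined log prefix: client, ident, user, [time], "METHOD path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a URL path onto the document root; return (status, fs_path).
    A path that would climb above the root gets 403 and no file, the
    'forbidden' answer the Talkback commenters expect a server to give."""
    path = url_path.split("?", 1)[0]
    for _ in range(3):  # decode repeatedly so %252e%252e cannot slip past
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for part in path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not segments:  # would leave the document root: refuse
                return 403, None
            segments.pop()
        else:
            segments.append(part)
    return 200, "/".join([web_root] + segments)


def traversal_alerts(log_lines, threshold=1):
    """The 'intruder alarm': count traversal-looking requests per client and
    return {client_ip: count} for clients at or above the threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and TRAVERSAL_RE.search(m.group(2)):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Dec/2004:10:00:01 +0000] "GET /donate/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Dec/2004:10:00:09 +0000] "GET /donate/../../../ HTTP/1.1" 403 231 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Dec/2004:10:00:11 +0000] "GET /images/%2e%2e/%2e%2e/ HTTP/1.1" 403 231 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Dec/2004:10:01:00 +0000] "GET /thanks.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Note that the resolver refuses the request outright rather than silently clamping it to the root, so the refusal is visible in the log for the alarm to count.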

The ruling is unfair and I will go with the majority of the views. It's not as if he deliberately wanted to cause damage. I presumed DEC has a log of his £30 donation, so why did they allow it to go so far?

Is ping-ing the web server technically illegal? It's akin to pushing a door open to an organisation to see if they are open for business (but not entering).
A port scan could reveal any opening so we have to be careful, but even that is like a criminal walking around a building to see how to potentially break in and this is not a crime. I don't know what application he used, but it may be that he trespassed onto the site, fully armed, but providing that no damage is done shouldn't have to lose his job, but severely slapped on his wrist.

I mean how far up the OSI stack and what applications can be run before it is considered an offence?

via Facebook 13 October, 2005 17:59

Posting a website is an invitation to enter. It is like opening a store on a high street. The store may have several departments accessed via different doors. If a door is signed "Staff Only" then the consequences of opening the door are clear. If there is no sign then one may assume that one is entitled to enter.

If the website Terms & Conditions stated: "Access to this website is only permitted via the links provided", then guilty is the correct verdict. If not, and no damage was caused, and there was no intent to cause damage, then either the verdict or the act is wrong.

via Facebook 13 October, 2005 21:54

I'm not a security specialist, or judge. However, you need to consider the whole facts. He said he was testing to see if the site was real or fake, however no one has mentioned the fact that he changed his story, or alibi.

But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"

Or should that in fact be, "going down the shops for a packet of tea", no sorry I was "walking around trying everyone's front doors and car doors to see which ones are locked"

The judge even mentioned because of the lie was why he was taking the action

via Facebook 14 October, 2005 13:13

This is like a house breaker accidentally setting off an alarm then stopping what he was doing and providing a lame excuse when the police arrived.

Cuthbert changed his story during the proceedings. Presumably on the advice of his lawyers.

This is clearly the online equivalent of all the real world criminals who get off lightly due to technicalities.

We all know they're lying scumbags and we all know their intentions are dishonourable but unfortunately if they are pre-emptively caught there's nothing we can do but rap their knuckles.

via Facebook 18 October, 2005 06:44
