Tsunami appeal site 'hacker' found guilty
Summary: A computer consultant has been fined for gaining unauthorised access to the Disaster Emergency Committee's fundraising Web site
A computer consultant has been convicted of gaining unauthorised access to a Web site collecting donations for victims of last year's tsunami, even though the judge hearing the case accepted that he meant to cause no harm.
Daniel Cuthbert of Whitechapel in London was found guilty on Thursday afternoon of breaching Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004.
Cuthbert, who at the time of his arrest had been employed by ABN Amro to carry out security testing, had pleaded not guilty to the charge. He was fined £400 plus £600 costs.
District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty" given his record of unblemished good behaviour. But Judge Purdy also said that Cuthbert had changed his defence between being interviewed by police at the beginning of the year and his appearance in court this week.
Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.
Earlier this year it was reported that Cuthbert had donated money to the tsunami appeal using the text-only Lynx browser, which can appear to behave differently from other browsers from the server's point of view.
But in court on Wednesday, Cuthbert said he had made a £30 donation to the site, after clicking on a banner advert. When he received no final thank-you or confirmation page he suspected he might have fallen victim to a phishing scam, so he carried out two tests to check the security of the site.
Cuthbert's defence team had argued that he had merely 'knocked on the door' of the site, pointing out that he had the skills to break into it if he wanted.
Section One of the CMA says that it is an offence to make "unauthorised access to computer material". There is no burden on the prosecution to prove that the accused intended to cause any damage.
Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
Talkback
1) A network is the path to your computer, like a road.
2) Ports are like windows and doors. In setting up the computer, the ports are part of the architecture that connects your computer to the road. It is the computer owner's responsibility to decide which ports to provide and to make sure they are secured.
3) Connecting to a common service port (anything in a standard) is a usual thing to do in establishing identity and connection with a computer.
4) Trying to open a common port is not a crime; attempting to break a lock on a common port is.
Any lawyers out there? Is that too simple an explanation?
The only reason he did this is because he thought he was anonymous. Hard cheese, I say.
what story are you reading? since when did he say this?
You guys are plain pansies. Why not THINK before you DO. Did he really do anything bad? Couldn't you guys just contact him, have a serious meeting and find out what was wrong?! NO!!! You guys had to be like "uuhh. dude, we're gonna sue you! uhh!".
I hate you.
scam. Breaking in is not a means of making that determination. What, if you cannot break in the site is legit, or is it legit if you CAN break in?
He lied to the police about what he was doing. That is evidence of a guilty mind. As I recall, that's called "mens rea". If he thought he himself was guilty, why shouldn't a judge?
gl-horseferry.court@hmcourts-service.gsi.gov.uk and ask the recipient to forward your comments to Judge Q. Purdy.
He then lied to police - bad move - who knows, it may not even have got to court if he had told the truth from the start.
I have some sympathy, but I'm afraid he made two mistakes that have cost him dearly.
Being a Computer Forensics Tech I have little envy for this individual for using the technique he used to validate this site whether he did this with innocent values or not.
The "attack" has been likened to trying doors to see if they're open - a good analogy. Well, if I caught someone trying the locked door of my house I might be pretty upset but I wouldn't prosecute. After all, touching a door knob isn't a crime. Trying it and entering would be. So maybe damage or intent should feature a little more prominently in this law.
Nearly every day the press reports a security researcher, who presumably did not have the permission of the relevant people, discovering a security issue and reporting it responsibly. Should we prosecute these people whose actions improve the security of software and the web, for 'trying door knobs'? If the prosecuted 'hacker' had found such an issue and reported it we'd be hailing him a minor hero, not discussing his fate. Don't forget he's only in this predicament because an alarm was triggered, not because anyone noticed any harm was done. The only person to have suffered loss here was the prosecuted individual.
I can't help feel he's been made a scapegoat here, to discourage others from doing a little exploring. Just another symptom of an increasingly litigious and now prosecution-happy society maybe.
Cuthbert's premise for accessing the Disasters Emergency Committee (DEC) Web site was based on his intent to ascertain that he had not been conned; there have been cases of port redirection on websites, in which case the victim is not protected from fraud.
When the judge says that the defendant changed his story, well that happens all the time. When he was initially questioned he would have been in a state of shock and once charged, can't elaborate on anything he's said. The statement given to a person at arrest "anything you do say may be used against you in a court of law" implies that it might not either. I've always thought it odd that we allow such a threat to be given to a person arrested without question.
Unfortunately I wasn't in the court so I don't know what was said, and media reports of the case are in conflict.
If it is correct that he used his browser to access the site (by requesting the page ../../../ as specified in section 5.4.2 of RFC 3986), then we are all hackers. I suggest therefore that anyone who reads this hands themselves in to the police (but at least do me the favour of reading till the end).
It has always been my opinion that you cannot have unauthorised access to a public website, unless you have defaced it, altered files on it or obtained information from it to commit another crime (eg credit card fraud). Even then, wikis and other amendable sites mean that this definition isn't accurate enough.
What would happen if a site gave an "access denied" error when you tried to access the site, due to a configuration error? Would that be illegal? By this interpretation it is, but common sense tells you that it's no such thing.
This is why organisations should separate what is public from what is private, and also why this case is a travesty and the decision must be overturned.
Also, folks, trying a car or a house door isn't an offence either. Do it a lot and it's suspicious and neighbours would be entitled to call the police. Entering the house or "taking a vehicle without the owner's consent" (aka "twoking") is. Although the police have caught people before they've even driven off.
The only reason this conviction went through is because the judge took an overzealous view of section 1 of the Act. I read a comment elsewhere that equated mens rea with strict liability. That's not correct. Strict liability includes things like "drunk driving", since being incapacitated means that you aren't aware you're drunk.
The bottom line is there is no way that you can know in advance whether you are authorised to access any page on a web site before getting a response from the server. If you therefore truly believe Daniel Cuthbert to be guilty, you would be a hypocrite if you continued to access the world wide web.
This isn't at all a case of someone attempting to break in. The query he sent is allowable under agreed international standards.
Also, like I said, you can't know if you are allowed to access a page before you send a query, since you can't know for sure that you will get a "200" response from the server. I've visited hundreds of sites that have an "access denied" error at the top level (I've been accessing web sites for thirteen years). By this reasoning I am a criminal. If I mistype a URL and get an "access denied" page, or (as I did recently) edit a URL to get a more up-to-date software program from a company's server (as they had forgotten to update the link to the newer software), does that make me a criminal?
Also, I need to correct what I said in an earlier post (see, even I can't get it right first time, and I'm not under arrest!). What I meant was a threat when you are arrested are the words "it may harm your defence when questioned if you do not mention evidence that you later rely on in court". Leaving aside the fact that the police shouldn't be giving legal advice, this statement flies completely in the face of article 6 of the European Convention on Human Rights. It is saying (and the judge in this case appears to agree) that you must present everything in your defence right there and then.
Has anyone actually noticed that it was three weeks between the "offence" and arrest? How many of you can remember exactly what you were doing around 15:00 three weeks ago, and can give a full legal defence of it within a few hours of being arrested? None of you? I thought so.
Of course, now that the link that he has followed is on public web sites, Google and MSN search (to name two) will now attempt to access those pages. Does that mean that Eric Schmidt and Bill Gates are going to be arrested?
There is plenty of law to cover web sites being attacked, but section 1 of the Computer Misuse Act isn't part of it. For several years now I have managed the sites I look after on the basis that everything on the public sites is in the public domain, and everything else is secured in some way. That I've done with section 1 of the Computer Misuse Act in mind.
And my firewall merrily stops dozens of intrusions per minute from various viruses out there... I don't go run crying to the police about it! "Waaaaahhhh a virus tried to get into my computer and the firewall stopped it, but waaaaahhhh I want revenge anyway!"
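The thread above turns on a technical claim: that a request for "../../../" is handled by the rules of RFC 3986, which tell a client to collapse "." and ".." segments (section 5.2.4, "Remove Dot Segments") before a request is sent, and whose section 5.4.2 lists abnormal cases such as "../../../g" resolving to "http://a/g". The following is an added example, not code from the article or from any commenter, that implements that algorithm and then looks at the same path from the server's side, where a raw request-target still containing dot segments can be logged for review. The base URI is the one RFC 3986 uses in its own examples; the sample request-targets and the `inspect_request_path` helper are constructed for this illustration.

```python
"""RFC 3986 dot-segment removal and reference resolution, with a
server-side view of what a raw request-target reveals.
Added example; base URI from RFC 3986 section 5.4, sample paths constructed."""

from typing import List, Tuple
from urllib.parse import urlsplit

# The base URI used by RFC 3986 section 5.4 for all of its examples.
BASE = "http://a/b/c/d;p?q"


def remove_dot_segments(path: str) -> Tuple[str, int]:
    """RFC 3986 section 5.2.4.

    Returns (normalised_path, above_root), where above_root is an addition
    to the RFC algorithm: it counts ".." segments that had no preceding
    segment to cancel, i.e. attempts to climb above the hierarchy root."""
    buf = path
    output: List[str] = []
    above_root = 0
    while buf:
        if buf.startswith("../"):          # rule A: leading "../" is dropped
            buf = buf[3:]
            above_root += 1
        elif buf.startswith("./"):         # rule A: leading "./" is dropped
            buf = buf[2:]
        elif buf.startswith("/./"):        # rule B: "/./x" -> "/x"
            buf = buf[2:]
        elif buf == "/.":                  # rule B: trailing "/." -> "/"
            buf = "/"
        elif buf.startswith("/../"):       # rule C: "/../x" pops one segment
            buf = buf[3:]
            if output:
                output.pop()
            else:
                above_root += 1
        elif buf == "/..":                 # rule C: trailing "/.." pops one
            buf = "/"
            if output:
                output.pop()
            else:
                above_root += 1
        elif buf in (".", ".."):           # rule D: lone dot segments vanish
            buf = ""
        else:                              # rule E: move first segment to output
            start = 1 if buf.startswith("/") else 0
            nxt = buf.find("/", start)
            if nxt == -1:
                segment, buf = buf, ""
            else:
                segment, buf = buf[:nxt], buf[nxt:]
            output.append(segment)
    return "".join(output), above_root


def merge_paths(base_path: str, ref_path: str, has_authority: bool) -> str:
    """RFC 3986 section 5.2.3: splice a relative path onto the base path."""
    if has_authority and base_path == "":
        return "/" + ref_path
    return base_path[: base_path.rfind("/") + 1] + ref_path


def resolve_reference(base: str, ref: str) -> str:
    """RFC 3986 section 5.2.2, restricted to path-only references
    (no scheme, authority, query or fragment in `ref`)."""
    b = urlsplit(base)
    path = ref if ref.startswith("/") else merge_paths(b.path, ref, bool(b.netloc))
    path, _ = remove_dot_segments(path)
    return f"{b.scheme}://{b.netloc}{path}"


def inspect_request_path(raw_target: str) -> dict:
    """Server-side view (constructed helper, not any product's API).

    A conforming client has already applied remove_dot_segments, so a "."
    or ".." segment arriving on the wire came from a non-conforming or
    hand-typed client.  That is worth logging for review; by itself it
    says nothing about intent or harm, which is the thread's point."""
    has_dots = any(seg in (".", "..") for seg in raw_target.split("/"))
    normalised, above_root = remove_dot_segments(raw_target)
    return {"raw": raw_target, "normalised": normalised,
            "dot_segments": has_dots, "above_root": above_root}


if __name__ == "__main__":
    # RFC 3986 section 5.4.2 abnormal examples: all should give http://a/g
    for ref in ("../../../g", "../../../../g", "/../g"):
        print(f"{ref!r:18} -> {resolve_reference(BASE, ref)}")
    # Constructed request-targets as a server would see them on the wire.
    for target in ("/donate/thanks.html", "/../../../"):
        print(inspect_request_path(target))
```

Running it shows that a conforming client never sends the dot segments at all: every abnormal reference in the RFC's list resolves to the site root before the request leaves the browser, so a server that receives a literal "/../../../" is seeing a non-conforming client, and the normalised path it would serve is still "/".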