ZDNet UK



Tsunami 'hacker' is innocent, say readers

Colin Barker ZDNet.co.uk

Published: 10 Oct 2005 16:00 BST


Last Thursday's conviction of a computer security consultant for illegally accessing a Web site set up to aid victims of the Boxing Day Asian tsunami prompted a wide range of opinions from readers of ZDNet UK.

While many sympathised with a man who, even the judge agreed, had done "no real harm", others argued that a computer professional who knowingly accessed a Web site he had no permission to enter should have been aware of the possible consequences.

Daniel Cuthbert from London was found guilty of breaching Section One of the Computer Misuse Act (1990), which makes it an offence for someone to secure unauthorised access to a computer when they know that they are not permitted to do so.

Cuthbert, who at the time of his arrest was employed by ABN Amro to carry out security testing, pleaded not guilty to the charge. He was fined £400 plus £600 costs. An application for damages from the plaintiffs was thrown out by the judge on the grounds that by being found guilty, and already having lost his employment, Cuthbert had suffered enough.

The vast majority of ZDNet UK readers believe that Cuthbert has been treated unfairly. We conducted an online poll and asked readers if they believe Cuthbert "should have been convicted of gaining unauthorised access" to a computer under the Act. Over 1,000 people took part, and 92 percent said the conviction handed out by district judge Mr Q. Purdy was wrong.

While a vast majority of readers reckoned that Cuthbert was not guilty of a crime, there was a wide variety of opinion on the issue in our TalkBack pages.

It's understood that Cuthbert added ../../../ to the URL in an attempt to reach higher directories and so confirm whether or not the Web site was genuine. He argued in his case that, when he set off an intruder alarm, he was checking the site out because he feared that, rather than actually donating, he had been taken in by a phishing scam.

"Breaking in is not a means of making that determination," argued an anonymous security consultant. "[Does that mean] if you cannot break in the site is legit, or is it legit if you CAN break in?"

But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked...You wouldn't do that, would you?"

But whether it is trying doorknobs or the front (or back) doors of systems, can computer professionals do their jobs if they are no longer allowed to test systems as they might like to?

"I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert] didn't seem to employ any brute-force attacks or elegant procedures to check security at this site."

A US security consultant also felt the case could have serious consequences. "Pretty scary to think that only a government-authorised security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks."

But that wasn't everybody's view, and at least one correspondent believed that Cuthbert was not acting particularly professionally when he tried to crack the appeal site. "Professional testers know better than to go out and attempt to crack Web sites out of curiosity," argued another anonymous security specialist. "They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do so without repercussion. The simple fact is that [Cuthbert] tried to gain unauthorised access into a system."

You can still have your say about Cuthbert's conviction by voting in our poll or using TalkBack below.
