Advertisement
Promo

Security threats Toolkit

Tsunami 'hacker' conviction worries experts

Colin Barker and Rupert Goodwins ZDNet.co.uk

Published: 07 Oct 2005 15:40 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee's fundraising Web site has left security experts leafing through the magistrate's decision to try and understand the full implication of the verdict.

On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Act on the afternoon of New Year's Eve, 2004. He admitted attempted to access the Web site, which was collecting donations for victims of last year's tsunami.

During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access.

The defence also pointed out that Cuthbert had not attempted to defraud the site. Security expert Peter Sommer is concerned by the conviction.

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted,” said Sommer, senior research fellow at the London School of Economics’ Information Systems Integrity Group.

Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site.

As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

In making his decision, district judge Mr Q. Purdy said that the court would have to take into account Cuthbert’s previous conduct when deciding whether he was guilty.

"This is not an infallible guide," Judge Purdy said. "If it was, there would be no first time offenders." But he indicated that as Cuthbert had no previous convictions and an "unblemished" record he would be inclined to find him not guilty.

This is thought to be the first time that a judge had indicated that — despite the letter of the act — knowingly accessing a system when unauthorised to do so is not necessarily a crime.

Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said.

Sommer backed up this point.

"The major problem was that he gave them an overly complex explanation which turned out not to be true, and involved them in a lot more work. That's probably why the judge didn't give him a conditional discharge, which was open to him," Sommer told ZDNet UK.

Sommer is now digesting the implications of the judge’s ruling.

"There are a number of long term issues," said Sommer. "We've now got a very strict interpretation on how Section 1 works and how it might be interpreted in terms of an attempt. Some of the tests you might instinctively want to run to see if a site is valid may fall foul of a strict interpretation."

Sommer added that there are also public policy implications. "Once someone's charged, there's almost no defence. Is it in the public interests to prosecute people who haven't done anything very serious if you know they'll lose their profession as a result?"

"I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help," Sommer said.

You can have your say about Cuthbert's conviction by voting in this poll.

 

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
72 out of 139 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

14 comments

  1. How is it that a free thinking society cannot voic... Shaun Walter
  2. It sounds like the lawyer that represented him got... Stack Smasher
  3. An uneducated verdict. It will spell doom if... Anonymous
  4. "Instead, Judge Purdy found Cuthbert guilty, becau... AyeRoxor
  5. Pretty scary to think that only a government-autho... Rich Willis
  6. If you warn a thief he's being looked at the thief... Anonymous
  7. A lot of fuss is being made about him initial... David B. Wildgoose
  8. The situation has arisen due to the wordings of th... Praveen Dalal
  9. Just goes to show that like the majority of the la... Sb
  10. The police need computer forensics experts, securi... Craig S Wright
  11. I would love to work for computer forensics.... Neale Martin
  12. His biggest mistakes where, to be British, to live... Anon
  13. What is it that people here don't get? When I was... Fujikid
  14. It is interesting to me that unless you are a... Anonymous

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:




Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Climate research centre compromised

One of the UK's leading climate change research centres has had a security breach. The Climate Research Unit at the University of East Anglia (UEA) suffered a compromise of information,... More

1 comment

Government web-monitoring plans on hol...

Government plans to compel ISPs to process and store details of all web communications have been put on hold until after the next election. The Home Office told ZDNet UK on Wednesday... More

1 comment

Watchdog reveals illegal sale of phone...

The Information Commissioner's Office is preparing a prosecution file against a mobile operator's employees who allegedly sold on thousands of customers' details to a competitor. The... More

1 comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters