Feeds

Security pros savage Tsunami hacker verdict

Could conviction divide police and IT professionals?

5 things you didn’t know about cloud backup

Analysis Last week Daniel Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in costs. As an IT security consultant, it will be a long time before Cuthbert's reputation is restored and it is possible he will never work in the industry again.

But it is going to take just as long for the police to recover their reputation amongst much of the IT security community. The decision to prosecute Cuthbert might be "good PR", as one officer told the Register last week, but it could make it harder for police to chase computer criminals in the future. Some observers believe it will damage the relationship between the police and the security professionals they rely on for information and advice.

Cuthbert, a 28 year old from Whitechapel, London, was a security consultant at ABN Amro, a job he lost as a result of his arrest. He also lectured at Westminster and Royal Holloway universities - ironically he taught some members of the Computer Crime Unit.

On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.

After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action.

In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions.

The police were able to track Cuthbert down because of the donation he made just before running the tests. He was arrested, brought in for questioning and subsequently charged with breaking the Computer Misuse Act.

Feedback to our story on Cuthbert's conviction last week was mostly sympathetic to Cuthbert though some felt he had overstepped the boundaries.

One reader said: "There are occasions where criminal damage charges could be used under this act, but it seems this wasn't one of them. The damage this will have done to the relationship between the police and information security specialists is absolutely immeasurable."

Some have questioned the Met's claim that the verdict, "sends a reassuring message to the general public". One reader said, "the message it sends to the public is that the Met are inhumane and without compassion. They should have exercised discretion and better judgement."

Peter Sommer, a security expert who gave expert evidence for the defence last week, said: "Mr Cuthbert has a lot of friends in the security community - friends the police need contact with - they will certainly feel more wary after this verdict."

But not everyone agreed - Dr Neil Barrett, a computer crime expert recently appointed to advise the EC on Microsoft issues, said: "...the access was unauthorised. He came to a site for which he did not have permission to exceed the normal user levels of access and attempted to elevate that access. Now, it's true that security professionals do such things - on penetration tests - but that's where permission has been given." Barrett does not believe the verdict will have much impact on the security community.

Dr Helg Janicke at De Montfort University said that in the past feedback from users and security professionals had been welcomed by webmasters but that might change.

"We are moving from an informal world to a more formal and regulated one," said Janicke. "It is dangerous for individuals to play with these kind of things." ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?