Security pros savage Tsunami hacker verdict
Could conviction divide police and IT professionals?
Analysis Last week Daniel Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in costs. As an IT security consultant, it will be a long time before Cuthbert's reputation is restored and it is possible he will never work in the industry again.
But it is going to take just as long for the police to recover their reputation amongst much of the IT security community. The decision to prosecute Cuthbert might be "good PR", as one officer told the Register last week, but it could make it harder for police to chase computer criminals in the future. Some observers believe it will damage the relationship between the police and the security professionals they rely on for information and advice.
Cuthbert, a 28 year old from Whitechapel, London, was a security consultant at ABN Amro, a job he lost as a result of his arrest. He also lectured at Westminster and Royal Holloway universities - ironically he taught some members of the Computer Crime Unit.
On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.
After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action.
In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions.
The police were able to track Cuthbert down because of the donation he made just before running the tests. He was arrested, brought in for questioning and subsequently charged with breaking the Computer Misuse Act.
Feedback to our story on Cuthbert's conviction last week was mostly sympathetic to Cuthbert though some felt he had overstepped the boundaries.
One reader said: "There are occasions where criminal damage charges could be used under this act, but it seems this wasn't one of them. The damage this will have done to the relationship between the police and information security specialists is absolutely immeasurable."
Some have questioned the Met's claim that the verdict, "sends a reassuring message to the general public". One reader said, "the message it sends to the public is that the Met are inhumane and without compassion. They should have exercised discretion and better judgement."
Peter Sommer, a security expert who gave expert evidence for the defence last week, said: "Mr Cuthbert has a lot of friends in the security community - friends the police need contact with - they will certainly feel more wary after this verdict."
But not everyone agreed - Dr Neil Barrett, a computer crime expert recently appointed to advise the EC on Microsoft issues, said: "...the access was unauthorised. He came to a site for which he did not have permission to exceed the normal user levels of access and attempted to elevate that access. Now, it's true that security professionals do such things - on penetration tests - but that's where permission has been given." Barrett does not believe the verdict will have much impact on the security community.
Dr Helg Janicke at De Montfort University said that in the past feedback from users and security professionals had been welcomed by webmasters but that might change.
"We are moving from an informal world to a more formal and regulated one," said Janicke. "It is dangerous for individuals to play with these kind of things." ®