Interesting People mailing list archives

Use the Dots, Go to Jail - that's the law


From: David Farber <dave () farber net>
Date: Mon, 24 Oct 2005 06:42:13 -0400



Begin forwarded message:

From: Randall <rvh40 () insightbb com>
Date: October 23, 2005 8:22:13 PM EDT
To: Dave <dave () farber net>
Subject: Use the Dots, Go to Jail - that's the law


http://tinyurl.com/btjdp

Justice versus legality – the case of Daniel Cuthbert
Guest Writer (Terra, Sol)  Civil liberty/regulation • UK affairs
        This is the un-edited version of an article sent in by Diana
        Quaver, which we published earlier in a reduced form. Diana has
        been closely following this story, which should be of great
        interest to the on-line community:

I have recently followed the trial of Daniel Cuthbert. This was the
gentleman who was accused of “hacking” into the website of the Disasters
and Emergency Committee. He was recently “regretfully” found guilty
under section 1 (a) of the Computer Misuse Act 1990. He never even
lived in Whitechapel. This was the BBC story a few months ago:

        Charge over tsunami 'hacking' bid

        A man has been charged over an alleged attempt to hack into a
        website set up to raise funds after the Asian tsunami.

        Daniel Cuthbert, 28, of Whitechapel, east London, has been
        charged with one offence under the Computer Misuse Act.

        Scotland Yard said the charge followed an alleged unauthorised
        access of the Disasters and Emergency Committee site on New
        Year's Eve.

        Mr Cuthbert is due to appear at Horseferry Magistrates' Court
        next Thursday.

        The disaster fund has raised an estimated £250m to help victims
        of the tsunami.

        Tens of thousands of people used its web pages to offer money to
        those caught in the Boxing Day tragedy.


Today, Daniel Cuthbert was found guilty.

Daniel Cuthbert saw the devastating images of the Tsunami disaster and
decided to donate £30 via the website that was hastily set up to be able
to process payments. He is a computer security consultant, regarded in
his field as an expert and respected by colleagues and employers alike.
He entered his full personal details (home address, number, name and
full card details). He did not receive confirmation of payment or a
reference and became concerned as he has had issues with fraud on his
card on a previous occasion. He then did a couple of very basic
penetration tests. If they resulted in the site being insecure as he
suspected, he would have contacted the authorities, as he had nothing to
gain from doing this for fun and keeping the fact to himself that he
suspected the site to be a phishing site and all this money pledged was
going to some South American somewhere in South America.

The first test he used was the ../../../ sequence (dot dot slash, three
times). The ../ command is called a Directory Traversal, which allows
you to move up the hierarchy of a file. The triple sequence amounts to a
DTA (Directory Traversal Attack) and allows you to move three times. It
is not a complete attack, as that would require a further command; it
was merely a light “knock on the door”. The other test, which
constituted an apostrophe ( ' ), was also used. He was then satisfied
that the site was safe as he received no error messages in response to
his query, then went about his work duties. There were no warnings or
dialogue boxes showing that he had accessed an unauthorised area.

20 days later he was arrested at his place of work and had his house
searched. In the first part of his interview, he did not readily
acknowledge his actions, but in the second half of the interview, he
did. He was a little distraught and confused upon arrest, as anyone
would be in that situation and did not ask for a solicitor, as he
maintained he did nothing wrong. His tests were done in a 2 minute
timeframe, then forgotten about.

He was prosecuted under the Computer Misuse Act 1990, which was signed
in 1989 when perms were just going out of fashion and mobile phones were
like bricks and cost £1000 and we were still using green type on a black
background. The word “Computer” was not even defined, as they realised
that this area was moving at light speed so they wanted to keep it open.
Sadly, it has become open to willy-nilly interpretation, and the
magistrate decided there was intention to access data as stated in
section 1(a). Although I may be biased, it is an incorrect
interpretation.

Cuthbert was prosecuted under the Computer Misuse Act 1990, and
convicted under Section 1 (a) of this Act. The relevant section of the
Act is:

Section (1) of the Act states:

        (1) A person is guilty of an offence if –

        a. he causes a computer to perform any function with intent to
        secure access to any program or data held in any computer;

        b. the access he intends to secure is unauthorised; and

        c. he knows at the time when he causes the computer to perform
        the function that that is the case.


As an expert, if he had true intent (as the judge deemed he did, which
is an incorrect analysis) he would have been more than capable of
“hacking” and gunning that door down with a digital version of a
point-blank range AK47, but he did not. He maybe should not have done
the tests that are beyond the knowledge of a regular user, and a caution
would have sufficed; there was no need for a trial and certainly not 10
months of waiting time. The policeman was smug as he got his brownie
points and the CPS prosecutor was what one can expect of a CPS
prosecutor: patronising, pedantic and uninteresting, but sadly
successful.

The ../ sequence triggered off the alarm which was set up as “high” for
this sort of “attack” at the donate.bt.com website that was set up for
the DEC website. This alerted someone that there was something
potentially suspicious; this was then passed up to someone who reported
it to the police. They found their suspect through the IP address and
were able to trace it to his laptop. Well, the Computer Crime Unit
(known in the industry as “Muppets”) were very happy they got their
man.

Mr Cuthbert was convicted under S. 1 (a) of the Computer Misuse Act
1990. It will be almost impossible for him to work in IT, the security
industry being totally based on trust and reputation, as they are all
freelancers and rely on contacts. That simply is not right. Justice is
not always synonymous with legality.

When someone tells you, “whatever you do, do not press the red button”
and you are almost compelled, in just that way, I am feverishly tempted
to type in the ../../../ sequence in the Ministry of Defence website,
and see what happens. Maybe not.


--
"We've got the hatemongers who literally hate this president, and that
is so wrong. . . . The people who hate George Bush hate him because he's
a follower of Jesus Christ, unashamedly says so and applies his faith in
his day-to-day operations." -- Rev. Jerry Falwell, on C-SPAN's "Washington Journal"
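The two probes the article above describes, a `../../../` path sequence and a stray apostrophe in a query, are exactly what a "high" alarm on a donation site's web logs would be tuned to notice. As an added example (not part of the article, and not the DEC or BT site's actual monitoring), here is a small Python detector run over constructed access-log lines; the IP addresses, timestamps and paths are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:22:14:01 +0000] "GET /donate/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [31/Dec/2004:22:14:09 +0000] "GET /donate/../../../ HTTP/1.1" 404 312
203.0.113.7 - - [31/Dec/2004:22:14:15 +0000] "GET /donate/index.html?ref=' HTTP/1.1" 200 5120
198.51.100.4 - - [31/Dec/2004:22:15:30 +0000] "GET /donate/%2e%2e/%2e%2e/%2e%2e/etc HTTP/1.1" 404 312
198.51.100.4 - - [31/Dec/2004:22:16:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 8801
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(target):
    """Percent-decode twice so a double-encoded %252e still becomes '.',
    and fold backslashes to forward slashes before inspecting the path."""
    return unquote(unquote(target)).replace('\\', '/')

def classify(target):
    """Return the probe types seen in one request target (empty list if none)."""
    findings = []
    parts = urlsplit(normalise(target))
    # A '..' path segment is the directory-traversal pattern from the article.
    if re.search(r'(^|/)\.\.(/|$)', parts.path):
        findings.append('directory-traversal')
    # A lone apostrophe in the query string is the classic SQL-error probe.
    if "'" in parts.query:
        findings.append('quote-in-query')
    return findings

def scan_log(text):
    """Yield (ip, timestamp, target, findings) for every line that looks like a probe."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = classify(m['target'])
        if findings:
            alerts.append((m['ip'], m['ts'], m['target'], findings))
    return alerts

if __name__ == '__main__':
    for ip, ts, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {', '.join(findings)}")
```

Grouping the alerts by source address is how an operator turns three requests in a two-minute window into a single incident to review, rather than three separate alarms.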





Archives at: http://www.interesting-people.org/archives/interesting-people/

