October 10, 2005
Last Thursday's conviction of a computer security consultant for
illegally accessing a Web site set up to aid victims of the Boxing Day
Asian tsunami prompted a wide range of opinions from readers of ZDNet
While many sympathised with a man who, even the judge agreed, had done
"no real harm", others argued that a computer professional who
knowingly accessed a Web site he had no permission to enter should
have been aware of the possible consequences.
Daniel Cuthbert from London was found guilty of breaching Section One
of the Computer Misuse Act (1990), which makes it an offence for
someone to secure unauthorised access to a computer when they know
that they are not permitted to do so.
Cuthbert, who at the time of his arrest was employed by ABN Amro to
carry out security testing, pleaded not guilty to the charge. He was
fined =A3400 plus =A3600 costs. An application for damages from the
plaintiffs was thrown out by the judge on the grounds that by being
found guilty, and already having lost his employment, Cuthbert had
The vast majority of ZDNet UK readers believe that Cuthbert has been
treated unfairly. We conducted an online poll and asked readers if
they believe Cuthbert "should have been convicted of gaining
unauthorised access" to a computer under the Act. Over 1,000 people
took part, and 92 percent said the conviction handed out by district
judge Mr Q. Purdy was wrong.
While a vast majority of readers reckoned that Cuthbert was not guilty
of a crime, there was a wide variety of opinion in the issue in our
It's understood that Cuthbert added ../../../ to the URL, hoping to
get access to higher directories in the hope of confirming whether or
not the Web site was genuine. He argued in his case that when he set
off an intruder alarm he was checking the site out as he feared that
rather than actually donating he had been taken in by a phishing scam.
"Breaking in is not a means of making that determination," argued an
anonymous security consultant. "[Does that mean] if you cannot break
in the site is legit, or is it legit if you CAN break in?"
But another reader argued that Cuthbert's actions were like "walking
around trying everyone's front doors and car doors to see which ones
are locked...You wouldn't do that, would you?"
But whether it is trying doorknobs or the front (or back) doors of
systems, can computer professionals do their jobs if they are no
longer allowed to test systems as they might like to?
"I'm not sure how I could perform my duties as a security professional
if it suddenly became unlawful to test security in a very passive
manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert]
didn't seem to employ any brute-force attacks or elegant procedures to
check security at this site."
A US security consultant also felt the case could have serious
consequences. "Pretty scary to think that only a government-authorised
security company can legally test a site's security or integrity. You
can bet I'll be accepting no more contracts to verify ANY corporate
But that wasn't everybody's view, and at least one correspondent
believed that Cuthbert was not acting particularly professionally when
he tried to crack the appeal site. . "Professional testers know better
than to go out and attempt to crack Web sites out of curiosity,"
argued another anonymous security specialist. "They use their skills
to break into systems only after signing lengthy contractual
stipulations that allow them to do so without repercussion. The simple
fact is that [Cuthbert] tried to gain unauthorised access into a
Copyright =A9 2005 CNET Networks, Inc. All Rights Reserved.
InfoSec News v2.0 - Coming Soon!