Tsunami 'hacker' Conviction Implications


  • Tsunami 'hacker' Conviction Implications

    So I'm sure by now most people here have read about the conviction of Daniel Cuthbert for unauthorized access to a Tsunami donation website. I'm not going to go into the details of the case (easily available online, look below for certain links). I'm interested to hear what some of the older and more informed members of the community think the implications of things like this and the Michael Lynn case are going to have on the future of the security industry and security hobbyists. It worries me seeing the direction things seem to be heading. Are we going to reach a point where things like full disclosure and Defcon are frowned upon or illegal?

    -zac
    %54%68%69%73%20%69%73%20%6E%6F%74%20%68%65%78

  • #2
    This is really nothing new: being a security hobbyist doesn't give you the right to test other people's systems. Note that he wasn't convicted for his actions pertaining to the web site (using the lynx web browser and placing ".." in the URL). He was convicted because he lied to the police.

    Also of note is that the news site I read indicated that the judge said accessing a system without authorization isn't necessarily a crime.

    • #3
      Originally posted by pr0zac0x2a
      Are we going to reach a point where things like full disclosure and Defcon are frowned upon or illegal?
      (URL editing and resubmission have caused would-be students not to get into colleges when they tried to check their acceptance before an official notice was made.)

      Over the past 10 years or so, it seems to me that industry and government have been heading hand-in-hand in the direction of focusing on "security for show" while making or using or attempting to make (new) laws to restrict control of information dissemination. (There are exceptions.)

      Use of NDAs, special contract clauses, and addition of laws to make reverse engineering legally more difficult comprise only part of the picture. These would have little effect if it were not for the influence of money to bind the will of professional security people (and hackers, in the conventional sense) to not cause financial loss to the employer through disclosure or other means.

      Industry calls it a "trade secret" while government calls it "national security" but both are applications and use of law to control how proprietary information is controlled and disclosed.

      "We are limiting access to this information for your benefit." Ambiguity of where this is acceptable is subjective, and is the core of its problem. A business motivation is profit. A government's motivation is existence. To expect a business/government to always act on behalf of consumers/people is illogical, and shows where there is fault in the above quote.

      Many skilled hackers have been and are being co-opted with the incentive of money. Once they have assets, then they have something to lose, and if they value those assets, then they are controlled. (Funny how those without these jobs tend to call those employed, "sell-outs" until they also get employed.)

      The model popularized by Microsoft (embrace and extend) is hard at work.

      What is the future? More of the same until there is an advantage to do otherwise, or a disadvantage to continue down this path. It is Newtonian Physics in the marketplace with the primary metaphor borrowing inertia and replacing "mass" with market direction, and "force" with policy.
      Last edited by TheCotMan; October 7, 2005, 17:16. Reason: spelling, grammar

      • #4
        Originally posted by pr0zac0x2a
        So I'm sure by now most people here have read about the conviction of Daniel Cuthbert for unauthorized access to a Tsunami donation website. I'm not going to go into the details of the case (easily available online, look below for certain links). I'm interested to hear what some of the older and more informed members of the community think the implications of things like this and the Michael Lynn case are going to have on the future of the security industry and security hobbyists. It worries me seeing the direction things seem to be heading. Are we going to reach a point where things like full disclosure and Defcon are frowned upon or illegal?

        -zac
        What Michael Lynn case? That fizzled out within days of Blackhat. He is still a free man, and he probably ended up with a better job than working at ISS. Most of the respected security establishment supported him publicly (e.g. Schneier).

        You should also re-read the articles on Cuthbert. He actually attempted IIS directory traversal attacks against a foreign website...which according to the letter of the UK law, is very illegal. His intentions don't matter ("I wanted to verify blah blah blah...")...he knowingly attempted to exploit known vulnerabilities.

        Also, the judge in the case specifically stressed that his conviction was based less on the morality of his actions, and more on the fact that when initially questioned by police he lied about what he had done.

        Lesson: if being interrogated by police, STFU and wait for a lawyer instead of LYING to them. If they figure out you've done the latter, you're pretty much screwed in any jurisdiction.

        -g
        Jesus built my car
        It’s a love affair
        Mainly Jesus and my hot rod

        • #5
          Originally posted by Grond
          he knowingly attempted to exploit known vulnerabilities
          If he can be convicted for his bit of "hacking", then I think we are in trouble. He didn't use any tools beyond his web browser, and his "crime" would have been altering the URL. Who here hasn't removed the file name in an attempt to get a directory listing? Changed "page=1" to "page=8" to skip to the end of an article? Requests for information can hardly be considered a crime...

          On the other hand, as I pointed out, he was not convicted for requesting information.

          • #6
            Originally posted by Voltage Spike
            If he can be convicted for his bit of "hacking", then I think we are in trouble. He didn't use any tools beyond his web browser, and his "crime" would have been altering the URL. Who here hasn't removed the file name in an attempt to get a directory listing? Changed "page=1" to "page=8" to skip to the end of an article? Requests for information can hardly be considered a crime...

            On the other hand, as I pointed out, he was not convicted for requesting information.
            His crime was his own stupidity in that he screwed with a high profile site that has received a large amount of media attention. The police then are forced to act severely so as to appear tough on this sort of crime, when in reality it was only the media spotlight that made it so severe and resulted in the loss of his job.
            Did Everquest teach you that?

            • #7
              Originally posted by allentrace
              His crime was his own stupidity in that he screwed with a high profile site
              I never thought to look up the web site. The Disasters and Emergency Committee is indeed a very well-known site, and a single web search (always the first step) reveals that they are not likely to be a phishing site. The guy was an idiot and simply came up with a plausible story for why he was going after a charity.

              • #8
                Originally posted by Voltage Spike
                If he can be convicted for his bit of "hacking", then I think we are in trouble. He didn't use any tools beyond his web browser, and his "crime" would have been altering the URL. Who here hasn't removed the file name in an attempt to get a directory listing? Changed "page=1" to "page=8" to skip to the end of an article? Requests for information can hardly be considered a crime...
                Oh he did't use Hackerzz toolz so he probably was't trying to access infornation illegaly...
                I can't understand your logic... so sad.
                /* NO COMMENT */

                • #9
                  Originally posted by dataworm
                  Oh he did't use Hackerzz toolz so he probably was't trying to access infornation illegaly...
                  I can't understand your logic... so sad.
                  Then try not to think of it as logic. Have you ever modified a URL? To get information that wasn't "clickable" (such as a directory list)? I know the answer is yes, so do you feel that you should be in prison?

                  I also wasn't saying that he "was't[sic] trying to access information illegaly[sic]"; I was questioning whether asking for information (albeit information that isn't "clickable") should be illegal. Since I like analogies, should it be illegal for me to write a letter to a company asking for trade secrets? Why are computers different? Could we liken the use of this security weakness in the web server to that of sending the letter to a lower-level employee that may not know or care who knows the information?

                  (You should also note that I decided the guy's story is mostly bullshit based on my follow-up response...)
                  Last edited by Voltage Spike; October 11, 2005, 12:51. Reason: I said web browser, but I meant web server.

                  • #10
                    Originally posted by Voltage Spike
                    If he can be convicted for his bit of "hacking", then I think we are in trouble. He didn't use any tools beyond his web browser, and his "crime" would have been altering the URL. Who here hasn't removed the file name in an attempt to get a directory listing? Changed "page=1" to "page=8" to skip to the end of an article? Requests for information can hardly be considered a crime...

                    On the other hand, as I pointed out, he was not convicted for requesting information.
                    Changing URL arguments for a server-side script isn't the same as exploiting a well-known vulnerability. It also isn't clear whether he just used his browser or some type of tool.

                    -g
                    Jesus built my car
                    It’s a love affair
                    Mainly Jesus and my hot rod
