This is really nothing new: being a security hobbyist doesn't give you the right to test other people's systems. Note that he wasn't convicted for his actions pertaining to the web site (using the lynx web browser and placing ".." in the URL). He was convicted because he lied to the police.

Also of note is that the news site I read indicated that the judge said accessing a system without authorization isn't necessarily a crime.

(URL Editing, and resubmission has caused would-be students to not get into colleges when they tried to check their acceptance before an official notice was made.)

Over the past 10 years or so, it seems to me that industry and government have been heading hand-in-hand in the direction of focusing on "security for show" while making or using or attempting to make (new) laws to restrict control of information dissemenation. (There are exceptions.)

Use of NDA, Special Contract Clauses, and addition of laws to make reverse engineering, legally more difficult, comprise only part of the picture. These would have little effect if it were not for the influence of money to bind the will of professional security people (and hackers-- conventional sense) to not cause financial loss to the employer through disclosure or other means.

Industry calls it a "trade secret" while government calls it "national security" but both are applications and use of law to control how proprietary information is controlled and disclosed.

"We are limiting access to this information for your benefit." Ambiguity of where this is acceptable is subjective, and is the core of its problem. A business motivation is profit. A government's motivation is existence. To expect a business/government to always act on behalf of consumers/people is illogical, and shows where there is fault in the above quote.

Many skilled hackers have been and are being co-opted with the incentive of money. Once they have assets, then they have something to lose, and if they value those assets, then they are controlled. (Funny how those without these jobs tend to call those employed, "sell-outs" until they also get employed.)

The model popularized by Microsoft (embrace and extend) is hard at work.

What is the future? More of the same until there is an advantage to do otherwise, or a disadvantage to continue down this path. It is Newtonian Physics in the marketplace with the primary metaphor borrowing inertia and replacing "mass" with market direction, and "force" with policy.

What Michael Lynn case? That fizzled out within days of Blackhat. He is still a free man, and he probably ended up with a better job than working at ISS. Most of the respected security establishment supported him pubicly (e.g. Schneier).

You should also re-read the articles on Cuthbert. He actually attempted to IIS directory traversal attacks against a foreign website...which according to the letter of the UK law, is very illegal. His intentions don't matter ("I wanted to verify blah blah blah...)...he knowingly attempted to exploit known vulnerabilities.

Also, the judge in the case specifically stressed that his conviction was based less on the morality of his actions, and more on the fact that when initially questioned by police he lied about what he is done.

Lesson: if being interrogated by police, STFU and wait for a lawyer instead of LYING to them. If they figure out you've done the latter, you're pretty much screwed in any jurisdiction.

-g

If he can be convicted for his bit of "hacking", then I think we are in trouble. He didn't use any tools beyond his web browser, and his "crime" would have been altering the URL. Who here hasn't removed the file name in an attempt to get a directory listing? Changed "page=1" to "page=8" to skip to the end of an article? Requests for information can hardly be considered a crime...

On the other hand, as I pointed out, he was not convicted for requesting information.

His crime was his own stupidity in that he screwed with a high profile site that has received a large amount of media attention. The police then are forced to act severely as to appear tough on this sort of crime when in reality it was only the media spotlight that made it so severe and resulted in the loss of his job.

I never thought to look up the web site. The Disasters and Emergency Committee is indeed a very well-known site, and a single web search (always the first step) reveals that they are not likely to be a phishing site. The guy was an idiot and simply came up with a plausible story for why he was going after a charity.

Oh he did't use Hackerzz toolz so he probably was't trying to access infornation illegaly...
I can't understand your logic... so sad.

Then try not to think of it as logic. Have you ever modified a URL? To get information that wasn't "clickable" (such as a directory list)? I know the answer is yes, so do you feel that you should be in prison?

I also wasn't saying that he "was't[sic] trying to access information illegaly[sic]"; I was questioning whether asking for information (albeit information that isn't "clickable") should be illegal. Since I like analogies, should it be illegal for me to write a letter to a company asking for trade secrets? Why are computers different? Could we liken the use of this security weakness in the web server to that of sending the letter to a lower-level employee that may not know or care who knows the information?

(You should also note that I decided the guy's story is mostly bullshit based on my follow-up response...)

Changing URL arguments for a server-side script isn't the same as exploiting a well-known vulnerability. It also isn't clear whether he just used his browser or some type of tool.

-g