Why judgment matters in a security professional

01.12.2005
The case of Daniel Cuthbert, a.k.a. The Tsunami Hacker, raises a number of issues relevant to computing managers. The background of the case, which is basically uncontested, is that Cuthbert, based in the U.K., donated money to a tsunami relief fund-raising Web site. When he didn't receive a confirming "Thank You" message, he thought he might have fallen victim to a phishing attack and decided to investigate. Reports say that he added "../../../" to the Web site's URL to get access to the root directory of the server.

In an interview on the Computer Security Alert Web site, Cuthbert says that he ran "security tests" to see how good the site's security was, because he felt a phishing site wouldn't have good security. All this triggered intrusion-detection systems, which then watched the rest of his activities. The incident was investigated, Cuthbert was prosecuted, and he was found guilty of violating the U.K.'s Computer Misuse Act. He was ordered to pay a fine and court costs that total about US$1,700. He is appealing the conviction. The latest twist is that Cuthbert, who has worked in the IT industry, was recently hired by an information security company.

I have to admit that I am not too concerned about the details of the case. Let's just assume for the sake of argument that the story is exactly how Cuthbert describes, in that he was interested only in figuring out if he was a victim of a phishing attack, so he intruded into the system and looked around. That is still a crime, and it should be. Concerning newspaper reports that he simply appended "../../../" to the site URL, something tells me it was a little more than that. I doubt that there would be such a massive prosecution for a single attempt to access root levels of a computer using a well-known and relatively benign method. I know several people in the U.K.'s High Tech Crime Unit, and I doubt that they would waste valuable resources on a simple attempt like the one described that didn't go further. Running "security tests" implies that Cuthbert ran a variety of scans against the system, which appears identical to criminal hacking reconnaissance. The fact that one of his guilty verdicts involved modifying a log file would generally indicate that he achieved unauthorized access to the site.

However, even if you assume that there was little more than the URL, and that the prosecutors made too much out of nothing, there is still a lot wrong with the situation. There are many other things Cuthbert could have done to look into the matter. For example, he could have done a whois or DNS lookup, and searched a variety of open-source information to determine if the site and the associated organization were legitimate. It would have been that easy to avoid the whole mess. I have to admit that I previously looked into a site to see if my information was vulnerable on a specific site. I'm not sure how many people remember The Industry Standard magazine, which was basically the magazine for the dot-com boom. (Editor's note: IDG, the parent company of Computerworld, previously owned the Standard.) I received an e-mail asking me to renew my subscription online with an embedded URL.

I looked at the URL and guessed that the URL contained a one-up number that tied to individual subscribers. I hand-typed in the URL and modified it a couple of times, and confirmed my worries by pulling up other people's subscription information. I then hypothesized that a computer program could download the entire subscriber list, with all of the readers' contact information, which was basically a who's who of the dot-com era. I contacted the webmaster and reported my findings. While it is a gray area, I stopped when I realized that I was correct in my assumption that my information, and that of thousands of others, was vulnerable. I didn't need to go into the Web site to verify it further, or to download the entire list to prove the point.
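The subscription-renewal link described above is a textbook insecure direct object reference: the only thing the server consults is a sequential number anyone can change. The following is an added example, not code from the column or from the magazine's site, showing the vulnerable lookup beside a hardened one that binds an unguessable signed token to the subscriber and verifies it before touching the record. The subscriber table, the key and all names are constructed for the example.

```python
# Added example (not from the column): sequential-id lookup vs. a
# signed, unguessable renewal token. All data and names are constructed.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the magazine's subscriber list.
SUBSCRIBERS = {
    1001: {"name": "Subscriber A", "email": "a@example.test"},
    1002: {"name": "Subscriber B", "email": "b@example.test"},
    1003: {"name": "Subscriber C", "email": "c@example.test"},
}

# Constructed per-deployment secret; in production it lives in a secret store.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_renewal_lookup(subscriber_id: int) -> Optional[dict]:
    """The pattern in the column: the number in the link is the whole
    authorisation, so changing 1001 to 1002 returns someone else's data."""
    return SUBSCRIBERS.get(subscriber_id)


def issue_renewal_token(subscriber_id: int, key: bytes = SERVER_KEY) -> str:
    """Build the value that goes into the e-mailed link: the id, a random
    nonce and an HMAC over both. Without the key, a neighbouring id cannot
    be turned into a token that verifies."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{subscriber_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{nonce}.{mac}"


def hardened_renewal_lookup(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the token before consulting the table. Malformed, forged or
    re-numbered tokens all return None, so enumeration yields nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    sid, nonce, mac = parts
    if not sid.isdigit():
        return None
    expected = hmac.new(key, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many mac bytes matched.
    if not hmac.compare_digest(expected, mac):
        return None
    return SUBSCRIBERS.get(int(sid))


def renumber_token(token: str, new_id: int) -> str:
    """The 'change the number' step from the column, applied to a hardened
    link; used only to show that the verification catches it."""
    _, nonce, mac = token.split(".")
    return f"{new_id}.{nonce}.{mac}"


if __name__ == "__main__":
    print("vulnerable, guessed id 1002:", vulnerable_renewal_lookup(1002))
    tok = issue_renewal_token(1001)
    print("hardened, own token:        ", hardened_renewal_lookup(tok))
    print("hardened, renumbered token: ", hardened_renewal_lookup(renumber_token(tok, 1002)))
```

The token replaces guessability with a secret the server holds; where the site has a login, the equivalent check is comparing the session's user to the record's owner rather than trusting anything in the URL. Tokens used in e-mailed links should also expire and, ideally, be single-use, which this example omits for brevity.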

Different articles report that the Cuthbert ruling worries security professionals. I can tell you it doesn't worry me or any of the colleagues I have spoken to. Choosing to run "security tests," which again are identical to what you would see in an attack, against a site without permission is a crime. We know that. A court case that affirms that people cannot randomly choose to hack into a site to "test its security" is actually a welcome reminder. As long as a security professional has permission to assess a site, the Cuthbert ruling represents no threat. However, "security professionals" who randomly choose to assess sites are a threat. The critical concept for the whole issue is judgment. Cuthbert's supporters argue that he never had criminal intent. His new employer attests to his integrity. These issues mean that I might ask Cuthbert to watch my wallet. It doesn't mean that I would hire him for a job in the security industry. The fact is that security professionals are not just qualified by their abilities and their integrity, but by their judgment as well.

Security professionals have to make a lot of judgment calls. For example, if you perform a penetration test against a Web site, you would also instinctively assess the routers and DNS servers. However, judgment sets in because you should know that the client might not have the authority to give you permission to assess those devices, as those devices may be owned by the Internet service provider, and you might be committing a crime by testing them. This is just one specific example of how judgment would override instinct. There are other reasons why judgment is important. While Cuthbert may not have had intent to cause damage, he did. While he might not have caused damage to the Web site itself, if he made one mistake, he very well could have. His actions did attract the attention of the administrators of the fund-raising site, and they had to use their resources to figure out what Cuthbert was doing. It is not up to them to figure out his intent, so they contacted the police about the breach, which could have potentially been part of a massive credit card or identity theft attempt.
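The router-and-DNS-server point above is the kind of judgment that can be built into tooling: before any active test, every candidate host is resolved and checked against the address ranges the client owns and has authorised in writing, and anything that lands outside them (typically the ISP's equipment) is refused and raised with the client instead. This is an added example, not code from the column; the authorised ranges, the hostnames and the host-to-address map that stands in for DNS so the example runs offline are all constructed.

```python
# Added example (not from the column): a rules-of-engagement scope gate.
# Authorised ranges, hostnames and the resolver table are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed: what the client's signed authorisation covers (TEST-NET-3).
AUTHORISED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed stand-in for DNS resolution, so the example runs offline.
RESOLVES_TO = {
    "www.client.example":  "203.0.113.5",    # client's web server
    "mail.client.example": "203.0.113.9",    # client's mail server
    "ns1.isp.example":     "198.51.100.2",   # client's DNS, hosted by the ISP
    "gw.isp.example":      "198.51.100.1",   # upstream router, owned by the ISP
}


@dataclass(frozen=True)
class ScopeDecision:
    host: str
    address: str
    in_scope: bool
    reason: str


def check_scope(host, authorised=AUTHORISED_NETWORKS, resolver=RESOLVES_TO):
    """Decide whether a host may be tested under the current authorisation.
    Anything that cannot be tied to an authorised range is refused; the
    tester's instinct to 'just have a look' never gets a vote here."""
    addr = resolver.get(host)
    if addr is None:
        return ScopeDecision(host, "", False, "does not resolve; ownership cannot be confirmed")
    ip = ipaddress.ip_address(addr)
    for net in authorised:
        if ip in net:
            return ScopeDecision(host, addr, True, f"within authorised range {net}")
    return ScopeDecision(host, addr, False,
                         "outside authorised ranges; likely third-party (ISP) infrastructure")


def plan_targets(hosts, **kw):
    """Split candidates into hosts that may be tested and hosts that must be
    cleared with the client (or the third party) before any packet is sent."""
    allowed, refused = [], []
    for h in hosts:
        decision = check_scope(h, **kw)
        (allowed if decision.in_scope else refused).append(decision)
    return allowed, refused


if __name__ == "__main__":
    allowed, refused = plan_targets(list(RESOLVES_TO) + ["unknown.example"])
    for d in allowed:
        print("TEST   ", d.host, d.address, "-", d.reason)
    for d in refused:
        print("REFUSE ", d.host, d.address or "-", "-", d.reason)
```

Resolution and ownership are checked at run time because both change; a scope agreed last month may point at an ISP's load balancer today. A real tool would resolve with the system resolver and take the authorised ranges from the signed engagement letter rather than a constant.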

Everybody theoretically did what he was supposed to in response to Cuthbert's actions. This cost a great deal of resources (well more than the $1,700 fine he is ordered to pay), whatever his intent was, and Cuthbert should be accountable for it. Again, all this could have been avoided if he had applied "judgment" and used nonintrusive methods for investigating the legitimacy of the site in question. If security professionals cannot exercise judgment, know when they might theoretically be crossing a line, and, when necessary, use indirect rather than direct methods of performing their work, they are not qualified to be security professionals.
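The nonintrusive methods the column recommends, here and in the earlier whois and DNS lookup suggestion, can be applied to a suspicious link without sending a single request to the host in question. The following is an added example, not code from the column, that inspects an e-mailed URL offline (scheme, embedded user info, bare IP host, registrable domain versus the organisation's known domain, brand name buried in another domain, odd port) and then lists the passive whois and dig lookups to run next. The organisation's expected domain, the sample URLs and the short public-suffix table are constructed; a real tool would use the full Public Suffix List.

```python
# Added example (not from the column): passive triage of a link from an
# e-mail. Expected domain, sample URLs and suffix table are constructed.
import ipaddress
from urllib.parse import urlparse

# Constructed subset of multi-part public suffixes, enough for the common
# cases; the real Public Suffix List has thousands of entries.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that whois actually answers for,
    e.g. www.charity.org.uk -> charity.org.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_link(url: str, expected_domain: str) -> dict:
    """Inspect a URL without contacting it. Returns the findings and the
    passive command-line lookups (whois, dig) a reader would run next."""
    findings = []
    p = urlparse(url)
    host = p.hostname or ""
    expected = expected_domain.lower()

    if p.scheme != "https":
        findings.append(f"scheme is {p.scheme or 'missing'}, not https")
    if p.username or p.password:
        findings.append("URL carries user info before the host (classic disguise)")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a bare IP address, not a name")
    except ValueError:
        is_ip = False

    if host and not is_ip:
        reg = registrable_domain(host)
        if reg != expected:
            findings.append(f"registrable domain is {reg}, expected {expected}")
            if expected.split(".")[0] in host:
                findings.append("expected brand name appears only inside another domain")

    try:
        port = p.port
    except ValueError:
        port = None
        findings.append("port is not a valid number")
    if port not in (None, 80, 443):
        findings.append(f"non-standard port {port}")

    # Passive lookups: none of these touch the suspect host itself.
    if host and not is_ip:
        lookups = [f"whois {registrable_domain(host)}",
                   f"dig +short {host}",
                   f"dig +short NS {registrable_domain(host)}"]
    elif host:
        lookups = [f"whois {host}"]
    else:
        lookups = []

    return {
        "host": host,
        "findings": findings,
        "passive_lookups": lookups,
        "verdict": "suspicious" if findings else "no passive indicators",
    }


if __name__ == "__main__":
    # Constructed sample links: one plausible, two with the usual tells.
    for link in ("https://donate.relief.example/give",
                 "http://relief.example.evil.test/give",
                 "https://relief.example@198.51.100.7/login"):
        report = triage_link(link, "relief.example")
        print(link, "->", report["verdict"])
        for f in report["findings"]:
            print("   -", f)
        for cmd in report["passive_lookups"]:
            print("   $", cmd)
```

A clean triage result is not proof of legitimacy; it only says the cheap, passive checks found nothing, after which the whois registrant, the nameservers and the organisation's own published contact details are the next things to compare, still without touching the server.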

Cuthbert's new employer was quoted as saying that his case demonstrates that the Computer Misuse Act is untried and untested, despite the fact it has been in effect since 1990, because it doesn't account for intent. There are few laws where intent matters, and the fact is that it shouldn't in most cases. When you cause people to react to what is a crime, you cannot expect people to stop and just forget about it because the crime was just a mistake on your part. Even if Cuthbert's conviction is overturned on a technicality, the damage has been done. What happens to Cuthbert himself remains to be seen. Some people who are burned by their poor judgment exercise better judgment in the future. Cuthbert could make a good security professional. If, however, he is treated like a computer counterculture hero, he will be rewarded for exercising bad judgment, and will probably look for future opportunities to do so. That's up to him.

However, I have my doubts, as Cuthbert refers to people who dare to question his opinions as "desperate wannabes" who are "nobodies in the security field." So take the advice from this desperate wannabe and nobody: it's up to you to determine to what extent judgment matters for you and your company.