Why judgment matters in a security professional

01.12.2005
The case of Daniel Cuthbert, a.k.a. The Tsunami Hacker, raises a number of issues relevant to computing managers. The background of the case, which is basically uncontested, is that Cuthbert, based in the U.K., donated money to a tsunami relief fund-raising Web site. When he didn't receive a confirming "Thank You" message, he thought he might have fallen victim to a phishing attack and decided to investigate. Reports say that he added "../../../" to the Web site's URL to try to get access to the root directory of the server.

In an interview on the Computer Security Alert Web site, Cuthbert says that he ran "security tests" to see how good the site's security was, because he felt a phishing site wouldn't have good security. All this triggered intrusion-detection systems, which watched the rest of his activities. The incident was investigated, Cuthbert was prosecuted, and he was found guilty of violating the U.K.'s Computer Misuse Act. He was ordered to pay a fine and court costs totaling about US$1,700. He is appealing the conviction. The latest twist is that Cuthbert, who has worked in the IT industry, was recently hired by an information security company.

I have to admit that I am not too concerned about the details of the case. Let's just assume for the sake of argument that the story is exactly as Cuthbert describes it: he was interested only in figuring out whether he was a victim of a phishing attack, so he intruded into the system and looked around. That is still a crime, and it should be. Concerning newspaper reports that he simply appended "../../../" to the site URL, something tells me it was a little more than that. I doubt that there would be such a massive prosecution for a single attempt to access the root level of a computer using a well-known and relatively benign method. I know several people in the U.K.'s High Tech Crime Unit, and I doubt that they would waste valuable resources on a simple attempt like the one described that didn't go further. Running "security tests" implies that Cuthbert ran a variety of scans against the system, which look identical to criminal hacking reconnaissance. The fact that one of his guilty verdicts involved modifying a log file would generally indicate that he achieved unauthorized access to the site.

However, even if you assume that there was little more than the URL, and that the prosecutors made too much out of nothing, there is still a lot wrong with the situation. There are many other things Cuthbert could have done to look into the matter. For example, he could have done a whois or DNS lookup, and searched a variety of open-source information to determine whether the site and the associated organization were legitimate. It would have been that easy to avoid the whole mess. I have to admit that I previously looked into a specific site to see if my information was vulnerable on it. I'm not sure how many people remember The Industry Standard magazine, which was basically the magazine of the dot-com boom. (Editor's note: IDG, the parent company of Computerworld, previously owned the Standard.) I received an e-mail asking me to renew my subscription online with an embedded URL.

I looked at the URL and guessed that it contained a one-up (sequential) number that tied to individual subscribers. I hand-typed the URL, modified it a couple of times, and confirmed my worries by pulling up other people's subscription information. I then hypothesized that a computer program could download the entire subscriber list, with all of the readers' contact information, which was basically a who's who of the dot-com era. I contacted the webmaster and reported my findings. While it is a gray area, I stopped when I realized that I was correct in my assumption that my information, and that of thousands of others, was vulnerable. I didn't need to go further into the Web site to verify it, or to download the entire list to prove the point.
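Both incidents above leave a recognizable trace in a Web server's access log: the "../../../" requests that tripped the relief site's intrusion detection, and the run of consecutive subscriber numbers from one address on the magazine site. The following detector is an added example written for this column, not code from either site or from Cuthbert; the log lines, IP addresses and the `subscriber=` parameter name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache-style access-log sample; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2005:10:00:01 +0000] "GET /donate/thanks.php HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2005:10:00:09 +0000] "GET /donate/../../../etc/passwd HTTP/1.1" 403 220
203.0.113.5 - - [01/Jan/2005:10:00:15 +0000] "GET /donate/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 220
198.51.100.7 - - [01/Jan/2005:11:00:00 +0000] "GET /renew?subscriber=10041 HTTP/1.1" 200 900
198.51.100.7 - - [01/Jan/2005:11:00:04 +0000] "GET /renew?subscriber=10042 HTTP/1.1" 200 900
198.51.100.7 - - [01/Jan/2005:11:00:07 +0000] "GET /renew?subscriber=10043 HTTP/1.1" 200 900
192.0.2.9 - - [01/Jan/2005:12:00:00 +0000] "GET /renew?subscriber=20500 HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r'[?&]subscriber=(\d+)')  # hypothetical parameter name


def find_traversal(lines):
    """Return (ip, raw_path) for every request whose decoded path has a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so percent-encoded and double-encoded dots are both normalized.
        decoded = unquote(unquote(m.group("path")))
        if ".." in decoded.replace("\\", "/").split("/"):
            hits.append((m.group("ip"), m.group("path")))
    return hits


def find_enumeration(lines, min_run=3):
    """Return IPs that requested at least min_run consecutive subscriber IDs in order."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        idm = ID_RE.search(m.group("path")) if m else None
        if idm:
            seen[m.group("ip")].append(int(idm.group(1)))
    flagged = []
    for ip, ids in seen.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1  # reset when the sequence breaks
            if run >= min_run:
                flagged.append(ip)
                break
    return flagged
```

A real deployment would read the live log, key the enumeration check on a session or account rather than a bare IP, and treat a hit as a reason to review the request, not as proof of intent.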

Various articles report that the Cuthbert ruling worries security professionals. I can tell you it doesn't worry me or any of the colleagues I have spoken to. Choosing to run "security tests," which again are identical to what you would see in an attack, against a site without permission is a crime. We know that. A court case that affirms that people cannot randomly choose to hack into a site to "test its security" is actually a welcome reminder. As long as a security professional has permission to assess a site, the Cuthbert ruling represents no threat. However, "security professionals" who randomly choose to assess sites are a threat. The critical concept in the whole issue is judgment. Cuthbert's supporters argue that he never had criminal intent. His new employer attests to his integrity. These points mean that I might ask Cuthbert to watch my wallet. They don't mean that I would hire him for a job in the security industry. The fact is that security professionals are qualified not just by their abilities and their integrity, but by their judgment as well.