RE: Interesting conviction

["Craig Wright" <cwright () bdosyd com au>]

Have a look at - http://www.worldlii.org - this is more authorities than
some blog. It is always better to read the actual source - not an
uninformed opinion.

http://www.casetrack.com/ is easier - but you have to pay and they
copyright the material (strange but true since they are not the author).
I have not checked if it is published on Wordlii as yet - but it is
available on casetrack now.

Read the trial notes - there are two main issues

1       He lied to the police to cover his tracks. He stated that he was
"using the text based Lynx browser and this often has strange results".
The police demonstrated that this was not the case and than he changed
his story. The new story was that he just wanted to see if the site was
safe as he wanted to donate. This was changed again to he had donated
but did not get a reply and wanted to ensure that the site was not a
phising scam. Thus he attempted to crack the site to ensure that it was
not a scam site.

2       He admitted (after being caught out - see 1) running multiple
penetration tests against the site. He was not authorised to preform any
of these nor did he have any reason to do so.

His council stated that he could easily break into the site, but chose
not to. Which is false in itself.

I personally believe in forensic evidence over the word of Mr Daniel
James Cuthbert. He did not accidentally click links and he lied when
caught. He has given no reason to be trusted.

I personally do not need to attempt to break into a site to see if it
involved with phissing - there are whois etc checks and I doubt that Mr
Cuthbert needed to either. He could have even tried www.antiphishing.org


Craig

-----Original Message-----
From: Stu Thomas [mailto:stuart.thomas () mac com] 
Sent: 10 October 2005 4:40
To: lists () dawes za net
Cc: Mike Messick; jay.tomas () infosecguru com; pen-test () securityfocus com
Subject: Re: Interesting conviction

A little more detail here:

http://www.samizdata.net/blog/archives/008118.html

and some intelligent debate.



On 9 Oct 2005, at 16:40, Rogan Dawes wrote:

> Mike Messick wrote:
>
> > You're quite right!  ;-)
> > Here's mine:
> > I think the article's editorial comments about causing problems for 
> > security professional and penetration testing are pure crap.
> [snip]
>
>
> > Most laws are written with intent in mind.  That Mr. Cutbert didn't 
> > intend to do anything bad once he got in is really immaterial - that 
> > he *intended to gain entry in an unauthorized fashion* is what 
> > constituted the violation and his subsequent conviction.
>
> [snip]
>
> > Just because you don't steal the TV after you crowbar the front door 
> > open doesn't mean you won't go to prison for unlawful entry.  Or not 
> > get shot by the owner (in some states).  The fact that you don't have

> > permission to be there in the first place is what matters (at least 
> > under current law).
>
> Mr Cuthbert was simply attempting to verify the security of an 
> institution that he had decided to entrust his credit card details to.
>
> Granted, one should not try to break into the vault of a bank to check

> their security, but I think that his intent was somewhat closer to 
> rattling the lock on the safety deposit box after dropping your money 
> in, to make sure that someone else can't just come along and help 
> themself.
>
> Rogan
>
> ----------------------------------------------------------------------
> --------
> Audit your website security with Acunetix Web Vulnerability Scanner:
> Hackers are concentrating their efforts on attacking applications on 
> your website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are futile against web application hacking. Check 
> your website for vulnerabilities to SQL injection, Cross site 
> scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------


--
Stu Thomas
Web:  http://www.stuartspictures.com



------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------