Legal Eagles pt2 | Friday, October 07, 2005 |
So Dan's case is over and done, and the judge said "...is with some considerable regret...I find the case proved against Mr Cuthbert".
From The Register
Peter Sommer, who was an expert witness for the defense, said he thought the judge had a good understanding of the issues involved but "took a very strict view of the wording of the legislation." Sommer added that he thought the policing of minor offences should "not involve taking people to court but rather talking, warning and slapping wrists."
Asked if he thought the verdict would make it harder for the police to get help and cooperation from security professionals Sommer said: "It will certainly make them more wary."
From SC Magazine
When asked if this conviction might drive a wedge between the infosec community and the police, Sommer said "it's certainly not going to help ... and the Computer Crime Unit is going round the City [of London] with a begging bowl saying why don't you fund us directly ... and I think they're going to find it now more difficult."
So, another triumph of the British legal system.
The problem is that this effectively makes the discovery of security problems on public-facing websites illegal, because the law draws no distinction between the action and the intent behind it. Financial institutions and individuals are worried about identity theft, and there are informal but generally accepted ways for security researchers to notify vendors of problems with their software and online services.
But you can't have it both ways: if people aren't free to test things out, then vendors and site owners never get notified, and the only people who do know about the problems are those with malicious intent.
And as regards the DEC website concerned, it did look suspect. Admittedly you wouldn't want the DEC to spend all its cash on web design, but at the time it looked like something a seven-year-old would put together. It certainly wouldn't have surprised me if there had been security and/or privacy issues.
Our intrepid plod said:
"We welcome today's outcome in a case which fully tests the computer crime legislation," said DC Robert Burls of the Metropolitan Police's Computer Crime Unit. "[We] hope it sends out a reassuring message to the general public that in this particular case the appropriate measures were in place that enabled donations to be made via the Disaster Emergency Committee website."
What they didn't mention is that the systems that detected this activity are signature-based. That is, someone in the past discovered a problem, published the details, and the vendor reacted by fixing it. Once the mechanism is understood, companies such as Sourcefire or ISS write signatures so that their products can spot the same behaviour in future, much as anti-virus companies do. A signature can only catch a pattern somebody has already found and written down, so being able to detect a well-known probe says nothing about whether the site had problems nobody had yet published.
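To make that concrete, here is an added example of my own (not code from the original post, the police, or any IDS vendor): a toy signature-based detector in Python run over a handful of access-log lines. The signatures and the log lines are constructed for illustration and are not real vendor rules or real traffic. What it shows is that a signature fires only on a pattern somebody has already written down; the same request with its bytes URL-encoded sails past unless the detector normalises the URI first, which is one reason a clean run of signature alerts proves less than the quote above implies.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


# Hypothetical signatures, written in the spirit of published IDS rules
# (not actual Sourcefire/ISS content). Each one encodes a pattern that
# somebody previously discovered, published and had fixed.
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern


SIGNATURES = (
    Signature(1001, "directory traversal in URI", re.compile(r"(?:\.\./){2,}")),
    Signature(1002, "request for /etc/passwd", re.compile(r"/etc/passwd")),
    Signature(1003, "script tag in URI", re.compile(r"<script", re.IGNORECASE)),
)

# Apache Common Log Format; only the request fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_uri(uri: str) -> str:
    """Undo URL-encoding (twice, to catch double encoding) so the signatures
    see the same characters the web server will act on."""
    return unquote(unquote(uri))


def match_signatures(uri: str, normalize: bool = True):
    """Return the sids of every signature whose pattern appears in the URI."""
    target = normalize_uri(uri) if normalize else uri
    return [sig.sid for sig in SIGNATURES if sig.pattern.search(target)]


def scan(lines, normalize: bool = True):
    """Run every signature over every parsable line; return (ip, uri, sids) per hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: a real IDS would count these, we just skip
        sids = match_signatures(rec["uri"], normalize)
        if sids:
            hits.append((rec["ip"], rec["uri"], sids))
    return hits


# Constructed sample log lines (not from any real server). Line 3 is the same
# traversal as line 2 with the dots and the 'p' of passwd URL-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2005:10:00:01 +0100] "GET /donate.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Oct/2005:10:00:09 +0100] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 403 287',
    '192.0.2.11 - - [07/Oct/2005:10:01:30 +0100] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/%70asswd HTTP/1.1" 403 287',
    '192.0.2.12 - - [07/Oct/2005:10:02:00 +0100] "GET /images/logo.gif HTTP/1.1" 200 9018',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    print("raw matching:")
    for ip, uri, sids in scan(SAMPLE_LOG, normalize=False):
        print(f"  {ip} {uri} -> {sids}")
    print("after URI normalisation:")
    for ip, uri, sids in scan(SAMPLE_LOG):
        print(f"  {ip} {uri} -> {sids}")
```

Run it and the raw pass flags only the literal `../../../../etc/passwd` request; the encoded copy from 192.0.2.11 goes unnoticed until the URI is decoded. A request that matched no published pattern at all would never show up in either pass, which is the gap the police statement glosses over.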
For some types of problem a researcher can model and test in a lab environment. But if you suspect that, say, RBS or Hotmail has a problem, there's no practical way to replicate their environment, and all too often the response from a vendor or site owner is, "What problem? There's no problem."
Convictions like this, where it is accepted that there was no ill intent, endanger online business rather than strengthening it.
It's a bit shit, that's all I'm saying.