Last January, I got an email from a trusted source swearing that a good pal of his had been arrested while making a donation to an online tsunami relief fund because he'd been using a non-standard, text-based browser that had triggered the donation site's intrusion detection system. I blogged the story.
Now the "lynx user" has been found guilty of unlawful intrusion, and has changed his story. He says that he wasn't just using a nonstandard browser, but that he'd also probed the system after his attempt to make a donation failed and he began to suspect he'd been suckered by a phishing scam.
If this is the true story (and the judge didn't dispute it, according to the ZDNet story), then that could very well have been me — lots of times when I suspect a site is dodgy I'll do things like check the operating system and server version of the remote end by using probing tools and compare the result against a list of known-compromised combinations.
But in court on Wednesday, Cuthbert said he had made a £30 donation to the site, after clicking on a banner advert. When he received no final thank-you or confirmation page he suspected he might have fallen victim to a phishing scam, so he carried out two tests to check the security of the site.
Cuthbert's defence team had argued that he had merely 'knocked on the door' of the site, pointing out that he had the skills to break into it if he wanted.
Section one of the CMA says that it is an offence to make "unauthorised access to computer material". There is no burden on the prosecution to prove that the accused had intended to cause any damage.
Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
Update: Stephen de Vries sez, "The details of this case are important to understand exactly how absurd the verdict was. What Daniel actually did to 'knock on the door' was to insert a ../../../ character sequence into the web address and a single quote into the credit card field – THROUGH HIS BROWSER. He did not use any attack 'tools' or 'probes' other than Internet Explorer. Furthermore, typing these sequences into a browser does not an attack make – it only proves that a website may be vulnerable. It takes a hell of a lot more effort to actually gain any form of unauthorized access to the site. Daniel did none of this, he only typed the sequences and watched the responses – and don't forget, he actually donated the £30 towards the fund using his real credit card and personal details. I am a security consultant and not the only one to be outraged by the way this case was handled and by the outcome of the final verdict. The incompetence and ignorance of the Computer Crime Unit can be understood – but that the judge chose to interpret the vague Computer Misuse Act in this way simply beggars belief and sets a worrying precedent in UK law. So to all UK based web administrators, if you encounter ../../../ or single quotes in your web server logs, please forward this information on to the CCU. They can be contacted on: +44 20 7230 1279 or +44 20 7230 1280, http://www.met.police.uk/computercrime/#SO6"
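As an added illustration (not part of the post, nor of Stephen de Vries's comment or anything Cuthbert did), here is what the log triage he is sarcastically recommending would actually look like: a small Python scanner that reads Apache combined-format access-log lines, percent-decodes the request target, flags ../ sequences and single quotes in query parameters, and grades each hit by how the server answered. The log lines below are constructed for the example; the addresses, timestamps, paths and parameter names (page, card, name) are invented and do not come from the case.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format). Nothing here is
# taken from the real site or the real case; the addresses are documentation ranges.
# The last two lines are a legitimate Lynx user whose surname happens to contain an
# apostrophe, to show the single-quote rule's false positive.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2005:14:02:11 +0100] "GET /donate/index.php?page=thanks HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [05/Oct/2005:14:03:40 +0100] "GET /donate/../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [05/Oct/2005:14:04:02 +0100] "GET /donate/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [05/Oct/2005:14:05:19 +0100] "GET /donate/pay.php?card=4111111111111111%27 HTTP/1.1" 500 133 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [05/Oct/2005:14:06:00 +0100] "GET /donate/pay.php?name=O%27Brien HTTP/1.1" 200 900 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
198.51.100.9 - - [05/Oct/2005:14:06:30 +0100] "GET /images/logo.gif HTTP/1.1" 200 4200 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
"""

# One line of the combined log format: client, identd, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A dot-dot segment followed by a forward or back slash, after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_target(target, rounds=3):
    """Percent-decode repeatedly, with a bound, so %2e%2e%2f and double-encoded
    forms (%252e) are seen in their plain form; stop once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(entry):
    """Rules applied to one request. Returns (rule, severity, detail) tuples.

    - traversal: a ../ sequence anywhere in the decoded path or query.
    - single-quote: a ' inside a query parameter value. Rated high only when the
      server answered 5xx (the application choked on it); otherwise low, because
      apostrophes occur in ordinary names and addresses.
    """
    findings = []
    decoded = decode_target(entry["target"])
    parts = urlsplit(decoded)
    if TRAVERSAL_RE.search(parts.path) or TRAVERSAL_RE.search(parts.query):
        findings.append(("traversal", "high", decoded))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "'" in value:
            severity = "high" if entry["status"] >= 500 else "low"
            findings.append(("single-quote", severity, f"{name}={value}"))
    return findings


def scan(log_text):
    """Run the rules over every parseable line and return a flat list of findings."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # blank or malformed line; a real tool would count these
        for rule, severity, detail in classify(entry):
            results.append({
                "ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                "rule": rule, "severity": severity, "detail": detail,
            })
    return results


def high_severity_ips(findings):
    """Sorted list of client addresses with at least one high-severity finding."""
    return sorted({f["ip"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:<14} {f['ts']}  {f['rule']:<12} {f['severity']:<4} {f['status']}  {f['detail']}")
    print("hosts with high-severity findings:", high_severity_ips(found))
```

Two caveats the sample is built to show. First, the single-quote rule on its own is noisy: the Lynx user's name=O'Brien trips it exactly as the probe does, so the scanner downgrades a quote that the application handled without error, and it is the 500 response to the quoted card value, not the character itself, that makes the earlier hit interesting. Second, an access log only records the request line, so a quote typed into a form field that is submitted by POST (as a credit-card field normally would be) never appears in it at all; the example uses GET parameters so that the value is visible. Browsers also generally normalise a literal ../ in the path before sending the request, which is why the scanner decodes percent-encoding (bounded, to survive double encoding) and checks the query string as well as the path.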