The Tsunami “Hacker” Story

By Daniel Miessler on October 12th, 2005: Tagged as General | Philosophy

As many of you know, there is currently a story about a security consultant by the name of Daniel Cuthbert who’s been convicted of illegally accessing a Tsunami relief web page after making a donation.

There are widely varying views on this, but let’s first lay down the facts as we know them. First of all, he tried accessing the system directories on the web server. Secondly, and most importantly, he tried to get the database to cough by doing some SQL injection.

Here’s the thing: at the very least the guy should be convicted of abject stupidity. He may not have had any intentions of doing anything malicious, but as a security consultant he should have known better than to throw single quotes into URLs without permission. This is day 1 security consultant stuff.

His story evidently is that he didn’t get a confirmation email back after making a donation, and that after becoming suspicious he decided to check into it. The problem with that is that he wasn’t paid to audit their security. (Insert analogy about open doors on in a residential neighborhood) He should have known better — plain and simple.

What this guy does not deserve, however, is to have his name ruined. He made a bad choice, but it’s not the sort of thing that should end a career. Give him a fine, a healthy dose of embarrassment, and put an end to it. What he did wasn’t immoral, it was just stupid. Give the guy a break.

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Tim
    Lots of people are behind bars because they did something stupid.

    Honestly I think stupity is no less evil than immorality or malice.
  • Michael S Black
    If you can get this kind of sentence for simply adding "../../../" to a URL, why oh WHY do we still have script kiddies??!! I do this all the time at work when I am investigating sites that "appear" to be phishing sites trying to look my companies online portal, does this mean I can no longer do this if they reside in the UK? I can't do any investigative work in trying to determine whether they are ripping our customers off? I suppose I then must contact LEO and ask some officer to do this. What kind of priority can I expect the UK Law Enforcement Community to give my "possible" phish site? I think the implications of this ruling are WAY MORE imperative to pay attention to than the individual repercussions of Mr. Cuthbert, as sad as they may be.
  • If you read into it, though, Michael, the issue was deception rather than the act itself. He lied about what he did for quite a bit and then recanted later. Bad form.

    Not sure it deserves what he got, but still...bad form.
  • Ken
    It is very difficult to define morality. Most laws are/or should be based off of intent. What this guys did that was major wrong was lie. As an information security professional he should have told the truth right away.
  • Michael S Black
    Bad form, Yeah...conviction worthy...I don't really know if I would agree with that..Will it make me be on my toes from now on, even more so that I am already...DEFINITELY
blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives