Tsunami 'hacker' keeps security job

When Daniel Cuthbert was convicted last month of gaining unauthorized access to a tsunami fund-raising Web site, many people--including the U.K. trial judge--suspected his career in the IT industry was over.

These suspicions were unfounded, though. Cuthbert is hard at work at Corsaire, a U.K. tech security company.

Martin O'Neal, director at Corsaire, confirmed Friday that Cuthbert had actually joined the company before his trial. O'Neal, though, isn't worried that one of his employees is a high-profile breaker of the Computer Misuse Act (CMA).

"The reason being, we've known Daniel for a long time. He was well known in the security industry, even before the case. His integrity has never been called into question," O'Neal told ZDNet UK on Friday.

Cuthbert was found guilty under the Computer Misuse Act of gaining unauthorized access to an appeal site for victims of the Asian tsunami in December 2004. Cuthbert said in court that he had made a donation and then became concerned that he'd fallen victim to a phishing scam. To check, he added "../../../" to the URL in an attempt to access the site's higher directories--an action that triggered an alarm.

Security experts and ZDNet readers have expressed concern about the conviction. O'Neal shares this view.

"As for the conviction, it's frankly ridiculous. It highlighted how untried and untested the CMA is. The main problem is how you define unauthorized access and intent in the context of an open Web server," O'Neal said.

As a full-time employee at Corsaire, Cuthbert is currently working on internal training material. This may come as a surprise to the judge in his case, who told Cuthbert that the consequences of his actions were ?more serious than anything I can do."

The wider issue of the ethics of hiring known hackers or convicted cybercriminals is one that splits the security industry. Last year, German firewall vendor SecurePoint Technologies was criticized after hiring Sven Jaschan, a teenager who had been charged--and was subsequently convicted--of writing the Sasser worm.

Richard Starnes, U.K. president of the Information Systems Security Association, acknowledged that the circumstance of Cuthbert's conviction should not automatically keep him from working in the security industry.

"Life is rarely made of hard and fast rules, nor should it be," Starnes said. "You should look at the merits of each particular case. In general, I do not hire former hackers. However, from a potential employment standpoint, a situation such as Mr. Cuthbert's would certainly warrant further investigation rather than a flat refusal to consider for employment."

Graeme Wearden of ZDNet UK and Dan Ilett of Silicon.com reported from London.

[n3td3v]

Tsunami website admins to blame

Websites that have directory structures exposed to the internet should be blamed here. Furthermore, the computer misuse act in United Kingdom is a shambles. Alot more laws need to be passed to make the computer security laws more defined. If you're going to start locking people up for guessing directory structures or people who have accessed a page, the company exposed to the internet by mistake, then the jail's here in U.K. are going to be pretty busy.

What constitutes breaking into a system

If a system is open to individuals, e.g., not properly secured, I do not believe anyone should consider that system has been hacked. There are many attempts (thousands) made each year to my relatively unimportant web sites/systems. I do not support nor condone hackers but also believe website administrators should be competent or they are as much at fault for a security breach as the hacker.

[AgedHack]

Doing his job

What if, in his search he revealed that the site was a phishing attack. Then he would have been rewarded, not prosecuted. It takes suspicious people with the right skills to protect all of us users.