Judge Refuses To Convict Hacker 272
Jake96 writes "A judge in Wellington, New Zealand, declined to convict a man who ran an unrequested security audit on a bank's phone systems and was charged with 'intentionally accessing a computer system knowing he was not authorized to,' according to an article in the New Zealand Herald."
Can this set a precedent here in the States? (Score:5, Insightful)
Re:Can this set a precedent here in the States? (Score:5, Interesting)
Maybe you should read what this guy actually did. He intruded into a bank's phone system (without permission), performed a security audit (again without permission), and then tried to get the bank to pay for his work. If I was the bank I would be taking this bastard to court too. How would you feel if someone turned up at your house, did some work, then sent you a bill, all without you requesting anything be done? The fact that the bank has a security issue is a side note here; they should be hiring a "reputable" security firm to look at their systems.
Re:Can this set a precedent here in the States? (Score:5, Interesting)
He's very lucky he did it in NZ where it appears that the courts consider him stupid rather than malicious. In other countries he might get charged with terrorism related offenses or worse.
Re:Can this set a precedent here in the States? (Score:4, Funny)
Can anyone point to an example where "other countries" doesn't just mean the US?
Re:Can this set a precedent here in the States? (Score:5, Informative)
Also, in the UK someone was fined £1000 and lost his job just for typing in a URL with "../../.." on the end of it. Story here [theregister.co.uk].
Re: (Score:2, Interesting)
Re:Um, Exposing a problem is not CREATING a proble (Score:2)
Re:Um, Exposing a problem is not CREATING a proble (Score:5, Insightful)
The judge was an idiot - what this guy did was just a new twist on the old "send them a bill and hope they pay at" scam.
This is the same sort of scam that boiler-room ops do all the time - sending bills for unsolicited ad space in non-existent magazines, etc.
The guy is scum. The judge was out to lunch on this one.
Let's put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited "advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...
Or someone tries to break into your house, then sends you a description of all the "security weaknesses" they found, plus a bill for their time.
Just because it's a phone system doesn't make it any less an attempted con job.
Re: (Score:3, Insightful)
Re:Um, Exposing a problem is not CREATING a proble (Score:4, Insightful)
Let's put it in terms slashdotters can understand ... someone does a pen test of your web site, and sends you a description of what they found, plus a bill for their unsolicited "advice" ... even though you didn't ask them to try to do any penetration testing and you never heard of them before ...
Tell him you aren't going to give him a penny, but thanks for the free security audit!
The judge's decision came from a correctional view of the justice system there rather than the punitive model used in the U.S. (despite the U.S. tendency to falsely call prisons correctional facilities). That is, the judge believed that the process of justice up to that point had already convinced the defendant not to do it again and the free security audit was adequate restitution.
Re:Can this set a precedent here in the States? (Score:5, Funny)
If the bank were a computer company with the present mindset, the bank would get to work on fixing the problem, and he'd have been ignored when he asked for cash, rather than prosecuted.
Re: (Score:2, Insightful)
You don't "unintentionally" hack into a bank's phone system.
Re:Can this set a precedent here in the States? (Score:4, Insightful)
Now, quick question, when did I use the word 'unintentionally' in my post, as you seem to be implying?
Re: (Score:2)
I started saying random gibberish and various swear phrases backwards "uoy kcuf"* and such. Ended up accessing some maintenance subroutine or such that seemed to have the ability to list all prompts by menu tree. Likely could have gotten farther, but I really was trying to book a flight so I hung up and started over.
-nB
I love WAV recorder. It will let you reverse the WAV and play it back. Learned everything back
Re: (Score:2)
In TFA, he states that he wasn't aware it was illegal. Hey, funny that; he didn't intentionally commit a crime!
So, yeah. He intentionally probed a vulnerability, and reported his results, then asked for compensation. Stupid, businesswise, but a very reasonable way to go about things. It happens all the time in the software world, and there's a lot less money to protect there. You'd think a bank would welcome the info, and the suggestions on how to repair the issue.
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Can this set a precedent here in the States? (Score:4, Interesting)
Except that instead of giving you a rectal exam, he molested your daughter, exploded your favourite hockey team's home town with NUCLEAR WEAPONS, and stole your glasses.
Care to provide any justification for why your analogy isn't just an arbitrary construction designed to suit your position?
These are information systems. Not cars, not windshields, and not the doctor's office. Discuss the actual question, not stupid analogies.
Since when... (Score:2, Interesting)
I actually applaud the NZ courts. The man could have used the information to commit fraud, steal sensitive/valuable information and sell it to the highest bidder and make a whole lot of money but instead he chose to go directly to the bank and ASK for payment.
So he had a sure way to make money, but instead he ASKS for money AFTER revealing the security flaw. If you ask me, the bank suffered from bruised ego syndrome and wante
Re: (Score:2)
He didn't have a "sure way of making money."
On any phone system, there are going to be users with easy passwords and default passwords that didn't get changed, or got reset during maintenance.
This doesn't give him the right to go around playing detective unasked, then trying to bill them for it.
How about if someone shows up at your house unasked, and tells you they inspected it, and you need to do the following work, and by the way, their bill for the unwanted "inspection" is $300.00? I'd call the co
Re: (Score:2, Insightful)
I don't want someone evaluating my security unless I ask them
Re: (Score:2)
First, you don't know all the evidence. Basing judgement on what you read or hear in the news (hearsay and rumor rather than fact) is stupid.
Is it stupid that the judge didn't overreact? Just because folks in the good old USA like to overreact and blow things out of proportion doesn't mean the rest of the world should follow suit.
Like it or not, the right decision was made. If you were so smart, you'd be a judge, instead of posting on
Re:Can this set a precedent here in the States? (Score:5, Funny)
Re: (Score:2)
No, no... wait, it's like this. It's like stopping in the red light district in Amsterdam and, while looking through a window, you get your bum cleaned by some money *without* your permission.
(Substituting in for BadAnalogyGuy.)
Miracles! (Score:4, Funny)
Re:Miracles! (Score:5, Funny)
I know. Amazing isn't it.
Although there was the slight matter of calling the bank and presenting a bill for services that were never asked for, but I'm willing to chalk that up to creative marketing. . .
On a side note, my uncle (who is a lawyer) has a low opinion of judges and tells the following joke which you may tell your friends under the JPL (joke public license):
Q:What do you call a lawyer with an IQ of 50?
A:Your Honor. (Substitute M'Lud or other region appropriate judge appellation here if necessary.)
Re:Miracles! (Score:5, Funny)
Enlightening indeed. After all those lawyer jokes the lawyers finally made a joke about somebody else ... and it wasn't even funny! Nice try by the lawyers, but there's gotta' be another lawyer joke in there somewhere.
Re:Miracles! (Score:5, Funny)
Re:Miracles! (Score:5, Funny)
Judge (interjecting): "You mean as drunk as a lord?"
F. E. Smith: "Yes, My Lord."
"Researcher" was stupid (Score:3, Insightful)
Re:"Researcher" was stupid (Score:4, Interesting)
Is it better or worse that he actually walked around inside your house?
Re: (Score:2)
Re: (Score:3, Insightful)
is blackmail.
I spent an hour walking around your house and found that you had the following unlocked doors... Please pay me $50 for one hour's work.
is a bill for professional services rendered.
Re: (Score:2)
is a bill for professional services rendered."
A bill that the 'customer', in this case has no obligation to pay; no contract or sales agreement, you see. A respectable human / company would pay it anyway, despite the lack of obligation.
Re: (Score:3, Funny)
"Thank you for your prompt payment of my security bill. During your vacation, I took the liberty of redesigning your house by adding turrets in the corners, a moat and a drawbridge. I also painted it striped pink and orange. Your garden now sports a beautiful 35m marble fountain representing 'Mammals Overtaking Dinosaurs' (an allegory). I left your mail on the little table by the door. Please find my bill for $7 897 463 attached."
Re: (Score:2)
Anyway, the guy didn't redesign their house. He just discovered something about it. No changes made. He was asking them if they're interested in paying for his knowledge.
If someone uses a house in an analogy again, I swear I'll do something that I'll regret.
Re: (Score:2)
Not "come up with a realistic analogy".
Should we use the time tried car analogies then ?
Re: (Score:2, Interesting)
Re: (Score:2)
No, that's blackmail too, only better veiled (... and, admittedly, more reasonably priced...).
Re: (Score:2)
Put something on the internet and it's in public space per definition. It doesn't give anyone the right to destroy it, but it does give us the right to look at it (or rather, it doesn't give you the right to refuse us).
(I haven't read the story, don't know if my analogy is more applicable, but I find GP's a
Re: (Score:2)
Meanwhile, he gave the info, THEN asked for money. That's not extortion. It's a stupid request, in that he's got no pull after he gives the info to the bank, but it's not extortion.
If I were the bank, I'd have either told him to shove it, or added him to my security auditing team. He in no way deserves to be paid for work he did without request, but he has proven skill, knowledge, experience and maturity in the way he went ab
Re: (Score:2)
It's still extortion. And he still has pull:
Re: (Score:2)
It's a professional service. They provide you with info, you pay them.
Re: (Score:2)
If neither a threat nor a demand of pay
Re: (Score:2)
Re: (Score:2)
Sticking your head in the sand doesn't actually make security problems go away.
So the banks system has N security holes, where some other number X have already been identified by the bank and reviewed for severity and decisions were made as to how to deal with them.
This guy identified some set of problems that are in N and possibly in X.
Other people (aka: Bad Guys TM) have identified some other set of vulnerabilities i
Re: (Score:2)
The bank never had a choice in the first place. If it feels it has a responsibility to its customers, its JOB is to remain always vigilant about
Not a good way to do business (Score:4, Insightful)
His background with fraud (though 10 years prior) sullies his reputation even further.
It's not a crime to be a dumbass. At least not in NZ, apparently.
Re: (Score:2)
Apparently so (that's comforting, since that's where I live). At first I doubted that the judge actually acquitted him, and thought maybe he just convicted him without imposing a sentence; but another NZ source [radionz.co.nz] says the judge "discharged him without conviction, despite police opposition."
In fact the other source I cited above has a different story: it says he "identified security vulnerabilities in the bank's telephon
Re: (Score:2, Insightful)
It's all in the details. (Score:2)
After all, from what I see he could have told the bank something like the following:
"Hi, you've got security problems with your email server, the following webservers have serious problems and need to be patched (list of IPs), the following servers have easily guessable ssh username and passwords.
If you want more details my professional rates are XYZ."
While that's not the best way of going about doing thing
Re: (Score:2)
Re: (Score:2)
He sent them a bill. That's not so generous. Generous would be finding the issues, letting them know, and not asking for money. (Though people have been arrested and I assume convicted for things like this too.)
I had a guy show up and mow our yard, then knock on the door and asked to be paid. My wife, not really sure what to do, called me (I was at work) and asked if I really did hire this guy to mow our yard. I did not. Should we have paid him?
Did it matter that he seem
Re: (Score:2)
Sure it's generous, but it's also a one-way ticket to the poor house. From TFA:
Wow! Guess what??? So do I!! And I bet so do most of the people who read /.
I had a guy show up and mow our yard, then knock on the door
Re: (Score:2)
See, that's the difference between you and this bank. You, apparently, have respect for other people.
If I were an Australian, I would not use that bank; the proper course of action would be not to pay him, but to hire him. Good security auditors are hard to find (though, awful, by-the-book ones abound).
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I dunno. Some of the best security experts are post-black-hat hackers.
Re: (Score:2)
But street bums do that to my windshield all the time!
Stupid. (Score:2, Insightful)
Great!
Re: (Score:2)
Re: (Score:2)
Depends. Years ago, there was a robber gang who would break into houses, take notes (or rather, snap pix), and go away without taking anything. The pix would go into their catalog.
Once they had a customer for your antique furniture, they would come back with their van and get it. I guess, this cut down on their storage costs, or sth like that. Just-in-time robbery.
And given this modus operandi, I'
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
To be picky, I should have called it "Breaking and Entry" rather than robbery. B&E doesn't have the force requireme
Re: (Score:2)
Not just yet. :)
I already covered B&E in my original argument, as well as trespass if you're thinking of using that. According to Wikipedia, Breaking and Entering, or Burglary [wikipedia.org] does indeed not need an actual theft. But it does need an intention to commit a crime. Making notes is not a crime.
Anyway, my original point is that your analogy really doesn't
Re: (Score:2)
I think he goofed up when he tried charging for his services, which he hadn't been contracted for. That is very presumptuous, and more than a little irritating. I don't believe he'd been asked to look for holes, which amounts to B&E.
Re: (Score:2)
The door was not left unlocked and open. It just had a bad lock, guy waltzed in, and left a bill for "identifying a security flaw in the front door" on the kitchen table.
Company internal data systems accessible only through faults in the public interface are not any more public than my house is public just because it happens to be alongside public road network. They both have public parts (my doorbell), customer-accessib
Re: (Score:2)
Certainly the House is a bad analogy. I totally agree with the parent poster on this one. Let's run with this Bank analogy though
Suppose the man stays within the public areas of the bank. He is walking along, careful not to enter any restricted zone, but he is testing any doors leading to restricted or staff areas. Nobody seems to notice him doing this. Suppose he finds an unlocked door, but he doesn't take advantage of it. He goes to a staff member
Borderline scam? (Score:5, Insightful)
Would you honestly pay for a service you weren't told you were receiving and didn't ask for if you were billed for it?
Re:Borderline scam? (Score:5, Funny)
First Xena, then LoTR, now this (Score:5, Funny)
Re:First Xena, then LoTR, now this (Score:5, Funny)
Yep, that's why they created the
Re: (Score:3, Funny)
No way, hell you should see what passes for broadband here.
Speedy Justice (Score:4, Interesting)
Macridis had telephoned the Reserve Bank on May 30, introducing himself as a security consultant.
The Reserve Bank made a complaint to police, who searched Macridis' house on September 21 and seized his computer.
Ok, a bit slow there - four months - but maybe the bank did some research on the flaws first. And the wheels of Big Business turn pretty slow....
Gerasimos Macridis, 39, appeared in the Wellington District Court on Wednesday - the 27th - on one charge of intentionally accessing a computer system without authorisation.
A little over a week from when the police took his computer, to when he appeared in court.
They presumably searched it, did all the legal paperwork, had the weekend off, etc.
Not much crime in Wellington lately? Or are they normally this speedy?
Re: (Score:3, Informative)
The Reserve Bank of New Zealand [rbnz.govt.nz] is not a bank, as such. It's not like you waltz down to the Reserve Bank to make a deposit of your weekly wage cheque.
I believe it's more like the Federal Reserve in the States, though the RBNZ is 100% government owned.
So basically this guy decided to do some "security analysis" of a governmental body, not some penny-ante savings & loan branch in the backwoods. So yes, the police are going to be on to it pretty damn quick.
Re: (Score:2)
And the cogs of government are often the slowest moving ones, you know.
Re: (Score:2)
MAYDAY MAYDAY (Score:5, Insightful)
Lawyer 216421934614: What?
Lawyer 131236716723: They didn't throw this guy in jail who broke some technicality against a major corporation.
Lawyer 216421934614: WHAT?
Lawyer 131236716723: I'm serious! New Zealand! That fucking judge forgot how hard it is to pay off an SL500 and those student loans on a measly $70,000 starting salary!
Lawyer 216421934614: Look, I know you're new here, but this is America. We've got the RIAA, MPAA, not to mention all the lobbying to be done in DC. I mean, those Native Americans don't rip themselves off, eh? Plus, we've got so many laws on the book that someone, somewhere isn't doing something right, and who gets to prosecute?
Lawyer 131236716723: Lawyers?
Lawyer 216421934614: And who gets to defend?
Lawyer 131236716723: Lawyers!
Lawyer 216421934614: And who gets to judge?
Lawyer 131236716723: Former lawyers elected by other lawyers!
Lawyer 216421934614: And who makes the law?
Lawyer 131236716723: Former lawyers who have even less ethical concerns than other lawyers, lobbied by lawyers! Thanks, Bill... I was starting to worry!
moderate parent insightful (Score:2)
Re: (Score:2)
Not just once (Score:5, Informative)
"Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week.
Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.
However two justices of the peace discharged Gupta saying there was no case to answer after a hearing in the Auckland District Court on Wednesday."
more @ http://www.crime-research.org/news/21.01.2006/177
Re: (Score:2)
Well yes, but you gotta admit, "hacking the Reserve Bank" sounds a lot cooler than just "hacking voicemail".
Re: (Score:2)
original story here:
http://computerworld.co.nz/news.nsf/UNID/FD9D3F1F
Re: (Score:2)
The second time? Dangerous precedent! Hmm, time to fire up google, and enter inurl:asp inurl:id site:nz and rake in that free cash!
He was asking for it.... (Score:3, Insightful)
You don't mess with the systems controlling an entire country's economy, and then demand money for it; if you do, well, Darwin would like a word with you.
Re: (Score:3, Funny)
And wouldn't that make us "Linux fuck-anuses" and not "Linux fuckheads?"
Your troll is very confusing.
Re: (Score:2)
What the bank is protecting is its image. Realistically, he is incurring unexpected expenses and not via extortion. They can choose to not pay and keep running a leaky telephone system. How often do people not change the oil in their car on time? Or at all. Extortion is when the consequences of not paying are immediate and far reaching. The system is already insecure. The guy is in po
Re: (Score:2, Insightful)
Re: (Score:2)
Take opportunity that you get, clearly the bank won
Re: (Score:3, Interesting)
It doesn't matter that he didn't threaten to make the vulnerabilities public, he disclosed that he knew of the vulnerabilities to the bank, which instantly creates the knowledge that there _ARE_ vulnerabilities that somebody else might potentially try to uncover and exploit. The bank's only recourse is to fix those vulnerabilities, and the only way they will discover what vulnerabilities were uncovered is if they pay the guy.
Whether or not it was his intention, this soooo looks like extortion.
Re: (Score:2)
Re: (Score:2)
I think you're focusing on the wrong crime here (Score:2)
You must be American (Score:5, Funny)
Re: (Score:2)
Don't tempt the yanks. It would make a terrible splash.
Re:No surprise (Score:5, Informative)
Australia is where the convicts were sent.
Colonists chose to go to NZ.
Australia is 2.5 hours away from NZ by airplane - i.e. a *long* way.
And we've got the Bledisloe Cup [wikipedia.org]
and Australia doesn't.
You need to spend some time with Google Maps. [google.com]
Re: (Score:3, Informative)
What the hell are you on about, read TFA, this happened in NZ, not Australia.