Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Judge Refuses To Convict Hacker 272

Jake96 writes "A judge in Wellington, New Zealand, declined to convict a man who ran an unrequested security audit on a bank's phone systems and was charged with 'intentionally accessing a computer system knowing he was not authorized to,' according to an article in the New Zealand Herald."
This discussion has been archived. No new comments can be posted.

Judge Refuses To Convict Hacker

Comments Filter:
  • by defile ( 1059 ) on Wednesday September 27, 2006 @11:47PM (#16224385) Homepage Journal
    I hope so.
    • by Anonymous Coward on Thursday September 28, 2006 @12:09AM (#16224543)
      Stupid court results?? I thought that was the norm in the US so why would it set a precedence?

      Maybe you should read what this guy actually did. he intruded into a banks phone system (without permission), performed a security audit (again without permission), and then tried to get the bank to pay for his work. If I was the bank I would be taking this bastard to court too. how would you feel if someone turned up at your house did some work then sent you a bill all without you requesting anythign be done. The fact that the bank has a security issue is a side note here, they should be hiring a "reputable" security firm to look at there systems.
      • by joe90 ( 48497 ) on Thursday September 28, 2006 @12:25AM (#16224653) Homepage
        Actually, it's a bit more serious than that. The bank http://www.rbnz.govt.nz/ [rbnz.govt.nz] who's phone system he compromised is an approximate functional equivilant of the US Federal Reserve http://www.federalreserve.gov/ [federalreserve.gov] (but quite a bit smaller).

        He's very lucky he did it in NZ where it appears that the courts consider him stupid rather than malicious. In other countries he might get charged with terrorism related offenses or worse.
        • by montyzooooma ( 853414 ) on Thursday September 28, 2006 @03:27AM (#16225575)
          "He's very lucky he did it in NZ where it appears that the courts consider him stupid rather than malicious. In other countries he might get charged with terrorism related offenses or worse."

          Can anyone point to an example where "other countries" doesn't just mean the US?

      • He committed no intentional crime. He was identified a security flaw, and provided this info to the bank before asking for money. Sure, it's a little like the guy who washes your windshield at a sopt light asking for money, but it's far from dishonest.

        If the bank were a computer company with the present mindset, the bank would get to work on fixing the problem, and he'd have been ignored when he asked for cash, rather than prosecuted.
        • Re: (Score:2, Insightful)

          by Typhon100 ( 641308 )
          Except that instead of washing your windshield, he got into your car, pulled down your pants and gave you a rectal exam.

          You don't "unintentionally" hack into a bank's phone system.
          • You don't 'unintentionally' wash someone's windshield, either. But guess what: indications of a vulnerable system are about as easy to see as a dirty windscreen, if you're looking. No invasion necessary.

            Now, quick question, when did I use the word 'unintentionally' in my post, as you seem to be implying?
          • Maybe not a bank, but I got very bored one day when talking to Delta Airlines phone computer.
            I started saying random gibberish and various swear phrases backwards "uoy kcuf"* and such. Ended up accessing some maintenance subroutine or such that seemed to have the ability to list all prompts by menu tree. Likely could have gotten farther, but I really was trying to book a flight so I hung up and started over.
            -nB

            I love WAV recorder. It will let you reverstethe WAV and play it back. Learned everything back
          • Never mind, found it.

            In TFA, he states that he wasn't aware it was illegal. Hey, funny that; he didn't intentionally commit a crime!

            So, yeah. He intentionally probed a vulnerability, and reported his results, then asked for compensation. Stupid, businesswise, but a very reasonable way to go about things. It happens all the time in the software world, and there's a lot less money to protect there. You'd think a bank would welcome the info, and the suggestions on how to repair the issue.
            • by matress ( 871339 )
              The crime requires intention, his actions were intentional, therefore he commited an intentional crime. Whether he knew it was a crime or not is beside the point (in the eyes of the law, ignorantia juris non excusat).
          • by Schraegstrichpunkt ( 931443 ) on Thursday September 28, 2006 @02:05AM (#16225205) Homepage

            Except that instead of giving you a rectal exam, he molested your daughter, exploded your favourite hockey team's home town with NUCLEAR WEAPONS, and stole your glasses.

            Care to provide any justification for why your analogy isn't just an arbitrary construction designed to suit your position?

            These are information systems. Not cars, not windshields, and not the doctor's office. Discuss the actual question, not stupid analogies.

            • Since when... (Score:2, Interesting)

              by toonworld ( 838479 )
              ..is telephone system considered an information system? I think I missed something.

              I actually applaud the NZ courts. The man could have used the information to commit fraud, steal sensitive/valuable information and sell it to the highest bidder and make a whole lot of money but instead he chose to go directly to the bank and ASK for payment.

              So he had a sure way to make money, but instead he ASKS for money AFTER revealing the security flaw. If you ask me, the bank suffered from bruised ego syndrome and wante
              • He didn't have a "sure way of making money."

                On any phone system, there are going to be users with easy passwords and default passwords that didn't get changed, or got reset during maintenance.

                This doesn't give him the right to go around playing detective unasked, then trying to bill them for it.

                How about if someone shows up at your house unasked, and tells you they inspected it, and you need to do the following work, and by the way, their bill for the unwanted "inspection" is $300.00? I'd call the co

        • Re: (Score:2, Insightful)

          by Zooka ( 457908 )

          ''He committed no intentional crime. He was identified a security flaw, and provided this info to the bank before asking for money. Sure, it's a little like the guy who washes your windshield at a sopt light asking for money, but it's far from dishonest.

          If the bank were a computer company with the present mindset, the bank would get to work on fixing the problem, and he'd have been ignored when he asked for cash, rather than prosecuted.''

          I don't want someone evaluating my security unless I ask them

      • Stupid court results? Why stupid?

        First, you don't know all the evidence. Basing judgement on what you read or hear in the news (hearsay and rumor rather than fact)is stupid.

        Is it stupid that the judge didn't overreact? Just becasue folks in the good old USA like to overreact and blow things out of proportion doesn't mean the rest of the world should follow suit.

        Like it or not, the right descision was made. If you were so smart, you'd be a judge, instead of posting on /.
  • Miracles! (Score:4, Funny)

    by soft_guy ( 534437 ) on Wednesday September 27, 2006 @11:51PM (#16224403)
    A judge who uses common sense. Wow!
    • by Who235 ( 959706 ) <secretagentx9@cia.cNETBSDom minus bsd> on Thursday September 28, 2006 @12:03AM (#16224487)
      He did not pass the information on to others and did not use it for personal gain. "In my view his intentions were honourable."


      I know. Amazing isn't it.

      Although there was the slight matter of calling the bank and presenting a bill for services that were never asked for, but I'm willing to chalk that up to creative marketing. . .

      On a side note, my uncle (who is a lawyer) has a low opinion of judges and tells the following joke which you may tell your friends under the JPL (joke public license):

      Q:What do you call a lawyer with an IQ of 50?
      A:Your Honor. (Substitute M'Lud or other region appropriate judge appellation here if necessary.)
  • by Gemini_25_RB ( 997440 ) on Wednesday September 27, 2006 @11:51PM (#16224405)
    I see absolutely no problem with someone analyzing the security of a network and relaying the results to the owners of the network. According to the article, the "researcher", Macridis, checked the network and then tried to sell the results to the owners, _after_ already accessing the network. Seems a little bass ackward.
    • by ianejames ( 999353 ) on Thursday September 28, 2006 @12:25AM (#16224655)
      Imagine this: A man walks up to your house while you're gone and tests each lock on every door and window. He finds a way to break in -- but claims that he hasn't. Then he sends you a letter saying he knows your security vulnerabilities and requests payment for that knowledge.

      Is it better or worse that he actually walked around inside your house?
      • Backwards. The above is blackmail. This guy presented the info first, then asked to be paid. The bank went a little far prosecuting. I'd have just ignored his request for payment, and maybe offered a job in security auditing instead.
        • Re: (Score:3, Insightful)

          by StrongAxe ( 713301 )
          I spent an hour walking around your house and found that you had some unlocked doors. Please pay me $5000 and I will tell you where they are, rather than your enemies.

          is blackmail.

          I spent an hour walking around your house and found that you had the following unlocked doors... Please pay me $50 for one hour's work.

          is a bill for professional services rendered.

          • "I spent an hour walking around your house and found that you had the following unlocked doors... Please pay me $50 for one hour's work.

            is a bill for professional services rendered."

            A bill that the 'customer', in this case has no obligation to pay; no contract or sales agreement, you see. A respectable human / company would pay it anyway, despite the lack of obligation.
            • Re: (Score:3, Funny)

              by Fred_A ( 10934 )
              The problem is that this could set a precedent:
              "Thank you for your prompt payment of my security bill. During your vacation, I took the liberty of redesigning your house by adding turrets in the corners, a moat and a drawbridge. I also painted it striped pink and orange. Your garden now sports a beautiful 35m marble fountain representing 'Mammals Overtaking Dinosaurs' (an allegory). I left your mail on the little table by the door. Please find my bill for $7 897 463 attached."
              • by deek ( 22697 )
                Oh man, it seems like I'm on a witch hunt for bad analogies. This has got to be the bazillionth one so far in this slashdot topic. What, me exaggerate?!

                Anyway, the guy didn't redesign their house. He just discovered something about it. No changes made. He was asking them if they're interested in paying for his knowledge.

                If someone uses a house in an analogy again, I swear I'll do something that I'll regret.
                • by Fred_A ( 10934 )
                  The point was more along the lines of "don't pay people for stuff you didn't ask for".
                  Not "come up with a realistic analogy". :)

                  Should we use the time tried car analogies then ? ;)
          • Re: (Score:2, Interesting)

            by benplaut ( 993145 )
            And there's still another difference --
            You either charge for the information, or you give the information and then request to be paid.
            FTFA, it appears that he told them what the problems were before asking for money. More honerable, even.
          • I spent an hour walking around your house and found that you had the following unlocked doors... Please pay me $50 for one hour's work.

            is a bill for professional services rendered.

            No, that's blackmail too, only better veiled (... and, admittedly, more reasonably priced...).

            • You can't be sure whether he told you about all the doors he found.
            • Maybe some doors have broken locks, and you can't get a craftsmen within 3 weeks because they're all busy. During that time, you're a sitting duck, wondering what t
      • by hyfe ( 641811 )
        Imagine this; you put a booth on a public space, and while you're gone, someone walks around it, takes notes, finds some weaknesses and offer to sell you the list. Doesn't sound that bad, now does it?

        Put something on the internet and it's on public space pr definition. It doesn't give anyone the right to destroy it, but it does give us the right to look at it (or rather, it doesn't give you the right to refuse us).

        (I haven't read the story, don't know if my analogy is more appliciable, but I find GP's a

  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Wednesday September 27, 2006 @11:51PM (#16224409)
    More than anything, this guy is a business dumbass for doing the work and providing the results before even a contract was drawn up. Because of this strange sequence of events (providing vulnerability information before being requested), all of a sudden his generous offer looks more like extortion than altruism.

    His background with fraud (though 10 years prior) sullies his reputation even further.

    It's not a crime to be a dumbass. At least not in NZ, apparently.
    • Apparently so (that's comforting, since that's where I live). At first I doubted that the judge actually acquitted him, and thought maybe he just convicted him without imposing a sentence; but another NZ source [radionz.co.nz] says the judge "discharged him without conviction, despite police opposition."

      dumbass for doing the work and providing the results before even a contract was drawn up.

      In fact the other source I cited above has a different story: it says he "identified security vulnerabilities in the bank's telephon

      • Re: (Score:2, Insightful)

        It still sounds dangerously close to extortion. What happens to the data if the bank decides not to hire him? The bank was right to have him arrested, IMO. The judge was right to acquit him.
        • It's a matter of the details and we don't know the details of the case. And the details are important.

          After all, from what I see he could have told the bank something like the following:

          "Hi, you've got security problems with your email server, the following webservers have serious problems and need to be patched (list of IPs), the following servers have easily guessable ssh username and passwords.

          If you want more details my professional rates are XYZ."

          While that's not the best way of going about doing thing
    • by dougmc ( 70836 )

      his generous offer

      He sent them a bill. That's not so generous. Generous would be finding the issues, letting them know, and not asking for money. (Though people have been arrested and I assume convicted for things like this too.)

      I had a guy show up and mow our yard, then knock on the door and asked to be paid. My wife, not really sure what to do, called me (I was at work) and asked if I really did hire this guy to mow our yard. I did not. Should we have paid him?

      Did it matter that he seem

      • by Nutria ( 679911 )
        He sent them a bill. That's not so generous. Generous would be finding the issues, letting them know, and not asking for money. (Though people have been arrested and I assume convicted for things like this too.)

        Sure it's generous, but it's also a one-way ticket to the poor house. From TFA:

        it appeared he was trying to obtain money through virtue of his technical knowledge

        Wow! Guess what??? So do I!! And I bet so do most of the people who read /.

        I had a guy show up and mow our yard, then knock on the door

        • "I would not have to pay him, but if my lawn needed it, and he asked a reasonable fee, I'd have paid him."

          See, that's the difference between you and this bank. You, apparently, have respect for other people.

          If I were an Australian, I would not use that bank; the proper course of action would be not to pay him, but to hire him. Good security auditors are hard to find (though, awful, by-the-book ones abound).
          • I'd find it hard to respect the first guy who comes around and mows my lawn without being asked to and possibily against my wishes, who then proceeds to act like he deserves anything. I'm not sure you realize my fictional lawn is my property.
    • "His background with fraud (though 10 years prior) sullies his reputation even further."

      I dunno. Some of the best security experts are post-black-hat hackers.
    • More than anything, this guy is a business dumbass for doing the work and providing the results before even a contract was drawn up.

      But street bums do that to my windshield all the time!
  • Stupid. (Score:2, Insightful)

    by Kid Zero ( 4866 )
    In other words, I can break into your house and wander around, take notes then leave. When I come to the door later, I can bill you for the "Security Consultation" and not be charged for robbery.

    Great! ...and they call Americans silly? This one's off the chart.
    • by Firehed ( 942385 )
      Well, seeing that you didn't take anything, I'd hope that you're not charged with (or convicted of) robbery. Unless by 'take notes', you mean in a literal sense and walk off with my stack of Post-Its. In which case, you should be charged with criminal idiocy.
      • Well, seeing that you didn't take anything, I'd hope that you're not charged with (or convicted of) robbery.

        Depends. Years ago, their was a robber gang who would break into houses, take notes (or rather, snap pix), and go away without taking anything. The pix would go into their catalog.

        Once they had a customer for your antique furniture, they would come back with their van and get it. I guess, this cut down on their storage costs, or sth like that. Just-in-time robbery.

        And given this modus operandi, I'

    • by pembo13 ( 770295 )
      Hmm. If you break into my house which I assume to be very secure, take notes - only, and are willing to relay that information to me. ..I am not sure that I would be pissed. I would just hope your fees are reasonable.
  • Borderline scam? (Score:5, Insightful)

    by Louis A. J. ( 724488 ) on Wednesday September 27, 2006 @11:56PM (#16224443) Homepage
    While he didn't do anything illegal, I would be very surprised to receive a bill for a service I didn't request. His actions weren't illegal but his method of doing business definitely leaves something to be desired. Although his decision to not broadcast the bank's weaknesses to the public could be viewed as integrity, it could also be calculated business sense. It doesn't sound like someone I would choose to do business with.

    Would you honestly pay for a service you weren't told you were receiving and didn't ask for if you were billed for it?
  • by bunions ( 970377 ) on Thursday September 28, 2006 @12:07AM (#16224525)
    what is it over there, like some kind of geek paradise?
  • Speedy Justice (Score:4, Interesting)

    by ColaMan ( 37550 ) on Thursday September 28, 2006 @12:11AM (#16224555) Homepage Journal
    At least it shows efficient legal process.

    Macridis had telephoned the Reserve Bank on May 30, introducing himself as a security consultant.
    The Reserve Bank made a complaint to police, who searched Macridis' house on September 21 and seized his computer.

    Ok, a bit slow there - four months - but maybe the bank did some research on the flaws first. And the wheels of Big Business turn pretty slow....

    Gerasimos Macridis, 39, appeared in the Wellington District Court on Wednesday - the 27th - on one charge of intentionally accessing a computer system without authorisation.

    A little over a week from when the police took his computer, to when he appeared in court.
    They presumably searched it, did all the legal paperwork, had the weekend off, etc.
    Not much crime in Wellington lately? Or are they normally this speedy?
    • Re: (Score:3, Informative)

      by Snad ( 719864 )

      The Reserve Bank of New Zealand [rbnz.govt.nz] is not a bank, as such. It's not like you waltz down to the Reserve Bank to make a deposit of your weekly wage cheque.

      I believe it's more like the Federal Reserve in the States, though the RBNZ is 100% government owned.

      So basically this guy decided to do some "security analysis" of a governmental body, not some penny-ante savings & loan branch in the backwoods. So yes, the police are going to be on to it pretty damn quick.

      • by ColaMan ( 37550 )
        I know, they've the same function as the Reserve Bank here in Australia. I just didn't feel like typing it all out.

        And the cogs of government are often the slowest moving ones, you know.
      • by oh ( 68589 )
        I believe it is roughly equivalent to the Federal Reserve in the US.
  • MAYDAY MAYDAY (Score:5, Insightful)

    by copponex ( 13876 ) on Thursday September 28, 2006 @12:24AM (#16224651) Homepage
    Lawyer 131236716723: Shit. This is not good.

    Lawyer 216421934614: What?

    Lawyer 131236716723: They didn't throw this guy in jail who broke some technicality against a major corporation.

    Lawyer 216421934614: WHAT?

    Lawyer 131236716723: I'm serious! New Zealand! That fucking judge forgot how hard it is to pay off an SL500 and those student loans on a measly $70,000 starting salary!

    Lawyer 216421934614: Look, I know you're new here, but this is America. We've got the RIAA, MPAA, not to mention all the lobbying to be done in DC. I mean, those Native Americans don't rip themselves off, eh? Plus, we've got so many laws on the book that someone, somewhere isn't doing something right, and who gets to prosecute?

    Lawyer 131236716723: Lawyers?

    Lawyer 216421934614: And who gets to defend?

    Lawyer 131236716723: Lawyers!

    Lawyer 216421934614: And who gets to judge?

    Lawyer 131236716723: Former lawyers elected by other lawyers!

    Lawyer 216421934614: And who makes the law?

    Lawyer 131236716723: Former lawyers who have even less ethical concerns than other lawyers, lobbied by lawyers! Thanks, Bill... I was starting to worry!
  • Not just once (Score:5, Informative)

    by shack420 ( 821947 ) on Thursday September 28, 2006 @12:44AM (#16224773)
    This is actually the second time this has happened in NZ this year...

    "Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week.

    Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.

    However two justices of the peace discharged Gupta saying there was no case to answer after a hearing in the Auckland District Court on Wednesday."

    more @ http://www.crime-research.org/news/21.01.2006/1770 / [crime-research.org] and all over ya google.
    • This is actually the second time this has happened in NZ this year...

      "Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, ...

      Well yes, but you gotta admit, "hacking the Reserve Bank" sounds a lot cooler than just "hacking voicemail".

    • by Audent ( 35893 )
      Isn't that interesting... a website called "crime research" that doesn't know the meaning of the word "copyright" or even "just quote the intro and link to the original story ya munters"...

      original story here:

      http://computerworld.co.nz/news.nsf/UNID/FD9D3F1F2 E04EC92CC2570FE0025DF44 [computerworld.co.nz]

    • This is actually the second time this has happened in NZ this year...

      The second time? Dangerous precedent! Hmm, time to fire up google, and enter inurl:asp inurl:id site:nz and rake in that free cash!

  • by Bitsy Boffin ( 110334 ) on Thursday September 28, 2006 @03:12AM (#16225517) Homepage
    sorry, but this guy was asking for trouble. Firstly, it wasn't just any old bank, it was the Reserve Bank (http://en.wikipedia.org/wiki/Reserve_Bank_of_New_ Zealand), secondly, when he discovered this flaw he didn't just tell them about it, he said basically "I found a flaw, now pay me money".

    You don't mess with the systems controlling an entire countries economy, and then demand money for it, if you do, well, Darwin would like a word with you.

ASHes to ASHes, DOS to DOS.

Working...