NEWS
When Daniel Cuthbert was convicted last month of gaining unauthorised access to a Tsunami fund-raising website, many people - including the trial judge - suspected his career in the IT industry was over.
These fears were unfounded, though. Cuthbert is hard at work at Corsaire, a UK security company.
Martin O'Neal, director at Corsaire, confirmed on Friday that Cuthbert had actually joined the company before his trial. O'Neal, though, isn't worried that one of his employees is a high-profile breaker of the Computer Misuse Act (CMA).
O'Neal said: "The reason being, we've known Daniel for a long time. He was well-known in the security industry, even before the case. His integrity has never been called into question."
Cuthbert was found guilty under the CMA of gaining unauthorised access to the Tsunami appeal site. He claimed in court he had made a donation and then became concerned that he'd fallen victim to a phishing scam. To check, he added ../../../ to the URL in an attempt to access the site's higher directories - an action that triggered an alarm.
Security experts have expressed concern about the conviction. O'Neal shares this view: "As for the conviction, it's frankly ridiculous. It highlighted how untried and untested the CMA is. The main problem is how you define unauthorised access and intent in the context of an open web server."
As a full-time employee at Corsaire, Cuthbert is currently working on internal training material. This may come as a surprise to the judge in his case, who told Cuthbert that the consequences of his actions were “more serious than anything I can do".
The wider issue of the ethics of hiring known hackers or convicted cyber criminals is one that splits the security industry. Last year, German firewall vendor Securepoint was criticised after hiring Sven Jaschan, a teenager who had been charged - and was subsequently convicted - of writing the Sasser worm.
Richard Starnes, UK president of the Information Systems Security Association, acknowledged that the circumstance of Cuthbert's conviction should not automatically debar him from the security industry.
Starnes said: "Life is rarely made of hard and fast rules, nor should it be. You should look at the merits of each particular case. In general, I do not hire former hackers. However, from a potential employment standpoint, a situation such as Mr Cuthbert's would certainly warrant further investigation rather than a flat refusal to consider for employment."
Graeme Wearden writes for ZDNet UK
Comments
There are 3 comments. Join the discussion
1. anonymous
i wouldn't deal with Corsaire if they were the last security company on earth.
this is wrong, ALL WRONG !!
give the burglars, muggers and rapist jobs in police whilst your at it.
2. anumous too
I think anonymous is over reacting. If ALL he did was use www dir url access then it's hardly hacking.
Geez, how many of us have typed in a speculative url extension to see what else is there? Just imagine typing in an incorrect url, and then finding the Old Bill feeling your collar.
3. Graham Coles
Ridiculous.
Sounds like a bad case of trying to manufacture conviction ratings.
A serious incident - typing ../ at the end of a URL to access a publicly accessible website? If this is their idea of an effective IDS, they should be shot, but only after being publicy birched for incompetence.
(I also hope the rumours at the time that the police turned up at his house ARMED and broke the door down were false!)
What next, people getting convicted for thinking about shoplifting because an assistant sees them walking up a store aisle more than twice?
Once again I find myself losing all respect for the legal system in the UK.