Attackers, hackers, and the CMA

Steve Gold’s excellent blog at makes mention of the 12-month prison sentence handed out to one of the chaps who hacked into the LexisNexis Accurint database. I concur with the views of Graham Cluley of Sophos who says “The U.S. authorities must be congratulated for another big computer hacking arrest, which will hopefully deter others from following in the footsteps of Perras, who’s going nowhere fast for the next few years..”

I do like a happy ending. I also like the outcome of the Shawn Carpenter case. Read all about it here:,9171,1098906-1,00.html. The story describes Shawn as a tenacious investigator, but he fell foul of confidentiality policies governing with whom he should have been sharing his data. The fact he has now been compensated for the way he was treated demonstrates that the courts – at least in the USA – are waking up to the difference between criminals who deliberately go out of their way to steal data and those who have a genuine desire to do good but end up being perceived as criminals in doing so.

Here in the UK too, the recent amendments to the Computer Misuse Act are supposed to make it easier to obtain prosecutions although, as noted here, some opinions are that the Act still doesn’t go far enough. A recent article in the Computer & Law Security Report Journal from John Worthy and Martin Fanning entitled “Denial of Service: Plugging the legal loopholes” was also rather scathing, noting that “Questions remain about the clarity and enforceability of the changes (to the Computer Misuse Act).” The article goes on to give, in my opinion, the best advice of all: that we “should continue to adopt a prudent technical and commercial approach architecture (including the use (and regular review) of leading security and anti-intrusion technologies).” That’s really the crux of the matter: we want to make the potential return on attack too low for it to be worthwhile for an attacker to expend time bashing away at our networks, and we want to have the right controls in place to protect data when they do.