Attackers, hackers, and the CMA

Steve Gold’s excellent blog at makes mention of the 12 month prison sentence handed out to one of the chaps who hacked into the LexisNexis Accurint database. I concur with the views of Graham Cluley of Sophos who says “The U.S. authorities must be congratulated for another big computer hacking arrest, which will hopefully deter others from following in the footsteps of Perras, who’s going nowhere fast for the next few years..”

I do like a happy ending. I also like the outcome of the Shawn Carpenter case. Read all about it here:,9171,1098906-1,00.html. The story describes Shawn as a tenacious investigator but he fell foul of confidentiality policies governing with whom he should have been sharing his data with. The fact he has now been compensated for the way he was treated demonstrates that the courts – at least in the USA -are waking up to the difference between criminals who deliberately go out of their way to steal data and those who have a genuine desire to do good but end up being perceived as criminals in doing so.

Here in the UK too, the recent amendments to the Computer Misuse Act are supposed to make it easier to obtain prosecutions although, as noted here, some opions are that the Act still doesn’t go far enough. A recent article in the Computer & Law Security Report Journal from John Worthy and Martin Fanning entitled “Denial of Service:Plugging the legal loopholes” was also rather scathing, noting that “Questions remain about the clarity and enforceability of the changes (to the Computer Misuse Act).” The article goes on to give, in my opinion, the best advice of all that we “should continue to adopt a prudent technical and commercial approach architecture (including the use (and regular review) of leading security and anti-intrusion technologies).” That’s really the crux of the matter: we want to make the potential return on attack too low for it to be worthwhile an attacker expending time bashing away at our networks, and we want to have the right controls in place to protect data when they do.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Stuart - Thank you for turning me on to Steve Gold's excellent blog -- great stuff. Carpenter's case is the canary in a coal mine here at Sandia National Laboratories. The usually reserved atmosphere within the Sandia staff was turned upside down when staff members read the Sandia President's response in the internally published Lab News - Tom Hunter Letter to Sandia Staff - Carpenter Case
The Albuquerque Journal provided daily coverage of the trial, and Hunter's letter was rife with platitudes, but devoid of any acknowledgement of management failures in the handling of the case. Sandia's highly educated staff found the disparity in the content of Hunter's internal memo and the press coverage highly disturbing. For instance, the Sandia Counterintelligence Director admitted that he threatened Carpenter with "decapitation" and "blood on the floor" in court room testimony. According to other reporting, no documentation of the investigation existed, and Sandia witnesses substantially changed their deposition testimony at trial (perjury?).
Despite the fact that Sandia does important national security work, and maintains the United States' nuclear weapons stockpile, all employees are work under "at will" arrangements. In other words, Sandia can fire us for no reason at all. In fact, Sandia attorneys argued that Carpenter had "no right to fair treatment," and it was irrelevant that Sandia did not follow its own procedures in his termination; an "at will" employment arrangement does not require fairness.
This is a foolish and dangerous approach for a facility that does such important work. Los Alamos employees found themselves in a similar situation when the University of California lost the contract to operate the lab last year. It is an environment of fear, where the vast majority of employees will not risk their livelihoods to report security problems. Nobody in their right mind would do so after witnessing what happened to Carpenter.
Corporatization is about money, and fear is about control. Gone are the days of Oppenheimer when patriotism and duty to country inspired scientists and engineers to produce great advances in technology. Companies like Lockheed Martin, who won the contract to manage Sandia in 1993, care only about the bottom line. Their arguments in the Carpenter case, and their views about "fairness" couldn't illustrate their stance better. Talented graduates now look elsewhere to carry on their research, if they are smart. Today's staff members are sheep, blindly following our leaders off a cliff, until corporations like LockMart suck as much federal funding as they can out of the place and move on to greener pastures.