Hacking URLs

How do you surf the web? Chances are that you’re like most people and you just click on links to move from page to page. Seems that most people don’t use the location bar in their browser. That’s the text box near the top of your browser window that contains the URL (or, in plain English, the address) of the current web page. Even fewer people realise that they can edit that address and thereby go to different pages. For example, if I follow a link to http://example.com/some/interesting/page and I then want to see more of the site, I’ll often just edit the URL to remove “some/interesting/page” and end up at http://example.com/ which is hopefully the site’s main page.

For me, and most of my geekier friends, that’s a common part of our day. We’ll often poke around on sites like that. It’s not “hacking” (at least not in the nasty meaning of the word used by most mainstream media); it’s just curiosity.

But it looks like this has just become a potentially dangerous activity. On New Year’s Eve, Daniel Cuthbert was using the DEC web site to make a donation to the tsunami appeal. Something went wrong with his transaction and he became suspicious and began to think that the site might be a phishing site[1]. As a bit of a geek, he poked around on the site a bit to find out what was going on. After a couple of probes he gave up and thought no more of it.

But his probes had set off an intruder detection system and his actions were reported to the police. They were able to track him down using the details of his credit card and he was prosecuted under the Computer Misuse Act.

Here’s where it gets really surreal. Even though the judge accepted that there was no malicious intent in anything that Cuthbert had done, he said that he had no choice but to follow the letter of the law and to find Cuthbert guilty. He was fined £400 and ordered to pay £600 in costs. Full details of the case are here and there is comment from various security experts here.

I find this whole story incredible. There is now a precedent that says that any time you visit a web site in a way not foreseen by the site’s owners, you are liable to be prosecuted. And that might cost you £1,000. As someone who regularly “hacks” URLs, I now need to be a lot more careful about the sites that I visit. Any site could potentially be monitoring accesses and looking for unusual ones. Does this mean that every time I get a 404 error, I could get fined?

It also has potential impact on me as a site owner. All web sites come under attack. Every day my web servers get probed to see if they are running software that has security holes. I just shrug and ignore it. Should I report all of these to the police? Should I report all 404 errors to the police? Can the police handle the thousands of new reports they’ve just opened themselves up to each day? Haven’t they got more important things to do?

It just goes to show that laws which affect the ways that people use technology should really be written by people who understand that technology.

[1] A web site that pretends to be something it isn’t in order to get confidential information from visitors.

Update: More detail here and the original posting about the story (from January) is here.


  1. Have you seen the DEC site with Javascript turned off? It looks like a disaster in both Firefox and IE (no pun intended…really :).
