Unauthorized Hacking - NZ$7500. Chutzpah - Priceless.
Not many reports about cybercrime issues are likely to induce a triple-take, but yesterday's New Zealand Herald included a report that could do just that. According to the article, one Gerry Macridis, described as a "security consultant," admitted that he had accessed the New Zealand Reserve Bank's computer-controlled telephone system without authorization. Macridis is now threatening the Reserve Bank with legal action if he is not paid NZ$7,500 for the information he gave the Bank about security flaws in the phone system.
The fact that Macridis lacked authorization to access the system is apparently both insignificant and irrelevant, as he claims the Bank then used his information to fix the security flaws he found. Macridis reportedly had taken the trouble to send the Bank a report that detailed the security flaws (although the Bank did not request it), and had called the Bank asking for payment for his unsought advice.
Now for the triple-take: Because of his unauthorized access to the Bank's system, Macridis was prosecuted in Wellington District Court, and pleaded guilty to the unauthorized access. Yet the judge -- after hearing from Macridis that "the bank's phone system was the worst he had seen in 11 years as a consultant and was vulnerable to tapping from overseas" -- discharged Macridis from conviction. The judge reportedly stated that Macridis "had acted honourably and a conviction would be disproportionate to the crime."
This ruling does not bode well for law enforcement or IT security departments in New Zealand. Under this court's apparent reasoning, any self-described "security consultant" can hack a computer system, and present the system owner with information on the vulnerability along with a bill for unrequested "services" (at least, as long as he is careful not to threaten harm to the system if he is not paid). One can only hope that Kiwi courts will give any legal action by Macridis short shrift, and perhaps recognize, as future Macridises less come along, that unauthorized access to computers -- far from being "honourable" behavior -- is criminal conduct that deserves to be recognized as such.
The fact that Macridis lacked authorization to access the system is apparently both insignificant and irrelevant, as he claims the Bank then used his information to fix the security flaws he found. Macridis reportedly had taken the trouble to send the Bank a report that detailed the security flaws (although the Bank did not request it), and had called the Bank asking for payment for his unsought advice.
Now for the triple-take: Because of his unauthorized access to the Bank's system, Macridis was prosecuted in Wellington District Court, and pleaded guilty to the unauthorized access. Yet the judge -- after hearing from Macridis that "the bank's phone system was the worst he had seen in 11 years as a consultant and was vulnerable to tapping from overseas" -- discharged Macridis from conviction. The judge reportedly stated that Macridis "had acted honourably and a conviction would be disproportionate to the crime."
This ruling does not bode well for law enforcement or IT security departments in New Zealand. Under this court's apparent reasoning, any self-described "security consultant" can hack a computer system, and present the system owner with information on the vulnerability along with a bill for unrequested "services" (at least, as long as he is careful not to threaten harm to the system if he is not paid). One can only hope that Kiwi courts will give any legal action by Macridis short shrift, and perhaps recognize, as future Macridises less come along, that unauthorized access to computers -- far from being "honourable" behavior -- is criminal conduct that deserves to be recognized as such.
posted by Jon Rusch at 12:37 PM
3 Comments:
Hello--
Love your blog-- very well done.
I'm wondering whether you'd mind my linking to it from mine-- and whether you might be willing to link to my blog from yours.
Check out my "blog" (you'll find it's more of a disclaimer) and let me know. Sorry to contact you publicly like this. I'm still learning my way around Blogger.
To clarify:
The reason for my "blog" and for asking your permission to link to yours from it (and for asking whether you'll do the same!), is to displace another site from its position as the top hit through a Google search under my name. It will be clear to you after you read the blog why I wish to do this.
So far the blog does not appear in Google search at all. I have created a site map and am in the process of enlisting friends to Goggle-bomb it. But I'd be very grateful to have a reciprocal link with you as well, because you have a lovely blog that deals with issues that I am now, suddenly, very interested in.
Cheers ... and of course delete these messages once you've read them if you feel the need.
It should be noted that Gerry Macridis has previous convictions for fraud and hacking.
He should count himself very lucky that he got away with this and let the matter lie.
Post a Comment
<< Home