Shostack + Friends Blog Archive


Daniel Cuthbert's Chewbacca Defense

We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that’s floating around.

First, if you’re not familiar with it, “The ‘Chewbacca Defense’ is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments and thus confuse them into failing to take account of the opposing arguments and, ultimately, to reject them.” (From Wikipedia.)

Second, the story going around about how a Daniel James Cuthbert used a web browser (lynx) to explore a web site:

Cuthbert clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.

(From The Out-law.)

The story is often shortened to “Man jailed for using alternate web browser,” or “It’s official – doing due diligence is a criminal offence!” (Let me dismiss that by saying due diligence is done with permission.) Or “Daniel Cuthbert’s Travesty of Justice.”

The trouble is, this makes no sense. It’s a pure Chewbacca defense. If Cuthbert thought the site was a phishing site, why did he try to execute path traversal and SQL injection tests? That’s not to say that I think those should be crimes; it’s simply to say that the defense of “That was a perfectly innocent thing to do” would fit better with the facts.

It would make sense to use whois and traceroute to see where the site is. But those tests tell you nothing about the owner of the site, and precious little about its security. It may well be that he did this, and I haven’t read about it.

Again, I couldn’t tell you how often I do things like that. Especially now that it’s a crime. It ought not be. But there is something fishy about the defense.

Alec Muffet has a good set of links in “‘Regrettable’ conviction under Computer Misuse Act.” Next week, we’ll be sure to get to Saltzer and Schroeder.

6 comments on "Daniel Cuthbert's Chewbacca Defense"

  • Justin Mason says:

    My big problem, as I wrote here, is that his 2 tests, while not entirely innocent, were misrepresented in severity, which IMO misled the court. As I said in that post:
    ‘Instead of making parallels with “rattling the doorknob” or “lurking around the back door of a bank”, a better parallel would be looking through the bank’s front window, from the street!’

  • Roundup on News

    In the developing story of the “Cuthbert case” the ripples continue to spread as security experts dissect the result. Curiously, it hasn’t hit the mainstream much, probably because popular press can’t work out what the fuss is about but the blogs seem t…

  • Adam says:

    But, see, I don’t buy that analogy. ../../.. is not looking through the window, it’s leaning on the window to see if it’s well-seated. More importantly, how does it relate to phishing?

  • alecm says:

    how does it relate to phishing?
    It gives you an idea how competently the website has been put together. I’ve done similarly, myself. Phishing sites are usually crap, and evident from some simple misbehaviour.

  • Adam says:

    Ok, so phishing sites are crap, but so are many normal sites.
    Of course, this raises a fascinating question: If phishing sites are crap, why operate one? Why not just wait for a phish, and steal their victims?

  • Iang says:

    The problem with using the Chewbacca Offense – calling your opponent on the Chewbacca Defense – is that you reveal that you aren’t going to attack the case on its merits. If the case has any real merits, then a dismissive attitude to those merits puts you into risky territory.
    The story is not about Cuthbert. It’s pretty clear he did “something wrong.” It’s pretty clear he did an attack. And it’s pretty clear that the attack was intended in some part aggressively. But it’s also pretty clear that he wasn’t attacking the site, and he wasn’t being aggressive in the higher senses of the words.
    The problem – the issue – lies here in that one side assumes innocence and perfection, and therefore is holding everyone to a high standard of behaviour. “It’s unauthorised because I say it’s unauthorised.” And then proceeds to act on the basis of that standard. But the actual environment is not one of innocence, so the standard is out of tune with the difficulties that real users have to face.
    In short, what you and BT say is idealistic and has no place on the real net. Phishers exist, and the start to dealing with them is to recognise and accept that existence. Sadly, we are still living in a world where security best practices include denying the existence of threats that are not easy to deal with.
