We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that’s floating around.
First, if you’re not familiar with it, “The ‘Chewbacca Defense’ is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments and thus confuse them into failing to take account of the opposing arguments and, ultimately, to reject them.” (From Wikipedia.)
Second, the story going around about how a Daniel James Cuthbert used a web browser (lynx) to explore a web site:
Cuthbert clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.
(From The Out-law.)
The story is often shortened to “Man jailed for using alternate web browser,” or “It’s official – doing due diligence is a criminal offence!” (Let me dismiss that by saying due diligence is done with permission.) Or “Daniel Cuthbert’s Travesty of Justice.”
The trouble is, this makes no sense. It’s a pure Chewbacca defense. If Cuthbert thought the site was a phishing site, why did he try to execute path traversal and SQL injection tests? That’s not to say that I think those should be crimes; it’s simply to say that the defense of “That was a perfectly innocent thing to do” would fit better with the facts.
It would make sense to use whois and traceroute to see where the site is. But path traversal and SQL injection tests tell you nothing about the owner of the site, and precious little about its security. It may well be that he did this, and I haven’t read about it.
Again, I couldn’t tell you how often I do things like that. Especially now that it’s a crime. It ought not be. But there is something fishy about the defense.
Alec Muffet has a good set of links in “‘Regrettable’ conviction under Computer Misuse Act.” Next week, we’ll be sure to get to Saltzer and Schroeder.