RealTime IT News

British Court Close To Sending Curador to Jail

A Crown Court judge in Wales indicated that he intends to sentence teenage hacker Raphael Gray to prison, pending the outcome of medical tests.

After arguments from both sides at a sentencing hearing Friday, Judge Gareth Davies declared that Gray had "crossed the custody threshold," according to his solicitor, Michael J. Reed.

Gray, who used the hacker nickname Curador, was arrested in March of 2000 in connection with the theft of more than 26,000 credit card numbers from nine small e-commerce sites.

At the time of his arrest, the Federal Bureau of Investigation said the losses connected with Gray's intrusions could exceed $3,000,000.

The judge adjourned Friday's hearing after agreeing to allow defense lawyers to arrange full medical tests on Gray, who has suffered from mood swings since a head injury when he was 15. Reed said those tests may include both psychiatric and physical evaluations, and will probably require three weeks to be completed. In the meantime, Gray is free on bail.

Last month, a week before his trial was to begin, the 19-year-old Gray pleaded guilty to 6 counts of unauthorized computer access under section 1 of Britain's Computer Misuse Act of 1990. In exchange, the prosecution agreed to drop more severe charges against Gray under section 2 of the Act, which deals with access with an intent to commit other crimes.

The maximum jail sentence Gray could receive is 12 months, according to Reed.

Does The Punishment Fit The Crime?

Gray exploited a well-known password vulnerability in Microsoft's SQL Server to access credit card records from the victim sites, and then reposted the card numbers at his own web pages, along with diatribes about the poor state of e-commerce security. Gray chose the name Curador because it means "guardian" in Spanish, and called himself the Saint of E-Commerce.

"He passionately believed at the time that what he was doing was for the public good, and that by exposing this, in the long-term it would get Internet users a better deal," said Reed, who noted that Gray had no prior criminal record.

But Chris Wysopal, director of research and development for @Stake, the Boston-based security consulting firm, said the site operators can't be accused of incompetence, since Microsoft has never published a bulletin about the SQL Server vulnerability, which the software maker considers a configuration issue.

"I think [Gray] definitely stepped over the line. Things are out of control out there. Only a small number of these crimes go to trial, and I think they want to make an example of this fraction of a percent when they can," said Wysopal, who also uses the hacker nickname Weld Pond.

Reed nonetheless expressed hope that the judge will mitigate the sentence in consideration of earlier comments from one of Gray's victims to InternetNews that he was grateful to the hacker for pointing out vulnerabilities.

Even an expert witness on the case for the Crown Court prosecution, Neil Barrett, expressed surprise that Gray appears headed to jail.

"I've seen people who've done phenomenally worse things in computer crime get off with a caution. Mr Gray is immature and wasn't doing it out of malice but out of a misplaced sense of fun. I'm not sure he deserves to go to prison," said Barrett, who is technical director for Information Risk Management, an IT security consultancy in London.

But Matt Yarbrough, a former US computer crime prosecutor, said Gray's justification for his crime is hollow.

"Hackers do what they do because of power. When they get on the Internet, they are gods. That's why they rant and post things -- to show other hackers 'I was able to do this.' It's a drug to them," said Yarbrough, currently an attorney with Fish & Richardson in Texas.

Indeed, prior to his arrest, Curador boasted that he had obtained the credit card number of Microsoft chairman Bill Gates from one of his victim sites. However, the card number was missing four digits and did not match any algorithms used by major credit card companies.

Yarbrough said the court might consider, as part of its sentence, that Gray not be allowed to use computers for up to five years.

"To these guys, that's more devastating than a year in jail."