British Court Close To Sending Curador to Jail

A Crown Court judge in Wales indicated that he intends to sentence teenage
hacker Raphael Gray to prison, pending the outcome of medical tests.

After arguments from both sides at a sentencing hearing Friday, Judge
Gareth Davies declared that Gray had “crossed the custody threshold,”
according to his solicitor, Michael J. Reed.

Gray, who used the hacker nickname Curador, was arrested
in March of 2000 in connection with the theft of more than 26,000 credit
card numbers from nine small e-commerce sites.

At the time of his arrest, the Federal Bureau of Investigation said the
losses connected with Gray’s intrusions could exceed $3,000,000.

The judge adjourned Friday’s hearing after agreeing to allow defense
lawyers to arrange full medical tests on Gray, who has suffered from mood
swings since a head injury when he was 15. Reed said those tests may
include both psychiatric and physical evaluations, and will probably
require three weeks to be completed. In the meantime, Gray is free on bail.

Last month, a week before his trial was to begin, the 19-year-old Gray pleaded
guilty to 6 counts of unauthorized computer access under section 1 of
Britain’s Computer Misuse Act of 1990. In exchange, the prosecution agreed
to drop more severe charges against Gray under section 2 of the Act, which
deals with access with an intent to commit other crimes.

The maximum jail sentence Gray could receive is 12 months, according to Reed.

Does The Punishment Fit The Crime?

Gray exploited a well-known password vulnerability in Microsoft’s SQL server
to access credit card records from the victim sites, and then reposted the card numbers
at his own web pages, along with diatribes about the poor state of
e-commerce security. Gray chose the name Curador because it means
“guardian” in Spanish, and called himself the Saint of E-Commerce.

“He passionately believed at the time that what he was doing was for the
public good, and that by exposing this, in the long-term it would get
Internet users a better deal,” said Reed, who noted that Gray had no prior
criminal record.

But Chris Wysopal, director of research and development for @Stake, the
Boston-based security consulting firm, said the site operators can’t be
accused of incompetence, since Microsoft has never published a bulletin
about the SQL server vulnerability, which the software maker considers a
configuration issue.

“I think [Gray] definitely stepped over the line. Things are out of control
out there. Only a small number of these crimes go to trial, and I think
they want to make an example of this fraction of a percent when they can,”
said Wysopal, who also uses the hacker nickname Weld Pond.

Reed nonetheless expressed hope that the judge will mitigate the sentence
in consideration of earlier comments
from one of Gray’s victims to InternetNews that he was grateful to the
hacker for pointing out vulnerabilities.

Even an expert witness on the case for the Crown Court prosecution, Neil
Barrett, expressed surprise that Gray appears headed to jail.

“I’ve seen people who’ve done phenomenally worse things in computer crime
get off with a caution. Mr Gray is immature and wasn’t doing it out of
malice but out of a misplaced sense of fun. I’m not sure he deserves to go
to prison,” said Barrett, who is technical director for Information Risk
Management, an IT security consultancy in London.

But Matt Yarbrough, a former US computer crime prosecutor, said Gray’s
justification for his crime is hollow.

“Hackers do what they do because of power. When they get on the Internet,
they are gods. That’s why they rant and post things — to show other
hackers ‘I was able to do this.’ It’s a drug to them,” said Yarbrough,
currently an attorney with Fish & Richardson in Texas.

Indeed, prior to his arrest, Curador boasted
that he had obtained the credit card number of Microsoft chairman Bill
Gates from one of his victim sites. However, the card number was missing
four digits and did not match any algorithms used by major credit card

Yarbrough said the court might consider, as part of its sentence, that Gray
not be allowed to use computers for up to five years.

“To these guys, that’s more devastating than a year in jail.”
