Hacker admits wilful damage

By PETER GRIFFIN

Well-known computer hacker Jodi "VeNoMoUs" Jones has pleaded guilty to hacking an internet service provider in yet another case that appears to have been handled smoothly by the 42-year-old Crimes Act.

Jones yesterday pleaded guilty in the Manukau District Court, before IT-literate Judge David Harvey, to a charge of wilful damage - hacking into the network of Web Internet, a small internet provider since bought by Maxnet.

In November 2001, Jones, who uses the web name "VeNoMoUs", exploited a flaw in an SSH (secure shell for servers) program - software that allows Unix-based systems to be accessed and maintained remotely - to gain access to the financial accounts of Web Internet's customers.

"There was a bug in SSH which allowed him to break into the system. Then he could do whatever he wanted," said former Web Internet managing director David Gottschalk.

Jones upgraded the SSH program, inserting "backdoor" software called "Frozen", which allowed access at will. He also deleted log files to cover his tracks, which wiped some accounts details.

But the SSH upgrade caught Jones out, when Netsaint - software that queries the computers every few minutes to ensure they are operating as usual - picked up his tampering.

The clean-up job cost Web Internet $3000 as contractors scoured the system for breaches.

The deleted accounts were estimated to have been worth between $1000 and $6000.

Jones also broke into the servers of customers who were co-locating their equipment on Web Internet's network.

Boasting of his exploits led to Jones' downfall. Gottschalk heard of the admissions secondhand and invited Jones to a bogus job interview at Web Internet, where he challenged the hacker.

Gottschalk believed Jones targeted Web Internet because of his dislike for a member of the staff.

The manager, now working at Maxnet, said an overhaul of the Crimes Act was needed to make prosecution of hackers easier.

But Crown prosecutor Simon Mount said the outdated Crimes Act had not posed a problem in the hacking cases that had emerged because the courts had taken a wide interpretation of the law in applying it to computer-related offences.

"It was possible the courts could have taken a very narrow view, but they haven't. I'm a bit worried, however, about what a jury would have made of a case like this."

The Crimes Amendment Bill, still waiting to be introduced to Parliament, will update the Crimes Act to better deal with computer offences.

But hacking, phone-phreaking and web defamation cases have all been handled successfully under existing legislation in the past couple of years.

Jones' defence counsel, Karen Harding, asked for him to be discharged without conviction, telling Judge Harvey that a conviction would result in the 23-year-old losing his job and struggling to find employment in the industry.

Harding said Jones had taken out a bank loan of $5000 to meet legal fees, but had since run out of money.

Jones claimed that if discharged, he would be able to make reparations immediately, something that would have to be done in weekly instalments if he was convicted.

Harding painted Jones as a "white hacker" - he had aided Web Internet by uncovering a system's security flaw.

"He was trying to be helpful, trying to see if the system was vulnerable. There was no malicious intent to come back and harm or crash the system down," she said.

Judge Harvey said wilful damage to a computer system was a "pretty serious" offence and that a discharge without conviction was a "big ask".

The case will conclude tomorrow.