A Bankstown man who admitted to hacking into the systems of Australia's second-largest telco Optus and Flow Communications has been convicted on an appeal by the DPP in the NSW District Court, fined $4000 and placed on a two-year good behaviour bond.
Stephen Craig Dendtler had previously had the two matters against him proven after pleading guilty, but did not have a conviction recorded against him (commonly known as a section 10) and was spared any fine or good behaviour bond. The Crown subsequently appealed the case on the grounds that the sentence was manifestly inadequate.
Mr Matt Laffin for the DPP successfully argued that Dendtler’s initial sentence “failed to take into consideration [the factor of] deterrence”, adding that whether Dendtler “likes it or not, he is an example to others”. Laffin argued that the previous sentence would act so as to trivialise the offences (of unauthorised access and modification of data with intent to cause impairment) and possibly encourage others to engage in similar activity.
A contrite and shaken Dendtler said that although what he did could be construed as hacking, the only personal benefit he sought to derive was to further his knowledge of computer network security systems.
Dendtler also admitted under cross examination to being a “nerd”, a condition he said he had endured since an “early age” and which had led him to complete a Bachelor of Information Technology at the University of Western Sydney. The condition, it would appear, persists.
Dendtler also told the court that his particularly strong interest in computer security had seen him apply for positions within the ranks of security and intelligence agency the Defence Signals Directorate (DSD). Dendtler’s conviction now precludes him from any permanent employment within government requiring a security clearance — a near mandatory condition for IT positions.
The court also heard that Dendtler had written his own software and tested it on Optus, and had “fixed” a number of “holes” so as to prevent others gaining the same unauthorised access -- although he personally retained the ability to access the network himself. The miscreant code, the court heard, was applied to a computer named “Caprice” belonging to an Optus employee.
The court heard that Dendtler gained access to 435,000 Optus customer usernames and passwords, requiring Optus to inform the media and their customers of a serious breach of security – although what requirements exist to inform the media were neither discussed nor questioned in court. Computerworld is seeking detail as to any requirements of telcos to inform the media of breaches of security but holds no substantive hopes.
Examined on this, Dendtler told the court his actions had probably reduced the possibility of unauthorised access to Optus’ network from “a few billion people to one person”; a line Justice McGuire very explicitly rejected.
“You don’t access 435,000 [usernames and passwords] to fill in a Saturday afternoon. It’s a matter of common sense. Why would you do it?” Justice McGuire said, adding there was no evidence before him that compelled him to believe Dendtler’s actions constituted an “intellectual pursuit”.
In sentencing Dendtler, Justice McGuire said that Dendtler “had the ability to gain access to the financial details of those [Optus’] customers. I accept he did not [access or utilise password access to financial detail to his pecuniary or material advantage]”, adding that it gravely concerned him that Dendtler had discussed his actions with others, particularly his “methodology”.
Precisely how or why 435,000 Optus customers’ intimate financial details — in security rather than legal terms — should reside so near their ISP account so as to be accessible by the likes of Dendtler is as questionable as the apparent requirement of telcos to bare all security breaches to the media.
Dendtler is currently employed as a security systems programmer for a secure transaction service provider. And there is still not a lot to do in Bankstown on a Saturday afternoon.