UK ISP threatens security researcher

Leigh Porter leigh.porter at ukbroadband.com
Fri Apr 20 10:11:05 UTC 2007


Gadi Evron wrote:
> On Thu, 19 Apr 2007, Will Hargrave wrote:
>   
>> Gadi Evron wrote:
>>
>>     
>>> "A 21-year-old college student in London had his internet service
>>> terminated and was threatened with legal action after publishing details
>>> of a critical vulnerability that can compromise the security of the ISP's
>>> subscribers."
>>>
>>> I happen to know the guy, and I am saddened by this.
>>>       
>> In his blog post [1] he did admit to accessing other routers of Be's customers
>> using the backdoor password; this is probably [2] a criminal offence in the UK.
>>
>> I'm not sure I have as much sympathy for him as you do.
>>     
>
> The guy basically looked at his own modem, which is what this was all
> about. The rest of what he may have done is indeed up to your judgement.
>
> I am generally worried about the trend that is emerging of reporting
> security issues resulting in legal threats.
>
> 	Gadi.
>   

What worries me more is that they managed to do such a blindly stupid 
thing as put the exact same back door passwords on *ALL* their customer 
CPE and then make it accessible from anywhere. This really does not 
encourage me about the security of the box that holds my credit card number.

This was not a critical vulnerability, it was a bloody stupid thing to 
do. Leaving the keys in your car in Brixton is not a critical 
vulnerability, it's a bloody stupid thing to do.

So, any company (person) who is stupid enough to do this in the first 
place probably wouldn't take any notice of being informed of it anyway, 
because they were informed of it a number of times.

--
Leigh Porter




More information about the NANOG mailing list