UK ISP threatens security researcher
Kradorex Xeron
admin at digibase.ca
Fri Apr 20 18:56:06 UTC 2007
On Friday 20 April 2007 10:51, Stephen Wilcox wrote:
> On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
> > On Thu, 19 Apr 2007, Will Hargrave wrote:
> > > Gadi Evron wrote:
> > > > "A 21-year-old college student in London had his internet service
> > > > terminated and was threatened with legal action after publishing
> > > > details of a critical vulnerability that can compromise the security
> > > > of the ISP's subscribers."
> > > >
> > > > I happen to know the guy, and I am saddened by this.
> > >
> > > In his blog post [1] he did admit to accessing other routers of Be's
> > > customers using the backdoor password; this is probably [2] a criminal
> > > offence in the UK.
> > >
> > > I'm not sure I have as much sympathy for him as you do.
> >
> > The guy basically looked at his own modem, which is what this was all
> > about. The rest of what he may have done is indeed up to your judgement.
> >
> > I am generally worried about the trend that is emerging of reporting
> > security issues resulting in legal threats.
>
> Well, in this case I don't know the nature of the threat, but asking the guy
> to hold back the passwords seems reasonable.
>
> What other examples are there, as you suggest a trend in hushing security
> vulns?
>
> Steve
In my personal opinion, ISPs, vendors, and such should legally be held
responsible for their products' security and unconditionally be made to
repair any security holes. If a vendor or ISP maintains good security
practices, there will be nothing for them to fear from this.
If, per se, Microsoft doesn't want to fix their code, why don't they release the
source and let the open source community do it? Clearly they displayed their
non-interest with that ANI exploit: they offset the fix for MONTHS after
knowing of it, and then, what do you know, only when it became something in the
wild did Microsoft do something about it.
But phasing back on topic, as in this case: unless some form of Denial of
Service was being performed, the ISP should just fix the problem instead of
making themselves look like overpowering, legal-system-abusing bigots. They
seem to think that if the problem isn't discovered, it doesn't exist; I think
they heard the "if a tree falls in a forest, does it make a sound?" quote too
many times.
What is the ISP going to do when someone malicious actually takes the open
hole to the next level, i.e. actively DOES cause a denial of service on a
massive scale? Obviously, if one person found it, someone else will also.
There SHOULD be more accountability on the providers'/vendors' part regardless
of the technology. If the provider/vendor cannot handle securing the
product, they probably shouldn't be putting the product out to the market.
But nothing like that will ever happen as too many people prefer the "ignore
it and it will go away" philosophy and too many lawmakers are old twits who
don't know anything about technology and probably couldn't care less.