North American Network Operators Group

Re: UK ISP threatens security researcher

  • From: Owen DeLong
  • Date: Thu Apr 19 14:44:47 2007


On Apr 19, 2007, at 10:20 AM, Will Hargrave wrote:

> Gadi Evron wrote:
>
>> "A 21-year-old college student in London had his internet service
>> terminated and was threatened with legal action after publishing details
>> of a critical vulnerability that can compromise the security of the ISP's
>> subscribers."
>
> I happen to know the guy, and I am saddened by this.
>
> In his blog post [1] he did admit to accessing other routers of Be's customers
> using the backdoor password; this is probably [2] a criminal offence in the UK.


He admitted to logging in, but, was clear that he didn't actually modify or
inspect the routers in detail. It looks like he did the minimum necessary
to verify the extent of the security risk.


IANAL either, but, I would say that such actions are probably not
prohibited in the spirit of the law, even if they are prohibited in the
letter of the law.

Generally, anti-intrusion laws fall under either anti-theft (I don't
think you can really say he stole bandwidth or service by these
actions) or anti-vandalism (I don't think you can really call
his actions vandalism).

He was definitely in a gray area and could have handled things better,
but, the ISP's actions are way over the top and beyond reason for the
situation in question.

Owen