North American Network Operators Group


Re: UK ISP threatens security researcher

  • From: Kradorex Xeron
  • Date: Fri Apr 20 15:01:44 2007

On Friday 20 April 2007 10:51, Stephen Wilcox wrote:
> On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
> > On Thu, 19 Apr 2007, Will Hargrave wrote:
> > > Gadi Evron wrote:
> > > > "A 21-year-old college student in London had his internet service
> > > > terminated and was threatened with legal action after publishing
> > > > details of a critical vulnerability that can compromise the security
> > > > of the ISP's subscribers."
> > > >
> > > > I happen to know the guy, and I am saddened by this.
> > >
> > > In his blog post [1] he did admit to accessing other routers of Be's
> > > customers using the backdoor password; this is probably [2] a criminal
> > > offence in the UK.
> > >
> > > I'm not sure I have as much sympathy for him as you do.
> >
> > The guy basically looked at his own modem, which is what this was all
> > about. The rest of what he may have done is indeed up to your judgement.
> >
> > I am generally worried about the trend that is emerging of reporting
> > security issues resulting in legal threats.
>
> well in this case I don't know the nature of the threat but asking the guy
> to hold back the passwords seems reasonable
>
> what other examples are there as you suggest a trend in hushing security
> vulns?
>
> Steve

In my personal opinion, ISPs, vendors, and such should legally be held 
responsible for their product's security and unconditionally be made to 
repair any security holes. -- if a vendor or ISP maintains good security 
practices, there will be nothing for them to fear from this.

If, per se, Microsoft doesn't want to fix their code, why don't they release the 
source and let the open source community do it? Clearly they displayed their 
non-interest with that ANI exploit: they put off the fix for MONTHS after 
knowing about it, and then, what do you know, only when it became something in the 
wild did Microsoft do something about it.

But phasing back on topic, as in this case: unless some form of a Denial of 
Service was being performed, the ISP should just fix the problem instead of 
making themselves look like overpowering, legal-system-abusing bigots. They 
seem to think that if the problem isn't discovered, it doesn't exist; I think 
they heard the "if a tree falls in a forest, does it make a sound?" quote too 
many times.

What is the ISP going to do when someone malicious actually takes the open 
hole to the next level, i.e. actively DOES cause a denial of service on a 
massive scale? Obviously if one person found it, someone else will also.

There SHOULD be more accountability on the providers'/vendors' part regardless 
of the technology. If the provider/vendor cannot handle securing the 
product, they probably shouldn't be putting the product out to the market.

But nothing like that will ever happen as too many people prefer the "ignore 
it and it will go away" philosophy and too many lawmakers are old twits who 
don't know anything about technology and probably couldn't care less.