On Apr 19, 2007, at 10:20 AM, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
He admitted to logging in, but was clear that he didn't actually modify or inspect the routers in detail. It looks like he did the minimum necessary to verify the extent of the security risk. IANAL either, but I would say that such actions are probably not prohibited in the spirit of the law, even if they are prohibited in the letter of the law. Generally, anti-intrusion laws fall under either anti-theft (I don't think you can really say he stole bandwidth or service by these actions) or anti-vandalism (I don't think you can really call his actions vandalism). He was definitely in a gray area and could have handled things better, but the ISP's actions are way over the top and beyond reason for the situation in question.

Owen