Gadi Evron wrote:
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement.
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Gadi.
What worries me more is that they managed to do such a blindly stupid thing as put the exact same back door passwords on *ALL* their customer CPE and then make it accessible from anywhere. This really does not encourage me about the security of the box that holds my credit card number.
This was not a critical vulnerability, it was a bloody stupid thing to do. Leaving the keys in your car in Brixton is not a critical vulnerability, it's a bloody stupid thing to do.
So, any company (person) who is stupid enough to do this in the first place probably wouldn't take any notice of being informed of it anyway, because they were informed of it a number of times.
-- Leigh Porter