On Friday 20 April 2007 10:51, Stephen Wilcox wrote:
On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement.
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Well, in this case I don't know the nature of the threat, but asking the guy to hold back the passwords seems reasonable.
What other examples are there, as you suggest a trend in hushing security vulns?
Steve
In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. If a vendor or ISP maintains good security practices, there will be nothing for them to fear from this. If, per se, Microsoft doesn't want to fix their code, why don't they release the source and let the open source community do it? Clearly they displayed their non-interest with that ANI exploit: they put off the fix for MONTHS after knowing about it, and then, what do you know, only when it became something in the wild did Microsoft do something about it.

But getting back on topic, as in this case: unless some form of a Denial of Service was being performed, the ISP should just fix the problem instead of making themselves look like overpowering, legal-system-abusing bigots. They seem to think that if the problem isn't discovered, it doesn't exist; I think they heard the "if a tree falls in a forest, does it make a sound?" quote too many times. What is the ISP going to do when someone malicious actually takes the open hole to the next level, i.e. actively DOES cause a denial of service on a massive scale? Obviously if one person found it, someone else will also.

There SHOULD be more accountability on the providers'/vendors' part regardless of the technology. If the provider/vendor cannot handle securing the product, they probably shouldn't be putting the product out to the market. But nothing like that will ever happen, as too many people prefer the "ignore it and it will go away" philosophy and too many lawmakers are old twits who don't know anything about technology and probably couldn't care less.