[96155] in North American Network Operators' Group


Re: UK ISP threatens security researcher

daemon@ATHENA.MIT.EDU (Leigh Porter)
Fri Apr 20 06:12:16 2007

Date: Fri, 20 Apr 2007 11:11:05 +0100
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: Gadi Evron <ge@linuxbox.org>
Cc: Will Hargrave <will@harg.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0704191809090.25872-100000@linuxbox.org>
Errors-To: owner-nanog@merit.edu


Gadi Evron wrote:
> On Thu, 19 Apr 2007, Will Hargrave wrote:
>   
>> Gadi Evron wrote:
>>
>>     
>>> "A 21-year-old college student in London had his internet service
>>> terminated and was threatened with legal action after publishing details
>>> of a critical vulnerability that can compromise the security of the ISP's
>>> subscribers."
>>>
>>> I happen to know the guy, and I am saddened by this.
>>>       
>> In his blog post [1] he did admit to accessing other routers of Be's customers
>> using the backdoor password; this is probably [2] a criminal offence in the UK.
>>
>> I'm not sure I have as much sympathy for him as you do.
>>     
>
> The guy basically looked at his own modem, which is what this was all
> about. The rest of what he may have done is indeed up to your judgement.
>
> I am generally worried about the trend that is emerging of reporting
> security issues resulting in legal threats.
>
> 	Gadi.
>   

What worries me more is that they managed to do such a blindly stupid 
thing as put the exact same back door passwords on *ALL* their customer 
CPE and then make it accessible from anywhere. This really does not 
encourage me about the security of the box that holds my credit card number.

This was not a critical vulnerability, it was a bloody stupid thing to 
do. Leaving the keys in your car in Brixton is not a critical 
vulnerability, it's a bloody stupid thing to do.

So, any company (person) who is stupid enough to do this in the first 
place probably wouldn't take any notice of being informed of it anyway, 
because they were informed of it a number of times..

--
Leigh Porter

