UK ISP threatens security researcher

http://www.theregister.com/2007/04/17/hackers_service_terminated/

"A 21-year-old college student in London had his internet service
terminated and was threatened with legal action after publishing details
of a critical vulnerability that can compromise the security of the ISP's
subscribers."

I happen to know the guy, and I am saddened by this.

  Gadi.

Gadi Evron wrote:

> "A 21-year-old college student in London had his internet service
> terminated and was threatened with legal action after publishing details
> of a critical vulnerability that can compromise the security of the ISP's
> subscribers."
>
> I happen to know the guy, and I am saddened by this.

In his blog post [1] he did admit to accessing other routers of Be's customers
using the backdoor password; this is probably [2] a criminal offence in the UK.

I'm not sure I have as much sympathy for him as you do.

[1] (link to his blog post; the original URL is not preserved in this archive)
[2] IANAL

I don't see any part of the story that indicates that the ISP did wrong, I see plenty that the student did wrong. E.g., did the student ever try to discreetly raise the issue with the ISP before going public?

He admitted to logging in, but, was clear that he didn't actually modify or
inspect the routers in detail. It looks like he did the minimum necessary
to verify the extent of the security risk.

IANAL either, but, I would say that such actions are probably not
prohibited in the spirit of the law, even if they are prohibited in the
letter of the law.

Generally, anti-intrusion laws fall under either anti-theft (I don't
think you can really say he stole bandwidth or service by these
actions) or anti-vandalism (I don't think you can really call
his actions vandalism).

He was definitely in a gray area and could have handled things better,
but, the ISPs actions are way over the top and beyond reason for the
situation in question.

Owen

Being that I know nothing more than what is in the article, I will go along with the assessment that the ISP could have done a better job in running their network. But I don't think that their reaction is uncalled for (given again that the article is all that I have to go on).

> He was definitely in a gray area and could have handled things better,
> but, the ISPs actions are way over the top and beyond reason for the
> situation in question.

The article fails to mention whether the student did try to use proper channels. Perhaps he did - that would change my assessment. Passing judgement on so little data - and data in the press at that - is only as good as, well, the data presented.

Employing official channels is preferable to public humiliation. Complaints that "postmaster@" isn't set up correctly take on bigger importance when we can say "we tried to contact you via proper channels but then had to take our complaint public."

When I hear about such stunts, I wonder if the student did this all for self-promotion.

Gadi Evron wrote:

> "A 21-year-old college student in London had his internet service
> terminated and was threatened with legal action after publishing details
> of a critical vulnerability that can compromise the security of the ISP's
> subscribers."
>
> I happen to know the guy, and I am saddened by this.

> In his blog post [1] he did admit to accessing other routers of Be's customers
> using the backdoor password; this is probably [2] a criminal offence in the UK.
>
> I'm not sure I have as much sympathy for him as you do.

The guy basically looked at his own modem, which is what this was all
about. The rest of what he may have done is indeed up to your judgement.

I am generally worried about the trend that is emerging of reporting
security issues resulting in legal threats.

  Gadi.

> http://www.theregister.com/2007/04/17/hackers_service_terminated/
>
>"A 21-year-old college student in London had his internet service
>terminated and was threatened with legal action after publishing details
>of a critical vulnerability that can compromise the security of the ISP's
>subscribers."

> I don't see any part of the story that indicates that the ISP did
> wrong, I see plenty that the student did wrong. E.g., did the
> student ever try to discreetly raise the issue with the ISP before
> going public?

I believe he covers his good, or lacking, disclosure policy in his blog.

Fact is, he "hacked" (read telnet) his own modem.

Looking at the lack of security response and seriousness from this ISP, I
personally, in hindsight (although it was impossible to see back
then) would not waste time with reporting issues to them, now.

  Gadi.

These days there is almost never any reason to report a security issue
unless you are a professional security researcher who is looking for
publicity/work. [1]

If you are a random person who comes across a security hole in a website
or commercial product then the best thing to do is tell nobody, refrain
from any further investigation and if possible remove all evidence you
ever did anything.

There is almost zero potential upside of reporting these holes vs the very
real potential downside that the company might decide to go after you with
their legal team or the police.

Anonymous notifications to 3rd parties like security forums or
journalists might be an option if you really feel it is important. However
in the scheme of things giving $50 to your favorite charity is likely to
be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your
normal job with your company's products. Even then you should only follow
normal channels and always be careful.

I guess my experience in this area differs. Of the times I reported
security holes to vendors/site operators they were grateful for the tip. I
used my real name (which apparently is somewhat unique) and real contact
information in case they had questions. I always made sure to contact the
most appropriate person I could get contact info for (i.e. the security team
if possible; avoiding the general information address). Though I guess the
big difference with me is I did not post detailed information about those
problems on the Internet for anyone to see.

Frankly, posting a major flaw in the setup of thousands of routers before
the ISP has had a chance to correct the problem is doing more harm than
good. I am not surprised at the ISPs response. The person in question here
should have first notified the ISP and unless the ISP was unwilling to fix
the problem, only then should he have considered releasing the information
publicly.

My $0.02,
Adam Stasiniewicz

What worries me more is that they managed to do such a blindly stupid thing as put the exact same back door passwords on *ALL* their customer CPE and then make it accessible from anywhere. This really does not encourage me about the security of the box that holds my credit card number.

This was not a critical vulnerability, it was a bloody stupid thing to do. Leaving the keys in your car in Brixton is not a critical vulnerability, it's a bloody stupid thing to do.

So, any company (person) who is stupid enough to do this in the first place probably wouldn't take any notice of being informed of it anyway, because they were informed of it a number of times..
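The failure described above (one backdoor password shared by every customer CPE, reachable from anywhere) has a standard remedy: derive a unique management credential per device from a master provisioning key, and only accept management connections from the operator's own management network. The following is an added illustration, not code from the thread or from Be's provisioning system; the serial numbers, the master key value and the 10.250.0.0/16 management prefix are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample data: a master key (in practice kept in an HSM or
# secrets store, never on the CPE) and a handful of device serial numbers.
PROVISIONING_KEY = b"example-master-key-not-a-real-secret"
CPE_INVENTORY = ["SN-0001A", "SN-0002B", "SN-0003C"]

# Assumed operator management prefix; nothing outside it may reach the CPE
# management port.
MANAGEMENT_NETS = [ipaddress.ip_network("10.250.0.0/16")]


def per_device_secret(serial: str, key: bytes = PROVISIONING_KEY) -> str:
    """Derive a unique management password for one CPE.

    HMAC-SHA256 over the device serial under the master key: the provisioning
    system can recompute it on demand, while a password read off one device
    reveals nothing about any other device.
    """
    digest = hmac.new(key, serial.encode("utf-8"), hashlib.sha256).digest()
    return digest.hex()[:32]


def provision(inventory: list[str]) -> dict[str, str]:
    """Map every serial in the inventory to its derived credential."""
    return {serial: per_device_secret(serial) for serial in inventory}


def shared_credential_report(credentials: dict[str, str]) -> list[str]:
    """Audit check: list every password used by more than one device.

    A healthy fleet returns an empty list; the situation in the thread
    (one password for all CPE) returns that single password.
    """
    counts = Counter(credentials.values())
    return sorted(pw for pw, n in counts.items() if n > 1)


def management_access_allowed(src_ip: str) -> bool:
    """Management-plane filter: permit only sources inside MANAGEMENT_NETS."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in MANAGEMENT_NETS)


if __name__ == "__main__":
    # The weak setup beside the corrected one.
    weak = {serial: "admin" for serial in CPE_INVENTORY}
    print("shared in weak setup:", shared_credential_report(weak))
    print("shared after per-device derivation:",
          shared_credential_report(provision(CPE_INVENTORY)))
    for src in ("10.250.3.4", "203.0.113.9"):
        print(src, "allowed" if management_access_allowed(src) else "denied")
```

The audit function is the part worth keeping around: run it over whatever your provisioning database holds for CPE management passwords, and any non-empty result is a fleet-wide exposure of the kind discussed here. The prefix filter belongs on the CPE itself and, as a second layer, on the edge ACLs.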

Now, that is off-topic to NANOG.

One comment: just because they are not reported does not mean they are not
used. Proved beyond doubt this past year with all the 0day attacks and
targeted attacks going on.

  Gadi.

>
> > Looking at the lack of security response and seriousness from this
> > ISP, I personally, in hindsight (although it was impossible to see
> > back then) would not waste time with reporting issues to them, now.
>
> These days there is almost never any reason to report a security issue
> unless you are a professional security researcher who is looking for
> publicity/work. [1]

> Now, that is off-topic to NANOG.

Just because you disagree with someone's opinion, doesn't make it
offtopic.

> One comment: just because they are not reported does not mean they are
> not used. Proved beyond doubt this past year with all the 0day attacks
> and targeted attacks going on.

I'm not sure if Simon's comment was tongue-in-cheek.

I think if you are referring to "public disclosure", yes, I think there's
little point of doing this, unless you are seeking attention. Of course,
reporting a problem to vendor privately always makes sense.

I'm not sure the debate on public disclosure vs private falls under NANOG
AUP.

-alex

Well, in this case I don't know the nature of the threat, but asking the guy to hold back the passwords seems reasonable.

What other examples are there, as you suggest a trend in hushing security vulns?

Steve

[...]

> In his blog post [1] he did admit to accessing other routers of Be's
> customers using the backdoor password; this is probably [2] a criminal
> offence in the UK. I'm not sure I have as much sympathy for him as you do.
>
> [2] IANAL

It *is* a criminal offence under extensions to the original CMA1990 in the
Police and Justice Act 2006. The maximum penalty was also increased to two
years imprisonment.

I don't think this particular incident is enough to attract a custodial
sentence, but he will almost certainly end up with a well-deserved criminal
record for his stupidity if somebody can be bothered to press charges.

alex@pilosoft.com wrote:

> I'm not sure if Simon's comment was tongue-in-cheek.
>
> I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
>
> I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
>
> -alex

I beg to differ here on a few points...

1) Reporting to vendors... I don't know how many vendors from
Microsoft on down I've reported issues to... Sometimes it
works sometimes it doesn't. For the heavy hitters (MS, IBM,
etc.) they should acknowledge and take responsibility for
their issues, else have the issues publicly disclosed.

How would you feel if you used a product a company KNOWS lacks
fundamental security controls and does little to fix it. How
would you feel if AFTER the fact someone leveraged a method
to affect you. How would you feel AFTER the fact, finding
out they were told and did nothing for eons.

I've disclosed a pretty bad denial of service bug. Tested not
only by me, but by about six other individuals one in one of
the world's biggest insurance agencies... Confirmed... Another
in academia land... Confirmed... A professional pentester with
a DoD contract... Confirmed... Sent it to MS... "Well it
doesn't work" said the MS team... I didn't even bother disclosing
it out after that. Not because it didn't work but because the
last thing I wanted to see was something akin to another Smurf
like attack on MS being part of my own shop where I work is
MS based. I gave up. On occasion I will take a few minutes to
find something stupid to break because I fiddle with things.
Sometimes I release things publicly, sometimes I don't depending
on what I perceive to be a level of severity. If it's minor, it
gets released and this is only because I've gotten tired of
dealing with the idiotic policies these companies use to shoot
themselves in their own foot.

On the other hand, if I attempted to contact someone, got the
cold shoulder, attempted again, and something was that bad, why
should I be chastised after I decided to let others using that
product know "Hey if you use that product... It might not be
all that safe." I get flak whenever I release something in the
wild and those whose messages go to my trash bin, know little
about the fact that I'd made attempts to contact the vendor.

From Cisco, to Microsoft, to open source vendors (Asterisk),
whomever, most times I will contact the necessary party... They
fail to respond, it goes public. Same happened way back when
with Computrace (LoJack for Laptops)... Where I contacted them
over and over... They told me "You're wrong... After proving
my points repeatedly... Finally I ended up pulling their card
and posting their entire email transcription... I still have
an NDA they wanted me to sign which is summarized as "We will
pay you x amount of what you spend if you just... well shut
up." Right.... I see nothing wrong with responsible public
disclosure.

> It *is* a criminal offence under extensions to the original CMA1990 in the
> Police and Justice Act 2006. The maximum penalty was also increased to two
> years imprisonment.
>
> I don't think this particular incident is enough to attract a custodial
> sentence, but he will almost certainly end up with a well-deserved criminal
> record for his stupidity if somebody can be bothered to press charges.

Some people's opinions are truly astounding.

Why do we even bother having best practices if people aren't going to follow them?

No damage was done- that's a hell of a lot more than you can ask from a damned hacker. And if your provisioning system doesn't blow- then fixing the problem isn't a big deal either.

Would your insurance company pay a claim on your stolen car if you left it running, with the doors wide open, in Harlem? Of course not.

Nobody wants to take any responsibility for their own stupidity. The only criminal act here was the negligence on the part of the ISP. They got embarrassed- no harm was done- get on with your damned life.

The fact is that people will ALWAYS be curious- it's what makes human beings so amazing. People will explore their surroundings and if you don't want them to- then try taking some basic steps to ensure they can't.

As for the laws? Prison is for people who irrevocably harm society- some stupid kid who went exploring his cable modem DOES NOT QUALIFY. And what about a criminal record? Who the hell does that help? Give the guy a record and force him to go to work for the spammers and botnet writers? Great thinking.

"well-deserved criminal record for his stupidity." Where is the criminal record for the idiot who allowed remote access with a single username and password to every single cable modem? That's pretty damned stupid.

Honestly- when did we all become such vindictive assholes? Had the guy caused any real damage then you might have an argument. He didn't. We need to stop letting companies abuse the law instead of performing due diligence.

-Don

Sklyarov ended up in jail for a while for daring to point out that a certain
foolish vendor had used ROT-13 as their encryption scheme.

Raven Adler had her run-in with Apple: "After realizing that Apple were not
my friends and were more interested in their PR spin":
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/52959

Cisco initiated legal action at Michael Lynn and the Black Hat crew:
http://news.com.com/Cisco+hits+back+at+flaw+researcher/2100-1002_3-5807551.html

Ed Felten at Princeton had his famous run-in with the SDMI folks:
http://www.usenix.org/events/sec01/craver.pdf
which led to threatened legal action:
http://cryptome.org/sdmi-attack.htm

Threats of legal action scuttled an RFID hacking demo at a recent BlackHat:
http://www.securityfocus.com/news/11444

Now, as you were saying?

> > Now, that is off-topic to NANOG.
>
> Just because you disagree with someone's opinion, doesn't make it
> offtopic.

<snip>

> I'm not sure the debate on public disclosure vs private falls under NANOG
> AUP.

Do you even read your own emails?

  Gadi.

>
> I am generally worried about the trend that is emerging of reporting
> security issues resulting in legal threats.

> well in this case i dont know the nature of the threat but asking the guy to hold back the passwords seems reasonable
>
> what other examples are there as you suggest a trend in hushing security vulns?

Replying off-list.

  Gadi.

>
> I'm not sure if Simon's comment was tongue-in-cheek.
>
> I think if you are referring to "public disclosure", yes, I think
> there's little point of doing this, unless you are seeking attention.
> Of course, reporting a problem to vendor privately always makes sense.
>
> I'm not sure the debate on public disclosure vs private falls under
> NANOG AUP.

> I beg to differ here on a few points...
>
> 1) Reporting to vendors... I don't know how many vendors from Microsoft
> on down I've reported issues to... Sometimes it works sometimes it
> doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge
> and take responsibility for their issues, else have the issues publicly
> disclosed.

This is getting into the discussion on whether public disclosure (and
attendant attention of script kiddies, public embarrassment of vendor, and
"glory" to the reporter) is a better way to get the bug fixed than working
with your vendor (who, presumably, receives $$$ from you on maintenance
contract or hopes to receive $$$ from you on the upgrade to next version).

> How would you feel if you used a product a company KNOWS lacks
> fundamental security controls and does little to fix it. How would you
> feel if AFTER the fact someone leveraged a method to affect you. How
> would you feel AFTER the fact, finding out they were told and did
> nothing for eons.

Vote with your wallet, use a vendor that is responsive to customer needs.

> I've disclosed a pretty bad denial of service bug. Tested not only by
> me, but by about six other individuals one in one of the world's biggest
> insurance agencies... Confirmed... Another in academia land...
> Confirmed... A professional pentester with a DoD contract...
> Confirmed... Sent it to MS... "Well it doesn't work" said the MS team...
> I didn't even bother disclosing it out after that. Not because it didn't
> work but because the last thing I wanted to see was something akin to
> another Smurf like attack on MS being part of my own shop where I work
> is MS based. I gave up. On occasion I will take a few minutes to find
> something stupid to break because I fiddle with things. Sometimes I
> release things publicly, sometimes I don't depending on what I perceive
> to be a level of severity. If its minor, it gets released and this is
> only because I've gotten tired of dealing with the idiotic policies
> these companies use to shoot themselves in their own foot.

It's your choice, it is not the only way.

<snip>

> From Cisco, to Microsoft, to open source vendors (Asterisk), whomever,
> most times I will contact the necessary party... They fail to respond,
> it goes public. Same happened way back when with Computrace (LoJack for
> Laptops)... Where I contacted them over and over... They told me "You're
> wrong... After proving my points repeatedly... Finally I ended up
> pulling their card and posting their entire email transcription... I
> still have an NDA they wanted me to sign which is summarized as "We will
> pay you x amount of what you spend if you just... well shut up."
> Right.... I see nothing wrong with responsible public disclosure.

Responsible is the key word. There's been much discussion on the mailing
lists that are *more appropriate* to discuss full-disclosure what
constitutes responsible. Note that those mailing lists are not NANOG,
where this subject is tangential.

-alex