1 recommendation |
buyaclue
Anon
2007-Apr-18 9:34 am
The only good hacker is a dead hacker!
Obviously the hacker's intent was not good by publicly exposing a vulnerability. If his intentions were good all he had to do was confidentially contact the ISP and advise them that he illegally hacked their system... instead of telling folks how to hack the system.
|
| |
Re: The only good hacker is a dead hacker!
Taylor troll! Ohh how we missed you....
|
RayW Premium Member join:2001-09-01 Layton, UT |
RayW
Premium Member
2007-Apr-18 9:37 am
Wiggle
"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.
I wonder if the password is the same on all units? If so, then I suspect that there are grounds for a lawsuit since anyone with that router can gain that information. If it is unique to each router, then he does not have a leg to stand on. Granted, backdoors are bad, but if it is a unique password then it falls under the AUP.
|
| bigunkGort, Klattu Birada Nikto join:2001-02-10 USA
1 recommendation |
bigunk
Member
2007-Apr-18 11:27 am
Re: Wiggle
said by RayW: "According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.
The vulnerability did not exist prior to....? Makes no sense. Pardon me if you think I am parsing words, but saying something didn't exist prior to it being accessed is a real head-in-the-sand approach to all this. In a warped kind of way, he might have done them a favor. For all we know, he might have found the problem and told them but was dismissed by the almighty ISP techs. So he went public with the info to show there was indeed something that needed attention. We have seen multiple instances of this behavior. If you will recall, there was that guy, Mike Lynn I think, who did that to Cisco. Cisco screamed bloody murder and subverted the legal process to get what they wanted. What I am getting at is there are people with both good and bad intentions out there, and both should be listened to.
|
| | RayW Premium Member join:2001-09-01 Layton, UT |
RayW
Premium Member
2007-Apr-18 12:14 pm
Re: Wiggle
But the question is, is it just his password, or do they use it on ALL the routers as a backdoor? AUP specifies you keep your passwords safe, I do not know how that applies if it is a global password that Bubba down the street can use against all users of BeThere or if British law even allows a differentiation between the two concepts.
|
| en102Canadian, eh? join:2001-01-26 Valencia, CA |
to RayW
Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.
|
| | RayW Premium Member join:2001-09-01 Layton, UT |
RayW
Premium Member
2007-Apr-18 12:55 pm
Re: Wiggle
said by en102: Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.
Or even earlier, AT&T telling the US gov that the "Blue Box" was impossible? We can come up with all sorts of 'head in the sand' stories down through history, all in the name of money, power, or loss of face.
|
| | | en102Canadian, eh? join:2001-01-26 Valencia, CA |
en102
Member
2007-Apr-18 1:10 pm
Re: Wiggle
Just because investigating these holes is against TOS, doesn't mean they don't exist. Some are big enough to drive a truck through, and if companies aren't aware, less 'benign' hacking in the form of awareness can cause issues with much more impact.
|
| | | ·Consolidated Com.. ·Republic Wireless ·Hollis Hosting
|
to RayW
said by RayW: AT&T telling the US gov that the "Blue Box" was impossible?
Interesting quote. AT&T knew when they decided on using in-band signalling rather than out-of-band for long distance it was vulnerable to hacking. They chose it because it was cheaper. Remember back in those days telephone computing was done with relays.
/Tom
|
1 recommendation |
21-year-old college student violated ...
That sums it up quite well. [IMHO] What do they teach in college nowadays? Not logic and responsibility. A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?
|
| FFH5 Premium Member join:2002-03-03 Tavistock NJ
1 recommendation |
FFH5
Premium Member
2007-Apr-18 9:42 am
Re: 21-year-old college student violated ...
said by cableties: That sums it up quite well. [IMHO] What do they teach in college nowadays? Not logic and responsibility. A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?
And so-called security researchers are often nothing but publicity-seeking hackers or workers for companies looking to sell their security services by advertising the holes they promise to plug.
|
| | |
Re: 21-year-old college student violated ...
Well said.
|
| | en102Canadian, eh? join:2001-01-26 Valencia, CA
1 recommendation |
to FFH5
Geez... when I was in College (Canada), we had a competition with the profs. Those that could hack into Novell server would not have to write the final exam (exemption). Also, we had our own 'tests' of WinNuke in the college lab and played with 'live' viruses on the LAN to study them, and how they worked. Of course, we segmented off our LAN.
|
MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
Maxo
Premium Member
2007-Apr-18 9:44 am
Sue for weak security
I think if a system can be demonstrated to be hackable, then the people who designed the system need to recognise their fallibility and go back to the drawing board. Demonstrating a weakness in security should not, within itself, be a crime. If someone points out the locks on my door can be picked, or a window on my house can be easily opened, but he doesn't actually break in, should (s)he go to jail for showing the weakness in my home security?
|
| |
Re: Sue for weak security
No! But with these people nowadays prosecuting and reinterpreting laws, who the hell knows what is and is not illegal.
|
| ROCINANTEOriginal Member 007 Premium Member join:1999-06-29 Hartsdale, NY |
to Maxo
More invalid analogies, but we should switch the focus to anyone's house rather than just your house. He could be charged with at least trespassing if he was not granted permission to attempt to pick the locks. This can escalate to criminal mischief if he damages your locks or window and that would lead to attempted burglary. He does not have to break in to be arrested. It would be difficult for him to prove his intentions since he did not ask for permission in the first place.
|
| | MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
Maxo
Premium Member
2007-Apr-18 10:12 am
Re: Sue for weak security
Considering the modem was at his house. If he damaged the modem I could see him being charged for the cost of modem, just like anyone else who damages the ISP's equipment. I think my analogy stands. Like the guy who was arrested because he discovered the black marker on the CD would bypass the DRM, or holding down the shift key or turning off autorun. This is bypassing weak security but being charged like a criminal just because it was so damn easy.
|
| jester121 Premium Member join:2003-08-09 Lake Zurich, IL |
to Maxo
Wow, what a leap of logic....
(Except that we're not talking about criminal prosecution here -- HE JUST GOT HIS INTERNET SERVICE SHUT OFF!!!)
|
| | MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
Maxo
Premium Member
2007-Apr-18 10:49 am
Re: Sue for weak security
said by jester121: HE JUST GOT HIS INTERNET SERVICE SHUT OFF
On that note, I do stand corrected. There was not any criminal prosecution.
|
| | | Ahrenl join:2004-10-26 North Andover, MA |
Ahrenl
Member
2007-Apr-18 1:36 pm
Re: Sue for weak security
Although in the States it would have been illegal under the DMCA{? correct acronym}. I believe attempting to break into anything that has been secured is criminal. Regardless if the security is a piece of kite string holding a door half closed.
|
| | | | MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
Maxo
Premium Member
2007-Apr-18 1:43 pm
Re: Sue for weak security
I would agree breaking into physical locations should be criminal. I don't agree that breaking into your own personal property, like cracking the DRM on a CD/DVD you purchased, should be criminal.
|
| JammerMan79 Premium Member join:2004-05-13 Prince George, BC |
to Maxo
Wrong... he should sue for breach of contract on the company's part...
"You are responsible for ensuring that any member ID and/or password selected by you remain confidential so that the network cannot be used by any unauthorised person."
Wasn't this a password selected by the company?
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA |
maartena
Premium Member
2007-Apr-18 10:05 am
He already committed the crime...
This is the same as stealing something from a store, and then bringing it back 2 days later pointing out the security flaws of the anti-theft system the shop has in place.
At that point he already committed the crime.
|
|
He committed no crime
The fact that the ISP used a single password for all their routers isn't his fault, he has EVERY right to publish it. Look at it this way, if only HIS router used the password, and he published it, do you think the ISP would care? Certainly not. The fact that the ISP is too dumb to secure their own equipment isn't the user's fault. At least in the US, he has EVERY RIGHT to publish an expose on the ISP's failure. And I would applaud him for doing so. This 'hack' forces the ISP to provide REAL security, instead of relying on a simple, clear text telnet password.
|
| |
Re: He committed no crime
But when the ISP spends the money to upgrade the routers who is going to be the first to bitch about any rate increases to cover these expenses? Not every ISP has the mega huge deep pockets that AT&T and Comcast enjoy. The guy was in the wrong.
If you want cheap free routers included with your service then you need to expect that the ISP is going to buy the cheapest router they can.
|
| | |
Re: He committed no crime
Hey, the kid has talent. The ISP should consider hiring the kid!
|
| | | |
Stormsinger
Anon
2007-Apr-18 8:22 pm
Re: He committed no crime
said by AJICQ499087: Hey, the kid has talent. The ISP should consider hiring the kid!
He may have talent...there's nowhere near enough information available to anyone here to tell. However, he's clearly demonstrated a serious lack of common sense and ethics. I wouldn't hire him for anything more than lawn maintenance, or janitorial work. Scratch that, even janitorial work might give him access to information that shouldn't be released to the public, and I'd rather have a janitor that would refrain from revealing any business secrets that were sitting on a desk or in the trash.
|
|
Idiot Hacker
Many years ago I discovered a security backdoor to my ISP's remote access server where I had gained full rights over the system. I made the decision to call the ISP instead of telling everyone else how to hack it. They hooked me up with the head engineer, and we worked together to plug the hole. The ISP was very grateful for the information, and gave me a year free access.
This stupid hacker took a security vulnerability, and made it much worse by publishing the how-to with passwords. The ISP was well within its rights to terminate this idiot's service. Hopefully charges will be filed against him for hacking since it's so obvious his motivation was not to protect the ISP and its subs, but to gain recognition.
|
| openbox9 Premium Member join:2004-01-26 71144 |
openbox9
Premium Member
2007-Apr-18 11:30 am
Re: Idiot Hacker
said by dwhayden: I made the decision to call the ISP instead of telling everyone else how to hack it.
This is generally the "socially accepted" avenue taken by white hats and in general, better for the overall community than telling the whole world about the vulnerabilities. What this guy did is more black hat and he does deserve the consequences. Now if you had received little or no response from your ISP regarding the situation, the area becomes a little more grey, and usually you'll see the vulnerabilities published in an attempt to 'force' a response.
|
| | |
Re: Idiot Hacker
User: Admin Pass: 1234
Not very secure, but that was how my ISP was shipping their modems a couple of years back. They were counting on self-installers to change the password when they got the modems.
|
| | | openbox9 Premium Member join:2004-01-26 71144 |
openbox9
Premium Member
2007-Apr-18 12:15 pm
Re: Idiot Hacker
And both you and your ISP knew about this insecurity. Same practice as almost every networking device sold. It's not the same as looking for, or discovering a "vulnerability" and then contacting the responsible party for a fix...or worse yet, posting it on the net for potential malicious activity.
|
| | | |
to gworkman
"12345! Amazing, I got the same combination on my luggage!" /Spaceballs | |
|
fuziwuziNot born yesterday Premium Member join:2005-07-01 Palm Springs, CA Hitron EN2251 Nest H2D
|
fuziwuzi
Premium Member
2007-Apr-18 12:04 pm
stop jumping to conclusions...
We haven't been told whether or not the guy tried to inform the ISP of the problem before he published the issue. Also, it is rather vague that he violated the stated AUP since the password WAS available to all the ISP's customers (that was the whole problem!).
The way it looks is that someone at the ISP is simply trying to CYA and passing the blame off on the (former) customer instead of taking any responsibility for their own boneheadedness.
|