crbee asks:
"The other day, I was attempting to view a friend's Web site. After having no luck with www.domain.com, I decided to check domain.com, to my surprise I found a completely unauthenticated session to their ISDN router allowing me to administer and reconfigure it. I then launched a telnet session to the IP address and again got full access, this time with more features. To clarify my findings and to establish the severity of the problem, I telneted to one or two other IP addresses within the same range of the UK based ISP, only to find another customer of the same ISP with an open router. In the spirit of goodwill, I notified the ISP immediately. The response seemed to assume I had been portscanning their customers and I was asked to desist." Why is it that companies always react in the wrong way when someone with security knowledge
is trying to help them? Should we start leaving security holes wide open for the skr1pt k1dz or should ISPs lay off of the boilerplate warnings, read the e-mails sent in by helpful hackers, and apply a modicum of common sense when responding back? A cracker most certainly isn't going to mail ISPs telling them about open routers, so why treat the people who do report them with open contempt?
"The ISP's response to my kindness is not really the issue here. They have since mailed me a slightly more grateful response, and even fixed the affected customers' routers. However, it did start a rather interesting debate on a UK industry list about the technical legalities of my actions... OK, I know, and most people saw it was obvious, that my actions were purely innocent and and my response was good practice. However, according to some arguments, technically, the fact that I launched a telnet session to the router, no matter what my intentions were, I was in breach of the Computer Misuse Act (UK). What's the general opinion of Slashdot on this?"
The telnet was wrong (Score:2)
Its questionable, realy... (Score:2)
The Legal community really doesnt understand technology or technological issues like most of us do, and lawmakers themselves are pretty well ignorant about these things. The ISP's logs should show what you were up to (if they were loggin it like good little admins though leaving something that open, odds are pretty good that they're equally dumb about logging) and show that you weren't doing anything mallicious.
Makes a difference how you say it (Score:4)
Put it another way, it's like when you're having lunch with someone, and they get spinach stuck in their teeth. Unless you're very familiar with them, you don't just point and say: "Bud, you have spinach on your teeth, and also I've notice you don't chew your food enough." You just ignore it or try to make them aware of the problem in a more diplomatic way.
Put it yet another way, let's say you leave your apartment door unlocked and a distracted visitor or neighbour walks in by mistake. You expect them to walk out as soon as they find their mistake, and at most put a note on the door apologizing for their intrusion. You don't expect them to come in and find you in your bedroom and tell you "hey pal you better lock your door, look how easy it was for me to get in!"
Well, it may be stupid....but.... (Score:3)
People are ethical, but the media doesn't say that (Score:2)
Blame the media for creating this "web of distrust" regarding the Internet. Don't get me wrong, your default attitude should be distrust when it comes to system security itself. But when you get someone on the line, in voice, or in a sincere correspondence, your first instinct should be to "thank" them. The great majority of people are quite ethical. Otherwise Melissa (and most of the original worms) would have wiped out most Windows systems on the first shot instead of just being a benign worm.
-- Bryan "TheBS" Smith
Re:The telnet was wrong (Score:4)
I can see your point of view, however... From my position as a Sysadmin, a full report of a problem with my systems is much more appreciated (and much more likely to be acted on) than the usual - "your computers are broken"!
I've had all the extreems from "your f*~#ing website is broken - fix it" to "your machine alice appears to be version x of bob which is insecure, you can crack it be doing the following..."
Of the two, I ignored and was pissed off by the first, the second was useful and clear, and I reacted quickly, and thanked the person who made the bug report afterward (having checked the machine for hacks first ;)
It's difficult to know where to draw the line, if someone told me my router was wide open, I'd still assume someone might have broken into it, so the extra telnet wouldn't really make a difference. But the extra information would be useful in solving the problem / believing the person who was submitting the problem.
Re:Estonian Telecom does too (Score:1)
Re:Well, it may be stupid....but.... (Score:3)
It sure is a security problem. The fact that he connected and had full access demonstrates that. He could have inserted rules that would have created a backdoor for him in the future. If that's how you run things, remind me not to hire you.
When you're delivering internet-connected equipment for installation at a customer site, you first connect it in an isolated network, then set up access control and passwords, THEN send it to the site.
As for the matter at hand, there is a big difference between poking around through random strangers' networks hunting for holes, and taking a closer look at a friend's network because you think there might be a problem she should know about. This clearly looks like a case of the latter. Fortunately it would be quite difficult to bring prosecution in most jurisdictions because the prosecutor would not have the support of the victim. It's like trying to prosecute someone for breaking and entering after they're observed climbing through a window - when it's later discovered that the window belonged to their mother's house and they climbed in because they saw a fire in the kitchen.
Re:Makes a difference how you say it (Score:1)
I have never yet been alerted to any security issues in my network... I like to think that for the most part, I run a pretty tight ship. If I do detect anything going on, I do whatever is necessary to stop it, and report it as abuse unless I hear from someone claiming to have achieved something, or if the tone of the claim is that of a cracker rather than a helpful hacker.
The biggest problem I've ever had with people's technical comments is trying to explain to them that "the technical aspects of the web server are outside my control".
Re:Makes a difference how you say it (Score:1)
Security (Score:2)
Some Admins Just Don't Listen.... (Score:1)
So, I went to the site, added their most expensive items as $0.00 and sent them a screenshot of their checkout screen, and an explanation of the problem. (I didn't buy the items either). After explaining it in an email, I sent it to quite a few different people at the company. But they just didn't listen and refuse to reply. Is this common to other people's experiences? And my question is, what should I do if they continue to refuse to reply and do not fix it?
Re:Security (Score:3)
Defensive admins (Score:2)
It's hard for some admins to be to admit they have security problems. Far from being appreciative, they get very defensive, even if all you do is report a problem.
Well, that's another case near and dear to me (Score:3)
Re:Some Admins Just Don't Listen.... (Score:1)
Re:Well, it may be stupid....but.... (Score:2)
I can certainly sympathize, having often been in the position of scrambling to fix something (not always of an electronic nature), only to have to put up with well-intended interruptions telling me what I already knew (that it needs fixing) or wanting a time estimate (in a situation where determining the problem is 99% of fixing it), but what should the polite user do?
How do you find out if you're just wasting time and network resources in continued failed attempts at access unless you ask someone in charge of the network?
A couple of days ago, I couldn't log on to Slashdot, it refused to recognize me as a registered user. The stories I could get to load as a separate page came up with no comments, and several other Andover sites wouldn't load at all. The story at the top of the main page was the one about Napster users in Belgium. Subsequent attempts to load the main page in another window came up with what I assume was the way it looked before that story was added. The next day, when everything was working normally, I noticed that there is a gap of about 4 hours between the time the story was added and the earliest posts, so it would seem that something was wrong on their end, but I haven't seen any mention of it. How do I find out if the problem was on my end or their's without being an annoyance?
I haven't changed anything on my end lately, but the next day another site I frequent (a discussion forum for consumer electronics techs and the people that drive them crazy) started having problems with names disappearing from original posts (but not all of them) and the reply link not working (for me, but apparently not for everybody). So here I am wondering whether the problem is something on my end that I need to find and fix, which means I'll need all the clues I can get from anywhere and anyone I can get them, or if I've just hit a stretch of co-incidental unrelated problems that others are having. How do I find out without being a pest?
Estonian Telecom does too (Score:2)