nanog mailing list archives

Re: UK ISP threatens security researcher


From: Owen DeLong <owen () delong com>
Date: Thu, 19 Apr 2007 11:32:48 -0700


On Apr 19, 2007, at 10:20 AM, Will Hargrave wrote:


Gadi Evron wrote:

"A 21-year-old college student in London had his internet service
terminated and was threatened with legal action after publishing
details of a critical vulnerability that can compromise the security
of the ISP's subscribers."

I happen to know the guy, and I am saddened by this.

In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.

He admitted to logging in, but, was clear that he didn't actually
modify or inspect the routers in detail. It looks like he did the
minimum necessary to verify the extent of the security risk.

IANAL either, but, I would say that such actions are probably not
prohibited in the spirit of the law, even if they are prohibited in the
letter of the law.

Generally, anti-intrusion laws fall under either anti-theft (I don't
think you can really say he stole bandwidth or service by these
actions) or anti-vandalism (I don't think you can really call
his actions vandalism).

He was definitely in a gray area and could have handled things better,
but, the ISP's actions are way over the top and beyond reason for the
situation in question.

Owen
