20 April 2007

BeThere? I'd Rather BeSquare

I've sometimes been vaguely tempted by BeThere's promises of "up to 24 Meg download" speeds. No more, if this is how it treats someone pointing out a serious vulnerability in its operations:

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Here's a simple explanation: if someone exploits your vulnerability, they are crackers and deserve punishing; if someone points out your vulnerability so you can fix it and protect yourself, they are hackers and deserve rewarding. (Via TechDirt.)


Anonymous said...

Never expect gratitude.p

Suramya said...

Well, he didn't really point it out to their tech support that their system was buggy, he posted the details online along with the passwords required to exploit it.

There is a difference in publishing a vulnerability and publishing a how-to manual on exploiting it. Sid published the how-to without giving BeThere a chance to fix it.

- Suramya

glyn moody said...

I agree he didn't exactly do it in the most helpful way, but it still seems to me that ultimately he was doing them a service: if his intention had been to exploit the bug, he wouldn't have published it at all.