Investigating A Security Hole Is...Cracking?

crbee asks: "The other day, I was attempting to view a friend's Web site. After having no luck with www.domain.com, I decided to check domain.com, to my surprise I found a completely unauthenticated session to their ISDN router allowing me to administer and reconfigure it. I then launched a telnet session to the IP address and again got full access, this time with more features. To clarify my findings and to establish the severity of the problem, I telneted to one or two other IP addresses within the same range of the UK based ISP, only to find another customer of the same ISP with an open router. In the spirit of goodwill, I notified the ISP immediately. The response seemed to assume I had been portscanning their customers and I was asked to desist." Why is it that companies always react in the wrong way when someone with security knowledge is trying to help them? Should we start leaving security holes wide open for the skr1pt k1dz or should ISPs lay off of the boilerplate warnings, read the e-mails sent in by helpful hackers, and apply a modicum of common sense when responding back? A cracker most certainly isn't going to mail ISPs telling them about open routers, so why treat the people who do report them with open contempt?

"The ISP's response to my kindness is not really the issue here. They have since mailed me a slightly more grateful response, and even fixed the affected customers' routers. However, it did start a rather interesting debate on a UK industry list about the technical legalities of my actions... OK, I know, and most people saw it was obvious, that my actions were purely innocent and and my response was good practice. However, according to some arguments, technically, the fact that I launched a telnet session to the router, no matter what my intentions were, I was in breach of the Computer Misuse Act (UK). What's the general opinion of Slashdot on this?"

Makes a difference how you say it

[bug-eyed+monster]

I usually play dumb when I report these problem. It's all a question of how you word your notice, try to sound as non-threatening as possible. Don't say: "your routers are open and I can telnet to any node on your network, you should close this up before somebody cracks you!" Instead say something like: "Um, I was trying to get to my friends web-site, and I forgot to type in 'www' before 'domain.com', and I got these weird text that I've pasted at the end of this email. Like, I think your computer's broken. Can you fix it please?" Just report the symptoms and let them figure it out.

Put it another way, it's like when you're having lunch with someone, and they get spinach stuck in their teeth. Unless you're very familiar with them, you don't just point and say: "Bud, you have spinach on your teeth, and also I've notice you don't chew your food enough." You just ignore it or try to make them aware of the problem in a more diplomatic way.

Put it yet another way, let's say you leave your apartment door unlocked and a distracted visitor or neighbour walks in by mistake. You expect them to walk out as soon as they find their mistake, and at most put a note on the door apologizing for their intrusion. You don't expect them to come in and find you in your bedroom and tell you "hey pal you better lock your door, look how easy it was for me to get in!"

Re:The telnet was wrong

[Manic+Miner]

I can see your point of view, however... From my position as a Sysadmin, a full report of a problem with my systems is much more appreciated (and much more likely to be acted on) than the usual - "your computers are broken"!

I've had all the extreems from "your f*~#ing website is broken - fix it" to "your machine alice appears to be version x of bob which is insecure, you can crack it be doing the following..."

Of the two, I ignored and was pissed off by the first, the second was useful and clear, and I reacted quickly, and thanked the person who made the bug report afterward (having checked the machine for hacks first ;)

It's difficult to know where to draw the line, if someone told me my router was wide open, I'd still assume someone might have broken into it, so the extra telnet wouldn't really make a difference. But the extra information would be useful in solving the problem / believing the person who was submitting the problem.