Investigating A Security Hole Is...Cracking?
crbee asks: "The other day, I was attempting to view a friend's Web site. After having no luck with www.domain.com, I decided to check domain.com. To my surprise I found a completely unauthenticated session to their ISDN router allowing me to administer and reconfigure it. I then launched a telnet session to the IP address and again got full access, this time with more features. To clarify my findings and to establish the severity of the problem, I telnetted to one or two other IP addresses within the same range of the UK-based ISP, only to find another customer of the same ISP with an open router. In the spirit of goodwill, I notified the ISP immediately. The response seemed to assume I had been portscanning their customers, and I was asked to desist." Why is it that companies always react in the wrong way when someone with security knowledge is trying to help them? Should we start leaving security holes wide open for the skr1pt k1dz, or should ISPs lay off the boilerplate warnings, read the e-mails sent in by helpful hackers, and apply a modicum of common sense when responding? A cracker most certainly isn't going to mail ISPs telling them about open routers, so why treat the people who do report them with open contempt?
"The ISP's response to my kindness is not really the issue here. They have since mailed me a slightly more grateful response, and even fixed the affected customers' routers. However, it did start a rather interesting debate on a UK industry list about the technical legalities of my actions... OK, I know, and most people saw it was obvious, that my actions were purely innocent and my response was good practice. However, according to some arguments, technically, by launching a telnet session to the router, no matter what my intentions were, I was in breach of the Computer Misuse Act (UK). What's the general opinion of Slashdot on this?"