The recent court case Garrett vs Telecom showed that poking around in other people's computers without their permission can get you in big trouble.

But what constitutes "permission?"

The reason I'm posing this question is that yesterday I was alerted to what appears to be a major security flaw in the service operated by an NZ ISP.

When I checked -- it sure seems as if the hole is so big you could drive a truck through it. It would be quite possible for unauthorised people to gain access to some very important data.

In accordance with my policy, I attempted to contact the ISP yesterday, but haven't yet received any reply, so I'm not divulging the identity of the company or details of how the intrusion can be performed.

The person who originally alerted me to this hole was clearly concerned that they could find themselves in real hot water if they actually poked around to see what was inside -- but could they?

I did have a look around -- just to try and determine whether there really was a problem.

At no time was I challenged to enter a password and no "skill" (other than being able to type and click a mouse) was required to access the data inside.

No special tools were used -- this stuff is all accessible using a regular web-browser and a straightforward URL.

So, would I be breaking the law to access this stuff?

Could it not be argued that if it wasn't meant to be publicly accessible then it wouldn't be published in a public place (the WWW).

Surely if it was the ISPs intention not to make this material available to anyone who browsed by then they'd at least have added some password protection right?

Readers Say (updated hourly) Nothing Yet Have Your Say

Now let me make it clear -- the data available through this hole appears to include valid credit card details, passwords, and a raft of other stuff that you certainly don't want in the public domain.

As I mentioned -- I've tried to contact the ISP concerned and advised them that they might have a problem. However -- was this the wisest course of action?

At present, the risk associated with being honest and trying to help someone with a security problem is pretty low. I'm not using any of the information I might have come across and I immediately informed the owner.

This is a win-win. The ISP gets to patch up a problem, the people using the service avoid possibly having their credit-card details misappropriated if some malicious Net-user finds the same hole, and everyone's happy.

What happens after the Crimes Amendment Bill is passed though?

Yep.. that's right. I keep my mouth shut tight for fear of being prosecuted as a hacker.

Then some mean little snot (possibly from a foreign country where he's safe from our laws anyway) comes along, finds the same hole and steals a nice wad of credit card numbers and screws the ISP's service up badly.

Now someone tell me again how the CAB is supposed to reduce online crime?

Oh, and would the ISP who received a phone call from me at 5:30pm last night (left on your answering service) please contact me ASAP.

Save The Aardvark Fund
Yes, I have had several donations to the Aardvark fund and I thank those who put their money where their mouse is :-)

If guilt is gnawing away inside you then there's still time to donate.

Just drop by and hand over your loot.

Add Aardvark To Your Own Website!
Got a moment? Want a little extra fresh content for your own website or page?

Just add a couple of lines of JavaScript to your pages and you can get a free summary of Aardvark's daily commentary -- automatically updated each and every week-day.

Aardvark also makes a summary of this daily column available via XML using the RSS format. More details can be found here.

Contact me if you decide to use either of these feeds and have any problems.

Did you tell someone else about Aardvark today? If not then do it now!

There is/are 0 Vacancies Last added 2 July In The Job Centre

There are 14 Domain Names for sale