Note: This column represents the opinions
of the writer and as such, is not represented as fact|
When is a hack not a hack?
the contents of Aardvark's "million-dollar ideas" notebook
are revealed for all to see!
The recent court case Garrett vs Telecom showed that poking around in other
people's computers without their permission can get you in big trouble.
But what constitutes "permission?"
The reason I'm posing this question is that yesterday I was alerted to what
appears to be a major security flaw in the service operated by an NZ ISP.
When I checked -- it sure seems as if the hole is so big you could drive
a truck through it. It would be quite possible for unauthorised people
to gain access to some very important data.
Need Cutting-Edge Copy?|
As NZ's longest-running online commentator, I'm looking for
extra syndication opportunities for this daily publication -- or I'm happy
to write casual or regular material specifically to order for print or
Net-based publications. If you're
interested, drop me a line
In accordance with my policy, I attempted to contact the ISP yesterday, but
haven't yet received any reply, so I'm not divulging the identity of the
company or details of how the intrusion can be performed.
The person who originally alerted me to this hole was clearly concerned
that they could find themselves in real hot water if they actually poked
around to see what was inside -- but could they?
I did have a look around -- just to try and determine whether there really
was a problem.
At no time was I challenged to enter a password and no "skill" (other than
being able to type and click a mouse) was required to access the data inside.
No special tools were used -- this stuff is all accessible using a regular
web-browser and a straightforward URL.
So, would I be breaking the law to access this stuff?
Could it not be argued that if it wasn't meant to be publicly accessible
then it wouldn't be published in a public place (the WWW).
Surely if it was the ISPs intention not to make this material available to
anyone who browsed by then they'd at least have added some password protection
Now let me make it clear -- the data available through this hole appears to
include valid credit card details, passwords, and a raft of other stuff that
you certainly don't want in the public domain.
As I mentioned -- I've tried to contact the ISP concerned and advised them
that they might have a problem. However -- was this the wisest course of
At present, the risk associated with being honest and trying to help someone
with a security problem is pretty low. I'm not using any of the information
I might have come across and I immediately informed the owner.
This is a win-win. The ISP gets to patch up a problem, the people using
the service avoid possibly having their credit-card details misappropriated
if some malicious Net-user finds the same hole, and everyone's happy.
What happens after the Crimes Amendment Bill is passed though?
Yep.. that's right. I keep my mouth shut tight for fear of being prosecuted
as a hacker.
Then some mean little snot (possibly from a foreign country where he's safe from
our laws anyway) comes along, finds the same hole and steals a nice wad of
credit card numbers and screws the ISP's service up badly.
Now someone tell me again how the CAB is supposed to reduce online crime?
Oh, and would the ISP who received a phone call from me at 5:30pm last night
(left on your answering service) please contact me ASAP.
Save The Aardvark Fund
Yes, I have had several donations to the Aardvark fund and I thank those
who put their money where their mouse is :-)
If guilt is gnawing away inside you then there's still time to donate.
Just drop by and
hand over your loot.
Add Aardvark To Your Own Website!
Got a moment? Want a little extra fresh content for your own website or
Just add a
to your pages and you can get
a free summary of Aardvark's daily commentary -- automatically updated
each and every week-day.
Aardvark also makes a summary of this daily column available via XML using
the RSS format. More details can be found
Contact me if you decide to use either of these feeds and
have any problems.
Did you tell someone else about Aardvark today? If not then do it
There is/are 0 Vacancies Last added 2 July In The Job Centre
There are 14 Domain Names for sale