[Gllug] Insecure practices at my ISP

James Bailey James.Bailey at osm.co.uk
Fri Apr 4 10:03:56 UTC 2003



> -----Original Message-----
> From: Chris Ball [mailto:chris at void.printf.net]
> Sent: Friday, April 04, 2003 10:31 AM
> To: gllug at linux.co.uk
> Subject: Re: [Gllug] Insecure practices at my ISP
> 
> 
> >> On 4 Apr 2003 10:19:37, David Pashley <david at parguild.co.uk> said:
> 
>    >> If he has not actually accessed areas of the system he is not
>    >> authorised to access there has been no offence.
> 
>    > <http://www.ddplus.co.uk/DDPlus_Website/News_Community/
>    > Easynet_Story/Easynet_dont_shoot_the_messenger.htm>
> 
> Not analogous at all.  In the article, "Certainly, he strayed into an
> account (or accounts) other than his own, but wouldn't anyone with a
> healthy sense of curiosity be tempted to do exactly the same?". Well,
> no, not anyone who wants to stay out of prison..
> 
> Notifying your ISP that the version of {sendmail, bind, mysql} that
> they're running is insecure and exploitable *without* getting a root
> shell from it yourself can never be against the Computer Misuse Act,
> which classifies against unauthorised access and modification, as 
> Jason said.
> 
Surely if the ISP has set 755 permissions on a directory, they are saying the
owner can read, write and execute this file and group and other can read and
execute.  If they have got this wrong then they should own up and fix the
problem, not attack the person who quite rightly explored the limits of his
account and, when feeling that some of the areas he was allowed into should
in fact be closed off to him and others, advises them of this fact.

They should be thankful that someone as decent as Gary found this and not
some spotty 14 year old 733t with an attitude problem.

Peace Jim

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



