[Infowarrior] - ISP ejects whistle-blowing student

Richard Forno rforno at infowarrior.org
Fri Apr 20 14:37:01 UTC 2007


ISP ejects whistle-blowing student
BeThere's damage control found lacking
By Dan Goodin in San Francisco
Published Tuesday 17th April 2007 22:02 GMT
http://www.theregister.com/2007/04/17/hackers_service_terminated/

A 21-year-old college student in London had his internet service terminated
and was threatened with legal action after publishing details of a critical
vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid
Karunaratne demonstrated how the ISP's broadband routers can be remotely
accessed by anyone curious enough to look for several poorly concealed
backdoors. The hack makes it trivial to telnet into a modem and sniff users'
VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific
password needed to carry out the attack - a tack from the "full disclosure"
school of vulnerability reporting that is considered a no-no in many
security circles. Less than 48 hours later, he removed the password
information, but that didn't stop the ISP from exacting its retribution.

"We have carried out a full and diligent investigation into the alleged
breach and your posting relating to it," a BeThere email informed
Karunaratne. "Based on that investigation, we do not believe that there was
(prior to your post) any such security breach. Therefore, the passwords
could only have been obtained through illegal means (i.e. by hacking)."

Evidently, the mere tinkering with a modem constitutes "illegal means."
That's a remarkable determination for any technology-related company, but
especially so in this case given the niche that BeThere aims to fill: The
ISP caters to power users by offering speeds as high as 24 Mbps down and 2.5
Mbps up.

The email went on to "reserve the right to institute legal proceedings" if
Karunaratne accessed BeThere's network again or made additional publications
that included passwords related to the ISP. BeThere also sought to prevent
Karunaratne from going public with the termination. "This letter is
confidential and we do not consent to any publication of the details of our
dispute with you or this letter in any forum whatsoever," it warned.

(In a generous concession, it added: "We agree that you may disclose the
contents of this letter to your legal counsel or advisor.")

Unfortunately, BeThere hasn't shown the same diligence in repairing the
vulnerability, which remains unmitigated more than seven weeks after
Karunaratne revealed it. The company says rolling out a patch in a way that
doesn't disrupt subscribers' existing service takes time and that it expects
to begin pushing out a fix in the next week or so.

The company has made no public disclosures of the vulnerability and has
offered no temporary workarounds, again, managers say, because they don't
want to do anything that will degrade customer experience.

The company says in a statement it canceled Karunaratne's account because he
violated numerous terms of service, including failing to take reasonable
steps necessary to prevent third parties from obtaining unauthorized access
to the BeThere network.

"According to our investigation, the modem vulnerability did not exist prior
to his accessing without permission and then publishing certain confidential
passwords which were not otherwise available to Be* members," Managing
Director Dana Pressman said.

They say time heals all wounds, and for Karunaratne, a state of Zen-inspired
acceptance has settled in, even if he has to surf the web at significantly
slower speeds. "I knew that some companies treated security researchers very
badly but I had no idea companies like that included major ISPs," he says.
(Note: BeThere has only a fraction of the subscriber base of giant ISPs such as
BT or AT&T.) "I've learned just how ill-prepared some companies are and what
they will do to make the problem go away." ®
