Service & Reliability February 99: Hard drive hacked -- by ISP Roulla Yiacoumi When APC's Service & Reliability column received a phone call from an Internet user claiming his hard drive had been hacked into by his ISP, we had reservations. After all, this was something we had heard many times before, but had never seen proven. What made this time different, however, was that the user claimed he had received a letter from his provider explaining how it had committed the deed. Of course we were interested, but we still had no proof. So we asked the reader to forward the letter to us. To our utter surprise, there were the words, in black and white. In an email addressed to the user, the provider wrote: "For your information, our network administrator, with very little effort, was able to violate your computer's security and examine the contents of your hard drive in only a few minutes." We read it and re-read it. Surely no ISP would actually admit it had hacked a user's hard drive? The name of this ISP? Internet Information Superhighway (IIS). Regular readers will recall that IIS was also the subject of a Service & Reliability column in March 1998 (see here), when a reader claimed he had been disconnected from the service after complaining about a fee increase. So, what horrible offence had this user committed that IIS felt it was within its power to violate the user's hard drive? He had installed an option from the Windows 98 CD called 'HTTP Server' (part of 'Personal Web Server'), believing it was some kind of Web site creation tool. When he discovered it wasn't what he thought it was, he left it sitting on his hard drive until he received the heavy- handed letter from IIS which claimed it had "detected" the program on his machine, demanding it be immediately removed. Further, the provider had the gall to tell the reader that "operating such a service without the appropriate sanctions by the authorities offends State and Federal legislation, not to mention breaching our usage policy under our terms and conditions." Now, we do not dispute that installing this program may have breached the ISP's terms and conditions. Indeed, it is in every user's best interests to read the online agreement before signing up with any provider and to make sure they understand what they can and can't do. However, to claim having this program offends state and federal legislation is ludicrous. There are no laws requiring users to seek approval before running a Web service. Indeed, when we asked IIS to clarify what it meant by these statements, we received a nasty legal letter -- but no answers. The user told us he had contacted the Telecommunications Industry Ombudsman (TIO) and the NSW Commercial Crime Agency. We contacted both of these bodies to see what they had to say about this incident. The TIO said that it had received this complaint and confirmed the matter had been referred to the NSW Police's Commercial Crime Agency. We contacted the NSW Police and spoke to the Computer Crime Investigations Unit. A spokesperson confirmed the matter had been referred to them and had been investigated. Although no further action was taken against this ISP, the police have informed Service & Reliability that they would consider taking action against any ISP that acted with malicious intent, or without authority or lawful excuse in accessing data stored on a computer. And, of course, we attempted to contact the ISP. As we had previously dealt with this ISP, we sent email to the three addresses we had on our books, but all three came back a day later saying they could not be delivered. APC's daily news service Newswire (http://newswire.com.au/) published the story 'ISP busted for hacking' in November 1998 (see here). At the time of posting the story on its site, Newswire wrote that it was unable to contact IIS for comment. When we later decided to run this story as part of Service & Reliability in the magazine, we again attempted to contact the ISP -- this time by fax. We sent a letter and a copy of the Newswire article, inviting the ISP to give its side of the story. We informed the provider that if it wished to respond via Australian Consolidated Press' lawyers, it was welcome to do so. (Australian Personal Computer is published by Australian Consolidated Press.) We requested a written response be forthcoming within one week. Shortly before this deadline expired, our legal team received a written response from the provider's lawyer. It stated that "Newswire was not unable to contact my client as alleged" (false), that the NSW Commercial Crime Agency had not conducted an "investigation" into its client (we only stated that the police had investigated the matter), and that the user was "publishing pornographic material over the Internet using my client's service" -- a claim both the user and police instantly dismissed. Further, the police added that the viewing and downloading of adult material over the Internet was not illegal (with the exception of child pornography, which was not an issue in this case). If the ISP suspected illegal activity on the part of a user, it is obligated to contact the police and not take matters into its own hands. The ISP's lawyer demanded a retraction, claiming Newswire's article was "biased, distorted and malicious". It further accused the author of the article (yours truly) of being "involved in a conspiracy to falsely accuse my client of a crime", adding that this in itself is a crime "punishable by penal servitude for fourteen years". We do not succumb to the threat of legal proceedings -- regardless of who the vendor is. Our readers trust APC for its unbiased reporting and thoroughly investigated issues. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:19 PDT