Service & Reliability February 99: Hard drive hacked -- by ISP
Roulla Yiacoumi
When APC's Service & Reliability column received a phone call from an
Internet user claiming his hard drive had been hacked into by his ISP, we
had reservations. After all, this was something we had heard many times
before, but had never seen proven.
What made this time different, however, was that the user claimed he had
received a letter from his provider explaining how it had committed the
deed. Of course we were interested, but we still had no proof. So we asked
the reader to forward the letter to us. To our utter surprise, there were
the words, in black and white. In an email addressed to the user, the
provider wrote: "For your information, our network administrator, with
very little effort, was able to violate your computer's security and
examine the contents of your hard drive in only a few minutes."
We read it and re-read it. Surely no ISP would actually admit it had
hacked a user's hard drive?
The name of this ISP? Internet Information Superhighway (IIS). Regular
readers will recall that IIS was also the subject of a Service &
Reliability column in March 1998 (see here), when a reader claimed he had
been disconnected from the service after complaining about a fee increase.
So, what horrible offence had this user committed that IIS felt it was
within its power to violate the user's hard drive? He had installed an
option from the Windows 98 CD called 'HTTP Server' (part of 'Personal Web
Server'), believing it was some kind of Web site creation tool. When he
discovered it wasn't what he thought it was, he left it sitting on his
hard drive until he received the heavy- handed letter from IIS which
claimed it had "detected" the program on his machine, demanding it be
immediately removed. Further, the provider had the gall to tell the reader
that "operating such a service without the appropriate sanctions by the
authorities offends State and Federal legislation, not to mention
breaching our usage policy under our terms and conditions."
Now, we do not dispute that installing this program may have breached the
ISP's terms and conditions. Indeed, it is in every user's best interests
to read the online agreement before signing up with any provider and to
make sure they understand what they can and can't do. However, to claim
having this program offends state and federal legislation is ludicrous.
There are no laws requiring users to seek approval before running a Web
service. Indeed, when we asked IIS to clarify what it meant by these
statements, we received a nasty legal letter -- but no answers.
The user told us he had contacted the Telecommunications Industry
Ombudsman (TIO) and the NSW Commercial Crime Agency. We contacted both of
these bodies to see what they had to say about this incident.
The TIO said that it had received this complaint and confirmed the matter
had been referred to the NSW Police's Commercial Crime Agency.
We contacted the NSW Police and spoke to the Computer Crime Investigations
Unit. A spokesperson confirmed the matter had been referred to them and
had been investigated. Although no further action was taken against this
ISP, the police have informed Service & Reliability that they would
consider taking action against any ISP that acted with malicious intent,
or without authority or lawful excuse in accessing data stored on a
computer.
And, of course, we attempted to contact the ISP. As we had previously
dealt with this ISP, we sent email to the three addresses we had on our
books, but all three came back a day later saying they could not be
delivered.
APC's daily news service Newswire (http://newswire.com.au/) published the
story 'ISP busted for hacking' in November 1998 (see here). At the time of
posting the story on its site, Newswire wrote that it was unable to
contact IIS for comment.
When we later decided to run this story as part of Service & Reliability
in the magazine, we again attempted to contact the ISP -- this time by
fax. We sent a letter and a copy of the Newswire article, inviting the ISP
to give its side of the story. We informed the provider that if it wished
to respond via Australian Consolidated Press' lawyers, it was welcome to
do so. (Australian Personal Computer is published by Australian
Consolidated Press.) We requested a written response be forthcoming within
one week.
Shortly before this deadline expired, our legal team received a written
response from the provider's lawyer. It stated that "Newswire was not
unable to contact my client as alleged" (false), that the NSW Commercial
Crime Agency had not conducted an "investigation" into its client (we only
stated that the police had investigated the matter), and that the user was
"publishing pornographic material over the Internet using my client's
service" -- a claim both the user and police instantly dismissed.
Further, the police added that the viewing and downloading of adult
material over the Internet was not illegal (with the exception of child
pornography, which was not an issue in this case). If the ISP suspected
illegal activity on the part of a user, it is obligated to contact the
police and not take matters into its own hands.
The ISP's lawyer demanded a retraction, claiming Newswire's article was
"biased, distorted and malicious". It further accused the author of the
article (yours truly) of being "involved in a conspiracy to falsely accuse
my client of a crime", adding that this in itself is a crime "punishable
by penal servitude for fourteen years".
We do not succumb to the threat of legal proceedings -- regardless of who
the vendor is. Our readers trust APC for its unbiased reporting and
thoroughly investigated issues.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:26:25 1999