Note: This column represents the opinions of the writer and as such, is not purported as fact.
The column I published a few days ago on the subject of whitehat hacking has certainly created a lot of discussion.

It was quite timely therefore, that a reader notified me the other day to advise they'd discovered something of a security flaw in an online service operated by Telecom.

It appears to be possible, using nothing more than a carefully crafted URL, to view information belonging to other Telecom customers; information that should not be publicly accessible.

Of course I'm not going to admit that *I* have checked this personally, since the act of checking would indeed be breaching the Crimes Amendment Act. However, I believe the problem does exist and is real.

Now should I, or the Aardvark reader concerned (who will of course remain anonymous), contact Telecom with the details of this problem?

Well certainly the reader who discovered the problem should stay well clear of Telecom, since admitting that they'd found the problem would expose them to the risk of criminal prosecution.
On the other hand, I could possibly disclose the information that has been made available to me -- since I could claim that I hadn't duplicated the reader's actions but was relying on another independent party to verify those claims.

Which raises another interesting point...

If I'm privy to information that would allow the exploitation of such a security hole, am I now party to the crime and also liable to some extent?

Should I, and the reader, just have kept our mouths shut?

I don't think so. After all, we all know the folly of "security by obscurity", don't we?

Fortunately in this instance the vulnerability, although it appears to be very real, is not likely to result in financial loss to anyone. However, it could prove highly embarrassing to those Telecom customers if some of this information were to fall into the wrong hands.

So what should I do, readers?

Should I go to Telecom and give them the heads-up they need to fix this problem -- and by doing so perhaps risk being considered a party to the "crime"? (Too late, this column has already done that I guess).

Should I just erase all records relating to this matter and refuse to say any more? (I've already deleted the reader's emails to preserve their anonymity.)

Or should I point out that we really need some amendment to the law that indemnifies those white-hats who come forward and help those whose security vulnerabilities have been discovered?

Will a team of police officers now descend on my home and seize all my computers so they can search for evidence that I've engaged in the "hacking" of Telecom's computer systems (which I haven't)? If they do then they'll never find the information they're after. However, I'm not going to hold anyone to ransom here and if Telecom simply ask politely, I'll gladly relate the problem to them so that it can be remedied.

But this case raises a very important question:

If you, I, or *anyone* mistypes a URL and ends up looking at information that obviously belongs to someone else - have *they* really committed a crime?

And, if by doing so they have committed a crime, isn't this law a bit of an ass?