If a member of AAISP staff logs into my router without my request and
without my permission, and changes the set up unrequested, has a criminal
offense been committed?

Alan Clifford wrote:
>
> If a member of AAISP staff logs into my router without my request and
> without my permission, and changes the set up unrequested, has a criminal
> offense been committed?

Is this a hypothetical question? If it has really happened, I think it's very
unlikely AAISP would do that intentionally. In any case, you should have
changed the password, or blocked remote login altogether unless you need to do
it yourself.

Normally I'd say an offence has not been committed unless someone acted with
malicious intent or serious dereliction of a duty of care. With the way most
new laws these days seem to assume guilty until proven innocent, though, I'm
not so sure.

"Alan Clifford" <sardines> wrote in message >
>
> If a member of AAISP staff logs into my router

is it _your_ router or an AAISP router on loan?

Roga

roga wrote:
> "Alan Clifford" <sardines> wrote in message >
>> If a member of AAISP staff logs into my router
>
> is it _your_ router or an AAISP router on loan?

Even if it's on loan, I don't think it's very likely that AAISP would take it
on themselves to mess with it. If so I'm sure there would be a requirement in
the terms and conditions not to change the password or block remote access.

There was something a while back about some Zyxel routers having a security
hole, and I think AAISP did a batch check of known Zyxel routers, then informed
any customer who should update the firmware. Could this check be the cause of a
log entry showing an attempted connection?

Alfred E Neuman wrote:
> There was something a while back about some Zyxel routers having a
> security hole, and I think AAISP did a batch check of known Zyxel
> routers, then informed any customer who should update the firmware.
> Could this check be the cause of a log entry showing an attempted
> connection?

There is an altogether more sinister explanation. A few weeks ago, I was
reading about a virus that infects your router, not your PC. It gets in
if the router accepts admin connections from the WAN and has no/poor
admin passwords.

Once such a virus is in situ it can infect other routers, and do
whatever it wants with data you happen to send/receive unencrypted.

One method of propagation was direct router to router via the wireless
capability. Of course, this is seen as a "local" connection so
circumvents the "No WAN Admin" setting. The propagation speed of such a
virus is something to behold. It was predicted that it could infect
every single vulnerable router in a metropolis such as New York within
24 hours.

Needless to say, I don't allow admin sessions from the WAN, and I
changed the admin password to something not likely to be guessed in the
lifetime of the universe. I also made sure that my wireless encryption
was the highest level that my devices can manage. I'm still pretty
worried by this.

On 2009-05-01, Swifty <steve.j.swift> wrote:
>
> Needless to say, I don't allow admin sessions from the WAN, and I
> changed the admin password to something not likely to be guessed in the
> lifetime of the universe. I also made sure that my wireless encryption
> was the highest level that my devices can manage. I'm still pretty
> worried by this.

Why are you still worried about it?

Given the steps you've taken above, I'd say you should be far more
worried about the repeated Adobe Acrobat Reader 0-day vulnerabilities,
assuming you ever read PDFs.

Or the IE vulnerabilities. Or the firefox vulnerabilities. Or the
Office vulernabilities, or, or, or...

On Fri, 1 May 2009, Alfred E Neuman wrote:

> Alan Clifford wrote:
>
> Is this a hypothetical question? If it has really happened, I think it's very
> unlikely AAISP would do that intentionally. In any case, you should have
> changed the password, or blocked remote login altogether unless you need to
> do it yourself.
>
> Normally I'd say an offence has not been committed unless someone acted with
> malicious intent or serious dereliction of a duty of care. With the way most
> new laws these days seem to assume guilty until proven innocent, though, I'm
> not so sure.
>

Not hypothetical but a case of over-enthusiasm rather than anthing
malicious and A&A have responded appropriately today. My own fault for
not immediately resetting the passwords on a new router to keep
over-enthusiastic hands out.

I was just curious really, considering all the fuss that is reported in
the "media" about accessing computer equipment. Why is this different
from accessing the Americans' defense computers?

Alan Clifford wrote:
> On Fri, 1 May 2009, Alfred E Neuman wrote:
>> Not hypothetical but a case of over-enthusiasm rather than anthing
> malicious and A&A have responded appropriately today. My own fault for
> not immediately resetting the passwords on a new router to keep
> over-enthusiastic hands out.
>
> I was just curious really, considering all the fuss that is reported in
> the "media" about accessing computer equipment. Why is this different
> from accessing the Americans' defense computers?
>
All down to how much damages can be claimed through the courts.

DL

David Taylor wrote:
> Why are you still worried about it?

There are all sorts of aspects of this that cause me concern:

1. There are relatively few different sorts of routers. So a virus which
spreads directly between routers would spread *very* quickly.
2. The router is sitting there on the internet, with little or no
protection if there are bugs in its code.
3. Most people (including me) would not know how to tackle a virus in
their router.
4. You probably wouldn't even know it was there, unless it caused your
router to crash. Not many people monitor their router, looking for odd
things happening.
5. I suspect that the kind of people who write viruses would find
routers very attractive.

It's not keeping me awake (a bodged ATI video driver update is doing
that) but it's probably in my top ten list.

Alan Clifford wrote:
>
> If a member of AAISP staff logs into my router without my request and
> without my permission, and changes the set up unrequested, has a criminal
> offense been committed?

Email details to us if you think this has happened.

There is no reason for any member of staff to log in to your router
without you asking. Regardless of whether such action is legal or not, I
am happy to investigate the matter.

As to whether an offence has been committed, there are several factors.

The access would have to have been intentional.

Also, there are also matters of consent to access. If someone
legitimately has the password to something they probably have implicit
permission to access it by that fact alone and as such the access would
be quite legal.

IANAL.